1 /* 2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.IOException; 29 import java.io.OutputStream; 30 31 import java.security.cert.*; 32 import java.util.*; 33 34 import sun.security.util.*; 35 import sun.misc.HexDumpEncoder; 36 37 38 /** 39 * The X509CertInfo class represents X.509 certificate information. 40 * 41 * <P>X.509 certificates have several base data elements, including:<UL> 42 * 43 * <LI>The <em>Subject Name</em>, an X.500 Distinguished Name for 44 * the entity (subject) for which the certificate was issued. 45 * 46 * <LI>The <em>Subject Public Key</em>, the public key of the subject. 47 * This is one of the most important parts of the certificate. 48 * 49 * <LI>The <em>Validity Period</em>, a time period (e.g. six months) 50 * within which the certificate is valid (unless revoked). 51 * 52 * <LI>The <em>Issuer Name</em>, an X.500 Distinguished Name for the 53 * Certificate Authority (CA) which issued the certificate. 54 * 55 * <LI>A <em>Serial Number</em> assigned by the CA, for use in 56 * certificate revocation and other applications. 57 * 58 * @author Amit Kapoor 59 * @author Hemma Prafullchandra 60 * @see CertAttrSet 61 * @see X509CertImpl 62 */ 63 public class X509CertInfo implements CertAttrSet<String> { 64 /** 65 * Identifier for this attribute, to be used with the 66 * get, set, delete methods of Certificate, x509 type. 67 */ 68 public static final String IDENT = "x509.info"; 69 // Certificate attribute names 70 public static final String NAME = "info"; 71 public static final String DN_NAME = "dname"; 72 public static final String VERSION = CertificateVersion.NAME; 73 public static final String SERIAL_NUMBER = CertificateSerialNumber.NAME; 74 public static final String ALGORITHM_ID = CertificateAlgorithmId.NAME; 75 public static final String ISSUER = "issuer"; 76 public static final String SUBJECT = "subject"; 77 public static final String VALIDITY = CertificateValidity.NAME; 78 public static final String KEY = CertificateX509Key.NAME; 79 public static final String ISSUER_ID = "issuerID"; 80 public static final String SUBJECT_ID = "subjectID"; 81 public static final String EXTENSIONS = CertificateExtensions.NAME; 82 83 // X509.v1 data 84 protected CertificateVersion version = new CertificateVersion(); 85 protected CertificateSerialNumber serialNum = null; 86 protected CertificateAlgorithmId algId = null; 87 protected X500Name issuer = null; 88 protected X500Name subject = null; 89 protected CertificateValidity interval = null; 90 protected CertificateX509Key pubKey = null; 91 92 // X509.v2 & v3 extensions 93 protected UniqueIdentity issuerUniqueId = null; 94 protected UniqueIdentity subjectUniqueId = null; 95 96 // X509.v3 extensions 97 protected CertificateExtensions extensions = null; 98 99 // Attribute numbers for internal manipulation 100 private static final int ATTR_VERSION = 1; 101 private static final int ATTR_SERIAL = 2; 102 private static final int ATTR_ALGORITHM = 3; 103 private static final int ATTR_ISSUER = 4; 104 private static final int ATTR_VALIDITY = 5; 105 private static final int ATTR_SUBJECT = 6; 106 private static final int ATTR_KEY = 7; 107 private static final int ATTR_ISSUER_ID = 8; 108 private static final int ATTR_SUBJECT_ID = 9; 109 private static final int ATTR_EXTENSIONS = 10; 110 111 // DER encoded CertificateInfo data 112 private byte[] rawCertInfo = null; 113 114 // The certificate attribute name to integer mapping stored here 115 private static final Map<String,Integer> map = new HashMap<String,Integer>(); 116 static { map.put(VERSION, Integer.valueOf(ATTR_VERSION))117 map.put(VERSION, Integer.valueOf(ATTR_VERSION)); map.put(SERIAL_NUMBER, Integer.valueOf(ATTR_SERIAL))118 map.put(SERIAL_NUMBER, Integer.valueOf(ATTR_SERIAL)); map.put(ALGORITHM_ID, Integer.valueOf(ATTR_ALGORITHM))119 map.put(ALGORITHM_ID, Integer.valueOf(ATTR_ALGORITHM)); map.put(ISSUER, Integer.valueOf(ATTR_ISSUER))120 map.put(ISSUER, Integer.valueOf(ATTR_ISSUER)); map.put(VALIDITY, Integer.valueOf(ATTR_VALIDITY))121 map.put(VALIDITY, Integer.valueOf(ATTR_VALIDITY)); map.put(SUBJECT, Integer.valueOf(ATTR_SUBJECT))122 map.put(SUBJECT, Integer.valueOf(ATTR_SUBJECT)); map.put(KEY, Integer.valueOf(ATTR_KEY))123 map.put(KEY, Integer.valueOf(ATTR_KEY)); map.put(ISSUER_ID, Integer.valueOf(ATTR_ISSUER_ID))124 map.put(ISSUER_ID, Integer.valueOf(ATTR_ISSUER_ID)); map.put(SUBJECT_ID, Integer.valueOf(ATTR_SUBJECT_ID))125 map.put(SUBJECT_ID, Integer.valueOf(ATTR_SUBJECT_ID)); map.put(EXTENSIONS, Integer.valueOf(ATTR_EXTENSIONS))126 map.put(EXTENSIONS, Integer.valueOf(ATTR_EXTENSIONS)); 127 } 128 129 /** 130 * Construct an uninitialized X509CertInfo on which <a href="#decode"> 131 * decode</a> must later be called (or which may be deserialized). 132 */ X509CertInfo()133 public X509CertInfo() { } 134 135 /** 136 * Unmarshals a certificate from its encoded form, parsing the 137 * encoded bytes. This form of constructor is used by agents which 138 * need to examine and use certificate contents. That is, this is 139 * one of the more commonly used constructors. Note that the buffer 140 * must include only a certificate, and no "garbage" may be left at 141 * the end. If you need to ignore data at the end of a certificate, 142 * use another constructor. 143 * 144 * @param cert the encoded bytes, with no trailing data. 145 * @exception CertificateParsingException on parsing errors. 146 */ X509CertInfo(byte[] cert)147 public X509CertInfo(byte[] cert) throws CertificateParsingException { 148 try { 149 DerValue in = new DerValue(cert); 150 151 parse(in); 152 } catch (IOException e) { 153 throw new CertificateParsingException(e); 154 } 155 } 156 157 /** 158 * Unmarshal a certificate from its encoded form, parsing a DER value. 159 * This form of constructor is used by agents which need to examine 160 * and use certificate contents. 161 * 162 * @param derVal the der value containing the encoded cert. 163 * @exception CertificateParsingException on parsing errors. 164 */ X509CertInfo(DerValue derVal)165 public X509CertInfo(DerValue derVal) throws CertificateParsingException { 166 try { 167 parse(derVal); 168 } catch (IOException e) { 169 throw new CertificateParsingException(e); 170 } 171 } 172 173 /** 174 * Appends the certificate to an output stream. 175 * 176 * @param out an output stream to which the certificate is appended. 177 * @exception CertificateException on encoding errors. 178 * @exception IOException on other errors. 179 */ encode(OutputStream out)180 public void encode(OutputStream out) 181 throws CertificateException, IOException { 182 if (rawCertInfo == null) { 183 DerOutputStream tmp = new DerOutputStream(); 184 emit(tmp); 185 rawCertInfo = tmp.toByteArray(); 186 } 187 out.write(rawCertInfo.clone()); 188 } 189 190 /** 191 * Return an enumeration of names of attributes existing within this 192 * attribute. 193 */ getElements()194 public Enumeration<String> getElements() { 195 AttributeNameEnumeration elements = new AttributeNameEnumeration(); 196 elements.addElement(VERSION); 197 elements.addElement(SERIAL_NUMBER); 198 elements.addElement(ALGORITHM_ID); 199 elements.addElement(ISSUER); 200 elements.addElement(VALIDITY); 201 elements.addElement(SUBJECT); 202 elements.addElement(KEY); 203 elements.addElement(ISSUER_ID); 204 elements.addElement(SUBJECT_ID); 205 elements.addElement(EXTENSIONS); 206 207 return elements.elements(); 208 } 209 210 /** 211 * Return the name of this attribute. 212 */ getName()213 public String getName() { 214 return(NAME); 215 } 216 217 /** 218 * Returns the encoded certificate info. 219 * 220 * @exception CertificateEncodingException on encoding information errors. 221 */ getEncodedInfo()222 public byte[] getEncodedInfo() throws CertificateEncodingException { 223 try { 224 if (rawCertInfo == null) { 225 DerOutputStream tmp = new DerOutputStream(); 226 emit(tmp); 227 rawCertInfo = tmp.toByteArray(); 228 } 229 return rawCertInfo.clone(); 230 } catch (IOException e) { 231 throw new CertificateEncodingException(e.toString()); 232 } catch (CertificateException e) { 233 throw new CertificateEncodingException(e.toString()); 234 } 235 } 236 237 /** 238 * Compares two X509CertInfo objects. This is false if the 239 * certificates are not both X.509 certs, otherwise it 240 * compares them as binary data. 241 * 242 * @param other the object being compared with this one 243 * @return true iff the certificates are equivalent 244 */ equals(Object other)245 public boolean equals(Object other) { 246 if (other instanceof X509CertInfo) { 247 return equals((X509CertInfo) other); 248 } else { 249 return false; 250 } 251 } 252 253 /** 254 * Compares two certificates, returning false if any data 255 * differs between the two. 256 * 257 * @param other the object being compared with this one 258 * @return true iff the certificates are equivalent 259 */ equals(X509CertInfo other)260 public boolean equals(X509CertInfo other) { 261 if (this == other) { 262 return(true); 263 } else if (rawCertInfo == null || other.rawCertInfo == null) { 264 return(false); 265 } else if (rawCertInfo.length != other.rawCertInfo.length) { 266 return(false); 267 } 268 for (int i = 0; i < rawCertInfo.length; i++) { 269 if (rawCertInfo[i] != other.rawCertInfo[i]) { 270 return(false); 271 } 272 } 273 return(true); 274 } 275 276 /** 277 * Calculates a hash code value for the object. Objects 278 * which are equal will also have the same hashcode. 279 */ hashCode()280 public int hashCode() { 281 int retval = 0; 282 283 for (int i = 1; i < rawCertInfo.length; i++) { 284 retval += rawCertInfo[i] * i; 285 } 286 return(retval); 287 } 288 289 /** 290 * Returns a printable representation of the certificate. 291 */ toString()292 public String toString() { 293 294 if (subject == null || pubKey == null || interval == null 295 || issuer == null || algId == null || serialNum == null) { 296 throw new NullPointerException("X.509 cert is incomplete"); 297 } 298 StringBuilder sb = new StringBuilder(); 299 300 sb.append("[\n"); 301 sb.append(" " + version.toString() + "\n"); 302 sb.append(" Subject: " + subject.toString() + "\n"); 303 sb.append(" Signature Algorithm: " + algId.toString() + "\n"); 304 sb.append(" Key: " + pubKey.toString() + "\n"); 305 sb.append(" " + interval.toString() + "\n"); 306 sb.append(" Issuer: " + issuer.toString() + "\n"); 307 sb.append(" " + serialNum.toString() + "\n"); 308 309 // optional v2, v3 extras 310 if (issuerUniqueId != null) { 311 sb.append(" Issuer Id:\n" + issuerUniqueId.toString() + "\n"); 312 } 313 if (subjectUniqueId != null) { 314 sb.append(" Subject Id:\n" + subjectUniqueId.toString() + "\n"); 315 } 316 if (extensions != null) { 317 Collection<Extension> allExts = extensions.getAllExtensions(); 318 Extension[] exts = allExts.toArray(new Extension[0]); 319 sb.append("\nCertificate Extensions: " + exts.length); 320 for (int i = 0; i < exts.length; i++) { 321 sb.append("\n[" + (i+1) + "]: "); 322 Extension ext = exts[i]; 323 try { 324 if (OIDMap.getClass(ext.getExtensionId()) == null) { 325 sb.append(ext.toString()); 326 byte[] extValue = ext.getExtensionValue(); 327 if (extValue != null) { 328 DerOutputStream out = new DerOutputStream(); 329 out.putOctetString(extValue); 330 extValue = out.toByteArray(); 331 HexDumpEncoder enc = new HexDumpEncoder(); 332 sb.append("Extension unknown: " 333 + "DER encoded OCTET string =\n" 334 + enc.encodeBuffer(extValue) + "\n"); 335 } 336 } else 337 sb.append(ext.toString()); //sub-class exists 338 } catch (Exception e) { 339 sb.append(", Error parsing this extension"); 340 } 341 } 342 Map<String,Extension> invalid = extensions.getUnparseableExtensions(); 343 if (invalid.isEmpty() == false) { 344 sb.append("\nUnparseable certificate extensions: " + invalid.size()); 345 int i = 1; 346 for (Extension ext : invalid.values()) { 347 sb.append("\n[" + (i++) + "]: "); 348 sb.append(ext); 349 } 350 } 351 } 352 sb.append("\n]"); 353 return sb.toString(); 354 } 355 356 /** 357 * Set the certificate attribute. 358 * 359 * @params name the name of the Certificate attribute. 360 * @params val the value of the Certificate attribute. 361 * @exception CertificateException on invalid attributes. 362 * @exception IOException on other errors. 363 */ set(String name, Object val)364 public void set(String name, Object val) 365 throws CertificateException, IOException { 366 X509AttributeName attrName = new X509AttributeName(name); 367 368 int attr = attributeMap(attrName.getPrefix()); 369 if (attr == 0) { 370 throw new CertificateException("Attribute name not recognized: " 371 + name); 372 } 373 // set rawCertInfo to null, so that we are forced to re-encode 374 rawCertInfo = null; 375 String suffix = attrName.getSuffix(); 376 377 switch (attr) { 378 case ATTR_VERSION: 379 if (suffix == null) { 380 setVersion(val); 381 } else { 382 version.set(suffix, val); 383 } 384 break; 385 386 case ATTR_SERIAL: 387 if (suffix == null) { 388 setSerialNumber(val); 389 } else { 390 serialNum.set(suffix, val); 391 } 392 break; 393 394 case ATTR_ALGORITHM: 395 if (suffix == null) { 396 setAlgorithmId(val); 397 } else { 398 algId.set(suffix, val); 399 } 400 break; 401 402 case ATTR_ISSUER: 403 setIssuer(val); 404 break; 405 406 case ATTR_VALIDITY: 407 if (suffix == null) { 408 setValidity(val); 409 } else { 410 interval.set(suffix, val); 411 } 412 break; 413 414 case ATTR_SUBJECT: 415 setSubject(val); 416 break; 417 418 case ATTR_KEY: 419 if (suffix == null) { 420 setKey(val); 421 } else { 422 pubKey.set(suffix, val); 423 } 424 break; 425 426 case ATTR_ISSUER_ID: 427 setIssuerUniqueId(val); 428 break; 429 430 case ATTR_SUBJECT_ID: 431 setSubjectUniqueId(val); 432 break; 433 434 case ATTR_EXTENSIONS: 435 if (suffix == null) { 436 setExtensions(val); 437 } else { 438 if (extensions == null) 439 extensions = new CertificateExtensions(); 440 extensions.set(suffix, val); 441 } 442 break; 443 } 444 } 445 446 /** 447 * Delete the certificate attribute. 448 * 449 * @params name the name of the Certificate attribute. 450 * @exception CertificateException on invalid attributes. 451 * @exception IOException on other errors. 452 */ delete(String name)453 public void delete(String name) 454 throws CertificateException, IOException { 455 X509AttributeName attrName = new X509AttributeName(name); 456 457 int attr = attributeMap(attrName.getPrefix()); 458 if (attr == 0) { 459 throw new CertificateException("Attribute name not recognized: " 460 + name); 461 } 462 // set rawCertInfo to null, so that we are forced to re-encode 463 rawCertInfo = null; 464 String suffix = attrName.getSuffix(); 465 466 switch (attr) { 467 case ATTR_VERSION: 468 if (suffix == null) { 469 version = null; 470 } else { 471 version.delete(suffix); 472 } 473 break; 474 case (ATTR_SERIAL): 475 if (suffix == null) { 476 serialNum = null; 477 } else { 478 serialNum.delete(suffix); 479 } 480 break; 481 case (ATTR_ALGORITHM): 482 if (suffix == null) { 483 algId = null; 484 } else { 485 algId.delete(suffix); 486 } 487 break; 488 case (ATTR_ISSUER): 489 issuer = null; 490 break; 491 case (ATTR_VALIDITY): 492 if (suffix == null) { 493 interval = null; 494 } else { 495 interval.delete(suffix); 496 } 497 break; 498 case (ATTR_SUBJECT): 499 subject = null; 500 break; 501 case (ATTR_KEY): 502 if (suffix == null) { 503 pubKey = null; 504 } else { 505 pubKey.delete(suffix); 506 } 507 break; 508 case (ATTR_ISSUER_ID): 509 issuerUniqueId = null; 510 break; 511 case (ATTR_SUBJECT_ID): 512 subjectUniqueId = null; 513 break; 514 case (ATTR_EXTENSIONS): 515 if (suffix == null) { 516 extensions = null; 517 } else { 518 if (extensions != null) 519 extensions.delete(suffix); 520 } 521 break; 522 } 523 } 524 525 /** 526 * Get the certificate attribute. 527 * 528 * @params name the name of the Certificate attribute. 529 * 530 * @exception CertificateException on invalid attributes. 531 * @exception IOException on other errors. 532 */ get(String name)533 public Object get(String name) 534 throws CertificateException, IOException { 535 X509AttributeName attrName = new X509AttributeName(name); 536 537 int attr = attributeMap(attrName.getPrefix()); 538 if (attr == 0) { 539 throw new CertificateParsingException( 540 "Attribute name not recognized: " + name); 541 } 542 String suffix = attrName.getSuffix(); 543 544 switch (attr) { // frequently used attributes first 545 case (ATTR_EXTENSIONS): 546 if (suffix == null) { 547 return(extensions); 548 } else { 549 if (extensions == null) { 550 return null; 551 } else { 552 return(extensions.get(suffix)); 553 } 554 } 555 case (ATTR_SUBJECT): 556 if (suffix == null) { 557 return(subject); 558 } else { 559 return(getX500Name(suffix, false)); 560 } 561 case (ATTR_ISSUER): 562 if (suffix == null) { 563 return(issuer); 564 } else { 565 return(getX500Name(suffix, true)); 566 } 567 case (ATTR_KEY): 568 if (suffix == null) { 569 return(pubKey); 570 } else { 571 return(pubKey.get(suffix)); 572 } 573 case (ATTR_ALGORITHM): 574 if (suffix == null) { 575 return(algId); 576 } else { 577 return(algId.get(suffix)); 578 } 579 case (ATTR_VALIDITY): 580 if (suffix == null) { 581 return(interval); 582 } else { 583 return(interval.get(suffix)); 584 } 585 case (ATTR_VERSION): 586 if (suffix == null) { 587 return(version); 588 } else { 589 return(version.get(suffix)); 590 } 591 case (ATTR_SERIAL): 592 if (suffix == null) { 593 return(serialNum); 594 } else { 595 return(serialNum.get(suffix)); 596 } 597 case (ATTR_ISSUER_ID): 598 return(issuerUniqueId); 599 case (ATTR_SUBJECT_ID): 600 return(subjectUniqueId); 601 } 602 return null; 603 } 604 605 /* 606 * Get the Issuer or Subject name 607 */ getX500Name(String name, boolean getIssuer)608 private Object getX500Name(String name, boolean getIssuer) 609 throws IOException { 610 if (name.equalsIgnoreCase(X509CertInfo.DN_NAME)) { 611 return getIssuer ? issuer : subject; 612 } else if (name.equalsIgnoreCase("x500principal")) { 613 return getIssuer ? issuer.asX500Principal() 614 : subject.asX500Principal(); 615 } else { 616 throw new IOException("Attribute name not recognized."); 617 } 618 } 619 620 /* 621 * This routine unmarshals the certificate information. 622 */ parse(DerValue val)623 private void parse(DerValue val) 624 throws CertificateParsingException, IOException { 625 DerInputStream in; 626 DerValue tmp; 627 628 if (val.tag != DerValue.tag_Sequence) { 629 throw new CertificateParsingException("signed fields invalid"); 630 } 631 rawCertInfo = val.toByteArray(); 632 633 in = val.data; 634 635 // Version 636 tmp = in.getDerValue(); 637 if (tmp.isContextSpecific((byte)0)) { 638 version = new CertificateVersion(tmp); 639 tmp = in.getDerValue(); 640 } 641 642 // Serial number ... an integer 643 serialNum = new CertificateSerialNumber(tmp); 644 645 // Algorithm Identifier 646 algId = new CertificateAlgorithmId(in); 647 648 // Issuer name 649 issuer = new X500Name(in); 650 if (issuer.isEmpty()) { 651 throw new CertificateParsingException( 652 "Empty issuer DN not allowed in X509Certificates"); 653 } 654 655 // validity: SEQUENCE { start date, end date } 656 interval = new CertificateValidity(in); 657 658 // subject name 659 subject = new X500Name(in); 660 if ((version.compare(CertificateVersion.V1) == 0) && 661 subject.isEmpty()) { 662 throw new CertificateParsingException( 663 "Empty subject DN not allowed in v1 certificate"); 664 } 665 666 // public key 667 pubKey = new CertificateX509Key(in); 668 669 // If more data available, make sure version is not v1. 670 if (in.available() != 0) { 671 if (version.compare(CertificateVersion.V1) == 0) { 672 throw new CertificateParsingException( 673 "no more data allowed for version 1 certificate"); 674 } 675 } else { 676 return; 677 } 678 679 // Get the issuerUniqueId if present 680 tmp = in.getDerValue(); 681 if (tmp.isContextSpecific((byte)1)) { 682 issuerUniqueId = new UniqueIdentity(tmp); 683 if (in.available() == 0) 684 return; 685 tmp = in.getDerValue(); 686 } 687 688 // Get the subjectUniqueId if present. 689 if (tmp.isContextSpecific((byte)2)) { 690 subjectUniqueId = new UniqueIdentity(tmp); 691 if (in.available() == 0) 692 return; 693 tmp = in.getDerValue(); 694 } 695 696 // Get the extensions. 697 if (version.compare(CertificateVersion.V3) != 0) { 698 throw new CertificateParsingException( 699 "Extensions not allowed in v2 certificate"); 700 } 701 if (tmp.isConstructed() && tmp.isContextSpecific((byte)3)) { 702 extensions = new CertificateExtensions(tmp.data); 703 } 704 705 // verify X.509 V3 Certificate 706 verifyCert(subject, extensions); 707 708 } 709 710 /* 711 * Verify if X.509 V3 Certificate is compliant with RFC 5280. 712 */ verifyCert(X500Name subject, CertificateExtensions extensions)713 private void verifyCert(X500Name subject, 714 CertificateExtensions extensions) 715 throws CertificateParsingException, IOException { 716 717 // if SubjectName is empty, check for SubjectAlternativeNameExtension 718 if (subject.isEmpty()) { 719 if (extensions == null) { 720 throw new CertificateParsingException("X.509 Certificate is " + 721 "incomplete: subject field is empty, and certificate " + 722 "has no extensions"); 723 } 724 SubjectAlternativeNameExtension subjectAltNameExt = null; 725 SubjectAlternativeNameExtension extValue = null; 726 GeneralNames names = null; 727 try { 728 subjectAltNameExt = (SubjectAlternativeNameExtension) 729 extensions.get(SubjectAlternativeNameExtension.NAME); 730 names = subjectAltNameExt.get( 731 SubjectAlternativeNameExtension.SUBJECT_NAME); 732 } catch (IOException e) { 733 throw new CertificateParsingException("X.509 Certificate is " + 734 "incomplete: subject field is empty, and " + 735 "SubjectAlternativeName extension is absent"); 736 } 737 738 // SubjectAlternativeName extension is empty or not marked critical 739 if (names == null || names.isEmpty()) { 740 throw new CertificateParsingException("X.509 Certificate is " + 741 "incomplete: subject field is empty, and " + 742 "SubjectAlternativeName extension is empty"); 743 } else if (subjectAltNameExt.isCritical() == false) { 744 throw new CertificateParsingException("X.509 Certificate is " + 745 "incomplete: SubjectAlternativeName extension MUST " + 746 "be marked critical when subject field is empty"); 747 } 748 } 749 } 750 751 /* 752 * Marshal the contents of a "raw" certificate into a DER sequence. 753 */ emit(DerOutputStream out)754 private void emit(DerOutputStream out) 755 throws CertificateException, IOException { 756 DerOutputStream tmp = new DerOutputStream(); 757 758 // version number, iff not V1 759 version.encode(tmp); 760 761 // Encode serial number, issuer signing algorithm, issuer name 762 // and validity 763 serialNum.encode(tmp); 764 algId.encode(tmp); 765 766 if ((version.compare(CertificateVersion.V1) == 0) && 767 (issuer.toString() == null)) 768 throw new CertificateParsingException( 769 "Null issuer DN not allowed in v1 certificate"); 770 771 issuer.encode(tmp); 772 interval.encode(tmp); 773 774 // Encode subject (principal) and associated key 775 if ((version.compare(CertificateVersion.V1) == 0) && 776 (subject.toString() == null)) 777 throw new CertificateParsingException( 778 "Null subject DN not allowed in v1 certificate"); 779 subject.encode(tmp); 780 pubKey.encode(tmp); 781 782 // Encode issuerUniqueId & subjectUniqueId. 783 if (issuerUniqueId != null) { 784 issuerUniqueId.encode(tmp, DerValue.createTag(DerValue.TAG_CONTEXT, 785 false,(byte)1)); 786 } 787 if (subjectUniqueId != null) { 788 subjectUniqueId.encode(tmp, DerValue.createTag(DerValue.TAG_CONTEXT, 789 false,(byte)2)); 790 } 791 792 // Write all the extensions. 793 if (extensions != null) { 794 extensions.encode(tmp); 795 } 796 797 // Wrap the data; encoding of the "raw" cert is now complete. 798 out.write(DerValue.tag_Sequence, tmp); 799 } 800 801 /** 802 * Returns the integer attribute number for the passed attribute name. 803 */ attributeMap(String name)804 private int attributeMap(String name) { 805 Integer num = map.get(name); 806 if (num == null) { 807 return 0; 808 } 809 return num.intValue(); 810 } 811 812 /** 813 * Set the version number of the certificate. 814 * 815 * @params val the Object class value for the Extensions 816 * @exception CertificateException on invalid data. 817 */ setVersion(Object val)818 private void setVersion(Object val) throws CertificateException { 819 if (!(val instanceof CertificateVersion)) { 820 throw new CertificateException("Version class type invalid."); 821 } 822 version = (CertificateVersion)val; 823 } 824 825 /** 826 * Set the serial number of the certificate. 827 * 828 * @params val the Object class value for the CertificateSerialNumber 829 * @exception CertificateException on invalid data. 830 */ setSerialNumber(Object val)831 private void setSerialNumber(Object val) throws CertificateException { 832 if (!(val instanceof CertificateSerialNumber)) { 833 throw new CertificateException("SerialNumber class type invalid."); 834 } 835 serialNum = (CertificateSerialNumber)val; 836 } 837 838 /** 839 * Set the algorithm id of the certificate. 840 * 841 * @params val the Object class value for the AlgorithmId 842 * @exception CertificateException on invalid data. 843 */ setAlgorithmId(Object val)844 private void setAlgorithmId(Object val) throws CertificateException { 845 if (!(val instanceof CertificateAlgorithmId)) { 846 throw new CertificateException( 847 "AlgorithmId class type invalid."); 848 } 849 algId = (CertificateAlgorithmId)val; 850 } 851 852 /** 853 * Set the issuer name of the certificate. 854 * 855 * @params val the Object class value for the issuer 856 * @exception CertificateException on invalid data. 857 */ setIssuer(Object val)858 private void setIssuer(Object val) throws CertificateException { 859 if (!(val instanceof X500Name)) { 860 throw new CertificateException( 861 "Issuer class type invalid."); 862 } 863 issuer = (X500Name)val; 864 } 865 866 /** 867 * Set the validity interval of the certificate. 868 * 869 * @params val the Object class value for the CertificateValidity 870 * @exception CertificateException on invalid data. 871 */ setValidity(Object val)872 private void setValidity(Object val) throws CertificateException { 873 if (!(val instanceof CertificateValidity)) { 874 throw new CertificateException( 875 "CertificateValidity class type invalid."); 876 } 877 interval = (CertificateValidity)val; 878 } 879 880 /** 881 * Set the subject name of the certificate. 882 * 883 * @params val the Object class value for the Subject 884 * @exception CertificateException on invalid data. 885 */ setSubject(Object val)886 private void setSubject(Object val) throws CertificateException { 887 if (!(val instanceof X500Name)) { 888 throw new CertificateException( 889 "Subject class type invalid."); 890 } 891 subject = (X500Name)val; 892 } 893 894 /** 895 * Set the public key in the certificate. 896 * 897 * @params val the Object class value for the PublicKey 898 * @exception CertificateException on invalid data. 899 */ setKey(Object val)900 private void setKey(Object val) throws CertificateException { 901 if (!(val instanceof CertificateX509Key)) { 902 throw new CertificateException( 903 "Key class type invalid."); 904 } 905 pubKey = (CertificateX509Key)val; 906 } 907 908 /** 909 * Set the Issuer Unique Identity in the certificate. 910 * 911 * @params val the Object class value for the IssuerUniqueId 912 * @exception CertificateException 913 */ setIssuerUniqueId(Object val)914 private void setIssuerUniqueId(Object val) throws CertificateException { 915 if (version.compare(CertificateVersion.V2) < 0) { 916 throw new CertificateException("Invalid version"); 917 } 918 if (!(val instanceof UniqueIdentity)) { 919 throw new CertificateException( 920 "IssuerUniqueId class type invalid."); 921 } 922 issuerUniqueId = (UniqueIdentity)val; 923 } 924 925 /** 926 * Set the Subject Unique Identity in the certificate. 927 * 928 * @params val the Object class value for the SubjectUniqueId 929 * @exception CertificateException 930 */ setSubjectUniqueId(Object val)931 private void setSubjectUniqueId(Object val) throws CertificateException { 932 if (version.compare(CertificateVersion.V2) < 0) { 933 throw new CertificateException("Invalid version"); 934 } 935 if (!(val instanceof UniqueIdentity)) { 936 throw new CertificateException( 937 "SubjectUniqueId class type invalid."); 938 } 939 subjectUniqueId = (UniqueIdentity)val; 940 } 941 942 /** 943 * Set the extensions in the certificate. 944 * 945 * @params val the Object class value for the Extensions 946 * @exception CertificateException 947 */ setExtensions(Object val)948 private void setExtensions(Object val) throws CertificateException { 949 if (version.compare(CertificateVersion.V3) < 0) { 950 throw new CertificateException("Invalid version"); 951 } 952 if (!(val instanceof CertificateExtensions)) { 953 throw new CertificateException( 954 "Extensions class type invalid."); 955 } 956 extensions = (CertificateExtensions)val; 957 } 958 } 959