| blob | 4115fffacfa560cd5c4a7e9575affdc75bc84e88 |
1 /* X509CertSelector.java -- selects X.509 certificates by criteria.
2 Copyright (C) 2004, 2005, 2006 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19 02110-1301 USA.
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
24 combination.
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
71 /**
72 * A concrete implementation of {@link CertSelector} for X.509 certificates,
73 * which allows a number of criteria to be set when accepting certificates,
74 * from validity dates, to issuer and subject distinguished names, to some
75 * of the various X.509 extensions.
76 *
77 * <p>Use of this class requires extensive knowledge of the Internet
78 * Engineering Task Force's Public Key Infrastructure (X.509). The primary
79 * document describing this standard is <a
80 * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
81 * Public Key Infrastructure Certificate and Certificate Revocation List
82 * (CRL) Profile</a>.
83 *
84 * <p>Note that this class is not thread-safe. If multiple threads will
85 * use or modify this class then they need to synchronize on the object.
86 *
87 * @author Casey Marshall (csm@gnu.org)
88 * @since 1.4
89 */
91 {
93 // Constants and fields.
94 // -------------------------------------------------------------------------
101 {
104 }
107 {
111 {
138 }
140 }
161 /**
162 * Creates a new X.509 certificate selector. The new selector will be
163 * empty, and will accept any certificate (provided that it is an
164 * {@link X509Certificate}).
165 */
167 {
169 }
171 /**
172 * Add a name to match in the NameConstraints extension. The argument is
173 * the DER-encoded bytes of a GeneralName structure.
174 *
175 * See the method {@link #addSubjectAlternativeName(int, byte[])} for the
176 * format of the GeneralName structure.
177 *
178 * @param id The name identifier. Must be between 0 and 8.
179 * @param name The DER-encoded bytes of the name to match.
180 * @throws IOException If the name DER is malformed.
181 */
183 {
188 }
190 /**
191 * Add a name to match in the NameConstraints extension. This method will
192 * only recognize certain types of name that have convenient string
193 * encodings. For robustness, you should use the {@link
194 * #addPathToName(int, byte[])} method whenever possible.
195 *
196 * @param id The name identifier. Must be between 0 and 8.
197 * @param name The name.
198 * @throws IOException If the name cannot be decoded.
199 */
201 {
206 }
208 /**
209 * Add a name, as DER-encoded bytes, to the subject alternative names
210 * criterion.
211 *
212 * The name is a GeneralName structure, which has the ASN.1 format:
213 *
214 * <pre>
215 GeneralName ::= CHOICE {
216 otherName [0] OtherName,
217 rfc822Name [1] IA5String,
218 dNSName [2] IA5String,
219 x400Address [3] ORAddress,
220 directoryName [4] Name,
221 ediPartyName [5] EDIPartyName,
222 uniformResourceIdentifier [6] IA5String,
223 iPAddress [7] OCTET STRING,
224 registeredID [8] OBJECT IDENTIFIER }
225 </pre>
226 *
227 * @param id The type of name this is.
228 * @param name The DER-encoded name.
229 * @throws IOException If the name is not a valid DER sequence.
230 */
232 throws IOException
233 {
238 }
240 /**
241 * Add a name to the subject alternative names criterion. This method will
242 * only recognize certain types of name that have convenient string
243 * encodings. For robustness, you should use the {@link
244 * #addSubjectAlternativeName(int, byte[])} method whenever possible.
245 *
246 * This method can only decode certain name kinds of names as strings.
247 *
248 * @param id The type of name this is. Must be in the range [0,8].
249 * @param name The name.
250 * @throws IOException If the id is out of range, or if the name
251 * is null.
252 */
254 throws IOException
255 {
260 }
263 {
264 try
265 {
267 }
269 {
271 }
272 }
274 /**
275 * Returns the authority key identifier criterion, or <code>null</code> if
276 * this value was not set. Note that the byte array is cloned to prevent
277 * modification.
278 *
279 * @return The authority key identifier.
280 */
282 {
285 else
287 }
289 /**
290 * Returns the basic constraints criterion, or -1 if this value is not set.
291 *
292 * @return The basic constraints.
293 */
295 {
297 }
299 /**
300 * Returns the certificate criterion, or <code>null</code> if this value
301 * was not set.
302 *
303 * @return The certificate.
304 */
306 {
308 }
310 /**
311 * Returns the date at which certificates must be valid, or <code>null</code>
312 * if this criterion was not set.
313 *
314 * @return The target certificate valitity date.
315 */
317 {
320 else
322 }
324 /**
325 * Returns the set of extended key purpose IDs, as an unmodifiable set
326 * of OID strings. Returns <code>null</code> if this criterion is not
327 * set.
328 *
329 * @return The set of key purpose OIDs (strings).
330 */
332 {
335 else
337 }
339 /**
340 * Returns the issuer criterion as a sequence of DER bytes, or
341 * <code>null</code> if this value was not set.
342 *
343 * @return The issuer.
344 */
346 {
349 else
351 }
353 /**
354 * Returns the issuer criterion as a string, or <code>null</code> if this
355 * value was not set.
356 *
357 * @return The issuer.
358 */
360 {
363 else
365 }
367 /**
368 * Returns the public key usage criterion, or <code>null</code> if this
369 * value is not set. Note that the array is cloned to prevent modification.
370 *
371 * @return The public key usage.
372 */
374 {
377 else
379 }
381 /**
382 * Returns whether or not all specified alternative names must match.
383 * If false, a certificate is considered a match if <em>one</em> of the
384 * specified alternative names matches.
385 *
386 * @return true if all names must match.
387 */
389 {
391 }
393 /**
394 * Returns the name constraints criterion, or <code>null</code> if this
395 * value is not set. Note that the byte array is cloned to prevent
396 * modification.
397 *
398 * @return The name constraints.
399 */
401 {
404 else
406 }
409 {
411 {
414 {
419 }
422 }
424 }
426 /**
427 * Returns the certificate policy extension that will be matched by this
428 * selector, or null if the certificate policy will not be matched.
429 *
430 * @return The policy to be matched, or null.
431 */
433 {
436 {
439 {
441 }
443 }
445 }
447 /**
448 * This method, and its related X.509 certificate extension — the
449 * private key usage period — is not supported under the Internet
450 * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
451 * method is not supported either.
452 *
453 * <p>Do not use this method. It is not deprecated, as it is not deprecated
454 * in the Java standard, but it is basically a no-operation and simply
455 * returns <code>null</code>.
456 *
457 * @return Null.
458 */
460 {
462 }
464 /**
465 * Returns the serial number criterion, or <code>null</code> if this
466 * value was not set.
467 *
468 * @return The serial number.
469 */
471 {
473 }
475 /**
476 * Get the subject alternative names criterion. The collection returned
477 * is a collection of pairs: the first element is an {@link Integer}
478 * containing the name type, and the second is a byte array containing
479 * the DER-encoded name bytes.
480 *
481 * @return The subject alternative names criterion. Returns null if this
482 * criterion is not set.
483 */
485 {
487 {
490 {
495 }
497 }
499 }
501 /**
502 * Returns the subject criterion as a sequence of DER bytes, or
503 * <code>null</code> if this value is not set.
504 *
505 * @return The subject.
506 */
508 {
511 else
513 }
515 /**
516 * Returns the subject criterion as a string, of <code>null</code> if
517 * this value was not set.
518 *
519 * @return The subject.
520 */
522 {
525 else
527 }
529 /**
530 * Returns the subject key identifier criterion, or <code>null</code> if
531 * this value was not set. Note that the byte array is cloned to prevent
532 * modification.
533 *
534 * @return The subject key identifier.
535 */
537 {
540 else
542 }
544 /**
545 * Returns the subject public key criterion, or <code>null</code> if this
546 * value is not set.
547 *
548 * @return The subject public key.
549 */
551 {
553 }
555 /**
556 * Returns the public key algorithm ID that matching certificates must have,
557 * or <code>null</code> if this criterion was not set.
558 *
559 * @return The public key algorithm ID.
560 */
562 {
564 }
566 /**
567 * Match a certificate. This method will check the given certificate
568 * against all the enabled criteria of this selector, and will return
569 * <code>true</code> if the given certificate matches.
570 *
571 * @param certificate The certificate to check.
572 * @return true if the certificate matches all criteria.
573 */
575 {
580 {
581 try
582 {
587 }
589 {
591 }
592 }
594 {
597 }
599 {
600 try
601 {
603 }
605 {
607 }
608 }
610 {
613 }
615 {
618 }
620 {
623 }
625 {
629 }
631 {
635 }
637 {
641 }
643 {
646 }
648 {
650 try
651 {
653 }
655 {
657 }
661 {
664 }
665 }
667 {
669 try
670 {
672 }
674 {
676 }
681 {
683 {
684 try
685 {
692 {
695 }
696 else
699 match++;
700 }
702 {
704 }
705 }
708 }
709 }
711 {
715 }
718 {
721 {
724 }
725 else
726 {
729 try
730 {
732 }
734 {
735 // ignored
736 }
737 }
743 }
746 {
749 {
750 Extension e =
754 }
755 else
756 {
759 {
760 try
761 {
763 }
765 {
766 }
767 }
768 }
775 {
777 {
779 match++;
780 }
781 }
784 }
787 }
789 /**
790 * Sets the authority key identifier criterion, or <code>null</code> to clear
791 * this criterion. Note that the byte array is cloned to prevent modification.
792 *
793 * @param authKeyId The authority key identifier.
794 */
796 {
798 }
800 /**
801 * Sets the basic constraints criterion. Specify -1 to clear this parameter.
802 *
803 * @param basicConstraints The new basic constraints value.
804 */
806 {
810 }
812 /**
813 * Sets the certificate criterion. If set, only certificates that are
814 * equal to the certificate passed here will be accepted.
815 *
816 * @param cert The certificate.
817 */
819 {
821 }
823 /**
824 * Sets the date at which certificates must be valid. Specify
825 * <code>null</code> to clear this criterion.
826 *
827 * @param certValid The certificate validity date.
828 */
830 {
832 }
834 /**
835 * Sets the extended key usage criterion, as a set of OID strings. Specify
836 * <code>null</code> to clear this value.
837 *
838 * @param keyPurposeSet The set of key purpose OIDs.
839 * @throws IOException If any element of the set is not a valid OID string.
840 */
842 {
844 {
847 }
850 {
854 try
855 {
860 }
862 {
866 }
867 }
869 }
871 /**
872 * Sets the issuer, specified as the DER encoding of the issuer's
873 * distinguished name. Only certificates issued by this issuer will
874 * be accepted.
875 *
876 * @param name The DER encoding of the issuer's distinguished name.
877 * @throws IOException If the given name is incorrectly formatted.
878 */
880 {
882 {
883 try
884 {
886 }
888 {
890 }
891 }
892 else
894 }
896 /**
897 * Sets the issuer, specified as a string representation of the issuer's
898 * distinguished name. Only certificates issued by this issuer will
899 * be accepted.
900 *
901 * @param name The string representation of the issuer's distinguished name.
902 * @throws IOException If the given name is incorrectly formatted.
903 */
905 {
907 {
908 try
909 {
911 }
913 {
915 }
916 }
917 else
919 }
921 /**
922 * Sets the public key usage criterion. Specify <code>null</code> to clear
923 * this value.
924 *
925 * @param keyUsage The public key usage.
926 */
928 {
930 }
932 /**
933 * Sets whether or not all subject alternative names must be matched.
934 * If false, then a certificate will be considered a match if one
935 * alternative name matches.
936 *
937 * @param matchAllNames Whether or not all alternative names must be
938 * matched.
939 */
941 {
943 }
945 /**
946 * Sets the name constraints criterion; specify <code>null</code> to
947 * clear this criterion. Note that if non-null, the argument will be
948 * cloned to prevent modification.
949 *
950 * @param nameConstraints The new name constraints.
951 * @throws IOException If the argument is not a valid DER-encoded
952 * name constraints.
953 */
955 throws IOException
956 {
957 // Check if the input is well-formed...
960 // But we just compare raw byte arrays.
963 }
965 /**
966 * Sets the pathToNames criterion. The argument is a collection of
967 * pairs, the first element of which is an {@link Integer} giving
968 * the ID of the name, and the second element is either a {@link String}
969 * or a byte array.
970 *
971 * See {@link #addPathToName(int, byte[])} and {@link #addPathToName(int, String)}
972 * for how these arguments are handled.
973 *
974 * @param names The names.
975 * @throws IOException If any argument is malformed.
976 */
978 {
980 {
982 }
983 else
984 {
987 {
994 else
997 }
998 }
999 }
1001 /**
1002 * Sets the certificate policy to match, or null if this criterion should
1003 * not be checked. Each element if the set must be a dotted-decimal form
1004 * of certificate policy object identifier.
1005 *
1006 * @param policy The policy to match.
1007 * @throws IOException If some element of the policy is not a valid
1008 * policy extenison OID.
1009 */
1011 {
1013 {
1016 {
1017 try
1018 {
1024 }
1026 {
1028 }
1030 {
1034 }
1035 }
1037 }
1038 else
1040 }
1042 /**
1043 * This method, and its related X.509 certificate extension — the
1044 * private key usage period — is not supported under the Internet
1045 * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
1046 * method is not supported either.
1047 *
1048 * <p>Do not use this method. It is not deprecated, as it is not deprecated
1049 * in the Java standard, but it is basically a no-operation.
1050 *
1051 * @param UNUSED Is silently ignored.
1052 */
1054 {
1055 }
1057 /**
1058 * Sets the serial number of the desired certificate. Only certificates that
1059 * contain this serial number are accepted.
1060 *
1061 * @param serialNo The serial number.
1062 */
1064 {
1066 }
1068 /**
1069 * Sets the subject, specified as the DER encoding of the subject's
1070 * distinguished name. Only certificates with the given subject will
1071 * be accepted.
1072 *
1073 * @param name The DER encoding of the subject's distinguished name.
1074 * @throws IOException If the given name is incorrectly formatted.
1075 */
1077 {
1079 {
1080 try
1081 {
1083 }
1085 {
1087 }
1088 }
1089 else
1091 }
1093 /**
1094 * Sets the subject, specified as a string representation of the
1095 * subject's distinguished name. Only certificates with the given
1096 * subject will be accepted.
1097 *
1098 * @param name The string representation of the subject's distinguished name.
1099 * @throws IOException If the given name is incorrectly formatted.
1100 */
1102 {
1104 {
1105 try
1106 {
1108 }
1110 {
1112 }
1113 }
1114 else
1116 }
1118 /**
1119 * Sets the subject alternative names critertion. Each element of the
1120 * argument must be a {@link java.util.List} that contains exactly two
1121 * elements: the first an {@link Integer}, representing the type of
1122 * name, and the second either a {@link String} or a byte array,
1123 * representing the name itself.
1124 *
1125 * @param altNames The alternative names.
1126 * @throws IOException If any element of the argument is invalid.
1127 */
1129 throws IOException
1130 {
1132 {
1135 }
1138 {
1146 else
1149 }
1151 }
1153 /**
1154 * Sets the subject key identifier criterion, or <code>null</code> to clear
1155 * this criterion. Note that the byte array is cloned to prevent modification.
1156 *
1157 * @param subjectKeyId The subject key identifier.
1158 */
1160 {
1163 }
1165 /**
1166 * Sets the subject public key criterion as a DER-encoded key. Specify
1167 * <code>null</code> to clear this value.
1168 *
1169 * @param key The DER-encoded key bytes.
1170 * @throws IOException If the argument is not a valid DER-encoded key.
1171 */
1173 {
1175 {
1179 }
1180 try
1181 {
1185 }
1187 {
1193 }
1194 }
1196 /**
1197 * Sets the subject public key criterion as an opaque representation.
1198 * Specify <code>null</code> to clear this criterion.
1199 *
1200 * @param key The public key.
1201 */
1203 {
1206 {
1209 }
1210 try
1211 {
1215 }
1217 {
1220 }
1221 }
1223 /**
1224 * Sets the public key algorithm ID that matching certificates must have.
1225 * Specify <code>null</code> to clear this criterion.
1226 *
1227 * @param sigId The public key ID.
1228 * @throws IOException If the specified ID is not a valid object identifier.
1229 */
1231 {
1233 {
1234 try
1235 {
1241 }
1243 {
1247 }
1248 }
1249 else
1251 }
1254 {
1276 {
1279 {
1284 }
1286 }
1288 {
1291 {
1296 }
1298 }
1300 {
1305 }
1318 }
1319 }