linkerlau/my-jdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(jdk8): move files to new folder to avoid resources compiled.

Browse Source
This commit is contained in:
linkerlau
2025-09-07 15:25:52 +08:00
parent 3f0047bf6f
commit 8c35cfb1c0
17415 changed files with 217 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
jdkSrc/jdk8/java/security/cert/CRL.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* This class is an abstraction of certificate revocation lists (CRLs) that
* have different formats but important common uses. For example, all CRLs
* share the functionality of listing revoked certificates, and can be queried
* on whether or not they list a given certificate.
* <p>
* Specialized CRL types can be defined by subclassing off of this abstract
* class.
*
* @author Hemma Prafullchandra
*
*
* @see X509CRL
* @see CertificateFactory
*
* @since 1.2
*/
public abstract class CRL {
// the CRL type
private String type;
/**
* Creates a CRL of the specified type.
*
* @param type the standard name of the CRL type.
* See Appendix A in the <a href=
* "../../../../technotes/guides/security/crypto/CryptoSpec.html#AppA">
* Java Cryptography Architecture API Specification &amp; Reference </a>
* for information about standard CRL types.
*/
protected CRL(String type) {
this.type = type;
}
/**
* Returns the type of this CRL.
*
* @return the type of this CRL.
*/
public final String getType() {
return this.type;
}
/**
* Returns a string representation of this CRL.
*
* @return a string representation of this CRL.
*/
public abstract String toString();
/**
* Checks whether the given certificate is on this CRL.
*
* @param cert the certificate to check for.
* @return true if the given certificate is on this CRL,
* false otherwise.
*/
public abstract boolean isRevoked(Certificate cert);
}

88
jdkSrc/jdk8/java/security/cert/CRLException.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.GeneralSecurityException;
/**
* CRL (Certificate Revocation List) Exception.
*
* @author Hemma Prafullchandra
*/
public class CRLException extends GeneralSecurityException {
private static final long serialVersionUID = -6694728944094197147L;
/**
* Constructs a CRLException with no detail message. A
* detail message is a String that describes this particular
* exception.
*/
public CRLException() {
super();
}
/**
* Constructs a CRLException with the specified detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param message the detail message.
*/
public CRLException(String message) {
super(message);
}
/**
* Creates a {@code CRLException} with the specified
* detail message and cause.
*
* @param message the detail message (which is saved for later retrieval
* by the {@link #getMessage()} method).
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CRLException(String message, Throwable cause) {
super(message, cause);
}
/**
* Creates a {@code CRLException} with the specified cause
* and a detail message of {@code (cause==null ? null : cause.toString())}
* (which typically contains the class and detail message of
* {@code cause}).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CRLException(Throwable cause) {
super(cause);
}
}

104
jdkSrc/jdk8/java/security/cert/CRLReason.java Normal file
View File

@@ -0,0 +1,104 @@
/*
* Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* The CRLReason enumeration specifies the reason that a certificate
* is revoked, as defined in <a href="http://tools.ietf.org/html/rfc5280">
* RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL
* Profile</a>.
*
* @author Sean Mullan
* @since 1.7
* @see X509CRLEntry#getRevocationReason
* @see CertificateRevokedException#getRevocationReason
*/
public enum CRLReason {
/**
* This reason indicates that it is unspecified as to why the
* certificate has been revoked.
*/
UNSPECIFIED,
/**
* This reason indicates that it is known or suspected that the
* certificate subject's private key has been compromised. It applies
* to end-entity certificates only.
*/
KEY_COMPROMISE,
/**
* This reason indicates that it is known or suspected that the
* certificate subject's private key has been compromised. It applies
* to certificate authority (CA) certificates only.
*/
CA_COMPROMISE,
/**
* This reason indicates that the subject's name or other information
* has changed.
*/
AFFILIATION_CHANGED,
/**
* This reason indicates that the certificate has been superseded.
*/
SUPERSEDED,
/**
* This reason indicates that the certificate is no longer needed.
*/
CESSATION_OF_OPERATION,
/**
* This reason indicates that the certificate has been put on hold.
*/
CERTIFICATE_HOLD,
/**
* Unused reason.
*/
UNUSED,
/**
* This reason indicates that the certificate was previously on hold
* and should be removed from the CRL. It is for use with delta CRLs.
*/
REMOVE_FROM_CRL,
/**
* This reason indicates that the privileges granted to the subject of
* the certificate have been withdrawn.
*/
PRIVILEGE_WITHDRAWN,
/**
* This reason indicates that it is known or suspected that the
* certificate subject's private key has been compromised. It applies
* to authority attribute (AA) certificates only.
*/
AA_COMPROMISE
}

66
jdkSrc/jdk8/java/security/cert/CRLSelector.java Normal file
View File

@@ -0,0 +1,66 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A selector that defines a set of criteria for selecting {@code CRL}s.
* Classes that implement this interface are often used to specify
* which {@code CRL}s should be retrieved from a {@code CertStore}.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this interface are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CRL
* @see CertStore
* @see CertStore#getCRLs
*
* @author Steve Hanna
* @since 1.4
*/
public interface CRLSelector extends Cloneable {
/**
* Decides whether a {@code CRL} should be selected.
*
* @param crl the {@code CRL} to be checked
* @return {@code true} if the {@code CRL} should be selected,
* {@code false} otherwise
*/
boolean match(CRL crl);
/**
* Makes a copy of this {@code CRLSelector}. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this {@code CRLSelector}
*/
Object clone();
}

343
jdkSrc/jdk8/java/security/cert/CertPath.java Normal file
View File

@@ -0,0 +1,343 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.ByteArrayInputStream;
import java.io.NotSerializableException;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.util.Iterator;
import java.util.List;
/**
* An immutable sequence of certificates (a certification path).
* <p>
* This is an abstract class that defines the methods common to all
* {@code CertPath}s. Subclasses can handle different kinds of
* certificates (X.509, PGP, etc.).
* <p>
* All {@code CertPath} objects have a type, a list of
* {@code Certificate}s, and one or more supported encodings. Because the
* {@code CertPath} class is immutable, a {@code CertPath} cannot
* change in any externally visible way after being constructed. This
* stipulation applies to all public fields and methods of this class and any
* added or overridden by subclasses.
* <p>
* The type is a {@code String} that identifies the type of
* {@code Certificate}s in the certification path. For each
* certificate {@code cert} in a certification path {@code certPath},
* {@code cert.getType().equals(certPath.getType())} must be
* {@code true}.
* <p>
* The list of {@code Certificate}s is an ordered {@code List} of
* zero or more {@code Certificate}s. This {@code List} and all
* of the {@code Certificate}s contained in it must be immutable.
* <p>
* Each {@code CertPath} object must support one or more encodings
* so that the object can be translated into a byte array for storage or
* transmission to other parties. Preferably, these encodings should be
* well-documented standards (such as PKCS#7). One of the encodings supported
* by a {@code CertPath} is considered the default encoding. This
* encoding is used if no encoding is explicitly requested (for the
* {@link #getEncoded() getEncoded()} method, for instance).
* <p>
* All {@code CertPath} objects are also {@code Serializable}.
* {@code CertPath} objects are resolved into an alternate
* {@link CertPathRep CertPathRep} object during serialization. This allows
* a {@code CertPath} object to be serialized into an equivalent
* representation regardless of its underlying implementation.
* <p>
* {@code CertPath} objects can be created with a
* {@code CertificateFactory} or they can be returned by other classes,
* such as a {@code CertPathBuilder}.
* <p>
* By convention, X.509 {@code CertPath}s (consisting of
* {@code X509Certificate}s), are ordered starting with the target
* certificate and ending with a certificate issued by the trust anchor. That
* is, the issuer of one certificate is the subject of the following one. The
* certificate representing the {@link TrustAnchor TrustAnchor} should not be
* included in the certification path. Unvalidated X.509 {@code CertPath}s
* may not follow these conventions. PKIX {@code CertPathValidator}s will
* detect any departure from these conventions that cause the certification
* path to be invalid and throw a {@code CertPathValidatorException}.
*
* <p> Every implementation of the Java platform is required to support the
* following standard {@code CertPath} encodings:
* <ul>
* <li>{@code PKCS7}</li>
* <li>{@code PkiPath}</li>
* </ul>
* These encodings are described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathEncodings">
* CertPath Encodings section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
* Consult the release documentation for your implementation to see if any
* other encodings are supported.
* <p>
* <b>Concurrent Access</b>
* <p>
* All {@code CertPath} objects must be thread-safe. That is, multiple
* threads may concurrently invoke the methods defined in this class on a
* single {@code CertPath} object (or more than one) with no
* ill effects. This is also true for the {@code List} returned by
* {@code CertPath.getCertificates}.
* <p>
* Requiring {@code CertPath} objects to be immutable and thread-safe
* allows them to be passed around to various pieces of code without worrying
* about coordinating access. Providing this thread-safety is
* generally not difficult, since the {@code CertPath} and
* {@code List} objects in question are immutable.
*
* @see CertificateFactory
* @see CertPathBuilder
*
* @author Yassir Elley
* @since 1.4
*/
public abstract class CertPath implements Serializable {
private static final long serialVersionUID = 6068470306649138683L;
private String type; // the type of certificates in this chain
/**
* Creates a {@code CertPath} of the specified type.
* <p>
* This constructor is protected because most users should use a
* {@code CertificateFactory} to create {@code CertPath}s.
*
* @param type the standard name of the type of
* {@code Certificate}s in this path
*/
protected CertPath(String type) {
this.type = type;
}
/**
* Returns the type of {@code Certificate}s in this certification
* path. This is the same string that would be returned by
* {@link java.security.cert.Certificate#getType() cert.getType()}
* for all {@code Certificate}s in the certification path.
*
* @return the type of {@code Certificate}s in this certification
* path (never null)
*/
public String getType() {
return type;
}
/**
* Returns an iteration of the encodings supported by this certification
* path, with the default encoding first. Attempts to modify the returned
* {@code Iterator} via its {@code remove} method result in an
* {@code UnsupportedOperationException}.
*
* @return an {@code Iterator} over the names of the supported
* encodings (as Strings)
*/
public abstract Iterator<String> getEncodings();
/**
* Compares this certification path for equality with the specified
* object. Two {@code CertPath}s are equal if and only if their
* types are equal and their certificate {@code List}s (and by
* implication the {@code Certificate}s in those {@code List}s)
* are equal. A {@code CertPath} is never equal to an object that is
* not a {@code CertPath}.
* <p>
* This algorithm is implemented by this method. If it is overridden,
* the behavior specified here must be maintained.
*
* @param other the object to test for equality with this certification path
* @return true if the specified object is equal to this certification path,
* false otherwise
*/
public boolean equals(Object other) {
if (this == other)
return true;
if (! (other instanceof CertPath))
return false;
CertPath otherCP = (CertPath) other;
if (! otherCP.getType().equals(type))
return false;
List<? extends Certificate> thisCertList = this.getCertificates();
List<? extends Certificate> otherCertList = otherCP.getCertificates();
return(thisCertList.equals(otherCertList));
}
/**
* Returns the hashcode for this certification path. The hash code of
* a certification path is defined to be the result of the following
* calculation:
* <pre>{@code
* hashCode = path.getType().hashCode();
* hashCode = 31*hashCode + path.getCertificates().hashCode();
* }</pre>
* This ensures that {@code path1.equals(path2)} implies that
* {@code path1.hashCode()==path2.hashCode()} for any two certification
* paths, {@code path1} and {@code path2}, as required by the
* general contract of {@code Object.hashCode}.
*
* @return the hashcode value for this certification path
*/
public int hashCode() {
int hashCode = type.hashCode();
hashCode = 31*hashCode + getCertificates().hashCode();
return hashCode;
}
/**
* Returns a string representation of this certification path.
* This calls the {@code toString} method on each of the
* {@code Certificate}s in the path.
*
* @return a string representation of this certification path
*/
public String toString() {
StringBuffer sb = new StringBuffer();
Iterator<? extends Certificate> stringIterator =
getCertificates().iterator();
sb.append("\n" + type + " Cert Path: length = "
+ getCertificates().size() + ".\n");
sb.append("[\n");
int i = 1;
while (stringIterator.hasNext()) {
sb.append("=========================================="
+ "===============Certificate " + i + " start.\n");
Certificate stringCert = stringIterator.next();
sb.append(stringCert.toString());
sb.append("\n========================================"
+ "=================Certificate " + i + " end.\n\n\n");
i++;
}
sb.append("\n]");
return sb.toString();
}
/**
* Returns the encoded form of this certification path, using the default
* encoding.
*
* @return the encoded bytes
* @exception CertificateEncodingException if an encoding error occurs
*/
public abstract byte[] getEncoded()
throws CertificateEncodingException;
/**
* Returns the encoded form of this certification path, using the
* specified encoding.
*
* @param encoding the name of the encoding to use
* @return the encoded bytes
* @exception CertificateEncodingException if an encoding error occurs or
* the encoding requested is not supported
*/
public abstract byte[] getEncoded(String encoding)
throws CertificateEncodingException;
/**
* Returns the list of certificates in this certification path.
* The {@code List} returned must be immutable and thread-safe.
*
* @return an immutable {@code List} of {@code Certificate}s
* (may be empty, but not null)
*/
public abstract List<? extends Certificate> getCertificates();
/**
* Replaces the {@code CertPath} to be serialized with a
* {@code CertPathRep} object.
*
* @return the {@code CertPathRep} to be serialized
*
* @throws ObjectStreamException if a {@code CertPathRep} object
* representing this certification path could not be created
*/
protected Object writeReplace() throws ObjectStreamException {
try {
return new CertPathRep(type, getEncoded());
} catch (CertificateException ce) {
NotSerializableException nse =
new NotSerializableException
("java.security.cert.CertPath: " + type);
nse.initCause(ce);
throw nse;
}
}
/**
* Alternate {@code CertPath} class for serialization.
* @since 1.4
*/
protected static class CertPathRep implements Serializable {
private static final long serialVersionUID = 3015633072427920915L;
/** The Certificate type */
private String type;
/** The encoded form of the cert path */
private byte[] data;
/**
* Creates a {@code CertPathRep} with the specified
* type and encoded form of a certification path.
*
* @param type the standard name of a {@code CertPath} type
* @param data the encoded form of the certification path
*/
protected CertPathRep(String type, byte[] data) {
this.type = type;
this.data = data;
}
/**
* Returns a {@code CertPath} constructed from the type and data.
*
* @return the resolved {@code CertPath} object
*
* @throws ObjectStreamException if a {@code CertPath} could not
* be constructed
*/
protected Object readResolve() throws ObjectStreamException {
try {
CertificateFactory cf = CertificateFactory.getInstance(type);
return cf.generateCertPath(new ByteArrayInputStream(data));
} catch (CertificateException ce) {
NotSerializableException nse =
new NotSerializableException
("java.security.cert.CertPath: " + type);
nse.initCause(ce);
throw nse;
}
}
}
}

331
jdkSrc/jdk8/java/security/cert/CertPathBuilder.java Normal file
View File

@@ -0,0 +1,331 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import sun.security.util.Debug;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
/**
* A class for building certification paths (also known as certificate chains).
* <p>
* This class uses a provider-based architecture.
* To create a {@code CertPathBuilder}, call
* one of the static {@code getInstance} methods, passing in the
* algorithm name of the {@code CertPathBuilder} desired and optionally
* the name of the provider desired.
*
* <p>Once a {@code CertPathBuilder} object has been created, certification
* paths can be constructed by calling the {@link #build build} method and
* passing it an algorithm-specific set of parameters. If successful, the
* result (including the {@code CertPath} that was built) is returned
* in an object that implements the {@code CertPathBuilderResult}
* interface.
*
* <p>The {@link #getRevocationChecker} method allows an application to specify
* additional algorithm-specific parameters and options used by the
* {@code CertPathBuilder} when checking the revocation status of certificates.
* Here is an example demonstrating how it is used with the PKIX algorithm:
*
* <pre>
* CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
* PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker();
* rc.setOptions(EnumSet.of(Option.PREFER_CRLS));
* params.addCertPathChecker(rc);
* CertPathBuilderResult cpbr = cpb.build(params);
* </pre>
*
* <p>Every implementation of the Java platform is required to support the
* following standard {@code CertPathBuilder} algorithm:
* <ul>
* <li>{@code PKIX}</li>
* </ul>
* This algorithm is described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathBuilder">
* CertPathBuilder section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
* Consult the release documentation for your implementation to see if any
* other algorithms are supported.
*
* <p>
* <b>Concurrent Access</b>
* <p>
* The static methods of this class are guaranteed to be thread-safe.
* Multiple threads may concurrently invoke the static methods defined in
* this class with no ill effects.
* <p>
* However, this is not true for the non-static methods defined by this class.
* Unless otherwise documented by a specific provider, threads that need to
* access a single {@code CertPathBuilder} instance concurrently should
* synchronize amongst themselves and provide the necessary locking. Multiple
* threads each manipulating a different {@code CertPathBuilder} instance
* need not synchronize.
*
* @see CertPath
*
* @since 1.4
* @author Sean Mullan
* @author Yassir Elley
*/
public class CertPathBuilder {
/*
* Constant to lookup in the Security properties file to determine
* the default certpathbuilder type. In the Security properties file,
* the default certpathbuilder type is given as:
* <pre>
* certpathbuilder.type=PKIX
* </pre>
*/
private static final String CPB_TYPE = "certpathbuilder.type";
private final CertPathBuilderSpi builderSpi;
private final Provider provider;
private final String algorithm;
/**
* Creates a {@code CertPathBuilder} object of the given algorithm,
* and encapsulates the given provider implementation (SPI object) in it.
*
* @param builderSpi the provider implementation
* @param provider the provider
* @param algorithm the algorithm name
*/
protected CertPathBuilder(CertPathBuilderSpi builderSpi, Provider provider,
String algorithm)
{
this.builderSpi = builderSpi;
this.provider = provider;
this.algorithm = algorithm;
}
/**
* Returns a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* <p> This method traverses the list of registered security Providers,
* starting with the most preferred Provider.
* A new CertPathBuilder object encapsulating the
* CertPathBuilderSpi implementation from the first
* Provider that supports the specified algorithm is returned.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param algorithm the name of the requested {@code CertPathBuilder}
* algorithm. See the CertPathBuilder section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathBuilder">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @return a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* @throws NoSuchAlgorithmException if no Provider supports a
* CertPathBuilderSpi implementation for the
* specified algorithm.
*
* @see java.security.Provider
*/
public static CertPathBuilder getInstance(String algorithm)
throws NoSuchAlgorithmException {
Instance instance = GetInstance.getInstance("CertPathBuilder",
CertPathBuilderSpi.class, algorithm);
return new CertPathBuilder((CertPathBuilderSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* <p> A new CertPathBuilder object encapsulating the
* CertPathBuilderSpi implementation from the specified provider
* is returned. The specified provider must be registered
* in the security provider list.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param algorithm the name of the requested {@code CertPathBuilder}
* algorithm. See the CertPathBuilder section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathBuilder">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @param provider the name of the provider.
*
* @return a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* @throws NoSuchAlgorithmException if a CertPathBuilderSpi
* implementation for the specified algorithm is not
* available from the specified provider.
*
* @throws NoSuchProviderException if the specified provider is not
* registered in the security provider list.
*
* @exception IllegalArgumentException if the {@code provider} is
* null or empty.
*
* @see java.security.Provider
*/
public static CertPathBuilder getInstance(String algorithm, String provider)
throws NoSuchAlgorithmException, NoSuchProviderException {
Instance instance = GetInstance.getInstance("CertPathBuilder",
CertPathBuilderSpi.class, algorithm, provider);
return new CertPathBuilder((CertPathBuilderSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* <p> A new CertPathBuilder object encapsulating the
* CertPathBuilderSpi implementation from the specified Provider
* object is returned. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* @param algorithm the name of the requested {@code CertPathBuilder}
* algorithm. See the CertPathBuilder section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathBuilder">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @param provider the provider.
*
* @return a {@code CertPathBuilder} object that implements the
* specified algorithm.
*
* @exception NoSuchAlgorithmException if a CertPathBuilderSpi
* implementation for the specified algorithm is not available
* from the specified Provider object.
*
* @exception IllegalArgumentException if the {@code provider} is
* null.
*
* @see java.security.Provider
*/
public static CertPathBuilder getInstance(String algorithm,
Provider provider) throws NoSuchAlgorithmException {
Instance instance = GetInstance.getInstance("CertPathBuilder",
CertPathBuilderSpi.class, algorithm, provider);
return new CertPathBuilder((CertPathBuilderSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns the provider of this {@code CertPathBuilder}.
*
* @return the provider of this {@code CertPathBuilder}
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Returns the name of the algorithm of this {@code CertPathBuilder}.
*
* @return the name of the algorithm of this {@code CertPathBuilder}
*/
public final String getAlgorithm() {
return this.algorithm;
}
/**
* Attempts to build a certification path using the specified algorithm
* parameter set.
*
* @param params the algorithm parameters
* @return the result of the build algorithm
* @throws CertPathBuilderException if the builder is unable to construct
* a certification path that satisfies the specified parameters
* @throws InvalidAlgorithmParameterException if the specified parameters
* are inappropriate for this {@code CertPathBuilder}
*/
public final CertPathBuilderResult build(CertPathParameters params)
throws CertPathBuilderException, InvalidAlgorithmParameterException
{
return builderSpi.engineBuild(params);
}
/**
* Returns the default {@code CertPathBuilder} type as specified by
* the {@code certpathbuilder.type} security property, or the string
* {@literal "PKIX"} if no such property exists.
*
* <p>The default {@code CertPathBuilder} type can be used by
* applications that do not want to use a hard-coded type when calling one
* of the {@code getInstance} methods, and want to provide a default
* type in case a user does not specify its own.
*
* <p>The default {@code CertPathBuilder} type can be changed by
* setting the value of the {@code certpathbuilder.type} security property
* to the desired type.
*
* @see java.security.Security security properties
* @return the default {@code CertPathBuilder} type as specified
* by the {@code certpathbuilder.type} security property, or the string
* {@literal "PKIX"} if no such property exists.
*/
public final static String getDefaultType() {
String cpbtype =
AccessController.doPrivileged(new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(CPB_TYPE);
}
});
return (cpbtype == null) ? "PKIX" : cpbtype;
}
/**
* Returns a {@code CertPathChecker} that the encapsulated
* {@code CertPathBuilderSpi} implementation uses to check the revocation
* status of certificates. A PKIX implementation returns objects of
* type {@code PKIXRevocationChecker}. Each invocation of this method
* returns a new instance of {@code CertPathChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description for an example.
*
* @return a {@code CertPathChecker}
* @throws UnsupportedOperationException if the service provider does not
* support this method
* @since 1.8
*/
public final CertPathChecker getRevocationChecker() {
return builderSpi.engineGetRevocationChecker();
}
}

104
jdkSrc/jdk8/java/security/cert/CertPathBuilderException.java Normal file
View File

@@ -0,0 +1,104 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.GeneralSecurityException;
/**
* An exception indicating one of a variety of problems encountered when
* building a certification path with a {@code CertPathBuilder}.
* <p>
* A {@code CertPathBuilderException} provides support for wrapping
* exceptions. The {@link #getCause getCause} method returns the throwable,
* if any, that caused this exception to be thrown.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathBuilder
*
* @since 1.4
* @author Sean Mullan
*/
public class CertPathBuilderException extends GeneralSecurityException {
private static final long serialVersionUID = 5316471420178794402L;
/**
* Creates a {@code CertPathBuilderException} with {@code null}
* as its detail message.
*/
public CertPathBuilderException() {
super();
}
/**
* Creates a {@code CertPathBuilderException} with the given
* detail message. The detail message is a {@code String} that
* describes this particular exception in more detail.
*
* @param msg the detail message
*/
public CertPathBuilderException(String msg) {
super(msg);
}
/**
* Creates a {@code CertPathBuilderException} that wraps the specified
* throwable. This allows any exception to be converted into a
* {@code CertPathBuilderException}, while retaining information
* about the wrapped exception, which may be useful for debugging. The
* detail message is set to ({@code cause==null ? null : cause.toString()})
* (which typically contains the class and detail message of
* cause).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathBuilderException(Throwable cause) {
super(cause);
}
/**
* Creates a {@code CertPathBuilderException} with the specified
* detail message and cause.
*
* @param msg the detail message
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathBuilderException(String msg, Throwable cause) {
super(msg, cause);
}
}

68
jdkSrc/jdk8/java/security/cert/CertPathBuilderResult.java Normal file
View File

@@ -0,0 +1,68 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A specification of the result of a certification path builder algorithm.
* All results returned by the {@link CertPathBuilder#build
* CertPathBuilder.build} method must implement this interface.
* <p>
* At a minimum, a {@code CertPathBuilderResult} contains the
* {@code CertPath} built by the {@code CertPathBuilder} instance.
* Implementations of this interface may add methods to return implementation
* or algorithm specific information, such as debugging information or
* certification path validation results.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this interface are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathBuilder
*
* @since 1.4
* @author Sean Mullan
*/
public interface CertPathBuilderResult extends Cloneable {
/**
* Returns the built certification path.
*
* @return the certification path (never {@code null})
*/
CertPath getCertPath();
/**
* Makes a copy of this {@code CertPathBuilderResult}. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this {@code CertPathBuilderResult}
*/
Object clone();
}

98
jdkSrc/jdk8/java/security/cert/CertPathBuilderSpi.java Normal file
View File

@@ -0,0 +1,98 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.InvalidAlgorithmParameterException;
/**
* The <i>Service Provider Interface</i> (<b>SPI</b>)
* for the {@link CertPathBuilder CertPathBuilder} class. All
* {@code CertPathBuilder} implementations must include a class (the
* SPI class) that extends this class ({@code CertPathBuilderSpi}) and
* implements all of its methods. In general, instances of this class should
* only be accessed through the {@code CertPathBuilder} class. For
* details, see the Java Cryptography Architecture.
* <p>
* <b>Concurrent Access</b>
* <p>
* Instances of this class need not be protected against concurrent
* access from multiple threads. Threads that need to access a single
* {@code CertPathBuilderSpi} instance concurrently should synchronize
* amongst themselves and provide the necessary locking before calling the
* wrapping {@code CertPathBuilder} object.
* <p>
* However, implementations of {@code CertPathBuilderSpi} may still
* encounter concurrency issues, since multiple threads each
* manipulating a different {@code CertPathBuilderSpi} instance need not
* synchronize.
*
* @since 1.4
* @author Sean Mullan
*/
public abstract class CertPathBuilderSpi {
/**
* The default constructor.
*/
public CertPathBuilderSpi() { }
/**
* Attempts to build a certification path using the specified
* algorithm parameter set.
*
* @param params the algorithm parameters
* @return the result of the build algorithm
* @throws CertPathBuilderException if the builder is unable to construct
* a certification path that satisfies the specified parameters
* @throws InvalidAlgorithmParameterException if the specified parameters
* are inappropriate for this {@code CertPathBuilder}
*/
public abstract CertPathBuilderResult engineBuild(CertPathParameters params)
throws CertPathBuilderException, InvalidAlgorithmParameterException;
/**
* Returns a {@code CertPathChecker} that this implementation uses to
* check the revocation status of certificates. A PKIX implementation
* returns objects of type {@code PKIXRevocationChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description of {@code CertPathBuilder} for an example.
*
* <p>This method was added to version 1.8 of the Java Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method cannot be abstract and by default throws
* an {@code UnsupportedOperationException}.
*
* @return a {@code CertPathChecker} that this implementation uses to
* check the revocation status of certificates
* @throws UnsupportedOperationException if this method is not supported
* @since 1.8
*/
public CertPathChecker engineGetRevocationChecker() {
throw new UnsupportedOperationException();
}
}

77
jdkSrc/jdk8/java/security/cert/CertPathChecker.java Normal file
View File

@@ -0,0 +1,77 @@
/*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* <p>Performs one or more checks on each {@code Certificate} of a
* {@code CertPath}.
*
* <p>A {@code CertPathChecker} implementation is typically created to extend
* a certification path validation algorithm. For example, an implementation
* may check for and process a critical private extension of each certificate
* in a certification path.
*
* @since 1.8
*/
public interface CertPathChecker {
/**
* Initializes the internal state of this {@code CertPathChecker}.
*
* <p>The {@code forward} flag specifies the order that certificates will
* be passed to the {@link #check check} method (forward or reverse).
*
* @param forward the order that certificates are presented to the
* {@code check} method. If {@code true}, certificates are
* presented from target to trust anchor (forward); if
* {@code false}, from trust anchor to target (reverse).
* @throws CertPathValidatorException if this {@code CertPathChecker} is
* unable to check certificates in the specified order
*/
void init(boolean forward) throws CertPathValidatorException;
/**
* Indicates if forward checking is supported. Forward checking refers
* to the ability of the {@code CertPathChecker} to perform its checks
* when certificates are presented to the {@code check} method in the
* forward direction (from target to trust anchor).
*
* @return {@code true} if forward checking is supported, {@code false}
* otherwise
*/
boolean isForwardCheckingSupported();
/**
* Performs the check(s) on the specified certificate using its internal
* state. The certificates are presented in the order specified by the
* {@code init} method.
*
* @param cert the {@code Certificate} to be checked
* @throws CertPathValidatorException if the specified certificate does
* not pass the check
*/
void check(Certificate cert) throws CertPathValidatorException;
}

63
jdkSrc/jdk8/java/security/cert/CertPathHelperImpl.java Normal file
View File

@@ -0,0 +1,63 @@
/*
* Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.util.Date;
import sun.security.provider.certpath.CertPathHelper;
/**
* Helper class that allows the Sun CertPath provider to access
* implementation dependent APIs in CertPath framework.
*
* @author Andreas Sterbenz
*/
class CertPathHelperImpl extends CertPathHelper {
private CertPathHelperImpl() {
// empty
}
/**
* Initialize the helper framework. This method must be called from
* the static initializer of each class that is the target of one of
* the methods in this class. This ensures that the helper is initialized
* prior to a tunneled call from the Sun provider.
*/
synchronized static void initialize() {
if (CertPathHelper.instance == null) {
CertPathHelper.instance = new CertPathHelperImpl();
}
}
protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
sel.setDateAndTime(date, skew);
}
protected boolean implIsJdkCA(TrustAnchor anchor) {
return anchor.isJdkCA();
}
}

49
jdkSrc/jdk8/java/security/cert/CertPathParameters.java Normal file
View File

@@ -0,0 +1,49 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A specification of certification path algorithm parameters.
* The purpose of this interface is to group (and provide type safety for)
* all {@code CertPath} parameter specifications. All
* {@code CertPath} parameter specifications must implement this
* interface.
*
* @author Yassir Elley
* @see CertPathValidator#validate(CertPath, CertPathParameters)
* @see CertPathBuilder#build(CertPathParameters)
* @since 1.4
*/
public interface CertPathParameters extends Cloneable {
/**
* Makes a copy of this {@code CertPathParameters}. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this {@code CertPathParameters}
*/
Object clone();
}

343
jdkSrc/jdk8/java/security/cert/CertPathValidator.java Normal file
View File

@@ -0,0 +1,343 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import sun.security.util.Debug;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
/**
* A class for validating certification paths (also known as certificate
* chains).
* <p>
* This class uses a provider-based architecture.
* To create a {@code CertPathValidator},
* call one of the static {@code getInstance} methods, passing in the
* algorithm name of the {@code CertPathValidator} desired and
* optionally the name of the provider desired.
*
* <p>Once a {@code CertPathValidator} object has been created, it can
* be used to validate certification paths by calling the {@link #validate
* validate} method and passing it the {@code CertPath} to be validated
* and an algorithm-specific set of parameters. If successful, the result is
* returned in an object that implements the
* {@code CertPathValidatorResult} interface.
*
* <p>The {@link #getRevocationChecker} method allows an application to specify
* additional algorithm-specific parameters and options used by the
* {@code CertPathValidator} when checking the revocation status of
* certificates. Here is an example demonstrating how it is used with the PKIX
* algorithm:
*
* <pre>
* CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
* PKIXRevocationChecker rc = (PKIXRevocationChecker)cpv.getRevocationChecker();
* rc.setOptions(EnumSet.of(Option.SOFT_FAIL));
* params.addCertPathChecker(rc);
* CertPathValidatorResult cpvr = cpv.validate(path, params);
* </pre>
*
* <p>Every implementation of the Java platform is required to support the
* following standard {@code CertPathValidator} algorithm:
* <ul>
* <li>{@code PKIX}</li>
* </ul>
* This algorithm is described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator">
* CertPathValidator section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
* Consult the release documentation for your implementation to see if any
* other algorithms are supported.
*
* <p>
* <b>Concurrent Access</b>
* <p>
* The static methods of this class are guaranteed to be thread-safe.
* Multiple threads may concurrently invoke the static methods defined in
* this class with no ill effects.
* <p>
* However, this is not true for the non-static methods defined by this class.
* Unless otherwise documented by a specific provider, threads that need to
* access a single {@code CertPathValidator} instance concurrently should
* synchronize amongst themselves and provide the necessary locking. Multiple
* threads each manipulating a different {@code CertPathValidator}
* instance need not synchronize.
*
* @see CertPath
*
* @since 1.4
* @author Yassir Elley
*/
public class CertPathValidator {
/*
* Constant to lookup in the Security properties file to determine
* the default certpathvalidator type. In the Security properties file,
* the default certpathvalidator type is given as:
* <pre>
* certpathvalidator.type=PKIX
* </pre>
*/
private static final String CPV_TYPE = "certpathvalidator.type";
private final CertPathValidatorSpi validatorSpi;
private final Provider provider;
private final String algorithm;
/**
* Creates a {@code CertPathValidator} object of the given algorithm,
* and encapsulates the given provider implementation (SPI object) in it.
*
* @param validatorSpi the provider implementation
* @param provider the provider
* @param algorithm the algorithm name
*/
protected CertPathValidator(CertPathValidatorSpi validatorSpi,
Provider provider, String algorithm)
{
this.validatorSpi = validatorSpi;
this.provider = provider;
this.algorithm = algorithm;
}
/**
* Returns a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* <p> This method traverses the list of registered security Providers,
* starting with the most preferred Provider.
* A new CertPathValidator object encapsulating the
* CertPathValidatorSpi implementation from the first
* Provider that supports the specified algorithm is returned.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param algorithm the name of the requested {@code CertPathValidator}
* algorithm. See the CertPathValidator section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @return a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* @exception NoSuchAlgorithmException if no Provider supports a
* CertPathValidatorSpi implementation for the
* specified algorithm.
*
* @see java.security.Provider
*/
public static CertPathValidator getInstance(String algorithm)
throws NoSuchAlgorithmException {
Instance instance = GetInstance.getInstance("CertPathValidator",
CertPathValidatorSpi.class, algorithm);
return new CertPathValidator((CertPathValidatorSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* <p> A new CertPathValidator object encapsulating the
* CertPathValidatorSpi implementation from the specified provider
* is returned. The specified provider must be registered
* in the security provider list.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param algorithm the name of the requested {@code CertPathValidator}
* algorithm. See the CertPathValidator section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @param provider the name of the provider.
*
* @return a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* @exception NoSuchAlgorithmException if a CertPathValidatorSpi
* implementation for the specified algorithm is not
* available from the specified provider.
*
* @exception NoSuchProviderException if the specified provider is not
* registered in the security provider list.
*
* @exception IllegalArgumentException if the {@code provider} is
* null or empty.
*
* @see java.security.Provider
*/
public static CertPathValidator getInstance(String algorithm,
String provider) throws NoSuchAlgorithmException,
NoSuchProviderException {
Instance instance = GetInstance.getInstance("CertPathValidator",
CertPathValidatorSpi.class, algorithm, provider);
return new CertPathValidator((CertPathValidatorSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* <p> A new CertPathValidator object encapsulating the
* CertPathValidatorSpi implementation from the specified Provider
* object is returned. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* @param algorithm the name of the requested {@code CertPathValidator}
* algorithm. See the CertPathValidator section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard algorithm names.
*
* @param provider the provider.
*
* @return a {@code CertPathValidator} object that implements the
* specified algorithm.
*
* @exception NoSuchAlgorithmException if a CertPathValidatorSpi
* implementation for the specified algorithm is not available
* from the specified Provider object.
*
* @exception IllegalArgumentException if the {@code provider} is
* null.
*
* @see java.security.Provider
*/
public static CertPathValidator getInstance(String algorithm,
Provider provider) throws NoSuchAlgorithmException {
Instance instance = GetInstance.getInstance("CertPathValidator",
CertPathValidatorSpi.class, algorithm, provider);
return new CertPathValidator((CertPathValidatorSpi)instance.impl,
instance.provider, algorithm);
}
/**
* Returns the {@code Provider} of this
* {@code CertPathValidator}.
*
* @return the {@code Provider} of this {@code CertPathValidator}
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Returns the algorithm name of this {@code CertPathValidator}.
*
* @return the algorithm name of this {@code CertPathValidator}
*/
public final String getAlgorithm() {
return this.algorithm;
}
/**
* Validates the specified certification path using the specified
* algorithm parameter set.
* <p>
* The {@code CertPath} specified must be of a type that is
* supported by the validation algorithm, otherwise an
* {@code InvalidAlgorithmParameterException} will be thrown. For
* example, a {@code CertPathValidator} that implements the PKIX
* algorithm validates {@code CertPath} objects of type X.509.
*
* @param certPath the {@code CertPath} to be validated
* @param params the algorithm parameters
* @return the result of the validation algorithm
* @exception CertPathValidatorException if the {@code CertPath}
* does not validate
* @exception InvalidAlgorithmParameterException if the specified
* parameters or the type of the specified {@code CertPath} are
* inappropriate for this {@code CertPathValidator}
*/
public final CertPathValidatorResult validate(CertPath certPath,
CertPathParameters params)
throws CertPathValidatorException, InvalidAlgorithmParameterException
{
return validatorSpi.engineValidate(certPath, params);
}
/**
* Returns the default {@code CertPathValidator} type as specified by
* the {@code certpathvalidator.type} security property, or the string
* {@literal "PKIX"} if no such property exists.
*
* <p>The default {@code CertPathValidator} type can be used by
* applications that do not want to use a hard-coded type when calling one
* of the {@code getInstance} methods, and want to provide a default
* type in case a user does not specify its own.
*
* <p>The default {@code CertPathValidator} type can be changed by
* setting the value of the {@code certpathvalidator.type} security
* property to the desired type.
*
* @see java.security.Security security properties
* @return the default {@code CertPathValidator} type as specified
* by the {@code certpathvalidator.type} security property, or the string
* {@literal "PKIX"} if no such property exists.
*/
public final static String getDefaultType() {
String cpvtype =
AccessController.doPrivileged(new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(CPV_TYPE);
}
});
return (cpvtype == null) ? "PKIX" : cpvtype;
}
/**
* Returns a {@code CertPathChecker} that the encapsulated
* {@code CertPathValidatorSpi} implementation uses to check the revocation
* status of certificates. A PKIX implementation returns objects of
* type {@code PKIXRevocationChecker}. Each invocation of this method
* returns a new instance of {@code CertPathChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description for an example.
*
* @return a {@code CertPathChecker}
* @throws UnsupportedOperationException if the service provider does not
* support this method
* @since 1.8
*/
public final CertPathChecker getRevocationChecker() {
return validatorSpi.engineGetRevocationChecker();
}
}

296
jdkSrc/jdk8/java/security/cert/CertPathValidatorException.java Normal file
View File

@@ -0,0 +1,296 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.InvalidObjectException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.security.GeneralSecurityException;
/**
* An exception indicating one of a variety of problems encountered when
* validating a certification path.
* <p>
* A {@code CertPathValidatorException} provides support for wrapping
* exceptions. The {@link #getCause getCause} method returns the throwable,
* if any, that caused this exception to be thrown.
* <p>
* A {@code CertPathValidatorException} may also include the
* certification path that was being validated when the exception was thrown,
* the index of the certificate in the certification path that caused the
* exception to be thrown, and the reason that caused the failure. Use the
* {@link #getCertPath getCertPath}, {@link #getIndex getIndex}, and
* {@link #getReason getReason} methods to retrieve this information.
*
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathValidator
*
* @since 1.4
* @author Yassir Elley
*/
public class CertPathValidatorException extends GeneralSecurityException {
private static final long serialVersionUID = -3083180014971893139L;
/**
* @serial the index of the certificate in the certification path
* that caused the exception to be thrown
*/
private int index = -1;
/**
* @serial the {@code CertPath} that was being validated when
* the exception was thrown
*/
private CertPath certPath;
/**
* @serial the reason the validation failed
*/
private Reason reason = BasicReason.UNSPECIFIED;
/**
* Creates a {@code CertPathValidatorException} with
* no detail message.
*/
public CertPathValidatorException() {
this(null, null);
}
/**
* Creates a {@code CertPathValidatorException} with the given
* detail message. A detail message is a {@code String} that
* describes this particular exception.
*
* @param msg the detail message
*/
public CertPathValidatorException(String msg) {
this(msg, null);
}
/**
* Creates a {@code CertPathValidatorException} that wraps the
* specified throwable. This allows any exception to be converted into a
* {@code CertPathValidatorException}, while retaining information
* about the wrapped exception, which may be useful for debugging. The
* detail message is set to ({@code cause==null ? null : cause.toString()})
* (which typically contains the class and detail message of
* cause).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(Throwable cause) {
this((cause == null ? null : cause.toString()), cause);
}
/**
* Creates a {@code CertPathValidatorException} with the specified
* detail message and cause.
*
* @param msg the detail message
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(String msg, Throwable cause) {
this(msg, cause, null, -1);
}
/**
* Creates a {@code CertPathValidatorException} with the specified
* detail message, cause, certification path, and index.
*
* @param msg the detail message (or {@code null} if none)
* @param cause the cause (or {@code null} if none)
* @param certPath the certification path that was in the process of
* being validated when the error was encountered
* @param index the index of the certificate in the certification path
* that caused the error (or -1 if not applicable). Note that
* the list of certificates in a {@code CertPath} is zero based.
* @throws IndexOutOfBoundsException if the index is out of range
* {@code (index < -1 || (certPath != null && index >=
* certPath.getCertificates().size()) }
* @throws IllegalArgumentException if {@code certPath} is
* {@code null} and {@code index} is not -1
*/
public CertPathValidatorException(String msg, Throwable cause,
CertPath certPath, int index) {
this(msg, cause, certPath, index, BasicReason.UNSPECIFIED);
}
/**
* Creates a {@code CertPathValidatorException} with the specified
* detail message, cause, certification path, index, and reason.
*
* @param msg the detail message (or {@code null} if none)
* @param cause the cause (or {@code null} if none)
* @param certPath the certification path that was in the process of
* being validated when the error was encountered
* @param index the index of the certificate in the certification path
* that caused the error (or -1 if not applicable). Note that
* the list of certificates in a {@code CertPath} is zero based.
* @param reason the reason the validation failed
* @throws IndexOutOfBoundsException if the index is out of range
* {@code (index < -1 || (certPath != null && index >=
* certPath.getCertificates().size()) }
* @throws IllegalArgumentException if {@code certPath} is
* {@code null} and {@code index} is not -1
* @throws NullPointerException if {@code reason} is {@code null}
*
* @since 1.7
*/
public CertPathValidatorException(String msg, Throwable cause,
CertPath certPath, int index, Reason reason) {
super(msg, cause);
if (certPath == null && index != -1) {
throw new IllegalArgumentException();
}
if (index < -1 ||
(certPath != null && index >= certPath.getCertificates().size())) {
throw new IndexOutOfBoundsException();
}
if (reason == null) {
throw new NullPointerException("reason can't be null");
}
this.certPath = certPath;
this.index = index;
this.reason = reason;
}
/**
* Returns the certification path that was being validated when
* the exception was thrown.
*
* @return the {@code CertPath} that was being validated when
* the exception was thrown (or {@code null} if not specified)
*/
public CertPath getCertPath() {
return this.certPath;
}
/**
* Returns the index of the certificate in the certification path
* that caused the exception to be thrown. Note that the list of
* certificates in a {@code CertPath} is zero based. If no
* index has been set, -1 is returned.
*
* @return the index that has been set, or -1 if none has been set
*/
public int getIndex() {
return this.index;
}
/**
* Returns the reason that the validation failed. The reason is
* associated with the index of the certificate returned by
* {@link #getIndex}.
*
* @return the reason that the validation failed, or
* {@code BasicReason.UNSPECIFIED} if a reason has not been
* specified
*
* @since 1.7
*/
public Reason getReason() {
return this.reason;
}
private void readObject(ObjectInputStream stream)
throws ClassNotFoundException, IOException {
stream.defaultReadObject();
if (reason == null) {
reason = BasicReason.UNSPECIFIED;
}
if (certPath == null && index != -1) {
throw new InvalidObjectException("certpath is null and index != -1");
}
if (index < -1 ||
(certPath != null && index >= certPath.getCertificates().size())) {
throw new InvalidObjectException("index out of range");
}
}
/**
* The reason the validation algorithm failed.
*
* @since 1.7
*/
public static interface Reason extends java.io.Serializable { }
/**
* The BasicReason enumerates the potential reasons that a certification
* path of any type may be invalid.
*
* @since 1.7
*/
public static enum BasicReason implements Reason {
/**
* Unspecified reason.
*/
UNSPECIFIED,
/**
* The certificate is expired.
*/
EXPIRED,
/**
* The certificate is not yet valid.
*/
NOT_YET_VALID,
/**
* The certificate is revoked.
*/
REVOKED,
/**
* The revocation status of the certificate could not be determined.
*/
UNDETERMINED_REVOCATION_STATUS,
/**
* The signature is invalid.
*/
INVALID_SIGNATURE,
/**
* The public key or the signature algorithm has been constrained.
*/
ALGORITHM_CONSTRAINED
}
}

50
jdkSrc/jdk8/java/security/cert/CertPathValidatorResult.java Normal file
View File

@@ -0,0 +1,50 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A specification of the result of a certification path validator algorithm.
* <p>
* The purpose of this interface is to group (and provide type safety
* for) all certification path validator results. All results returned
* by the {@link CertPathValidator#validate CertPathValidator.validate}
* method must implement this interface.
*
* @see CertPathValidator
*
* @since 1.4
* @author Yassir Elley
*/
public interface CertPathValidatorResult extends Cloneable {
/**
* Makes a copy of this {@code CertPathValidatorResult}. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this {@code CertPathValidatorResult}
*/
Object clone();
}

108
jdkSrc/jdk8/java/security/cert/CertPathValidatorSpi.java Normal file
View File

@@ -0,0 +1,108 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.InvalidAlgorithmParameterException;
/**
*
* The <i>Service Provider Interface</i> (<b>SPI</b>)
* for the {@link CertPathValidator CertPathValidator} class. All
* {@code CertPathValidator} implementations must include a class (the
* SPI class) that extends this class ({@code CertPathValidatorSpi})
* and implements all of its methods. In general, instances of this class
* should only be accessed through the {@code CertPathValidator} class.
* For details, see the Java Cryptography Architecture.
* <p>
* <b>Concurrent Access</b>
* <p>
* Instances of this class need not be protected against concurrent
* access from multiple threads. Threads that need to access a single
* {@code CertPathValidatorSpi} instance concurrently should synchronize
* amongst themselves and provide the necessary locking before calling the
* wrapping {@code CertPathValidator} object.
* <p>
* However, implementations of {@code CertPathValidatorSpi} may still
* encounter concurrency issues, since multiple threads each
* manipulating a different {@code CertPathValidatorSpi} instance need not
* synchronize.
*
* @since 1.4
* @author Yassir Elley
*/
public abstract class CertPathValidatorSpi {
/**
* The default constructor.
*/
public CertPathValidatorSpi() {}
/**
* Validates the specified certification path using the specified
* algorithm parameter set.
* <p>
* The {@code CertPath} specified must be of a type that is
* supported by the validation algorithm, otherwise an
* {@code InvalidAlgorithmParameterException} will be thrown. For
* example, a {@code CertPathValidator} that implements the PKIX
* algorithm validates {@code CertPath} objects of type X.509.
*
* @param certPath the {@code CertPath} to be validated
* @param params the algorithm parameters
* @return the result of the validation algorithm
* @exception CertPathValidatorException if the {@code CertPath}
* does not validate
* @exception InvalidAlgorithmParameterException if the specified
* parameters or the type of the specified {@code CertPath} are
* inappropriate for this {@code CertPathValidator}
*/
public abstract CertPathValidatorResult
engineValidate(CertPath certPath, CertPathParameters params)
throws CertPathValidatorException, InvalidAlgorithmParameterException;
/**
* Returns a {@code CertPathChecker} that this implementation uses to
* check the revocation status of certificates. A PKIX implementation
* returns objects of type {@code PKIXRevocationChecker}.
*
* <p>The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description of {@code CertPathValidator} for an example.
*
* <p>This method was added to version 1.8 of the Java Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method cannot be abstract and by default throws
* an {@code UnsupportedOperationException}.
*
* @return a {@code CertPathChecker} that this implementation uses to
* check the revocation status of certificates
* @throws UnsupportedOperationException if this method is not supported
* @since 1.8
*/
public CertPathChecker engineGetRevocationChecker() {
throw new UnsupportedOperationException();
}
}

67
jdkSrc/jdk8/java/security/cert/CertSelector.java Normal file
View File

@@ -0,0 +1,67 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A selector that defines a set of criteria for selecting
* {@code Certificate}s. Classes that implement this interface
* are often used to specify which {@code Certificate}s should
* be retrieved from a {@code CertStore}.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this interface are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see Certificate
* @see CertStore
* @see CertStore#getCertificates
*
* @author Steve Hanna
* @since 1.4
*/
public interface CertSelector extends Cloneable {
/**
* Decides whether a {@code Certificate} should be selected.
*
* @param cert the {@code Certificate} to be checked
* @return {@code true} if the {@code Certificate}
* should be selected, {@code false} otherwise
*/
boolean match(Certificate cert);
/**
* Makes a copy of this {@code CertSelector}. Changes to the
* copy will not affect the original and vice versa.
*
* @return a copy of this {@code CertSelector}
*/
Object clone();
}

422
jdkSrc/jdk8/java/security/cert/CertStore.java Normal file
View File

@@ -0,0 +1,422 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import java.util.Collection;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
/**
* A class for retrieving {@code Certificate}s and {@code CRL}s
* from a repository.
* <p>
* This class uses a provider-based architecture.
* To create a {@code CertStore}, call one of the static
* {@code getInstance} methods, passing in the type of
* {@code CertStore} desired, any applicable initialization parameters
* and optionally the name of the provider desired.
* <p>
* Once the {@code CertStore} has been created, it can be used to
* retrieve {@code Certificate}s and {@code CRL}s by calling its
* {@link #getCertificates(CertSelector selector) getCertificates} and
* {@link #getCRLs(CRLSelector selector) getCRLs} methods.
* <p>
* Unlike a {@link java.security.KeyStore KeyStore}, which provides access
* to a cache of private keys and trusted certificates, a
* {@code CertStore} is designed to provide access to a potentially
* vast repository of untrusted certificates and CRLs. For example, an LDAP
* implementation of {@code CertStore} provides access to certificates
* and CRLs stored in one or more directories using the LDAP protocol and the
* schema as defined in the RFC service attribute.
*
* <p> Every implementation of the Java platform is required to support the
* following standard {@code CertStore} type:
* <ul>
* <li>{@code Collection}</li>
* </ul>
* This type is described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertStore">
* CertStore section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
* Consult the release documentation for your implementation to see if any
* other types are supported.
*
* <p>
* <b>Concurrent Access</b>
* <p>
* All public methods of {@code CertStore} objects must be thread-safe.
* That is, multiple threads may concurrently invoke these methods on a
* single {@code CertStore} object (or more than one) with no
* ill effects. This allows a {@code CertPathBuilder} to search for a
* CRL while simultaneously searching for further certificates, for instance.
* <p>
* The static methods of this class are also guaranteed to be thread-safe.
* Multiple threads may concurrently invoke the static methods defined in
* this class with no ill effects.
*
* @since 1.4
* @author Sean Mullan, Steve Hanna
*/
public class CertStore {
/*
* Constant to lookup in the Security properties file to determine
* the default certstore type. In the Security properties file, the
* default certstore type is given as:
* <pre>
* certstore.type=LDAP
* </pre>
*/
private static final String CERTSTORE_TYPE = "certstore.type";
private CertStoreSpi storeSpi;
private Provider provider;
private String type;
private CertStoreParameters params;
/**
* Creates a {@code CertStore} object of the given type, and
* encapsulates the given provider implementation (SPI object) in it.
*
* @param storeSpi the provider implementation
* @param provider the provider
* @param type the type
* @param params the initialization parameters (may be {@code null})
*/
protected CertStore(CertStoreSpi storeSpi, Provider provider,
String type, CertStoreParameters params) {
this.storeSpi = storeSpi;
this.provider = provider;
this.type = type;
if (params != null)
this.params = (CertStoreParameters) params.clone();
}
/**
* Returns a {@code Collection} of {@code Certificate}s that
* match the specified selector. If no {@code Certificate}s
* match the selector, an empty {@code Collection} will be returned.
* <p>
* For some {@code CertStore} types, the resulting
* {@code Collection} may not contain <b>all</b> of the
* {@code Certificate}s that match the selector. For instance,
* an LDAP {@code CertStore} may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the {@code Certificate}s it is looking for.
* <p>
* Some {@code CertStore} implementations (especially LDAP
* {@code CertStore}s) may throw a {@code CertStoreException}
* unless a non-null {@code CertSelector} is provided that
* includes specific criteria that can be used to find the certificates.
* Issuer and/or subject names are especially useful criteria.
*
* @param selector A {@code CertSelector} used to select which
* {@code Certificate}s should be returned. Specify {@code null}
* to return all {@code Certificate}s (if supported).
* @return A {@code Collection} of {@code Certificate}s that
* match the specified selector (never {@code null})
* @throws CertStoreException if an exception occurs
*/
public final Collection<? extends Certificate> getCertificates
(CertSelector selector) throws CertStoreException {
return storeSpi.engineGetCertificates(selector);
}
/**
* Returns a {@code Collection} of {@code CRL}s that
* match the specified selector. If no {@code CRL}s
* match the selector, an empty {@code Collection} will be returned.
* <p>
* For some {@code CertStore} types, the resulting
* {@code Collection} may not contain <b>all</b> of the
* {@code CRL}s that match the selector. For instance,
* an LDAP {@code CertStore} may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the {@code CRL}s it is looking for.
* <p>
* Some {@code CertStore} implementations (especially LDAP
* {@code CertStore}s) may throw a {@code CertStoreException}
* unless a non-null {@code CRLSelector} is provided that
* includes specific criteria that can be used to find the CRLs.
* Issuer names and/or the certificate to be checked are especially useful.
*
* @param selector A {@code CRLSelector} used to select which
* {@code CRL}s should be returned. Specify {@code null}
* to return all {@code CRL}s (if supported).
* @return A {@code Collection} of {@code CRL}s that
* match the specified selector (never {@code null})
* @throws CertStoreException if an exception occurs
*/
public final Collection<? extends CRL> getCRLs(CRLSelector selector)
throws CertStoreException {
return storeSpi.engineGetCRLs(selector);
}
/**
* Returns a {@code CertStore} object that implements the specified
* {@code CertStore} type and is initialized with the specified
* parameters.
*
* <p> This method traverses the list of registered security Providers,
* starting with the most preferred Provider.
* A new CertStore object encapsulating the
* CertStoreSpi implementation from the first
* Provider that supports the specified type is returned.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* <p>The {@code CertStore} that is returned is initialized with the
* specified {@code CertStoreParameters}. The type of parameters
* needed may vary between different types of {@code CertStore}s.
* Note that the specified {@code CertStoreParameters} object is
* cloned.
*
* @param type the name of the requested {@code CertStore} type.
* See the CertStore section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertStore">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard types.
*
* @param params the initialization parameters (may be {@code null}).
*
* @return a {@code CertStore} object that implements the specified
* {@code CertStore} type.
*
* @throws NoSuchAlgorithmException if no Provider supports a
* CertStoreSpi implementation for the specified type.
*
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* {@code CertStore}.
*
* @see java.security.Provider
*/
public static CertStore getInstance(String type, CertStoreParameters params)
throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
private static CertStore handleException(NoSuchAlgorithmException e)
throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
Throwable cause = e.getCause();
if (cause instanceof InvalidAlgorithmParameterException) {
throw (InvalidAlgorithmParameterException)cause;
}
throw e;
}
/**
* Returns a {@code CertStore} object that implements the specified
* {@code CertStore} type.
*
* <p> A new CertStore object encapsulating the
* CertStoreSpi implementation from the specified provider
* is returned. The specified provider must be registered
* in the security provider list.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* <p>The {@code CertStore} that is returned is initialized with the
* specified {@code CertStoreParameters}. The type of parameters
* needed may vary between different types of {@code CertStore}s.
* Note that the specified {@code CertStoreParameters} object is
* cloned.
*
* @param type the requested {@code CertStore} type.
* See the CertStore section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertStore">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard types.
*
* @param params the initialization parameters (may be {@code null}).
*
* @param provider the name of the provider.
*
* @return a {@code CertStore} object that implements the
* specified type.
*
* @throws NoSuchAlgorithmException if a CertStoreSpi
* implementation for the specified type is not
* available from the specified provider.
*
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* {@code CertStore}.
*
* @throws NoSuchProviderException if the specified provider is not
* registered in the security provider list.
*
* @exception IllegalArgumentException if the {@code provider} is
* null or empty.
*
* @see java.security.Provider
*/
public static CertStore getInstance(String type,
CertStoreParameters params, String provider)
throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException, NoSuchProviderException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params, provider);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
/**
* Returns a {@code CertStore} object that implements the specified
* {@code CertStore} type.
*
* <p> A new CertStore object encapsulating the
* CertStoreSpi implementation from the specified Provider
* object is returned. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* <p>The {@code CertStore} that is returned is initialized with the
* specified {@code CertStoreParameters}. The type of parameters
* needed may vary between different types of {@code CertStore}s.
* Note that the specified {@code CertStoreParameters} object is
* cloned.
*
* @param type the requested {@code CertStore} type.
* See the CertStore section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertStore">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard types.
*
* @param params the initialization parameters (may be {@code null}).
*
* @param provider the provider.
*
* @return a {@code CertStore} object that implements the
* specified type.
*
* @exception NoSuchAlgorithmException if a CertStoreSpi
* implementation for the specified type is not available
* from the specified Provider object.
*
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* {@code CertStore}
*
* @exception IllegalArgumentException if the {@code provider} is
* null.
*
* @see java.security.Provider
*/
public static CertStore getInstance(String type, CertStoreParameters params,
Provider provider) throws NoSuchAlgorithmException,
InvalidAlgorithmParameterException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params, provider);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
/**
* Returns the parameters used to initialize this {@code CertStore}.
* Note that the {@code CertStoreParameters} object is cloned before
* it is returned.
*
* @return the parameters used to initialize this {@code CertStore}
* (may be {@code null})
*/
public final CertStoreParameters getCertStoreParameters() {
return (params == null ? null : (CertStoreParameters) params.clone());
}
/**
* Returns the type of this {@code CertStore}.
*
* @return the type of this {@code CertStore}
*/
public final String getType() {
return this.type;
}
/**
* Returns the provider of this {@code CertStore}.
*
* @return the provider of this {@code CertStore}
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Returns the default {@code CertStore} type as specified by the
* {@code certstore.type} security property, or the string
* {@literal "LDAP"} if no such property exists.
*
* <p>The default {@code CertStore} type can be used by applications
* that do not want to use a hard-coded type when calling one of the
* {@code getInstance} methods, and want to provide a default
* {@code CertStore} type in case a user does not specify its own.
*
* <p>The default {@code CertStore} type can be changed by setting
* the value of the {@code certstore.type} security property to the
* desired type.
*
* @see java.security.Security security properties
* @return the default {@code CertStore} type as specified by the
* {@code certstore.type} security property, or the string
* {@literal "LDAP"} if no such property exists.
*/
public final static String getDefaultType() {
String cstype;
cstype = AccessController.doPrivileged(new PrivilegedAction<String>() {
public String run() {
return Security.getProperty(CERTSTORE_TYPE);
}
});
if (cstype == null) {
cstype = "LDAP";
}
return cstype;
}
}

103
jdkSrc/jdk8/java/security/cert/CertStoreException.java Normal file
View File

@@ -0,0 +1,103 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.GeneralSecurityException;
/**
* An exception indicating one of a variety of problems retrieving
* certificates and CRLs from a {@code CertStore}.
* <p>
* A {@code CertStoreException} provides support for wrapping
* exceptions. The {@link #getCause getCause} method returns the throwable,
* if any, that caused this exception to be thrown.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertStore
*
* @since 1.4
* @author Sean Mullan
*/
public class CertStoreException extends GeneralSecurityException {
private static final long serialVersionUID = 2395296107471573245L;
/**
* Creates a {@code CertStoreException} with {@code null} as
* its detail message.
*/
public CertStoreException() {
super();
}
/**
* Creates a {@code CertStoreException} with the given detail
* message. A detail message is a {@code String} that describes this
* particular exception.
*
* @param msg the detail message
*/
public CertStoreException(String msg) {
super(msg);
}
/**
* Creates a {@code CertStoreException} that wraps the specified
* throwable. This allows any exception to be converted into a
* {@code CertStoreException}, while retaining information about the
* cause, which may be useful for debugging. The detail message is
* set to ({@code cause==null ? null : cause.toString()}) (which
* typically contains the class and detail message of cause).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertStoreException(Throwable cause) {
super(cause);
}
/**
* Creates a {@code CertStoreException} with the specified detail
* message and cause.
*
* @param msg the detail message
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause getCause()} method). (A {@code null} value is
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertStoreException(String msg, Throwable cause) {
super(msg, cause);
}
}

80
jdkSrc/jdk8/java/security/cert/CertStoreParameters.java Normal file
View File

@@ -0,0 +1,80 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* A specification of {@code CertStore} parameters.
* <p>
* The purpose of this interface is to group (and provide type safety for)
* all {@code CertStore} parameter specifications. All
* {@code CertStore} parameter specifications must implement this
* interface.
* <p>
* Typically, a {@code CertStoreParameters} object is passed as a parameter
* to one of the {@link CertStore#getInstance CertStore.getInstance} methods.
* The {@code getInstance} method returns a {@code CertStore} that
* is used for retrieving {@code Certificate}s and {@code CRL}s. The
* {@code CertStore} that is returned is initialized with the specified
* parameters. The type of parameters needed may vary between different types
* of {@code CertStore}s.
*
* @see CertStore#getInstance
*
* @since 1.4
* @author Steve Hanna
*/
public interface CertStoreParameters extends Cloneable {
/**
* Makes a copy of this {@code CertStoreParameters}.
* <p>
* The precise meaning of "copy" may depend on the class of
* the {@code CertStoreParameters} object. A typical implementation
* performs a "deep copy" of this object, but this is not an absolute
* requirement. Some implementations may perform a "shallow copy" of some
* or all of the fields of this object.
* <p>
* Note that the {@code CertStore.getInstance} methods make a copy
* of the specified {@code CertStoreParameters}. A deep copy
* implementation of {@code clone} is safer and more robust, as it
* prevents the caller from corrupting a shared {@code CertStore} by
* subsequently modifying the contents of its initialization parameters.
* However, a shallow copy implementation of {@code clone} is more
* appropriate for applications that need to hold a reference to a
* parameter contained in the {@code CertStoreParameters}. For example,
* a shallow copy clone allows an application to release the resources of
* a particular {@code CertStore} initialization parameter immediately,
* rather than waiting for the garbage collection mechanism. This should
* be done with the utmost care, since the {@code CertStore} may still
* be in use by other threads.
* <p>
* Each subclass should state the precise behavior of this method so
* that users and developers know what to expect.
*
* @return a copy of this {@code CertStoreParameters}
*/
Object clone();
}

125
jdkSrc/jdk8/java/security/cert/CertStoreSpi.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.InvalidAlgorithmParameterException;
import java.util.Collection;
/**
* The <i>Service Provider Interface</i> (<b>SPI</b>)
* for the {@link CertStore CertStore} class. All {@code CertStore}
* implementations must include a class (the SPI class) that extends
* this class ({@code CertStoreSpi}), provides a constructor with
* a single argument of type {@code CertStoreParameters}, and implements
* all of its methods. In general, instances of this class should only be
* accessed through the {@code CertStore} class.
* For details, see the Java Cryptography Architecture.
* <p>
* <b>Concurrent Access</b>
* <p>
* The public methods of all {@code CertStoreSpi} objects must be
* thread-safe. That is, multiple threads may concurrently invoke these
* methods on a single {@code CertStoreSpi} object (or more than one)
* with no ill effects. This allows a {@code CertPathBuilder} to search
* for a CRL while simultaneously searching for further certificates, for
* instance.
* <p>
* Simple {@code CertStoreSpi} implementations will probably ensure
* thread safety by adding a {@code synchronized} keyword to their
* {@code engineGetCertificates} and {@code engineGetCRLs} methods.
* More sophisticated ones may allow truly concurrent access.
*
* @since 1.4
* @author Steve Hanna
*/
public abstract class CertStoreSpi {
/**
* The sole constructor.
*
* @param params the initialization parameters (may be {@code null})
* @throws InvalidAlgorithmParameterException if the initialization
* parameters are inappropriate for this {@code CertStoreSpi}
*/
public CertStoreSpi(CertStoreParameters params)
throws InvalidAlgorithmParameterException { }
/**
* Returns a {@code Collection} of {@code Certificate}s that
* match the specified selector. If no {@code Certificate}s
* match the selector, an empty {@code Collection} will be returned.
* <p>
* For some {@code CertStore} types, the resulting
* {@code Collection} may not contain <b>all</b> of the
* {@code Certificate}s that match the selector. For instance,
* an LDAP {@code CertStore} may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the {@code Certificate}s it is looking for.
* <p>
* Some {@code CertStore} implementations (especially LDAP
* {@code CertStore}s) may throw a {@code CertStoreException}
* unless a non-null {@code CertSelector} is provided that includes
* specific criteria that can be used to find the certificates. Issuer
* and/or subject names are especially useful criteria.
*
* @param selector A {@code CertSelector} used to select which
* {@code Certificate}s should be returned. Specify {@code null}
* to return all {@code Certificate}s (if supported).
* @return A {@code Collection} of {@code Certificate}s that
* match the specified selector (never {@code null})
* @throws CertStoreException if an exception occurs
*/
public abstract Collection<? extends Certificate> engineGetCertificates
(CertSelector selector) throws CertStoreException;
/**
* Returns a {@code Collection} of {@code CRL}s that
* match the specified selector. If no {@code CRL}s
* match the selector, an empty {@code Collection} will be returned.
* <p>
* For some {@code CertStore} types, the resulting
* {@code Collection} may not contain <b>all</b> of the
* {@code CRL}s that match the selector. For instance,
* an LDAP {@code CertStore} may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the {@code CRL}s it is looking for.
* <p>
* Some {@code CertStore} implementations (especially LDAP
* {@code CertStore}s) may throw a {@code CertStoreException}
* unless a non-null {@code CRLSelector} is provided that includes
* specific criteria that can be used to find the CRLs. Issuer names
* and/or the certificate to be checked are especially useful.
*
* @param selector A {@code CRLSelector} used to select which
* {@code CRL}s should be returned. Specify {@code null}
* to return all {@code CRL}s (if supported).
* @return A {@code Collection} of {@code CRL}s that
* match the specified selector (never {@code null})
* @throws CertStoreException if an exception occurs
*/
public abstract Collection<? extends CRL> engineGetCRLs
(CRLSelector selector) throws CertStoreException;
}

307
jdkSrc/jdk8/java/security/cert/Certificate.java Normal file
View File

@@ -0,0 +1,307 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.util.Arrays;
import java.security.Provider;
import java.security.PublicKey;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import sun.security.x509.X509CertImpl;
/**
* <p>Abstract class for managing a variety of identity certificates.
* An identity certificate is a binding of a principal to a public key which
* is vouched for by another principal. (A principal represents
* an entity such as an individual user, a group, or a corporation.)
*<p>
* This class is an abstraction for certificates that have different
* formats but important common uses. For example, different types of
* certificates, such as X.509 and PGP, share general certificate
* functionality (like encoding and verifying) and
* some types of information (like a public key).
* <p>
* X.509, PGP, and SDSI certificates can all be implemented by
* subclassing the Certificate class, even though they contain different
* sets of information, and they store and retrieve the information in
* different ways.
*
* @see X509Certificate
* @see CertificateFactory
*
* @author Hemma Prafullchandra
*/
public abstract class Certificate implements java.io.Serializable {
private static final long serialVersionUID = -3585440601605666277L;
// the certificate type
private final String type;
/** Cache the hash code for the certiticate */
private int hash = -1; // Default to -1
/**
* Creates a certificate of the specified type.
*
* @param type the standard name of the certificate type.
* See the CertificateFactory section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertificateFactory">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard certificate types.
*/
protected Certificate(String type) {
this.type = type;
}
/**
* Returns the type of this certificate.
*
* @return the type of this certificate.
*/
public final String getType() {
return this.type;
}
/**
* Compares this certificate for equality with the specified
* object. If the {@code other} object is an
* {@code instanceof} {@code Certificate}, then
* its encoded form is retrieved and compared with the
* encoded form of this certificate.
*
* @param other the object to test for equality with this certificate.
* @return true iff the encoded forms of the two certificates
* match, false otherwise.
*/
public boolean equals(Object other) {
if (this == other) {
return true;
}
if (!(other instanceof Certificate)) {
return false;
}
try {
byte[] thisCert = X509CertImpl.getEncodedInternal(this);
byte[] otherCert = X509CertImpl.getEncodedInternal((Certificate)other);
return Arrays.equals(thisCert, otherCert);
} catch (CertificateException e) {
return false;
}
}
/**
* Returns a hashcode value for this certificate from its
* encoded form.
*
* @return the hashcode value.
*/
public int hashCode() {
int h = hash;
if (h == -1) {
try {
h = Arrays.hashCode(X509CertImpl.getEncodedInternal(this));
} catch (CertificateException e) {
h = 0;
}
hash = h;
}
return h;
}
/**
* Returns the encoded form of this certificate. It is
* assumed that each certificate type would have only a single
* form of encoding; for example, X.509 certificates would
* be encoded as ASN.1 DER.
*
* @return the encoded form of this certificate
*
* @exception CertificateEncodingException if an encoding error occurs.
*/
public abstract byte[] getEncoded()
throws CertificateEncodingException;
/**
* Verifies that this certificate was signed using the
* private key that corresponds to the specified public key.
*
* @param key the PublicKey used to carry out the verification.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception NoSuchProviderException if there's no default provider.
* @exception SignatureException on signature errors.
* @exception CertificateException on encoding errors.
*/
public abstract void verify(PublicKey key)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException;
/**
* Verifies that this certificate was signed using the
* private key that corresponds to the specified public key.
* This method uses the signature verification engine
* supplied by the specified provider.
*
* @param key the PublicKey used to carry out the verification.
* @param sigProvider the name of the signature provider.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception NoSuchProviderException on incorrect provider.
* @exception SignatureException on signature errors.
* @exception CertificateException on encoding errors.
*/
public abstract void verify(PublicKey key, String sigProvider)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException;
/**
* Verifies that this certificate was signed using the
* private key that corresponds to the specified public key.
* This method uses the signature verification engine
* supplied by the specified provider. Note that the specified
* Provider object does not have to be registered in the provider list.
*
* <p> This method was added to version 1.8 of the Java Platform
* Standard Edition. In order to maintain backwards compatibility with
* existing service providers, this method cannot be {@code abstract}
* and by default throws an {@code UnsupportedOperationException}.
*
* @param key the PublicKey used to carry out the verification.
* @param sigProvider the signature provider.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception SignatureException on signature errors.
* @exception CertificateException on encoding errors.
* @exception UnsupportedOperationException if the method is not supported
* @since 1.8
*/
public void verify(PublicKey key, Provider sigProvider)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, SignatureException {
throw new UnsupportedOperationException();
}
/**
* Returns a string representation of this certificate.
*
* @return a string representation of this certificate.
*/
public abstract String toString();
/**
* Gets the public key from this certificate.
*
* @return the public key.
*/
public abstract PublicKey getPublicKey();
/**
* Alternate Certificate class for serialization.
* @since 1.3
*/
protected static class CertificateRep implements java.io.Serializable {
private static final long serialVersionUID = -8563758940495660020L;
private String type;
private byte[] data;
/**
* Construct the alternate Certificate class with the Certificate
* type and Certificate encoding bytes.
*
* <p>
*
* @param type the standard name of the Certificate type. <p>
*
* @param data the Certificate data.
*/
protected CertificateRep(String type, byte[] data) {
this.type = type;
this.data = data;
}
/**
* Resolve the Certificate Object.
*
* <p>
*
* @return the resolved Certificate Object
*
* @throws java.io.ObjectStreamException if the Certificate
* could not be resolved
*/
protected Object readResolve() throws java.io.ObjectStreamException {
try {
CertificateFactory cf = CertificateFactory.getInstance(type);
return cf.generateCertificate
(new java.io.ByteArrayInputStream(data));
} catch (CertificateException e) {
throw new java.io.NotSerializableException
("java.security.cert.Certificate: " +
type +
": " +
e.getMessage());
}
}
}
/**
* Replace the Certificate to be serialized.
*
* @return the alternate Certificate object to be serialized
*
* @throws java.io.ObjectStreamException if a new object representing
* this Certificate could not be created
* @since 1.3
*/
protected Object writeReplace() throws java.io.ObjectStreamException {
try {
return new CertificateRep(type, getEncoded());
} catch (CertificateException e) {
throw new java.io.NotSerializableException
("java.security.cert.Certificate: " +
type +
": " +
e.getMessage());
}
}
}

88
jdkSrc/jdk8/java/security/cert/CertificateEncodingException.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* Certificate Encoding Exception. This is thrown whenever an error
* occurs while attempting to encode a certificate.
*
* @author Hemma Prafullchandra
*/
public class CertificateEncodingException extends CertificateException {
private static final long serialVersionUID = 6219492851589449162L;
/**
* Constructs a CertificateEncodingException with no detail message. A
* detail message is a String that describes this particular
* exception.
*/
public CertificateEncodingException() {
super();
}
/**
* Constructs a CertificateEncodingException with the specified detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param message the detail message.
*/
public CertificateEncodingException(String message) {
super(message);
}
/**
* Creates a {@code CertificateEncodingException} with the specified
* detail message and cause.
*
* @param message the detail message (which is saved for later retrieval
* by the {@link #getMessage()} method).
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateEncodingException(String message, Throwable cause) {
super(message, cause);
}
/**
* Creates a {@code CertificateEncodingException}
* with the specified cause and a detail message of
* {@code (cause==null ? null : cause.toString())}
* (which typically contains the class and detail message of
* {@code cause}).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateEncodingException(Throwable cause) {
super(cause);
}
}

88
jdkSrc/jdk8/java/security/cert/CertificateException.java Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.GeneralSecurityException;
/**
* This exception indicates one of a variety of certificate problems.
*
* @author Hemma Prafullchandra
* @see Certificate
*/
public class CertificateException extends GeneralSecurityException {
private static final long serialVersionUID = 3192535253797119798L;
/**
* Constructs a certificate exception with no detail message. A detail
* message is a String that describes this particular exception.
*/
public CertificateException() {
super();
}
/**
* Constructs a certificate exception with the given detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param msg the detail message.
*/
public CertificateException(String msg) {
super(msg);
}
/**
* Creates a {@code CertificateException} with the specified
* detail message and cause.
*
* @param message the detail message (which is saved for later retrieval
* by the {@link #getMessage()} method).
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateException(String message, Throwable cause) {
super(message, cause);
}
/**
* Creates a {@code CertificateException} with the specified cause
* and a detail message of {@code (cause==null ? null : cause.toString())}
* (which typically contains the class and detail message of
* {@code cause}).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateException(Throwable cause) {
super(cause);
}
}

59
jdkSrc/jdk8/java/security/cert/CertificateExpiredException.java Normal file
View File

@@ -0,0 +1,59 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* Certificate Expired Exception. This is thrown whenever the current
* {@code Date} or the specified {@code Date} is after the
* {@code notAfter} date/time specified in the validity period
* of the certificate.
*
* @author Hemma Prafullchandra
*/
public class CertificateExpiredException extends CertificateException {
private static final long serialVersionUID = 9071001339691533771L;
/**
* Constructs a CertificateExpiredException with no detail message. A
* detail message is a String that describes this particular
* exception.
*/
public CertificateExpiredException() {
super();
}
/**
* Constructs a CertificateExpiredException with the specified detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param message the detail message.
*/
public CertificateExpiredException(String message) {
super(message);
}
}

537
jdkSrc/jdk8/java/security/cert/CertificateFactory.java Normal file
View File

@@ -0,0 +1,537 @@
/*
* Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.InputStream;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.security.Provider;
import java.security.Security;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
/**
* This class defines the functionality of a certificate factory, which is
* used to generate certificate, certification path ({@code CertPath})
* and certificate revocation list (CRL) objects from their encodings.
*
* <p>For encodings consisting of multiple certificates, use
* {@code generateCertificates} when you want to
* parse a collection of possibly unrelated certificates. Otherwise,
* use {@code generateCertPath} when you want to generate
* a {@code CertPath} (a certificate chain) and subsequently
* validate it with a {@code CertPathValidator}.
*
* <p>A certificate factory for X.509 must return certificates that are an
* instance of {@code java.security.cert.X509Certificate}, and CRLs
* that are an instance of {@code java.security.cert.X509CRL}.
*
* <p>The following example reads a file with Base64 encoded certificates,
* which are each bounded at the beginning by -----BEGIN CERTIFICATE-----, and
* bounded at the end by -----END CERTIFICATE-----. We convert the
* {@code FileInputStream} (which does not support {@code mark}
* and {@code reset}) to a {@code BufferedInputStream} (which
* supports those methods), so that each call to
* {@code generateCertificate} consumes only one certificate, and the
* read position of the input stream is positioned to the next certificate in
* the file:
*
* <pre>{@code
* FileInputStream fis = new FileInputStream(filename);
* BufferedInputStream bis = new BufferedInputStream(fis);
*
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
*
* while (bis.available() > 0) {
* Certificate cert = cf.generateCertificate(bis);
* System.out.println(cert.toString());
* }
* }</pre>
*
* <p>The following example parses a PKCS#7-formatted certificate reply stored
* in a file and extracts all the certificates from it:
*
* <pre>
* FileInputStream fis = new FileInputStream(filename);
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* Collection c = cf.generateCertificates(fis);
* Iterator i = c.iterator();
* while (i.hasNext()) {
* Certificate cert = (Certificate)i.next();
* System.out.println(cert);
* }
* </pre>
*
* <p> Every implementation of the Java platform is required to support the
* following standard {@code CertificateFactory} type:
* <ul>
* <li>{@code X.509}</li>
* </ul>
* and the following standard {@code CertPath} encodings:
* <ul>
* <li>{@code PKCS7}</li>
* <li>{@code PkiPath}</li>
* </ul>
* The type and encodings are described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertificateFactory">
* CertificateFactory section</a> and the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathEncodings">
* CertPath Encodings section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
* Consult the release documentation for your implementation to see if any
* other types or encodings are supported.
*
* @author Hemma Prafullchandra
* @author Jan Luehe
* @author Sean Mullan
*
* @see Certificate
* @see X509Certificate
* @see CertPath
* @see CRL
* @see X509CRL
*
* @since 1.2
*/
public class CertificateFactory {
// The certificate type
private String type;
// The provider
private Provider provider;
// The provider implementation
private CertificateFactorySpi certFacSpi;
/**
* Creates a CertificateFactory object of the given type, and encapsulates
* the given provider implementation (SPI object) in it.
*
* @param certFacSpi the provider implementation.
* @param provider the provider.
* @param type the certificate type.
*/
protected CertificateFactory(CertificateFactorySpi certFacSpi,
Provider provider, String type)
{
this.certFacSpi = certFacSpi;
this.provider = provider;
this.type = type;
}
/**
* Returns a certificate factory object that implements the
* specified certificate type.
*
* <p> This method traverses the list of registered security Providers,
* starting with the most preferred Provider.
* A new CertificateFactory object encapsulating the
* CertificateFactorySpi implementation from the first
* Provider that supports the specified type is returned.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param type the name of the requested certificate type.
* See the CertificateFactory section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertificateFactory">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard certificate types.
*
* @return a certificate factory object for the specified type.
*
* @exception CertificateException if no Provider supports a
* CertificateFactorySpi implementation for the
* specified type.
*
* @see java.security.Provider
*/
public static final CertificateFactory getInstance(String type)
throws CertificateException {
try {
Instance instance = GetInstance.getInstance("CertificateFactory",
CertificateFactorySpi.class, type);
return new CertificateFactory((CertificateFactorySpi)instance.impl,
instance.provider, type);
} catch (NoSuchAlgorithmException e) {
throw new CertificateException(type + " not found", e);
}
}
/**
* Returns a certificate factory object for the specified
* certificate type.
*
* <p> A new CertificateFactory object encapsulating the
* CertificateFactorySpi implementation from the specified provider
* is returned. The specified provider must be registered
* in the security provider list.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param type the certificate type.
* See the CertificateFactory section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertificateFactory">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard certificate types.
*
* @param provider the name of the provider.
*
* @return a certificate factory object for the specified type.
*
* @exception CertificateException if a CertificateFactorySpi
* implementation for the specified algorithm is not
* available from the specified provider.
*
* @exception NoSuchProviderException if the specified provider is not
* registered in the security provider list.
*
* @exception IllegalArgumentException if the provider name is null
* or empty.
*
* @see java.security.Provider
*/
public static final CertificateFactory getInstance(String type,
String provider) throws CertificateException,
NoSuchProviderException {
try {
Instance instance = GetInstance.getInstance("CertificateFactory",
CertificateFactorySpi.class, type, provider);
return new CertificateFactory((CertificateFactorySpi)instance.impl,
instance.provider, type);
} catch (NoSuchAlgorithmException e) {
throw new CertificateException(type + " not found", e);
}
}
/**
* Returns a certificate factory object for the specified
* certificate type.
*
* <p> A new CertificateFactory object encapsulating the
* CertificateFactorySpi implementation from the specified Provider
* object is returned. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* @param type the certificate type.
* See the CertificateFactory section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertificateFactory">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard certificate types.
* @param provider the provider.
*
* @return a certificate factory object for the specified type.
*
* @exception CertificateException if a CertificateFactorySpi
* implementation for the specified algorithm is not available
* from the specified Provider object.
*
* @exception IllegalArgumentException if the {@code provider} is
* null.
*
* @see java.security.Provider
*
* @since 1.4
*/
public static final CertificateFactory getInstance(String type,
Provider provider) throws CertificateException {
try {
Instance instance = GetInstance.getInstance("CertificateFactory",
CertificateFactorySpi.class, type, provider);
return new CertificateFactory((CertificateFactorySpi)instance.impl,
instance.provider, type);
} catch (NoSuchAlgorithmException e) {
throw new CertificateException(type + " not found", e);
}
}
/**
* Returns the provider of this certificate factory.
*
* @return the provider of this certificate factory.
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Returns the name of the certificate type associated with this
* certificate factory.
*
* @return the name of the certificate type associated with this
* certificate factory.
*/
public final String getType() {
return this.type;
}
/**
* Generates a certificate object and initializes it with
* the data read from the input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized certificate format
* supported by this certificate factory,
* the returned certificate object can be typecast to the corresponding
* certificate class. For example, if this certificate
* factory implements X.509 certificates, the returned certificate object
* can be typecast to the {@code X509Certificate} class.
*
* <p>In the case of a certificate factory for X.509 certificates, the
* certificate provided in {@code inStream} must be DER-encoded and
* may be supplied in binary or printable (Base64) encoding. If the
* certificate is provided in Base64 encoding, it must be bounded at
* the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
* the end by -----END CERTIFICATE-----.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream. Otherwise, each call to this
* method consumes one certificate and the read position of the
* input stream is positioned to the next available byte after
* the inherent end-of-certificate marker. If the data in the input stream
* does not contain an inherent end-of-certificate marker (other
* than EOF) and there is trailing data after the certificate is parsed, a
* {@code CertificateException} is thrown.
*
* @param inStream an input stream with the certificate data.
*
* @return a certificate object initialized with the data
* from the input stream.
*
* @exception CertificateException on parsing errors.
*/
public final Certificate generateCertificate(InputStream inStream)
throws CertificateException
{
return certFacSpi.engineGenerateCertificate(inStream);
}
/**
* Returns an iteration of the {@code CertPath} encodings supported
* by this certificate factory, with the default encoding first. See
* the CertPath Encodings section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathEncodings">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard encoding names and their formats.
* <p>
* Attempts to modify the returned {@code Iterator} via its
* {@code remove} method result in an
* {@code UnsupportedOperationException}.
*
* @return an {@code Iterator} over the names of the supported
* {@code CertPath} encodings (as {@code String}s)
* @since 1.4
*/
public final Iterator<String> getCertPathEncodings() {
return(certFacSpi.engineGetCertPathEncodings());
}
/**
* Generates a {@code CertPath} object and initializes it with
* the data read from the {@code InputStream} inStream. The data
* is assumed to be in the default encoding. The name of the default
* encoding is the first element of the {@code Iterator} returned by
* the {@link #getCertPathEncodings getCertPathEncodings} method.
*
* @param inStream an {@code InputStream} containing the data
* @return a {@code CertPath} initialized with the data from the
* {@code InputStream}
* @exception CertificateException if an exception occurs while decoding
* @since 1.4
*/
public final CertPath generateCertPath(InputStream inStream)
throws CertificateException
{
return(certFacSpi.engineGenerateCertPath(inStream));
}
/**
* Generates a {@code CertPath} object and initializes it with
* the data read from the {@code InputStream} inStream. The data
* is assumed to be in the specified encoding. See
* the CertPath Encodings section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathEncodings">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard encoding names and their formats.
*
* @param inStream an {@code InputStream} containing the data
* @param encoding the encoding used for the data
* @return a {@code CertPath} initialized with the data from the
* {@code InputStream}
* @exception CertificateException if an exception occurs while decoding or
* the encoding requested is not supported
* @since 1.4
*/
public final CertPath generateCertPath(InputStream inStream,
String encoding) throws CertificateException
{
return(certFacSpi.engineGenerateCertPath(inStream, encoding));
}
/**
* Generates a {@code CertPath} object and initializes it with
* a {@code List} of {@code Certificate}s.
* <p>
* The certificates supplied must be of a type supported by the
* {@code CertificateFactory}. They will be copied out of the supplied
* {@code List} object.
*
* @param certificates a {@code List} of {@code Certificate}s
* @return a {@code CertPath} initialized with the supplied list of
* certificates
* @exception CertificateException if an exception occurs
* @since 1.4
*/
public final CertPath
generateCertPath(List<? extends Certificate> certificates)
throws CertificateException
{
return(certFacSpi.engineGenerateCertPath(certificates));
}
/**
* Returns a (possibly empty) collection view of the certificates read
* from the given input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized certificate format
* supported by this certificate factory, each element in
* the returned collection view can be typecast to the corresponding
* certificate class. For example, if this certificate
* factory implements X.509 certificates, the elements in the returned
* collection can be typecast to the {@code X509Certificate} class.
*
* <p>In the case of a certificate factory for X.509 certificates,
* {@code inStream} may contain a sequence of DER-encoded certificates
* in the formats described for
* {@link #generateCertificate(java.io.InputStream) generateCertificate}.
* In addition, {@code inStream} may contain a PKCS#7 certificate
* chain. This is a PKCS#7 <i>SignedData</i> object, with the only
* significant field being <i>certificates</i>. In particular, the
* signature and the contents are ignored. This format allows multiple
* certificates to be downloaded at once. If no certificates are present,
* an empty collection is returned.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream.
*
* @param inStream the input stream with the certificates.
*
* @return a (possibly empty) collection view of
* java.security.cert.Certificate objects
* initialized with the data from the input stream.
*
* @exception CertificateException on parsing errors.
*/
public final Collection<? extends Certificate> generateCertificates
(InputStream inStream) throws CertificateException {
return certFacSpi.engineGenerateCertificates(inStream);
}
/**
* Generates a certificate revocation list (CRL) object and initializes it
* with the data read from the input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized CRL format
* supported by this certificate factory,
* the returned CRL object can be typecast to the corresponding
* CRL class. For example, if this certificate
* factory implements X.509 CRLs, the returned CRL object
* can be typecast to the {@code X509CRL} class.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream. Otherwise, each call to this
* method consumes one CRL and the read position of the input stream
* is positioned to the next available byte after the inherent
* end-of-CRL marker. If the data in the
* input stream does not contain an inherent end-of-CRL marker (other
* than EOF) and there is trailing data after the CRL is parsed, a
* {@code CRLException} is thrown.
*
* @param inStream an input stream with the CRL data.
*
* @return a CRL object initialized with the data
* from the input stream.
*
* @exception CRLException on parsing errors.
*/
public final CRL generateCRL(InputStream inStream)
throws CRLException
{
return certFacSpi.engineGenerateCRL(inStream);
}
/**
* Returns a (possibly empty) collection view of the CRLs read
* from the given input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized CRL format
* supported by this certificate factory, each element in
* the returned collection view can be typecast to the corresponding
* CRL class. For example, if this certificate
* factory implements X.509 CRLs, the elements in the returned
* collection can be typecast to the {@code X509CRL} class.
*
* <p>In the case of a certificate factory for X.509 CRLs,
* {@code inStream} may contain a sequence of DER-encoded CRLs.
* In addition, {@code inStream} may contain a PKCS#7 CRL
* set. This is a PKCS#7 <i>SignedData</i> object, with the only
* significant field being <i>crls</i>. In particular, the
* signature and the contents are ignored. This format allows multiple
* CRLs to be downloaded at once. If no CRLs are present,
* an empty collection is returned.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream.
*
* @param inStream the input stream with the CRLs.
*
* @return a (possibly empty) collection view of
* java.security.cert.CRL objects initialized with the data from the input
* stream.
*
* @exception CRLException on parsing errors.
*/
public final Collection<? extends CRL> generateCRLs(InputStream inStream)
throws CRLException {
return certFacSpi.engineGenerateCRLs(inStream);
}
}

315
jdkSrc/jdk8/java/security/cert/CertificateFactorySpi.java Normal file
View File

@@ -0,0 +1,315 @@
/*
* Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.InputStream;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.security.Provider;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
/**
* This class defines the <i>Service Provider Interface</i> (<b>SPI</b>)
* for the {@code CertificateFactory} class.
* All the abstract methods in this class must be implemented by each
* cryptographic service provider who wishes to supply the implementation
* of a certificate factory for a particular certificate type, e.g., X.509.
*
* <p>Certificate factories are used to generate certificate, certification path
* ({@code CertPath}) and certificate revocation list (CRL) objects from
* their encodings.
*
* <p>A certificate factory for X.509 must return certificates that are an
* instance of {@code java.security.cert.X509Certificate}, and CRLs
* that are an instance of {@code java.security.cert.X509CRL}.
*
* @author Hemma Prafullchandra
* @author Jan Luehe
* @author Sean Mullan
*
*
* @see CertificateFactory
* @see Certificate
* @see X509Certificate
* @see CertPath
* @see CRL
* @see X509CRL
*
* @since 1.2
*/
public abstract class CertificateFactorySpi {
/**
* Generates a certificate object and initializes it with
* the data read from the input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized certificate format
* supported by this certificate factory,
* the returned certificate object can be typecast to the corresponding
* certificate class. For example, if this certificate
* factory implements X.509 certificates, the returned certificate object
* can be typecast to the {@code X509Certificate} class.
*
* <p>In the case of a certificate factory for X.509 certificates, the
* certificate provided in {@code inStream} must be DER-encoded and
* may be supplied in binary or printable (Base64) encoding. If the
* certificate is provided in Base64 encoding, it must be bounded at
* the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at
* the end by -----END CERTIFICATE-----.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream. Otherwise, each call to this
* method consumes one certificate and the read position of the input stream
* is positioned to the next available byte after the inherent
* end-of-certificate marker. If the data in the
* input stream does not contain an inherent end-of-certificate marker (other
* than EOF) and there is trailing data after the certificate is parsed, a
* {@code CertificateException} is thrown.
*
* @param inStream an input stream with the certificate data.
*
* @return a certificate object initialized with the data
* from the input stream.
*
* @exception CertificateException on parsing errors.
*/
public abstract Certificate engineGenerateCertificate(InputStream inStream)
throws CertificateException;
/**
* Generates a {@code CertPath} object and initializes it with
* the data read from the {@code InputStream} inStream. The data
* is assumed to be in the default encoding.
*
* <p> This method was added to version 1.4 of the Java 2 Platform
* Standard Edition. In order to maintain backwards compatibility with
* existing service providers, this method cannot be {@code abstract}
* and by default throws an {@code UnsupportedOperationException}.
*
* @param inStream an {@code InputStream} containing the data
* @return a {@code CertPath} initialized with the data from the
* {@code InputStream}
* @exception CertificateException if an exception occurs while decoding
* @exception UnsupportedOperationException if the method is not supported
* @since 1.4
*/
public CertPath engineGenerateCertPath(InputStream inStream)
throws CertificateException
{
throw new UnsupportedOperationException();
}
/**
* Generates a {@code CertPath} object and initializes it with
* the data read from the {@code InputStream} inStream. The data
* is assumed to be in the specified encoding.
*
* <p> This method was added to version 1.4 of the Java 2 Platform
* Standard Edition. In order to maintain backwards compatibility with
* existing service providers, this method cannot be {@code abstract}
* and by default throws an {@code UnsupportedOperationException}.
*
* @param inStream an {@code InputStream} containing the data
* @param encoding the encoding used for the data
* @return a {@code CertPath} initialized with the data from the
* {@code InputStream}
* @exception CertificateException if an exception occurs while decoding or
* the encoding requested is not supported
* @exception UnsupportedOperationException if the method is not supported
* @since 1.4
*/
public CertPath engineGenerateCertPath(InputStream inStream,
String encoding) throws CertificateException
{
throw new UnsupportedOperationException();
}
/**
* Generates a {@code CertPath} object and initializes it with
* a {@code List} of {@code Certificate}s.
* <p>
* The certificates supplied must be of a type supported by the
* {@code CertificateFactory}. They will be copied out of the supplied
* {@code List} object.
*
* <p> This method was added to version 1.4 of the Java 2 Platform
* Standard Edition. In order to maintain backwards compatibility with
* existing service providers, this method cannot be {@code abstract}
* and by default throws an {@code UnsupportedOperationException}.
*
* @param certificates a {@code List} of {@code Certificate}s
* @return a {@code CertPath} initialized with the supplied list of
* certificates
* @exception CertificateException if an exception occurs
* @exception UnsupportedOperationException if the method is not supported
* @since 1.4
*/
public CertPath
engineGenerateCertPath(List<? extends Certificate> certificates)
throws CertificateException
{
throw new UnsupportedOperationException();
}
/**
* Returns an iteration of the {@code CertPath} encodings supported
* by this certificate factory, with the default encoding first. See
* the CertPath Encodings section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathEncodings">
* Java Cryptography Architecture Standard Algorithm Name Documentation</a>
* for information about standard encoding names.
* <p>
* Attempts to modify the returned {@code Iterator} via its
* {@code remove} method result in an
* {@code UnsupportedOperationException}.
*
* <p> This method was added to version 1.4 of the Java 2 Platform
* Standard Edition. In order to maintain backwards compatibility with
* existing service providers, this method cannot be {@code abstract}
* and by default throws an {@code UnsupportedOperationException}.
*
* @return an {@code Iterator} over the names of the supported
* {@code CertPath} encodings (as {@code String}s)
* @exception UnsupportedOperationException if the method is not supported
* @since 1.4
*/
public Iterator<String> engineGetCertPathEncodings() {
throw new UnsupportedOperationException();
}
/**
* Returns a (possibly empty) collection view of the certificates read
* from the given input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized certificate format
* supported by this certificate factory, each element in
* the returned collection view can be typecast to the corresponding
* certificate class. For example, if this certificate
* factory implements X.509 certificates, the elements in the returned
* collection can be typecast to the {@code X509Certificate} class.
*
* <p>In the case of a certificate factory for X.509 certificates,
* {@code inStream} may contain a single DER-encoded certificate
* in the formats described for
* {@link CertificateFactory#generateCertificate(java.io.InputStream)
* generateCertificate}.
* In addition, {@code inStream} may contain a PKCS#7 certificate
* chain. This is a PKCS#7 <i>SignedData</i> object, with the only
* significant field being <i>certificates</i>. In particular, the
* signature and the contents are ignored. This format allows multiple
* certificates to be downloaded at once. If no certificates are present,
* an empty collection is returned.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream.
*
* @param inStream the input stream with the certificates.
*
* @return a (possibly empty) collection view of
* java.security.cert.Certificate objects
* initialized with the data from the input stream.
*
* @exception CertificateException on parsing errors.
*/
public abstract Collection<? extends Certificate>
engineGenerateCertificates(InputStream inStream)
throws CertificateException;
/**
* Generates a certificate revocation list (CRL) object and initializes it
* with the data read from the input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized CRL format
* supported by this certificate factory,
* the returned CRL object can be typecast to the corresponding
* CRL class. For example, if this certificate
* factory implements X.509 CRLs, the returned CRL object
* can be typecast to the {@code X509CRL} class.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream. Otherwise, each call to this
* method consumes one CRL and the read position of the input stream
* is positioned to the next available byte after the inherent
* end-of-CRL marker. If the data in the
* input stream does not contain an inherent end-of-CRL marker (other
* than EOF) and there is trailing data after the CRL is parsed, a
* {@code CRLException} is thrown.
*
* @param inStream an input stream with the CRL data.
*
* @return a CRL object initialized with the data
* from the input stream.
*
* @exception CRLException on parsing errors.
*/
public abstract CRL engineGenerateCRL(InputStream inStream)
throws CRLException;
/**
* Returns a (possibly empty) collection view of the CRLs read
* from the given input stream {@code inStream}.
*
* <p>In order to take advantage of the specialized CRL format
* supported by this certificate factory, each element in
* the returned collection view can be typecast to the corresponding
* CRL class. For example, if this certificate
* factory implements X.509 CRLs, the elements in the returned
* collection can be typecast to the {@code X509CRL} class.
*
* <p>In the case of a certificate factory for X.509 CRLs,
* {@code inStream} may contain a single DER-encoded CRL.
* In addition, {@code inStream} may contain a PKCS#7 CRL
* set. This is a PKCS#7 <i>SignedData</i> object, with the only
* significant field being <i>crls</i>. In particular, the
* signature and the contents are ignored. This format allows multiple
* CRLs to be downloaded at once. If no CRLs are present,
* an empty collection is returned.
*
* <p>Note that if the given input stream does not support
* {@link java.io.InputStream#mark(int) mark} and
* {@link java.io.InputStream#reset() reset}, this method will
* consume the entire input stream.
*
* @param inStream the input stream with the CRLs.
*
* @return a (possibly empty) collection view of
* java.security.cert.CRL objects initialized with the data from the input
* stream.
*
* @exception CRLException on parsing errors.
*/
public abstract Collection<? extends CRL> engineGenerateCRLs
(InputStream inStream) throws CRLException;
}

59
jdkSrc/jdk8/java/security/cert/CertificateNotYetValidException.java Normal file
View File

@@ -0,0 +1,59 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* Certificate is not yet valid exception. This is thrown whenever
* the current {@code Date} or the specified {@code Date}
* is before the {@code notBefore} date/time in the Certificate
* validity period.
*
* @author Hemma Prafullchandra
*/
public class CertificateNotYetValidException extends CertificateException {
static final long serialVersionUID = 4355919900041064702L;
/**
* Constructs a CertificateNotYetValidException with no detail message. A
* detail message is a String that describes this particular
* exception.
*/
public CertificateNotYetValidException() {
super();
}
/**
* Constructs a CertificateNotYetValidException with the specified detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param message the detail message.
*/
public CertificateNotYetValidException(String message) {
super(message);
}
}

89
jdkSrc/jdk8/java/security/cert/CertificateParsingException.java Normal file
View File

@@ -0,0 +1,89 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* Certificate Parsing Exception. This is thrown whenever an
* invalid DER-encoded certificate is parsed or unsupported DER features
* are found in the Certificate.
*
* @author Hemma Prafullchandra
*/
public class CertificateParsingException extends CertificateException {
private static final long serialVersionUID = -7989222416793322029L;
/**
* Constructs a CertificateParsingException with no detail message. A
* detail message is a String that describes this particular
* exception.
*/
public CertificateParsingException() {
super();
}
/**
* Constructs a CertificateParsingException with the specified detail
* message. A detail message is a String that describes this
* particular exception.
*
* @param message the detail message.
*/
public CertificateParsingException(String message) {
super(message);
}
/**
* Creates a {@code CertificateParsingException} with the specified
* detail message and cause.
*
* @param message the detail message (which is saved for later retrieval
* by the {@link #getMessage()} method).
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateParsingException(String message, Throwable cause) {
super(message, cause);
}
/**
* Creates a {@code CertificateParsingException} with the
* specified cause and a detail message of
* {@code (cause==null ? null : cause.toString())}
* (which typically contains the class and detail message of
* {@code cause}).
*
* @param cause the cause (which is saved for later retrieval by the
* {@link #getCause()} method). (A {@code null} value is permitted,
* and indicates that the cause is nonexistent or unknown.)
* @since 1.5
*/
public CertificateParsingException(Throwable cause) {
super(cause);
}
}

248
jdkSrc/jdk8/java/security/cert/CertificateRevokedException.java Normal file
View File

@@ -0,0 +1,248 @@
/*
* Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.IOException;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import sun.misc.IOUtils;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.InvalidityDateExtension;
/**
* An exception that indicates an X.509 certificate is revoked. A
* {@code CertificateRevokedException} contains additional information
* about the revoked certificate, such as the date on which the
* certificate was revoked and the reason it was revoked.
*
* @author Sean Mullan
* @since 1.7
* @see CertPathValidatorException
*/
public class CertificateRevokedException extends CertificateException {
private static final long serialVersionUID = 7839996631571608627L;
/**
* @serial the date on which the certificate was revoked
*/
private Date revocationDate;
/**
* @serial the revocation reason
*/
private final CRLReason reason;
/**
* @serial the {@code X500Principal} that represents the name of the
* authority that signed the certificate's revocation status information
*/
private final X500Principal authority;
private transient Map<String, Extension> extensions;
/**
* Constructs a {@code CertificateRevokedException} with
* the specified revocation date, reason code, authority name, and map
* of extensions.
*
* @param revocationDate the date on which the certificate was revoked. The
* date is copied to protect against subsequent modification.
* @param reason the revocation reason
* @param extensions a map of X.509 Extensions. Each key is an OID String
* that maps to the corresponding Extension. The map is copied to
* prevent subsequent modification.
* @param authority the {@code X500Principal} that represents the name
* of the authority that signed the certificate's revocation status
* information
* @throws NullPointerException if {@code revocationDate},
* {@code reason}, {@code authority}, or
* {@code extensions} is {@code null}
*/
public CertificateRevokedException(Date revocationDate, CRLReason reason,
X500Principal authority, Map<String, Extension> extensions) {
if (revocationDate == null || reason == null || authority == null ||
extensions == null) {
throw new NullPointerException();
}
this.revocationDate = new Date(revocationDate.getTime());
this.reason = reason;
this.authority = authority;
// make sure Map only contains correct types
this.extensions = Collections.checkedMap(new HashMap<>(),
String.class, Extension.class);
this.extensions.putAll(extensions);
}
/**
* Returns the date on which the certificate was revoked. A new copy is
* returned each time the method is invoked to protect against subsequent
* modification.
*
* @return the revocation date
*/
public Date getRevocationDate() {
return (Date) revocationDate.clone();
}
/**
* Returns the reason the certificate was revoked.
*
* @return the revocation reason
*/
public CRLReason getRevocationReason() {
return reason;
}
/**
* Returns the name of the authority that signed the certificate's
* revocation status information.
*
* @return the {@code X500Principal} that represents the name of the
* authority that signed the certificate's revocation status information
*/
public X500Principal getAuthorityName() {
return authority;
}
/**
* Returns the invalidity date, as specified in the Invalidity Date
* extension of this {@code CertificateRevokedException}. The
* invalidity date is the date on which it is known or suspected that the
* private key was compromised or that the certificate otherwise became
* invalid. This implementation calls {@code getExtensions()} and
* checks the returned map for an entry for the Invalidity Date extension
* OID ("2.5.29.24"). If found, it returns the invalidity date in the
* extension; otherwise null. A new Date object is returned each time the
* method is invoked to protect against subsequent modification.
*
* @return the invalidity date, or {@code null} if not specified
*/
public Date getInvalidityDate() {
Extension ext = getExtensions().get("2.5.29.24");
if (ext == null) {
return null;
} else {
try {
Date invalidity = InvalidityDateExtension.toImpl(ext).get("DATE");
return new Date(invalidity.getTime());
} catch (IOException ioe) {
return null;
}
}
}
/**
* Returns a map of X.509 extensions containing additional information
* about the revoked certificate, such as the Invalidity Date
* Extension. Each key is an OID String that maps to the corresponding
* Extension.
*
* @return an unmodifiable map of X.509 extensions, or an empty map
* if there are no extensions
*/
public Map<String, Extension> getExtensions() {
return Collections.unmodifiableMap(extensions);
}
@Override
public String getMessage() {
return "Certificate has been revoked, reason: "
+ reason + ", revocation date: " + revocationDate
+ ", authority: " + authority + ", extension OIDs: "
+ extensions.keySet();
}
/**
* Serialize this {@code CertificateRevokedException} instance.
*
* @serialData the size of the extensions map (int), followed by all of
* the extensions in the map, in no particular order. For each extension,
* the following data is emitted: the OID String (Object), the criticality
* flag (boolean), the length of the encoded extension value byte array
* (int), and the encoded extension value bytes.
*/
private void writeObject(ObjectOutputStream oos) throws IOException {
// Write out the non-transient fields
// (revocationDate, reason, authority)
oos.defaultWriteObject();
// Write out the size (number of mappings) of the extensions map
oos.writeInt(extensions.size());
// For each extension in the map, the following are emitted (in order):
// the OID String (Object), the criticality flag (boolean), the length
// of the encoded extension value byte array (int), and the encoded
// extension value byte array. The extensions themselves are emitted
// in no particular order.
for (Map.Entry<String, Extension> entry : extensions.entrySet()) {
Extension ext = entry.getValue();
oos.writeObject(ext.getId());
oos.writeBoolean(ext.isCritical());
byte[] extVal = ext.getValue();
oos.writeInt(extVal.length);
oos.write(extVal);
}
}
/**
* Deserialize the {@code CertificateRevokedException} instance.
*/
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
// Read in the non-transient fields
// (revocationDate, reason, authority)
ois.defaultReadObject();
// Defensively copy the revocation date
revocationDate = new Date(revocationDate.getTime());
// Read in the size (number of mappings) of the extensions map
// and create the extensions map
int size = ois.readInt();
if (size == 0) {
extensions = Collections.emptyMap();
} else if (size < 0) {
throw new IOException("size cannot be negative");
} else {
extensions = new HashMap<>(size > 20 ? 20 : size);
}
// Read in the extensions and put the mappings in the extensions map
for (int i = 0; i < size; i++) {
String oid = (String) ois.readObject();
boolean critical = ois.readBoolean();
byte[] extVal = IOUtils.readExactlyNBytes(ois, ois.readInt());
Extension ext = sun.security.x509.Extension.newExtension
(new ObjectIdentifier(oid), critical, extVal);
extensions.put(oid, ext);
}
}
}

141
jdkSrc/jdk8/java/security/cert/CollectionCertStoreParameters.java Normal file
View File

@@ -0,0 +1,141 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
/**
* Parameters used as input for the Collection {@code CertStore}
* algorithm.
* <p>
* This class is used to provide necessary configuration parameters
* to implementations of the Collection {@code CertStore}
* algorithm. The only parameter included in this class is the
* {@code Collection} from which the {@code CertStore} will
* retrieve certificates and CRLs.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @since 1.4
* @author Steve Hanna
* @see java.util.Collection
* @see CertStore
*/
public class CollectionCertStoreParameters
implements CertStoreParameters {
private Collection<?> coll;
/**
* Creates an instance of {@code CollectionCertStoreParameters}
* which will allow certificates and CRLs to be retrieved from the
* specified {@code Collection}. If the specified
* {@code Collection} contains an object that is not a
* {@code Certificate} or {@code CRL}, that object will be
* ignored by the Collection {@code CertStore}.
* <p>
* The {@code Collection} is <b>not</b> copied. Instead, a
* reference is used. This allows the caller to subsequently add or
* remove {@code Certificates} or {@code CRL}s from the
* {@code Collection}, thus changing the set of
* {@code Certificates} or {@code CRL}s available to the
* Collection {@code CertStore}. The Collection {@code CertStore}
* will not modify the contents of the {@code Collection}.
* <p>
* If the {@code Collection} will be modified by one thread while
* another thread is calling a method of a Collection {@code CertStore}
* that has been initialized with this {@code Collection}, the
* {@code Collection} must have fail-fast iterators.
*
* @param collection a {@code Collection} of
* {@code Certificate}s and {@code CRL}s
* @exception NullPointerException if {@code collection} is
* {@code null}
*/
public CollectionCertStoreParameters(Collection<?> collection) {
if (collection == null)
throw new NullPointerException();
coll = collection;
}
/**
* Creates an instance of {@code CollectionCertStoreParameters} with
* the default parameter values (an empty and immutable
* {@code Collection}).
*/
public CollectionCertStoreParameters() {
coll = Collections.EMPTY_SET;
}
/**
* Returns the {@code Collection} from which {@code Certificate}s
* and {@code CRL}s are retrieved. This is <b>not</b> a copy of the
* {@code Collection}, it is a reference. This allows the caller to
* subsequently add or remove {@code Certificates} or
* {@code CRL}s from the {@code Collection}.
*
* @return the {@code Collection} (never null)
*/
public Collection<?> getCollection() {
return coll;
}
/**
* Returns a copy of this object. Note that only a reference to the
* {@code Collection} is copied, and not the contents.
*
* @return the copy
*/
public Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
/**
* Returns a formatted string describing the parameters.
*
* @return a formatted string describing the parameters
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("CollectionCertStoreParameters: [\n");
sb.append(" collection: " + coll + "\n");
sb.append("]");
return sb.toString();
}
}

101
jdkSrc/jdk8/java/security/cert/Extension.java Normal file
View File

@@ -0,0 +1,101 @@
/*
* Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.IOException;
import java.io.OutputStream;
import java.io.Serializable;
/**
* This interface represents an X.509 extension.
*
* <p>
* Extensions provide a means of associating additional attributes with users
* or public keys and for managing a certification hierarchy. The extension
* format also allows communities to define private extensions to carry
* information unique to those communities.
*
* <p>
* Each extension contains an object identifier, a criticality setting
* indicating whether it is a critical or a non-critical extension, and
* and an ASN.1 DER-encoded value. Its ASN.1 definition is:
*
* <pre>
*
* Extension ::= SEQUENCE {
* extnId OBJECT IDENTIFIER,
* critical BOOLEAN DEFAULT FALSE,
* extnValue OCTET STRING
* -- contains a DER encoding of a value
* -- of the type registered for use with
* -- the extnId object identifier value
* }
*
* </pre>
*
* <p>
* This interface is designed to provide access to a single extension,
* unlike {@link java.security.cert.X509Extension} which is more suitable
* for accessing a set of extensions.
*
* @since 1.7
*/
public interface Extension {
/**
* Gets the extensions's object identifier.
*
* @return the object identifier as a String
*/
String getId();
/**
* Gets the extension's criticality setting.
*
* @return true if this is a critical extension.
*/
boolean isCritical();
/**
* Gets the extensions's DER-encoded value. Note, this is the bytes
* that are encoded as an OCTET STRING. It does not include the OCTET
* STRING tag and length.
*
* @return a copy of the extension's value, or {@code null} if no
* extension value is present.
*/
byte[] getValue();
/**
* Generates the extension's DER encoding and writes it to the output
* stream.
*
* @param out the output stream
* @exception IOException on encoding or output error.
* @exception NullPointerException if {@code out} is {@code null}.
*/
void encode(OutputStream out) throws IOException;
}

149
jdkSrc/jdk8/java/security/cert/LDAPCertStoreParameters.java Normal file
View File

@@ -0,0 +1,149 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* Parameters used as input for the LDAP {@code CertStore} algorithm.
* <p>
* This class is used to provide necessary configuration parameters (server
* name and port number) to implementations of the LDAP {@code CertStore}
* algorithm.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @since 1.4
* @author Steve Hanna
* @see CertStore
*/
public class LDAPCertStoreParameters implements CertStoreParameters {
private static final int LDAP_DEFAULT_PORT = 389;
/**
* the port number of the LDAP server
*/
private int port;
/**
* the DNS name of the LDAP server
*/
private String serverName;
/**
* Creates an instance of {@code LDAPCertStoreParameters} with the
* specified parameter values.
*
* @param serverName the DNS name of the LDAP server
* @param port the port number of the LDAP server
* @exception NullPointerException if {@code serverName} is
* {@code null}
*/
public LDAPCertStoreParameters(String serverName, int port) {
if (serverName == null)
throw new NullPointerException();
this.serverName = serverName;
this.port = port;
}
/**
* Creates an instance of {@code LDAPCertStoreParameters} with the
* specified server name and a default port of 389.
*
* @param serverName the DNS name of the LDAP server
* @exception NullPointerException if {@code serverName} is
* {@code null}
*/
public LDAPCertStoreParameters(String serverName) {
this(serverName, LDAP_DEFAULT_PORT);
}
/**
* Creates an instance of {@code LDAPCertStoreParameters} with the
* default parameter values (server name "localhost", port 389).
*/
public LDAPCertStoreParameters() {
this("localhost", LDAP_DEFAULT_PORT);
}
/**
* Returns the DNS name of the LDAP server.
*
* @return the name (not {@code null})
*/
public String getServerName() {
return serverName;
}
/**
* Returns the port number of the LDAP server.
*
* @return the port number
*/
public int getPort() {
return port;
}
/**
* Returns a copy of this object. Changes to the copy will not affect
* the original and vice versa.
* <p>
* Note: this method currently performs a shallow copy of the object
* (simply calls {@code Object.clone()}). This may be changed in a
* future revision to perform a deep copy if new parameters are added
* that should not be shared.
*
* @return the copy
*/
public Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
/**
* Returns a formatted string describing the parameters.
*
* @return a formatted string describing the parameters
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("LDAPCertStoreParameters: [\n");
sb.append(" serverName: " + serverName + "\n");
sb.append(" port: " + port + "\n");
sb.append("]");
return sb.toString();
}
}

199
jdkSrc/jdk8/java/security/cert/PKIXBuilderParameters.java Normal file
View File

@@ -0,0 +1,199 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidParameterException;
import java.util.Set;
/**
* Parameters used as input for the PKIX {@code CertPathBuilder}
* algorithm.
* <p>
* A PKIX {@code CertPathBuilder} uses these parameters to {@link
* CertPathBuilder#build build} a {@code CertPath} which has been
* validated according to the PKIX certification path validation algorithm.
*
* <p>To instantiate a {@code PKIXBuilderParameters} object, an
* application must specify one or more <i>most-trusted CAs</i> as defined by
* the PKIX certification path validation algorithm. The most-trusted CA
* can be specified using one of two constructors. An application
* can call {@link #PKIXBuilderParameters(Set, CertSelector)
* PKIXBuilderParameters(Set, CertSelector)}, specifying a
* {@code Set} of {@code TrustAnchor} objects, each of which
* identifies a most-trusted CA. Alternatively, an application can call
* {@link #PKIXBuilderParameters(KeyStore, CertSelector)
* PKIXBuilderParameters(KeyStore, CertSelector)}, specifying a
* {@code KeyStore} instance containing trusted certificate entries, each
* of which will be considered as a most-trusted CA.
*
* <p>In addition, an application must specify constraints on the target
* certificate that the {@code CertPathBuilder} will attempt
* to build a path to. The constraints are specified as a
* {@code CertSelector} object. These constraints should provide the
* {@code CertPathBuilder} with enough search criteria to find the target
* certificate. Minimal criteria for an {@code X509Certificate} usually
* include the subject name and/or one or more subject alternative names.
* If enough criteria is not specified, the {@code CertPathBuilder}
* may throw a {@code CertPathBuilderException}.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathBuilder
*
* @since 1.4
* @author Sean Mullan
*/
public class PKIXBuilderParameters extends PKIXParameters {
private int maxPathLength = 5;
/**
* Creates an instance of {@code PKIXBuilderParameters} with
* the specified {@code Set} of most-trusted CAs.
* Each element of the set is a {@link TrustAnchor TrustAnchor}.
*
* <p>Note that the {@code Set} is copied to protect against
* subsequent modifications.
*
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
* @param targetConstraints a {@code CertSelector} specifying the
* constraints on the target certificate
* @throws InvalidAlgorithmParameterException if {@code trustAnchors}
* is empty {@code (trustAnchors.isEmpty() == true)}
* @throws NullPointerException if {@code trustAnchors} is
* {@code null}
* @throws ClassCastException if any of the elements of
* {@code trustAnchors} are not of type
* {@code java.security.cert.TrustAnchor}
*/
public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors, CertSelector
targetConstraints) throws InvalidAlgorithmParameterException
{
super(trustAnchors);
setTargetCertConstraints(targetConstraints);
}
/**
* Creates an instance of {@code PKIXBuilderParameters} that
* populates the set of most-trusted CAs from the trusted
* certificate entries contained in the specified {@code KeyStore}.
* Only keystore entries that contain trusted {@code X509Certificate}s
* are considered; all other certificate types are ignored.
*
* @param keystore a {@code KeyStore} from which the set of
* most-trusted CAs will be populated
* @param targetConstraints a {@code CertSelector} specifying the
* constraints on the target certificate
* @throws KeyStoreException if {@code keystore} has not been
* initialized
* @throws InvalidAlgorithmParameterException if {@code keystore} does
* not contain at least one trusted certificate entry
* @throws NullPointerException if {@code keystore} is
* {@code null}
*/
public PKIXBuilderParameters(KeyStore keystore,
CertSelector targetConstraints)
throws KeyStoreException, InvalidAlgorithmParameterException
{
super(keystore);
setTargetCertConstraints(targetConstraints);
}
/**
* Sets the value of the maximum number of non-self-issued intermediate
* certificates that may exist in a certification path. A certificate
* is self-issued if the DNs that appear in the subject and issuer
* fields are identical and are not empty. Note that the last certificate
* in a certification path is not an intermediate certificate, and is not
* included in this limit. Usually the last certificate is an end entity
* certificate, but it can be a CA certificate. A PKIX
* {@code CertPathBuilder} instance must not build
* paths longer than the length specified.
*
* <p> A value of 0 implies that the path can only contain
* a single certificate. A value of -1 implies that the
* path length is unconstrained (i.e. there is no maximum).
* The default maximum path length, if not specified, is 5.
* Setting a value less than -1 will cause an exception to be thrown.
*
* <p> If any of the CA certificates contain the
* {@code BasicConstraintsExtension}, the value of the
* {@code pathLenConstraint} field of the extension overrides
* the maximum path length parameter whenever the result is a
* certification path of smaller length.
*
* @param maxPathLength the maximum number of non-self-issued intermediate
* certificates that may exist in a certification path
* @throws InvalidParameterException if {@code maxPathLength} is set
* to a value less than -1
*
* @see #getMaxPathLength
*/
public void setMaxPathLength(int maxPathLength) {
if (maxPathLength < -1) {
throw new InvalidParameterException("the maximum path "
+ "length parameter can not be less than -1");
}
this.maxPathLength = maxPathLength;
}
/**
* Returns the value of the maximum number of intermediate non-self-issued
* certificates that may exist in a certification path. See
* the {@link #setMaxPathLength} method for more details.
*
* @return the maximum number of non-self-issued intermediate certificates
* that may exist in a certification path, or -1 if there is no limit
*
* @see #setMaxPathLength
*/
public int getMaxPathLength() {
return maxPathLength;
}
/**
* Returns a formatted string describing the parameters.
*
* @return a formatted string describing the parameters
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("[\n");
sb.append(super.toString());
sb.append(" Maximum Path Length: " + maxPathLength + "\n");
sb.append("]\n");
return sb.toString();
}
}

119
jdkSrc/jdk8/java/security/cert/PKIXCertPathBuilderResult.java Normal file
View File

@@ -0,0 +1,119 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.PublicKey;
/**
* This class represents the successful result of the PKIX certification
* path builder algorithm. All certification paths that are built and
* returned using this algorithm are also validated according to the PKIX
* certification path validation algorithm.
*
* <p>Instances of {@code PKIXCertPathBuilderResult} are returned by
* the {@code build} method of {@code CertPathBuilder}
* objects implementing the PKIX algorithm.
*
* <p>All {@code PKIXCertPathBuilderResult} objects contain the
* certification path constructed by the build algorithm, the
* valid policy tree and subject public key resulting from the build
* algorithm, and a {@code TrustAnchor} describing the certification
* authority (CA) that served as a trust anchor for the certification path.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathBuilderResult
*
* @since 1.4
* @author Anne Anderson
*/
public class PKIXCertPathBuilderResult extends PKIXCertPathValidatorResult
implements CertPathBuilderResult {
private CertPath certPath;
/**
* Creates an instance of {@code PKIXCertPathBuilderResult}
* containing the specified parameters.
*
* @param certPath the validated {@code CertPath}
* @param trustAnchor a {@code TrustAnchor} describing the CA that
* served as a trust anchor for the certification path
* @param policyTree the immutable valid policy tree, or {@code null}
* if there are no valid policies
* @param subjectPublicKey the public key of the subject
* @throws NullPointerException if the {@code certPath},
* {@code trustAnchor} or {@code subjectPublicKey} parameters
* are {@code null}
*/
public PKIXCertPathBuilderResult(CertPath certPath,
TrustAnchor trustAnchor, PolicyNode policyTree,
PublicKey subjectPublicKey)
{
super(trustAnchor, policyTree, subjectPublicKey);
if (certPath == null)
throw new NullPointerException("certPath must be non-null");
this.certPath = certPath;
}
/**
* Returns the built and validated certification path. The
* {@code CertPath} object does not include the trust anchor.
* Instead, use the {@link #getTrustAnchor() getTrustAnchor()} method to
* obtain the {@code TrustAnchor} that served as the trust anchor
* for the certification path.
*
* @return the built and validated {@code CertPath} (never
* {@code null})
*/
public CertPath getCertPath() {
return certPath;
}
/**
* Return a printable representation of this
* {@code PKIXCertPathBuilderResult}.
*
* @return a {@code String} describing the contents of this
* {@code PKIXCertPathBuilderResult}
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("PKIXCertPathBuilderResult: [\n");
sb.append(" Certification Path: " + certPath + "\n");
sb.append(" Trust Anchor: " + getTrustAnchor().toString() + "\n");
sb.append(" Policy Tree: " + String.valueOf(getPolicyTree()) + "\n");
sb.append(" Subject Public Key: " + getPublicKey() + "\n");
sb.append("]");
return sb.toString();
}
}

196
jdkSrc/jdk8/java/security/cert/PKIXCertPathChecker.java Normal file
View File

@@ -0,0 +1,196 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.util.Collection;
import java.util.Set;
/**
* An abstract class that performs one or more checks on an
* {@code X509Certificate}.
*
* <p>A concrete implementation of the {@code PKIXCertPathChecker} class
* can be created to extend the PKIX certification path validation algorithm.
* For example, an implementation may check for and process a critical private
* extension of each certificate in a certification path.
*
* <p>Instances of {@code PKIXCertPathChecker} are passed as parameters
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
* of the {@code PKIXParameters} and {@code PKIXBuilderParameters}
* class. Each of the {@code PKIXCertPathChecker}s {@link #check check}
* methods will be called, in turn, for each certificate processed by a PKIX
* {@code CertPathValidator} or {@code CertPathBuilder}
* implementation.
*
* <p>A {@code PKIXCertPathChecker} may be called multiple times on
* successive certificates in a certification path. Concrete subclasses
* are expected to maintain any internal state that may be necessary to
* check successive certificates. The {@link #init init} method is used
* to initialize the internal state of the checker so that the certificates
* of a new certification path may be checked. A stateful implementation
* <b>must</b> override the {@link #clone clone} method if necessary in
* order to allow a PKIX {@code CertPathBuilder} to efficiently
* backtrack and try other paths. In these situations, the
* {@code CertPathBuilder} is able to restore prior path validation
* states by restoring the cloned {@code PKIXCertPathChecker}s.
*
* <p>The order in which the certificates are presented to the
* {@code PKIXCertPathChecker} may be either in the forward direction
* (from target to most-trusted CA) or in the reverse direction (from
* most-trusted CA to target). A {@code PKIXCertPathChecker} implementation
* <b>must</b> support reverse checking (the ability to perform its checks when
* it is presented with certificates in the reverse direction) and <b>may</b>
* support forward checking (the ability to perform its checks when it is
* presented with certificates in the forward direction). The
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method
* indicates whether forward checking is supported.
* <p>
* Additional input parameters required for executing the check may be
* specified through constructors of concrete implementations of this class.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see PKIXParameters
* @see PKIXBuilderParameters
*
* @since 1.4
* @author Yassir Elley
* @author Sean Mullan
*/
public abstract class PKIXCertPathChecker
implements CertPathChecker, Cloneable {
/**
* Default constructor.
*/
protected PKIXCertPathChecker() {}
/**
* Initializes the internal state of this {@code PKIXCertPathChecker}.
* <p>
* The {@code forward} flag specifies the order that
* certificates will be passed to the {@link #check check} method
* (forward or reverse). A {@code PKIXCertPathChecker} <b>must</b>
* support reverse checking and <b>may</b> support forward checking.
*
* @param forward the order that certificates are presented to
* the {@code check} method. If {@code true}, certificates
* are presented from target to most-trusted CA (forward); if
* {@code false}, from most-trusted CA to target (reverse).
* @throws CertPathValidatorException if this
* {@code PKIXCertPathChecker} is unable to check certificates in
* the specified order; it should never be thrown if the forward flag
* is false since reverse checking must be supported
*/
@Override
public abstract void init(boolean forward)
throws CertPathValidatorException;
/**
* Indicates if forward checking is supported. Forward checking refers
* to the ability of the {@code PKIXCertPathChecker} to perform
* its checks when certificates are presented to the {@code check}
* method in the forward direction (from target to most-trusted CA).
*
* @return {@code true} if forward checking is supported,
* {@code false} otherwise
*/
@Override
public abstract boolean isForwardCheckingSupported();
/**
* Returns an immutable {@code Set} of X.509 certificate extensions
* that this {@code PKIXCertPathChecker} supports (i.e. recognizes, is
* able to process), or {@code null} if no extensions are supported.
* <p>
* Each element of the set is a {@code String} representing the
* Object Identifier (OID) of the X.509 extension that is supported.
* The OID is represented by a set of nonnegative integers separated by
* periods.
* <p>
* All X.509 certificate extensions that a {@code PKIXCertPathChecker}
* might possibly be able to process should be included in the set.
*
* @return an immutable {@code Set} of X.509 extension OIDs (in
* {@code String} format) supported by this
* {@code PKIXCertPathChecker}, or {@code null} if no
* extensions are supported
*/
public abstract Set<String> getSupportedExtensions();
/**
* Performs the check(s) on the specified certificate using its internal
* state and removes any critical extensions that it processes from the
* specified collection of OID strings that represent the unresolved
* critical extensions. The certificates are presented in the order
* specified by the {@code init} method.
*
* @param cert the {@code Certificate} to be checked
* @param unresolvedCritExts a {@code Collection} of OID strings
* representing the current set of unresolved critical extensions
* @exception CertPathValidatorException if the specified certificate does
* not pass the check
*/
public abstract void check(Certificate cert,
Collection<String> unresolvedCritExts)
throws CertPathValidatorException;
/**
* {@inheritDoc}
*
* <p>This implementation calls
* {@code check(cert, java.util.Collections.<String>emptySet())}.
*/
@Override
public void check(Certificate cert) throws CertPathValidatorException {
check(cert, java.util.Collections.<String>emptySet());
}
/**
* Returns a clone of this object. Calls the {@code Object.clone()}
* method.
* All subclasses which maintain state must support and
* override this method, if necessary.
*
* @return a copy of this {@code PKIXCertPathChecker}
*/
@Override
public Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
}

159
jdkSrc/jdk8/java/security/cert/PKIXCertPathValidatorResult.java Normal file
View File

@@ -0,0 +1,159 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.PublicKey;
/**
* This class represents the successful result of the PKIX certification
* path validation algorithm.
*
* <p>Instances of {@code PKIXCertPathValidatorResult} are returned by the
* {@link CertPathValidator#validate validate} method of
* {@code CertPathValidator} objects implementing the PKIX algorithm.
*
* <p> All {@code PKIXCertPathValidatorResult} objects contain the
* valid policy tree and subject public key resulting from the
* validation algorithm, as well as a {@code TrustAnchor} describing
* the certification authority (CA) that served as a trust anchor for the
* certification path.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathValidatorResult
*
* @since 1.4
* @author Yassir Elley
* @author Sean Mullan
*/
public class PKIXCertPathValidatorResult implements CertPathValidatorResult {
private TrustAnchor trustAnchor;
private PolicyNode policyTree;
private PublicKey subjectPublicKey;
/**
* Creates an instance of {@code PKIXCertPathValidatorResult}
* containing the specified parameters.
*
* @param trustAnchor a {@code TrustAnchor} describing the CA that
* served as a trust anchor for the certification path
* @param policyTree the immutable valid policy tree, or {@code null}
* if there are no valid policies
* @param subjectPublicKey the public key of the subject
* @throws NullPointerException if the {@code subjectPublicKey} or
* {@code trustAnchor} parameters are {@code null}
*/
public PKIXCertPathValidatorResult(TrustAnchor trustAnchor,
PolicyNode policyTree, PublicKey subjectPublicKey)
{
if (subjectPublicKey == null)
throw new NullPointerException("subjectPublicKey must be non-null");
if (trustAnchor == null)
throw new NullPointerException("trustAnchor must be non-null");
this.trustAnchor = trustAnchor;
this.policyTree = policyTree;
this.subjectPublicKey = subjectPublicKey;
}
/**
* Returns the {@code TrustAnchor} describing the CA that served
* as a trust anchor for the certification path.
*
* @return the {@code TrustAnchor} (never {@code null})
*/
public TrustAnchor getTrustAnchor() {
return trustAnchor;
}
/**
* Returns the root node of the valid policy tree resulting from the
* PKIX certification path validation algorithm. The
* {@code PolicyNode} object that is returned and any objects that
* it returns through public methods are immutable.
*
* <p>Most applications will not need to examine the valid policy tree.
* They can achieve their policy processing goals by setting the
* policy-related parameters in {@code PKIXParameters}. However, more
* sophisticated applications, especially those that process policy
* qualifiers, may need to traverse the valid policy tree using the
* {@link PolicyNode#getParent PolicyNode.getParent} and
* {@link PolicyNode#getChildren PolicyNode.getChildren} methods.
*
* @return the root node of the valid policy tree, or {@code null}
* if there are no valid policies
*/
public PolicyNode getPolicyTree() {
return policyTree;
}
/**
* Returns the public key of the subject (target) of the certification
* path, including any inherited public key parameters if applicable.
*
* @return the public key of the subject (never {@code null})
*/
public PublicKey getPublicKey() {
return subjectPublicKey;
}
/**
* Returns a copy of this object.
*
* @return the copy
*/
public Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
/**
* Return a printable representation of this
* {@code PKIXCertPathValidatorResult}.
*
* @return a {@code String} describing the contents of this
* {@code PKIXCertPathValidatorResult}
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("PKIXCertPathValidatorResult: [\n");
sb.append(" Trust Anchor: " + trustAnchor.toString() + "\n");
sb.append(" Policy Tree: " + String.valueOf(policyTree) + "\n");
sb.append(" Subject Public Key: " + subjectPublicKey + "\n");
sb.append("]");
return sb.toString();
}
}

736
jdkSrc/jdk8/java/security/cert/PKIXParameters.java Normal file
View File

@@ -0,0 +1,736 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
/**
* Parameters used as input for the PKIX {@code CertPathValidator}
* algorithm.
* <p>
* A PKIX {@code CertPathValidator} uses these parameters to
* validate a {@code CertPath} according to the PKIX certification path
* validation algorithm.
*
* <p>To instantiate a {@code PKIXParameters} object, an
* application must specify one or more <i>most-trusted CAs</i> as defined by
* the PKIX certification path validation algorithm. The most-trusted CAs
* can be specified using one of two constructors. An application
* can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
* specifying a {@code Set} of {@code TrustAnchor} objects, each
* of which identify a most-trusted CA. Alternatively, an application can call
* {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
* {@code KeyStore} instance containing trusted certificate entries, each
* of which will be considered as a most-trusted CA.
* <p>
* Once a {@code PKIXParameters} object has been created, other parameters
* can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
* or {@link #setDate setDate}, for instance) and then the
* {@code PKIXParameters} is passed along with the {@code CertPath}
* to be validated to {@link CertPathValidator#validate
* CertPathValidator.validate}.
* <p>
* Any parameter that is not set (or is set to {@code null}) will
* be set to the default value for that parameter. The default value for the
* {@code date} parameter is {@code null}, which indicates
* the current time when the path is validated. The default for the
* remaining parameters is the least constrained.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CertPathValidator
*
* @since 1.4
* @author Sean Mullan
* @author Yassir Elley
*/
public class PKIXParameters implements CertPathParameters {
private Set<TrustAnchor> unmodTrustAnchors;
private Date date;
private List<PKIXCertPathChecker> certPathCheckers;
private String sigProvider;
private boolean revocationEnabled = true;
private Set<String> unmodInitialPolicies;
private boolean explicitPolicyRequired = false;
private boolean policyMappingInhibited = false;
private boolean anyPolicyInhibited = false;
private boolean policyQualifiersRejected = true;
private List<CertStore> certStores;
private CertSelector certSelector;
/**
* Creates an instance of {@code PKIXParameters} with the specified
* {@code Set} of most-trusted CAs. Each element of the
* set is a {@link TrustAnchor TrustAnchor}.
* <p>
* Note that the {@code Set} is copied to protect against
* subsequent modifications.
*
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
* @throws InvalidAlgorithmParameterException if the specified
* {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
* @throws NullPointerException if the specified {@code Set} is
* {@code null}
* @throws ClassCastException if any of the elements in the {@code Set}
* are not of type {@code java.security.cert.TrustAnchor}
*/
public PKIXParameters(Set<TrustAnchor> trustAnchors)
throws InvalidAlgorithmParameterException
{
setTrustAnchors(trustAnchors);
this.unmodInitialPolicies = Collections.<String>emptySet();
this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
this.certStores = new ArrayList<CertStore>();
}
/**
* Creates an instance of {@code PKIXParameters} that
* populates the set of most-trusted CAs from the trusted
* certificate entries contained in the specified {@code KeyStore}.
* Only keystore entries that contain trusted {@code X509Certificates}
* are considered; all other certificate types are ignored.
*
* @param keystore a {@code KeyStore} from which the set of
* most-trusted CAs will be populated
* @throws KeyStoreException if the keystore has not been initialized
* @throws InvalidAlgorithmParameterException if the keystore does
* not contain at least one trusted certificate entry
* @throws NullPointerException if the keystore is {@code null}
*/
public PKIXParameters(KeyStore keystore)
throws KeyStoreException, InvalidAlgorithmParameterException
{
if (keystore == null)
throw new NullPointerException("the keystore parameter must be " +
"non-null");
Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
Enumeration<String> aliases = keystore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (keystore.isCertificateEntry(alias)) {
Certificate cert = keystore.getCertificate(alias);
if (cert instanceof X509Certificate)
hashSet.add(new TrustAnchor((X509Certificate)cert, null));
}
}
setTrustAnchors(hashSet);
this.unmodInitialPolicies = Collections.<String>emptySet();
this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
this.certStores = new ArrayList<CertStore>();
}
/**
* Returns an immutable {@code Set} of the most-trusted
* CAs.
*
* @return an immutable {@code Set} of {@code TrustAnchor}s
* (never {@code null})
*
* @see #setTrustAnchors
*/
public Set<TrustAnchor> getTrustAnchors() {
return this.unmodTrustAnchors;
}
/**
* Sets the {@code Set} of most-trusted CAs.
* <p>
* Note that the {@code Set} is copied to protect against
* subsequent modifications.
*
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
* @throws InvalidAlgorithmParameterException if the specified
* {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
* @throws NullPointerException if the specified {@code Set} is
* {@code null}
* @throws ClassCastException if any of the elements in the set
* are not of type {@code java.security.cert.TrustAnchor}
*
* @see #getTrustAnchors
*/
public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
throws InvalidAlgorithmParameterException
{
if (trustAnchors == null) {
throw new NullPointerException("the trustAnchors parameters must" +
" be non-null");
}
if (trustAnchors.isEmpty()) {
throw new InvalidAlgorithmParameterException("the trustAnchors " +
"parameter must be non-empty");
}
for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
if (!(i.next() instanceof TrustAnchor)) {
throw new ClassCastException("all elements of set must be "
+ "of type java.security.cert.TrustAnchor");
}
}
this.unmodTrustAnchors = Collections.unmodifiableSet
(new HashSet<TrustAnchor>(trustAnchors));
}
/**
* Returns an immutable {@code Set} of initial
* policy identifiers (OID strings), indicating that any one of these
* policies would be acceptable to the certificate user for the purposes of
* certification path processing. The default return value is an empty
* {@code Set}, which is interpreted as meaning that any policy would
* be acceptable.
*
* @return an immutable {@code Set} of initial policy OIDs in
* {@code String} format, or an empty {@code Set} (implying any
* policy is acceptable). Never returns {@code null}.
*
* @see #setInitialPolicies
*/
public Set<String> getInitialPolicies() {
return this.unmodInitialPolicies;
}
/**
* Sets the {@code Set} of initial policy identifiers
* (OID strings), indicating that any one of these
* policies would be acceptable to the certificate user for the purposes of
* certification path processing. By default, any policy is acceptable
* (i.e. all policies), so a user that wants to allow any policy as
* acceptable does not need to call this method, or can call it
* with an empty {@code Set} (or {@code null}).
* <p>
* Note that the {@code Set} is copied to protect against
* subsequent modifications.
*
* @param initialPolicies a {@code Set} of initial policy
* OIDs in {@code String} format (or {@code null})
* @throws ClassCastException if any of the elements in the set are
* not of type {@code String}
*
* @see #getInitialPolicies
*/
public void setInitialPolicies(Set<String> initialPolicies) {
if (initialPolicies != null) {
for (Iterator<String> i = initialPolicies.iterator();
i.hasNext();) {
if (!(i.next() instanceof String))
throw new ClassCastException("all elements of set must be "
+ "of type java.lang.String");
}
this.unmodInitialPolicies =
Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
} else
this.unmodInitialPolicies = Collections.<String>emptySet();
}
/**
* Sets the list of {@code CertStore}s to be used in finding
* certificates and CRLs. May be {@code null}, in which case
* no {@code CertStore}s will be used. The first
* {@code CertStore}s in the list may be preferred to those that
* appear later.
* <p>
* Note that the {@code List} is copied to protect against
* subsequent modifications.
*
* @param stores a {@code List} of {@code CertStore}s (or
* {@code null})
* @throws ClassCastException if any of the elements in the list are
* not of type {@code java.security.cert.CertStore}
*
* @see #getCertStores
*/
public void setCertStores(List<CertStore> stores) {
if (stores == null) {
this.certStores = new ArrayList<CertStore>();
} else {
for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
if (!(i.next() instanceof CertStore)) {
throw new ClassCastException("all elements of list must be "
+ "of type java.security.cert.CertStore");
}
}
this.certStores = new ArrayList<CertStore>(stores);
}
}
/**
* Adds a {@code CertStore} to the end of the list of
* {@code CertStore}s used in finding certificates and CRLs.
*
* @param store the {@code CertStore} to add. If {@code null},
* the store is ignored (not added to list).
*/
public void addCertStore(CertStore store) {
if (store != null) {
this.certStores.add(store);
}
}
/**
* Returns an immutable {@code List} of {@code CertStore}s that
* are used to find certificates and CRLs.
*
* @return an immutable {@code List} of {@code CertStore}s
* (may be empty, but never {@code null})
*
* @see #setCertStores
*/
public List<CertStore> getCertStores() {
return Collections.unmodifiableList
(new ArrayList<CertStore>(this.certStores));
}
/**
* Sets the RevocationEnabled flag. If this flag is true, the default
* revocation checking mechanism of the underlying PKIX service provider
* will be used. If this flag is false, the default revocation checking
* mechanism will be disabled (not used).
* <p>
* When a {@code PKIXParameters} object is created, this flag is set
* to true. This setting reflects the most common strategy for checking
* revocation, since each service provider must support revocation
* checking to be PKIX compliant. Sophisticated applications should set
* this flag to false when it is not practical to use a PKIX service
* provider's default revocation checking mechanism or when an alternative
* revocation checking mechanism is to be substituted (by also calling the
* {@link #addCertPathChecker addCertPathChecker} or {@link
* #setCertPathCheckers setCertPathCheckers} methods).
*
* @param val the new value of the RevocationEnabled flag
*/
public void setRevocationEnabled(boolean val) {
revocationEnabled = val;
}
/**
* Checks the RevocationEnabled flag. If this flag is true, the default
* revocation checking mechanism of the underlying PKIX service provider
* will be used. If this flag is false, the default revocation checking
* mechanism will be disabled (not used). See the {@link
* #setRevocationEnabled setRevocationEnabled} method for more details on
* setting the value of this flag.
*
* @return the current value of the RevocationEnabled flag
*/
public boolean isRevocationEnabled() {
return revocationEnabled;
}
/**
* Sets the ExplicitPolicyRequired flag. If this flag is true, an
* acceptable policy needs to be explicitly identified in every certificate.
* By default, the ExplicitPolicyRequired flag is false.
*
* @param val {@code true} if explicit policy is to be required,
* {@code false} otherwise
*/
public void setExplicitPolicyRequired(boolean val) {
explicitPolicyRequired = val;
}
/**
* Checks if explicit policy is required. If this flag is true, an
* acceptable policy needs to be explicitly identified in every certificate.
* By default, the ExplicitPolicyRequired flag is false.
*
* @return {@code true} if explicit policy is required,
* {@code false} otherwise
*/
public boolean isExplicitPolicyRequired() {
return explicitPolicyRequired;
}
/**
* Sets the PolicyMappingInhibited flag. If this flag is true, policy
* mapping is inhibited. By default, policy mapping is not inhibited (the
* flag is false).
*
* @param val {@code true} if policy mapping is to be inhibited,
* {@code false} otherwise
*/
public void setPolicyMappingInhibited(boolean val) {
policyMappingInhibited = val;
}
/**
* Checks if policy mapping is inhibited. If this flag is true, policy
* mapping is inhibited. By default, policy mapping is not inhibited (the
* flag is false).
*
* @return true if policy mapping is inhibited, false otherwise
*/
public boolean isPolicyMappingInhibited() {
return policyMappingInhibited;
}
/**
* Sets state to determine if the any policy OID should be processed
* if it is included in a certificate. By default, the any policy OID
* is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
* returns {@code false}).
*
* @param val {@code true} if the any policy OID is to be
* inhibited, {@code false} otherwise
*/
public void setAnyPolicyInhibited(boolean val) {
anyPolicyInhibited = val;
}
/**
* Checks whether the any policy OID should be processed if it
* is included in a certificate.
*
* @return {@code true} if the any policy OID is inhibited,
* {@code false} otherwise
*/
public boolean isAnyPolicyInhibited() {
return anyPolicyInhibited;
}
/**
* Sets the PolicyQualifiersRejected flag. If this flag is true,
* certificates that include policy qualifiers in a certificate
* policies extension that is marked critical are rejected.
* If the flag is false, certificates are not rejected on this basis.
*
* <p> When a {@code PKIXParameters} object is created, this flag is
* set to true. This setting reflects the most common (and simplest)
* strategy for processing policy qualifiers. Applications that want to use
* a more sophisticated policy must set this flag to false.
* <p>
* Note that the PKIX certification path validation algorithm specifies
* that any policy qualifier in a certificate policies extension that is
* marked critical must be processed and validated. Otherwise the
* certification path must be rejected. If the policyQualifiersRejected flag
* is set to false, it is up to the application to validate all policy
* qualifiers in this manner in order to be PKIX compliant.
*
* @param qualifiersRejected the new value of the PolicyQualifiersRejected
* flag
* @see #getPolicyQualifiersRejected
* @see PolicyQualifierInfo
*/
public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
policyQualifiersRejected = qualifiersRejected;
}
/**
* Gets the PolicyQualifiersRejected flag. If this flag is true,
* certificates that include policy qualifiers in a certificate policies
* extension that is marked critical are rejected.
* If the flag is false, certificates are not rejected on this basis.
*
* <p> When a {@code PKIXParameters} object is created, this flag is
* set to true. This setting reflects the most common (and simplest)
* strategy for processing policy qualifiers. Applications that want to use
* a more sophisticated policy must set this flag to false.
*
* @return the current value of the PolicyQualifiersRejected flag
* @see #setPolicyQualifiersRejected
*/
public boolean getPolicyQualifiersRejected() {
return policyQualifiersRejected;
}
/**
* Returns the time for which the validity of the certification path
* should be determined. If {@code null}, the current time is used.
* <p>
* Note that the {@code Date} returned is copied to protect against
* subsequent modifications.
*
* @return the {@code Date}, or {@code null} if not set
* @see #setDate
*/
public Date getDate() {
if (date == null)
return null;
else
return (Date) this.date.clone();
}
/**
* Sets the time for which the validity of the certification path
* should be determined. If {@code null}, the current time is used.
* <p>
* Note that the {@code Date} supplied here is copied to protect
* against subsequent modifications.
*
* @param date the {@code Date}, or {@code null} for the
* current time
* @see #getDate
*/
public void setDate(Date date) {
if (date != null)
this.date = (Date) date.clone();
else
date = null;
}
/**
* Sets a {@code List} of additional certification path checkers. If
* the specified {@code List} contains an object that is not a
* {@code PKIXCertPathChecker}, it is ignored.
* <p>
* Each {@code PKIXCertPathChecker} specified implements
* additional checks on a certificate. Typically, these are checks to
* process and verify private extensions contained in certificates.
* Each {@code PKIXCertPathChecker} should be instantiated with any
* initialization parameters needed to execute the check.
* <p>
* This method allows sophisticated applications to extend a PKIX
* {@code CertPathValidator} or {@code CertPathBuilder}.
* Each of the specified {@code PKIXCertPathChecker}s will be called,
* in turn, by a PKIX {@code CertPathValidator} or
* {@code CertPathBuilder} for each certificate processed or
* validated.
* <p>
* Regardless of whether these additional {@code PKIXCertPathChecker}s
* are set, a PKIX {@code CertPathValidator} or
* {@code CertPathBuilder} must perform all of the required PKIX
* checks on each certificate. The one exception to this rule is if the
* RevocationEnabled flag is set to false (see the {@link
* #setRevocationEnabled setRevocationEnabled} method).
* <p>
* Note that the {@code List} supplied here is copied and each
* {@code PKIXCertPathChecker} in the list is cloned to protect
* against subsequent modifications.
*
* @param checkers a {@code List} of {@code PKIXCertPathChecker}s.
* May be {@code null}, in which case no additional checkers will be
* used.
* @throws ClassCastException if any of the elements in the list
* are not of type {@code java.security.cert.PKIXCertPathChecker}
* @see #getCertPathCheckers
*/
public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
if (checkers != null) {
List<PKIXCertPathChecker> tmpList =
new ArrayList<PKIXCertPathChecker>();
for (PKIXCertPathChecker checker : checkers) {
tmpList.add((PKIXCertPathChecker)checker.clone());
}
this.certPathCheckers = tmpList;
} else {
this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
}
}
/**
* Returns the {@code List} of certification path checkers.
* The returned {@code List} is immutable, and each
* {@code PKIXCertPathChecker} in the {@code List} is cloned
* to protect against subsequent modifications.
*
* @return an immutable {@code List} of
* {@code PKIXCertPathChecker}s (may be empty, but not
* {@code null})
* @see #setCertPathCheckers
*/
public List<PKIXCertPathChecker> getCertPathCheckers() {
List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
for (PKIXCertPathChecker ck : certPathCheckers) {
tmpList.add((PKIXCertPathChecker)ck.clone());
}
return Collections.unmodifiableList(tmpList);
}
/**
* Adds a {@code PKIXCertPathChecker} to the list of certification
* path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
* method for more details.
* <p>
* Note that the {@code PKIXCertPathChecker} is cloned to protect
* against subsequent modifications.
*
* @param checker a {@code PKIXCertPathChecker} to add to the list of
* checks. If {@code null}, the checker is ignored (not added to list).
*/
public void addCertPathChecker(PKIXCertPathChecker checker) {
if (checker != null) {
certPathCheckers.add((PKIXCertPathChecker)checker.clone());
}
}
/**
* Returns the signature provider's name, or {@code null}
* if not set.
*
* @return the signature provider's name (or {@code null})
* @see #setSigProvider
*/
public String getSigProvider() {
return this.sigProvider;
}
/**
* Sets the signature provider's name. The specified provider will be
* preferred when creating {@link java.security.Signature Signature}
* objects. If {@code null} or not set, the first provider found
* supporting the algorithm will be used.
*
* @param sigProvider the signature provider's name (or {@code null})
* @see #getSigProvider
*/
public void setSigProvider(String sigProvider) {
this.sigProvider = sigProvider;
}
/**
* Returns the required constraints on the target certificate.
* The constraints are returned as an instance of {@code CertSelector}.
* If {@code null}, no constraints are defined.
*
* <p>Note that the {@code CertSelector} returned is cloned
* to protect against subsequent modifications.
*
* @return a {@code CertSelector} specifying the constraints
* on the target certificate (or {@code null})
* @see #setTargetCertConstraints
*/
public CertSelector getTargetCertConstraints() {
if (certSelector != null) {
return (CertSelector) certSelector.clone();
} else {
return null;
}
}
/**
* Sets the required constraints on the target certificate.
* The constraints are specified as an instance of
* {@code CertSelector}. If {@code null}, no constraints are
* defined.
*
* <p>Note that the {@code CertSelector} specified is cloned
* to protect against subsequent modifications.
*
* @param selector a {@code CertSelector} specifying the constraints
* on the target certificate (or {@code null})
* @see #getTargetCertConstraints
*/
public void setTargetCertConstraints(CertSelector selector) {
if (selector != null)
certSelector = (CertSelector) selector.clone();
else
certSelector = null;
}
/**
* Makes a copy of this {@code PKIXParameters} object. Changes
* to the copy will not affect the original and vice versa.
*
* @return a copy of this {@code PKIXParameters} object
*/
public Object clone() {
try {
PKIXParameters copy = (PKIXParameters)super.clone();
// must clone these because addCertStore, et al. modify them
if (certStores != null) {
copy.certStores = new ArrayList<CertStore>(certStores);
}
if (certPathCheckers != null) {
copy.certPathCheckers =
new ArrayList<PKIXCertPathChecker>(certPathCheckers.size());
for (PKIXCertPathChecker checker : certPathCheckers) {
copy.certPathCheckers.add(
(PKIXCertPathChecker)checker.clone());
}
}
// other class fields are immutable to public, don't bother
// to clone the read-only fields.
return copy;
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
/**
* Returns a formatted string describing the parameters.
*
* @return a formatted string describing the parameters.
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("[\n");
/* start with trusted anchor info */
if (unmodTrustAnchors != null) {
sb.append(" Trust Anchors: " + unmodTrustAnchors.toString()
+ "\n");
}
/* now, append initial state information */
if (unmodInitialPolicies != null) {
if (unmodInitialPolicies.isEmpty()) {
sb.append(" Initial Policy OIDs: any\n");
} else {
sb.append(" Initial Policy OIDs: ["
+ unmodInitialPolicies.toString() + "]\n");
}
}
/* now, append constraints on all certificates in the path */
sb.append(" Validity Date: " + String.valueOf(date) + "\n");
sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n");
sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n");
sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n");
sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n");
sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
/* now, append target cert requirements */
sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
/* finally, append miscellaneous parameters */
if (certPathCheckers != null)
sb.append(" Certification Path Checkers: ["
+ certPathCheckers.toString() + "]\n");
if (certStores != null)
sb.append(" CertStores: [" + certStores.toString() + "]\n");
sb.append("]");
return sb.toString();
}
}

77
jdkSrc/jdk8/java/security/cert/PKIXReason.java Normal file
View File

@@ -0,0 +1,77 @@
/*
* Copyright (c) 2008, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
/**
* The {@code PKIXReason} enumerates the potential PKIX-specific reasons
* that an X.509 certification path may be invalid according to the PKIX
* (RFC 5280) standard. These reasons are in addition to those of the
* {@code CertPathValidatorException.BasicReason} enumeration.
*
* @since 1.7
*/
public enum PKIXReason implements CertPathValidatorException.Reason {
/**
* The certificate does not chain correctly.
*/
NAME_CHAINING,
/**
* The certificate's key usage is invalid.
*/
INVALID_KEY_USAGE,
/**
* The policy constraints have been violated.
*/
INVALID_POLICY,
/**
* No acceptable trust anchor found.
*/
NO_TRUST_ANCHOR,
/**
* The certificate contains one or more unrecognized critical
* extensions.
*/
UNRECOGNIZED_CRIT_EXT,
/**
* The certificate is not a CA certificate.
*/
NOT_CA_CERT,
/**
* The path length constraint has been violated.
*/
PATH_TOO_LONG,
/**
* The name constraints have been violated.
*/
INVALID_NAME
}

318
jdkSrc/jdk8/java/security/cert/PKIXRevocationChecker.java Normal file
View File

@@ -0,0 +1,318 @@
/*
* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
/**
* A {@code PKIXCertPathChecker} for checking the revocation status of
* certificates with the PKIX algorithm.
*
* <p>A {@code PKIXRevocationChecker} checks the revocation status of
* certificates with the Online Certificate Status Protocol (OCSP) or
* Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
* is a network protocol for determining the status of a certificate. A CRL
* is a time-stamped list identifying revoked certificates, and RFC 5280
* describes an algorithm for determining the revocation status of certificates
* using CRLs.
*
* <p>Each {@code PKIXRevocationChecker} must be able to check the revocation
* status of certificates with OCSP and CRLs. By default, OCSP is the
* preferred mechanism for checking revocation status, with CRLs as the
* fallback mechanism. However, this preference can be switched to CRLs with
* the {@link Option#PREFER_CRLS PREFER_CRLS} option. In addition, the fallback
* mechanism can be disabled with the {@link Option#NO_FALLBACK NO_FALLBACK}
* option.
*
* <p>A {@code PKIXRevocationChecker} is obtained by calling the
* {@link CertPathValidator#getRevocationChecker getRevocationChecker} method
* of a PKIX {@code CertPathValidator}. Additional parameters and options
* specific to revocation can be set (by calling the
* {@link #setOcspResponder setOcspResponder} method for instance). The
* {@code PKIXRevocationChecker} is added to a {@code PKIXParameters} object
* using the {@link PKIXParameters#addCertPathChecker addCertPathChecker}
* or {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} method,
* and then the {@code PKIXParameters} is passed along with the {@code CertPath}
* to be validated to the {@link CertPathValidator#validate validate} method
* of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
* this manner, it will be used to check revocation irrespective of the setting
* of the {@link PKIXParameters#isRevocationEnabled RevocationEnabled} flag.
* Similarly, a {@code PKIXRevocationChecker} may be added to a
* {@code PKIXBuilderParameters} object for use with a PKIX
* {@code CertPathBuilder}.
*
* <p>Note that when a {@code PKIXRevocationChecker} is added to
* {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
* thus any subsequent modifications to the {@code PKIXRevocationChecker}
* have no effect.
*
* <p>Any parameter that is not set (or is set to {@code null}) will be set to
* the default value for that parameter.
*
* <p><b>Concurrent Access</b>
*
* <p>Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single object
* concurrently should synchronize amongst themselves and provide the
* necessary locking. Multiple threads each manipulating separate objects
* need not synchronize.
*
* @since 1.8
*
* @see <a href="http://www.ietf.org/rfc/rfc2560.txt"><i>RFC&nbsp;2560: X.509
* Internet Public Key Infrastructure Online Certificate Status Protocol -
* OCSP</i></a>, <br><a
* href="http://www.ietf.org/rfc/rfc5280.txt"><i>RFC&nbsp;5280: Internet X.509
* Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
* Profile</i></a>
*/
public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
private URI ocspResponder;
private X509Certificate ocspResponderCert;
private List<Extension> ocspExtensions = Collections.<Extension>emptyList();
private Map<X509Certificate, byte[]> ocspResponses = Collections.emptyMap();
private Set<Option> options = Collections.emptySet();
/**
* Default constructor.
*/
protected PKIXRevocationChecker() {}
/**
* Sets the URI that identifies the location of the OCSP responder. This
* overrides the {@code ocsp.responderURL} security property and any
* responder specified in a certificate's Authority Information Access
* Extension, as defined in RFC 5280.
*
* @param uri the responder URI
*/
public void setOcspResponder(URI uri) {
this.ocspResponder = uri;
}
/**
* Gets the URI that identifies the location of the OCSP responder. This
* overrides the {@code ocsp.responderURL} security property. If this
* parameter or the {@code ocsp.responderURL} property is not set, the
* location is determined from the certificate's Authority Information
* Access Extension, as defined in RFC 5280.
*
* @return the responder URI, or {@code null} if not set
*/
public URI getOcspResponder() {
return ocspResponder;
}
/**
* Sets the OCSP responder's certificate. This overrides the
* {@code ocsp.responderCertSubjectName},
* {@code ocsp.responderCertIssuerName},
* and {@code ocsp.responderCertSerialNumber} security properties.
*
* @param cert the responder's certificate
*/
public void setOcspResponderCert(X509Certificate cert) {
this.ocspResponderCert = cert;
}
/**
* Gets the OCSP responder's certificate. This overrides the
* {@code ocsp.responderCertSubjectName},
* {@code ocsp.responderCertIssuerName},
* and {@code ocsp.responderCertSerialNumber} security properties. If this
* parameter or the aforementioned properties are not set, then the
* responder's certificate is determined as specified in RFC 2560.
*
* @return the responder's certificate, or {@code null} if not set
*/
public X509Certificate getOcspResponderCert() {
return ocspResponderCert;
}
// request extensions; single extensions not supported
/**
* Sets the optional OCSP request extensions.
*
* @param extensions a list of extensions. The list is copied to protect
* against subsequent modification.
*/
public void setOcspExtensions(List<Extension> extensions)
{
this.ocspExtensions = (extensions == null)
? Collections.<Extension>emptyList()
: new ArrayList<Extension>(extensions);
}
/**
* Gets the optional OCSP request extensions.
*
* @return an unmodifiable list of extensions. The list is empty if no
* extensions have been specified.
*/
public List<Extension> getOcspExtensions() {
return Collections.unmodifiableList(ocspExtensions);
}
/**
* Sets the OCSP responses. These responses are used to determine
* the revocation status of the specified certificates when OCSP is used.
*
* @param responses a map of OCSP responses. Each key is an
* {@code X509Certificate} that maps to the corresponding
* DER-encoded OCSP response for that certificate. A deep copy of
* the map is performed to protect against subsequent modification.
*/
public void setOcspResponses(Map<X509Certificate, byte[]> responses)
{
if (responses == null) {
this.ocspResponses = Collections.<X509Certificate, byte[]>emptyMap();
} else {
Map<X509Certificate, byte[]> copy = new HashMap<>(responses.size());
for (Map.Entry<X509Certificate, byte[]> e : responses.entrySet()) {
copy.put(e.getKey(), e.getValue().clone());
}
this.ocspResponses = copy;
}
}
/**
* Gets the OCSP responses. These responses are used to determine
* the revocation status of the specified certificates when OCSP is used.
*
* @return a map of OCSP responses. Each key is an
* {@code X509Certificate} that maps to the corresponding
* DER-encoded OCSP response for that certificate. A deep copy of
* the map is returned to protect against subsequent modification.
* Returns an empty map if no responses have been specified.
*/
public Map<X509Certificate, byte[]> getOcspResponses() {
Map<X509Certificate, byte[]> copy = new HashMap<>(ocspResponses.size());
for (Map.Entry<X509Certificate, byte[]> e : ocspResponses.entrySet()) {
copy.put(e.getKey(), e.getValue().clone());
}
return copy;
}
/**
* Sets the revocation options.
*
* @param options a set of revocation options. The set is copied to protect
* against subsequent modification.
*/
public void setOptions(Set<Option> options) {
this.options = (options == null)
? Collections.<Option>emptySet()
: new HashSet<Option>(options);
}
/**
* Gets the revocation options.
*
* @return an unmodifiable set of revocation options. The set is empty if
* no options have been specified.
*/
public Set<Option> getOptions() {
return Collections.unmodifiableSet(options);
}
/**
* Returns a list containing the exceptions that are ignored by the
* revocation checker when the {@link Option#SOFT_FAIL SOFT_FAIL} option
* is set. The list is cleared each time {@link #init init} is called.
* The list is ordered in ascending order according to the certificate
* index returned by {@link CertPathValidatorException#getIndex getIndex}
* method of each entry.
* <p>
* An implementation of {@code PKIXRevocationChecker} is responsible for
* adding the ignored exceptions to the list.
*
* @return an unmodifiable list containing the ignored exceptions. The list
* is empty if no exceptions have been ignored.
*/
public abstract List<CertPathValidatorException> getSoftFailExceptions();
@Override
public PKIXRevocationChecker clone() {
PKIXRevocationChecker copy = (PKIXRevocationChecker)super.clone();
copy.ocspExtensions = new ArrayList<>(ocspExtensions);
copy.ocspResponses = new HashMap<>(ocspResponses);
// deep-copy the encoded responses, since they are mutable
for (Map.Entry<X509Certificate, byte[]> entry :
copy.ocspResponses.entrySet())
{
byte[] encoded = entry.getValue();
entry.setValue(encoded.clone());
}
copy.options = new HashSet<>(options);
return copy;
}
/**
* Various revocation options that can be specified for the revocation
* checking mechanism.
*/
public enum Option {
/**
* Only check the revocation status of end-entity certificates.
*/
ONLY_END_ENTITY,
/**
* Prefer CRLs to OSCP. The default behavior is to prefer OCSP. Each
* PKIX implementation should document further details of their
* specific preference rules and fallback policies.
*/
PREFER_CRLS,
/**
* Disable the fallback mechanism.
*/
NO_FALLBACK,
/**
* Allow revocation check to succeed if the revocation status cannot be
* determined for one of the following reasons:
* <ul>
* <li>The CRL or OCSP response cannot be obtained because of a
* network error.
* <li>The OCSP responder returns one of the following errors
* specified in section 2.3 of RFC 2560: internalError or tryLater.
* </ul><br>
* Note that these conditions apply to both OCSP and CRLs, and unless
* the {@code NO_FALLBACK} option is set, the revocation check is
* allowed to succeed only if both mechanisms fail under one of the
* conditions as stated above.
* Exceptions that cause the network errors are ignored but can be
* later retrieved by calling the
* {@link #getSoftFailExceptions getSoftFailExceptions} method.
*/
SOFT_FAIL
}
}

133
jdkSrc/jdk8/java/security/cert/PolicyNode.java Normal file
View File

@@ -0,0 +1,133 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.util.Iterator;
import java.util.Set;
/**
* An immutable valid policy tree node as defined by the PKIX certification
* path validation algorithm.
*
* <p>One of the outputs of the PKIX certification path validation
* algorithm is a valid policy tree, which includes the policies that
* were determined to be valid, how this determination was reached,
* and any policy qualifiers encountered. This tree is of depth
* <i>n</i>, where <i>n</i> is the length of the certification
* path that has been validated.
*
* <p>Most applications will not need to examine the valid policy tree.
* They can achieve their policy processing goals by setting the
* policy-related parameters in {@code PKIXParameters}. However,
* the valid policy tree is available for more sophisticated applications,
* especially those that process policy qualifiers.
*
* <p>{@link PKIXCertPathValidatorResult#getPolicyTree()
* PKIXCertPathValidatorResult.getPolicyTree} returns the root node of the
* valid policy tree. The tree can be traversed using the
* {@link #getChildren getChildren} and {@link #getParent getParent} methods.
* Data about a particular node can be retrieved using other methods of
* {@code PolicyNode}.
*
* <p><b>Concurrent Access</b>
* <p>All {@code PolicyNode} objects must be immutable and
* thread-safe. Multiple threads may concurrently invoke the methods defined
* in this class on a single {@code PolicyNode} object (or more than one)
* with no ill effects. This stipulation applies to all public fields and
* methods of this class and any added or overridden by subclasses.
*
* @since 1.4
* @author Sean Mullan
*/
public interface PolicyNode {
/**
* Returns the parent of this node, or {@code null} if this is the
* root node.
*
* @return the parent of this node, or {@code null} if this is the
* root node
*/
PolicyNode getParent();
/**
* Returns an iterator over the children of this node. Any attempts to
* modify the children of this node through the
* {@code Iterator}'s remove method must throw an
* {@code UnsupportedOperationException}.
*
* @return an iterator over the children of this node
*/
Iterator<? extends PolicyNode> getChildren();
/**
* Returns the depth of this node in the valid policy tree.
*
* @return the depth of this node (0 for the root node, 1 for its
* children, and so on)
*/
int getDepth();
/**
* Returns the valid policy represented by this node.
*
* @return the {@code String} OID of the valid policy
* represented by this node. For the root node, this method always returns
* the special anyPolicy OID: "2.5.29.32.0".
*/
String getValidPolicy();
/**
* Returns the set of policy qualifiers associated with the
* valid policy represented by this node.
*
* @return an immutable {@code Set} of
* {@code PolicyQualifierInfo}s. For the root node, this
* is always an empty {@code Set}.
*/
Set<? extends PolicyQualifierInfo> getPolicyQualifiers();
/**
* Returns the set of expected policies that would satisfy this
* node's valid policy in the next certificate to be processed.
*
* @return an immutable {@code Set} of expected policy
* {@code String} OIDs. For the root node, this method
* always returns a {@code Set} with one element, the
* special anyPolicy OID: "2.5.29.32.0".
*/
Set<String> getExpectedPolicies();
/**
* Returns the criticality indicator of the certificate policy extension
* in the most recently processed certificate.
*
* @return {@code true} if extension marked critical,
* {@code false} otherwise. For the root node, {@code false}
* is always returned.
*/
boolean isCritical();
}

173
jdkSrc/jdk8/java/security/cert/PolicyQualifierInfo.java Normal file
View File

@@ -0,0 +1,173 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.IOException;
import sun.misc.HexDumpEncoder;
import sun.security.util.DerValue;
/**
* An immutable policy qualifier represented by the ASN.1 PolicyQualifierInfo
* structure.
*
* <p>The ASN.1 definition is as follows:
* <pre>
* PolicyQualifierInfo ::= SEQUENCE {
* policyQualifierId PolicyQualifierId,
* qualifier ANY DEFINED BY policyQualifierId }
* </pre>
* <p>
* A certificate policies extension, if present in an X.509 version 3
* certificate, contains a sequence of one or more policy information terms,
* each of which consists of an object identifier (OID) and optional
* qualifiers. In an end-entity certificate, these policy information terms
* indicate the policy under which the certificate has been issued and the
* purposes for which the certificate may be used. In a CA certificate, these
* policy information terms limit the set of policies for certification paths
* which include this certificate.
* <p>
* A {@code Set} of {@code PolicyQualifierInfo} objects are returned
* by the {@link PolicyNode#getPolicyQualifiers PolicyNode.getPolicyQualifiers}
* method. This allows applications with specific policy requirements to
* process and validate each policy qualifier. Applications that need to
* process policy qualifiers should explicitly set the
* {@code policyQualifiersRejected} flag to false (by calling the
* {@link PKIXParameters#setPolicyQualifiersRejected
* PKIXParameters.setPolicyQualifiersRejected} method) before validating
* a certification path.
*
* <p>Note that the PKIX certification path validation algorithm specifies
* that any policy qualifier in a certificate policies extension that is
* marked critical must be processed and validated. Otherwise the
* certification path must be rejected. If the
* {@code policyQualifiersRejected} flag is set to false, it is up to
* the application to validate all policy qualifiers in this manner in order
* to be PKIX compliant.
*
* <p><b>Concurrent Access</b>
*
* <p>All {@code PolicyQualifierInfo} objects must be immutable and
* thread-safe. That is, multiple threads may concurrently invoke the
* methods defined in this class on a single {@code PolicyQualifierInfo}
* object (or more than one) with no ill effects. Requiring
* {@code PolicyQualifierInfo} objects to be immutable and thread-safe
* allows them to be passed around to various pieces of code without
* worrying about coordinating access.
*
* @author seth proctor
* @author Sean Mullan
* @since 1.4
*/
public class PolicyQualifierInfo {
private byte [] mEncoded;
private String mId;
private byte [] mData;
private String pqiString;
/**
* Creates an instance of {@code PolicyQualifierInfo} from the
* encoded bytes. The encoded byte array is copied on construction.
*
* @param encoded a byte array containing the qualifier in DER encoding
* @exception IOException thrown if the byte array does not represent a
* valid and parsable policy qualifier
*/
public PolicyQualifierInfo(byte[] encoded) throws IOException {
mEncoded = encoded.clone();
DerValue val = new DerValue(mEncoded);
if (val.tag != DerValue.tag_Sequence)
throw new IOException("Invalid encoding for PolicyQualifierInfo");
mId = (val.data.getDerValue()).getOID().toString();
byte [] tmp = val.data.toByteArray();
if (tmp == null) {
mData = null;
} else {
mData = new byte[tmp.length];
System.arraycopy(tmp, 0, mData, 0, tmp.length);
}
}
/**
* Returns the {@code policyQualifierId} field of this
* {@code PolicyQualifierInfo}. The {@code policyQualifierId}
* is an Object Identifier (OID) represented by a set of nonnegative
* integers separated by periods.
*
* @return the OID (never {@code null})
*/
public final String getPolicyQualifierId() {
return mId;
}
/**
* Returns the ASN.1 DER encoded form of this
* {@code PolicyQualifierInfo}.
*
* @return the ASN.1 DER encoded bytes (never {@code null}).
* Note that a copy is returned, so the data is cloned each time
* this method is called.
*/
public final byte[] getEncoded() {
return mEncoded.clone();
}
/**
* Returns the ASN.1 DER encoded form of the {@code qualifier}
* field of this {@code PolicyQualifierInfo}.
*
* @return the ASN.1 DER encoded bytes of the {@code qualifier}
* field. Note that a copy is returned, so the data is cloned each
* time this method is called.
*/
public final byte[] getPolicyQualifier() {
return (mData == null ? null : mData.clone());
}
/**
* Return a printable representation of this
* {@code PolicyQualifierInfo}.
*
* @return a {@code String} describing the contents of this
* {@code PolicyQualifierInfo}
*/
public String toString() {
if (pqiString != null)
return pqiString;
HexDumpEncoder enc = new HexDumpEncoder();
StringBuffer sb = new StringBuffer();
sb.append("PolicyQualifierInfo: [\n");
sb.append(" qualifierID: " + mId + "\n");
sb.append(" qualifier: " +
(mData == null ? "null" : enc.encodeBuffer(mData)) + "\n");
sb.append("]");
pqiString = sb.toString();
return pqiString;
}
}

354
jdkSrc/jdk8/java/security/cert/TrustAnchor.java Normal file
View File

@@ -0,0 +1,354 @@
/*
* Copyright (c) 2001, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.IOException;
import java.security.PublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.util.AnchorCertificates;
import sun.security.x509.NameConstraintsExtension;
import sun.security.x509.X500Name;
/**
* A trust anchor or most-trusted Certification Authority (CA).
* <p>
* This class represents a "most-trusted CA", which is used as a trust anchor
* for validating X.509 certification paths. A most-trusted CA includes the
* public key of the CA, the CA's name, and any constraints upon the set of
* paths which may be validated using this key. These parameters can be
* specified in the form of a trusted {@code X509Certificate} or as
* individual parameters.
* <p>
* <b>Concurrent Access</b>
* <p>All {@code TrustAnchor} objects must be immutable and
* thread-safe. That is, multiple threads may concurrently invoke the
* methods defined in this class on a single {@code TrustAnchor}
* object (or more than one) with no ill effects. Requiring
* {@code TrustAnchor} objects to be immutable and thread-safe
* allows them to be passed around to various pieces of code without
* worrying about coordinating access. This stipulation applies to all
* public fields and methods of this class and any added or overridden
* by subclasses.
*
* @see PKIXParameters#PKIXParameters(Set)
* @see PKIXBuilderParameters#PKIXBuilderParameters(Set, CertSelector)
*
* @since 1.4
* @author Sean Mullan
*/
public class TrustAnchor {
private final PublicKey pubKey;
private final String caName;
private final X500Principal caPrincipal;
private final X509Certificate trustedCert;
private byte[] ncBytes;
private NameConstraintsExtension nc;
private boolean jdkCA;
private boolean hasJdkCABeenChecked;
static {
CertPathHelperImpl.initialize();
}
/**
* Creates an instance of {@code TrustAnchor} with the specified
* {@code X509Certificate} and optional name constraints, which
* are intended to be used as additional constraints when validating
* an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
* should contain the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in
* <a href="http://tools.ietf.org/html/rfc5280">RFC 5280</a>
* and X.509. The ASN.1 definition of this structure appears below.
*
* <pre>{@code
* NameConstraints ::= SEQUENCE {
* permittedSubtrees [0] GeneralSubtrees OPTIONAL,
* excludedSubtrees [1] GeneralSubtrees OPTIONAL }
*
* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
*
* GeneralSubtree ::= SEQUENCE {
* base GeneralName,
* minimum [0] BaseDistance DEFAULT 0,
* maximum [1] BaseDistance OPTIONAL }
*
* BaseDistance ::= INTEGER (0..MAX)
*
* GeneralName ::= CHOICE {
* otherName [0] OtherName,
* rfc822Name [1] IA5String,
* dNSName [2] IA5String,
* x400Address [3] ORAddress,
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER}
* }</pre>
* <p>
* Note that the name constraints byte array supplied is cloned to protect
* against subsequent modifications.
*
* @param trustedCert a trusted {@code X509Certificate}
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
* flag. Specify {@code null} to omit the parameter.
* @throws IllegalArgumentException if the name constraints cannot be
* decoded
* @throws NullPointerException if the specified
* {@code X509Certificate} is {@code null}
*/
public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
{
if (trustedCert == null)
throw new NullPointerException("the trustedCert parameter must " +
"be non-null");
this.trustedCert = trustedCert;
this.pubKey = null;
this.caName = null;
this.caPrincipal = null;
setNameConstraints(nameConstraints);
}
/**
* Creates an instance of {@code TrustAnchor} where the
* most-trusted CA is specified as an X500Principal and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
* contains the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in RFC 5280
* and X.509. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #TrustAnchor(X509Certificate, byte[])
* TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }.
* <p>
* Note that the name constraints byte array supplied here is cloned to
* protect against subsequent modifications.
*
* @param caPrincipal the name of the most-trusted CA as X500Principal
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
* flag. Specify {@code null} to omit the parameter.
* @throws NullPointerException if the specified {@code caPrincipal} or
* {@code pubKey} parameter is {@code null}
* @since 1.5
*/
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey,
byte[] nameConstraints) {
if ((caPrincipal == null) || (pubKey == null)) {
throw new NullPointerException();
}
this.trustedCert = null;
this.caPrincipal = caPrincipal;
this.caName = caPrincipal.getName();
this.pubKey = pubKey;
setNameConstraints(nameConstraints);
}
/**
* Creates an instance of {@code TrustAnchor} where the
* most-trusted CA is specified as a distinguished name and public key.
* Name constraints are an optional parameter, and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are specified as a byte array. This byte array
* contains the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in RFC 5280
* and X.509. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #TrustAnchor(X509Certificate, byte[])
* TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }.
* <p>
* Note that the name constraints byte array supplied here is cloned to
* protect against subsequent modifications.
*
* @param caName the X.500 distinguished name of the most-trusted CA in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a>
* {@code String} format
* @param pubKey the public key of the most-trusted CA
* @param nameConstraints a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension to be used for checking name constraints.
* Only the value of the extension is included, not the OID or criticality
* flag. Specify {@code null} to omit the parameter.
* @throws IllegalArgumentException if the specified
* {@code caName} parameter is empty {@code (caName.length() == 0)}
* or incorrectly formatted or the name constraints cannot be decoded
* @throws NullPointerException if the specified {@code caName} or
* {@code pubKey} parameter is {@code null}
*/
public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)
{
if (pubKey == null)
throw new NullPointerException("the pubKey parameter must be " +
"non-null");
if (caName == null)
throw new NullPointerException("the caName parameter must be " +
"non-null");
if (caName.length() == 0)
throw new IllegalArgumentException("the caName " +
"parameter must be a non-empty String");
// check if caName is formatted correctly
this.caPrincipal = new X500Principal(caName);
this.pubKey = pubKey;
this.caName = caName;
this.trustedCert = null;
setNameConstraints(nameConstraints);
}
/**
* Returns the most-trusted CA certificate.
*
* @return a trusted {@code X509Certificate} or {@code null}
* if the trust anchor was not specified as a trusted certificate
*/
public final X509Certificate getTrustedCert() {
return this.trustedCert;
}
/**
* Returns the name of the most-trusted CA as an X500Principal.
*
* @return the X.500 distinguished name of the most-trusted CA, or
* {@code null} if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
* @since 1.5
*/
public final X500Principal getCA() {
return this.caPrincipal;
}
/**
* Returns the name of the most-trusted CA in RFC 2253 {@code String}
* format.
*
* @return the X.500 distinguished name of the most-trusted CA, or
* {@code null} if the trust anchor was not specified as a trusted
* public key and name or X500Principal pair
*/
public final String getCAName() {
return this.caName;
}
/**
* Returns the public key of the most-trusted CA.
*
* @return the public key of the most-trusted CA, or {@code null}
* if the trust anchor was not specified as a trusted public key and name
* or X500Principal pair
*/
public final PublicKey getCAPublicKey() {
return this.pubKey;
}
/**
* Decode the name constraints and clone them if not null.
*/
private void setNameConstraints(byte[] bytes) {
if (bytes == null) {
ncBytes = null;
nc = null;
} else {
ncBytes = bytes.clone();
// validate DER encoding
try {
nc = new NameConstraintsExtension(Boolean.FALSE, bytes);
} catch (IOException ioe) {
IllegalArgumentException iae =
new IllegalArgumentException(ioe.getMessage());
iae.initCause(ioe);
throw iae;
}
}
}
/**
* Returns the name constraints parameter. The specified name constraints
* are associated with this trust anchor and are intended to be used
* as additional constraints when validating an X.509 certification path.
* <p>
* The name constraints are returned as a byte array. This byte array
* contains the DER encoded form of the name constraints, as they
* would appear in the NameConstraints structure defined in RFC 5280
* and X.509. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #TrustAnchor(X509Certificate, byte[])
* TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }.
* <p>
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
*
* @return a byte array containing the ASN.1 DER encoding of
* a NameConstraints extension used for checking name constraints,
* or {@code null} if not set.
*/
public final byte [] getNameConstraints() {
return ncBytes == null ? null : ncBytes.clone();
}
/**
* Returns a formatted string describing the {@code TrustAnchor}.
*
* @return a formatted string describing the {@code TrustAnchor}
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("[\n");
if (pubKey != null) {
sb.append(" Trusted CA Public Key: " + pubKey.toString() + "\n");
sb.append(" Trusted CA Issuer Name: "
+ String.valueOf(caName) + "\n");
} else {
sb.append(" Trusted CA cert: " + trustedCert.toString() + "\n");
}
if (nc != null)
sb.append(" Name Constraints: " + nc.toString() + "\n");
return sb.toString();
}
/**
* Returns true if anchor is a JDK CA (a root CA that is included by
* default in the cacerts keystore).
*/
synchronized boolean isJdkCA() {
if (!hasJdkCABeenChecked) {
if (trustedCert != null) {
jdkCA = AnchorCertificates.contains(trustedCert);
}
hasJdkCABeenChecked = true;
}
return jdkCA;
}
}

485
jdkSrc/jdk8/java/security/cert/X509CRL.java Normal file
View File

@@ -0,0 +1,485 @@
/*
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.security.*;
import java.security.spec.*;
import javax.security.auth.x500.X500Principal;
import java.math.BigInteger;
import java.util.Date;
import java.util.Set;
import java.util.Arrays;
import sun.security.x509.X509CRLImpl;
import sun.security.util.SignatureUtil;
/**
* <p>
* Abstract class for an X.509 Certificate Revocation List (CRL).
* A CRL is a time-stamped list identifying revoked certificates.
* It is signed by a Certificate Authority (CA) and made freely
* available in a public repository.
*
* <p>Each revoked certificate is
* identified in a CRL by its certificate serial number. When a
* certificate-using system uses a certificate (e.g., for verifying a
* remote user's digital signature), that system not only checks the
* certificate signature and validity but also acquires a suitably-
* recent CRL and checks that the certificate serial number is not on
* that CRL. The meaning of "suitably-recent" may vary with local
* policy, but it usually means the most recently-issued CRL. A CA
* issues a new CRL on a regular periodic basis (e.g., hourly, daily, or
* weekly). Entries are added to CRLs as revocations occur, and an
* entry may be removed when the certificate expiration date is reached.
* <p>
* The X.509 v2 CRL format is described below in ASN.1:
* <pre>
* CertificateList ::= SEQUENCE {
* tbsCertList TBSCertList,
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING }
* </pre>
* <p>
* More information can be found in
* <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
* Public Key Infrastructure Certificate and CRL Profile</a>.
* <p>
* The ASN.1 definition of {@code tbsCertList} is:
* <pre>
* TBSCertList ::= SEQUENCE {
* version Version OPTIONAL,
* -- if present, must be v2
* signature AlgorithmIdentifier,
* issuer Name,
* thisUpdate ChoiceOfTime,
* nextUpdate ChoiceOfTime OPTIONAL,
* revokedCertificates SEQUENCE OF SEQUENCE {
* userCertificate CertificateSerialNumber,
* revocationDate ChoiceOfTime,
* crlEntryExtensions Extensions OPTIONAL
* -- if present, must be v2
* } OPTIONAL,
* crlExtensions [0] EXPLICIT Extensions OPTIONAL
* -- if present, must be v2
* }
* </pre>
* <p>
* CRLs are instantiated using a certificate factory. The following is an
* example of how to instantiate an X.509 CRL:
* <pre>{@code
* try (InputStream inStream = new FileInputStream("fileName-of-crl")) {
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* X509CRL crl = (X509CRL)cf.generateCRL(inStream);
* }
* }</pre>
*
* @author Hemma Prafullchandra
*
*
* @see CRL
* @see CertificateFactory
* @see X509Extension
*/
public abstract class X509CRL extends CRL implements X509Extension {
private transient X500Principal issuerPrincipal;
/**
* Constructor for X.509 CRLs.
*/
protected X509CRL() {
super("X.509");
}
/**
* Compares this CRL for equality with the given
* object. If the {@code other} object is an
* {@code instanceof} {@code X509CRL}, then
* its encoded form is retrieved and compared with the
* encoded form of this CRL.
*
* @param other the object to test for equality with this CRL.
*
* @return true iff the encoded forms of the two CRLs
* match, false otherwise.
*/
public boolean equals(Object other) {
if (this == other) {
return true;
}
if (!(other instanceof X509CRL)) {
return false;
}
try {
byte[] thisCRL = X509CRLImpl.getEncodedInternal(this);
byte[] otherCRL = X509CRLImpl.getEncodedInternal((X509CRL)other);
return Arrays.equals(thisCRL, otherCRL);
} catch (CRLException e) {
return false;
}
}
/**
* Returns a hashcode value for this CRL from its
* encoded form.
*
* @return the hashcode value.
*/
public int hashCode() {
int retval = 0;
try {
byte[] crlData = X509CRLImpl.getEncodedInternal(this);
for (int i = 1; i < crlData.length; i++) {
retval += crlData[i] * i;
}
return retval;
} catch (CRLException e) {
return retval;
}
}
/**
* Returns the ASN.1 DER-encoded form of this CRL.
*
* @return the encoded form of this certificate
* @exception CRLException if an encoding error occurs.
*/
public abstract byte[] getEncoded()
throws CRLException;
/**
* Verifies that this CRL was signed using the
* private key that corresponds to the given public key.
*
* @param key the PublicKey used to carry out the verification.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception NoSuchProviderException if there's no default provider.
* @exception SignatureException on signature errors.
* @exception CRLException on encoding errors.
*/
public abstract void verify(PublicKey key)
throws CRLException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException;
/**
* Verifies that this CRL was signed using the
* private key that corresponds to the given public key.
* This method uses the signature verification engine
* supplied by the given provider.
*
* @param key the PublicKey used to carry out the verification.
* @param sigProvider the name of the signature provider.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception NoSuchProviderException on incorrect provider.
* @exception SignatureException on signature errors.
* @exception CRLException on encoding errors.
*/
public abstract void verify(PublicKey key, String sigProvider)
throws CRLException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException;
/**
* Verifies that this CRL was signed using the
* private key that corresponds to the given public key.
* This method uses the signature verification engine
* supplied by the given provider. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* This method was added to version 1.8 of the Java Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method is not {@code abstract}
* and it provides a default implementation.
*
* @param key the PublicKey used to carry out the verification.
* @param sigProvider the signature provider.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception SignatureException on signature errors.
* @exception CRLException on encoding errors.
* @since 1.8
*/
public void verify(PublicKey key, Provider sigProvider)
throws CRLException, NoSuchAlgorithmException,
InvalidKeyException, SignatureException {
String sigAlgName = getSigAlgName();
Signature sig = (sigProvider == null)
? Signature.getInstance(sigAlgName)
: Signature.getInstance(sigAlgName, sigProvider);
try {
byte[] paramBytes = getSigAlgParams();
SignatureUtil.initVerifyWithParam(sig, key,
SignatureUtil.getParamSpec(sigAlgName, paramBytes));
} catch (ProviderException e) {
throw new CRLException(e.getMessage(), e.getCause());
} catch (InvalidAlgorithmParameterException e) {
throw new CRLException(e);
}
byte[] tbsCRL = getTBSCertList();
sig.update(tbsCRL, 0, tbsCRL.length);
if (sig.verify(getSignature()) == false) {
throw new SignatureException("Signature does not match.");
}
}
/**
* Gets the {@code version} (version number) value from the CRL.
* The ASN.1 definition for this is:
* <pre>
* version Version OPTIONAL,
* -- if present, must be v2
*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
* -- v3 does not apply to CRLs but appears for consistency
* -- with definition of Version for certs
* </pre>
*
* @return the version number, i.e. 1 or 2.
*/
public abstract int getVersion();
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the CRL. The issuer name identifies the entity that signed (and
* issued) the CRL.
*
* <p>The issuer name field contains an
* X.500 distinguished name (DN).
* The ASN.1 definition for this is:
* <pre>
* issuer Name
*
* Name ::= CHOICE { RDNSequence }
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
* RelativeDistinguishedName ::=
* SET OF AttributeValueAssertion
*
* AttributeValueAssertion ::= SEQUENCE {
* AttributeType,
* AttributeValue }
* AttributeType ::= OBJECT IDENTIFIER
* AttributeValue ::= ANY
* </pre>
* The {@code Name} describes a hierarchical name composed of
* attributes,
* such as country name, and corresponding values, such as US.
* The type of the {@code AttributeValue} component is determined by
* the {@code AttributeType}; in general it will be a
* {@code directoryString}. A {@code directoryString} is usually
* one of {@code PrintableString},
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*/
public abstract Principal getIssuerDN();
/**
* Returns the issuer (issuer distinguished name) value from the
* CRL as an {@code X500Principal}.
* <p>
* It is recommended that subclasses override this method.
*
* @return an {@code X500Principal} representing the issuer
* distinguished name
* @since 1.4
*/
public X500Principal getIssuerX500Principal() {
if (issuerPrincipal == null) {
issuerPrincipal = X509CRLImpl.getIssuerX500Principal(this);
}
return issuerPrincipal;
}
/**
* Gets the {@code thisUpdate} date from the CRL.
* The ASN.1 definition for this is:
* <pre>
* thisUpdate ChoiceOfTime
* ChoiceOfTime ::= CHOICE {
* utcTime UTCTime,
* generalTime GeneralizedTime }
* </pre>
*
* @return the {@code thisUpdate} date from the CRL.
*/
public abstract Date getThisUpdate();
/**
* Gets the {@code nextUpdate} date from the CRL.
*
* @return the {@code nextUpdate} date from the CRL, or null if
* not present.
*/
public abstract Date getNextUpdate();
/**
* Gets the CRL entry, if any, with the given certificate serialNumber.
*
* @param serialNumber the serial number of the certificate for which a CRL entry
* is to be looked up
* @return the entry with the given serial number, or null if no such entry
* exists in this CRL.
* @see X509CRLEntry
*/
public abstract X509CRLEntry
getRevokedCertificate(BigInteger serialNumber);
/**
* Get the CRL entry, if any, for the given certificate.
*
* <p>This method can be used to lookup CRL entries in indirect CRLs,
* that means CRLs that contain entries from issuers other than the CRL
* issuer. The default implementation will only return entries for
* certificates issued by the CRL issuer. Subclasses that wish to
* support indirect CRLs should override this method.
*
* @param certificate the certificate for which a CRL entry is to be looked
* up
* @return the entry for the given certificate, or null if no such entry
* exists in this CRL.
* @exception NullPointerException if certificate is null
*
* @since 1.5
*/
public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {
X500Principal certIssuer = certificate.getIssuerX500Principal();
X500Principal crlIssuer = getIssuerX500Principal();
if (certIssuer.equals(crlIssuer) == false) {
return null;
}
return getRevokedCertificate(certificate.getSerialNumber());
}
/**
* Gets all the entries from this CRL.
* This returns a Set of X509CRLEntry objects.
*
* @return all the entries or null if there are none present.
* @see X509CRLEntry
*/
public abstract Set<? extends X509CRLEntry> getRevokedCertificates();
/**
* Gets the DER-encoded CRL information, the
* {@code tbsCertList} from this CRL.
* This can be used to verify the signature independently.
*
* @return the DER-encoded CRL information.
* @exception CRLException if an encoding error occurs.
*/
public abstract byte[] getTBSCertList() throws CRLException;
/**
* Gets the {@code signature} value (the raw signature bits) from
* the CRL.
* The ASN.1 definition for this is:
* <pre>
* signature BIT STRING
* </pre>
*
* @return the signature.
*/
public abstract byte[] getSignature();
/**
* Gets the signature algorithm name for the CRL
* signature algorithm. An example is the string "SHA256withRSA".
* The ASN.1 definition for this is:
* <pre>
* signatureAlgorithm AlgorithmIdentifier
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* -- contains a value of the type
* -- registered for use with the
* -- algorithm object identifier value
* </pre>
*
* <p>The algorithm name is determined from the {@code algorithm}
* OID string.
*
* @return the signature algorithm name.
*/
public abstract String getSigAlgName();
/**
* Gets the signature algorithm OID string from the CRL.
* An OID is represented by a set of nonnegative whole numbers separated
* by periods.
* For example, the string "1.2.840.10040.4.3" identifies the SHA-1
* with DSA signature algorithm defined in
* <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
* Identifiers for the Internet X.509 Public Key Infrastructure Certificate
* and CRL Profile</a>.
*
* <p>See {@link #getSigAlgName() getSigAlgName} for
* relevant ASN.1 definitions.
*
* @return the signature algorithm OID string.
*/
public abstract String getSigAlgOID();
/**
* Gets the DER-encoded signature algorithm parameters from this
* CRL's signature algorithm. In most cases, the signature
* algorithm parameters are null; the parameters are usually
* supplied with the public key.
* If access to individual parameter values is needed then use
* {@link java.security.AlgorithmParameters AlgorithmParameters}
* and instantiate with the name returned by
* {@link #getSigAlgName() getSigAlgName}.
*
* <p>See {@link #getSigAlgName() getSigAlgName} for
* relevant ASN.1 definitions.
*
* @return the DER-encoded signature algorithm parameters, or
* null if no parameters are present.
*/
public abstract byte[] getSigAlgParams();
}

191
jdkSrc/jdk8/java/security/cert/X509CRLEntry.java Normal file
View File

@@ -0,0 +1,191 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.math.BigInteger;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.X509CRLEntryImpl;
/**
* <p>Abstract class for a revoked certificate in a CRL (Certificate
* Revocation List).
*
* The ASN.1 definition for <em>revokedCertificates</em> is:
* <pre>
* revokedCertificates SEQUENCE OF SEQUENCE {
* userCertificate CertificateSerialNumber,
* revocationDate ChoiceOfTime,
* crlEntryExtensions Extensions OPTIONAL
* -- if present, must be v2
* } OPTIONAL
*
* CertificateSerialNumber ::= INTEGER
*
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*
* Extension ::= SEQUENCE {
* extnId OBJECT IDENTIFIER,
* critical BOOLEAN DEFAULT FALSE,
* extnValue OCTET STRING
* -- contains a DER encoding of a value
* -- of the type registered for use with
* -- the extnId object identifier value
* }
* </pre>
*
* @see X509CRL
* @see X509Extension
*
* @author Hemma Prafullchandra
*/
public abstract class X509CRLEntry implements X509Extension {
/**
* Compares this CRL entry for equality with the given
* object. If the {@code other} object is an
* {@code instanceof} {@code X509CRLEntry}, then
* its encoded form (the inner SEQUENCE) is retrieved and compared
* with the encoded form of this CRL entry.
*
* @param other the object to test for equality with this CRL entry.
* @return true iff the encoded forms of the two CRL entries
* match, false otherwise.
*/
public boolean equals(Object other) {
if (this == other)
return true;
if (!(other instanceof X509CRLEntry))
return false;
try {
byte[] thisCRLEntry = this.getEncoded();
byte[] otherCRLEntry = ((X509CRLEntry)other).getEncoded();
if (thisCRLEntry.length != otherCRLEntry.length)
return false;
for (int i = 0; i < thisCRLEntry.length; i++)
if (thisCRLEntry[i] != otherCRLEntry[i])
return false;
} catch (CRLException ce) {
return false;
}
return true;
}
/**
* Returns a hashcode value for this CRL entry from its
* encoded form.
*
* @return the hashcode value.
*/
public int hashCode() {
int retval = 0;
try {
byte[] entryData = this.getEncoded();
for (int i = 1; i < entryData.length; i++)
retval += entryData[i] * i;
} catch (CRLException ce) {
return(retval);
}
return(retval);
}
/**
* Returns the ASN.1 DER-encoded form of this CRL Entry,
* that is the inner SEQUENCE.
*
* @return the encoded form of this certificate
* @exception CRLException if an encoding error occurs.
*/
public abstract byte[] getEncoded() throws CRLException;
/**
* Gets the serial number from this X509CRLEntry,
* the <em>userCertificate</em>.
*
* @return the serial number.
*/
public abstract BigInteger getSerialNumber();
/**
* Get the issuer of the X509Certificate described by this entry. If
* the certificate issuer is also the CRL issuer, this method returns
* null.
*
* <p>This method is used with indirect CRLs. The default implementation
* always returns null. Subclasses that wish to support indirect CRLs
* should override it.
*
* @return the issuer of the X509Certificate described by this entry
* or null if it is issued by the CRL issuer.
*
* @since 1.5
*/
public X500Principal getCertificateIssuer() {
return null;
}
/**
* Gets the revocation date from this X509CRLEntry,
* the <em>revocationDate</em>.
*
* @return the revocation date.
*/
public abstract Date getRevocationDate();
/**
* Returns true if this CRL entry has extensions.
*
* @return true if this entry has extensions, false otherwise.
*/
public abstract boolean hasExtensions();
/**
* Returns a string representation of this CRL entry.
*
* @return a string representation of this CRL entry.
*/
public abstract String toString();
/**
* Returns the reason the certificate has been revoked, as specified
* in the Reason Code extension of this CRL entry.
*
* @return the reason the certificate has been revoked, or
* {@code null} if this CRL entry does not have
* a Reason Code extension
* @since 1.7
*/
public CRLReason getRevocationReason() {
if (!hasExtensions()) {
return null;
}
return X509CRLEntryImpl.getRevocationReason(this);
}
}

718
jdkSrc/jdk8/java/security/cert/X509CRLSelector.java Normal file
View File

@@ -0,0 +1,718 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.io.IOException;
import java.math.BigInteger;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
import sun.security.util.DerInputStream;
import sun.security.x509.CRLNumberExtension;
import sun.security.x509.X500Name;
/**
* A {@code CRLSelector} that selects {@code X509CRLs} that
* match all specified criteria. This class is particularly useful when
* selecting CRLs from a {@code CertStore} to check revocation status
* of a particular certificate.
* <p>
* When first constructed, an {@code X509CRLSelector} has no criteria
* enabled and each of the {@code get} methods return a default
* value ({@code null}). Therefore, the {@link #match match} method
* would return {@code true} for any {@code X509CRL}. Typically,
* several criteria are enabled (by calling {@link #setIssuers setIssuers}
* or {@link #setDateAndTime setDateAndTime}, for instance) and then the
* {@code X509CRLSelector} is passed to
* {@link CertStore#getCRLs CertStore.getCRLs} or some similar
* method.
* <p>
* Please refer to <a href="http://tools.ietf.org/html/rfc5280">RFC 5280:
* Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a>
* for definitions of the X.509 CRL fields and extensions mentioned below.
* <p>
* <b>Concurrent Access</b>
* <p>
* Unless otherwise specified, the methods defined in this class are not
* thread-safe. Multiple threads that need to access a single
* object concurrently should synchronize amongst themselves and
* provide the necessary locking. Multiple threads each manipulating
* separate objects need not synchronize.
*
* @see CRLSelector
* @see X509CRL
*
* @since 1.4
* @author Steve Hanna
*/
public class X509CRLSelector implements CRLSelector {
static {
CertPathHelperImpl.initialize();
}
private static final Debug debug = Debug.getInstance("certpath");
private HashSet<Object> issuerNames;
private HashSet<X500Principal> issuerX500Principals;
private BigInteger minCRL;
private BigInteger maxCRL;
private Date dateAndTime;
private X509Certificate certChecking;
private long skew = 0;
/**
* Creates an {@code X509CRLSelector}. Initially, no criteria are set
* so any {@code X509CRL} will match.
*/
public X509CRLSelector() {}
/**
* Sets the issuerNames criterion. The issuer distinguished name in the
* {@code X509CRL} must match at least one of the specified
* distinguished names. If {@code null}, any issuer distinguished name
* will do.
* <p>
* This method allows the caller to specify, with a single method call,
* the complete set of issuer names which {@code X509CRLs} may contain.
* The specified value replaces the previous value for the issuerNames
* criterion.
* <p>
* The {@code names} parameter (if not {@code null}) is a
* {@code Collection} of {@code X500Principal}s.
* <p>
* Note that the {@code names} parameter can contain duplicate
* distinguished names, but they may be removed from the
* {@code Collection} of names returned by the
* {@link #getIssuers getIssuers} method.
* <p>
* Note that a copy is performed on the {@code Collection} to
* protect against subsequent modifications.
*
* @param issuers a {@code Collection} of X500Principals
* (or {@code null})
* @see #getIssuers
* @since 1.5
*/
public void setIssuers(Collection<X500Principal> issuers) {
if ((issuers == null) || issuers.isEmpty()) {
issuerNames = null;
issuerX500Principals = null;
} else {
// clone
issuerX500Principals = new HashSet<X500Principal>(issuers);
issuerNames = new HashSet<Object>();
for (X500Principal p : issuerX500Principals) {
issuerNames.add(p.getEncoded());
}
}
}
/**
* <strong>Note:</strong> use {@linkplain #setIssuers(Collection)} instead
* or only specify the byte array form of distinguished names when using
* this method. See {@link #addIssuerName(String)} for more information.
* <p>
* Sets the issuerNames criterion. The issuer distinguished name in the
* {@code X509CRL} must match at least one of the specified
* distinguished names. If {@code null}, any issuer distinguished name
* will do.
* <p>
* This method allows the caller to specify, with a single method call,
* the complete set of issuer names which {@code X509CRLs} may contain.
* The specified value replaces the previous value for the issuerNames
* criterion.
* <p>
* The {@code names} parameter (if not {@code null}) is a
* {@code Collection} of names. Each name is a {@code String}
* or a byte array representing a distinguished name (in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
* ASN.1 DER encoded form, respectively). If {@code null} is supplied
* as the value for this argument, no issuerNames check will be performed.
* <p>
* Note that the {@code names} parameter can contain duplicate
* distinguished names, but they may be removed from the
* {@code Collection} of names returned by the
* {@link #getIssuerNames getIssuerNames} method.
* <p>
* If a name is specified as a byte array, it should contain a single DER
* encoded distinguished name, as defined in X.501. The ASN.1 notation for
* this structure is as follows.
* <pre>{@code
* Name ::= CHOICE {
* RDNSequence }
*
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
*
* RelativeDistinguishedName ::=
* SET SIZE (1 .. MAX) OF AttributeTypeAndValue
*
* AttributeTypeAndValue ::= SEQUENCE {
* type AttributeType,
* value AttributeValue }
*
* AttributeType ::= OBJECT IDENTIFIER
*
* AttributeValue ::= ANY DEFINED BY AttributeType
* ....
* DirectoryString ::= CHOICE {
* teletexString TeletexString (SIZE (1..MAX)),
* printableString PrintableString (SIZE (1..MAX)),
* universalString UniversalString (SIZE (1..MAX)),
* utf8String UTF8String (SIZE (1.. MAX)),
* bmpString BMPString (SIZE (1..MAX)) }
* }</pre>
* <p>
* Note that a deep copy is performed on the {@code Collection} to
* protect against subsequent modifications.
*
* @param names a {@code Collection} of names (or {@code null})
* @throws IOException if a parsing error occurs
* @see #getIssuerNames
*/
public void setIssuerNames(Collection<?> names) throws IOException {
if (names == null || names.size() == 0) {
issuerNames = null;
issuerX500Principals = null;
} else {
HashSet<Object> tempNames = cloneAndCheckIssuerNames(names);
// Ensure that we either set both of these or neither
issuerX500Principals = parseIssuerNames(tempNames);
issuerNames = tempNames;
}
}
/**
* Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
* <p>
* This method allows the caller to add a name to the set of issuer names
* which {@code X509CRLs} may contain. The specified name is added to
* any previous value for the issuerNames criterion.
* If the specified name is a duplicate, it may be ignored.
*
* @param issuer the issuer as X500Principal
* @since 1.5
*/
public void addIssuer(X500Principal issuer) {
addIssuerNameInternal(issuer.getEncoded(), issuer);
}
/**
* <strong>Denigrated</strong>, use
* {@linkplain #addIssuer(X500Principal)} or
* {@linkplain #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
* <p>
* This method allows the caller to add a name to the set of issuer names
* which {@code X509CRLs} may contain. The specified name is added to
* any previous value for the issuerNames criterion.
* If the specified name is a duplicate, it may be ignored.
*
* @param name the name in RFC 2253 form
* @throws IOException if a parsing error occurs
*/
public void addIssuerName(String name) throws IOException {
addIssuerNameInternal(name, new X500Name(name).asX500Principal());
}
/**
* Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
* <p>
* This method allows the caller to add a name to the set of issuer names
* which {@code X509CRLs} may contain. The specified name is added to
* any previous value for the issuerNames criterion. If the specified name
* is a duplicate, it may be ignored.
* If a name is specified as a byte array, it should contain a single DER
* encoded distinguished name, as defined in X.501. The ASN.1 notation for
* this structure is as follows.
* <p>
* The name is provided as a byte array. This byte array should contain
* a single DER encoded distinguished name, as defined in X.501. The ASN.1
* notation for this structure appears in the documentation for
* {@link #setIssuerNames setIssuerNames(Collection names)}.
* <p>
* Note that the byte array supplied here is cloned to protect against
* subsequent modifications.
*
* @param name a byte array containing the name in ASN.1 DER encoded form
* @throws IOException if a parsing error occurs
*/
public void addIssuerName(byte[] name) throws IOException {
// clone because byte arrays are modifiable
addIssuerNameInternal(name.clone(), new X500Name(name).asX500Principal());
}
/**
* A private method that adds a name (String or byte array) to the
* issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
*
* @param name the name in string or byte array form
* @param principal the name in X500Principal form
* @throws IOException if a parsing error occurs
*/
private void addIssuerNameInternal(Object name, X500Principal principal) {
if (issuerNames == null) {
issuerNames = new HashSet<Object>();
}
if (issuerX500Principals == null) {
issuerX500Principals = new HashSet<X500Principal>();
}
issuerNames.add(name);
issuerX500Principals.add(principal);
}
/**
* Clone and check an argument of the form passed to
* setIssuerNames. Throw an IOException if the argument is malformed.
*
* @param names a {@code Collection} of names. Each entry is a
* String or a byte array (the name, in string or ASN.1
* DER encoded form, respectively). {@code null} is
* not an acceptable value.
* @return a deep copy of the specified {@code Collection}
* @throws IOException if a parsing error occurs
*/
private static HashSet<Object> cloneAndCheckIssuerNames(Collection<?> names)
throws IOException
{
HashSet<Object> namesCopy = new HashSet<Object>();
Iterator<?> i = names.iterator();
while (i.hasNext()) {
Object nameObject = i.next();
if (!(nameObject instanceof byte []) &&
!(nameObject instanceof String))
throw new IOException("name not byte array or String");
if (nameObject instanceof byte [])
namesCopy.add(((byte []) nameObject).clone());
else
namesCopy.add(nameObject);
}
return(namesCopy);
}
/**
* Clone an argument of the form passed to setIssuerNames.
* Throw a RuntimeException if the argument is malformed.
* <p>
* This method wraps cloneAndCheckIssuerNames, changing any IOException
* into a RuntimeException. This method should be used when the object being
* cloned has already been checked, so there should never be any exceptions.
*
* @param names a {@code Collection} of names. Each entry is a
* String or a byte array (the name, in string or ASN.1
* DER encoded form, respectively). {@code null} is
* not an acceptable value.
* @return a deep copy of the specified {@code Collection}
* @throws RuntimeException if a parsing error occurs
*/
private static HashSet<Object> cloneIssuerNames(Collection<Object> names) {
try {
return cloneAndCheckIssuerNames(names);
} catch (IOException ioe) {
throw new RuntimeException(ioe);
}
}
/**
* Parse an argument of the form passed to setIssuerNames,
* returning a Collection of issuerX500Principals.
* Throw an IOException if the argument is malformed.
*
* @param names a {@code Collection} of names. Each entry is a
* String or a byte array (the name, in string or ASN.1
* DER encoded form, respectively). <Code>Null</Code> is
* not an acceptable value.
* @return a HashSet of issuerX500Principals
* @throws IOException if a parsing error occurs
*/
private static HashSet<X500Principal> parseIssuerNames(Collection<Object> names)
throws IOException {
HashSet<X500Principal> x500Principals = new HashSet<X500Principal>();
for (Iterator<Object> t = names.iterator(); t.hasNext(); ) {
Object nameObject = t.next();
if (nameObject instanceof String) {
x500Principals.add(new X500Name((String)nameObject).asX500Principal());
} else {
try {
x500Principals.add(new X500Principal((byte[])nameObject));
} catch (IllegalArgumentException e) {
throw (IOException)new IOException("Invalid name").initCause(e);
}
}
}
return x500Principals;
}
/**
* Sets the minCRLNumber criterion. The {@code X509CRL} must have a
* CRL number extension whose value is greater than or equal to the
* specified value. If {@code null}, no minCRLNumber check will be
* done.
*
* @param minCRL the minimum CRL number accepted (or {@code null})
*/
public void setMinCRLNumber(BigInteger minCRL) {
this.minCRL = minCRL;
}
/**
* Sets the maxCRLNumber criterion. The {@code X509CRL} must have a
* CRL number extension whose value is less than or equal to the
* specified value. If {@code null}, no maxCRLNumber check will be
* done.
*
* @param maxCRL the maximum CRL number accepted (or {@code null})
*/
public void setMaxCRLNumber(BigInteger maxCRL) {
this.maxCRL = maxCRL;
}
/**
* Sets the dateAndTime criterion. The specified date must be
* equal to or later than the value of the thisUpdate component
* of the {@code X509CRL} and earlier than the value of the
* nextUpdate component. There is no match if the {@code X509CRL}
* does not contain a nextUpdate component.
* If {@code null}, no dateAndTime check will be done.
* <p>
* Note that the {@code Date} supplied here is cloned to protect
* against subsequent modifications.
*
* @param dateAndTime the {@code Date} to match against
* (or {@code null})
* @see #getDateAndTime
*/
public void setDateAndTime(Date dateAndTime) {
if (dateAndTime == null)
this.dateAndTime = null;
else
this.dateAndTime = new Date(dateAndTime.getTime());
this.skew = 0;
}
/**
* Sets the dateAndTime criterion and allows for the specified clock skew
* (in milliseconds) when checking against the validity period of the CRL.
*/
void setDateAndTime(Date dateAndTime, long skew) {
this.dateAndTime =
(dateAndTime == null ? null : new Date(dateAndTime.getTime()));
this.skew = skew;
}
/**
* Sets the certificate being checked. This is not a criterion. Rather,
* it is optional information that may help a {@code CertStore}
* find CRLs that would be relevant when checking revocation for the
* specified certificate. If {@code null} is specified, then no
* such optional information is provided.
*
* @param cert the {@code X509Certificate} being checked
* (or {@code null})
* @see #getCertificateChecking
*/
public void setCertificateChecking(X509Certificate cert) {
certChecking = cert;
}
/**
* Returns the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names. If the value returned is {@code null}, any
* issuer distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* unmodifiable {@code Collection} of {@code X500Principal}s.
*
* @return an unmodifiable {@code Collection} of names
* (or {@code null})
* @see #setIssuers
* @since 1.5
*/
public Collection<X500Principal> getIssuers() {
if (issuerX500Principals == null) {
return null;
}
return Collections.unmodifiableCollection(issuerX500Principals);
}
/**
* Returns a copy of the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names. If the value returned is {@code null}, any
* issuer distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* {@code Collection} of names. Each name is a {@code String}
* or a byte array representing a distinguished name (in RFC 2253 or
* ASN.1 DER encoded form, respectively). Note that the
* {@code Collection} returned may contain duplicate names.
* <p>
* If a name is specified as a byte array, it should contain a single DER
* encoded distinguished name, as defined in X.501. The ASN.1 notation for
* this structure is given in the documentation for
* {@link #setIssuerNames setIssuerNames(Collection names)}.
* <p>
* Note that a deep copy is performed on the {@code Collection} to
* protect against subsequent modifications.
*
* @return a {@code Collection} of names (or {@code null})
* @see #setIssuerNames
*/
public Collection<Object> getIssuerNames() {
if (issuerNames == null) {
return null;
}
return cloneIssuerNames(issuerNames);
}
/**
* Returns the minCRLNumber criterion. The {@code X509CRL} must have a
* CRL number extension whose value is greater than or equal to the
* specified value. If {@code null}, no minCRLNumber check will be done.
*
* @return the minimum CRL number accepted (or {@code null})
*/
public BigInteger getMinCRL() {
return minCRL;
}
/**
* Returns the maxCRLNumber criterion. The {@code X509CRL} must have a
* CRL number extension whose value is less than or equal to the
* specified value. If {@code null}, no maxCRLNumber check will be
* done.
*
* @return the maximum CRL number accepted (or {@code null})
*/
public BigInteger getMaxCRL() {
return maxCRL;
}
/**
* Returns the dateAndTime criterion. The specified date must be
* equal to or later than the value of the thisUpdate component
* of the {@code X509CRL} and earlier than the value of the
* nextUpdate component. There is no match if the
* {@code X509CRL} does not contain a nextUpdate component.
* If {@code null}, no dateAndTime check will be done.
* <p>
* Note that the {@code Date} returned is cloned to protect against
* subsequent modifications.
*
* @return the {@code Date} to match against (or {@code null})
* @see #setDateAndTime
*/
public Date getDateAndTime() {
if (dateAndTime == null)
return null;
return (Date) dateAndTime.clone();
}
/**
* Returns the certificate being checked. This is not a criterion. Rather,
* it is optional information that may help a {@code CertStore}
* find CRLs that would be relevant when checking revocation for the
* specified certificate. If the value returned is {@code null}, then
* no such optional information is provided.
*
* @return the certificate being checked (or {@code null})
* @see #setCertificateChecking
*/
public X509Certificate getCertificateChecking() {
return certChecking;
}
/**
* Returns a printable representation of the {@code X509CRLSelector}.
*
* @return a {@code String} describing the contents of the
* {@code X509CRLSelector}.
*/
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append("X509CRLSelector: [\n");
if (issuerNames != null) {
sb.append(" IssuerNames:\n");
Iterator<Object> i = issuerNames.iterator();
while (i.hasNext())
sb.append(" " + i.next() + "\n");
}
if (minCRL != null)
sb.append(" minCRLNumber: " + minCRL + "\n");
if (maxCRL != null)
sb.append(" maxCRLNumber: " + maxCRL + "\n");
if (dateAndTime != null)
sb.append(" dateAndTime: " + dateAndTime + "\n");
if (certChecking != null)
sb.append(" Certificate being checked: " + certChecking + "\n");
sb.append("]");
return sb.toString();
}
/**
* Decides whether a {@code CRL} should be selected.
*
* @param crl the {@code CRL} to be checked
* @return {@code true} if the {@code CRL} should be selected,
* {@code false} otherwise
*/
public boolean match(CRL crl) {
if (!(crl instanceof X509CRL)) {
return false;
}
X509CRL xcrl = (X509CRL)crl;
/* match on issuer name */
if (issuerNames != null) {
X500Principal issuer = xcrl.getIssuerX500Principal();
Iterator<X500Principal> i = issuerX500Principals.iterator();
boolean found = false;
while (!found && i.hasNext()) {
if (i.next().equals(issuer)) {
found = true;
}
}
if (!found) {
if (debug != null) {
debug.println("X509CRLSelector.match: issuer DNs "
+ "don't match");
}
return false;
}
}
if ((minCRL != null) || (maxCRL != null)) {
/* Get CRL number extension from CRL */
byte[] crlNumExtVal = xcrl.getExtensionValue("2.5.29.20");
if (crlNumExtVal == null) {
if (debug != null) {
debug.println("X509CRLSelector.match: no CRLNumber");
}
}
BigInteger crlNum;
try {
DerInputStream in = new DerInputStream(crlNumExtVal);
byte[] encoded = in.getOctetString();
CRLNumberExtension crlNumExt =
new CRLNumberExtension(Boolean.FALSE, encoded);
crlNum = crlNumExt.get(CRLNumberExtension.NUMBER);
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CRLSelector.match: exception in "
+ "decoding CRL number");
}
return false;
}
/* match on minCRLNumber */
if (minCRL != null) {
if (crlNum.compareTo(minCRL) < 0) {
if (debug != null) {
debug.println("X509CRLSelector.match: CRLNumber too small");
}
return false;
}
}
/* match on maxCRLNumber */
if (maxCRL != null) {
if (crlNum.compareTo(maxCRL) > 0) {
if (debug != null) {
debug.println("X509CRLSelector.match: CRLNumber too large");
}
return false;
}
}
}
/* match on dateAndTime */
if (dateAndTime != null) {
Date crlThisUpdate = xcrl.getThisUpdate();
Date nextUpdate = xcrl.getNextUpdate();
if (nextUpdate == null) {
if (debug != null) {
debug.println("X509CRLSelector.match: nextUpdate null");
}
return false;
}
Date nowPlusSkew = dateAndTime;
Date nowMinusSkew = dateAndTime;
if (skew > 0) {
nowPlusSkew = new Date(dateAndTime.getTime() + skew);
nowMinusSkew = new Date(dateAndTime.getTime() - skew);
}
// Check that the test date is within the validity interval:
// [ thisUpdate - MAX_CLOCK_SKEW,
// nextUpdate + MAX_CLOCK_SKEW ]
if (nowMinusSkew.after(nextUpdate)
|| nowPlusSkew.before(crlThisUpdate)) {
if (debug != null) {
debug.println("X509CRLSelector.match: update out-of-range");
}
return false;
}
}
return true;
}
/**
* Returns a copy of this object.
*
* @return the copy
*/
public Object clone() {
try {
X509CRLSelector copy = (X509CRLSelector)super.clone();
if (issuerNames != null) {
copy.issuerNames =
new HashSet<Object>(issuerNames);
copy.issuerX500Principals =
new HashSet<X500Principal>(issuerX500Principals);
}
return copy;
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString(), e);
}
}
}

2614
jdkSrc/jdk8/java/security/cert/X509CertSelector.java Normal file
View File

File diff suppressed because it is too large Load Diff

699
jdkSrc/jdk8/java/security/cert/X509Certificate.java Normal file
View File

@@ -0,0 +1,699 @@
/*
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.*;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.X509CertImpl;
import sun.security.util.SignatureUtil;
/**
* <p>
* Abstract class for X.509 certificates. This provides a standard
* way to access all the attributes of an X.509 certificate.
* <p>
* In June of 1996, the basic X.509 v3 format was completed by
* ISO/IEC and ANSI X9, which is described below in ASN.1:
* <pre>
* Certificate ::= SEQUENCE {
* tbsCertificate TBSCertificate,
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING }
* </pre>
* <p>
* These certificates are widely used to support authentication and
* other functionality in Internet security systems. Common applications
* include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
* code signing for trusted software distribution, and Secure Electronic
* Transactions (SET).
* <p>
* These certificates are managed and vouched for by <em>Certificate
* Authorities</em> (CAs). CAs are services which create certificates by
* placing data in the X.509 standard format and then digitally signing
* that data. CAs act as trusted third parties, making introductions
* between principals who have no direct knowledge of each other.
* CA certificates are either signed by themselves, or by some other
* CA such as a "root" CA.
* <p>
* More information can be found in
* <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
* Public Key Infrastructure Certificate and CRL Profile</a>.
* <p>
* The ASN.1 definition of {@code tbsCertificate} is:
* <pre>
* TBSCertificate ::= SEQUENCE {
* version [0] EXPLICIT Version DEFAULT v1,
* serialNumber CertificateSerialNumber,
* signature AlgorithmIdentifier,
* issuer Name,
* validity Validity,
* subject Name,
* subjectPublicKeyInfo SubjectPublicKeyInfo,
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
* -- If present, version must be v2 or v3
* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
* -- If present, version must be v2 or v3
* extensions [3] EXPLICIT Extensions OPTIONAL
* -- If present, version must be v3
* }
* </pre>
* <p>
* Certificates are instantiated using a certificate factory. The following is
* an example of how to instantiate an X.509 certificate:
* <pre>
* try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
* }
* </pre>
*
* @author Hemma Prafullchandra
*
*
* @see Certificate
* @see CertificateFactory
* @see X509Extension
*/
public abstract class X509Certificate extends Certificate
implements X509Extension {
private static final long serialVersionUID = -2491127588187038216L;
private transient X500Principal subjectX500Principal, issuerX500Principal;
/**
* Constructor for X.509 certificates.
*/
protected X509Certificate() {
super("X.509");
}
/**
* Checks that the certificate is currently valid. It is if
* the current date and time are within the validity period given in the
* certificate.
* <p>
* The validity period consists of two date/time values:
* the first and last dates (and times) on which the certificate
* is valid. It is defined in
* ASN.1 as:
* <pre>
* validity Validity
*
* Validity ::= SEQUENCE {
* notBefore CertificateValidityDate,
* notAfter CertificateValidityDate }
*
* CertificateValidityDate ::= CHOICE {
* utcTime UTCTime,
* generalTime GeneralizedTime }
* </pre>
*
* @exception CertificateExpiredException if the certificate has expired.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid.
*/
public abstract void checkValidity()
throws CertificateExpiredException, CertificateNotYetValidException;
/**
* Checks that the given date is within the certificate's
* validity period. In other words, this determines whether the
* certificate would be valid at the given date/time.
*
* @param date the Date to check against to see if this certificate
* is valid at that date/time.
*
* @exception CertificateExpiredException if the certificate has expired
* with respect to the {@code date} supplied.
* @exception CertificateNotYetValidException if the certificate is not
* yet valid with respect to the {@code date} supplied.
*
* @see #checkValidity()
*/
public abstract void checkValidity(Date date)
throws CertificateExpiredException, CertificateNotYetValidException;
/**
* Gets the {@code version} (version number) value from the
* certificate.
* The ASN.1 definition for this is:
* <pre>
* version [0] EXPLICIT Version DEFAULT v1
*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
* </pre>
* @return the version number, i.e. 1, 2 or 3.
*/
public abstract int getVersion();
/**
* Gets the {@code serialNumber} value from the certificate.
* The serial number is an integer assigned by the certification
* authority to each certificate. It must be unique for each
* certificate issued by a given CA (i.e., the issuer name and
* serial number identify a unique certificate).
* The ASN.1 definition for this is:
* <pre>
* serialNumber CertificateSerialNumber
*
* CertificateSerialNumber ::= INTEGER
* </pre>
*
* @return the serial number.
*/
public abstract BigInteger getSerialNumber();
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the certificate. The issuer name identifies the entity that signed (and
* issued) the certificate.
*
* <p>The issuer name field contains an
* X.500 distinguished name (DN).
* The ASN.1 definition for this is:
* <pre>
* issuer Name
*
* Name ::= CHOICE { RDNSequence }
* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
* RelativeDistinguishedName ::=
* SET OF AttributeValueAssertion
*
* AttributeValueAssertion ::= SEQUENCE {
* AttributeType,
* AttributeValue }
* AttributeType ::= OBJECT IDENTIFIER
* AttributeValue ::= ANY
* </pre>
* The {@code Name} describes a hierarchical name composed of
* attributes,
* such as country name, and corresponding values, such as US.
* The type of the {@code AttributeValue} component is determined by
* the {@code AttributeType}; in general it will be a
* {@code directoryString}. A {@code directoryString} is usually
* one of {@code PrintableString},
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*/
public abstract Principal getIssuerDN();
/**
* Returns the issuer (issuer distinguished name) value from the
* certificate as an {@code X500Principal}.
* <p>
* It is recommended that subclasses override this method.
*
* @return an {@code X500Principal} representing the issuer
* distinguished name
* @since 1.4
*/
public X500Principal getIssuerX500Principal() {
if (issuerX500Principal == null) {
issuerX500Principal = X509CertImpl.getIssuerX500Principal(this);
}
return issuerX500Principal;
}
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getSubjectX500Principal()}. This method returns the {@code subject}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code subject} (subject distinguished name) value
* from the certificate. If the {@code subject} value is empty,
* then the {@code getName()} method of the returned
* {@code Principal} object returns an empty string ("").
*
* <p> The ASN.1 definition for this is:
* <pre>
* subject Name
* </pre>
*
* <p>See {@link #getIssuerDN() getIssuerDN} for {@code Name}
* and other relevant definitions.
*
* @return a Principal whose name is the subject name.
*/
public abstract Principal getSubjectDN();
/**
* Returns the subject (subject distinguished name) value from the
* certificate as an {@code X500Principal}. If the subject value
* is empty, then the {@code getName()} method of the returned
* {@code X500Principal} object returns an empty string ("").
* <p>
* It is recommended that subclasses override this method.
*
* @return an {@code X500Principal} representing the subject
* distinguished name
* @since 1.4
*/
public X500Principal getSubjectX500Principal() {
if (subjectX500Principal == null) {
subjectX500Principal = X509CertImpl.getSubjectX500Principal(this);
}
return subjectX500Principal;
}
/**
* Gets the {@code notBefore} date from the validity period of
* the certificate.
* The relevant ASN.1 definitions are:
* <pre>
* validity Validity
*
* Validity ::= SEQUENCE {
* notBefore CertificateValidityDate,
* notAfter CertificateValidityDate }
*
* CertificateValidityDate ::= CHOICE {
* utcTime UTCTime,
* generalTime GeneralizedTime }
* </pre>
*
* @return the start date of the validity period.
* @see #checkValidity
*/
public abstract Date getNotBefore();
/**
* Gets the {@code notAfter} date from the validity period of
* the certificate. See {@link #getNotBefore() getNotBefore}
* for relevant ASN.1 definitions.
*
* @return the end date of the validity period.
* @see #checkValidity
*/
public abstract Date getNotAfter();
/**
* Gets the DER-encoded certificate information, the
* {@code tbsCertificate} from this certificate.
* This can be used to verify the signature independently.
*
* @return the DER-encoded certificate information.
* @exception CertificateEncodingException if an encoding error occurs.
*/
public abstract byte[] getTBSCertificate()
throws CertificateEncodingException;
/**
* Gets the {@code signature} value (the raw signature bits) from
* the certificate.
* The ASN.1 definition for this is:
* <pre>
* signature BIT STRING
* </pre>
*
* @return the signature.
*/
public abstract byte[] getSignature();
/**
* Gets the signature algorithm name for the certificate
* signature algorithm. An example is the string "SHA256withRSA".
* The ASN.1 definition for this is:
* <pre>
* signatureAlgorithm AlgorithmIdentifier
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL }
* -- contains a value of the type
* -- registered for use with the
* -- algorithm object identifier value
* </pre>
*
* <p>The algorithm name is determined from the {@code algorithm}
* OID string.
*
* @return the signature algorithm name.
*/
public abstract String getSigAlgName();
/**
* Gets the signature algorithm OID string from the certificate.
* An OID is represented by a set of nonnegative whole numbers separated
* by periods.
* For example, the string "1.2.840.10040.4.3" identifies the SHA-1
* with DSA signature algorithm defined in
* <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
* Identifiers for the Internet X.509 Public Key Infrastructure Certificate
* and CRL Profile</a>.
*
* <p>See {@link #getSigAlgName() getSigAlgName} for
* relevant ASN.1 definitions.
*
* @return the signature algorithm OID string.
*/
public abstract String getSigAlgOID();
/**
* Gets the DER-encoded signature algorithm parameters from this
* certificate's signature algorithm. In most cases, the signature
* algorithm parameters are null; the parameters are usually
* supplied with the certificate's public key.
* If access to individual parameter values is needed then use
* {@link java.security.AlgorithmParameters AlgorithmParameters}
* and instantiate with the name returned by
* {@link #getSigAlgName() getSigAlgName}.
*
* <p>See {@link #getSigAlgName() getSigAlgName} for
* relevant ASN.1 definitions.
*
* @return the DER-encoded signature algorithm parameters, or
* null if no parameters are present.
*/
public abstract byte[] getSigAlgParams();
/**
* Gets the {@code issuerUniqueID} value from the certificate.
* The issuer unique identifier is present in the certificate
* to handle the possibility of reuse of issuer names over time.
* RFC 5280 recommends that names not be reused and that
* conforming certificates not make use of unique identifiers.
* Applications conforming to that profile should be capable of
* parsing unique identifiers and making comparisons.
*
* <p>The ASN.1 definition for this is:
* <pre>
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL
*
* UniqueIdentifier ::= BIT STRING
* </pre>
*
* @return the issuer unique identifier or null if it is not
* present in the certificate.
*/
public abstract boolean[] getIssuerUniqueID();
/**
* Gets the {@code subjectUniqueID} value from the certificate.
*
* <p>The ASN.1 definition for this is:
* <pre>
* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
*
* UniqueIdentifier ::= BIT STRING
* </pre>
*
* @return the subject unique identifier or null if it is not
* present in the certificate.
*/
public abstract boolean[] getSubjectUniqueID();
/**
* Gets a boolean array representing bits of
* the {@code KeyUsage} extension, (OID = 2.5.29.15).
* The key usage extension defines the purpose (e.g., encipherment,
* signature, certificate signing) of the key contained in the
* certificate.
* The ASN.1 definition for this is:
* <pre>
* KeyUsage ::= BIT STRING {
* digitalSignature (0),
* nonRepudiation (1),
* keyEncipherment (2),
* dataEncipherment (3),
* keyAgreement (4),
* keyCertSign (5),
* cRLSign (6),
* encipherOnly (7),
* decipherOnly (8) }
* </pre>
* RFC 5280 recommends that when used, this be marked
* as a critical extension.
*
* @return the KeyUsage extension of this certificate, represented as
* an array of booleans. The order of KeyUsage values in the array is
* the same as in the above ASN.1 definition. The array will contain a
* value for each KeyUsage defined above. If the KeyUsage list encoded
* in the certificate is longer than the above list, it will not be
* truncated. Returns null if this certificate does not
* contain a KeyUsage extension.
*/
public abstract boolean[] getKeyUsage();
/**
* Gets an unmodifiable list of Strings representing the OBJECT
* IDENTIFIERs of the {@code ExtKeyUsageSyntax} field of the
* extended key usage extension, (OID = 2.5.29.37). It indicates
* one or more purposes for which the certified public key may be
* used, in addition to or in place of the basic purposes
* indicated in the key usage extension field. The ASN.1
* definition for this is:
* <pre>
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
*
* KeyPurposeId ::= OBJECT IDENTIFIER
* </pre>
*
* Key purposes may be defined by any organization with a
* need. Object identifiers used to identify key purposes shall be
* assigned in accordance with IANA or ITU-T Rec. X.660 |
* ISO/IEC/ITU 9834-1.
* <p>
* This method was added to version 1.4 of the Java 2 Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method is not {@code abstract}
* and it provides a default implementation. Subclasses
* should override this method with a correct implementation.
*
* @return the ExtendedKeyUsage extension of this certificate,
* as an unmodifiable list of object identifiers represented
* as Strings. Returns null if this certificate does not
* contain an ExtendedKeyUsage extension.
* @throws CertificateParsingException if the extension cannot be decoded
* @since 1.4
*/
public List<String> getExtendedKeyUsage() throws CertificateParsingException {
return X509CertImpl.getExtendedKeyUsage(this);
}
/**
* Gets the certificate constraints path length from the
* critical {@code BasicConstraints} extension, (OID = 2.5.29.19).
* <p>
* The basic constraints extension identifies whether the subject
* of the certificate is a Certificate Authority (CA) and
* how deep a certification path may exist through that CA. The
* {@code pathLenConstraint} field (see below) is meaningful
* only if {@code cA} is set to TRUE. In this case, it gives the
* maximum number of CA certificates that may follow this certificate in a
* certification path. A value of zero indicates that only an end-entity
* certificate may follow in the path.
* <p>
* The ASN.1 definition for this is:
* <pre>
* BasicConstraints ::= SEQUENCE {
* cA BOOLEAN DEFAULT FALSE,
* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
* </pre>
*
* @return the value of {@code pathLenConstraint} if the
* BasicConstraints extension is present in the certificate and the
* subject of the certificate is a CA, otherwise -1.
* If the subject of the certificate is a CA and
* {@code pathLenConstraint} does not appear,
* {@code Integer.MAX_VALUE} is returned to indicate that there is no
* limit to the allowed length of the certification path.
*/
public abstract int getBasicConstraints();
/**
* Gets an immutable collection of subject alternative names from the
* {@code SubjectAltName} extension, (OID = 2.5.29.17).
* <p>
* The ASN.1 definition of the {@code SubjectAltName} extension is:
* <pre>
* SubjectAltName ::= GeneralNames
*
* GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
*
* GeneralName ::= CHOICE {
* otherName [0] OtherName,
* rfc822Name [1] IA5String,
* dNSName [2] IA5String,
* x400Address [3] ORAddress,
* directoryName [4] Name,
* ediPartyName [5] EDIPartyName,
* uniformResourceIdentifier [6] IA5String,
* iPAddress [7] OCTET STRING,
* registeredID [8] OBJECT IDENTIFIER}
* </pre>
* <p>
* If this certificate does not contain a {@code SubjectAltName}
* extension, {@code null} is returned. Otherwise, a
* {@code Collection} is returned with an entry representing each
* {@code GeneralName} included in the extension. Each entry is a
* {@code List} whose first entry is an {@code Integer}
* (the name type, 0-8) and whose second entry is a {@code String}
* or a byte array (the name, in string or ASN.1 DER encoded form,
* respectively).
* <p>
* <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
* names are returned as {@code String}s,
* using the well-established string formats for those types (subject to
* the restrictions included in RFC 5280). IPv4 address names are
* returned using dotted quad notation. IPv6 address names are returned
* in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
* representing the eight 16-bit pieces of the address. OID names are
* returned as {@code String}s represented as a series of nonnegative
* integers separated by periods. And directory names (distinguished names)
* are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
* RFC 2253</a> string format. No standard string format is
* defined for otherNames, X.400 names, EDI party names, or any
* other type of names. They are returned as byte arrays
* containing the ASN.1 DER encoded form of the name.
* <p>
* Note that the {@code Collection} returned may contain more
* than one name of the same type. Also, note that the returned
* {@code Collection} is immutable and any entries containing byte
* arrays are cloned to protect against subsequent modifications.
* <p>
* This method was added to version 1.4 of the Java 2 Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method is not {@code abstract}
* and it provides a default implementation. Subclasses
* should override this method with a correct implementation.
*
* @return an immutable {@code Collection} of subject alternative
* names (or {@code null})
* @throws CertificateParsingException if the extension cannot be decoded
* @since 1.4
*/
public Collection<List<?>> getSubjectAlternativeNames()
throws CertificateParsingException {
return X509CertImpl.getSubjectAlternativeNames(this);
}
/**
* Gets an immutable collection of issuer alternative names from the
* {@code IssuerAltName} extension, (OID = 2.5.29.18).
* <p>
* The ASN.1 definition of the {@code IssuerAltName} extension is:
* <pre>
* IssuerAltName ::= GeneralNames
* </pre>
* The ASN.1 definition of {@code GeneralNames} is defined
* in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
* <p>
* If this certificate does not contain an {@code IssuerAltName}
* extension, {@code null} is returned. Otherwise, a
* {@code Collection} is returned with an entry representing each
* {@code GeneralName} included in the extension. Each entry is a
* {@code List} whose first entry is an {@code Integer}
* (the name type, 0-8) and whose second entry is a {@code String}
* or a byte array (the name, in string or ASN.1 DER encoded form,
* respectively). For more details about the formats used for each
* name type, see the {@code getSubjectAlternativeNames} method.
* <p>
* Note that the {@code Collection} returned may contain more
* than one name of the same type. Also, note that the returned
* {@code Collection} is immutable and any entries containing byte
* arrays are cloned to protect against subsequent modifications.
* <p>
* This method was added to version 1.4 of the Java 2 Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method is not {@code abstract}
* and it provides a default implementation. Subclasses
* should override this method with a correct implementation.
*
* @return an immutable {@code Collection} of issuer alternative
* names (or {@code null})
* @throws CertificateParsingException if the extension cannot be decoded
* @since 1.4
*/
public Collection<List<?>> getIssuerAlternativeNames()
throws CertificateParsingException {
return X509CertImpl.getIssuerAlternativeNames(this);
}
/**
* Verifies that this certificate was signed using the
* private key that corresponds to the specified public key.
* This method uses the signature verification engine
* supplied by the specified provider. Note that the specified
* Provider object does not have to be registered in the provider list.
*
* This method was added to version 1.8 of the Java Platform Standard
* Edition. In order to maintain backwards compatibility with existing
* service providers, this method is not {@code abstract}
* and it provides a default implementation.
*
* @param key the PublicKey used to carry out the verification.
* @param sigProvider the signature provider.
*
* @exception NoSuchAlgorithmException on unsupported signature
* algorithms.
* @exception InvalidKeyException on incorrect key.
* @exception SignatureException on signature errors.
* @exception CertificateException on encoding errors.
* @exception UnsupportedOperationException if the method is not supported
* @since 1.8
*/
public void verify(PublicKey key, Provider sigProvider)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, SignatureException {
String sigName = getSigAlgName();
Signature sig = (sigProvider == null)
? Signature.getInstance(sigName)
: Signature.getInstance(sigName, sigProvider);
try {
SignatureUtil.initVerifyWithParam(sig, key,
SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
} catch (ProviderException e) {
throw new CertificateException(e.getMessage(), e.getCause());
} catch (InvalidAlgorithmParameterException e) {
throw new CertificateException(e);
}
byte[] tbsCert = getTBSCertificate();
sig.update(tbsCert, 0, tbsCert.length);
if (sig.verify(getSignature()) == false) {
throw new SignatureException("Signature does not match.");
}
}
}

186
jdkSrc/jdk8/java/security/cert/X509Extension.java Normal file
View File

@@ -0,0 +1,186 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security.cert;
import java.util.Set;
/**
* Interface for an X.509 extension.
*
* <p>The extensions defined for X.509 v3
* {@link X509Certificate Certificates} and v2
* {@link X509CRL CRLs} (Certificate Revocation
* Lists) provide methods
* for associating additional attributes with users or public keys,
* for managing the certification hierarchy, and for managing CRL
* distribution. The X.509 extensions format also allows communities
* to define private extensions to carry information unique to those
* communities.
*
* <p>Each extension in a certificate/CRL may be designated as
* critical or non-critical. A certificate/CRL-using system (an application
* validating a certificate/CRL) must reject the certificate/CRL if it
* encounters a critical extension it does not recognize. A non-critical
* extension may be ignored if it is not recognized.
* <p>
* The ASN.1 definition for this is:
* <pre>
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*
* Extension ::= SEQUENCE {
* extnId OBJECT IDENTIFIER,
* critical BOOLEAN DEFAULT FALSE,
* extnValue OCTET STRING
* -- contains a DER encoding of a value
* -- of the type registered for use with
* -- the extnId object identifier value
* }
* </pre>
* Since not all extensions are known, the {@code getExtensionValue}
* method returns the DER-encoded OCTET STRING of the
* extension value (i.e., the {@code extnValue}). This can then
* be handled by a <em>Class</em> that understands the extension.
*
* @author Hemma Prafullchandra
*/
public interface X509Extension {
/**
* Check if there is a critical extension that is not supported.
*
* @return {@code true} if a critical extension is found that is
* not supported, otherwise {@code false}.
*/
public boolean hasUnsupportedCriticalExtension();
/**
* Gets a Set of the OID strings for the extension(s) marked
* CRITICAL in the certificate/CRL managed by the object
* implementing this interface.
*
* Here is sample code to get a Set of critical extensions from an
* X509Certificate and print the OIDs:
* <pre>{@code
* X509Certificate cert = null;
* try (InputStream inStrm = new FileInputStream("DER-encoded-Cert")) {
* CertificateFactory cf = CertificateFactory.getInstance("X.509");
* cert = (X509Certificate)cf.generateCertificate(inStrm);
* }
*
* Set<String> critSet = cert.getCriticalExtensionOIDs();
* if (critSet != null && !critSet.isEmpty()) {
* System.out.println("Set of critical extensions:");
* for (String oid : critSet) {
* System.out.println(oid);
* }
* }
* }</pre>
* @return a Set (or an empty Set if none are marked critical) of
* the extension OID strings for extensions that are marked critical.
* If there are no extensions present at all, then this method returns
* null.
*/
public Set<String> getCriticalExtensionOIDs();
/**
* Gets a Set of the OID strings for the extension(s) marked
* NON-CRITICAL in the certificate/CRL managed by the object
* implementing this interface.
*
* Here is sample code to get a Set of non-critical extensions from an
* X509CRL revoked certificate entry and print the OIDs:
* <pre>{@code
* CertificateFactory cf = null;
* X509CRL crl = null;
* try (InputStream inStrm = new FileInputStream("DER-encoded-CRL")) {
* cf = CertificateFactory.getInstance("X.509");
* crl = (X509CRL)cf.generateCRL(inStrm);
* }
*
* byte[] certData = <DER-encoded certificate data>
* ByteArrayInputStream bais = new ByteArrayInputStream(certData);
* X509Certificate cert = (X509Certificate)cf.generateCertificate(bais);
* X509CRLEntry badCert =
* crl.getRevokedCertificate(cert.getSerialNumber());
*
* if (badCert != null) {
* Set<String> nonCritSet = badCert.getNonCriticalExtensionOIDs();
* if (nonCritSet != null)
* for (String oid : nonCritSet) {
* System.out.println(oid);
* }
* }
* }</pre>
*
* @return a Set (or an empty Set if none are marked non-critical) of
* the extension OID strings for extensions that are marked non-critical.
* If there are no extensions present at all, then this method returns
* null.
*/
public Set<String> getNonCriticalExtensionOIDs();
/**
* Gets the DER-encoded OCTET string for the extension value
* (<em>extnValue</em>) identified by the passed-in {@code oid}
* String.
* The {@code oid} string is
* represented by a set of nonnegative whole numbers separated
* by periods.
*
* <p>For example:<br>
* <table border=groove summary="Examples of OIDs and extension names">
* <tr>
* <th>OID <em>(Object Identifier)</em></th>
* <th>Extension Name</th></tr>
* <tr><td>2.5.29.14</td>
* <td>SubjectKeyIdentifier</td></tr>
* <tr><td>2.5.29.15</td>
* <td>KeyUsage</td></tr>
* <tr><td>2.5.29.16</td>
* <td>PrivateKeyUsage</td></tr>
* <tr><td>2.5.29.17</td>
* <td>SubjectAlternativeName</td></tr>
* <tr><td>2.5.29.18</td>
* <td>IssuerAlternativeName</td></tr>
* <tr><td>2.5.29.19</td>
* <td>BasicConstraints</td></tr>
* <tr><td>2.5.29.30</td>
* <td>NameConstraints</td></tr>
* <tr><td>2.5.29.33</td>
* <td>PolicyMappings</td></tr>
* <tr><td>2.5.29.35</td>
* <td>AuthorityKeyIdentifier</td></tr>
* <tr><td>2.5.29.36</td>
* <td>PolicyConstraints</td></tr>
* </table>
*
* @param oid the Object Identifier value for the extension.
* @return the DER-encoded octet string of the extension value or
* null if it is not present.
*/
public byte[] getExtensionValue(String oid);
}

64
jdkSrc/jdk8/java/security/cert/package-info.java Normal file
View File

@@ -0,0 +1,64 @@
/*
* Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* Provides classes and interfaces for parsing and managing
* certificates, certificate revocation lists (CRLs), and
* certification paths. It contains support for X.509 v3
* certificates and X.509 v2 CRLs.
*
* <h2>Package Specification</h2>
*
* <ul>
* <li><a href="{@docRoot}/../technotes/guides/security/crypto/CryptoSpec.html">
* <b>Java&trade;
* Cryptography Architecture (JCA) Reference Guide</b></a>
* <li>RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
* Certificate Revocation List (CRL) Profile
* <li>RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate
* Status Protocol - OCSP
* <li><a href="{@docRoot}/../technotes/guides/security/StandardNames.html">
* <b>Java&trade;
* Cryptography Architecture Standard Algorithm Name
* Documentation</b></a></li>
* </ul>
*
* <h2>Related Documentation</h2>
*
* For information about X.509 certificates and CRLs, please see:
* <ul>
* <li><a href="http://www.ietf.org/rfc/rfc5280.txt">
* http://www.ietf.org/rfc/rfc5280.txt</a>
* <li><a href=
* "{@docRoot}/../technotes/guides/security/certpath/CertPathProgGuide.html">
* <b>Java&trade;
* PKI Programmer's Guide</b></a>
* <li><a href="{@docRoot}/../technotes/guides/security/cert3.html">
* <b>X.509 Certificates and Certificate Revocation Lists (CRLs)</b></a>
* </ul>
*
* @since 1.2
*/
package java.security.cert;