/* * @(#)X509CertSelector.java 1.14 03/01/23 * * Copyright 2003 Sun Microsystems, Inc. All rights reserved. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */package java.security.cert;import java.io.IOException;import java.math.BigInteger;import java.security.PublicKey;import java.util.*;import javax.security.auth.x500.X500Principal;import sun.misc.HexDumpEncoder;import sun.security.util.Debug;import sun.security.util.DerInputStream;import sun.security.util.DerValue;import sun.security.util.ObjectIdentifier;import sun.security.x509.*;/** * A <code>CertSelector</code> that selects <code>X509Certificates</code> that * match all specified criteria. This class is particularly useful when * selecting certificates from a <code>CertStore</code> to build a * PKIX-compliant certification path. * <p> * When first constructed, an <code>X509CertSelector</code> has no criteria * enabled and each of the <code>get</code> methods return a default value * (<code>null</code>, or <code>-1</code> for the {@link #getBasicConstraints * getBasicConstraints} method). Therefore, the {@link #match match} * method would return <code>true</code> for any <code>X509Certificate</code>. * Typically, several criteria are enabled (by calling * {@link #setIssuer setIssuer} or * {@link #setKeyUsage setKeyUsage}, for instance) and then the * <code>X509CertSelector</code> is passed to * {@link CertStore#getCertificates CertStore.getCertificates} or some similar * method. * <p> * Several criteria can be enabled (by calling {@link #setIssuer setIssuer} * and {@link #setSerialNumber setSerialNumber}, * for example) such that the <code>match</code> method * usually uniquely matches a single <code>X509Certificate</code>. We say * usually, since it is possible for two issuing CAs to have the same * distinguished name and each issue a certificate with the same serial * number. Other unique combinations include the issuer, subject, * subjectKeyIdentifier and/or the subjectPublicKey criteria. 
* <p>
 * Please refer to RFC 2459 for definitions of the X.509 certificate
 * extensions mentioned below.
 * <p>
 * A selector only narrows the set of candidate certificates: a successful
 * <code>match</code> is a filtering result, not a trust decision, and does
 * not replace certification path validation.
 * <p>
 * <b>Concurrent Access</b>
 * <p>
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see CertSelector
 * @see X509Certificate
 *
 * @version 1.14, 01/23/03
 * @since 1.4
 * @author Steve Hanna
 */
public class X509CertSelector implements CertSelector {

    private static final Debug debug = Debug.getInstance("certpath");

    /** OID 2.5.29.37.0 (anyExtendedKeyUsage). */
    private static final ObjectIdentifier ANY_EXTENDED_KEY_USAGE =
        ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0});

    // Runs once at class initialization, before any selector is constructed.
    static {
        CertPathHelperImpl.initialize();
    }

    // ---- Selection criteria. null (or -1 for basicConstraints) means the
    // ---- criterion is not enabled; see the class description.
    private X509Certificate x509Cert;
    private BigInteger serialNumber;
    private X500Principal issuer;
    private X500Principal subject;
    private byte[] subjectKeyID;
    private byte[] authorityKeyID;
    private Date certificateValid;
    private Date privateKeyValid;
    private ObjectIdentifier subjectPublicKeyAlgID;
    private PublicKey subjectPublicKey;
    private byte[] subjectPublicKeyBytes;
    private boolean[] keyUsage;
    private Set keyPurposeSet, keyPurposeOIDSet;
    private Set subjectAlternativeNames;
    private Set subjectAlternativeGeneralNames;
    private boolean matchAllSubjectAltNames = true;
    private CertificatePolicySet policy;
    private Set policySet;
    private Set pathToNames;
    private Set pathToGeneralNames;
    private NameConstraintsExtension nc;
    private byte[] ncBytes;
    private int basicConstraints = -1;

    private static final Boolean FALSE = Boolean.FALSE;

    // Indices into EXTENSION_OIDS.
    private static final int PRIVATE_KEY_USAGE_ID = 0;
    private static final int SUBJECT_ALT_NAME_ID = 1;
    private static final int NAME_CONSTRAINTS_ID = 2;
    private static final int CERT_POLICIES_ID = 3;
    private static final int EXTENDED_KEY_USAGE_ID = 4;
    private static final int NUM_OF_EXTENSIONS = 5;

    // Extension OIDs, positioned by the *_ID constants above
    // (NUM_OF_EXTENSIONS entries).
    private static final String[] EXTENSION_OIDS = {
        "2.5.29.16",    // PRIVATE_KEY_USAGE_ID
        "2.5.29.17",    // SUBJECT_ALT_NAME_ID
        "2.5.29.30",    // NAME_CONSTRAINTS_ID
        "2.5.29.32",    // CERT_POLICIES_ID
        "2.5.29.37"     // EXTENDED_KEY_USAGE_ID
    };

    /* Constants representing the GeneralName types */
    static final int NAME_ANY = 0;
    static final int NAME_RFC822 = 1;
    static final int NAME_DNS = 2;
    static final int NAME_X400 = 3;
    static final int NAME_DIRECTORY = 4;
    static final int NAME_EDI = 5;
    static final int NAME_URI = 6;
    static final int NAME_IP = 7;
    static final int NAME_OID = 8;

    /**
     * Creates an <code>X509CertSelector</code> with no criteria enabled,
     * so that every <code>X509Certificate</code> matches until a
     * <code>set</code> method is called.
     */
    public X509CertSelector() {
        // nothing to initialize: all criteria start out disabled
    }

    /**
     * Sets the certificateEquals criterion: the given certificate must be
     * equal to the <code>X509Certificate</code> passed to
     * <code>match</code>. <code>null</code> disables the check.
     * <p>
     * This is the natural choice when exactly one known certificate must be
     * selected. Other criteria may be combined with it, but that is rarely
     * practical or necessary. Only the reference is stored; the certificate
     * object itself is not copied.
     *
     * @param cert the <code>X509Certificate</code> to match (or
     *        <code>null</code>)
     * @see #getCertificate
     */
    public void setCertificate(X509Certificate cert) {
        x509Cert = cert;
    }

    /**
     * Sets the serialNumber criterion: the given value must equal the
     * serial number carried by the <code>X509Certificate</code>.
     * If <code>null</code>, any certificate
     * serial number will do.
*
     * @param serial the certificate serial number to match
     *        (or <code>null</code>)
     * @see #getSerialNumber
     */
    public void setSerialNumber(BigInteger serial) {
        serialNumber = serial;
    }

    // Called from CertPathHelperImpl; to be made public in a future release.
    void setIssuer(X500Principal issuer) {
        this.issuer = issuer;
    }

    /**
     * Sets the issuer criterion: the given distinguished name must match
     * the issuer distinguished name in the <code>X509Certificate</code>.
     * If <code>null</code>, the criterion is disabled and any issuer
     * distinguished name will do.
     * <p>
     * A non-<code>null</code> <code>issuerDN</code> must be a distinguished
     * name in RFC 2253 format. Note that an issuer name alone does not
     * identify a CA uniquely (see the class description); pair it with
     * the serial number or a key identifier when a single certificate is
     * wanted.
     *
     * @param issuerDN a distinguished name in RFC 2253 format
     *        (or <code>null</code>)
     * @throws IOException if a parsing error occurs (incorrect form for DN);
     *         the previous criterion value is left untouched in that case
     */
    public void setIssuer(String issuerDN) throws IOException {
        // The name is parsed before the field is assigned, so a parse
        // failure cannot leave a half-updated criterion behind.
        issuer = (issuerDN == null)
            ? null
            : new X500Name(issuerDN, "RFC2253").asX500Principal();
    }

    /**
     * Sets the issuer criterion: the given distinguished name must match
     * the issuer distinguished name in the <code>X509Certificate</code>.
     * If <code>null</code> is specified, the issuer criterion is disabled
     * and any issuer distinguished name will do.
     * <p>
     * A non-<code>null</code> <code>issuerDN</code> must hold a single DER
     * encoded distinguished name, as defined in X.501. The ASN.1 notation
     * for this structure is as follows.
     * <pre><code>
     * Name ::= CHOICE {
     *   RDNSequence }
     *
     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
     *
     * RelativeDistinguishedName ::=
     *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
     *
     * AttributeTypeAndValue ::= SEQUENCE {
     *   type     AttributeType,
     *   value    AttributeValue }
     *
     * AttributeType ::= OBJECT IDENTIFIER
     *
     * AttributeValue ::= ANY DEFINED BY AttributeType
     * ....
     * DirectoryString ::= CHOICE {
     *       teletexString           TeletexString (SIZE (1..MAX)),
     *       printableString         PrintableString (SIZE (1..MAX)),
     *       universalString         UniversalString (SIZE (1..MAX)),
     *       utf8String              UTF8String (SIZE (1.. MAX)),
     *       bmpString               BMPString (SIZE (1..MAX)) }
     * </code></pre>
     * <p>
     * Note that the byte array specified here is cloned to protect against
     * subsequent modifications.
     *
     * @param issuerDN a byte array containing the distinguished name
     *        in ASN.1 DER encoded form (or <code>null</code>)
     * @throws IOException if an encoding error occurs (incorrect form for DN)
     */
    public void setIssuer(byte [] issuerDN) throws IOException {
        if (issuerDN == null) {
            issuer = null;
            return;
        }
        try {
            issuer = new X500Principal(issuerDN);
        } catch (IllegalArgumentException e) {
            // X500Principal reports malformed DER as IllegalArgumentException;
            // surface it as the IOException this API documents, keeping the cause.
            throw (IOException)new IOException("Invalid name").initCause(e);
        }
    }

    // Called from CertPathHelperImpl; to be made public in a future release.
    void setSubject(X500Principal subject) {
        this.subject = subject;
    }

    /**
     * Sets the subject criterion: the given distinguished name must match
     * the subject distinguished name in the <code>X509Certificate</code>.
     * If <code>null</code>, any subject distinguished name will do.
     * <p>
     * A non-<code>null</code> <code>subjectDN</code> must be a distinguished
     * name in RFC 2253 format.
     *
     * @param subjectDN a distinguished name in RFC 2253 format
     *        (or <code>null</code>)
     * @throws IOException if a parsing error occurs (incorrect form for DN);
     *         the previous criterion value is left untouched in that case
     */
    public void setSubject(String subjectDN) throws IOException {
        subject = (subjectDN == null)
            ? null
            : new X500Name(subjectDN, "RFC2253").asX500Principal();
    }

    /**
     * Sets the subject criterion: the given distinguished name must match
     * the subject distinguished name in the <code>X509Certificate</code>.
     * If <code>null</code>, any subject distinguished name will do.
     * <p>
     * A non-<code>null</code> <code>subjectDN</code> must hold a
     * single DER encoded distinguished name, as defined in X.501.
* For the ASN.1 notation for this structure, see
     * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
     *
     * @param subjectDN a byte array containing the distinguished name in
     *        ASN.1 DER format (or <code>null</code>)
     * @throws IOException if an encoding error occurs (incorrect form for DN)
     */
    public void setSubject(byte [] subjectDN) throws IOException {
        if (subjectDN == null) {
            subject = null;
            return;
        }
        try {
            subject = new X500Principal(subjectDN);
        } catch (IllegalArgumentException e) {
            // Malformed DER is reported by X500Principal as
            // IllegalArgumentException; rethrow as the documented IOException
            // without losing the original cause.
            throw (IOException)new IOException("Invalid name").initCause(e);
        }
    }

    /**
     * Sets the subjectKeyIdentifier criterion. The
     * <code>X509Certificate</code> must contain a SubjectKeyIdentifier
     * extension for which the contents of the extension
     * matches the specified criterion value.
     * If the criterion value is <code>null</code>, no
     * subjectKeyIdentifier check will be done.
     * <p>
     * If <code>subjectKeyID</code> is not <code>null</code>, it
     * should contain a single DER encoded value corresponding to the contents
     * of the extension value (not including the object identifier,
     * criticality setting, and encapsulating OCTET STRING)
     * for a SubjectKeyIdentifier extension.
     * The ASN.1 notation for this structure follows.
     * <p>
     * <pre><code>
     * SubjectKeyIdentifier ::= KeyIdentifier
     *
     * KeyIdentifier ::= OCTET STRING
     * </code></pre>
     * <p>
     * Since the format of subject key identifiers is not mandated by
     * any standard, subject key identifiers are not parsed by the
     * <code>X509CertSelector</code>. Instead, the values are compared using
     * a byte-by-byte comparison.
     * <p>
     * Note that the byte array supplied here is cloned to protect against
     * subsequent modifications.
     *
     * @param subjectKeyID the subject key identifier (or <code>null</code>)