📄 x509certselector.java
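*/
    public void setNameConstraints(byte[] bytes) throws IOException {
        if (bytes == null) {
            // null switches the name constraints criterion off.
            ncBytes = null;
            nc = null;
            return;
        }

        // Take the private copy first and parse a copy, never the caller's
        // array: the caller still holds a reference to 'bytes', so parsing it
        // directly would let the stored encoding and the parsed extension
        // come from different contents if the array changes in between.
        byte[] snapshot = (byte[]) bytes.clone();
        NameConstraintsExtension parsed =
            new NameConstraintsExtension(FALSE, (byte[]) snapshot.clone());

        // Commit both fields only once parsing has succeeded, so a rejected
        // encoding cannot leave ncBytes updated while nc still describes the
        // previous constraints (same all-or-nothing rule as setPolicy and
        // setPathToNames in this class).
        ncBytes = snapshot;
        nc = parsed;
    }

    /**
     * Sets the basic constraints constraint. If the value is greater than or
     * equal to zero, <code>X509Certificates</code> must include a
     * basicConstraints extension with
     * a pathLen of at least this value. If the value is -2, only end-entity
     * certificates are accepted. If the value is -1, no check is done.
     * <p>
     * This constraint is useful when building a certification path forward
     * (from the target toward the trust anchor). If a partial path has been
     * built, any candidate certificate must have a maxPathLen value greater
     * than or equal to the number of certificates in the partial path.
     * <p>
     * This method only records the criterion; it does not inspect any
     * certificate itself.
     *
     * @param minMaxPathLen the value for the basic constraints constraint
     * @throws IllegalArgumentException if the value is less than -2
     * @see #getBasicConstraints
     */
    public void setBasicConstraints(int minMaxPathLen) {
        // -1 (no check) and -2 (end-entity only) are the only negative
        // values with a defined meaning; reject everything below them.
        if (minMaxPathLen < -2) {
            throw new IllegalArgumentException("basic constraints less than -2");
        }
        basicConstraints = minMaxPathLen;
    }

    /**
     * Sets the policy constraint. The <code>X509Certificate</code> must
     * include at least one of the specified policies in its certificate
     * policies extension. If <code>certPolicySet</code> is empty, then the
     * <code>X509Certificate</code> must include at least some specified policy
     * in its certificate policies extension. If <code>certPolicySet</code> is
     * <code>null</code>, no policy check will be performed.
     * <p>
     * Note that the <code>Set</code> is cloned to protect against
     * subsequent modifications.
     *
     * @param certPolicySet a <code>Set</code> of certificate policy OIDs in
     *                      string format (or <code>null</code>). Each OID is
     *                      represented by a set of nonnegative integers
     *                      separated by periods.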
* @throws IOException if a parsing error occurs on the OID such as
     *         the first component is not 0, 1 or 2 or the second component is
     *         greater than 39, or if the set holds an element that is not a
     *         <code>String</code>.
     * @see #getPolicy
     */
    public void setPolicy(Set certPolicySet) throws IOException {
        // null disables the policy criterion altogether.
        if (certPolicySet == null) {
            policySet = null;
            policy = null;
            return;
        }

        // Work on a private read-only snapshot so that later changes to the
        // caller's set cannot alter what was validated here.
        Set snapshot = Collections.unmodifiableSet(new HashSet(certPolicySet));

        // Turn every OID string into a CertificatePolicyId. Any element that
        // is not a String (null included) aborts the call before the
        // selector's fields are touched.
        Vector policyIds = new Vector();
        for (Iterator it = snapshot.iterator(); it.hasNext(); ) {
            Object element = it.next();
            if (!(element instanceof String)) {
                throw new IOException("non String in certPolicySet");
            }
            ObjectIdentifier oid = new ObjectIdentifier((String) element);
            policyIds.add(new CertificatePolicyId(oid));
        }

        // Every element parsed, so the new criterion can be installed.
        policySet = snapshot;
        policy = new CertificatePolicySet(policyIds);
    }

    /**
     * Sets the pathToNames criterion. The <code>X509Certificate</code> must
     * not include name constraints that would prohibit building a
     * path to the specified names.
     * <p>
     * This method allows the caller to specify, with a single method call,
     * the complete set of names which the <code>X509Certificates</code>'s
     * name constraints must permit. The specified value replaces
     * the previous value for the pathToNames criterion.
     * <p>
     * This constraint is useful when building a certification path forward
     * (from the target toward the trust anchor). If a partial path has been
     * built, any candidate certificate must not include name constraints that
     * would prohibit building a path to any of the names in the partial path.
     * <p>
     * The <code>names</code> parameter (if not <code>null</code>) is a
     * <code>Collection</code> with one
     * entry for each name to be included in the pathToNames
     * criterion. Each entry is a <code>List</code> whose first entry is an
     * <code>Integer</code> (the name type, 0-8) and whose second
     * entry is a <code>String</code> or a byte array (the name, in
     * string or ASN.1 DER encoded form, respectively).
* There can be multiple names of the same type. If <code>null</code>
     * is supplied as the value for this argument, no
     * pathToNames check will be performed. An empty
     * <code>Collection</code> is handled the same way as <code>null</code>.
     * <p>
     * Each name in the <code>Collection</code>
     * may be specified either as a <code>String</code> or as an ASN.1 encoded
     * byte array. For more details about the formats used, see
     * {@link #addPathToName(int type, String name)
     * addPathToName(int type, String name)} and
     * {@link #addPathToName(int type, byte [] name)
     * addPathToName(int type, byte [] name)}.
     * <p>
     * Note that the <code>names</code> parameter can contain duplicate
     * names (same name and name type), but they may be removed from the
     * <code>Collection</code> of names returned by the
     * {@link #getPathToNames getPathToNames} method.
     * <p>
     * Note that a deep copy is performed on the <code>Collection</code> to
     * protect against subsequent modifications.
     *
     * @param names a <code>Collection</code> with one entry per name
     *              (or <code>null</code>)
     * @throws IOException if a parsing error occurs
     * @see #getPathToNames
     */
    public void setPathToNames(Collection names) throws IOException {
        boolean criterionDisabled = (names == null) || names.isEmpty();
        if (criterionDisabled) {
            pathToNames = null;
            pathToGeneralNames = null;
            return;
        }

        // Copy and check the caller's collection before anything is stored.
        Set checkedCopy = cloneAndCheckNames(names);

        // parseNames runs before pathToNames is assigned, so a parsing
        // failure leaves both fields at their previous values: either both
        // are replaced or neither is.
        pathToGeneralNames = parseNames(checkedCopy);
        pathToNames = checkedCopy;
    }

    // called from CertPathHelper
    //
    // NOTE(review): unlike setPathToNames, the supplied set is stored by
    // reference, without a copy or any element check, so the caller keeps the
    // ability to change this criterion afterwards - confirm that every caller
    // is trusted code that hands over a set it no longer modifies.
    //
    // NOTE(review): Collections.EMPTY_SET is immutable. addPathToNameInternal
    // only creates fresh sets when pathToGeneralNames is null, so calling
    // addPathToName after this method looks like it would reach add() on the
    // immutable placeholder - confirm that sequence cannot occur.
    void setPathToNamesInternal(Set names) {
        pathToGeneralNames = names;
        // set names to non-null dummy value
        // this breaks getPathToNames()
        pathToNames = Collections.EMPTY_SET;
    }

    /**
     * Adds a name to the pathToNames criterion. The <code>X509Certificate</code>
     * must not include name constraints that would prohibit building a
     * path to the specified name.
     * <p>
     * This method allows the caller to add a name to the set of names which
     * the <code>X509Certificates</code>'s name constraints must permit.
     * The specified name is added to any previous value for the
     * pathToNames criterion.
* If the name is a duplicate, it may be ignored.
     * <p>
     * The name is provided in string format. RFC 822, DNS, and URI names
     * use the well-established string formats for those types (subject to
     * the restrictions included in RFC 2459). IPv4 address names are
     * supplied using dotted quad notation. OID address names are represented
     * as a series of nonnegative integers separated by periods. And
     * directory names (distinguished names) are supplied in RFC 2253 format.
     * No standard string format is defined for otherNames, X.400 names,
     * EDI party names, IPv6 address names, or any other type of names. They
     * should be specified using the
     * {@link #addPathToName(int type, byte [] name)
     * addPathToName(int type, byte [] name)} method.
     * <p>
     * Note for readers: RFC 2459 has since been obsoleted (by RFC 3280 and
     * then RFC 5280) and RFC 2253 by RFC 4514. Which revision's rules the
     * parsing code actually applies is not visible from this method and
     * should be confirmed before relying on a specific name syntax.
     *
     * @param type the name type (0-8, as specified in
     *             RFC 2459, section 4.2.1.7)
     * @param name the name in string form
     * @throws IOException if a parsing error occurs
     */
    public void addPathToName(int type, String name) throws IOException {
        // Strings are immutable, so the value is handed over as is; the
        // internal method parses it before storing anything.
        addPathToNameInternal(type, name);
    }

    /**
     * Adds a name to the pathToNames criterion. The <code>X509Certificate</code>
     * must not include name constraints that would prohibit building a
     * path to the specified name.
     * <p>
     * This method allows the caller to add a name to the set of names which
     * the <code>X509Certificates</code>'s name constraints must permit.
     * The specified name is added to any previous value for the
     * pathToNames criterion. If the name is a duplicate, it may be ignored.
     * <p>
     * The name is provided as a byte array. This byte array should contain
     * the DER encoded name, as it would appear in the GeneralName structure
     * defined in RFC 2459 and X.509. The ASN.1 definition of this structure
     * appears in the documentation for
     * {@link #addSubjectAlternativeName(int type, byte [] name)
     * addSubjectAlternativeName(int type, byte [] name)}.
     * <p>
     * Note that the byte array supplied here is cloned to protect against
     * subsequent modifications.
*
     * @param type the name type (0-8, as specified in
     *             RFC 2459, section 4.2.1.7)
     * @param name a byte array containing the name in ASN.1 DER encoded form
     * @throws IOException if a parsing error occurs
     * @throws NullPointerException if <code>name</code> is <code>null</code>
     *         (the array is cloned before anything else happens)
     */
    public void addPathToName(int type, byte [] name) throws IOException {
        // Byte arrays are mutable: store a private copy so the caller cannot
        // change the criterion after it has been parsed.
        Object privateCopy = name.clone();
        addPathToNameInternal(type, privateCopy);
    }

    /**
     * A private method that adds a name (String or byte array) to the
     * pathToNames criterion, i.e. to the set of names that a matching
     * <code>X509Certificate</code>'s name constraints must not prohibit.
     * <p>
     * The name is parsed before any field is modified, so a name that fails
     * to parse leaves the criterion as it was.
     *
     * @param type the name type (0-8, as specified in
     *             RFC 2459, section 4.2.1.7)
     * @param name the name in string or byte array form
     * @throws IOException if an encoding error occurs (incorrect form for DN)
     */
    private void addPathToNameInternal(int type, Object name)
            throws IOException {
        // Parse first; nothing below runs for a name that does not parse.
        GeneralNameInterface parsedName = makeGeneralNameInterface(type, name);

        // The two sets are created together so they stay in step.
        if (pathToGeneralNames == null) {
            pathToGeneralNames = new HashSet();
            pathToNames = new HashSet();
        }

        // Raw form kept for the caller-visible view: [type, name].
        ArrayList typeAndName = new ArrayList(2);
        typeAndName.add(new Integer(type));
        typeAndName.add(name);

        // NOTE(review): setPathToNamesInternal leaves pathToNames set to the
        // immutable Collections.EMPTY_SET while pathToGeneralNames is
        // non-null, in which case this add() would be attempted on that
        // placeholder - confirm the two are never combined.
        pathToNames.add(typeAndName);
        pathToGeneralNames.add(parsedName);
    }

    /**
     * Returns the certificateEquals criterion. The specified
     * <code>X509Certificate</code> must be equal to the
     * <code>X509Certificate</code> passed to the <code>match</code> method.
     * If <code>null</code>, this check is not applied.
     *
     * @return the <code>X509Certificate</code> to match (or <code>null</code>)
     * @see #setCertificate
     */
    public X509Certificate getCertificate() {
        // The stored reference is returned directly, without a copy.
        return x509Cert;
    }

    /**
     * Returns the serialNumber criterion. The specified serial number
     * must match the certificate serial number in the
     * <code>X509Certificate</code>. If <code>null</code>, any certificate
     * serial number will do.
*
     * @return the certificate serial number to match
     *         (or <code>null</code>)
     * @see #setSerialNumber
     */
    public BigInteger getSerialNumber() {
        return serialNumber;
    }

    // called from CertPathHelperImpl, to be made public in a future release
    X500Principal getIssuer() {
        return issuer;
    }

    /**
     * Returns the issuer criterion as a <code>String</code>. This
     * distinguished name must match the issuer distinguished name in the
     * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion
     * is disabled and any issuer distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is a
     * distinguished name, in RFC 2253 format.
     *
     * @return the required issuer distinguished name in RFC 2253 format
     *         (or <code>null</code>)
     */
    public String getIssuerAsString() {
        // No issuer set means the criterion is disabled.
        if (issuer == null) {
            return null;
        }
        return issuer.getName();
    }

    /**
     * Returns the issuer criterion as a byte array. This distinguished name
     * must match the issuer distinguished name in the
     * <code>X509Certificate</code>. If <code>null</code>, the issuer criterion
     * is disabled and any issuer distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is a byte
     * array containing a single DER encoded distinguished name, as defined in
     * X.501. The ASN.1 notation for this structure is supplied in the
     * documentation for
     * {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
     * <p>
     * Note that the byte array returned is cloned to protect against
     * subsequent modifications.
     *
     * @return a byte array containing the required issuer distinguished name
     *         in ASN.1 DER format (or <code>null</code>)
     * @throws IOException if an encoding error occurs
     */
    public byte[] getIssuerAsBytes() throws IOException {
        if (issuer == null) {
            return null;
        }
        // No clone is made here: the "cloned" promise in the documentation
        // relies on getEncoded() handing out a fresh array - TODO confirm.
        return issuer.getEncoded();
    }

    // called from CertPathHelperImpl, to be made public in a future release
    X500Principal getSubject() {
        return subject;
    }

    /**
     * Returns the subject criterion as a <code>String</code>.
* This distinguished name must match the subject distinguished name in the
     * <code>X509Certificate</code>. If <code>null</code>, the subject criterion
     * is disabled and any subject distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is a
     * distinguished name, in RFC 2253 format.
     *
     * @return the required subject distinguished name in RFC 2253 format
     *         (or <code>null</code>)
     */
    public String getSubjectAsString() {
        // No subject set means the criterion is disabled.
        if (subject == null) {
            return null;
        }
        return subject.getName();
    }

    /**
     * Returns the subject criterion as a byte array. This distinguished name
     * must match the subject distinguished name in the