* <code>X509Certificate</code>. If <code>null</code>, the subject criterion
     * is disabled and any subject distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is a byte
     * array containing a single DER encoded distinguished name, as defined in
     * X.501. The ASN.1 notation for this structure is supplied in the
     * documentation for
     * {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
     * <p>
     * Note that the byte array returned is cloned to protect against
     * subsequent modifications.
     *
     * @return a byte array containing the required subject distinguished name
     *         in ASN.1 DER format (or <code>null</code>)
     * @throws IOException if an encoding error occurs
     */
    public byte[] getSubjectAsBytes() throws IOException {
        if (subject == null) {
            return null;
        }
        // NOTE(review): the "cloned" promise above rests on getEncoded()
        // returning a fresh array on every call. The declared type of the
        // subject field is not visible in this excerpt, so confirm that
        // before relying on the returned array being private to the caller.
        return subject.getEncoded();
    }

    /**
     * Returns the subjectKeyIdentifier criterion: when non-<code>null</code>,
     * a matching <code>X509Certificate</code> must carry a
     * SubjectKeyIdentifier extension with exactly this value. A
     * <code>null</code> result means the check is disabled.
     * <p>
     * A copy of the internal array is returned, so a caller cannot alter the
     * criterion behind the selector's back.
     *
     * @return a copy of the key identifier (or <code>null</code>)
     * @see #setSubjectKeyIdentifier
     */
    public byte[] getSubjectKeyIdentifier() {
        return subjectKeyID == null ? null : (byte[]) subjectKeyID.clone();
    }

    /**
     * Returns the authorityKeyIdentifier criterion: when non-<code>null</code>,
     * a matching <code>X509Certificate</code> must carry an
     * AuthorityKeyIdentifier extension with exactly this value. A
     * <code>null</code> result means the check is disabled.
     * <p>
     * A copy of the internal array is returned, so a caller cannot alter the
     * criterion behind the selector's back.
     *
     * @return a copy of the key identifier (or <code>null</code>)
     * @see #setAuthorityKeyIdentifier
     */
    public byte[] getAuthorityKeyIdentifier() {
        return authorityKeyID == null ? null : (byte[]) authorityKeyID.clone();
    }

    /**
     * Returns the certificateValid criterion.
The specified date must fall
     * within the certificate validity period for the
     * <code>X509Certificate</code>. If <code>null</code>, no certificateValid
     * check will be done.
     * <p>
     * Note that the <code>Date</code> returned is cloned to protect against
     * subsequent modifications.
     *
     * @return the <code>Date</code> to check (or <code>null</code>)
     * @see #setCertificateValid
     */
    public Date getCertificateValid() {
        // Date is mutable: handing out the stored instance would let a caller
        // move the point in time at which the validity check is evaluated.
        return certificateValid == null ? null : (Date) certificateValid.clone();
    }

    /**
     * Returns the privateKeyValid criterion: when non-<code>null</code>, this
     * instant must fall within the private key validity period of a matching
     * <code>X509Certificate</code>. A <code>null</code> result means the
     * check is disabled.
     * <p>
     * A copy of the stored <code>Date</code> is returned, so a caller cannot
     * alter the criterion afterwards.
     *
     * @return a copy of the <code>Date</code> to check (or <code>null</code>)
     * @see #setPrivateKeyValid
     */
    public Date getPrivateKeyValid() {
        return privateKeyValid == null ? null : (Date) privateKeyValid.clone();
    }

    /**
     * Returns the subjectPublicKeyAlgID criterion: when non-<code>null</code>,
     * a matching <code>X509Certificate</code> must carry a subject public key
     * whose algorithm has this object identifier. A <code>null</code> result
     * means the check is disabled.
     *
     * @return the object identifier (OID) of the subject public key algorithm
     *         to check for (or <code>null</code>). An OID is represented by a
     *         set of nonnegative integers separated by periods.
     * @see #setSubjectPublicKeyAlgID
     */
    public String getSubjectPublicKeyAlgID() {
        // Only the string form of the stored OID object is handed out; the
        // object itself is never exposed to callers.
        return subjectPublicKeyAlgID == null ? null : subjectPublicKeyAlgID.toString();
    }

    /**
     * Returns the subjectPublicKey criterion. The
     * <code>X509Certificate</code> must contain the specified subject
     * public key. If <code>null</code>, no subjectPublicKey check will be done.
*
     * @return the subject public key to check for (or <code>null</code>)
     * @see #setSubjectPublicKey
     */
    public PublicKey getSubjectPublicKey() {
        // NOTE(review): returned without a defensive copy. That is only safe
        // while every PublicKey stored by the setter is immutable; the setter
        // is outside this excerpt, so confirm before relying on it.
        return subjectPublicKey;
    }

    /**
     * Returns the keyUsage criterion: when non-<code>null</code>, a matching
     * <code>X509Certificate</code> must allow the key usage values flagged in
     * this array. A <code>null</code> result means the check is disabled.
     * <p>
     * A copy of the internal array is returned, so a caller cannot alter the
     * criterion afterwards.
     *
     * @return a boolean array laid out like the one returned by
     *         {@link X509Certificate#getKeyUsage() X509Certificate.getKeyUsage()},
     *         or <code>null</code>
     * @see #setKeyUsage
     */
    public boolean[] getKeyUsage() {
        return keyUsage == null ? null : (boolean[]) keyUsage.clone();
    }

    /**
     * Returns the extendedKeyUsage criterion: a matching
     * <code>X509Certificate</code> must allow each listed key purpose in its
     * extended key usage extension. An empty or <code>null</code> result
     * means the check is disabled. Note that an <code>X509Certificate</code>
     * without an extendedKeyUsage extension implicitly allows every key
     * purpose.
     *
     * @return an immutable <code>Set</code> of key purpose OIDs in string
     *         format (or <code>null</code>)
     * @see #setExtendedKeyUsage
     */
    public Set getExtendedKeyUsage() {
        // NOTE(review): the stored Set is returned directly, so the
        // immutability promised above depends entirely on the setter having
        // stored an unmodifiable Set; the setter is not part of this excerpt.
        return keyPurposeSet;
    }

    /**
     * Indicates if the <code>X509Certificate</code> must contain all
     * or at least one of the subjectAlternativeNames
     * specified in the {@link #setSubjectAlternativeNames
     * setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
     * addSubjectAlternativeName} methods. If <code>true</code>,
     * the <code>X509Certificate</code> must contain all of the
     * specified subject alternative names. If <code>false</code>, the
     * <code>X509Certificate</code> must contain at least one of the
     * specified subject alternative names.
     *
     * @return <code>true</code> if the flag is enabled;
     *         <code>false</code> if the flag is disabled. The flag is
     *         <code>true</code> by default.
* @see #setMatchAllSubjectAltNames
     */
    public boolean getMatchAllSubjectAltNames() {
        return matchAllSubjectAltNames;
    }

    /**
     * Returns a copy of the subjectAlternativeNames criterion. A matching
     * <code>X509Certificate</code> must contain all, or at least one, of the
     * listed names depending on the matchAllNames flag (see
     * {@link #getMatchAllSubjectAltNames getMatchAllSubjectAltNames}).
     * A <code>null</code> result means the check is disabled.
     * <p>
     * Otherwise the result is a <code>Collection</code> with one entry per
     * name. Each entry is a <code>List</code> whose first element is an
     * <code>Integer</code> (the name type, 0-8) and whose second element is
     * either a <code>String</code> or a byte array (the name in string or
     * ASN.1 DER encoded form, respectively). Several entries may share a
     * type, and the <code>Collection</code> may hold duplicate names (same
     * name and name type).
     * <p>
     * The formats of both name representations are described in
     * {@link #addSubjectAlternativeName(int type, String name)
     * addSubjectAlternativeName(int type, String name)} and
     * {@link #addSubjectAlternativeName(int type, byte [] name)
     * addSubjectAlternativeName(int type, byte [] name)}.
     * <p>
     * The result is a deep copy (the inner <code>List</code>s and any byte
     * arrays are copied as well), so a caller cannot alter the criterion
     * afterwards.
     *
     * @return a <code>Collection</code> of names (or <code>null</code>)
     * @see #setSubjectAlternativeNames
     */
    public Collection getSubjectAlternativeNames() {
        if (subjectAlternativeNames == null) {
            return null;
        }
        // cloneNames performs the deep copy. It is documented for input that
        // has already been checked, which is what the stored criterion is
        // expected to be, so no IOException is anticipated here.
        return cloneNames(subjectAlternativeNames);
    }

    /**
     * Clone an object of the form passed to
     * setSubjectAlternativeNames and setPathToNames.
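* Throw a <code>RuntimeException</code> if the argument is malformed.
     * <p>
     * This method wraps cloneAndCheckNames, changing any
     * <code>IOException</code> into a <code>RuntimeException</code> that
     * carries the original exception as its cause. This
     * method should be used when the object being
     * cloned has already been checked, so there should never be any exceptions.
     *
     * @param names a <code>Collection</code> with one entry per name.
     *              Each entry is a <code>List</code> whose first entry
     *              is an Integer (the name type, 0-8) and whose second
     *              entry is a String or a byte array (the name, in
     *              string or ASN.1 DER encoded form, respectively).
     *              There can be multiple names of the same type. Null
     *              is not an acceptable value.
     * @return a deep copy of the specified <code>Collection</code>
     * @throws RuntimeException if a parsing error occurs
     */
    private static Set cloneNames(Collection names) {
        try {
            return cloneAndCheckNames(names);
        } catch (IOException e) {
            // Pass e along as the cause so the original stack trace survives
            // the unchecked re-throw instead of being reduced to its message.
            // The message text itself is kept unchanged.
            throw new RuntimeException("cloneNames encountered IOException: "
                + e.getMessage(), e);
        }
    }

    /**
     * Clone and check an argument of the form passed to
     * setSubjectAlternativeNames and setPathToNames.
     * Throw an <code>IOException</code> if the argument is malformed.
     *
     * @param names a <code>Collection</code> with one entry per name.
     *              Each entry is a <code>List</code> whose first entry
     *              is an Integer (the name type, 0-8) and whose second
     *              entry is a String or a byte array (the name, in
     *              string or ASN.1 DER encoded form, respectively).
     *              There can be multiple names of the same type.
     *              <code>null</code> is not an acceptable value.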
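* @return a deep copy of the specified <code>Collection</code>
     * @throws IOException if a parsing error occurs
     */
    private static Set cloneAndCheckNames(Collection names)
            throws IOException {
        // Pass 1: shallow-copy every entry so the caller's own Lists are never
        // touched, rejecting anything that is not a List up front. Collecting
        // into a HashSet here also collapses exact duplicates (same type and
        // the very same name object), as before.
        Set shallowCopies = new HashSet();
        Iterator i = names.iterator();
        while (i.hasNext()) {
            Object o = i.next();
            if (!(o instanceof List)) {
                throw new IOException("expected a List");
            }
            shallowCopies.add(new ArrayList((List) o));
        }

        // Pass 2: validate each entry and build a fresh List for the result,
        // cloning any byte[] name. The result Lists are only added to the
        // output set once they are final. Calling set(1, clone) on a List
        // that is already inside a HashSet (as this code used to do) changes
        // its hashCode after insertion -- a byte[] hashes by identity -- and
        // leaves the set unable to locate its own elements.
        Set namesCopy = new HashSet();
        i = shallowCopies.iterator();
        while (i.hasNext()) {
            List nameList = (List) i.next();
            if (nameList.size() != 2) {
                throw new IOException("name list size not 2");
            }
            Object o = nameList.get(0);
            if (!(o instanceof Integer)) {
                throw new IOException("expected an Integer");
            }
            int nameType = ((Integer) o).intValue();
            if ((nameType < 0) || (nameType > 8)) {
                throw new IOException("name type not 0-8");
            }
            Object nameObject = nameList.get(1);
            if (!(nameObject instanceof byte[]) &&
                !(nameObject instanceof String)) {
                if (debug != null) {
                    debug.println("X509CertSelector.cloneAndCheckNames() "
                        + "name not byte array");
                }
                throw new IOException("name not byte array or String");
            }
            List checked = new ArrayList(2);
            checked.add(o);
            if (nameObject instanceof byte[]) {
                // Defensive copy: the caller must not be able to alter a
                // DER-encoded name after it has been validated here.
                checked.add(((byte[]) nameObject).clone());
            } else {
                checked.add(nameObject);
            }
            namesCopy.add(checked);
        }
        return namesCopy;
    }

    /**
     * Returns the name constraints criterion. The <code>X509Certificate</code>
     * must have subject and subject alternative names that
     * meet the specified name constraints.
     * <p>
     * The name constraints are returned as a byte array. This byte array
     * contains the DER encoded form of the name constraints, as they
     * would appear in the NameConstraints structure defined in RFC 2459
     * and X.509. The ASN.1 notation for this structure is supplied in the
     * documentation for
     * {@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}.
     * <p>
     * Note that the byte array returned is cloned to protect again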