/* * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.security.cert; import java.io.IOException; import java.security.PublicKey; import javax.security.auth.x500.X500Principal; import sun.security.x509.NameConstraintsExtension; import sun.security.x509.X500Name; /** * A trust anchor or most-trusted Certification Authority (CA). *

* This class represents a "most-trusted CA", which is used as a trust anchor * for validating X.509 certification paths. A most-trusted CA includes the * public key of the CA, the CA's name, and any constraints upon the set of * paths which may be validated using this key. These parameters can be * specified in the form of a trusted {@code X509Certificate} or as * individual parameters. *

* Concurrent Access *

All {@code TrustAnchor} objects must be immutable and * thread-safe. That is, multiple threads may concurrently invoke the * methods defined in this class on a single {@code TrustAnchor} * object (or more than one) with no ill effects. Requiring * {@code TrustAnchor} objects to be immutable and thread-safe * allows them to be passed around to various pieces of code without * worrying about coordinating access. This stipulation applies to all * public fields and methods of this class and any added or overridden * by subclasses. * * @see PKIXParameters#PKIXParameters(Set) * @see PKIXBuilderParameters#PKIXBuilderParameters(Set, CertSelector) * * @since 1.4 * @author Sean Mullan */ public class TrustAnchor { private final PublicKey pubKey; private final String caName; private final X500Principal caPrincipal; private final X509Certificate trustedCert; private byte[] ncBytes; private NameConstraintsExtension nc; /** * Creates an instance of {@code TrustAnchor} with the specified * {@code X509Certificate} and optional name constraints, which * are intended to be used as additional constraints when validating * an X.509 certification path. *

* The name constraints are specified as a byte array. This byte array * should contain the DER encoded form of the name constraints, as they * would appear in the NameConstraints structure defined in * RFC 3280 * and X.509. The ASN.1 definition of this structure appears below. * *

{@code
     *  NameConstraints ::= SEQUENCE {
     *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
     *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
     *
     *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
     *
     *  GeneralSubtree ::= SEQUENCE {
     *       base                    GeneralName,
     *       minimum         [0]     BaseDistance DEFAULT 0,
     *       maximum         [1]     BaseDistance OPTIONAL }
     *
     *  BaseDistance ::= INTEGER (0..MAX)
     *
     *  GeneralName ::= CHOICE {
     *       otherName                       [0]     OtherName,
     *       rfc822Name                      [1]     IA5String,
     *       dNSName                         [2]     IA5String,
     *       x400Address                     [3]     ORAddress,
     *       directoryName                   [4]     Name,
     *       ediPartyName                    [5]     EDIPartyName,
     *       uniformResourceIdentifier       [6]     IA5String,
     *       iPAddress                       [7]     OCTET STRING,
     *       registeredID                    [8]     OBJECT IDENTIFIER}
     * }
*

* Note that the name constraints byte array supplied is cloned to protect * against subsequent modifications. * * @param trustedCert a trusted {@code X509Certificate} * @param nameConstraints a byte array containing the ASN.1 DER encoding of * a NameConstraints extension to be used for checking name constraints. * Only the value of the extension is included, not the OID or criticality * flag. Specify {@code null} to omit the parameter. * @throws IllegalArgumentException if the name constraints cannot be * decoded * @throws NullPointerException if the specified * {@code X509Certificate} is {@code null} */ public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) { if (trustedCert == null) throw new NullPointerException("the trustedCert parameter must " + "be non-null"); this.trustedCert = trustedCert; this.pubKey = null; this.caName = null; this.caPrincipal = null; setNameConstraints(nameConstraints); } /** * Creates an instance of {@code TrustAnchor} where the * most-trusted CA is specified as an X500Principal and public key. * Name constraints are an optional parameter, and are intended to be used * as additional constraints when validating an X.509 certification path. *

* The name constraints are specified as a byte array. This byte array * contains the DER encoded form of the name constraints, as they * would appear in the NameConstraints structure defined in RFC 3280 * and X.509. The ASN.1 notation for this structure is supplied in the * documentation for * {@link #TrustAnchor(X509Certificate, byte[]) * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. *

* Note that the name constraints byte array supplied here is cloned to * protect against subsequent modifications. * * @param caPrincipal the name of the most-trusted CA as X500Principal * @param pubKey the public key of the most-trusted CA * @param nameConstraints a byte array containing the ASN.1 DER encoding of * a NameConstraints extension to be used for checking name constraints. * Only the value of the extension is included, not the OID or criticality * flag. Specify {@code null} to omit the parameter. * @throws NullPointerException if the specified {@code caPrincipal} or * {@code pubKey} parameter is {@code null} * @since 1.5 */ public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints) { if ((caPrincipal == null) || (pubKey == null)) { throw new NullPointerException(); } this.trustedCert = null; this.caPrincipal = caPrincipal; this.caName = caPrincipal.getName(); this.pubKey = pubKey; setNameConstraints(nameConstraints); } /** * Creates an instance of {@code TrustAnchor} where the * most-trusted CA is specified as a distinguished name and public key. * Name constraints are an optional parameter, and are intended to be used * as additional constraints when validating an X.509 certification path. *

* The name constraints are specified as a byte array. This byte array * contains the DER encoded form of the name constraints, as they * would appear in the NameConstraints structure defined in RFC 3280 * and X.509. The ASN.1 notation for this structure is supplied in the * documentation for * {@link #TrustAnchor(X509Certificate, byte[]) * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. *

* Note that the name constraints byte array supplied here is cloned to * protect against subsequent modifications. * * @param caName the X.500 distinguished name of the most-trusted CA in * RFC 2253 * {@code String} format * @param pubKey the public key of the most-trusted CA * @param nameConstraints a byte array containing the ASN.1 DER encoding of * a NameConstraints extension to be used for checking name constraints. * Only the value of the extension is included, not the OID or criticality * flag. Specify {@code null} to omit the parameter. * @throws IllegalArgumentException if the specified * {@code caName} parameter is empty {@code (caName.length() == 0)} * or incorrectly formatted or the name constraints cannot be decoded * @throws NullPointerException if the specified {@code caName} or * {@code pubKey} parameter is {@code null} */ public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints) { if (pubKey == null) throw new NullPointerException("the pubKey parameter must be " + "non-null"); if (caName == null) throw new NullPointerException("the caName parameter must be " + "non-null"); if (caName.length() == 0) throw new IllegalArgumentException("the caName " + "parameter must be a non-empty String"); // check if caName is formatted correctly this.caPrincipal = new X500Principal(caName); this.pubKey = pubKey; this.caName = caName; this.trustedCert = null; setNameConstraints(nameConstraints); } /** * Returns the most-trusted CA certificate. * * @return a trusted {@code X509Certificate} or {@code null} * if the trust anchor was not specified as a trusted certificate */ public final X509Certificate getTrustedCert() { return this.trustedCert; } /** * Returns the name of the most-trusted CA as an X500Principal. * * @return the X.500 distinguished name of the most-trusted CA, or * {@code null} if the trust anchor was not specified as a trusted * public key and name or X500Principal pair * @since 1.5 */ public final X500Principal getCA() { return this.caPrincipal; } /** * Returns the name of the most-trusted CA in RFC 2253 {@code String} * format. * * @return the X.500 distinguished name of the most-trusted CA, or * {@code null} if the trust anchor was not specified as a trusted * public key and name or X500Principal pair */ public final String getCAName() { return this.caName; } /** * Returns the public key of the most-trusted CA. * * @return the public key of the most-trusted CA, or {@code null} * if the trust anchor was not specified as a trusted public key and name * or X500Principal pair */ public final PublicKey getCAPublicKey() { return this.pubKey; } /** * Decode the name constraints and clone them if not null. */ private void setNameConstraints(byte[] bytes) { if (bytes == null) { ncBytes = null; nc = null; } else { ncBytes = bytes.clone(); // validate DER encoding try { nc = new NameConstraintsExtension(Boolean.FALSE, bytes); } catch (IOException ioe) { IllegalArgumentException iae = new IllegalArgumentException(ioe.getMessage()); iae.initCause(ioe); throw iae; } } } /** * Returns the name constraints parameter. The specified name constraints * are associated with this trust anchor and are intended to be used * as additional constraints when validating an X.509 certification path. *

* The name constraints are returned as a byte array. This byte array * contains the DER encoded form of the name constraints, as they * would appear in the NameConstraints structure defined in RFC 3280 * and X.509. The ASN.1 notation for this structure is supplied in the * documentation for * {@link #TrustAnchor(X509Certificate, byte[]) * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. *

* Note that the byte array returned is cloned to protect against * subsequent modifications. * * @return a byte array containing the ASN.1 DER encoding of * a NameConstraints extension used for checking name constraints, * or {@code null} if not set. */ public final byte [] getNameConstraints() { return ncBytes == null ? null : ncBytes.clone(); } /** * Returns a formatted string describing the {@code TrustAnchor}. * * @return a formatted string describing the {@code TrustAnchor} */ public String toString() { StringBuffer sb = new StringBuffer(); sb.append("[\n"); if (pubKey != null) { sb.append(" Trusted CA Public Key: " + pubKey.toString() + "\n"); sb.append(" Trusted CA Issuer Name: " + String.valueOf(caName) + "\n"); } else { sb.append(" Trusted CA cert: " + trustedCert.toString() + "\n"); } if (nc != null) sb.append(" Name Constraints: " + nc.toString() + "\n"); return sb.toString(); } }