/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package java.security.cert; import java.io.IOException; import java.security.PublicKey; import javax.security.auth.x500.X500Principal; import org.apache.harmony.security.utils.Array; import org.apache.harmony.security.x509.NameConstraints; /** * This class represents a trust anchor for validation of X.509 certification * path. *
* It is a trusted certificate authority (CA) and includes the public key * of the CA, the CA's name and the constraints for the validation of * certification paths. The constructor also allows to specify a binary * representation of a so called "Name Constraints" extension as a byte array. */ public class TrustAnchor { // Most trusted CA as a X500Principal private final X500Principal caPrincipal; // Most trusted CA name private final String caName; // Most trusted CA public key private final PublicKey caPublicKey; // Most trusted CA certificate private final X509Certificate trustedCert; // Name constraints extension private final byte[] nameConstraints; /** * Creates a new {@code TrustAnchor} with the specified certificate and name * constraints. *
* The name constraints will be used as additional constraints during the * validation of certification paths. * * @param trustedCert * the trusted certificate * @param nameConstraints * the ASN.1 DER encoded form of the name constraints or {@code * null} if none. * @throws IllegalArgumentException * if the decoding of the name constraints fail. */ public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) { if (trustedCert == null) { throw new NullPointerException("trustedCert == null"); } this.trustedCert = trustedCert; // copy nameConstraints if not null if (nameConstraints != null) { this.nameConstraints = new byte[nameConstraints.length]; System.arraycopy(nameConstraints, 0, this.nameConstraints, 0, this.nameConstraints.length); processNameConstraints(); } else { this.nameConstraints = null; } this.caName = null; this.caPrincipal = null; this.caPublicKey = null; } /** * Creates a new {@code TrustAnchor} with the specified certificate * authority name, its public key and the specified name constraints. *
* The name constraints will be used as additional constraints during the * validation of certification paths. * * @param caName * the X.500 name of the certificate authority in RFC 2253 * {@code String} format. * @param caPublicKey * the public key of the certificate authority * @param nameConstraints * the ASN.1 DER encoded form of the name constraints or {@code * null} if none. * @throws IllegalArgumentException * if the {@code caName} is empty or if decoding of the name * constraints fail. */ public TrustAnchor(String caName, PublicKey caPublicKey, byte[] nameConstraints) { if (caName == null) { throw new NullPointerException("caName == null"); } this.caName = caName; if (caPublicKey == null) { throw new NullPointerException("caPublicKey == null"); } this.caPublicKey = caPublicKey; // copy nameConstraints if not null if (nameConstraints != null) { this.nameConstraints = new byte[nameConstraints.length]; System.arraycopy(nameConstraints, 0, this.nameConstraints, 0, this.nameConstraints.length); processNameConstraints(); } else { this.nameConstraints = null; } this.trustedCert = null; // X500Principal checks caName validity if (caName.isEmpty()) { throw new IllegalArgumentException("caName.isEmpty()"); } this.caPrincipal = new X500Principal(this.caName); } /** * Creates a new {@code TrustAnchor} with the specified certificate * authority name as principal, its public key and the specified name * constraints. *
* The name constraints will be used as additional constraints during the * validation of certification paths. * * @param caPrincipal * the name of the certificate authority as X500 principal. * @param caPublicKey * the public key of the certificate authority. * @param nameConstraints * the ASN.1 DER encoded form of the name constraints or {@code * null} if none. * @throws IllegalArgumentException * if decoding of the name constraints fail. */ public TrustAnchor(X500Principal caPrincipal, PublicKey caPublicKey, byte[] nameConstraints) { if (caPrincipal == null) { throw new NullPointerException("caPrincipal == null"); } this.caPrincipal = caPrincipal; if (caPublicKey == null) { throw new NullPointerException("caPublicKey == null"); } this.caPublicKey = caPublicKey; // copy nameConstraints if not null if (nameConstraints != null) { this.nameConstraints = new byte[nameConstraints.length]; System.arraycopy(nameConstraints, 0, this.nameConstraints, 0, this.nameConstraints.length); processNameConstraints(); } else { this.nameConstraints = null; } this.trustedCert = null; this.caName = caPrincipal.getName(); } /** * Returns a copy of the name constraints in ASN.1 DER encoded form. * * @return a copy of the name constraints in ASN.1 DER encoded form. */ public final byte[] getNameConstraints() { if (nameConstraints == null) { return null; } byte[] ret = new byte[nameConstraints.length]; System.arraycopy(nameConstraints, 0, ret, 0, nameConstraints.length); return ret; } /** * Returns the certificate of this trusted certificate authority. * * @return the certificate of this CA or {@code null}, if the trust anchor * of this instance was not created with a certificate. */ public final X509Certificate getTrustedCert() { return trustedCert; } /** * Returns the name of the certificate authority as {@code X500Principal}. * * @return the name of the certificate authority or {@code null} if the * trust anchor of this instance was not created with a {@code * X500Principal}. */ public final X500Principal getCA() { return caPrincipal; } /** * Returns the name of the certificate authority as {@code String} in RFC * 2253 format. * * @return the name of the certificate authority as {@code String} in RFC * 2253 format or {@code null} if the trust anchor of this instance * was not created with a CA name. */ public final String getCAName() { return caName; } /** * Returns the public key of the certificate authority. * * @return the public key of the certificate authority or {@code null} if * the trust anchor if this instance was not created with a public * key. */ public final PublicKey getCAPublicKey() { return caPublicKey; } /** * Returns a string representation of this {@code TrustAnchor} instance. * * @return a string representation of this {@code TrustAnchor} instance. */ public String toString() { StringBuilder sb = new StringBuilder("TrustAnchor: [\n"); if (trustedCert != null) { sb.append("Trusted CA certificate: "); sb.append(trustedCert); sb.append("\n"); } if (caPrincipal != null) { sb.append("Trusted CA Name: "); sb.append(caPrincipal); sb.append("\n"); } if (caPublicKey != null) { sb.append("Trusted CA Public Key: "); sb.append(caPublicKey); sb.append("\n"); } // FIXME if needed: if (nameConstraints != null) { sb.append("Name Constraints:\n"); sb.append(Array.toString(nameConstraints, " ")); } sb.append("\n]"); return sb.toString(); } // // Private stuff // // Decodes and checks NameConstraints structure. // Throws IllegalArgumentException if NameConstraints // encoding is invalid. private void processNameConstraints() { try { // decode and check nameConstraints NameConstraints.ASN1.decode(nameConstraints); } catch (IOException e) { throw new IllegalArgumentException(e.getMessage()); } } }