| Methods Summary |
|---|
| public void | addPathToName(int type, java.lang.String name)Adds a name to the pathToNames criterion. The X509Certificate
must not include name constraints that would prohibit building a
path to the specified name.
This method allows the caller to add a name to the set of names which
the X509Certificates's name constraints must permit.
The specified name is added to any previous value for the
pathToNames criterion. If the name is a duplicate, it may be ignored.
The name is provided in string format. RFC 822, DNS, and URI names
use the well-established string formats for those types (subject to
the restrictions included in RFC 2459). IPv4 address names are
supplied using dotted quad notation. OID address names are represented
as a series of nonnegative integers separated by periods. And
directory names (distinguished names) are supplied in RFC 2253 format.
No standard string format is defined for otherNames, X.400 names,
EDI party names, IPv6 address names, or any other type of names. They
should be specified using the
{@link #addPathToName(int type, byte [] name)
addPathToName(int type, byte [] name)} method.
Note: for distinguished names, use
{@linkplain #addPathToName(int, byte[])} instead.
This method should not be relied on as it can fail to match some
certificates because of a loss of encoding information in the RFC 2253
String form of some distinguished names.
addPathToNameInternal(type, name);
|
| public void | addPathToName(int type, byte[] name)Adds a name to the pathToNames criterion. The X509Certificate
must not include name constraints that would prohibit building a
path to the specified name.
This method allows the caller to add a name to the set of names which
the X509Certificates's name constraints must permit.
The specified name is added to any previous value for the
pathToNames criterion. If the name is a duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain
the DER encoded name, as it would appear in the GeneralName structure
defined in RFC 2459 and X.509. The ASN.1 definition of this structure
appears in the documentation for
{@link #addSubjectAlternativeName(int type, byte [] name)
addSubjectAlternativeName(int type, byte [] name)}.
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
// clone because byte arrays are modifiable
addPathToNameInternal(type, name.clone());
|
| private void | addPathToNameInternal(int type, java.lang.Object name)A private method that adds a name (String or byte array) to the
pathToNames criterion. The X509Certificate must contain
the specified pathToName.
// First, ensure that the name parses
GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
if (pathToGeneralNames == null) {
pathToNames = new HashSet<List<?>>();
pathToGeneralNames = new HashSet<GeneralNameInterface>();
}
List<Object> list = new ArrayList<Object>(2);
list.add(Integer.valueOf(type));
list.add(name);
pathToNames.add(list);
pathToGeneralNames.add(tempName);
|
| public void | addSubjectAlternativeName(int type, java.lang.String name)Adds a name to the subjectAlternativeNames criterion. The
X509Certificate must contain all or at least one
of the specified subjectAlternativeNames, depending on the value of
the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
setMatchAllSubjectAltNames}).
This method allows the caller to add a name to the set of subject
alternative names.
The specified name is added to any previous value for the
subjectAlternativeNames criterion. If the specified name is a
duplicate, it may be ignored.
The name is provided in string format. RFC 822, DNS, and URI names
use the well-established string formats for those types (subject to
the restrictions included in RFC 2459). IPv4 address names are
supplied using dotted quad notation. OID address names are represented
as a series of nonnegative integers separated by periods. And
directory names (distinguished names) are supplied in RFC 2253 format.
No standard string format is defined for otherNames, X.400 names,
EDI party names, IPv6 address names, or any other type of names. They
should be specified using the
{@link #addSubjectAlternativeName(int type, byte [] name)
addSubjectAlternativeName(int type, byte [] name)}
method.
Note: for distinguished names, use
{@linkplain #addSubjectAlternativeName(int, byte[])} instead.
This method should not be relied on as it can fail to match some
certificates because of a loss of encoding information in the RFC 2253
String form of some distinguished names.
addSubjectAlternativeNameInternal(type, name);
|
| public void | addSubjectAlternativeName(int type, byte[] name)Adds a name to the subjectAlternativeNames criterion. The
X509Certificate must contain all or at least one
of the specified subjectAlternativeNames, depending on the value of
the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
setMatchAllSubjectAltNames}).
This method allows the caller to add a name to the set of subject
alternative names.
The specified name is added to any previous value for the
subjectAlternativeNames criterion. If the specified name is a
duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain
the DER encoded name, as it would appear in the GeneralName structure
defined in RFC 2459 and X.509. The encoded byte array should only contain
the encoded value of the name, and should not include the tag associated
with the name in the GeneralName structure. The ASN.1 definition of this
structure appears below.
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER}
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
// clone because byte arrays are modifiable
addSubjectAlternativeNameInternal(type, name.clone());
|
| private void | addSubjectAlternativeNameInternal(int type, java.lang.Object name)A private method that adds a name (String or byte array) to the
subjectAlternativeNames criterion. The X509Certificate
must contain the specified subjectAlternativeName.
// First, ensure that the name parses
GeneralNameInterface tempName = makeGeneralNameInterface(type, name);
if (subjectAlternativeNames == null) {
subjectAlternativeNames = new HashSet<List<?>>();
}
if (subjectAlternativeGeneralNames == null) {
subjectAlternativeGeneralNames = new HashSet<GeneralNameInterface>();
}
List<Object> list = new ArrayList<Object>(2);
list.add(Integer.valueOf(type));
list.add(name);
subjectAlternativeNames.add(list);
subjectAlternativeGeneralNames.add(tempName);
|
| public java.lang.Object | clone()Returns a copy of this object.
try {
X509CertSelector copy = (X509CertSelector)super.clone();
// Must clone these because addPathToName et al. modify them
if (subjectAlternativeNames != null) {
copy.subjectAlternativeNames =
(Set<List<?>>)cloneSet(subjectAlternativeNames);
copy.subjectAlternativeGeneralNames =
(Set<GeneralNameInterface>)cloneSet
(subjectAlternativeGeneralNames);
}
if (pathToGeneralNames != null) {
copy.pathToNames =
(Set<List<?>>)cloneSet(pathToNames);
copy.pathToGeneralNames =
(Set<GeneralNameInterface>)cloneSet
(pathToGeneralNames);
}
return copy;
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString());
}
|
| private static java.util.Set | cloneAndCheckNames(java.util.Collection names)Clone and check an argument of the form passed to
setSubjectAlternativeNames and setPathToNames.
Throw an IOException if the argument is malformed.
// Copy the Lists and Collection
Set<List<?>> namesCopy = new HashSet<List<?>>();
Iterator<List<?>> i = names.iterator();
while (i.hasNext()) {
Object o = i.next();
if (!(o instanceof List)) {
throw new IOException("expected a List");
}
namesCopy.add(new ArrayList<Object>((List<?>)o));
}
// Check the contents of the Lists and clone any byte arrays
i = namesCopy.iterator();
while (i.hasNext()) {
List<Object> nameList = (List<Object>)i.next();
if (nameList.size() != 2) {
throw new IOException("name list size not 2");
}
Object o = nameList.get(0);
if (!(o instanceof Integer)) {
throw new IOException("expected an Integer");
}
int nameType = ((Integer) o).intValue();
if ((nameType < 0) || (nameType > 8)) {
throw new IOException("name type not 0-8");
}
Object nameObject = nameList.get(1);
if (!(nameObject instanceof byte[]) &&
!(nameObject instanceof String)) {
if (debug != null) {
debug.println("X509CertSelector.cloneAndCheckNames() "
+ "name not byte array");
}
throw new IOException("name not byte array or String");
}
if (nameObject instanceof byte[]) {
nameList.set(1, ((byte[]) nameObject).clone());
}
}
return namesCopy;
|
| private static java.util.Set | cloneNames(java.util.Collection names)Clone an object of the form passed to
setSubjectAlternativeNames and setPathToNames.
Throw a RuntimeException if the argument is malformed.
This method wraps cloneAndCheckNames, changing any
IOException into a RuntimeException. This
method should be used when the object being
cloned has already been checked, so there should never be any exceptions.
try {
return cloneAndCheckNames(names);
} catch (IOException e) {
throw new RuntimeException("cloneNames encountered IOException: " +
e.getMessage());
}
|
| private static java.util.Set | cloneSet(java.util.Set set)
if (set instanceof HashSet) {
Object clone = ((HashSet<?>)set).clone();
return (Set<?>)clone;
} else {
return new HashSet<Object>(set);
}
|
| static boolean | equalNames(java.util.Collection object1, java.util.Collection object2)Compare for equality two objects of the form passed to
setSubjectAlternativeNames (or X509CRLSelector.setIssuerNames).
Throw an IllegalArgumentException or a
ClassCastException if one of the objects is malformed.
if ((object1 == null) || (object2 == null)) {
return object1 == object2;
}
return object1.equals(object2);
|
| public byte[] | getAuthorityKeyIdentifier()Returns the authorityKeyIdentifier criterion. The
X509Certificate must contain a AuthorityKeyIdentifier
extension with the specified value. If null, no
authorityKeyIdentifier check will be done.
Note that the byte array returned is cloned to protect against
subsequent modifications.
if (authorityKeyID == null) {
return null;
}
return (byte[])authorityKeyID.clone();
|
| public int | getBasicConstraints()Returns the basic constraints constraint. If the value is greater than
or equal to zero, the X509Certificates must include a
basicConstraints extension with a pathLen of at least this value.
If the value is -2, only end-entity certificates are accepted. If
the value is -1, no basicConstraints check is done.
return basicConstraints;
|
| public java.security.cert.X509Certificate | getCertificate()Returns the certificateEquals criterion. The specified
X509Certificate must be equal to the
X509Certificate passed to the match method.
If null, this check is not applied.
return x509Cert;
|
| public java.util.Date | getCertificateValid()Returns the certificateValid criterion. The specified date must fall
within the certificate validity period for the
X509Certificate. If null, no certificateValid
check will be done.
Note that the Date returned is cloned to protect against
subsequent modifications.
if (certificateValid == null) {
return null;
}
return (Date)certificateValid.clone();
|
| public java.util.Set | getExtendedKeyUsage()Returns the extendedKeyUsage criterion. The X509Certificate
must allow the specified key purposes in its extended key usage
extension. If the keyPurposeSet returned is empty or
null, no extendedKeyUsage check will be done. Note that an
X509Certificate that has no extendedKeyUsage extension
implicitly allows all key purposes.
return keyPurposeSet;
|
| private static java.security.cert.Extension | getExtensionObject(java.security.cert.X509Certificate cert, int extId)Returns an Extension object given any X509Certificate and extension oid.
Throw an IOException if the extension byte value is
malformed.
if (cert instanceof X509CertImpl) {
X509CertImpl impl = (X509CertImpl)cert;
switch (extId) {
case PRIVATE_KEY_USAGE_ID:
return impl.getPrivateKeyUsageExtension();
case SUBJECT_ALT_NAME_ID:
return impl.getSubjectAlternativeNameExtension();
case NAME_CONSTRAINTS_ID:
return impl.getNameConstraintsExtension();
case CERT_POLICIES_ID:
return impl.getCertificatePoliciesExtension();
case EXTENDED_KEY_USAGE_ID:
return impl.getExtendedKeyUsageExtension();
default:
return null;
}
}
byte[] rawExtVal = cert.getExtensionValue(EXTENSION_OIDS[extId]);
if (rawExtVal == null) {
return null;
}
DerInputStream in = new DerInputStream(rawExtVal);
byte[] encoded = in.getOctetString();
switch (extId) {
case PRIVATE_KEY_USAGE_ID:
try {
return new PrivateKeyUsageExtension(FALSE, encoded);
} catch (CertificateException ex) {
throw new IOException(ex.getMessage());
}
case SUBJECT_ALT_NAME_ID:
return new SubjectAlternativeNameExtension(FALSE, encoded);
case NAME_CONSTRAINTS_ID:
return new NameConstraintsExtension(FALSE, encoded);
case CERT_POLICIES_ID:
return new CertificatePoliciesExtension(FALSE, encoded);
case EXTENDED_KEY_USAGE_ID:
return new ExtendedKeyUsageExtension(FALSE, encoded);
default:
return null;
}
|
| public javax.security.auth.x500.X500Principal | getIssuer()Returns the issuer criterion as an X500Principal. This
distinguished name must match the issuer distinguished name in the
X509Certificate. If null, the issuer criterion
is disabled and any issuer distinguished name will do.
return issuer;
|
| public byte[] | getIssuerAsBytes()Returns the issuer criterion as a byte array. This distinguished name
must match the issuer distinguished name in the
X509Certificate. If null, the issuer criterion
is disabled and any issuer distinguished name will do.
If the value returned is not null, it is a byte
array containing a single DER encoded distinguished name, as defined in
X.501. The ASN.1 notation for this structure is supplied in the
documentation for
{@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
Note that the byte array returned is cloned to protect against
subsequent modifications.
return (issuer == null ? null: issuer.getEncoded());
|
| public java.lang.String | getIssuerAsString()Denigrated, use {@linkplain #getIssuer()} or
{@linkplain #getIssuerAsBytes()} instead. This method should not be
relied on as it can fail to match some certificates because of a loss of
encoding information in the RFC 2253 String form of some distinguished
names.
Returns the issuer criterion as a String. This
distinguished name must match the issuer distinguished name in the
X509Certificate. If null, the issuer criterion
is disabled and any issuer distinguished name will do.
If the value returned is not null, it is a
distinguished name, in RFC 2253 format.
return (issuer == null ? null : issuer.getName());
|
| public boolean[] | getKeyUsage()Returns the keyUsage criterion. The X509Certificate
must allow the specified keyUsage values. If null, no keyUsage
check will be done.
Note that the boolean array returned is cloned to protect against
subsequent modifications.
if (keyUsage == null) {
return null;
}
return (boolean[])keyUsage.clone();
|
| public boolean | getMatchAllSubjectAltNames()Indicates if the X509Certificate must contain all
or at least one of the subjectAlternativeNames
specified in the {@link #setSubjectAlternativeNames
setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
addSubjectAlternativeName} methods. If true,
the X509Certificate must contain all of the
specified subject alternative names. If false, the
X509Certificate must contain at least one of the
specified subject alternative names.
return matchAllSubjectAltNames;
|
| public byte[] | getNameConstraints()Returns the name constraints criterion. The X509Certificate
must have subject and subject alternative names that
meet the specified name constraints.
The name constraints are returned as a byte array. This byte array
contains the DER encoded form of the name constraints, as they
would appear in the NameConstraints structure defined in RFC 2459
and X.509. The ASN.1 notation for this structure is supplied in the
documentation for
{@link #setNameConstraints(byte [] bytes) setNameConstraints(byte [] bytes)}.
Note that the byte array returned is cloned to protect against
subsequent modifications.
if (ncBytes == null) {
return null;
} else {
return (byte[]) ncBytes.clone();
}
|
| public java.util.Collection | getPathToNames()Returns a copy of the pathToNames criterion. The
X509Certificate must not include name constraints that would
prohibit building a path to the specified names. If the value
returned is null, no pathToNames check will be performed.
If the value returned is not null, it is a
Collection with one
entry for each name to be included in the pathToNames
criterion. Each entry is a List whose first entry is an
Integer (the name type, 0-8) and whose second
entry is a String or a byte array (the name, in
string or ASN.1 DER encoded form, respectively).
There can be multiple names of the same type. Note that the
Collection returned may contain duplicate names (same
name and name type).
Each name in the Collection
may be specified either as a String or as an ASN.1 encoded
byte array. For more details about the formats used, see
{@link #addPathToName(int type, String name)
addPathToName(int type, String name)} and
{@link #addPathToName(int type, byte [] name)
addPathToName(int type, byte [] name)}.
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
if (pathToNames == null) {
return null;
}
return cloneNames(pathToNames);
|
| public java.util.Set | getPolicy()Returns the policy criterion. The X509Certificate must
include at least one of the specified policies in its certificate policies
extension. If the Set returned is empty, then the
X509Certificate must include at least some specified policy
in its certificate policies extension. If the Set returned is
null, no policy check will be performed.
return policySet;
|
| public java.util.Date | getPrivateKeyValid()Returns the privateKeyValid criterion. The specified date must fall
within the private key validity period for the
X509Certificate. If null, no privateKeyValid
check will be done.
Note that the Date returned is cloned to protect against
subsequent modifications.
if (privateKeyValid == null) {
return null;
}
return (Date)privateKeyValid.clone();
|
| public java.math.BigInteger | getSerialNumber()Returns the serialNumber criterion. The specified serial number
must match the certificate serial number in the
X509Certificate. If null, any certificate
serial number will do.
return serialNumber;
|
| public javax.security.auth.x500.X500Principal | getSubject()Returns the subject criterion as an X500Principal. This
distinguished name must match the subject distinguished name in the
X509Certificate. If null, the subject criterion
is disabled and any subject distinguished name will do.
return subject;
|
| public java.util.Collection | getSubjectAlternativeNames()Returns a copy of the subjectAlternativeNames criterion.
The X509Certificate must contain all or at least one
of the specified subjectAlternativeNames, depending on the value
of the matchAllNames flag (see {@link #getMatchAllSubjectAltNames
getMatchAllSubjectAltNames}). If the value returned is
null, no subjectAlternativeNames check will be performed.
If the value returned is not null, it is a
Collection with
one entry for each name to be included in the subject alternative name
criterion. Each entry is a List whose first entry is an
Integer (the name type, 0-8) and whose second
entry is a String or a byte array (the name, in
string or ASN.1 DER encoded form, respectively).
There can be multiple names of the same type. Note that the
Collection returned may contain duplicate names (same name
and name type).
Each subject alternative name in the Collection
may be specified either as a String or as an ASN.1 encoded
byte array. For more details about the formats used, see
{@link #addSubjectAlternativeName(int type, String name)
addSubjectAlternativeName(int type, String name)} and
{@link #addSubjectAlternativeName(int type, byte [] name)
addSubjectAlternativeName(int type, byte [] name)}.
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
if (subjectAlternativeNames == null) {
return null;
}
return cloneNames(subjectAlternativeNames);
|
| public byte[] | getSubjectAsBytes()Returns the subject criterion as a byte array. This distinguished name
must match the subject distinguished name in the
X509Certificate. If null, the subject criterion
is disabled and any subject distinguished name will do.
If the value returned is not null, it is a byte
array containing a single DER encoded distinguished name, as defined in
X.501. The ASN.1 notation for this structure is supplied in the
documentation for
{@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
Note that the byte array returned is cloned to protect against
subsequent modifications.
return (subject == null ? null : subject.getEncoded());
|
| public java.lang.String | getSubjectAsString()Denigrated, use {@linkplain #getSubject()} or
{@linkplain #getSubjectAsBytes()} instead. This method should not be
relied on as it can fail to match some certificates because of a loss of
encoding information in the RFC 2253 String form of some distinguished
names.
Returns the subject criterion as a String. This
distinguished name must match the subject distinguished name in the
X509Certificate. If null, the subject criterion
is disabled and any subject distinguished name will do.
If the value returned is not null, it is a
distinguished name, in RFC 2253 format.
return (subject == null ? null : subject.getName());
|
| public byte[] | getSubjectKeyIdentifier()Returns the subjectKeyIdentifier criterion. The
X509Certificate must contain a SubjectKeyIdentifier
extension with the specified value. If null, no
subjectKeyIdentifier check will be done.
Note that the byte array returned is cloned to protect against
subsequent modifications.
if (subjectKeyID == null) {
return null;
}
return (byte[])subjectKeyID.clone();
|
| public java.security.PublicKey | getSubjectPublicKey()Returns the subjectPublicKey criterion. The
X509Certificate must contain the specified subject
public key. If null, no subjectPublicKey check will be done.
return subjectPublicKey;
|
| public java.lang.String | getSubjectPublicKeyAlgID()Returns the subjectPublicKeyAlgID criterion. The
X509Certificate must contain a subject public key
with the specified algorithm. If null, no
subjectPublicKeyAlgID check will be done.
if (subjectPublicKeyAlgID == null) {
return null;
}
return subjectPublicKeyAlgID.toString();
|
| private static java.lang.String | keyUsageToString(boolean[] k)Returns a printable representation of the KeyUsage.
String s = "KeyUsage [\n";
try {
if (k[0]) {
s += " DigitalSignature\n";
}
if (k[1]) {
s += " Non_repudiation\n";
}
if (k[2]) {
s += " Key_Encipherment\n";
}
if (k[3]) {
s += " Data_Encipherment\n";
}
if (k[4]) {
s += " Key_Agreement\n";
}
if (k[5]) {
s += " Key_CertSign\n";
}
if (k[6]) {
s += " Crl_Sign\n";
}
if (k[7]) {
s += " Encipher_Only\n";
}
if (k[8]) {
s += " Decipher_Only\n";
}
} catch (ArrayIndexOutOfBoundsException ex) {}
s += "]\n";
return (s);
|
| static sun.security.x509.GeneralNameInterface | makeGeneralNameInterface(int type, java.lang.Object name)Make a GeneralNameInterface out of a name type (0-8) and an
Object that may be a byte array holding the ASN.1 DER encoded
name or a String form of the name. Except for X.509
Distinguished Names, the String form of the name must not be the
result from calling toString on an existing GeneralNameInterface
implementing class. The output of toString is not compatible
with the String constructors for names other than Distinguished
Names.
GeneralNameInterface result;
if (debug != null) {
debug.println("X509CertSelector.makeGeneralNameInterface("
+ type + ")...");
}
if (name instanceof String) {
if (debug != null) {
debug.println("X509CertSelector.makeGeneralNameInterface() "
+ "name is String: " + name);
}
switch (type) {
case NAME_RFC822:
result = new RFC822Name((String)name);
break;
case NAME_DNS:
result = new DNSName((String)name);
break;
case NAME_DIRECTORY:
result = new X500Name((String)name);
break;
case NAME_URI:
result = new URIName((String)name);
break;
case NAME_IP:
result = new IPAddressName((String)name);
break;
case NAME_OID:
result = new OIDName((String)name);
break;
default:
throw new IOException("unable to parse String names of type "
+ type);
}
if (debug != null) {
debug.println("X509CertSelector.makeGeneralNameInterface() "
+ "result: " + result.toString());
}
} else if (name instanceof byte[]) {
DerValue val = new DerValue((byte[]) name);
if (debug != null) {
debug.println
("X509CertSelector.makeGeneralNameInterface() is byte[]");
}
switch (type) {
case NAME_ANY:
result = new OtherName(val);
break;
case NAME_RFC822:
result = new RFC822Name(val);
break;
case NAME_DNS:
result = new DNSName(val);
break;
case NAME_X400:
result = new X400Address(val);
break;
case NAME_DIRECTORY:
result = new X500Name(val);
break;
case NAME_EDI:
result = new EDIPartyName(val);
break;
case NAME_URI:
result = new URIName(val);
break;
case NAME_IP:
result = new IPAddressName(val);
break;
case NAME_OID:
result = new OIDName(val);
break;
default:
throw new IOException("unable to parse byte array names of "
+ "type " + type);
}
if (debug != null) {
debug.println("X509CertSelector.makeGeneralNameInterface() result: "
+ result.toString());
}
} else {
if (debug != null) {
debug.println("X509CertSelector.makeGeneralName() input name "
+ "not String or byte array");
}
throw new IOException("name not String or byte array");
}
return result;
|
| public boolean | match(java.security.cert.Certificate cert)Decides whether a Certificate should be selected.
if (!(cert instanceof X509Certificate)) {
return false;
}
X509Certificate xcert = (X509Certificate)cert;
if (debug != null) {
debug.println("X509CertSelector.match(SN: "
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: "
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN()
+ ")");
}
/* match on X509Certificate */
if (x509Cert != null) {
if (!x509Cert.equals(xcert)) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "certs don't match");
}
return false;
}
}
/* match on serial number */
if (serialNumber != null) {
if (!serialNumber.equals(xcert.getSerialNumber())) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "serial numbers don't match");
}
return false;
}
}
/* match on issuer name */
if (issuer != null) {
if (!issuer.equals(xcert.getIssuerX500Principal())) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "issuer DNs don't match");
}
return false;
}
}
/* match on subject name */
if (subject != null) {
if (!subject.equals(xcert.getSubjectX500Principal())) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "subject DNs don't match");
}
return false;
}
}
/* match on certificate validity range */
if (certificateValid != null) {
try {
xcert.checkValidity(certificateValid);
} catch (CertificateException e) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "certificate not within validity period");
}
return false;
}
}
/* match on subject public key */
if (subjectPublicKeyBytes != null) {
byte[] certKey = xcert.getPublicKey().getEncoded();
if (!Arrays.equals(subjectPublicKeyBytes, certKey)) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "subject public keys don't match");
}
return false;
}
}
boolean result = matchBasicConstraints(xcert)
&& matchKeyUsage(xcert)
&& matchExtendedKeyUsage(xcert)
&& matchSubjectKeyID(xcert)
&& matchAuthorityKeyID(xcert)
&& matchPrivateKeyValid(xcert)
&& matchSubjectPublicKeyAlgID(xcert)
&& matchPolicy(xcert)
&& matchSubjectAlternativeNames(xcert)
&& matchPathToNames(xcert)
&& matchNameConstraints(xcert);
if (result && (debug != null)) {
debug.println("X509CertSelector.match returning: true");
}
return result;
|
| private boolean | matchAuthorityKeyID(java.security.cert.X509Certificate xcert)
if (authorityKeyID == null) {
return true;
}
try {
byte[] extVal = xcert.getExtensionValue("2.5.29.35");
if (extVal == null) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "no authority key ID extension");
}
return false;
}
DerInputStream in = new DerInputStream(extVal);
byte[] certAuthKeyID = in.getOctetString();
if (certAuthKeyID == null ||
!Arrays.equals(authorityKeyID, certAuthKeyID)) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "authority key IDs don't match");
}
return false;
}
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "exception in authority key ID check");
}
return false;
}
return true;
|
| private boolean | matchBasicConstraints(java.security.cert.X509Certificate xcert)
if (basicConstraints == -1) {
return true;
}
int maxPathLen = xcert.getBasicConstraints();
if (basicConstraints == -2) {
if (maxPathLen != -1) {
if (debug != null) {
debug.println("X509CertSelector.match: not an EE cert");
}
return false;
}
} else {
if (maxPathLen < basicConstraints) {
if (debug != null) {
debug.println("X509CertSelector.match: maxPathLen too small ("
+ maxPathLen + " < " + basicConstraints + ")");
}
return false;
}
}
return true;
|
| private boolean | matchExcluded(sun.security.x509.GeneralSubtrees excluded)
/*
* Enumerate through excluded and compare each entry
* to all pathToNames. If any pathToName is within any of the
* subtrees listed in excluded, return false.
*/
for (Iterator t = excluded.iterator(); t.hasNext(); ) {
GeneralSubtree tree = (GeneralSubtree)t.next();
GeneralNameInterface excludedName = tree.getName().getName();
Iterator i = pathToGeneralNames.iterator();
while (i.hasNext()) {
GeneralNameInterface pathToName = (GeneralNameInterface) i.next();
if (excludedName.getType() == pathToName.getType()) {
switch (pathToName.constrains(excludedName)) {
case GeneralNameInterface.NAME_WIDENS:
case GeneralNameInterface.NAME_MATCH:
if (debug != null) {
debug.println("X509CertSelector.match: name constraints "
+ "inhibit path to specified name");
debug.println("X509CertSelector.match: excluded name: " +
pathToName);
}
return false;
default:
}
}
}
}
return true;
|
| private boolean | matchExtendedKeyUsage(java.security.cert.X509Certificate xcert)
if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
return true;
}
try {
ExtendedKeyUsageExtension ext =
(ExtendedKeyUsageExtension)getExtensionObject(xcert,
EXTENDED_KEY_USAGE_ID);
if (ext != null) {
Vector<ObjectIdentifier> certKeyPurposeVector =
(Vector<ObjectIdentifier>)ext.get(ExtendedKeyUsageExtension.USAGES);
if (!certKeyPurposeVector.contains(ANY_EXTENDED_KEY_USAGE)
&& !certKeyPurposeVector.containsAll(keyPurposeOIDSet)) {
if (debug != null) {
debug.println("X509CertSelector.match: cert failed "
+ "extendedKeyUsage criterion");
}
return false;
}
}
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "IOException in extended key usage check");
}
return false;
}
return true;
|
| private boolean | matchKeyUsage(java.security.cert.X509Certificate xcert)
if (keyUsage == null) {
return true;
}
boolean[] certKeyUsage = xcert.getKeyUsage();
if (certKeyUsage != null) {
for (int keyBit = 0; keyBit < keyUsage.length; keyBit++) {
if (keyUsage[keyBit] &&
((keyBit >= certKeyUsage.length) || !certKeyUsage[keyBit])) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "key usage bits don't match");
}
return false;
}
}
}
return true;
|
| private boolean | matchNameConstraints(java.security.cert.X509Certificate xcert)
if (nc == null) {
return true;
}
try {
if (!nc.verify(xcert)) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "name constraints not satisfied");
}
return false;
}
} catch (IOException e) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "IOException in name constraints check");
}
return false;
}
return true;
|
| private boolean | matchPathToNames(java.security.cert.X509Certificate xcert)
if (pathToGeneralNames == null) {
return true;
}
try {
NameConstraintsExtension ext = (NameConstraintsExtension)
getExtensionObject(xcert, NAME_CONSTRAINTS_ID);
if (ext == null) {
return true;
}
if ((debug != null) && debug.isOn("certpath")) {
debug.println("X509CertSelector.match pathToNames:\n");
Iterator i = pathToGeneralNames.iterator();
while (i.hasNext()) {
debug.println(" " + i.next() + "\n");
}
}
GeneralSubtrees permitted = (GeneralSubtrees)
ext.get(NameConstraintsExtension.PERMITTED_SUBTREES);
GeneralSubtrees excluded = (GeneralSubtrees)
ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
if (excluded != null) {
if (matchExcluded(excluded) == false) {
return false;
}
}
if (permitted != null) {
if (matchPermitted(permitted) == false) {
return false;
}
}
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "IOException in name constraints check");
}
return false;
}
return true;
|
| private boolean | matchPermitted(sun.security.x509.GeneralSubtrees permitted)
/*
* Enumerate through pathToNames, checking that each pathToName
* is in at least one of the subtrees listed in permitted.
* If not, return false. However, if no subtrees of a given type
* are listed, all names of that type are permitted.
*/
Iterator i = pathToGeneralNames.iterator();
while (i.hasNext()) {
GeneralNameInterface pathToName = (GeneralNameInterface)i.next();
Iterator t = permitted.iterator();
boolean permittedNameFound = false;
boolean nameTypeFound = false;
String names = "";
while (t.hasNext() && !permittedNameFound) {
GeneralSubtree tree = (GeneralSubtree)t.next();
GeneralNameInterface permittedName = tree.getName().getName();
if (permittedName.getType() == pathToName.getType()) {
nameTypeFound = true;
names = names + " " + permittedName;
switch (pathToName.constrains(permittedName)) {
case GeneralNameInterface.NAME_WIDENS:
case GeneralNameInterface.NAME_MATCH:
permittedNameFound = true;
break;
default:
}
}
}
if (!permittedNameFound && nameTypeFound) {
if (debug != null)
debug.println("X509CertSelector.match: " +
"name constraints inhibit path to specified name; " +
"permitted names of type " + pathToName.getType() +
": " + names);
return false;
}
}
return true;
|
| private boolean | matchPolicy(java.security.cert.X509Certificate xcert)
if (policy == null) {
return true;
}
try {
CertificatePoliciesExtension ext = (CertificatePoliciesExtension)
getExtensionObject(xcert, CERT_POLICIES_ID);
if (ext == null) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "no certificate policy extension");
}
return false;
}
List<PolicyInformation> policies = (List<PolicyInformation>)ext.get(CertificatePoliciesExtension.POLICIES);
/*
* Convert the Vector of PolicyInformation to a Vector
* of CertificatePolicyIds for easier comparison.
*/
List<CertificatePolicyId> policyIDs = new ArrayList<CertificatePolicyId>(policies.size());
for (PolicyInformation info : policies) {
policyIDs.add(info.getPolicyIdentifier());
}
if (policy != null) {
boolean foundOne = false;
/*
* if the user passes in an empty policy Set, then
* we just want to make sure that the candidate certificate
* has some policy OID in its CertPoliciesExtension
*/
if (policy.getCertPolicyIds().isEmpty()) {
if (policyIDs.isEmpty()) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "cert failed policyAny criterion");
}
return false;
}
} else {
for (CertificatePolicyId id : policy.getCertPolicyIds()) {
if (policyIDs.contains(id)) {
foundOne = true;
break;
}
}
if (!foundOne) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "cert failed policyAny criterion");
}
return false;
}
}
}
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "IOException in certificate policy ID check");
}
return false;
}
return true;
|
| private boolean | matchPrivateKeyValid(java.security.cert.X509Certificate xcert)
if (privateKeyValid == null) {
return true;
}
PrivateKeyUsageExtension ext = null;
try {
ext = (PrivateKeyUsageExtension)
getExtensionObject(xcert, PRIVATE_KEY_USAGE_ID);
if (ext != null) {
ext.valid(privateKeyValid);
}
} catch (CertificateExpiredException e1) {
if (debug != null) {
String time = "n/a";
try {
Date notAfter =
(Date)ext.get(PrivateKeyUsageExtension.NOT_AFTER);
time = notAfter.toString();
} catch (CertificateException ex) {
// not able to retrieve notAfter value
}
debug.println("X509CertSelector.match: private key usage not "
+ "within validity date; ext.NOT_After: "
+ time + "; X509CertSelector: "
+ this.toString());
e1.printStackTrace();
}
return false;
} catch (CertificateNotYetValidException e2) {
if (debug != null) {
String time = "n/a";
try {
Date notBefore = (Date)
ext.get(PrivateKeyUsageExtension.NOT_BEFORE);
time = notBefore.toString();
} catch (CertificateException ex) {
// not able to retrieve notBefore value
}
debug.println("X509CertSelector.match: private key usage not "
+ "within validity date; ext.NOT_BEFORE: "
+ time + "; X509CertSelector: "
+ this.toString());
e2.printStackTrace();
}
return false;
} catch (CertificateException e3) {
if (debug != null) {
debug.println("X509CertSelector.match: CertificateException "
+ "in private key usage check; X509CertSelector: "
+ this.toString());
e3.printStackTrace();
}
return false;
} catch (IOException e4) {
if (debug != null) {
debug.println("X509CertSelector.match: IOException in "
+ "private key usage check; X509CertSelector: "
+ this.toString());
e4.printStackTrace();
}
return false;
}
return true;
|
| private boolean | matchSubjectAlternativeNames(java.security.cert.X509Certificate xcert)
if ((subjectAlternativeNames == null) || subjectAlternativeNames.isEmpty()) {
return true;
}
try {
SubjectAlternativeNameExtension sanExt =
(SubjectAlternativeNameExtension) getExtensionObject(xcert,
SUBJECT_ALT_NAME_ID);
if (sanExt == null) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "no subject alternative name extension");
}
return false;
}
GeneralNames certNames = (GeneralNames)
sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
Iterator i = subjectAlternativeGeneralNames.iterator();
while (i.hasNext()) {
GeneralNameInterface matchName = (GeneralNameInterface) i.next();
boolean found = false;
for (Iterator t = certNames.iterator(); t.hasNext() && !found; ) {
GeneralNameInterface certName =
((GeneralName)t.next()).getName();
found = certName.equals(matchName);
}
if (!found && (matchAllSubjectAltNames || !i.hasNext())) {
if (debug != null) {
debug.println("X509CertSelector.match: subject alternative "
+ "name " + matchName + " not found");
}
return false;
} else if (found && !matchAllSubjectAltNames) {
break;
}
}
} catch (IOException ex) {
if (debug != null)
debug.println("X509CertSelector.match: IOException in subject "
+ "alternative name check");
return false;
}
return true;
|
| private boolean | matchSubjectKeyID(java.security.cert.X509Certificate xcert)
if (subjectKeyID == null) {
return true;
}
try {
byte[] extVal = xcert.getExtensionValue("2.5.29.14");
if (extVal == null) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "no subject key ID extension");
}
return false;
}
DerInputStream in = new DerInputStream(extVal);
byte[] certSubjectKeyID = in.getOctetString();
if (certSubjectKeyID == null ||
!Arrays.equals(subjectKeyID, certSubjectKeyID)) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "subject key IDs don't match");
}
return false;
}
} catch (IOException ex) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "exception in subject key ID check");
}
return false;
}
return true;
|
| private boolean | matchSubjectPublicKeyAlgID(java.security.cert.X509Certificate xcert)
if (subjectPublicKeyAlgID == null) {
return true;
}
try {
byte[] encodedKey = xcert.getPublicKey().getEncoded();
DerValue val = new DerValue(encodedKey);
if (val.tag != DerValue.tag_Sequence) {
throw new IOException("invalid key format");
}
AlgorithmId algID = AlgorithmId.parse(val.data.getDerValue());
if (debug != null) {
debug.println("X509CertSelector.match: subjectPublicKeyAlgID = "
+ subjectPublicKeyAlgID + ", xcert subjectPublicKeyAlgID = "
+ algID.getOID());
}
if (!subjectPublicKeyAlgID.equals(algID.getOID())) {
if (debug != null) {
debug.println("X509CertSelector.match: "
+ "subject public key alg IDs don't match");
}
return false;
}
} catch (IOException e5) {
if (debug != null) {
debug.println("X509CertSelector.match: IOException in subject "
+ "public key algorithm OID check");
}
return false;
}
return true;
|
| private static java.util.Set | parseNames(java.util.Collection names)Parse an argument of the form passed to setSubjectAlternativeNames,
returning a Collection of
GeneralNameInterfaces.
Throw an IllegalArgumentException or a ClassCastException
if the argument is malformed.
Set<GeneralNameInterface> genNames = new HashSet<GeneralNameInterface>();
Iterator<List<?>> i = names.iterator();
while (i.hasNext()) {
Object o = i.next();
if (!(o instanceof List)) {
throw new IOException("expected List");
}
List<Object> nameList = (List<Object>)o;
if (nameList.size() != 2) {
throw new IOException("name list size not 2");
}
o = nameList.get(0);
if (!(o instanceof Integer)) {
throw new IOException("expected an Integer");
}
int nameType = ((Integer)o).intValue();
o = nameList.get(1);
genNames.add(makeGeneralNameInterface(nameType, o));
}
return genNames;
|
| public void | setAuthorityKeyIdentifier(byte[] authorityKeyID)Sets the authorityKeyIdentifier criterion. The
X509Certificate must contain an
AuthorityKeyIdentifier extension for which the contents of the
extension value matches the specified criterion value.
If the criterion value is null, no
authorityKeyIdentifier check will be done.
If authorityKeyID is not null, it
should contain a single DER encoded value corresponding to the contents
of the extension value (not including the object identifier,
criticality setting, and encapsulating OCTET STRING)
for an AuthorityKeyIdentifier extension.
The ASN.1 notation for this structure follows.
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
KeyIdentifier ::= OCTET STRING
Authority key identifiers are not parsed by the
X509CertSelector. Instead, the values are
compared using a byte-by-byte comparison.
When the keyIdentifier field of
AuthorityKeyIdentifier is populated, the value is
usually taken from the SubjectKeyIdentifier extension
in the issuer's certificate. Note, however, that the result of
X509Certificate.getExtensionValue(<SubjectKeyIdentifier Object
Identifier>) on the issuer's certificate may NOT be used
directly as the input to setAuthorityKeyIdentifier.
This is because the SubjectKeyIdentifier contains
only a KeyIdentifier OCTET STRING, and not a SEQUENCE of
KeyIdentifier, GeneralNames, and CertificateSerialNumber.
In order to use the extension value of the issuer certificate's
SubjectKeyIdentifier
extension, it will be necessary to extract the value of the embedded
KeyIdentifier OCTET STRING, then DER encode this OCTET
STRING inside a SEQUENCE.
For more details on SubjectKeyIdentifier, see
{@link #setSubjectKeyIdentifier(byte[] subjectKeyID)}.
Note also that the byte array supplied here is cloned to protect against
subsequent modifications.
if (authorityKeyID == null) {
this.authorityKeyID = null;
} else {
this.authorityKeyID = (byte[])authorityKeyID.clone();
}
|
| public void | setBasicConstraints(int minMaxPathLen)Sets the basic constraints constraint. If the value is greater than or
equal to zero, X509Certificates must include a
basicConstraints extension with
a pathLen of at least this value. If the value is -2, only end-entity
certificates are accepted. If the value is -1, no check is done.
This constraint is useful when building a certification path forward
(from the target toward the trust anchor. If a partial path has been
built, any candidate certificate must have a maxPathLen value greater
than or equal to the number of certificates in the partial path.
if (minMaxPathLen < -2) {
throw new IllegalArgumentException("basic constraints less than -2");
}
basicConstraints = minMaxPathLen;
|
| public void | setCertificate(java.security.cert.X509Certificate cert)Sets the certificateEquals criterion. The specified
X509Certificate must be equal to the
X509Certificate passed to the match method.
If null, then this check is not applied.
This method is particularly useful when it is necessary to
match a single certificate. Although other criteria can be specified
in conjunction with the certificateEquals criterion, it is usually not
practical or necessary.
x509Cert = cert;
|
| public void | setCertificateValid(java.util.Date certValid)Sets the certificateValid criterion. The specified date must fall
within the certificate validity period for the
X509Certificate. If null, no certificateValid
check will be done.
Note that the Date supplied here is cloned to protect
against subsequent modifications.
if (certValid == null) {
certificateValid = null;
} else {
certificateValid = (Date)certValid.clone();
}
|
| public void | setExtendedKeyUsage(java.util.Set keyPurposeSet)Sets the extendedKeyUsage criterion. The X509Certificate
must allow the specified key purposes in its extended key usage
extension. If keyPurposeSet is empty or null,
no extendedKeyUsage check will be done. Note that an
X509Certificate that has no extendedKeyUsage extension
implicitly allows all key purposes.
Note that the Set is cloned to protect against
subsequent modifications.
if ((keyPurposeSet == null) || keyPurposeSet.isEmpty()) {
this.keyPurposeSet = null;
keyPurposeOIDSet = null;
} else {
this.keyPurposeSet =
Collections.unmodifiableSet(new HashSet<String>(keyPurposeSet));
keyPurposeOIDSet = new HashSet<ObjectIdentifier>();
for (String s : this.keyPurposeSet) {
keyPurposeOIDSet.add(new ObjectIdentifier(s));
}
}
|
| public void | setIssuer(javax.security.auth.x500.X500Principal issuer)Sets the issuer criterion. The specified distinguished name
must match the issuer distinguished name in the
X509Certificate. If null, any issuer
distinguished name will do.
this.issuer = issuer;
|
| public void | setIssuer(java.lang.String issuerDN)Denigrated, use {@linkplain #setIssuer(X500Principal)}
or {@linkplain #setIssuer(byte[])} instead. This method should not be
relied on as it can fail to match some certificates because of a loss of
encoding information in the RFC 2253 String form of some distinguished
names.
Sets the issuer criterion. The specified distinguished name
must match the issuer distinguished name in the
X509Certificate. If null, any issuer
distinguished name will do.
If issuerDN is not null, it should contain a
distinguished name, in RFC 2253 format.
if (issuerDN == null) {
issuer = null;
} else {
issuer = new X500Name(issuerDN).asX500Principal();
}
|
| public void | setIssuer(byte[] issuerDN)Sets the issuer criterion. The specified distinguished name
must match the issuer distinguished name in the
X509Certificate. If null is specified,
the issuer criterion is disabled and any issuer distinguished name will
do.
If issuerDN is not null, it should contain a
single DER encoded distinguished name, as defined in X.501. The ASN.1
notation for this structure is as follows.
Name ::= CHOICE {
RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET SIZE (1 .. MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
....
DirectoryString ::= CHOICE {
teletexString TeletexString (SIZE (1..MAX)),
printableString PrintableString (SIZE (1..MAX)),
universalString UniversalString (SIZE (1..MAX)),
utf8String UTF8String (SIZE (1.. MAX)),
bmpString BMPString (SIZE (1..MAX)) }
Note that the byte array specified here is cloned to protect against
subsequent modifications.
try {
issuer = (issuerDN == null ? null : new X500Principal(issuerDN));
} catch (IllegalArgumentException e) {
throw (IOException)new IOException("Invalid name").initCause(e);
}
|
| public void | setKeyUsage(boolean[] keyUsage)Sets the keyUsage criterion. The X509Certificate
must allow the specified keyUsage values. If null, no
keyUsage check will be done. Note that an X509Certificate
that has no keyUsage extension implicitly allows all keyUsage values.
Note that the boolean array supplied here is cloned to protect against
subsequent modifications.
if (keyUsage == null) {
this.keyUsage = null;
} else {
this.keyUsage = (boolean[])keyUsage.clone();
}
|
| public void | setMatchAllSubjectAltNames(boolean matchAllNames)Enables/disables matching all of the subjectAlternativeNames
specified in the {@link #setSubjectAlternativeNames
setSubjectAlternativeNames} or {@link #addSubjectAlternativeName
addSubjectAlternativeName} methods. If enabled,
the X509Certificate must contain all of the
specified subject alternative names. If disabled, the
X509Certificate must contain at least one of the
specified subject alternative names.
The matchAllNames flag is true by default.
this.matchAllSubjectAltNames = matchAllNames;
|
| public void | setNameConstraints(byte[] bytes)Sets the name constraints criterion. The X509Certificate
must have subject and subject alternative names that
meet the specified name constraints.
The name constraints are specified as a byte array. This byte array
should contain the DER encoded form of the name constraints, as they
would appear in the NameConstraints structure defined in RFC 2459
and X.509. The ASN.1 definition of this structure appears below.
NameConstraints ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL }
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL }
BaseDistance ::= INTEGER (0..MAX)
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER}
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
if (bytes == null) {
ncBytes = null;
nc = null;
} else {
ncBytes = (byte[])bytes.clone();
nc = new NameConstraintsExtension(FALSE, bytes);
}
|
| public void | setPathToNames(java.util.Collection names)Sets the pathToNames criterion. The X509Certificate must
not include name constraints that would prohibit building a
path to the specified names.
This method allows the caller to specify, with a single method call,
the complete set of names which the X509Certificates's
name constraints must permit. The specified value replaces
the previous value for the pathToNames criterion.
This constraint is useful when building a certification path forward
(from the target toward the trust anchor. If a partial path has been
built, any candidate certificate must not include name constraints that
would prohibit building a path to any of the names in the partial path.
The names parameter (if not null) is a
Collection with one
entry for each name to be included in the pathToNames
criterion. Each entry is a List whose first entry is an
Integer (the name type, 0-8) and whose second
entry is a String or a byte array (the name, in
string or ASN.1 DER encoded form, respectively).
There can be multiple names of the same type. If null
is supplied as the value for this argument, no
pathToNames check will be performed.
Each name in the Collection
may be specified either as a String or as an ASN.1 encoded
byte array. For more details about the formats used, see
{@link #addPathToName(int type, String name)
addPathToName(int type, String name)} and
{@link #addPathToName(int type, byte [] name)
addPathToName(int type, byte [] name)}.
Note: for distinguished names, specify the byte
array form instead of the String form. See the note in
{@link #addPathToName(int, String)} for more information.
Note that the names parameter can contain duplicate
names (same name and name type), but they may be removed from the
Collection of names returned by the
{@link #getPathToNames getPathToNames} method.
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
if ((names == null) || names.isEmpty()) {
pathToNames = null;
pathToGeneralNames = null;
} else {
Set<List<?>> tempNames = cloneAndCheckNames(names);
pathToGeneralNames = parseNames(tempNames);
// Ensure that we either set both of these or neither
pathToNames = tempNames;
}
|
| void | setPathToNamesInternal(java.util.Set names)
// set names to non-null dummy value
// this breaks getPathToNames()
pathToNames = Collections.<List<?>>emptySet();
pathToGeneralNames = names;
|
| public void | setPolicy(java.util.Set certPolicySet)Sets the policy constraint. The X509Certificate must
include at least one of the specified policies in its certificate
policies extension. If certPolicySet is empty, then the
X509Certificate must include at least some specified policy
in its certificate policies extension. If certPolicySet is
null, no policy check will be performed.
Note that the Set is cloned to protect against
subsequent modifications.
if (certPolicySet == null) {
policySet = null;
policy = null;
} else {
// Snapshot set and parse it
Set<String> tempSet = Collections.unmodifiableSet
(new HashSet<String>(certPolicySet));
/* Convert to Vector of ObjectIdentifiers */
Iterator i = tempSet.iterator();
Vector<CertificatePolicyId> polIdVector = new Vector<CertificatePolicyId>();
while (i.hasNext()) {
Object o = i.next();
if (!(o instanceof String)) {
throw new IOException("non String in certPolicySet");
}
polIdVector.add(new CertificatePolicyId(new ObjectIdentifier(
(String)o)));
}
// If everything went OK, make the changes
policySet = tempSet;
policy = new CertificatePolicySet(polIdVector);
}
|
| public void | setPrivateKeyValid(java.util.Date privateKeyValid)Sets the privateKeyValid criterion. The specified date must fall
within the private key validity period for the
X509Certificate. If null, no privateKeyValid
check will be done.
Note that the Date supplied here is cloned to protect
against subsequent modifications.
if (privateKeyValid == null) {
this.privateKeyValid = null;
} else {
this.privateKeyValid = (Date)privateKeyValid.clone();
}
|
| public void | setSerialNumber(java.math.BigInteger serial)Sets the serialNumber criterion. The specified serial number
must match the certificate serial number in the
X509Certificate. If null, any certificate
serial number will do.
serialNumber = serial;
|
| public void | setSubject(javax.security.auth.x500.X500Principal subject)Sets the subject criterion. The specified distinguished name
must match the subject distinguished name in the
X509Certificate. If null, any subject
distinguished name will do.
this.subject = subject;
|
| public void | setSubject(java.lang.String subjectDN)Denigrated, use {@linkplain #setSubject(X500Principal)}
or {@linkplain #setSubject(byte[])} instead. This method should not be
relied on as it can fail to match some certificates because of a loss of
encoding information in the RFC 2253 String form of some distinguished
names.
Sets the subject criterion. The specified distinguished name
must match the subject distinguished name in the
X509Certificate. If null, any subject
distinguished name will do.
If subjectDN is not null, it should contain a
distinguished name, in RFC 2253 format.
if (subjectDN == null) {
subject = null;
} else {
subject = new X500Name(subjectDN).asX500Principal();
}
|
| public void | setSubject(byte[] subjectDN)Sets the subject criterion. The specified distinguished name
must match the subject distinguished name in the
X509Certificate. If null, any subject
distinguished name will do.
If subjectDN is not null, it should contain a
single DER encoded distinguished name, as defined in X.501. For the ASN.1
notation for this structure, see
{@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
try {
subject = (subjectDN == null ? null : new X500Principal(subjectDN));
} catch (IllegalArgumentException e) {
throw (IOException)new IOException("Invalid name").initCause(e);
}
|
| public void | setSubjectAlternativeNames(java.util.Collection names)Sets the subjectAlternativeNames criterion. The
X509Certificate must contain all or at least one of the
specified subjectAlternativeNames, depending on the value of
the matchAllNames flag (see {@link #setMatchAllSubjectAltNames
setMatchAllSubjectAltNames}).
This method allows the caller to specify, with a single method call,
the complete set of subject alternative names for the
subjectAlternativeNames criterion. The specified value replaces
the previous value for the subjectAlternativeNames criterion.
The names parameter (if not null) is a
Collection with one
entry for each name to be included in the subject alternative name
criterion. Each entry is a List whose first entry is an
Integer (the name type, 0-8) and whose second
entry is a String or a byte array (the name, in
string or ASN.1 DER encoded form, respectively).
There can be multiple names of the same type. If null
is supplied as the value for this argument, no
subjectAlternativeNames check will be performed.
Each subject alternative name in the Collection
may be specified either as a String or as an ASN.1 encoded
byte array. For more details about the formats used, see
{@link #addSubjectAlternativeName(int type, String name)
addSubjectAlternativeName(int type, String name)} and
{@link #addSubjectAlternativeName(int type, byte [] name)
addSubjectAlternativeName(int type, byte [] name)}.
Note: for distinguished names, specify the byte
array form instead of the String form. See the note in
{@link #addSubjectAlternativeName(int, String)} for more information.
Note that the names parameter can contain duplicate
names (same name and name type), but they may be removed from the
Collection of names returned by the
{@link #getSubjectAlternativeNames getSubjectAlternativeNames} method.
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
if (names == null) {
subjectAlternativeNames = null;
subjectAlternativeGeneralNames = null;
} else {
if (names.isEmpty()) {
subjectAlternativeNames = null;
subjectAlternativeGeneralNames = null;
return;
}
Set<List<?>> tempNames = cloneAndCheckNames(names);
// Ensure that we either set both of these or neither
subjectAlternativeGeneralNames = parseNames(tempNames);
subjectAlternativeNames = tempNames;
}
|
| public void | setSubjectKeyIdentifier(byte[] subjectKeyID)Sets the subjectKeyIdentifier criterion. The
X509Certificate must contain a SubjectKeyIdentifier
extension for which the contents of the extension
matches the specified criterion value.
If the criterion value is null, no
subjectKeyIdentifier check will be done.
If subjectKeyID is not null, it
should contain a single DER encoded value corresponding to the contents
of the extension value (not including the object identifier,
criticality setting, and encapsulating OCTET STRING)
for a SubjectKeyIdentifier extension.
The ASN.1 notation for this structure follows.
SubjectKeyIdentifier ::= KeyIdentifier
KeyIdentifier ::= OCTET STRING
Since the format of subject key identifiers is not mandated by
any standard, subject key identifiers are not parsed by the
X509CertSelector. Instead, the values are compared using
a byte-by-byte comparison.
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
if (subjectKeyID == null) {
this.subjectKeyID = null;
} else {
this.subjectKeyID = (byte[])subjectKeyID.clone();
}
|
| public void | setSubjectPublicKey(java.security.PublicKey key)Sets the subjectPublicKey criterion. The
X509Certificate must contain the specified subject public
key. If null, no subjectPublicKey check will be done.
if (key == null) {
subjectPublicKey = null;
subjectPublicKeyBytes = null;
} else {
subjectPublicKey = key;
subjectPublicKeyBytes = key.getEncoded();
}
|
| public void | setSubjectPublicKey(byte[] key)Sets the subjectPublicKey criterion. The X509Certificate
must contain the specified subject public key. If null,
no subjectPublicKey check will be done.
Because this method allows the public key to be specified as a byte
array, it may be used for unknown key types.
If key is not null, it should contain a
single DER encoded SubjectPublicKeyInfo structure, as defined in X.509.
The ASN.1 notation for this structure is as follows.
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
-- contains a value of the type
-- registered for use with the
-- algorithm object identifier value
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
if (key == null) {
subjectPublicKey = null;
subjectPublicKeyBytes = null;
} else {
subjectPublicKeyBytes = (byte[])key.clone();
subjectPublicKey = X509Key.parse(new DerValue(subjectPublicKeyBytes));
}
|
| public void | setSubjectPublicKeyAlgID(java.lang.String oid)Sets the subjectPublicKeyAlgID criterion. The
X509Certificate must contain a subject public key
with the specified algorithm. If null, no
subjectPublicKeyAlgID check will be done.
if (oid == null) {
subjectPublicKeyAlgID = null;
} else {
subjectPublicKeyAlgID = new ObjectIdentifier(oid);
}
|
| public java.lang.String | toString()Return a printable representation of the CertSelector.
StringBuffer sb = new StringBuffer();
sb.append("X509CertSelector: [\n");
if (x509Cert != null) {
sb.append(" Certificate: " + x509Cert.toString() + "\n");
}
if (serialNumber != null) {
sb.append(" Serial Number: " + serialNumber.toString() + "\n");
}
if (issuer != null) {
sb.append(" Issuer: " + getIssuerAsString() + "\n");
}
if (subject != null) {
sb.append(" Subject: " + getSubjectAsString() + "\n");
}
sb.append(" matchAllSubjectAltNames flag: "
+ String.valueOf(matchAllSubjectAltNames) + "\n");
if (subjectAlternativeNames != null) {
sb.append(" SubjectAlternativeNames:\n");
Iterator i = subjectAlternativeNames.iterator();
while (i.hasNext()) {
List list = (List) i.next();
sb.append(" type " + list.get(0) +
", name " + list.get(1) + "\n");
}
}
if (subjectKeyID != null) {
HexDumpEncoder enc = new HexDumpEncoder();
sb.append(" Subject Key Identifier: " +
enc.encodeBuffer(subjectKeyID) + "\n");
}
if (authorityKeyID != null) {
HexDumpEncoder enc = new HexDumpEncoder();
sb.append(" Authority Key Identifier: " +
enc.encodeBuffer(authorityKeyID) + "\n");
}
if (certificateValid != null) {
sb.append(" Certificate Valid: " +
certificateValid.toString() + "\n");
}
if (privateKeyValid != null) {
sb.append(" Private Key Valid: " +
privateKeyValid.toString() + "\n");
}
if (subjectPublicKeyAlgID != null) {
sb.append(" Subject Public Key AlgID: " +
subjectPublicKeyAlgID.toString() + "\n");
}
if (subjectPublicKey != null) {
sb.append(" Subject Public Key: " +
subjectPublicKey.toString() + "\n");
}
if (keyUsage != null) {
sb.append(" Key Usage: " + keyUsageToString(keyUsage) + "\n");
}
if (keyPurposeSet != null) {
sb.append(" Extended Key Usage: " +
keyPurposeSet.toString() + "\n");
}
if (policy != null) {
sb.append(" Policy: " + policy.toString() + "\n");
}
if (pathToGeneralNames != null) {
sb.append(" Path to names:\n");
Iterator i = pathToGeneralNames.iterator();
while (i.hasNext()) {
sb.append(" " + i.next() + "\n");
}
}
sb.append("]");
return sb.toString();
|
