1 /* 2 * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.io.IOException; 29 import java.security.PublicKey; 30 31 import javax.security.auth.x500.X500Principal; 32 33 import sun.security.x509.NameConstraintsExtension; 34 import sun.security.x509.X500Name; 35 36 /** 37 * A trust anchor or most-trusted Certification Authority (CA). 38 * <p> 39 * This class represents a "most-trusted CA", which is used as a trust anchor 40 * for validating X.509 certification paths. A most-trusted CA includes the 41 * public key of the CA, the CA's name, and any constraints upon the set of 42 * paths which may be validated using this key. These parameters can be 43 * specified in the form of a trusted {@code X509Certificate} or as 44 * individual parameters. 45 * <p> 46 * <b>Concurrent Access</b> 47 * <p>All {@code TrustAnchor} objects must be immutable and 48 * thread-safe. That is, multiple threads may concurrently invoke the 49 * methods defined in this class on a single {@code TrustAnchor} 50 * object (or more than one) with no ill effects. Requiring 51 * {@code TrustAnchor} objects to be immutable and thread-safe 52 * allows them to be passed around to various pieces of code without 53 * worrying about coordinating access. This stipulation applies to all 54 * public fields and methods of this class and any added or overridden 55 * by subclasses. 56 * 57 * @see PKIXParameters#PKIXParameters(Set) 58 * @see PKIXBuilderParameters#PKIXBuilderParameters(Set, CertSelector) 59 * 60 * @since 1.4 61 * @author Sean Mullan 62 */ 63 public class TrustAnchor { 64 65 private final PublicKey pubKey; 66 private final String caName; 67 private final X500Principal caPrincipal; 68 private final X509Certificate trustedCert; 69 private byte[] ncBytes; 70 private NameConstraintsExtension nc; 71 72 /** 73 * Creates an instance of {@code TrustAnchor} with the specified 74 * {@code X509Certificate} and optional name constraints, which 75 * are intended to be used as additional constraints when validating 76 * an X.509 certification path. 77 * <p> 78 * The name constraints are specified as a byte array. This byte array 79 * should contain the DER encoded form of the name constraints, as they 80 * would appear in the NameConstraints structure defined in 81 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280</a> 82 * and X.509. The ASN.1 definition of this structure appears below. 83 * 84 * <pre>{@code 85 * NameConstraints ::= SEQUENCE { 86 * permittedSubtrees [0] GeneralSubtrees OPTIONAL, 87 * excludedSubtrees [1] GeneralSubtrees OPTIONAL } 88 * 89 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree 90 * 91 * GeneralSubtree ::= SEQUENCE { 92 * base GeneralName, 93 * minimum [0] BaseDistance DEFAULT 0, 94 * maximum [1] BaseDistance OPTIONAL } 95 * 96 * BaseDistance ::= INTEGER (0..MAX) 97 * 98 * GeneralName ::= CHOICE { 99 * otherName [0] OtherName, 100 * rfc822Name [1] IA5String, 101 * dNSName [2] IA5String, 102 * x400Address [3] ORAddress, 103 * directoryName [4] Name, 104 * ediPartyName [5] EDIPartyName, 105 * uniformResourceIdentifier [6] IA5String, 106 * iPAddress [7] OCTET STRING, 107 * registeredID [8] OBJECT IDENTIFIER} 108 * }</pre> 109 * <p> 110 * Note that the name constraints byte array supplied is cloned to protect 111 * against subsequent modifications. 112 * 113 * @param trustedCert a trusted {@code X509Certificate} 114 * @param nameConstraints a byte array containing the ASN.1 DER encoding of 115 * a NameConstraints extension to be used for checking name constraints. 116 * Only the value of the extension is included, not the OID or criticality 117 * flag. Specify {@code null} to omit the parameter. 118 * @throws IllegalArgumentException if the name constraints cannot be 119 * decoded 120 * @throws NullPointerException if the specified 121 * {@code X509Certificate} is {@code null} 122 */ TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)123 public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) 124 { 125 if (trustedCert == null) 126 throw new NullPointerException("the trustedCert parameter must " + 127 "be non-null"); 128 this.trustedCert = trustedCert; 129 this.pubKey = null; 130 this.caName = null; 131 this.caPrincipal = null; 132 setNameConstraints(nameConstraints); 133 } 134 135 /** 136 * Creates an instance of {@code TrustAnchor} where the 137 * most-trusted CA is specified as an X500Principal and public key. 138 * Name constraints are an optional parameter, and are intended to be used 139 * as additional constraints when validating an X.509 certification path. 140 * <p> 141 * The name constraints are specified as a byte array. This byte array 142 * contains the DER encoded form of the name constraints, as they 143 * would appear in the NameConstraints structure defined in RFC 5280 144 * and X.509. The ASN.1 notation for this structure is supplied in the 145 * documentation for 146 * {@link #TrustAnchor(X509Certificate, byte[]) 147 * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. 148 * <p> 149 * Note that the name constraints byte array supplied here is cloned to 150 * protect against subsequent modifications. 151 * 152 * @param caPrincipal the name of the most-trusted CA as X500Principal 153 * @param pubKey the public key of the most-trusted CA 154 * @param nameConstraints a byte array containing the ASN.1 DER encoding of 155 * a NameConstraints extension to be used for checking name constraints. 156 * Only the value of the extension is included, not the OID or criticality 157 * flag. Specify {@code null} to omit the parameter. 158 * @throws NullPointerException if the specified {@code caPrincipal} or 159 * {@code pubKey} parameter is {@code null} 160 * @since 1.5 161 */ TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints)162 public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, 163 byte[] nameConstraints) { 164 if ((caPrincipal == null) || (pubKey == null)) { 165 throw new NullPointerException(); 166 } 167 this.trustedCert = null; 168 this.caPrincipal = caPrincipal; 169 this.caName = caPrincipal.getName(); 170 this.pubKey = pubKey; 171 setNameConstraints(nameConstraints); 172 } 173 174 /** 175 * Creates an instance of {@code TrustAnchor} where the 176 * most-trusted CA is specified as a distinguished name and public key. 177 * Name constraints are an optional parameter, and are intended to be used 178 * as additional constraints when validating an X.509 certification path. 179 * <p> 180 * The name constraints are specified as a byte array. This byte array 181 * contains the DER encoded form of the name constraints, as they 182 * would appear in the NameConstraints structure defined in RFC 5280 183 * and X.509. The ASN.1 notation for this structure is supplied in the 184 * documentation for 185 * {@link #TrustAnchor(X509Certificate, byte[]) 186 * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. 187 * <p> 188 * Note that the name constraints byte array supplied here is cloned to 189 * protect against subsequent modifications. 190 * 191 * @param caName the X.500 distinguished name of the most-trusted CA in 192 * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> 193 * {@code String} format 194 * @param pubKey the public key of the most-trusted CA 195 * @param nameConstraints a byte array containing the ASN.1 DER encoding of 196 * a NameConstraints extension to be used for checking name constraints. 197 * Only the value of the extension is included, not the OID or criticality 198 * flag. Specify {@code null} to omit the parameter. 199 * @throws IllegalArgumentException if the specified 200 * {@code caName} parameter is empty {@code (caName.length() == 0)} 201 * or incorrectly formatted or the name constraints cannot be decoded 202 * @throws NullPointerException if the specified {@code caName} or 203 * {@code pubKey} parameter is {@code null} 204 */ TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)205 public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints) 206 { 207 if (pubKey == null) 208 throw new NullPointerException("the pubKey parameter must be " + 209 "non-null"); 210 if (caName == null) 211 throw new NullPointerException("the caName parameter must be " + 212 "non-null"); 213 if (caName.length() == 0) 214 throw new IllegalArgumentException("the caName " + 215 "parameter must be a non-empty String"); 216 // check if caName is formatted correctly 217 this.caPrincipal = new X500Principal(caName); 218 this.pubKey = pubKey; 219 this.caName = caName; 220 this.trustedCert = null; 221 setNameConstraints(nameConstraints); 222 } 223 224 /** 225 * Returns the most-trusted CA certificate. 226 * 227 * @return a trusted {@code X509Certificate} or {@code null} 228 * if the trust anchor was not specified as a trusted certificate 229 */ getTrustedCert()230 public final X509Certificate getTrustedCert() { 231 return this.trustedCert; 232 } 233 234 /** 235 * Returns the name of the most-trusted CA as an X500Principal. 236 * 237 * @return the X.500 distinguished name of the most-trusted CA, or 238 * {@code null} if the trust anchor was not specified as a trusted 239 * public key and name or X500Principal pair 240 * @since 1.5 241 */ getCA()242 public final X500Principal getCA() { 243 return this.caPrincipal; 244 } 245 246 /** 247 * Returns the name of the most-trusted CA in RFC 2253 {@code String} 248 * format. 249 * 250 * @return the X.500 distinguished name of the most-trusted CA, or 251 * {@code null} if the trust anchor was not specified as a trusted 252 * public key and name or X500Principal pair 253 */ getCAName()254 public final String getCAName() { 255 return this.caName; 256 } 257 258 /** 259 * Returns the public key of the most-trusted CA. 260 * 261 * @return the public key of the most-trusted CA, or {@code null} 262 * if the trust anchor was not specified as a trusted public key and name 263 * or X500Principal pair 264 */ getCAPublicKey()265 public final PublicKey getCAPublicKey() { 266 return this.pubKey; 267 } 268 269 /** 270 * Decode the name constraints and clone them if not null. 271 */ setNameConstraints(byte[] bytes)272 private void setNameConstraints(byte[] bytes) { 273 if (bytes == null) { 274 ncBytes = null; 275 nc = null; 276 } else { 277 ncBytes = bytes.clone(); 278 // validate DER encoding 279 try { 280 nc = new NameConstraintsExtension(Boolean.FALSE, bytes); 281 } catch (IOException ioe) { 282 IllegalArgumentException iae = 283 new IllegalArgumentException(ioe.getMessage()); 284 iae.initCause(ioe); 285 throw iae; 286 } 287 } 288 } 289 290 /** 291 * Returns the name constraints parameter. The specified name constraints 292 * are associated with this trust anchor and are intended to be used 293 * as additional constraints when validating an X.509 certification path. 294 * <p> 295 * The name constraints are returned as a byte array. This byte array 296 * contains the DER encoded form of the name constraints, as they 297 * would appear in the NameConstraints structure defined in RFC 5280 298 * and X.509. The ASN.1 notation for this structure is supplied in the 299 * documentation for 300 * {@link #TrustAnchor(X509Certificate, byte[]) 301 * TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) }. 302 * <p> 303 * Note that the byte array returned is cloned to protect against 304 * subsequent modifications. 305 * 306 * @return a byte array containing the ASN.1 DER encoding of 307 * a NameConstraints extension used for checking name constraints, 308 * or {@code null} if not set. 309 */ getNameConstraints()310 public final byte [] getNameConstraints() { 311 return ncBytes == null ? null : ncBytes.clone(); 312 } 313 314 /** 315 * Returns a formatted string describing the {@code TrustAnchor}. 316 * 317 * @return a formatted string describing the {@code TrustAnchor} 318 */ toString()319 public String toString() { 320 StringBuilder sb = new StringBuilder(); 321 sb.append("[\n"); 322 if (pubKey != null) { 323 sb.append(" Trusted CA Public Key: " + pubKey.toString() + "\n"); 324 sb.append(" Trusted CA Issuer Name: " 325 + String.valueOf(caName) + "\n"); 326 } else { 327 sb.append(" Trusted CA cert: " + trustedCert.toString() + "\n"); 328 } 329 if (nc != null) 330 sb.append(" Name Constraints: " + nc.toString() + "\n"); 331 return sb.toString(); 332 } 333 } 334