diff options
Diffstat (limited to 'pki/base/util/src/netscape/security/x509/X509Cert.java')
| -rw-r--r-- | pki/base/util/src/netscape/security/x509/X509Cert.java | 1112 |
1 files changed, 525 insertions, 587 deletions
diff --git a/pki/base/util/src/netscape/security/x509/X509Cert.java b/pki/base/util/src/netscape/security/x509/X509Cert.java index 873d25ab..c9ec68db 100644 --- a/pki/base/util/src/netscape/security/x509/X509Cert.java +++ b/pki/base/util/src/netscape/security/x509/X509Cert.java @@ -41,14 +41,12 @@ import netscape.security.util.DerValue; /** * @author David Brownell * @version 1.5 - * + * * @see CertAndKeyGen - * @deprecated Use the new X509Certificate class. - * This class is only restored for backwards compatibility. + * @deprecated Use the new X509Certificate class. This class is only restored + * for backwards compatibility. */ -public -class X509Cert implements Certificate, Serializable -{ +public class X509Cert implements Certificate, Serializable { /** * @@ -62,224 +60,203 @@ class X509Cert implements Certificate, Serializable * decode</a> must later be called (or which may be deserialized). */ // XXX deprecated, delete this - public X509Cert () { } - + public X509Cert() { + } /** - * Unmarshals a certificate from its encoded form, parsing the - * encoded bytes. This form of constructor is used by agents which - * need to examine and use certificate contents. That is, this is - * one of the more commonly used constructors. Note that the buffer - * must include only a certificate, and no "garbage" may be left at - * the end. If you need to ignore data at the end of a certificate, - * use another constructor. - * + * Unmarshals a certificate from its encoded form, parsing the encoded + * bytes. This form of constructor is used by agents which need to examine + * and use certificate contents. That is, this is one of the more commonly + * used constructors. Note that the buffer must include only a certificate, + * and no "garbage" may be left at the end. If you need to ignore data at + * the end of a certificate, use another constructor. + * * @param cert the encoded bytes, with no terminatu (CONSUMED) * @exception IOException when the certificate is improperly encoded. */ - public X509Cert ( - byte cert [] - ) throws IOException - { - DerValue in = new DerValue (cert); + public X509Cert(byte cert[]) throws IOException { + DerValue in = new DerValue(cert); - parse (in); - if (in.data.available () != 0) - throw new CertParseError ("garbage at end"); - signedCert = cert; + parse(in); + if (in.data.available() != 0) + throw new CertParseError("garbage at end"); + signedCert = cert; } - /** - * Unmarshals a certificate from its encoded form, parsing the - * encoded bytes. This form of constructor is used by agents which - * need to examine and use certificate contents. That is, this is - * one of the most commonly used constructors. - * + * Unmarshals a certificate from its encoded form, parsing the encoded + * bytes. This form of constructor is used by agents which need to examine + * and use certificate contents. That is, this is one of the most commonly + * used constructors. + * * @param buf the buffer holding the encoded bytes * @param offset the offset in the buffer where the bytes begin * @param len how many bytes of certificate exist - * + * * @exception IOException when the certificate is improperly encoded. */ - public X509Cert ( - byte buf [], - int offset, - int len - ) throws IOException - { - DerValue in = new DerValue (buf, offset, len); + public X509Cert(byte buf[], int offset, int len) throws IOException { + DerValue in = new DerValue(buf, offset, len); - parse (in); - if (in.data.available () != 0) - throw new CertParseError ("garbage at end"); - signedCert = new byte [len]; - System.arraycopy (buf, offset, signedCert, 0, len); + parse(in); + if (in.data.available() != 0) + throw new CertParseError("garbage at end"); + signedCert = new byte[len]; + System.arraycopy(buf, offset, signedCert, 0, len); } - /** - * Unmarshal a certificate from its encoded form, parsing a DER value. - * This form of constructor is used by agents which need to examine - * and use certificate contents. - * + * Unmarshal a certificate from its encoded form, parsing a DER value. This + * form of constructor is used by agents which need to examine and use + * certificate contents. + * * @param derVal the der value containing the encoded cert. * @exception IOException when the certificate is improperly encoded. */ - public X509Cert (DerValue derVal) throws IOException - { - parse (derVal); - if (derVal.data.available () != 0) - throw new CertParseError ("garbage at end"); - signedCert = derVal.toByteArray (); + public X509Cert(DerValue derVal) throws IOException { + parse(derVal); + if (derVal.data.available() != 0) + throw new CertParseError("garbage at end"); + signedCert = derVal.toByteArray(); } - /** - * Partially constructs a certificate from descriptive parameters. - * This constructor may be used by Certificate Authority (CA) code, - * which later <a href="#signAndEncode">signs and encodes</a> the - * certificate. Also, self-signed certificates serve as CA certificates, - * and are sometimes used as certificate requests. - * - * <P>Until the certificate has been signed and encoded, some of - * the mandatory fields in the certificate will not be available - * via accessor functions: the serial number, issuer name and signing - * algorithm, and of course the signed certificate. The fields passed - * to this constructor are available, and must be non-null. - * - * <P>Note that the public key being signed is generally independent of - * the signature algorithm being used. So for example Diffie-Hellman - * keys (which do not support signatures) can be placed in X.509 - * certificates when some other signature algorithm (e.g. DSS/DSA, - * or one of the RSA based algorithms) is used. - * + * Partially constructs a certificate from descriptive parameters. This + * constructor may be used by Certificate Authority (CA) code, which later + * <a href="#signAndEncode">signs and encodes</a> the certificate. Also, + * self-signed certificates serve as CA certificates, and are sometimes used + * as certificate requests. + * + * <P> + * Until the certificate has been signed and encoded, some of the mandatory + * fields in the certificate will not be available via accessor functions: + * the serial number, issuer name and signing algorithm, and of course the + * signed certificate. The fields passed to this constructor are available, + * and must be non-null. + * + * <P> + * Note that the public key being signed is generally independent of the + * signature algorithm being used. So for example Diffie-Hellman keys (which + * do not support signatures) can be placed in X.509 certificates when some + * other signature algorithm (e.g. DSS/DSA, or one of the RSA based + * algorithms) is used. + * * @see CertAndKeyGen - * + * * @param subjectName the X.500 distinguished name being certified - * @param subjectPublicKey the public key being certified. This - * must be an "X509Key" implementing the "PublicKey" interface. + * @param subjectPublicKey the public key being certified. This must be an + * "X509Key" implementing the "PublicKey" interface. * @param notBefore the first time the certificate is valid * @param notAfter the last time the certificate is valid - * + * * @exception CertException if the public key is inappropriate */ - public X509Cert ( - X500Name subjectName, - X509Key subjectPublicKey, - Date notBefore, - Date notAfter - ) throws CertException - { - subject = subjectName; - - if (!(subjectPublicKey instanceof PublicKey)) - throw new CertException (CertException.err_INVALID_PUBLIC_KEY, - "Doesn't implement PublicKey interface"); + public X509Cert(X500Name subjectName, X509Key subjectPublicKey, + Date notBefore, Date notAfter) throws CertException { + subject = subjectName; - /* - * The X509 cert API requires X509 keys, else things break. - */ - pubkey = subjectPublicKey; - notbefore = notBefore; - notafter = notAfter; - version = 0; - } + if (!(subjectPublicKey instanceof PublicKey)) + throw new CertException(CertException.err_INVALID_PUBLIC_KEY, + "Doesn't implement PublicKey interface"); + /* + * The X509 cert API requires X509 keys, else things break. + */ + pubkey = subjectPublicKey; + notbefore = notBefore; + notafter = notAfter; + version = 0; + } /** * Decode an X.509 certificate from an input stream. - * + * * @param in an input stream holding at least one certificate * @exception IOException when the certificate is improperly encoded. */ - public void decode (InputStream in) throws IOException - { - DerValue val = new DerValue (in); + public void decode(InputStream in) throws IOException { + DerValue val = new DerValue(in); - parse (val); - if (val.data.available () != 0) - throw new CertParseError ("garbage at end"); - signedCert = val.toByteArray (); + parse(val); + if (val.data.available() != 0) + throw new CertParseError("garbage at end"); + signedCert = val.toByteArray(); } - /** * Appends the certificate to an output stream. - * + * * @param out an input stream to which the certificate is appended. * @exception IOException when appending fails. */ - public void encode (OutputStream out) throws IOException - { out.write (getSignedCert ()); } - + public void encode(OutputStream out) throws IOException { + out.write(getSignedCert()); + } /** - * Compares two certificates. This is false if the - * certificates are not both X.509 certs, otherwise it - * compares them as binary data. - * + * Compares two certificates. This is false if the certificates are not both + * X.509 certs, otherwise it compares them as binary data. + * * @param other the object being compared with this one * @return true iff the certificates are equivalent */ - public boolean equals (Object other) - { - if (other instanceof X509Cert) - return equals ((X509Cert) other); - else - return false; + public boolean equals(Object other) { + if (other instanceof X509Cert) + return equals((X509Cert) other); + else + return false; } - /** - * Compares two certificates, returning false if any data - * differs between the two. - * + * Compares two certificates, returning false if any data differs between + * the two. + * * @param other the object being compared with this one * @return true iff the certificates are equivalent */ - public boolean equals (X509Cert src) - { - if (this == src) - return true; - if (signedCert == null || src.signedCert == null) - return false; - if (signedCert.length != src.signedCert.length) - return false; - for (int i = 0; i < signedCert.length; i++) - if (signedCert [i] != src.signedCert [i]) - return false; - return true; + public boolean equals(X509Cert src) { + if (this == src) + return true; + if (signedCert == null || src.signedCert == null) + return false; + if (signedCert.length != src.signedCert.length) + return false; + for (int i = 0; i < signedCert.length; i++) + if (signedCert[i] != src.signedCert[i]) + return false; + return true; } - /** Returns the "X.509" format identifier. */ - public String getFormat () // for Certificate - { return "X.509"; } - + public String getFormat() // for Certificate + { + return "X.509"; + } /** Returns <a href="#getIssuerName">getIssuerName</a> */ - public Principal getGuarantor () // for Certificate - { return getIssuerName (); } - + public Principal getGuarantor() // for Certificate + { + return getIssuerName(); + } /** Returns <a href="#getSubjectName">getSubjectName</a> */ - public Principal getPrincipal () - { return getSubjectName (); } - + public Principal getPrincipal() { + return getSubjectName(); + } /** - * Throws an exception if the certificate is invalid because it is - * now outside of the certificate's validity period, or because it - * was not signed using the verification key provided. Successfully - * verifying a certificate does <em>not</em> indicate that one should - * trust the entity which it represents. - * - * <P><em>Note that since this class represents only a single X.509 + * Throws an exception if the certificate is invalid because it is now + * outside of the certificate's validity period, or because it was not + * signed using the verification key provided. Successfully verifying a + * certificate does <em>not</em> indicate that one should trust the entity + * which it represents. + * + * <P> + * <em>Note that since this class represents only a single X.509 * certificate, it cannot know anything about the certificate chain * which is used to provide the verification key and to establish trust. * Other code must manage and use those cert chains. - * + * * <P>For now, you must walk the cert chain being used to verify any * given cert. Start at the root, which is a self-signed certificate; * verify it using the key inside the certificate. Then use that to @@ -289,351 +266,331 @@ class X509Cert implements Certificate, Serializable * if any of the verification operations for its certificate chain * were unsuccessful. * </em> - * + * * @param issuerPublicKey the public key of the issuing CA * @exception CertException when the certificate is not valid. */ - public void verify (PublicKey issuerPublicKey) - throws CertException - { - Date now = new Date (); - - if (now.before (notbefore)) - throw new CertException (CertException.verf_INVALID_NOTBEFORE); - if (now.after (notafter)) - throw new CertException (CertException.verf_INVALID_EXPIRED); - if (signedCert == null) - throw new CertException (CertException.verf_INVALID_SIG, - "?? certificate is not signed yet ??"); - - // - // Verify the signature ... - // - String algName = null; - - try { - Signature sigVerf = null; - - algName = issuerSigAlg.getName(); - sigVerf = Signature.getInstance(algName); - sigVerf.initVerify (issuerPublicKey); - sigVerf.update (rawCert, 0, rawCert.length); - - if (!sigVerf.verify (signature)) { - throw new CertException (CertException.verf_INVALID_SIG, - "Signature ... by <" + issuer + "> for <" + subject + ">"); - } - - // Gag -- too many catch clauses, let most through. - - } catch (NoSuchAlgorithmException e) { - throw new CertException (CertException.verf_INVALID_SIG, - "Unsupported signature algorithm (" + algName + ")"); - - } catch (InvalidKeyException e) { - // e.printStackTrace(); - throw new CertException (CertException.err_INVALID_PUBLIC_KEY, - "Algorithm (" + algName + ") rejected public key"); - - } catch (SignatureException e) { - throw new CertException (CertException.verf_INVALID_SIG, - "Signature by <" + issuer + "> for <" + subject + ">"); - } + public void verify(PublicKey issuerPublicKey) throws CertException { + Date now = new Date(); + + if (now.before(notbefore)) + throw new CertException(CertException.verf_INVALID_NOTBEFORE); + if (now.after(notafter)) + throw new CertException(CertException.verf_INVALID_EXPIRED); + if (signedCert == null) + throw new CertException(CertException.verf_INVALID_SIG, + "?? certificate is not signed yet ??"); + + // + // Verify the signature ... + // + String algName = null; + + try { + Signature sigVerf = null; + + algName = issuerSigAlg.getName(); + sigVerf = Signature.getInstance(algName); + sigVerf.initVerify(issuerPublicKey); + sigVerf.update(rawCert, 0, rawCert.length); + + if (!sigVerf.verify(signature)) { + throw new CertException(CertException.verf_INVALID_SIG, + "Signature ... by <" + issuer + "> for <" + subject + + ">"); + } + + // Gag -- too many catch clauses, let most through. + + } catch (NoSuchAlgorithmException e) { + throw new CertException(CertException.verf_INVALID_SIG, + "Unsupported signature algorithm (" + algName + ")"); + + } catch (InvalidKeyException e) { + // e.printStackTrace(); + throw new CertException(CertException.err_INVALID_PUBLIC_KEY, + "Algorithm (" + algName + ") rejected public key"); + + } catch (SignatureException e) { + throw new CertException(CertException.verf_INVALID_SIG, + "Signature by <" + issuer + "> for <" + subject + ">"); + } } - /** - * Creates an X.509 certificate, and signs it using the issuer - * passed (associating a signature algorithm and an X.500 name). - * This operation is used to implement the certificate generation - * functionality of a certificate authority. - * + * Creates an X.509 certificate, and signs it using the issuer passed + * (associating a signature algorithm and an X.500 name). This operation is + * used to implement the certificate generation functionality of a + * certificate authority. + * * @see #getSignedCert * @see #getSigner * @see CertAndKeyGen - * + * * @param serial the serial number of the certificate (non-null) * @param issuer the certificate issuer (CA) (non-null) * @return the signed certificate, as returned by getSignedCert - * - * @exception IOException if any of the data could not be encoded, - * or when any mandatory data was omitted + * + * @exception IOException if any of the data could not be encoded, or when + * any mandatory data was omitted * @exception SignatureException on signing failures */ - public byte [] - encodeAndSign ( - BigInt serial, - X500Signer issuer - ) throws IOException, SignatureException - { - rawCert = null; - - /* - * Get the remaining cert parameters, and make sure we have enough. - * - * We deduce version based on what attribute data are available - * For now, we have no attributes, so we always deduce X.509v1 ! - */ - version = 0; - serialnum = serial; - this.issuer = issuer.getSigner (); - issuerSigAlg = issuer.getAlgorithmId (); + public byte[] encodeAndSign(BigInt serial, X500Signer issuer) + throws IOException, SignatureException { + rawCert = null; - if (subject == null || pubkey == null - || notbefore == null || notafter == null) - throw new IOException ("not enough cert parameters"); + /* + * Get the remaining cert parameters, and make sure we have enough. + * + * We deduce version based on what attribute data are available For now, + * we have no attributes, so we always deduce X.509v1 ! + */ + version = 0; + serialnum = serial; + this.issuer = issuer.getSigner(); + issuerSigAlg = issuer.getAlgorithmId(); + + if (subject == null || pubkey == null || notbefore == null + || notafter == null) + throw new IOException("not enough cert parameters"); - /* - * Encode the raw cert, create its signature and put it - * into the envelope. - */ - rawCert = DERencode (); - signedCert = sign (issuer, rawCert); - return signedCert; + /* + * Encode the raw cert, create its signature and put it into the + * envelope. + */ + rawCert = DERencode(); + signedCert = sign(issuer, rawCert); + return signedCert; } - /** - * Returns an X500Signer that may be used to create signatures. Those - * signature may in turn be verified using this certificate (or a - * copy of it). - * - * <P><em><b>NOTE:</b> If the private key is by itself capable of + * Returns an X500Signer that may be used to create signatures. Those + * signature may in turn be verified using this certificate (or a copy of + * it). + * + * <P> + * <em><b>NOTE:</b> If the private key is by itself capable of * creating signatures, this fact may not be recognized at this time. * Specifically, the case of DSS/DSA keys which get their algorithm * parameters from higher in the certificate chain is not supportable * without using an X509CertChain API, and there is no current support * for other sources of algorithm parameters.</em> - * - * @param algorithm the signature algorithm to be used. Note that a - * given public/private key pair may support several such algorithms. - * @param privateKey the private key used to create the signature, - * which must correspond to the public key in this certificate + * + * @param algorithm the signature algorithm to be used. Note that a given + * public/private key pair may support several such algorithms. + * @param privateKey the private key used to create the signature, which + * must correspond to the public key in this certificate * @return the Signer object - * - * @exception NoSuchAlgorithmException if the signature - * algorithm is not supported - * @exception InvalidKeyException if either the key in the certificate, - * or the private key parameter, does not support the requested - * signature algorithm - */ - public X500Signer getSigner (AlgorithmId algorithmId, - PrivateKey privateKey) - throws NoSuchAlgorithmException, InvalidKeyException - { - String algorithm; - Signature sig; - - if (privateKey instanceof Key) { - Key key = (Key)privateKey; - algorithm = key.getAlgorithm(); - } else { - throw new InvalidKeyException("private key not a key!"); - } - - sig = Signature.getInstance(algorithmId.getName()); - - if (!pubkey.getAlgorithm ().equals (algorithm)) { - - throw new InvalidKeyException( "Private key algorithm " + - algorithm + - " incompatible with certificate " + - pubkey.getAlgorithm()); - } - sig.initSign (privateKey); - return new X500Signer (sig, subject); + * + * @exception NoSuchAlgorithmException if the signature algorithm is not + * supported + * @exception InvalidKeyException if either the key in the certificate, or + * the private key parameter, does not support the requested + * signature algorithm + */ + public X500Signer getSigner(AlgorithmId algorithmId, PrivateKey privateKey) + throws NoSuchAlgorithmException, InvalidKeyException { + String algorithm; + Signature sig; + + if (privateKey instanceof Key) { + Key key = (Key) privateKey; + algorithm = key.getAlgorithm(); + } else { + throw new InvalidKeyException("private key not a key!"); + } + + sig = Signature.getInstance(algorithmId.getName()); + + if (!pubkey.getAlgorithm().equals(algorithm)) { + + throw new InvalidKeyException("Private key algorithm " + algorithm + + " incompatible with certificate " + pubkey.getAlgorithm()); + } + sig.initSign(privateKey); + return new X500Signer(sig, subject); } - /** - * Returns a signature object that may be used to verify signatures - * created using a specified signature algorithm and the public key - * contained in this certificate. - * - * <P><em><b>NOTE:</b> If the public key in this certificate is not by + * Returns a signature object that may be used to verify signatures created + * using a specified signature algorithm and the public key contained in + * this certificate. + * + * <P> + * <em><b>NOTE:</b> If the public key in this certificate is not by * itself capable of verifying signatures, this may not be recognized * at this time. Specifically, the case of DSS/DSA keys which get * their algorithm parameters from higher in the certificate chain * is not supportable without using an X509CertChain API, and there * is no current support for other sources of algorithm parameters.</em> - * + * * @param algorithm the algorithm of the signature to be verified * @return the Signature object - * @exception NoSuchAlgorithmException if the signature - * algorithm is not supported - * @exception InvalidKeyException if the key in the certificate - * does not support the requested signature algorithm + * @exception NoSuchAlgorithmException if the signature algorithm is not + * supported + * @exception InvalidKeyException if the key in the certificate does not + * support the requested signature algorithm */ public Signature getVerifier(String algorithm) - throws NoSuchAlgorithmException, InvalidKeyException - { - String algName; - Signature sig; + throws NoSuchAlgorithmException, InvalidKeyException { + String algName; + Signature sig; - sig = Signature.getInstance(algorithm); - sig.initVerify (pubkey); - return sig; + sig = Signature.getInstance(algorithm); + sig.initVerify(pubkey); + return sig; } - - /** - * Return the signed X.509 certificate as a byte array. - * The bytes are in standard DER marshaled form. - * Null is returned in the case of a partially constructed cert. + * Return the signed X.509 certificate as a byte array. The bytes are in + * standard DER marshaled form. Null is returned in the case of a partially + * constructed cert. */ - public byte [] getSignedCert () - { return signedCert; } - + public byte[] getSignedCert() { + return signedCert; + } /** - * Returns the certificate's serial number. - * Null is returned in the case of a partially constructed cert. + * Returns the certificate's serial number. Null is returned in the case of + * a partially constructed cert. */ - public BigInt getSerialNumber () - { return serialnum; } - + public BigInt getSerialNumber() { + return serialnum; + } /** * Returns the subject's X.500 distinguished name. */ - public X500Name getSubjectName () - { return subject; } - + public X500Name getSubjectName() { + return subject; + } /** - * Returns the certificate issuer's X.500 distinguished name. - * Null is returned in the case of a partially constructed cert. + * Returns the certificate issuer's X.500 distinguished name. Null is + * returned in the case of a partially constructed cert. */ - public X500Name getIssuerName () - { return issuer; } - + public X500Name getIssuerName() { + return issuer; + } /** - * Returns the algorithm used by the issuer to sign the certificate. - * Null is returned in the case of a partially constructed cert. + * Returns the algorithm used by the issuer to sign the certificate. Null is + * returned in the case of a partially constructed cert. */ - public AlgorithmId getIssuerAlgorithmId () - { return issuerSigAlg; } - + public AlgorithmId getIssuerAlgorithmId() { + return issuerSigAlg; + } /** * Returns the first time the certificate is valid. */ - public Date getNotBefore () - { return notbefore; } - + public Date getNotBefore() { + return notbefore; + } /** * Returns the last time the certificate is valid. */ - public Date getNotAfter () - { return notafter; } - + public Date getNotAfter() { + return notafter; + } /** - * Returns the subject's public key. Note that some public key - * algorithms support an optional certificate generation policy - * where the keys in the certificates are not in themselves sufficient - * to perform a public key operation. Those keys need to be augmented - * by algorithm parameters, which the certificate generation policy - * chose not to place in the certificate. - * - * <P>Two such public key algorithms are: DSS/DSA, where algorithm - * parameters could be acquired from a CA certificate in the chain - * of issuers; and Diffie-Hellman, with a similar solution although - * the CA then needs both a Diffie-Hellman certificate and a signature - * capable certificate. - */ - public PublicKey getPublicKey () - { return pubkey; } - + * Returns the subject's public key. Note that some public key algorithms + * support an optional certificate generation policy where the keys in the + * certificates are not in themselves sufficient to perform a public key + * operation. Those keys need to be augmented by algorithm parameters, which + * the certificate generation policy chose not to place in the certificate. + * + * <P> + * Two such public key algorithms are: DSS/DSA, where algorithm parameters + * could be acquired from a CA certificate in the chain of issuers; and + * Diffie-Hellman, with a similar solution although the CA then needs both a + * Diffie-Hellman certificate and a signature capable certificate. + */ + public PublicKey getPublicKey() { + return pubkey; + } /** - * Returns the X.509 version number of this certificate, zero based. - * That is, "2" indicates an X.509 version 3 (1993) certificate, - * and "0" indicates X.509v1 (1988). - * Zero is returned in the case of a partially constructed cert. + * Returns the X.509 version number of this certificate, zero based. That + * is, "2" indicates an X.509 version 3 (1993) certificate, and "0" + * indicates X.509v1 (1988). Zero is returned in the case of a partially + * constructed cert. */ - public int getVersion () - { return version; } + public int getVersion() { + return version; + } - /** - * Calculates a hash code value for the object. Objects - * which are equal will also have the same hashcode. + * Calculates a hash code value for the object. Objects which are equal will + * also have the same hashcode. */ - public int hashCode () - { - int retval = 0; + public int hashCode() { + int retval = 0; - for (int i = 0; i < signedCert.length; i++) - retval += signedCert [i] * i; - return retval; + for (int i = 0; i < signedCert.length; i++) + retval += signedCert[i] * i; + return retval; } - /** - * Returns a printable representation of the certificate. This does not - * contain all the information available to distinguish this from any - * other certificate. The certificate must be fully constructed - * before this function may be called; in particular, if you are - * creating certificates you must call encodeAndSign() before calling - * this function. - */ - public String toString () - { - String s; + * Returns a printable representation of the certificate. This does not + * contain all the information available to distinguish this from any other + * certificate. The certificate must be fully constructed before this + * function may be called; in particular, if you are creating certificates + * you must call encodeAndSign() before calling this function. + */ + public String toString() { + String s; - if (subject == null || pubkey == null - || notbefore == null || notafter == null - || issuer == null || issuerSigAlg == null - || serialnum == null) - throw new NullPointerException ("X.509 cert is incomplete"); + if (subject == null || pubkey == null || notbefore == null + || notafter == null || issuer == null || issuerSigAlg == null + || serialnum == null) + throw new NullPointerException("X.509 cert is incomplete"); s = " X.509v" + (version + 1) + " certificate,\n"; s += " Subject is " + subject + "\n"; s += " Key: " + pubkey; s += " Validity <" + notbefore + "> until <" + notafter + ">\n"; s += " Issuer is " + issuer + "\n"; - s += " Issuer signature used " + issuerSigAlg.toString () + "\n"; - s += " Serial number = " + serialnum + "\n"; + s += " Issuer signature used " + issuerSigAlg.toString() + "\n"; + s += " Serial number = " + serialnum + "\n"; // optional v2, v3 extras return "[\n" + s + "]"; } - /** * Returns a printable representation of the certificate. - * + * * @param detailed true iff lots of detail is requested */ - public String toString (boolean detailed) - { return toString (); } - + public String toString(boolean detailed) { + return toString(); + } /* * Certificate data, and its envelope */ - private byte rawCert []; - private byte signature []; - private byte signedCert []; + private byte rawCert[]; + private byte signature[]; + private byte signedCert[]; /* * X509.v1 data (parsed) */ - private X500Name subject; // from subject - private X509Key pubkey; + private X500Name subject; // from subject + private X509Key pubkey; - private Date notafter; // from CA (constructor) - private Date notbefore; + private Date notafter; // from CA (constructor) + private Date notbefore; - private int version; // from CA (signAndEncode) - private BigInt serialnum; - private X500Name issuer; - private AlgorithmId issuerSigAlg; + private int version; // from CA (signAndEncode) + private BigInt serialnum; + private X500Name issuer; + private AlgorithmId issuerSigAlg; /* * X509.v2 extensions @@ -647,244 +604,225 @@ class X509Cert implements Certificate, Serializable * Other extensions ... Netscape, Verisign, SET, etc */ - /************************************************************/ /* * Cert is a SIGNED ASN.1 macro, a three elment sequence: - * - * - Data to be signed (ToBeSigned) -- the "raw" cert - * - Signature algorithm (SigAlgId) - * - The signature bits - * - * This routine unmarshals the certificate, saving the signature - * parts away for later verification. + * + * - Data to be signed (ToBeSigned) -- the "raw" cert - Signature algorithm + * (SigAlgId) - The signature bits + * + * This routine unmarshals the certificate, saving the signature parts away + * for later verification. */ - private void parse (DerValue val) - throws IOException - { - DerValue seq [] = new DerValue [3]; - - seq [0] = val.data.getDerValue (); - seq [1] = val.data.getDerValue (); - seq [2] = val.data.getDerValue (); - - if (val.data.available () != 0) - throw new CertParseError ("signed overrun, bytes = " - + val.data.available ()); - if (seq [0].tag != DerValue.tag_Sequence) - throw new CertParseError ("signed fields invalid"); - - rawCert = seq [0].toByteArray (); // XXX slow; fixme! - - - issuerSigAlg = AlgorithmId.parse (seq [1]); - signature = seq [2].getBitString (); - - if (seq [1].data.available () != 0) { - // XXX why was this error check commented out? - // It was originally part of the next check. - throw new CertParseError ("algid field overrun"); - } - - if (seq [2].data.available () != 0) - throw new CertParseError ("signed fields overrun"); - - /* - * Let's have fun parsing the cert itself. - */ - DerInputStream in; - DerValue tmp; - - in = seq [0].data; - - /* - * Version -- this is optional (default zero). If it's there it's - * the first field and is specially tagged. - * - * Both branches leave "tmp" holding a value for the serial - * number that comes next. - */ - version = 0; - tmp = in.getDerValue (); - if (tmp.isConstructed () && tmp.isContextSpecific ()) { - version = tmp.data.getInteger ().toInt (); - if (tmp.data.available () != 0) - throw new IOException ("X.509 version, bad format"); - tmp = in.getDerValue (); - } + private void parse(DerValue val) throws IOException { + DerValue seq[] = new DerValue[3]; + + seq[0] = val.data.getDerValue(); + seq[1] = val.data.getDerValue(); + seq[2] = val.data.getDerValue(); + + if (val.data.available() != 0) + throw new CertParseError("signed overrun, bytes = " + + val.data.available()); + if (seq[0].tag != DerValue.tag_Sequence) + throw new CertParseError("signed fields invalid"); + + rawCert = seq[0].toByteArray(); // XXX slow; fixme! + + issuerSigAlg = AlgorithmId.parse(seq[1]); + signature = seq[2].getBitString(); + + if (seq[1].data.available() != 0) { + // XXX why was this error check commented out? + // It was originally part of the next check. + throw new CertParseError("algid field overrun"); + } + + if (seq[2].data.available() != 0) + throw new CertParseError("signed fields overrun"); /* - * serial number ... an integer - */ - serialnum = tmp.getInteger (); + * Let's have fun parsing the cert itself. + */ + DerInputStream in; + DerValue tmp; + + in = seq[0].data; + + /* + * Version -- this is optional (default zero). If it's there it's the + * first field and is specially tagged. + * + * Both branches leave "tmp" holding a value for the serial number that + * comes next. + */ + version = 0; + tmp = in.getDerValue(); + if (tmp.isConstructed() && tmp.isContextSpecific()) { + version = tmp.data.getInteger().toInt(); + if (tmp.data.available() != 0) + throw new IOException("X.509 version, bad format"); + tmp = in.getDerValue(); + } + + /* + * serial number ... an integer + */ + serialnum = tmp.getInteger(); /* - * algorithm type for CA's signature ... needs to match the - * one on the envelope, and that's about it! different IDs - * may represent a signature attack. In general we want to - * inherit parameters. - */ - tmp = in.getDerValue (); - { - AlgorithmId algid; - + * algorithm type for CA's signature ... needs to match the one on the + * envelope, and that's about it! different IDs may represent a + * signature attack. In general we want to inherit parameters. + */ + tmp = in.getDerValue(); + { + AlgorithmId algid; - algid = AlgorithmId.parse(tmp); + algid = AlgorithmId.parse(tmp); - if (!algid.equals (issuerSigAlg)) - throw new CertParseError ("CA Algorithm mismatch!"); + if (!algid.equals(issuerSigAlg)) + throw new CertParseError("CA Algorithm mismatch!"); - this.algid = algid; - } + this.algid = algid; + } /* - * issuer name - */ - issuer = new X500Name (in); + * issuer name + */ + issuer = new X500Name(in); /* - * validity: SEQUENCE { start date, end date } - */ - tmp = in.getDerValue (); - if (tmp.tag != DerValue.tag_Sequence) - throw new CertParseError ("corrupt validity field"); + * validity: SEQUENCE { start date, end date } + */ + tmp = in.getDerValue(); + if (tmp.tag != DerValue.tag_Sequence) + throw new CertParseError("corrupt validity field"); - notbefore = tmp.data.getUTCTime (); - notafter = tmp.data.getUTCTime (); - if (tmp.data.available () != 0) - throw new CertParseError ("excess validity data"); + notbefore = tmp.data.getUTCTime(); + notafter = tmp.data.getUTCTime(); + if (tmp.data.available() != 0) + throw new CertParseError("excess validity data"); /* - * subject name and public key - */ - subject = new X500Name (in); + * subject name and public key + */ + subject = new X500Name(in); - tmp = in.getDerValue (); - pubkey = X509Key.parse (tmp); + tmp = in.getDerValue(); + pubkey = X509Key.parse(tmp); /* - * XXX for v2 and later, a bunch of tagged options follow - */ - - if (in.available () != 0) { - /* - * Until we parse V2/V3 data ... ignore it. - * - // throw new CertParseError ("excess cert data"); - System.out.println ( - "@end'o'cert, optional V2/V3 data unparsed: " - + in.available () - + " bytes" - ); - */ - } + * XXX for v2 and later, a bunch of tagged options follow + */ + + if (in.available() != 0) { + /* + * Until we parse V2/V3 data ... ignore it. + * + * // throw new CertParseError ("excess cert data"); + * System.out.println ( + * "@end'o'cert, optional V2/V3 data unparsed: " + in.available () + * + " bytes" ); + */ + } } - /* * Encode only the parts that will later be signed. */ - private byte [] DERencode () throws IOException - { - DerOutputStream raw = new DerOutputStream (); - - encode (raw); - return raw.toByteArray (); - } + private byte[] DERencode() throws IOException { + DerOutputStream raw = new DerOutputStream(); + encode(raw); + return raw.toByteArray(); + } /* * Marshal the contents of a "raw" certificate into a DER sequence. */ - private void encode (DerOutputStream out) throws IOException - { - DerOutputStream tmp = new DerOutputStream (); + private void encode(DerOutputStream out) throws IOException { + DerOutputStream tmp = new DerOutputStream(); - /* - * encode serial number, issuer signing algorithm, - * and issuer name into the data we'll return - */ - tmp.putInteger (serialnum); - issuerSigAlg.encode (tmp); - issuer.encode (tmp); + /* + * encode serial number, issuer signing algorithm, and issuer name into + * the data we'll return + */ + tmp.putInteger(serialnum); + issuerSigAlg.encode(tmp); + issuer.encode(tmp); - /* - * Validity is a two element sequence ... encode the - * elements, then wrap them into the data we'll return - */ - { - DerOutputStream seq = new DerOutputStream (); + /* + * Validity is a two element sequence ... encode the elements, then wrap + * them into the data we'll return + */ + { + DerOutputStream seq = new DerOutputStream(); - seq.putUTCTime (notbefore); - seq.putUTCTime (notafter); - tmp.write (DerValue.tag_Sequence, seq); - } + seq.putUTCTime(notbefore); + seq.putUTCTime(notafter); + tmp.write(DerValue.tag_Sequence, seq); + } - /* - * Encode subject (principal) and associated key - */ - subject.encode (tmp); - pubkey.encode (tmp); + /* + * Encode subject (principal) and associated key + */ + subject.encode(tmp); + pubkey.encode(tmp); - /* - * Wrap the data; encoding of the "raw" cert is now complete. - */ - out.write (DerValue.tag_Sequence, tmp); + /* + * Wrap the data; encoding of the "raw" cert is now complete. + */ + out.write(DerValue.tag_Sequence, tmp); } - /* - * Calculate the signature of the "raw" certificate, - * and marshal the cert with the signature and a - * description of the signing algorithm. + * Calculate the signature of the "raw" certificate, and marshal the cert + * with the signature and a description of the signing algorithm. */ - private byte [] sign (X500Signer issuer, byte data []) - throws IOException, SignatureException - { - /* - * Encode the to-be-signed data, then the algorithm used - * to create the signature. - */ - DerOutputStream out = new DerOutputStream (); - DerOutputStream tmp = new DerOutputStream (); - - tmp.write (data); - issuer.getAlgorithmId ().encode(tmp); + private byte[] sign(X500Signer issuer, byte data[]) throws IOException, + SignatureException { + /* + * Encode the to-be-signed data, then the algorithm used to create the + * signature. + */ + DerOutputStream out = new DerOutputStream(); + DerOutputStream tmp = new DerOutputStream(); + tmp.write(data); + issuer.getAlgorithmId().encode(tmp); - /* - * Create and encode the signature itself. - */ - issuer.update (data, 0, data.length); - signature = issuer.sign (); - tmp.putBitString (signature); + /* + * Create and encode the signature itself. + */ + issuer.update(data, 0, data.length); + signature = issuer.sign(); + tmp.putBitString(signature); - /* - * Wrap the signed data in a SEQUENCE { data, algorithm, sig } - */ - out.write (DerValue.tag_Sequence, tmp); - return out.toByteArray (); + /* + * Wrap the signed data in a SEQUENCE { data, algorithm, sig } + */ + out.write(DerValue.tag_Sequence, tmp); + return out.toByteArray(); } - /** - * Serialization write ... X.509 certificates serialize as - * themselves, and they're parsed when they get read back. - * (Actually they serialize as some type data from the - * serialization subsystem, then the cert data.) + * Serialization write ... X.509 certificates serialize as themselves, and + * they're parsed when they get read back. (Actually they serialize as some + * type data from the serialization subsystem, then the cert data.) */ - private synchronized void - writeObject (java.io.ObjectOutputStream stream) - throws IOException - { encode(stream); } + private synchronized void writeObject(java.io.ObjectOutputStream stream) + throws IOException { + encode(stream); + } /** - * Serialization read ... X.509 certificates serialize as - * themselves, and they're parsed when they get read back. + * Serialization read ... X.509 certificates serialize as themselves, and + * they're parsed when they get read back. */ - private synchronized void - readObject (ObjectInputStream stream) - throws IOException - { decode(stream); } + private synchronized void readObject(ObjectInputStream stream) + throws IOException { + decode(stream); + } } |