| /* |
| * Copyright (C) 2012 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.conscrypt; |
| |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.io.PushbackInputStream; |
| import java.security.cert.CRL; |
| import java.security.cert.CRLException; |
| import java.security.cert.CertPath; |
| import java.security.cert.Certificate; |
| import java.security.cert.CertificateException; |
| import java.security.cert.CertificateFactorySpi; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.Arrays; |
| import java.util.Collection; |
| import java.util.Collections; |
| import java.util.Iterator; |
| import java.util.List; |
| |
| public class OpenSSLX509CertificateFactory extends CertificateFactorySpi { |
| private static final byte[] PKCS7_MARKER = new byte[] { |
| '-', '-', '-', '-', '-', 'B', 'E', 'G', 'I', 'N', ' ', 'P', 'K', 'C', 'S', '7' |
| }; |
| |
| private static final int PUSHBACK_SIZE = 64; |
| |
| static class ParsingException extends Exception { |
| private static final long serialVersionUID = 8390802697728301325L; |
| |
| public ParsingException(String message) { |
| super(message); |
| } |
| |
| public ParsingException(Exception cause) { |
| super(cause); |
| } |
| |
| public ParsingException(String message, Exception cause) { |
| super(message, cause); |
| } |
| } |
| |
| /** |
| * The code for X509 Certificates and CRL is pretty much the same. We use |
| * this abstract class to share the code between them. This makes it ugly, |
| * but it's already written in this language anyway. |
| */ |
| private static abstract class Parser<T> { |
| public T generateItem(InputStream inStream) throws ParsingException { |
| if (inStream == null) { |
| throw new ParsingException("inStream == null"); |
| } |
| |
| final boolean markable = inStream.markSupported(); |
| if (markable) { |
| inStream.mark(PKCS7_MARKER.length); |
| } |
| |
| final PushbackInputStream pbis = new PushbackInputStream(inStream, PUSHBACK_SIZE); |
| try { |
| final byte[] buffer = new byte[PKCS7_MARKER.length]; |
| |
| final int len = pbis.read(buffer); |
| if (len < 0) { |
| /* No need to reset here. The stream was empty or EOF. */ |
| throw new ParsingException("inStream is empty"); |
| } |
| pbis.unread(buffer, 0, len); |
| |
| if (buffer[0] == '-') { |
| if (len == PKCS7_MARKER.length && Arrays.equals(PKCS7_MARKER, buffer)) { |
| List<? extends T> items = fromPkcs7PemInputStream(pbis); |
| if (items.size() == 0) { |
| return null; |
| } |
| items.get(0); |
| } else { |
| return fromX509PemInputStream(pbis); |
| } |
| } |
| |
| /* PKCS#7 bags have a byte 0x06 at position 4 in the stream. */ |
| if (buffer[4] == 0x06) { |
| List<? extends T> certs = fromPkcs7DerInputStream(pbis); |
| if (certs.size() == 0) { |
| return null; |
| } |
| return certs.get(0); |
| } else { |
| return fromX509DerInputStream(pbis); |
| } |
| } catch (Exception e) { |
| if (markable) { |
| try { |
| inStream.reset(); |
| } catch (IOException ignored) { |
| } |
| } |
| throw new ParsingException(e); |
| } |
| } |
| |
| public Collection<? extends T> generateItems(InputStream inStream) |
| throws ParsingException { |
| if (inStream == null) { |
| throw new ParsingException("inStream == null"); |
| } |
| try { |
| if (inStream.available() == 0) { |
| return Collections.emptyList(); |
| } |
| } catch (IOException e) { |
| throw new ParsingException("Problem reading input stream", e); |
| } |
| |
| final boolean markable = inStream.markSupported(); |
| if (markable) { |
| inStream.mark(PUSHBACK_SIZE); |
| } |
| |
| /* Attempt to see if this is a PKCS#7 bag. */ |
| final PushbackInputStream pbis = new PushbackInputStream(inStream, PUSHBACK_SIZE); |
| try { |
| final byte[] buffer = new byte[PKCS7_MARKER.length]; |
| |
| final int len = pbis.read(buffer); |
| if (len < 0) { |
| /* No need to reset here. The stream was empty or EOF. */ |
| throw new ParsingException("inStream is empty"); |
| } |
| pbis.unread(buffer, 0, len); |
| |
| if (len == PKCS7_MARKER.length && Arrays.equals(PKCS7_MARKER, buffer)) { |
| return fromPkcs7PemInputStream(pbis); |
| } |
| |
| /* PKCS#7 bags have a byte 0x06 at position 4 in the stream. */ |
| if (buffer[4] == 0x06) { |
| return fromPkcs7DerInputStream(pbis); |
| } |
| } catch (Exception e) { |
| if (markable) { |
| try { |
| inStream.reset(); |
| } catch (IOException ignored) { |
| } |
| } |
| throw new ParsingException(e); |
| } |
| |
| /* |
| * It wasn't, so just try to keep grabbing certificates until we |
| * can't anymore. |
| */ |
| final List<T> coll = new ArrayList<T>(); |
| T c = null; |
| do { |
| /* |
| * If this stream supports marking, try to mark here in case |
| * there is an error during certificate generation. |
| */ |
| if (markable) { |
| inStream.mark(PUSHBACK_SIZE); |
| } |
| |
| try { |
| c = generateItem(pbis); |
| coll.add(c); |
| } catch (ParsingException e) { |
| /* |
| * If this stream supports marking, attempt to reset it to |
| * the mark before the failure. |
| */ |
| if (markable) { |
| try { |
| inStream.reset(); |
| } catch (IOException ignored) { |
| } |
| } |
| |
| c = null; |
| } |
| } while (c != null); |
| |
| return coll; |
| } |
| |
| protected abstract T fromX509PemInputStream(InputStream pbis) throws ParsingException; |
| |
| protected abstract T fromX509DerInputStream(InputStream pbis) throws ParsingException; |
| |
| protected abstract List<? extends T> fromPkcs7PemInputStream(InputStream is) |
| throws ParsingException; |
| |
| protected abstract List<? extends T> fromPkcs7DerInputStream(InputStream is) |
| throws ParsingException; |
| } |
| |
| private Parser<OpenSSLX509Certificate> certificateParser = |
| new Parser<OpenSSLX509Certificate>() { |
| @Override |
| public OpenSSLX509Certificate fromX509PemInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509Certificate.fromX509PemInputStream(is); |
| } |
| |
| @Override |
| public OpenSSLX509Certificate fromX509DerInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509Certificate.fromX509DerInputStream(is); |
| } |
| |
| @Override |
| public List<? extends OpenSSLX509Certificate> |
| fromPkcs7PemInputStream(InputStream is) throws ParsingException { |
| return OpenSSLX509Certificate.fromPkcs7PemInputStream(is); |
| } |
| |
| @Override |
| public List<? extends OpenSSLX509Certificate> |
| fromPkcs7DerInputStream(InputStream is) throws ParsingException { |
| return OpenSSLX509Certificate.fromPkcs7DerInputStream(is); |
| } |
| }; |
| |
| private Parser<OpenSSLX509CRL> crlParser = |
| new Parser<OpenSSLX509CRL>() { |
| @Override |
| public OpenSSLX509CRL fromX509PemInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509CRL.fromX509PemInputStream(is); |
| } |
| |
| @Override |
| public OpenSSLX509CRL fromX509DerInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509CRL.fromX509DerInputStream(is); |
| } |
| |
| @Override |
| public List<? extends OpenSSLX509CRL> fromPkcs7PemInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509CRL.fromPkcs7PemInputStream(is); |
| } |
| |
| @Override |
| public List<? extends OpenSSLX509CRL> fromPkcs7DerInputStream(InputStream is) |
| throws ParsingException { |
| return OpenSSLX509CRL.fromPkcs7DerInputStream(is); |
| } |
| }; |
| |
| @Override |
| public Certificate engineGenerateCertificate(InputStream inStream) throws CertificateException { |
| try { |
| return certificateParser.generateItem(inStream); |
| } catch (ParsingException e) { |
| throw new CertificateException(e); |
| } |
| } |
| |
| @Override |
| public Collection<? extends Certificate> engineGenerateCertificates( |
| InputStream inStream) throws CertificateException { |
| try { |
| return certificateParser.generateItems(inStream); |
| } catch (ParsingException e) { |
| throw new CertificateException(e); |
| } |
| } |
| |
| @Override |
| public CRL engineGenerateCRL(InputStream inStream) throws CRLException { |
| try { |
| return crlParser.generateItem(inStream); |
| } catch (ParsingException e) { |
| throw new CRLException(e); |
| } |
| } |
| |
| @Override |
| public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException { |
| if (inStream == null) { |
| return Collections.emptyList(); |
| } |
| |
| try { |
| return crlParser.generateItems(inStream); |
| } catch (ParsingException e) { |
| throw new CRLException(e); |
| } |
| } |
| |
| @Override |
| public Iterator<String> engineGetCertPathEncodings() { |
| return OpenSSLX509CertPath.getEncodingsIterator(); |
| } |
| |
| @Override |
| public CertPath engineGenerateCertPath(InputStream inStream) throws CertificateException { |
| return OpenSSLX509CertPath.fromEncoding(inStream); |
| } |
| |
| @Override |
| public CertPath engineGenerateCertPath(InputStream inStream, String encoding) |
| throws CertificateException { |
| return OpenSSLX509CertPath.fromEncoding(inStream, encoding); |
| } |
| |
| @Override |
| public CertPath engineGenerateCertPath(List<? extends Certificate> certificates) |
| throws CertificateException { |
| final List<X509Certificate> filtered = new ArrayList<X509Certificate>(certificates.size()); |
| for (int i = 0; i < certificates.size(); i++) { |
| final Certificate c = certificates.get(i); |
| |
| if (!(c instanceof X509Certificate)) { |
| throw new CertificateException("Certificate not X.509 type at index " + i); |
| } |
| |
| filtered.add((X509Certificate) c); |
| } |
| |
| return new OpenSSLX509CertPath(filtered); |
| } |
| } |
