| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /** |
| * @author Vladimir N. Molotkov, Alexander Y. Kleymenov |
| * @version $Revision$ |
| */ |
| |
| package org.apache.harmony.security.x509; |
| |
| import java.io.IOException; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.List; |
| import org.apache.harmony.security.asn1.ASN1Implicit; |
| import org.apache.harmony.security.asn1.ASN1OctetString; |
| import org.apache.harmony.security.asn1.ASN1Sequence; |
| import org.apache.harmony.security.asn1.ASN1Type; |
| import org.apache.harmony.security.asn1.BerInputStream; |
| |
| /** |
| * The class encapsulates the ASN.1 DER encoding/decoding work |
| * with the following structure which is a part of X.509 certificate |
| * (as specified in RFC 3280 - |
| * Internet X.509 Public Key Infrastructure. |
| * Certificate and Certificate Revocation List (CRL) Profile. |
| * http://www.ietf.org/rfc/rfc3280.txt): |
| * |
| * <pre> |
| * |
| * NameConstraints ::= SEQUENCE { |
| * permittedSubtrees [0] GeneralSubtrees OPTIONAL, |
| * excludedSubtrees [1] GeneralSubtrees OPTIONAL } |
| * |
| * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree |
| * |
| * </pre> |
| * |
| * @see org.apache.harmony.security.x509.GeneralSubtree |
| * @see org.apache.harmony.security.x509.GeneralName |
| */ |
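public final class NameConstraints extends ExtensionValue {
    /** Size of the per-type lookup arrays; they are indexed by {@code GeneralName.getTag()}. */
    private static final int NAME_TYPES = 9;
    /** GeneralName tag of the directoryName alternative (used for the subject DN). */
    private static final int DIRECTORY_NAME = 4;
    /** OID of the subjectAltName certificate extension. */
    private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";

    /** the value of permittedSubtrees field of the structure */
    private final GeneralSubtrees permittedSubtrees;
    /** the value of excludedSubtrees field of the structure */
    private final GeneralSubtrees excludedSubtrees;
    /** the ASN.1 encoded form of NameConstraints (cached, lazily computed) */
    private byte[] encoding;

    // Per-type lookup tables built lazily by prepareNames().
    // permitted_names == null doubles as the "not prepared yet" flag.
    private ArrayList<GeneralName>[] permitted_names;
    private ArrayList<GeneralName>[] excluded_names;

    /**
     * Constructs <code>NameConstraints</code> object.
     *
     * @param permittedSubtrees permitted subtrees, or null if the field is absent
     * @param excludedSubtrees excluded subtrees, or null if the field is absent
     * @throws IllegalArgumentException if a non-null argument holds no subtrees
     *         (GeneralSubtrees is SIZE (1..MAX))
     */
    public NameConstraints(GeneralSubtrees permittedSubtrees,
            GeneralSubtrees excludedSubtrees) {
        if (permittedSubtrees != null) {
            List<GeneralSubtree> ps = permittedSubtrees.getSubtrees();
            if (ps == null || ps.isEmpty()) {
                throw new IllegalArgumentException("permittedSubtrees are empty");
            }
        }
        if (excludedSubtrees != null) {
            List<GeneralSubtree> es = excludedSubtrees.getSubtrees();
            if (es == null || es.isEmpty()) {
                throw new IllegalArgumentException("excludedSubtrees are empty");
            }
        }
        this.permittedSubtrees = permittedSubtrees;
        this.excludedSubtrees = excludedSubtrees;
    }

    /**
     * Used by the decoder: same validation as the public constructor, and
     * keeps the bytes the object was decoded from as the cached encoding.
     */
    private NameConstraints(GeneralSubtrees permittedSubtrees,
            GeneralSubtrees excludedSubtrees, byte[] encoding) {
        this(permittedSubtrees, excludedSubtrees);
        this.encoding = encoding;
    }

    /**
     * Decodes a NameConstraints structure from its ASN.1 encoding.
     *
     * @param encoding the encoded extension value
     * @return the decoded object
     * @throws IOException if the decoder rejects the input
     */
    public static NameConstraints decode(byte[] encoding) throws IOException {
        return (NameConstraints) ASN1.decode(encoding);
    }

    /**
     * Returns the ASN.1 encoding, computing and caching it on first use.
     * The cached array itself is returned (no copy), so callers must treat
     * it as read-only.
     */
    @Override public byte[] getEncoded() {
        if (encoding == null) {
            encoding = ASN1.encode(this);
        }
        return encoding;
    }

    /**
     * Groups the base names of the given subtrees by GeneralName tag.
     *
     * @param subtrees the subtrees to index, may be null
     * @return array of NAME_TYPES slots; a slot is null when no base name
     *         of that tag is present
     */
    @SuppressWarnings("unchecked") // generic array creation; only ArrayList<GeneralName> is stored
    private static ArrayList<GeneralName>[] groupByTag(GeneralSubtrees subtrees) {
        ArrayList<GeneralName>[] byTag = new ArrayList[NAME_TYPES];
        if (subtrees != null) {
            for (GeneralSubtree generalSubtree : subtrees.getSubtrees()) {
                GeneralName name = generalSubtree.getBase();
                // NOTE(review): assumes getTag() is always within 0..8 - confirm in GeneralName
                int tag = name.getTag();
                if (byTag[tag] == null) {
                    byTag[tag] = new ArrayList<GeneralName>();
                }
                byTag[tag].add(name);
            }
        }
        return byTag;
    }

    /**
     * Prepare the data structure to speed up the checking process.
     */
    private void prepareNames() {
        // excluded_names is published first: permitted_names is the flag the
        // isAcceptable methods test, so it must not become non-null while
        // excluded_names is still null.
        excluded_names = groupByTag(excludedSubtrees);
        permitted_names = groupByTag(permittedSubtrees);
    }

    /**
     * Returns the value of certificate extension, unwrapped from its
     * OCTET STRING container.
     *
     * @return the extension value, or null if the extension is absent
     * @throws IOException if the extension is present but cannot be decoded;
     *         the caller must not treat that case as "extension absent"
     */
    private byte[] getExtensionValue(X509Certificate cert, String OID)
            throws IOException {
        byte[] bytes = cert.getExtensionValue(OID);
        if (bytes == null) {
            return null;
        }
        return (byte[]) ASN1OctetString.getInstance().decode(bytes);
    }

    /**
     * Apply the name restrictions specified by this NameConstraints
     * instance to the subject distinguished name and subject alternative
     * names of specified X509Certificate. Restrictions apply only
     * if specified name form is present in the certificate.
     * The restrictions are applied according to RFC 3280
     * (see 4.2.1.11 Name Constraints), except that they are applied
     * both to CA certificates and to certificates whose issuer and subject
     * names are the same (i.e. the method does not check whether it is a CA
     * certificate or whether the names differ; if that check is needed,
     * the caller must do it before calling this method).
     * A certificate whose subjectAltName extension or subject name cannot
     * be decoded is rejected.
     *
     * @param cert X.509 Certificate to be checked.
     * @return true if the certificate is acceptable according to
     * these NameConstraints restrictions
     */
    public boolean isAcceptable(X509Certificate cert) {
        if (permitted_names == null) {
            prepareNames();
        }

        List<GeneralName> names;
        try {
            byte[] bytes = getExtensionValue(cert, SUBJECT_ALT_NAME_OID);
            if (bytes == null) {
                // no subjectAltName: only the subject field will be checked
                names = new ArrayList<GeneralName>(1);
            } else {
                List<GeneralName> altNames =
                        ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
                // Copy so that appending the subject DN below never mutates
                // (or fails on) the decoder's list. The null guard is a
                // precaution; getNames() is defined outside this file.
                names = (altNames == null)
                        ? new ArrayList<GeneralName>(1)
                        : new ArrayList<GeneralName>(altNames);
            }
        } catch (IOException e) {
            // the certificate is broken; fail closed
            e.printStackTrace();
            return false;
        }
        if ((excluded_names[DIRECTORY_NAME] != null)
                || (permitted_names[DIRECTORY_NAME] != null)) {
            try {
                names.add(new GeneralName(DIRECTORY_NAME,
                        cert.getSubjectX500Principal().getName()));
            } catch (IOException e) {
                // Not expected, but if the subject cannot be turned into a
                // GeneralName the directoryName constraints cannot be
                // evaluated, so reject instead of silently skipping them.
                return false;
            }
        }
        return isAcceptable(names);
    }

    /**
     * Check if this list of names is acceptable according to this
     * NameConstraints object.
     *
     * <p>A name matching any excluded subtree of its type rejects the list.
     * When permitted subtrees exist for a name's type, that name must match
     * at least one of them; this is checked for every name, not once per
     * type. Names of a type with no constraints are accepted.
     *
     * @param names the names to check
     * @return true if every name satisfies the constraints
     */
    public boolean isAcceptable(List<GeneralName> names) {
        if (permitted_names == null) {
            prepareNames();
        }

        for (GeneralName name : names) {
            int type = name.getTag();
            if (matchesAny(excluded_names[type], name)) {
                return false;
            }
            // RFC 3280 6.1.3 (b): each name must be within one of the
            // permitted subtrees for its type. Accepting the whole type as
            // soon as one name matched would let an out-of-scope name pass
            // next to an in-scope one.
            List<GeneralName> permitted = permitted_names[type];
            if ((permitted != null) && !matchesAny(permitted, name)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether the name falls under at least one of the given subtree bases.
     *
     * @param bases subtree base names of one type, may be null
     * @param name the name to test
     * @return true if some base accepts the name; false for a null list
     */
    private static boolean matchesAny(List<GeneralName> bases, GeneralName name) {
        if (bases == null) {
            return false;
        }
        for (GeneralName base : bases) {
            if (base.isAcceptable(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Appends a human-readable dump of the permitted and excluded subtrees.
     */
    @Override public void dumpValue(StringBuilder sb, String prefix) {
        sb.append(prefix).append("Name Constraints: [\n");
        if (permittedSubtrees != null) {
            sb.append(prefix).append(" Permitted: [\n");
            for (GeneralSubtree generalSubtree : permittedSubtrees.getSubtrees()) {
                generalSubtree.dumpValue(sb, prefix + " ");
            }
            sb.append(prefix).append(" ]\n");
        }
        if (excludedSubtrees != null) {
            sb.append(prefix).append(" Excluded: [\n");
            for (GeneralSubtree generalSubtree : excludedSubtrees.getSubtrees()) {
                generalSubtree.dumpValue(sb, prefix + " ");
            }
            sb.append(prefix).append(" ]\n");
        }
        sb.append('\n').append(prefix).append("]\n");
    }

    /**
     * X.509 NameConstraints encoder/decoder.
     */
    public static final ASN1Sequence ASN1 = new ASN1Sequence(new ASN1Type[] {
            new ASN1Implicit(0, GeneralSubtrees.ASN1),
            new ASN1Implicit(1, GeneralSubtrees.ASN1) }) {
        {
            // both fields of the SEQUENCE are OPTIONAL
            setOptional(0);
            setOptional(1);
        }

        @Override protected Object getDecodedObject(BerInputStream in) {
            Object[] values = (Object[]) in.content;
            // NOTE(review): the constructor throws IllegalArgumentException for
            // an empty GeneralSubtrees; on decoded input that surfaces as an
            // unchecked exception rather than IOException - confirm callers cope.
            return new NameConstraints(
                    (GeneralSubtrees) values[0],
                    (GeneralSubtrees) values[1],
                    in.getEncoded());
        }

        @Override protected void getValues(Object object, Object[] values) {
            NameConstraints nc = (NameConstraints) object;
            values[0] = nc.permittedSubtrees;
            values[1] = nc.excludedSubtrees;
        }
    };
}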