/*
 * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.provider.certpath;

import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Date;

import sun.security.util.Debug;
import sun.security.util.DerInputStream;
import sun.security.x509.SerialNumber;
import sun.security.x509.AuthorityKeyIdentifierExtension;

An adaptable X509 certificate selector for forward certification path building. This selector overrides the default X509CertSelector matching rules for the subjectKeyIdentifier and serialNumber criteria, and adds additional rules for certificate validity.
Since:1.7
/** * An adaptable X509 certificate selector for forward certification path * building. This selector overrides the default X509CertSelector matching * rules for the subjectKeyIdentifier and serialNumber criteria, and adds * additional rules for certificate validity. * * @since 1.7 */
class AdaptableX509CertSelector extends X509CertSelector { private static final Debug debug = Debug.getInstance("certpath"); // The start date of a validity period. private Date startDate; // The end date of a validity period. private Date endDate; // The subject key identifier private byte[] ski; // The serial number private BigInteger serial;
Sets the criterion of the X509Certificate validity period. Normally, we may not have to check that a certificate validity period must fall within its issuer's certificate validity period. However, when we face root CA key updates for version 1 certificates, according to scheme of RFC 4210 or 2510, the validity periods should be checked to determine the right issuer's certificate. Conservatively, we will only check the validity periods for version 1 and version 2 certificates. For version 3 certificates, we can determine the right issuer by authority and subject key identifier extensions.
Params:
  • startDate – the start date of a validity period that must fall within the certificate validity period for the X509Certificate
  • endDate – the end date of a validity period that must fall within the certificate validity period for the X509Certificate
/** * Sets the criterion of the X509Certificate validity period. * * Normally, we may not have to check that a certificate validity period * must fall within its issuer's certificate validity period. However, * when we face root CA key updates for version 1 certificates, according * to scheme of RFC 4210 or 2510, the validity periods should be checked * to determine the right issuer's certificate. * * Conservatively, we will only check the validity periods for version * 1 and version 2 certificates. For version 3 certificates, we can * determine the right issuer by authority and subject key identifier * extensions. * * @param startDate the start date of a validity period that must fall * within the certificate validity period for the X509Certificate * @param endDate the end date of a validity period that must fall * within the certificate validity period for the X509Certificate */
void setValidityPeriod(Date startDate, Date endDate) { this.startDate = startDate; this.endDate = endDate; }
This selector overrides the subjectKeyIdentifier matching rules of X509CertSelector, so it throws IllegalArgumentException if this method is ever called.
/** * This selector overrides the subjectKeyIdentifier matching rules of * X509CertSelector, so it throws IllegalArgumentException if this method * is ever called. */
@Override public void setSubjectKeyIdentifier(byte[] subjectKeyID) { throw new IllegalArgumentException(); }
This selector overrides the serialNumber matching rules of X509CertSelector, so it throws IllegalArgumentException if this method is ever called.
/** * This selector overrides the serialNumber matching rules of * X509CertSelector, so it throws IllegalArgumentException if this method * is ever called. */
@Override public void setSerialNumber(BigInteger serial) { throw new IllegalArgumentException(); }
Sets the subjectKeyIdentifier and serialNumber criteria from the authority key identifier extension. The subjectKeyIdentifier criterion is set to the keyIdentifier field of the extension, or null if it is empty. The serialNumber criterion is set to the authorityCertSerialNumber field, or null if it is empty. Note that we do not set the subject criterion to the authorityCertIssuer field of the extension. The caller MUST set the subject criterion before calling match().
Params:
  • ext – the authorityKeyIdentifier extension
Throws:
  • IOException – if there is an error parsing the extension
/** * Sets the subjectKeyIdentifier and serialNumber criteria from the * authority key identifier extension. * * The subjectKeyIdentifier criterion is set to the keyIdentifier field * of the extension, or null if it is empty. The serialNumber criterion * is set to the authorityCertSerialNumber field, or null if it is empty. * * Note that we do not set the subject criterion to the * authorityCertIssuer field of the extension. The caller MUST set * the subject criterion before calling match(). * * @param ext the authorityKeyIdentifier extension * @throws IOException if there is an error parsing the extension */
void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext) throws IOException { ski = null; serial = null; if (ext != null) { ski = ext.getEncodedKeyIdentifier(); SerialNumber asn = (SerialNumber)ext.get( AuthorityKeyIdentifierExtension.SERIAL_NUMBER); if (asn != null) { serial = asn.getNumber(); } // the subject criterion should be set by the caller } }
Decides whether a Certificate should be selected. This method overrides the matching rules for the subjectKeyIdentifier and serialNumber criteria and adds additional rules for certificate validity. For the purpose of compatibility, when a certificate is of version 1 and version 2, or the certificate does not include a subject key identifier extension, the selection criterion of subjectKeyIdentifier will be disabled.
/** * Decides whether a <code>Certificate</code> should be selected. * * This method overrides the matching rules for the subjectKeyIdentifier * and serialNumber criteria and adds additional rules for certificate * validity. * * For the purpose of compatibility, when a certificate is of * version 1 and version 2, or the certificate does not include * a subject key identifier extension, the selection criterion * of subjectKeyIdentifier will be disabled. */
@Override public boolean match(Certificate cert) { X509Certificate xcert = (X509Certificate)cert; // match subject key identifier if (!matchSubjectKeyID(xcert)) { return false; } // In practice, a CA may replace its root certificate and require that // the existing certificate is still valid, even if the AKID extension // does not match the replacement root certificate fields. // // Conservatively, we only support the replacement for version 1 and // version 2 certificate. As for version 3, the certificate extension // may contain sensitive information (for example, policies), the // AKID need to be respected to seek the exact certificate in case // of key or certificate abuse. int version = xcert.getVersion(); if (serial != null && version > 2) { if (!serial.equals(xcert.getSerialNumber())) { return false; } } // Check the validity period for version 1 and 2 certificate. if (version < 3) { if (startDate != null) { try { xcert.checkValidity(startDate); } catch (CertificateException ce) { return false; } } if (endDate != null) { try { xcert.checkValidity(endDate); } catch (CertificateException ce) { return false; } } } if (!super.match(cert)) { return false; } return true; } /* * Match on subject key identifier extension value. These matching rules * are identical to X509CertSelector except that if the certificate does * not have a subject key identifier extension, it returns true. */ private boolean matchSubjectKeyID(X509Certificate xcert) { if (ski == null) { return true; } try { byte[] extVal = xcert.getExtensionValue("2.5.29.14"); if (extVal == null) { if (debug != null) { debug.println("AdaptableX509CertSelector.match: " + "no subject key ID extension. Subject: " + xcert.getSubjectX500Principal()); } return true; } DerInputStream in = new DerInputStream(extVal); byte[] certSubjectKeyID = in.getOctetString(); if (certSubjectKeyID == null || !Arrays.equals(ski, certSubjectKeyID)) { if (debug != null) { debug.println("AdaptableX509CertSelector.match: " + "subject key IDs don't match. " + "Expected: " + Arrays.toString(ski) + " " + "Cert's: " + Arrays.toString(certSubjectKeyID)); } return false; } } catch (IOException ex) { if (debug != null) { debug.println("AdaptableX509CertSelector.match: " + "exception in subject key ID check"); } return false; } return true; } @Override public Object clone() { AdaptableX509CertSelector copy = (AdaptableX509CertSelector)super.clone(); if (startDate != null) { copy.startDate = (Date)startDate.clone(); } if (endDate != null) { copy.endDate = (Date)endDate.clone(); } if (ski != null) { copy.ski = ski.clone(); } return copy; } }