android-platform-libcore/luni/src/main/java/java/security/cert/TrustAnchor.java - nest-cam/4320010/android-platform-libcore - Git at Google

 /*
  *  Licensed to the Apache Software Foundation (ASF) under one or more
  *  contributor license agreements.  See the NOTICE file distributed with
  *  this work for additional information regarding copyright ownership.
  *  The ASF licenses this file to You under the Apache License, Version 2.0
  *  (the "License"); you may not use this file except in compliance with
  *  the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing, software
  *  distributed under the License is distributed on an "AS IS" BASIS,
  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
  */

 package java.security.cert;

 import java.io.IOException;
 import java.security.PublicKey;
 import javax.security.auth.x500.X500Principal;
 import org.apache.harmony.security.utils.Array;
 import org.apache.harmony.security.x509.NameConstraints;


 /**
  * This class represents a trust anchor for validation of X.509 certification
  * path.
  * <p>
  * It is a <i>trusted</i> certificate authority (CA) and includes the public key
  * of the CA, the CA's name and the constraints for the validation of
  * certification paths. The constructor also allows to specify a binary
  * representation of a so called "Name Constraints" extension as a byte array.
  */
 public class TrustAnchor {
     // Most trusted CA as a X500Principal
     private final X500Principal caPrincipal;
     // Most trusted CA name
     private final String caName;
     // Most trusted CA public key
     private final PublicKey caPublicKey;
     // Most trusted CA certificate
     private final X509Certificate trustedCert;
     // Name constraints extension
     private final byte[] nameConstraints;

     /**
      * Creates a new {@code TrustAnchor} with the specified certificate and name
      * constraints.
      * <p>
      * The name constraints will be used as additional constraints during the
      * validation of certification paths.
      *
      * @param trustedCert
      *            the trusted certificate
      * @param nameConstraints
      *            the ASN.1 DER encoded form of the name constraints or {@code
      *            null} if none.
      * @throws IllegalArgumentException
      *             if the decoding of the name constraints fail.
      */
     public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) {
         if (trustedCert == null) {
             throw new NullPointerException("trustedCert == null");
         }
         this.trustedCert = trustedCert;
         // copy nameConstraints if not null
         if (nameConstraints != null) {
             this.nameConstraints = new byte[nameConstraints.length];
             System.arraycopy(nameConstraints, 0,
                     this.nameConstraints, 0, this.nameConstraints.length);
             processNameConstraints();
         } else {
             this.nameConstraints = null;
         }
         this.caName = null;
         this.caPrincipal = null;
         this.caPublicKey = null;
     }

     /**
      * Creates a new {@code TrustAnchor} with the specified certificate
      * authority name, its public key and the specified name constraints.
      * <p>
      * The name constraints will be used as additional constraints during the
      * validation of certification paths.
      *
      * @param caName
      *            the X.500 name of the certificate authority in RFC 2253
      *            {@code String} format.
      * @param caPublicKey
      *            the public key of the certificate authority
      * @param nameConstraints
      *            the ASN.1 DER encoded form of the name constraints or {@code
      *            null} if none.
      * @throws IllegalArgumentException
      *             if the {@code caName} is empty or if decoding of the name
      *             constraints fail.
      */
     public TrustAnchor(String caName, PublicKey caPublicKey,
             byte[] nameConstraints) {
         if (caName == null) {
             throw new NullPointerException("caName == null");
         }
         this.caName = caName;
         if (caPublicKey == null) {
             throw new NullPointerException("caPublicKey == null");
         }
         this.caPublicKey = caPublicKey;
         // copy nameConstraints if not null
         if (nameConstraints != null) {
             this.nameConstraints = new byte[nameConstraints.length];
             System.arraycopy(nameConstraints, 0,
                     this.nameConstraints, 0, this.nameConstraints.length);
             processNameConstraints();
         } else {
             this.nameConstraints = null;
         }

         this.trustedCert = null;

         // X500Principal checks caName validity
         if (caName.isEmpty()) {
             throw new IllegalArgumentException("caName.isEmpty()");
         }
         this.caPrincipal = new X500Principal(this.caName);
     }

     /**
      * Creates a new {@code TrustAnchor} with the specified certificate
      * authority name as principal, its public key and the specified name
      * constraints.
      * <p>
      * The name constraints will be used as additional constraints during the
      * validation of certification paths.
      *
      * @param caPrincipal
      *            the name of the certificate authority as X500 principal.
      * @param caPublicKey
      *            the public key of the certificate authority.
      * @param nameConstraints
      *            the ASN.1 DER encoded form of the name constraints or {@code
      *            null} if none.
      * @throws IllegalArgumentException
      *             if decoding of the name constraints fail.
      */
     public TrustAnchor(X500Principal caPrincipal,
             PublicKey caPublicKey, byte[] nameConstraints) {
         if (caPrincipal == null) {
             throw new NullPointerException("caPrincipal == null");
         }
         this.caPrincipal = caPrincipal;
         if (caPublicKey == null) {
             throw new NullPointerException("caPublicKey == null");
         }
         this.caPublicKey = caPublicKey;
         // copy nameConstraints if not null
         if (nameConstraints != null) {
             this.nameConstraints = new byte[nameConstraints.length];
             System.arraycopy(nameConstraints, 0,
                     this.nameConstraints, 0, this.nameConstraints.length);
             processNameConstraints();
         } else {
             this.nameConstraints = null;
         }

         this.trustedCert = null;
         this.caName = caPrincipal.getName();
     }

     /**
      * Returns a copy of the name constraints in ASN.1 DER encoded form.
      *
      * @return a copy of the name constraints in ASN.1 DER encoded form.
      */
     public final byte[] getNameConstraints() {
         if (nameConstraints == null) {
             return null;
         }
         byte[] ret = new byte[nameConstraints.length];
             System.arraycopy(nameConstraints, 0,
                     ret, 0, nameConstraints.length);
         return ret;
     }

     /**
      * Returns the certificate of this <i>trusted</i> certificate authority.
      *
      * @return the certificate of this CA or {@code null}, if the trust anchor
      *         of this instance was not created with a certificate.
      */
     public final X509Certificate getTrustedCert() {
         return trustedCert;
     }

     /**
      * Returns the name of the certificate authority as {@code X500Principal}.
      *
      * @return the name of the certificate authority or {@code null} if the
      *         trust anchor of this instance was not created with a {@code
      *         X500Principal}.
      */
     public final X500Principal getCA() {
         return caPrincipal;
     }

     /**
      * Returns the name of the certificate authority as {@code String} in RFC
      * 2253 format.
      *
      * @return the name of the certificate authority as {@code String} in RFC
      *         2253 format or {@code null} if the trust anchor of this instance
      *         was not created with a CA name.
      */
     public final String getCAName() {
         return caName;
     }

     /**
      * Returns the public key of the certificate authority.
      *
      * @return the public key of the certificate authority or {@code null} if
      *         the trust anchor if this instance was not created with a public
      *         key.
      */
     public final PublicKey getCAPublicKey() {
         return caPublicKey;
     }

     /**
      * Returns a string representation of this {@code TrustAnchor} instance.
      *
      * @return a string representation of this {@code TrustAnchor} instance.
      */
     public String toString() {
         StringBuilder sb = new StringBuilder("TrustAnchor: [\n");
         if (trustedCert != null) {
             sb.append("Trusted CA certificate: ");
             sb.append(trustedCert);
             sb.append("\n");
         }
         if (caPrincipal != null) {
             sb.append("Trusted CA Name: ");
             sb.append(caPrincipal);
             sb.append("\n");
         }
         if (caPublicKey != null) {
             sb.append("Trusted CA Public Key: ");
             sb.append(caPublicKey);
             sb.append("\n");
         }
         // FIXME if needed:
         if (nameConstraints != null) {
             sb.append("Name Constraints:\n");
             sb.append(Array.toString(nameConstraints, "    "));
         }
         sb.append("\n]");
         return sb.toString();
     }

     //
     // Private stuff
     //

     // Decodes and checks NameConstraints structure.
     // Throws IllegalArgumentException if NameConstraints
     // encoding is invalid.
     private void processNameConstraints() {
         try {
             // decode and check nameConstraints
             NameConstraints.ASN1.decode(nameConstraints);
         } catch (IOException e) {
             throw new IllegalArgumentException(e.getMessage());
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package java.security.cert;

	import java.io.IOException;
	import java.security.PublicKey;
	import javax.security.auth.x500.X500Principal;
	import org.apache.harmony.security.utils.Array;
	import org.apache.harmony.security.x509.NameConstraints;



	/**
	* This class represents a trust anchor for validation of X.509 certification
	* path.
	* <p>
	* It is a <i>trusted</i> certificate authority (CA) and includes the public key
	* of the CA, the CA's name and the constraints for the validation of
	* certification paths. The constructor also allows to specify a binary
	* representation of a so called "Name Constraints" extension as a byte array.
	*/
	public class TrustAnchor {
	// Most trusted CA as a X500Principal
	private final X500Principal caPrincipal;
	// Most trusted CA name
	private final String caName;
	// Most trusted CA public key
	private final PublicKey caPublicKey;
	// Most trusted CA certificate
	private final X509Certificate trustedCert;
	// Name constraints extension
	private final byte[] nameConstraints;

	/**
	* Creates a new {@code TrustAnchor} with the specified certificate and name
	* constraints.
	* <p>
	* The name constraints will be used as additional constraints during the
	* validation of certification paths.
	*
	* @param trustedCert
	* the trusted certificate
	* @param nameConstraints
	* the ASN.1 DER encoded form of the name constraints or {@code
	* null} if none.
	* @throws IllegalArgumentException
	* if the decoding of the name constraints fail.
	*/
	public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) {
	if (trustedCert == null) {
	throw new NullPointerException("trustedCert == null");
	}
	this.trustedCert = trustedCert;
	// copy nameConstraints if not null
	if (nameConstraints != null) {
	this.nameConstraints = new byte[nameConstraints.length];
	System.arraycopy(nameConstraints, 0,
	this.nameConstraints, 0, this.nameConstraints.length);
	processNameConstraints();
	} else {
	this.nameConstraints = null;
	}
	this.caName = null;
	this.caPrincipal = null;
	this.caPublicKey = null;
	}

	/**
	* Creates a new {@code TrustAnchor} with the specified certificate
	* authority name, its public key and the specified name constraints.
	* <p>
	* The name constraints will be used as additional constraints during the
	* validation of certification paths.
	*
	* @param caName
	* the X.500 name of the certificate authority in RFC 2253
	* {@code String} format.
	* @param caPublicKey
	* the public key of the certificate authority
	* @param nameConstraints
	* the ASN.1 DER encoded form of the name constraints or {@code
	* null} if none.
	* @throws IllegalArgumentException
	* if the {@code caName} is empty or if decoding of the name
	* constraints fail.
	*/
	public TrustAnchor(String caName, PublicKey caPublicKey,
	byte[] nameConstraints) {
	if (caName == null) {
	throw new NullPointerException("caName == null");
	}
	this.caName = caName;
	if (caPublicKey == null) {
	throw new NullPointerException("caPublicKey == null");
	}
	this.caPublicKey = caPublicKey;
	// copy nameConstraints if not null
	if (nameConstraints != null) {
	this.nameConstraints = new byte[nameConstraints.length];
	System.arraycopy(nameConstraints, 0,
	this.nameConstraints, 0, this.nameConstraints.length);
	processNameConstraints();
	} else {
	this.nameConstraints = null;
	}

	this.trustedCert = null;

	// X500Principal checks caName validity
	if (caName.isEmpty()) {
	throw new IllegalArgumentException("caName.isEmpty()");
	}
	this.caPrincipal = new X500Principal(this.caName);
	}

	/**
	* Creates a new {@code TrustAnchor} with the specified certificate
	* authority name as principal, its public key and the specified name
	* constraints.
	* <p>
	* The name constraints will be used as additional constraints during the
	* validation of certification paths.
	*
	* @param caPrincipal
	* the name of the certificate authority as X500 principal.
	* @param caPublicKey
	* the public key of the certificate authority.
	* @param nameConstraints
	* the ASN.1 DER encoded form of the name constraints or {@code
	* null} if none.
	* @throws IllegalArgumentException
	* if decoding of the name constraints fail.
	*/
	public TrustAnchor(X500Principal caPrincipal,
	PublicKey caPublicKey, byte[] nameConstraints) {
	if (caPrincipal == null) {
	throw new NullPointerException("caPrincipal == null");
	}
	this.caPrincipal = caPrincipal;
	if (caPublicKey == null) {
	throw new NullPointerException("caPublicKey == null");
	}
	this.caPublicKey = caPublicKey;
	// copy nameConstraints if not null
	if (nameConstraints != null) {
	this.nameConstraints = new byte[nameConstraints.length];
	System.arraycopy(nameConstraints, 0,
	this.nameConstraints, 0, this.nameConstraints.length);
	processNameConstraints();
	} else {
	this.nameConstraints = null;
	}

	this.trustedCert = null;
	this.caName = caPrincipal.getName();
	}

	/**
	* Returns a copy of the name constraints in ASN.1 DER encoded form.
	*
	* @return a copy of the name constraints in ASN.1 DER encoded form.
	*/
	public final byte[] getNameConstraints() {
	if (nameConstraints == null) {
	return null;
	}
	byte[] ret = new byte[nameConstraints.length];
	System.arraycopy(nameConstraints, 0,
	ret, 0, nameConstraints.length);
	return ret;
	}

	/**
	* Returns the certificate of this <i>trusted</i> certificate authority.
	*
	* @return the certificate of this CA or {@code null}, if the trust anchor
	* of this instance was not created with a certificate.
	*/
	public final X509Certificate getTrustedCert() {
	return trustedCert;
	}

	/**
	* Returns the name of the certificate authority as {@code X500Principal}.
	*
	* @return the name of the certificate authority or {@code null} if the
	* trust anchor of this instance was not created with a {@code
	* X500Principal}.
	*/
	public final X500Principal getCA() {
	return caPrincipal;
	}

	/**
	* Returns the name of the certificate authority as {@code String} in RFC
	* 2253 format.
	*
	* @return the name of the certificate authority as {@code String} in RFC
	* 2253 format or {@code null} if the trust anchor of this instance
	* was not created with a CA name.
	*/
	public final String getCAName() {
	return caName;
	}

	/**
	* Returns the public key of the certificate authority.
	*
	* @return the public key of the certificate authority or {@code null} if
	* the trust anchor if this instance was not created with a public
	* key.
	*/
	public final PublicKey getCAPublicKey() {
	return caPublicKey;
	}

	/**
	* Returns a string representation of this {@code TrustAnchor} instance.
	*
	* @return a string representation of this {@code TrustAnchor} instance.
	*/
	public String toString() {
	StringBuilder sb = new StringBuilder("TrustAnchor: [\n");
	if (trustedCert != null) {
	sb.append("Trusted CA certificate: ");
	sb.append(trustedCert);
	sb.append("\n");
	}
	if (caPrincipal != null) {
	sb.append("Trusted CA Name: ");
	sb.append(caPrincipal);
	sb.append("\n");
	}
	if (caPublicKey != null) {
	sb.append("Trusted CA Public Key: ");
	sb.append(caPublicKey);
	sb.append("\n");
	}
	// FIXME if needed:
	if (nameConstraints != null) {
	sb.append("Name Constraints:\n");
	sb.append(Array.toString(nameConstraints, " "));
	}
	sb.append("\n]");
	return sb.toString();
	}

	//
	// Private stuff
	//

	// Decodes and checks NameConstraints structure.
	// Throws IllegalArgumentException if NameConstraints
	// encoding is invalid.
	private void processNameConstraints() {
	try {
	// decode and check nameConstraints
	NameConstraints.ASN1.decode(nameConstraints);
	} catch (IOException e) {
	throw new IllegalArgumentException(e.getMessage());
	}
	}
	}