/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @author Alexander Y. Kleymenov
* @version $Revision$
*/
package org.apache.harmony.security.x509;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.apache.harmony.security.asn1.ASN1SequenceOf;
import org.apache.harmony.security.asn1.ASN1Type;
import org.apache.harmony.security.asn1.BerInputStream;
/**
* The class encapsulates the ASN.1 DER encoding/decoding work
* with the Extensions part of X.509 certificate
* (as specified in RFC 3280 -
* Internet X.509 Public Key Infrastructure.
* Certificate and Certificate Revocation List (CRL) Profile.
* http://www.ietf.org/rfc/rfc3280.txt):
*
* <pre>
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
* </pre>
*/
public final class Extensions {
// Supported critical extensions oids:
private static List SUPPORTED_CRITICAL = Arrays.asList(
"2.5.29.15", "2.5.29.19", "2.5.29.32", "2.5.29.17",
"2.5.29.30", "2.5.29.36", "2.5.29.37", "2.5.29.54");
// the values of extensions of the structure
private final List<Extension> extensions;
// to speed up access, the following fields cache values computed
// from the extensions field, initialized using the "single-check
// idiom".
private volatile Set<String> critical;
private volatile Set<String> noncritical;
// the flag showing is there any unsupported critical extension
// in the list of extensions or not.
private volatile Boolean hasUnsupported;
// map containing the oid of extensions as a keys and
// Extension objects as values
private volatile HashMap<String, Extension> oidMap;
// the ASN.1 encoded form of Extensions
private byte[] encoding;
/**
* Constructs an object representing the value of Extensions.
*/
public Extensions() {
this.extensions = null;
}
public Extensions(List<Extension> extensions) {
this.extensions = extensions;
}
public int size() {
return (extensions == null) ? 0 : extensions.size();
}
/**
* Returns the list of critical extensions.
*/
public Set<String> getCriticalExtensions() {
Set<String> resultCritical = critical;
if (resultCritical == null) {
makeOidsLists();
resultCritical = critical;
}
return resultCritical;
}
/**
* Returns the list of critical extensions.
*/
public Set<String> getNonCriticalExtensions() {
Set<String> resultNoncritical = noncritical;
if (resultNoncritical == null) {
makeOidsLists();
resultNoncritical = noncritical;
}
return resultNoncritical;
}
public boolean hasUnsupportedCritical() {
Boolean resultHasUnsupported = hasUnsupported;
if (resultHasUnsupported == null) {
makeOidsLists();
resultHasUnsupported = hasUnsupported;
}
return resultHasUnsupported.booleanValue();
}
//
// Makes the separated lists with oids of critical
// and non-critical extensions
//
private void makeOidsLists() {
if (extensions == null) {
return;
}
int size = extensions.size();
Set<String> localCritical = new HashSet<String>(size);
Set<String> localNoncritical = new HashSet<String>(size);
Boolean localHasUnsupported = Boolean.FALSE;
for (Extension extension : extensions) {
String oid = extension.getId();
if (extension.isCritical()) {
if (!SUPPORTED_CRITICAL.contains(oid)) {
localHasUnsupported = Boolean.TRUE;
}
localCritical.add(oid);
} else {
localNoncritical.add(oid);
}
}
this.critical = localCritical;
this.noncritical = localNoncritical;
this.hasUnsupported = localHasUnsupported;
}
/**
* Returns the values of extensions.
*/
public Extension getExtensionByOID(String oid) {
if (extensions == null) {
return null;
}
HashMap<String, Extension> localOidMap = oidMap;
if (localOidMap == null) {
localOidMap = new HashMap<String, Extension>();
for (Extension extension : extensions) {
localOidMap.put(extension.getId(), extension);
}
this.oidMap = localOidMap;
}
return localOidMap.get(oid);
}
/**
* Returns the value of Key Usage extension (OID == 2.5.29.15).
* The ASN.1 definition of Key Usage Extension is:
*
* <pre>
* id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
*
* KeyUsage ::= BIT STRING {
* digitalSignature (0),
* nonRepudiation (1),
* keyEncipherment (2),
* dataEncipherment (3),
* keyAgreement (4),
* keyCertSign (5),
* cRLSign (6),
* encipherOnly (7),
* decipherOnly (8)
* }
* </pre>
* (as specified in RFC 3280)
*
* @return the value of Key Usage Extension if it is in the list,
* and null if there is no such extension or its value can not be decoded
* otherwise. Note, that the length of returned array can be greater
* than 9.
*/
public boolean[] valueOfKeyUsage() {
Extension extension = getExtensionByOID("2.5.29.15");
KeyUsage kUsage;
if ((extension == null) || ((kUsage = extension.getKeyUsageValue()) == null)) {
return null;
}
return kUsage.getKeyUsage();
}
/**
* Returns the value of Extended Key Usage extension (OID == 2.5.29.37).
* The ASN.1 definition of Extended Key Usage Extension is:
*
* <pre>
* id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
*
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
*
* KeyPurposeId ::= OBJECT IDENTIFIER
* </pre>
* (as specified in RFC 3280)
*
* @return the list with string representations of KeyPurposeId's OIDs
* and null
* @throws IOException if extension was incorrectly encoded.
*/
public List<String> valueOfExtendedKeyUsage() throws IOException {
Extension extension = getExtensionByOID("2.5.29.37");
if (extension == null) {
return null;
}
return ((ExtendedKeyUsage) extension.getDecodedExtensionValue()).getExtendedKeyUsage();
}
/**
* Returns the value of Basic Constraints Extension (OID = 2.5.29.19).
* The ASN.1 definition of Basic Constraints Extension is:
*
* <pre>
* id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
*
* BasicConstraints ::= SEQUENCE {
* cA BOOLEAN DEFAULT FALSE,
* pathLenConstraint INTEGER (0..MAX) OPTIONAL
* }
* </pre>
* (as specified in RFC 3280)
*
* @return-1 if the Basic Constraints Extension is not present or
* it is present but it indicates the certificate is not a
* certificate authority. If the certificate is a certificate
* authority, returns the path length constraint if present, or
* Integer.MAX_VALUE if it is not.
*/
public int valueOfBasicConstraints() {
Extension extension = getExtensionByOID("2.5.29.19");
if (extension == null) {
return -1;
}
BasicConstraints bc = extension.getBasicConstraintsValue();
if (bc == null || !bc.getCa()) {
return -1;
}
return bc.getPathLenConstraint();
}
/**
* Returns the value of Subject Alternative Name (OID = 2.5.29.17).
* The ASN.1 definition for Subject Alternative Name is:
*
* <pre>
* id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
*
* SubjectAltName ::= GeneralNames
* </pre>
* (as specified in RFC 3280)
*
* @return Returns the collection of pairs:
* (Integer (tag), Object (name value)) if extension presents, and
* null if does not.
*/
public Collection<List<?>> valueOfSubjectAlternativeName() throws IOException {
return decodeGeneralNames(getExtensionByOID("2.5.29.17"));
}
/**
* Returns the value of Issuer Alternative Name Extension (OID = 2.5.29.18).
* The ASN.1 definition for Issuer Alternative Name is:
*
* <pre>
* id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
*
* IssuerAltName ::= GeneralNames
* </pre>
* (as specified in RFC 3280)
*
* @return Returns the collection of pairs:
* (Integer (tag), Object (name value)) if extension presents, and
* null if does not.
*/
public Collection<List<?>> valueOfIssuerAlternativeName() throws IOException {
return decodeGeneralNames(getExtensionByOID("2.5.29.18"));
}
/**
* Given an X.509 extension that encodes GeneralNames, return it in the
* format expected by APIs.
*/
private static Collection<List<?>> decodeGeneralNames(Extension extension)
throws IOException {
if (extension == null) {
return null;
}
Collection<List<?>> collection = ((GeneralNames) GeneralNames.ASN1.decode(extension
.getValue())).getPairsList();
/*
* If the extension had any invalid entries, we may have an empty
* collection at this point, so just return null.
*/
if (collection.size() == 0) {
return null;
}
return Collections.unmodifiableCollection(collection);
}
/**
* Returns the value of Certificate Issuer Extension (OID = 2.5.29.29).
* It is a CRL entry extension and contains the GeneralNames describing
* the issuer of revoked certificate. Its ASN.1 notation is as follows:
* <pre>
* id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
*
* certificateIssuer ::= GeneralNames
* </pre>
* (as specified in RFC 3280)
*
* @return the value of Certificate Issuer Extension
*/
public X500Principal valueOfCertificateIssuerExtension() throws IOException {
Extension extension = getExtensionByOID("2.5.29.29");
if (extension == null) {
return null;
}
return ((CertificateIssuer) extension.getDecodedExtensionValue()).getIssuer();
}
/**
* Returns ASN.1 encoded form of this X.509 Extensions value.
*/
public byte[] getEncoded() {
if (encoding == null) {
encoding = ASN1.encode(this);
}
return encoding;
}
@Override public boolean equals(Object other) {
if (!(other instanceof Extensions)) {
return false;
}
Extensions that = (Extensions) other;
return (this.extensions == null || this.extensions.isEmpty())
? (that.extensions == null || that.extensions.isEmpty())
: (this.extensions.equals(that.extensions));
}
@Override public int hashCode() {
int hashCode = 0;
if (extensions != null) {
hashCode = extensions.hashCode();
}
return hashCode;
}
public void dumpValue(StringBuilder sb, String prefix) {
if (extensions == null) {
return;
}
int num = 1;
for (Extension extension: extensions) {
sb.append('\n').append(prefix).append('[').append(num++).append("]: ");
extension.dumpValue(sb, prefix);
}
}
/**
* Custom X.509 Extensions decoder.
*/
public static final ASN1Type ASN1 = new ASN1SequenceOf(Extension.ASN1) {
@Override public Object getDecodedObject(BerInputStream in) {
return new Extensions((List<Extension>) in.content);
}
@Override public Collection getValues(Object object) {
Extensions extensions = (Extensions) object;
return (extensions.extensions == null) ? new ArrayList() : extensions.extensions;
}
};
}