/* * Copyright (c) 2000, 2002, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.provider.certpath; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.PublicKey; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.security.interfaces.DSAPublicKey; import javax.security.auth.x500.X500Principal; import sun.security.util.DerOutputStream; import sun.security.util.DerValue; import sun.security.util.Cache; import sun.security.x509.X509CertImpl; import sun.security.provider.X509Factory; /** * This class represents an X.509 Certificate Pair object, which is primarily * used to hold a pair of cross certificates issued between Certification * Authorities. The ASN.1 structure is listed below. The forward certificate * of the CertificatePair contains a certificate issued to this CA by another * CA. The reverse certificate of the CertificatePair contains a certificate * issued by this CA to another CA. When both the forward and the reverse * certificates are present in the CertificatePair, the issuer name in one * certificate shall match the subject name in the other and vice versa, and * the subject public key in one certificate shall be capable of verifying the * digital signature on the other certificate and vice versa. If a subject * public key in one certificate does not contain required key algorithm * parameters, then the signature check involving that key is not done.
* * The ASN.1 syntax for this object is: *
* CertificatePair ::= SEQUENCE { * forward [0] Certificate OPTIONAL, * reverse [1] Certificate OPTIONAL * -- at least one of the pair shall be present -- } *
* * This structure uses EXPLICIT tagging. References: Annex A of * X.509(2000), X.509(1997). * * @author Sean Mullan * @since 1.4 */ public class X509CertificatePair { /* ASN.1 explicit tags */ private static final byte TAG_FORWARD = 0; private static final byte TAG_REVERSE = 1; private X509Certificate forward; private X509Certificate reverse; private byte[] encoded; private static final Cache cache = Cache.newSoftMemoryCache(750); /** * Creates an empty instance of X509CertificatePair. */ public X509CertificatePair() {} /** * Creates an instance of X509CertificatePair. At least one of * the pair must be non-null. * * @param forward The forward component of the certificate pair * which represents a certificate issued to this CA by other CAs. * @param reverse The reverse component of the certificate pair * which represents a certificate issued by this CA to other CAs. * @throws CertificateException If an exception occurs. */ public X509CertificatePair(X509Certificate forward, X509Certificate reverse) throws CertificateException { if (forward == null && reverse == null) { throw new CertificateException("at least one of certificate pair " + "must be non-null"); } this.forward = forward; this.reverse = reverse; checkPair(); } /** * Create a new X509CertificatePair from its encoding. * * For internal use only, external code should use generateCertificatePair. */ private X509CertificatePair(byte[] encoded)throws CertificateException { try { parse(new DerValue(encoded)); this.encoded = encoded; } catch (IOException ex) { throw new CertificateException(ex.toString()); } checkPair(); } /** * Clear the cache for debugging. */ public static synchronized void clearCache() { cache.clear(); } /** * Create a X509CertificatePair from its encoding. Uses cache lookup * if possible. */ public static synchronized X509CertificatePair generateCertificatePair (byte[] encoded) throws CertificateException { Object key = new Cache.EqualByteArray(encoded); X509CertificatePair pair = (X509CertificatePair)cache.get(key); if (pair != null) { return pair; } pair = new X509CertificatePair(encoded); key = new Cache.EqualByteArray(pair.encoded); cache.put(key, pair); return pair; } /** * Sets the forward component of the certificate pair. */ public void setForward(X509Certificate cert) throws CertificateException { checkPair(); forward = cert; } /** * Sets the reverse component of the certificate pair. */ public void setReverse(X509Certificate cert) throws CertificateException { checkPair(); reverse = cert; } /** * Returns the forward component of the certificate pair. * * @return The forward certificate, or null if not set. */ public X509Certificate getForward() { return forward; } /** * Returns the reverse component of the certificate pair. * * @return The reverse certificate, or null if not set. */ public X509Certificate getReverse() { return reverse; } /** * Return the DER encoded form of the certificate pair. * * @return The encoded form of the certificate pair. * @throws CerticateEncodingException If an encoding exception occurs. */ public byte[] getEncoded() throws CertificateEncodingException { try { if (encoded == null) { DerOutputStream tmp = new DerOutputStream(); emit(tmp); encoded = tmp.toByteArray(); } } catch (IOException ex) { throw new CertificateEncodingException(ex.toString()); } return encoded; } /** * Return a printable representation of the certificate pair. * * @return A String describing the contents of the pair. */ public String toString() { StringBuffer sb = new StringBuffer(); sb.append("X.509 Certificate Pair: [\n"); if (forward != null) sb.append(" Forward: " + forward + "\n"); if (reverse != null) sb.append(" Reverse: " + reverse + "\n"); sb.append("]"); return sb.toString(); } /* Parse the encoded bytes */ private void parse(DerValue val) throws IOException, CertificateException { if (val.tag != DerValue.tag_Sequence) { throw new IOException ("Sequence tag missing for X509CertificatePair"); } while (val.data != null && val.data.available() != 0) { DerValue opt = val.data.getDerValue(); short tag = (byte) (opt.tag & 0x01f); switch (tag) { case TAG_FORWARD: if (opt.isContextSpecific() && opt.isConstructed()) { if (forward != null) { throw new IOException("Duplicate forward " + "certificate in X509CertificatePair"); } opt = opt.data.getDerValue(); forward = X509Factory.intern (new X509CertImpl(opt.toByteArray())); } break; case TAG_REVERSE: if (opt.isContextSpecific() && opt.isConstructed()) { if (reverse != null) { throw new IOException("Duplicate reverse " + "certificate in X509CertificatePair"); } opt = opt.data.getDerValue(); reverse = X509Factory.intern (new X509CertImpl(opt.toByteArray())); } break; default: throw new IOException("Invalid encoding of " + "X509CertificatePair"); } } if (forward == null && reverse == null) { throw new CertificateException("at least one of certificate pair " + "must be non-null"); } } /* Translate to encoded bytes */ private void emit(DerOutputStream out) throws IOException, CertificateEncodingException { DerOutputStream tagged = new DerOutputStream(); if (forward != null) { DerOutputStream tmp = new DerOutputStream(); tmp.putDerValue(new DerValue(forward.getEncoded())); tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_FORWARD), tmp); } if (reverse != null) { DerOutputStream tmp = new DerOutputStream(); tmp.putDerValue(new DerValue(reverse.getEncoded())); tagged.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_REVERSE), tmp); } out.write(DerValue.tag_Sequence, tagged); } /* * Check for a valid certificate pair */ private void checkPair() throws CertificateException { /* if either of pair is missing, return w/o error */ if (forward == null || reverse == null) { return; } /* * If both elements of the pair are present, check that they * are a valid pair. */ X500Principal fwSubject = forward.getSubjectX500Principal(); X500Principal fwIssuer = forward.getIssuerX500Principal(); X500Principal rvSubject = reverse.getSubjectX500Principal(); X500Principal rvIssuer = reverse.getIssuerX500Principal(); if (!fwIssuer.equals(rvSubject) || !rvIssuer.equals(fwSubject)) { throw new CertificateException("subject and issuer names in " + "forward and reverse certificates do not match"); } /* check signatures unless key parameters are missing */ try { PublicKey pk = reverse.getPublicKey(); if (!(pk instanceof DSAPublicKey) || ((DSAPublicKey)pk).getParams() != null) { forward.verify(pk); } pk = forward.getPublicKey(); if (!(pk instanceof DSAPublicKey) || ((DSAPublicKey)pk).getParams() != null) { reverse.verify(pk); } } catch (GeneralSecurityException e) { throw new CertificateException("invalid signature: " + e.getMessage()); } } }