0N/A/*
2362N/A * Copyright (c) 1997, 2002, Oracle and/or its affiliates. All rights reserved.
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
0N/A *
0N/A * This code is free software; you can redistribute it and/or modify it
0N/A * under the terms of the GNU General Public License version 2 only, as
2362N/A * published by the Free Software Foundation. Oracle designates this
0N/A * particular file as subject to the "Classpath" exception as provided
2362N/A * by Oracle in the LICENSE file that accompanied this code.
0N/A *
0N/A * This code is distributed in the hope that it will be useful, but WITHOUT
0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
0N/A * version 2 for more details (a copy is included in the LICENSE file that
0N/A * accompanied this code).
0N/A *
0N/A * You should have received a copy of the GNU General Public License version
0N/A * 2 along with this work; if not, write to the Free Software Foundation,
0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
0N/A *
2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2362N/A * or visit www.oracle.com if you need additional information or have any
2362N/A * questions.
0N/A */
0N/A
0N/Apackage sun.security.x509;
0N/A
0N/Aimport java.io.IOException;
0N/Aimport java.lang.Integer;
0N/Aimport java.net.InetAddress;
0N/Aimport java.util.Arrays;
0N/Aimport sun.misc.HexDumpEncoder;
0N/Aimport sun.security.util.BitArray;
0N/Aimport sun.security.util.DerOutputStream;
0N/Aimport sun.security.util.DerValue;
0N/A
0N/A/**
0N/A * This class implements the IPAddressName as required by the GeneralNames
0N/A * ASN.1 object. Both IPv4 and IPv6 addresses are supported using the
0N/A * formats specified in IETF PKIX RFC2459.
0N/A * <p>
0N/A * [RFC2459 4.2.1.7 Subject Alternative Name]
0N/A * When the subjectAltName extension contains a iPAddress, the address
0N/A * MUST be stored in the octet string in "network byte order," as
0N/A * specified in RFC 791. The least significant bit (LSB) of
0N/A * each octet is the LSB of the corresponding byte in the network
0N/A * address. For IP Version 4, as specified in RFC 791, the octet string
0N/A * MUST contain exactly four octets. For IP Version 6, as specified in
0N/A * RFC 1883, the octet string MUST contain exactly sixteen octets.
0N/A * <p>
0N/A * [RFC2459 4.2.1.11 Name Constraints]
0N/A * The syntax of iPAddress MUST be as described in section 4.2.1.7 with
0N/A * the following additions specifically for Name Constraints. For IPv4
0N/A * addresses, the ipAddress field of generalName MUST contain eight (8)
0N/A * octets, encoded in the style of RFC 1519 (CIDR) to represent an
0N/A * address range.[RFC 1519] For IPv6 addresses, the ipAddress field
0N/A * MUST contain 32 octets similarly encoded. For example, a name
0N/A * constraint for "class C" subnet 10.9.8.0 shall be represented as the
0N/A * octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation
0N/A * 10.9.8.0/255.255.255.0.
0N/A * <p>
0N/A * @see GeneralName
0N/A * @see GeneralNameInterface
0N/A * @see GeneralNames
0N/A *
0N/A *
0N/A * @author Amit Kapoor
0N/A * @author Hemma Prafullchandra
0N/A */
0N/Apublic class IPAddressName implements GeneralNameInterface {
0N/A private byte[] address;
0N/A private boolean isIPv4;
0N/A private String name;
0N/A
0N/A /**
0N/A * Create the IPAddressName object from the passed encoded Der value.
0N/A *
0N/A * @params derValue the encoded DER IPAddressName.
0N/A * @exception IOException on error.
0N/A */
0N/A public IPAddressName(DerValue derValue) throws IOException {
0N/A this(derValue.getOctetString());
0N/A }
0N/A
0N/A /**
0N/A * Create the IPAddressName object with the specified octets.
0N/A *
0N/A * @params address the IP address
0N/A * @throws IOException if address is not a valid IPv4 or IPv6 address
0N/A */
0N/A public IPAddressName(byte[] address) throws IOException {
0N/A /*
0N/A * A valid address must consist of 4 bytes of address and
0N/A * optional 4 bytes of 4 bytes of mask, or 16 bytes of address
0N/A * and optional 16 bytes of mask.
0N/A */
0N/A if (address.length == 4 || address.length == 8) {
0N/A isIPv4 = true;
0N/A } else if (address.length == 16 || address.length == 32) {
0N/A isIPv4 = false;
0N/A } else {
0N/A throw new IOException("Invalid IPAddressName");
0N/A }
0N/A this.address = address;
0N/A }
0N/A
0N/A /**
0N/A * Create an IPAddressName from a String.
0N/A * [IETF RFC1338 Supernetting & IETF RFC1519 Classless Inter-Domain
0N/A * Routing (CIDR)] For IPv4 addresses, the forms are
0N/A * "b1.b2.b3.b4" or "b1.b2.b3.b4/m1.m2.m3.m4", where b1 - b4 are decimal
0N/A * byte values 0-255 and m1 - m4 are decimal mask values
0N/A * 0 - 255.
0N/A * <p>
0N/A * [IETF RFC2373 IP Version 6 Addressing Architecture]
0N/A * For IPv6 addresses, the forms are "a1:a2:...:a8" or "a1:a2:...:a8/n",
0N/A * where a1-a8 are hexadecimal values representing the eight 16-bit pieces
0N/A * of the address. If /n is used, n is a decimal number indicating how many
0N/A * of the leftmost contiguous bits of the address comprise the prefix for
0N/A * this subnet. Internally, a mask value is created using the prefix length.
0N/A * <p>
0N/A * @param name String form of IPAddressName
0N/A * @throws IOException if name can not be converted to a valid IPv4 or IPv6
0N/A * address
0N/A */
0N/A public IPAddressName(String name) throws IOException {
0N/A
0N/A if (name == null || name.length() == 0) {
0N/A throw new IOException("IPAddress cannot be null or empty");
0N/A }
0N/A if (name.charAt(name.length() - 1) == '/') {
0N/A throw new IOException("Invalid IPAddress: " + name);
0N/A }
0N/A
0N/A if (name.indexOf(':') >= 0) {
0N/A // name is IPv6: uses colons as value separators
0N/A // Parse name into byte-value address components and optional
0N/A // prefix
0N/A parseIPv6(name);
0N/A isIPv4 = false;
0N/A } else if (name.indexOf('.') >= 0) {
0N/A //name is IPv4: uses dots as value separators
0N/A parseIPv4(name);
0N/A isIPv4 = true;
0N/A } else {
0N/A throw new IOException("Invalid IPAddress: " + name);
0N/A }
0N/A }
0N/A
0N/A /**
0N/A * Parse an IPv4 address.
0N/A *
0N/A * @param name IPv4 address with optional mask values
0N/A * @throws IOException on error
0N/A */
0N/A private void parseIPv4(String name) throws IOException {
0N/A
0N/A // Parse name into byte-value address components
0N/A int slashNdx = name.indexOf('/');
0N/A if (slashNdx == -1) {
0N/A address = InetAddress.getByName(name).getAddress();
0N/A } else {
0N/A address = new byte[8];
0N/A
0N/A // parse mask
0N/A byte[] mask = InetAddress.getByName
0N/A (name.substring(slashNdx+1)).getAddress();
0N/A
0N/A // parse base address
0N/A byte[] host = InetAddress.getByName
0N/A (name.substring(0, slashNdx)).getAddress();
0N/A
0N/A System.arraycopy(host, 0, address, 0, 4);
0N/A System.arraycopy(mask, 0, address, 4, 4);
0N/A }
0N/A }
0N/A
0N/A /**
0N/A * Parse an IPv6 address.
0N/A *
0N/A * @param name String IPv6 address with optional /<prefix length>
0N/A * If /<prefix length> is present, address[] array will
0N/A * be 32 bytes long, otherwise 16.
0N/A * @throws IOException on error
0N/A */
0N/A private final static int MASKSIZE = 16;
0N/A private void parseIPv6(String name) throws IOException {
0N/A
0N/A int slashNdx = name.indexOf('/');
0N/A if (slashNdx == -1) {
0N/A address = InetAddress.getByName(name).getAddress();
0N/A } else {
0N/A address = new byte[32];
0N/A byte[] base = InetAddress.getByName
0N/A (name.substring(0, slashNdx)).getAddress();
0N/A System.arraycopy(base, 0, address, 0, 16);
0N/A
0N/A // append a mask corresponding to the num of prefix bits specified
0N/A int prefixLen = Integer.parseInt(name.substring(slashNdx+1));
0N/A if (prefixLen > 128)
0N/A throw new IOException("IPv6Address prefix is longer than 128");
0N/A
0N/A // create new bit array initialized to zeros
0N/A BitArray bitArray = new BitArray(MASKSIZE * 8);
0N/A
0N/A // set all most significant bits up to prefix length
0N/A for (int i = 0; i < prefixLen; i++)
0N/A bitArray.set(i, true);
0N/A byte[] maskArray = bitArray.toByteArray();
0N/A
0N/A // copy mask bytes into mask portion of address
0N/A for (int i = 0; i < MASKSIZE; i++)
0N/A address[MASKSIZE+i] = maskArray[i];
0N/A }
0N/A }
0N/A
0N/A /**
0N/A * Return the type of the GeneralName.
0N/A */
0N/A public int getType() {
0N/A return NAME_IP;
0N/A }
0N/A
0N/A /**
0N/A * Encode the IPAddress name into the DerOutputStream.
0N/A *
0N/A * @params out the DER stream to encode the IPAddressName to.
0N/A * @exception IOException on encoding errors.
0N/A */
0N/A public void encode(DerOutputStream out) throws IOException {
0N/A out.putOctetString(address);
0N/A }
0N/A
0N/A /**
0N/A * Return a printable string of IPaddress
0N/A */
0N/A public String toString() {
0N/A try {
0N/A return "IPAddress: " + getName();
0N/A } catch (IOException ioe) {
0N/A // dump out hex rep for debugging purposes
0N/A HexDumpEncoder enc = new HexDumpEncoder();
0N/A return "IPAddress: " + enc.encodeBuffer(address);
0N/A }
0N/A }
0N/A
0N/A /**
0N/A * Return a standard String representation of IPAddress.
0N/A * See IPAddressName(String) for the formats used for IPv4
0N/A * and IPv6 addresses.
0N/A *
0N/A * @throws IOException if the IPAddress cannot be converted to a String
0N/A */
0N/A public String getName() throws IOException {
0N/A if (name != null)
0N/A return name;
0N/A
0N/A if (isIPv4) {
0N/A //IPv4 address or subdomain
0N/A byte[] host = new byte[4];
0N/A System.arraycopy(address, 0, host, 0, 4);
0N/A name = InetAddress.getByAddress(host).getHostAddress();
0N/A if (address.length == 8) {
0N/A byte[] mask = new byte[4];
0N/A System.arraycopy(address, 4, mask, 0, 4);
0N/A name = name + "/" +
0N/A InetAddress.getByAddress(mask).getHostAddress();
0N/A }
0N/A } else {
0N/A //IPv6 address or subdomain
0N/A byte[] host = new byte[16];
0N/A System.arraycopy(address, 0, host, 0, 16);
0N/A name = InetAddress.getByAddress(host).getHostAddress();
0N/A if (address.length == 32) {
0N/A // IPv6 subdomain: display prefix length
0N/A
0N/A // copy subdomain into new array and convert to BitArray
0N/A byte[] maskBytes = new byte[16];
0N/A for (int i=16; i < 32; i++)
0N/A maskBytes[i-16] = address[i];
0N/A BitArray ba = new BitArray(16*8, maskBytes);
0N/A // Find first zero bit
0N/A int i=0;
0N/A for (; i < 16*8; i++) {
0N/A if (!ba.get(i))
0N/A break;
0N/A }
0N/A name = name + "/" + i;
0N/A // Verify remaining bits 0
0N/A for (; i < 16*8; i++) {
0N/A if (ba.get(i)) {
0N/A throw new IOException("Invalid IPv6 subdomain - set " +
0N/A "bit " + i + " not contiguous");
0N/A }
0N/A }
0N/A }
0N/A }
0N/A return name;
0N/A }
0N/A
0N/A /**
0N/A * Returns this IPAddress name as a byte array.
0N/A */
0N/A public byte[] getBytes() {
0N/A return address.clone();
0N/A }
0N/A
0N/A /**
0N/A * Compares this name with another, for equality.
0N/A *
0N/A * @return true iff the names are identical.
0N/A */
0N/A public boolean equals(Object obj) {
0N/A if (this == obj)
0N/A return true;
0N/A
0N/A if (!(obj instanceof IPAddressName))
0N/A return false;
0N/A
0N/A byte[] other = ((IPAddressName)obj).getBytes();
0N/A
0N/A if (other.length != address.length)
0N/A return false;
0N/A
0N/A if (address.length == 8 || address.length == 32) {
0N/A // Two subnet addresses
0N/A // Mask each and compare masked values
0N/A int maskLen = address.length/2;
0N/A byte[] maskedThis = new byte[maskLen];
0N/A byte[] maskedOther = new byte[maskLen];
0N/A for (int i=0; i < maskLen; i++) {
0N/A maskedThis[i] = (byte)(address[i] & address[i+maskLen]);
0N/A maskedOther[i] = (byte)(other[i] & other[i+maskLen]);
0N/A if (maskedThis[i] != maskedOther[i]) {
0N/A return false;
0N/A }
0N/A }
0N/A // Now compare masks
0N/A for (int i=maskLen; i < address.length; i++)
0N/A if (address[i] != other[i])
0N/A return false;
0N/A return true;
0N/A } else {
0N/A // Two IPv4 host addresses or two IPv6 host addresses
0N/A // Compare bytes
0N/A return Arrays.equals(other, address);
0N/A }
0N/A }
0N/A
0N/A /**
0N/A * Returns the hash code value for this object.
0N/A *
0N/A * @return a hash code value for this object.
0N/A */
0N/A public int hashCode() {
0N/A int retval = 0;
0N/A
0N/A for (int i=0; i<address.length; i++)
0N/A retval += address[i] * i;
0N/A
0N/A return retval;
0N/A }
0N/A
0N/A /**
0N/A * Return type of constraint inputName places on this name:<ul>
0N/A * <li>NAME_DIFF_TYPE = -1: input name is different type from name
0N/A * (i.e. does not constrain).
0N/A * <li>NAME_MATCH = 0: input name matches name.
0N/A * <li>NAME_NARROWS = 1: input name narrows name (is lower in the naming
0N/A * subtree)
0N/A * <li>NAME_WIDENS = 2: input name widens name (is higher in the naming
0N/A * subtree)
0N/A * <li>NAME_SAME_TYPE = 3: input name does not match or narrow name, but
0N/A * is same type.
0N/A * </ul>. These results are used in checking NameConstraints during
0N/A * certification path verification.
0N/A * <p>
0N/A * [RFC2459] The syntax of iPAddress MUST be as described in section
0N/A * 4.2.1.7 with the following additions specifically for Name Constraints.
0N/A * For IPv4 addresses, the ipAddress field of generalName MUST contain
0N/A * eight (8) octets, encoded in the style of RFC 1519 (CIDR) to represent an
0N/A * address range.[RFC 1519] For IPv6 addresses, the ipAddress field
0N/A * MUST contain 32 octets similarly encoded. For example, a name
0N/A * constraint for "class C" subnet 10.9.8.0 shall be represented as the
0N/A * octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation
0N/A * 10.9.8.0/255.255.255.0.
0N/A * <p>
0N/A * @param inputName to be checked for being constrained
0N/A * @returns constraint type above
0N/A * @throws UnsupportedOperationException if name is not exact match, but
0N/A * narrowing and widening are not supported for this name type.
0N/A */
0N/A public int constrains(GeneralNameInterface inputName)
0N/A throws UnsupportedOperationException {
0N/A int constraintType;
0N/A if (inputName == null)
0N/A constraintType = NAME_DIFF_TYPE;
0N/A else if (inputName.getType() != NAME_IP)
0N/A constraintType = NAME_DIFF_TYPE;
0N/A else if (((IPAddressName)inputName).equals(this))
0N/A constraintType = NAME_MATCH;
0N/A else {
0N/A byte[] otherAddress = ((IPAddressName)inputName).getBytes();
0N/A if (otherAddress.length == 4 && address.length == 4)
0N/A // Two host addresses
0N/A constraintType = NAME_SAME_TYPE;
0N/A else if ((otherAddress.length == 8 && address.length == 8) ||
0N/A (otherAddress.length == 32 && address.length == 32)) {
0N/A // Two subnet addresses
0N/A // See if one address fully encloses the other address
0N/A boolean otherSubsetOfThis = true;
0N/A boolean thisSubsetOfOther = true;
0N/A boolean thisEmpty = false;
0N/A boolean otherEmpty = false;
0N/A int maskOffset = address.length/2;
0N/A for (int i=0; i < maskOffset; i++) {
0N/A if ((byte)(address[i] & address[i+maskOffset]) != address[i])
0N/A thisEmpty=true;
0N/A if ((byte)(otherAddress[i] & otherAddress[i+maskOffset]) != otherAddress[i])
0N/A otherEmpty=true;
0N/A if (!(((byte)(address[i+maskOffset] & otherAddress[i+maskOffset]) == address[i+maskOffset]) &&
0N/A ((byte)(address[i] & address[i+maskOffset]) == (byte)(otherAddress[i] & address[i+maskOffset])))) {
0N/A otherSubsetOfThis = false;
0N/A }
0N/A if (!(((byte)(otherAddress[i+maskOffset] & address[i+maskOffset]) == otherAddress[i+maskOffset]) &&
0N/A ((byte)(otherAddress[i] & otherAddress[i+maskOffset]) == (byte)(address[i] & otherAddress[i+maskOffset])))) {
0N/A thisSubsetOfOther = false;
0N/A }
0N/A }
0N/A if (thisEmpty || otherEmpty) {
0N/A if (thisEmpty && otherEmpty)
0N/A constraintType = NAME_MATCH;
0N/A else if (thisEmpty)
0N/A constraintType = NAME_WIDENS;
0N/A else
0N/A constraintType = NAME_NARROWS;
0N/A } else if (otherSubsetOfThis)
0N/A constraintType = NAME_NARROWS;
0N/A else if (thisSubsetOfOther)
0N/A constraintType = NAME_WIDENS;
0N/A else
0N/A constraintType = NAME_SAME_TYPE;
0N/A } else if (otherAddress.length == 8 || otherAddress.length == 32) {
0N/A //Other is a subnet, this is a host address
0N/A int i = 0;
0N/A int maskOffset = otherAddress.length/2;
0N/A for (; i < maskOffset; i++) {
0N/A // Mask this address by other address mask and compare to other address
0N/A // If all match, then this address is in other address subnet
0N/A if ((address[i] & otherAddress[i+maskOffset]) != otherAddress[i])
0N/A break;
0N/A }
0N/A if (i == maskOffset)
0N/A constraintType = NAME_WIDENS;
0N/A else
0N/A constraintType = NAME_SAME_TYPE;
0N/A } else if (address.length == 8 || address.length == 32) {
0N/A //This is a subnet, other is a host address
0N/A int i = 0;
0N/A int maskOffset = address.length/2;
0N/A for (; i < maskOffset; i++) {
0N/A // Mask other address by this address mask and compare to this address
0N/A if ((otherAddress[i] & address[i+maskOffset]) != address[i])
0N/A break;
0N/A }
0N/A if (i == maskOffset)
0N/A constraintType = NAME_NARROWS;
0N/A else
0N/A constraintType = NAME_SAME_TYPE;
0N/A } else {
0N/A constraintType = NAME_SAME_TYPE;
0N/A }
0N/A }
0N/A return constraintType;
0N/A }
0N/A
0N/A /**
0N/A * Return subtree depth of this name for purposes of determining
0N/A * NameConstraints minimum and maximum bounds and for calculating
0N/A * path lengths in name subtrees.
0N/A *
0N/A * @returns distance of name from root
0N/A * @throws UnsupportedOperationException if not supported for this name type
0N/A */
0N/A public int subtreeDepth() throws UnsupportedOperationException {
0N/A throw new UnsupportedOperationException
0N/A ("subtreeDepth() not defined for IPAddressName");
0N/A }
0N/A}