/*
 * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * Note: As of 1.4, the public class,
 * javax.security.auth.x500.X500Principal,
 * should be used when parsing, generating, and comparing X.500 DNs.
 * This class contains other useful methods for checking name constraints
 * and retrieving DNs by keyword.
 *
 * <p> X.500 names are used to identify entities, such as those which are
 * identified by X.509 certificates.  They are world-wide, hierarchical,
 * and descriptive.  Entities can be identified by attributes, and in
 * some systems can be searched for according to those attributes.
 *
 * <p> The ASN.1 for this is:
 *
 *     GeneralName ::= CHOICE {
 *         directoryName                   [4]     Name,
 *
 *     RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 *
 *     RelativeDistinguishedName ::=
 *         SET OF AttributeTypeAndValue
 *
 *     AttributeTypeAndValue ::= SEQUENCE {
 *         type     AttributeType,
 *         value    AttributeValue }
 *
 *     AttributeType ::= OBJECT IDENTIFIER
 *
 *     AttributeValue ::= ANY DEFINED BY AttributeType
 *
 *     DirectoryString ::= CHOICE {
 *         teletexString           TeletexString (SIZE (1..MAX)),
 *         printableString         PrintableString (SIZE (1..MAX)),
 *         universalString         UniversalString (SIZE (1..MAX)),
 *         utf8String              UTF8String (SIZE (1.. MAX)),
 *         bmpString               BMPString (SIZE (1..MAX)) }
 *
 * <p> This specification requires only a subset of the name comparison
 * functionality specified in the X.500 series of specifications.  The
 * requirements for conforming implementations are as follows:
 *
 * <ul>
 * <li>attribute values encoded in different types (e.g.,
 * PrintableString and BMPString) may be assumed to represent
 * different strings;
 *
 * <li>attribute values in types other than PrintableString are case
 * sensitive (this permits matching of attribute values as binary
 *
 * <li>attribute values in PrintableString are not case sensitive
 * (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
 *
 * <li>attribute values in PrintableString are compared after
 * removing leading and trailing white space and converting internal
 * substrings of one or more consecutive white space characters to a
 * </ul>
 *
 * <p> These name comparison rules permit a certificate user to validate
 * certificates issued using languages or encodings unfamiliar to the
 *
 * <p> In addition, implementations of this specification MAY use these
 * comparison rules to process unfamiliar attribute types for name
 * chaining.  This allows implementations to process certificates with
 * unfamiliar attributes in the issuer name.
 *
 * <p> Note that the comparison rules defined in the X.500 series of
 * specifications indicate that the character sets used to encode data
 * in distinguished names are irrelevant.  The characters themselves are
 * compared without regard to encoding.  Implementations of the profile
 * are permitted to use the comparison algorithm defined in the X.500
 * series.  Such an implementation will recognize a superset of name
 * matches recognized by the algorithm specified above.
 *
 * <p> Note that instances of this class are immutable.
 *
 * @author David Brownell
 * @author Amit Kapoor
 * @author Hemma Prafullchandra
 * @see GeneralNameInterface
 */

    // cached immutable list of the RDNs and all the AVAs

    /**
     * Constructs a name from a conventionally formatted string, such
     * as "CN=Dave, OU=JavaSoft, O=Sun Microsystems, C=US".
     * (RFC 1779 or RFC 2253 style).
     *
     * @param DN X.500 Distinguished Name
     */

    /**
     * Constructs a name from a conventionally formatted string, such
     * as "CN=Dave, OU=JavaSoft, O=Sun Microsystems, C=US".
     * (RFC 1779 or RFC 2253 style).
     *
     * @param DN X.500 Distinguished Name
     */

    /**
     * Constructs a name from a string formatted according to format.
     * Currently, the formats DEFAULT and RFC2253 are supported.
     * DEFAULT is the default format used by the X500Name(String)
     * constructor.  RFC2253 is format strictly according to RFC2253
     * without extensions.
     *
     * @param DN X.500 Distinguished Name
     */

    /**
     * Constructs a name from fields common in enterprise application
     *
     * <P><EM><STRONG>NOTE:</STRONG> The behaviour when any of
     * these strings contain characters outside the ASCII range
     * is unspecified in currently relevant standards.</EM>
     *
     * @param commonName common name of a person, e.g. "Vivette Davis"
     * @param organizationUnit small organization name, e.g. "Purchasing"
     * @param organizationName large organization name, e.g. "Onizuka, Inc."
     * @param country two letter country code, e.g. "CH"
     */
        // NOTE: it's only on output that little-endian

    /**
     * Constructs a name from fields common in Internet application
     *
     * <P><EM><STRONG>NOTE:</STRONG> The behaviour when any of
     * these strings contain characters outside the ASCII range
     * is unspecified in currently relevant standards.</EM>
     *
     * @param commonName common name of a person, e.g. "Vivette Davis"
     * @param organizationUnit small organization name, e.g. "Purchasing"
     * @param organizationName large organization name, e.g. "Onizuka, Inc."
     * @param localityName locality (city) name, e.g. "Palo Alto"
     * @param stateName state name, e.g. "California"
     * @param country two letter country code, e.g. "CH"
     */
        // NOTE: it's only on output that little-endian

    /**
     * Constructs a name from an array of relative distinguished names
     *
     * @param rdnArray array of relative distinguished names
     * @throws IOException on error
     */

    /**
     * Constructs a name from an ASN.1 encoded value.  The encoding
     * of the name in the stream uses DER (a BER/1 subset).
     *
     * @param value a DER-encoded value holding an X.500 name.
     */
        // Note that toDerInputStream uses only the buffer (data) and not
        // the tag, so an empty SEQUENCE (OF) will yield an empty DerInputStream

    /**
     * Constructs a name from an ASN.1 encoded input stream.  The encoding
     * of the name in the stream uses DER (a BER/1 subset).
     *
     * @param in DER-encoded data holding an X.500 name.
     */

    /**
     * Constructs a name from an ASN.1 encoded byte array.
     *
     * @param name DER-encoded byte array holding an X.500 name.
     */

    /**
     * Return an immutable List of all RDNs in this X500Name.
     */

    /**
     * Return the number of RDNs in this X500Name.
     */

    /**
     * Return an immutable List of the AVAs contained in all the
     * RDNs of this X500Name.
     */

    /**
     * Return the total number of AVAs contained in all the RDNs of
     */

    /**
     * Return whether this X500Name is empty.  An X500Name is not empty
     * if it has at least one RDN containing at least one AVA.
     */
        for (int i = 0; i < n; i++) {
    /**
     * Calculates a hash code value for the object.  Objects
     * which are equal will also have the same hashcode.
     */

    /**
     * Compares this name with another, for equality.
     *
     * @return true iff the names are identical.
     */
        // if we already have the canonical forms, compare now
        // quick check that number of RDNs and AVAs match before canonicalizing
        for (int i = 0; i < n; i++) {
        // definite check via canonical form

    /**
     * Returns the name component as a Java string, regardless of its
     * encoding restrictions.
     */

    /**
     * Return type of GeneralName.
     */

    /**
     * Returns a "Country" name component.  If more than one
     * such attribute exists, the topmost one is returned.
     *
     * @return "C=" component of the name, if any.
     */

    /**
     * Returns an "Organization" name component.  If more than
     * one such attribute exists, the topmost one is returned.
     *
     * @return "O=" component of the name, if any.
     */

    /**
     * Returns an "Organizational Unit" name component.  If more
     * than one such attribute exists, the topmost one is returned.
     *
     * @return "OU=" component of the name, if any.
     */

    /**
     * Returns a "Common Name" component.  If more than one such
     * attribute exists, the topmost one is returned.
     *
     * @return "CN=" component of the name, if any.
     */

    /**
     * Returns a "Locality" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "L=" component of the name, if any.
     */

    /**
     * Returns a "State" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "S=" component of the name, if any.
     */

    /**
     * Returns a "Domain" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "DC=" component of the name, if any.
     */

    /**
     * Returns a "DN Qualifier" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "DNQ=" component of the name, if any.
     */

    /**
     * Returns a "Surname" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "SURNAME=" component of the name, if any.
     */

    /**
     * Returns a "Given Name" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "GIVENNAME=" component of the name, if any.
     */

    /**
     * Returns an "Initials" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "INITIALS=" component of the name, if any.
     */

    /**
     * Returns a "Generation Qualifier" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "GENERATION=" component of the name, if any.
     */

    /**
     * Returns an "IP address" name component.  If more than one
     * such component exists, the topmost one is returned.
     *
     * @return "IP=" component of the name, if any.
     */

    /**
     * Returns a string form of the X.500 distinguished name.
     * The format of the string is from RFC 1779.  The returned string
     * may contain non-standardised keywords for more readability
     * (keywords from RFCs 1779, 2253, and 3280).
     */

    /**
     * Returns a string form of the X.500 distinguished name
     * using the algorithm defined in RFC 1779.  Only standard attribute type
     * keywords defined in RFC 1779 are emitted.
     */

    /**
     * Returns a string form of the X.500 distinguished name
     * using the algorithm defined in RFC 1779.  Attribute type
     * keywords defined in RFC 1779 are emitted, as well as additional
     */
        // return cached result

    /**
     * Returns a string form of the X.500 distinguished name
     * using the algorithm defined in RFC 2253.  Only standard attribute type
     * keywords defined in RFC 2253 are emitted.
     */

    /**
     * Returns a string form of the X.500 distinguished name
     * using the algorithm defined in RFC 2253.  Attribute type
     * keywords defined in RFC 2253 are emitted, as well as additional
     */
        /* check for and return cached name */

        /*
         * Section 2.1 : if the RDNSequence is an empty sequence
         * the result is the empty or zero length string.
         */

        /*
         * 2.1 (continued) : Otherwise, the output consists of the string
         * encodings of each RelativeDistinguishedName in the RDNSequence
         * (according to 2.2), starting with the last element of the sequence
         * and moving backwards toward the first.
         *
         * The encodings of adjoining RelativeDistinguishedNames are separated
         * by a comma character (',' ASCII 44).
         */

        /* check for and return cached name */

        /*
         * Section 2.1 : if the RDNSequence is an empty sequence
         * the result is the empty or zero length string.
         */

        /*
         * 2.1 (continued) : Otherwise, the output consists of the string
         * encodings of each RelativeDistinguishedName in the RDNSequence
         * (according to 2.2), starting with the last element of the sequence
         * and moving backwards toward the first.
         *
         * The encodings of adjoining RelativeDistinguishedNames are separated
         * by a comma character (',' ASCII 44).
         */

    /**
     * Returns the value of toString().  This call is needed to
     * implement the java.security.Principal interface.
     */

    /**
     * Find the first instance of this attribute in a "top down"
     * search of all the attributes in the name.
     */

    /**
     * Find the most specific ("last") attribute of the given
     */

    /****************************************************************/

        // X.500 names are a "SEQUENCE OF" RDNs, which means zero or
        // more and order matters.  We scan them in order, which
        // conventionally is big-endian.

    /**
     * Encodes the name in DER-encoded form.
     *
     * @deprecated Use encode() instead
     * @param out where to put the DER-encoded X.500 name
     */

    /**
     * Encodes the name in DER-encoded form.
     *
     * @param out where to put the DER-encoded X.500 name
     */

    /**
     * Returns the encoding as an uncloned byte array.  Callers must
     * guarantee that they neither modify it nor expose it to untrusted
     */

    /**
     * Gets the name in DER-encoded form.
     *
     * @return the DER encoded byte array of this name.
     */

    /**
     * Parses a Distinguished Name (DN) in printable representation.
     *
     * According to RFC 1779, RDNs in a DN are separated by comma.
     * The following examples show both methods of quoting a comma, so that it
     * is not considered a separator:
     *
     *     O="Sue, Grabbit and Runn" or
     *     O=Sue\, Grabbit and Runn
     *
     * This method can parse 1779 or 2253 DNs and non-standard 3280 keywords.
     */
        /*
         * We have encountered an RDN delimiter (comma or a semicolon).
         * If the comma or semicolon in the RDN under consideration is
         * preceded by a backslash (escape), or by a double quote, it
         * is part of the RDN.  Otherwise, it is used as a separator, to
         * delimit the RDN under consideration from any subsequent RDNs.
         */
            // Parse RDN, and store it in vector
            // Increase the offset
            // Set quote counter back to zero
        // Parse last or only RDN, and store it in vector
        /*
         * Store the vector elements as an array of RDNs
         * NOTE: It's only on output that little-endian ordering is used.
         */

        /*
         * We have encountered an RDN delimiter (comma).
         * If the comma in the RDN under consideration is
         * preceded by a backslash (escape), it
         * is part of the RDN.  Otherwise, it is used as a separator, to
         * delimit the RDN under consideration from any subsequent RDNs.
         */
            /*
             * Comma is a separator
             */
            // Parse RDN, and store it in vector
            // Increase the offset
        // Parse last or only RDN, and store it in vector
        /*
         * Store the vector elements as an array of RDNs
         * NOTE: It's only on output that little-endian ordering is used.
         */

    /**
     * Counts double quotes in string.
     * Escaped quotes are ignored.
     */
                count++;
        // count consecutive backslashes
        // if count is odd, then rdnEnd is escaped

    /**
     * Dump the printable form of a distinguished name.  Each relative
     * name is separated from the next by a ",", and assertions in the
     * relative names have "label=value" syntax.
     *
     * Uses RFC 1779 syntax (i.e. little-endian, comma separators)
     */

    /**
     * Dump the printable form of a distinguished name.  Each relative
     * name is separated from the next by a ",", and assertions in the
     * relative names have "label=value" syntax.
     *
     * Uses RFC 1779 syntax (i.e. little-endian, comma separators)
     *
     * Valid keywords from RFC 1779 are used.  Additional keywords can be
     */

    /****************************************************************/

    /*
     * Maybe return a preallocated OID, to reduce storage costs
     * and speed recognition of common X.500 attributes.
     */

    /*
     * Selected OIDs from X.520
     * Includes all those specified in RFC 3280 as MUST or SHOULD
     */

    private static final int ipAddress_data[] = { 1, 3, 6, 1, 4, 1, 42, 2, 11, 2, 1 };

    // initializer of the domain component OID, 0.9.2342.19200300.100.1.25
        { 0, 9, 2342, 19200300, 100, 1, 25 };

    // initializer of the user id OID, 0.9.2342.19200300.100.1.1
        { 0, 9, 2342, 19200300, 100, 1, 1 };
    /** OID for the "CN=" attribute, denoting a person's common name. */

    /** OID for the "SERIALNUMBER=" attribute, denoting a serial number for
        a name.  Do not confuse with PKCS#9 issuerAndSerialNumber or the
        certificate serial number. */

    /** OID for the "C=" attribute, denoting a country. */

    /** OID for the "L=" attribute, denoting a locality (such as a city) */

    /** OID for the "O=" attribute, denoting an organization name */

    /** OID for the "OU=" attribute, denoting an organizational unit name */

    /** OID for the "S=" attribute, denoting a state (such as Delaware) */

    /** OID for the "STREET=" attribute, denoting a street address. */

    /** OID for the "T=" attribute, denoting a person's title. */

    /** OID for the "DNQUALIFIER=" or "DNQ=" attribute, denoting DN
        disambiguating information. */

    /** OID for the "SURNAME=" attribute, denoting a person's surname. */

    /** OID for the "GIVENNAME=" attribute, denoting a person's given name. */

    /** OID for the "INITIALS=" attribute, denoting a person's initials. */

    /** OID for the "GENERATION=" attribute, denoting Jr., II, etc. */

    /*
     * OIDs from other sources which show up in X.500 names we
     * expect to deal with often
     */

    /** OID for "IP=" IP address attributes, used with SKIP. */

    /*
     * Domain component OID from RFC 1274, RFC 2247, RFC 3280
     */

    /**
     * OID for "DC=" domain component attributes, used with DNS names in DN
     */

    /** OID for "UID=" denoting a user id, defined in RFCs 1274 & 2798. */

    /**
     * Return constraint type:<ul>
     *   <li>NAME_DIFF_TYPE = -1: input name is different type from this name
     *       (i.e. does not constrain)
     *   <li>NAME_MATCH = 0: input name matches this name
     *   <li>NAME_NARROWS = 1: input name narrows this name
     *   <li>NAME_WIDENS = 2: input name widens this name
     *   <li>NAME_SAME_TYPE = 3: input name does not match or narrow this name,
     * </ul>.  These results are used in checking NameConstraints during
     * certification path verification.
     *
     * @param inputName to be checked for being constrained
     * @return constraint type above
     * @throws UnsupportedOperationException if name is not exact match, but
     *         narrowing and widening are not supported for this name type.
     */
        } else { // type == NAME_DIRECTORY

    /**
     * Compares this name with another and determines if
     * it is within the subtree of the other.  Useful for
     * checking against the name constraints extension.
     *
     * @return true iff this name is within the subtree of other.
     */

    /**
     * Return subtree depth of this name for purposes of determining
     * NameConstraints minimum and maximum bounds and for calculating
     * path lengths in name subtrees.
     *
     * @return distance of name from root
     * @throws UnsupportedOperationException if not supported for this name type
     */

    /**
     * Return lowest common ancestor of this name and other name
     *
     * @param other another X500Name
     * @return X500Name of lowest common ancestor; null if none
     */
        // Compare names from highest RDN down the naming tree
        // Note that these are stored in RDN[0]...
        // Copy matching RDNs into new RDN array
        for (int j = 0; j < i; j++) {
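The three rules this file documents, namely the RFC 1779/2253 delimiter handling in parseDN() (a comma counts as a separator only when it is neither backslash-escaped nor inside double quotes), the PrintableString comparison rules from the class comment (trim, collapse internal white space, case-insensitive) and the constrains() result codes used for NameConstraints checking, are worked through below in Python. This is an added example, not code from X500Name.java or the JDK; it assumes every value is PrintableString-like and that each RDN holds a single AVA (no '+'), and the sample names are constructed.

```python
import re

NAME_MATCH, NAME_NARROWS, NAME_WIDENS, NAME_SAME_TYPE = 0, 1, 2, 3


def _escaped(s, i):
    """True if s[i] is preceded by an odd number of backslashes."""
    n = 0
    while i - n - 1 >= 0 and s[i - n - 1] == "\\":
        n += 1
    return n % 2 == 1


def split_rdns(dn):
    """Split on ',' or ';' unless the delimiter is escaped or quoted."""
    rdns, start, in_quotes = [], 0, False
    for i, ch in enumerate(dn):
        if ch == '"' and not _escaped(dn, i):
            in_quotes = not in_quotes        # unescaped quote toggles state
        elif ch in ",;" and not in_quotes and not _escaped(dn, i):
            rdns.append(dn[start:i])          # delimiter ends the current RDN
            start = i + 1
    rdns.append(dn[start:])                   # last or only RDN
    return rdns


def parse_ava(rdn):
    """'TYPE=value' -> (TYPE, value) with quotes and backslash escapes removed."""
    typ, _, val = rdn.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]                       # O="Sue, Grabbit and Runn"
    else:
        val = re.sub(r"\\(.)", r"\1", val)    # O=Sue\, Grabbit and Runn
    return typ.strip().upper(), val


def canonical(dn):
    """RDNs in big-endian (root-first) order, i.e. reversed from the string
    form; values trimmed, white-space runs collapsed, case-folded."""
    if not dn.strip():
        return []                             # empty RDNSequence
    avas = [parse_ava(r) for r in split_rdns(dn)]
    return [(t, " ".join(v.split()).lower()) for t, v in reversed(avas)]


def same_name(dn1, dn2):
    return canonical(dn1) == canonical(dn2)


def constrains(this_dn, input_dn):
    """Constraint type of input_dn relative to this_dn, as in constrains()."""
    a, b = canonical(this_dn), canonical(input_dn)
    if a == b:
        return NAME_MATCH
    if b[: len(a)] == a:
        return NAME_NARROWS                   # input lies beneath this name
    if a[: len(b)] == b:
        return NAME_WIDENS                    # input is an ancestor of this name
    return NAME_SAME_TYPE


# constructed sample names; both quote the comma inside the O= value
SUBTREE = "O=Sue\\, Grabbit and Runn, C=US"
LEAF = 'CN=Marianne Swanson, O="Sue, Grabbit and Runn", C=US'
```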
    /**
     * Constructor object for use by asX500Principal().
     */

    /**
     * Field object for use by asX500Name().
     */

    /**
     * Retrieve the Constructor and Field we need for reflective access
     * and make them accessible.
     */

    /**
     * Get an X500Principal backed by this X500Name.
     *
     * Note that we are using privileged reflection to access the hidden
     * package private constructor in X500Principal.
     */

    /**
     * Get the X500Name contained in the given X500Principal.
     *
     * Note that the X500Name is retrieved using reflection.
     */