The X509CRLSelector.java Java example source code/* * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.security.cert; import java.io.IOException; import java.math.BigInteger; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.util.Debug; import sun.security.util.DerInputStream; import sun.security.x509.CRLNumberExtension; import sun.security.x509.X500Name; /** * A {@code CRLSelector} that selects {@code X509CRLs} that * match all specified criteria. This class is particularly useful when * selecting CRLs from a {@code CertStore} to check revocation status * of a particular certificate. * <p> * When first constructed, an {@code X509CRLSelector} has no criteria * enabled and each of the {@code get} methods return a default * value ({@code null}). 
 * Therefore, the {@link #match match} method
 * would return {@code true} for any {@code X509CRL}. Typically,
 * several criteria are enabled (by calling {@link #setIssuers setIssuers}
 * or {@link #setDateAndTime setDateAndTime}, for instance) and then the
 * {@code X509CRLSelector} is passed to
 * {@link CertStore#getCRLs CertStore.getCRLs} or some similar
 * method.
 * <p>
 * Please refer to <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280:
 * Internet X.509 Public Key Infrastructure Certificate and CRL Profile</a>
 * for definitions of the X.509 CRL fields and extensions mentioned below.
 * <p>
 * <b>Concurrent Access</b>
 * <p>
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see CRLSelector
 * @see X509CRL
 *
 * @since 1.4
 * @author Steve Hanna
 */
public class X509CRLSelector implements CRLSelector {

    static {
        // Runs once when the class is loaded, before any selector exists.
        CertPathHelperImpl.initialize();
    }

    // Debug output channel for the certpath subsystem.
    private static final Debug debug = Debug.getInstance("certpath");

    // The issuerNames criterion is held in two parallel sets: the raw form
    // handed in by the caller (a String or a DER-encoded byte[]) and the same
    // names as X500Principals. The setters below always assign, add to and
    // clear both together so the two views never disagree.
    private HashSet<Object> issuerNames;
    private HashSet<X500Principal> issuerX500Principals;

    // Remaining criteria; their setters and use in match() are not part of
    // this excerpt.
    private BigInteger minCRL;
    private BigInteger maxCRL;
    private Date dateAndTime;
    private X509Certificate certChecking;
    // NOTE(review): presumably a clock-skew allowance for the date check;
    // where it is set and in what units is not shown here — confirm.
    private long skew = 0;

    /**
     * Creates an {@code X509CRLSelector}. Initially, no criteria are set
     * so any {@code X509CRL} will match.
     */
    public X509CRLSelector() {}

    /**
     * Sets the issuerNames criterion. The issuer distinguished name in the
     * {@code X509CRL} must match at least one of the specified
     * distinguished names. If {@code null}, any issuer distinguished name
     * will do.
     * <p>
     * This method allows the caller to specify, with a single method call,
     * the complete set of issuer names which {@code X509CRLs} may contain.
     * The specified value replaces the previous value for the issuerNames
     * criterion.
     * <p>
     * The {@code issuers} parameter (if not {@code null}) is a
     * {@code Collection} of {@code X500Principal}s. Passing {@code null}
     * or an empty collection clears the criterion entirely.
     * <p>
     * Note that the {@code issuers} parameter can contain duplicate
     * distinguished names, but they may be removed from the
     * {@code Collection} of names returned by the
     * {@link #getIssuers getIssuers} method.
     * <p>
     * Note that a copy is performed on the {@code Collection} to
     * protect against subsequent modifications; the caller cannot change
     * the criterion afterwards by mutating the collection it passed in.
     *
     * @param issuers a {@code Collection} of X500Principals
     *                (or {@code null})
     * @see #getIssuers
     * @since 1.5
     */
    public void setIssuers(Collection<X500Principal> issuers) {
        if (issuers == null || issuers.isEmpty()) {
            // Clearing the criterion: both parallel sets go away together.
            issuerNames = null;
            issuerX500Principals = null;
            return;
        }
        // Snapshot the caller's collection (also drops duplicates).
        HashSet<X500Principal> principals = new HashSet<X500Principal>(issuers);
        // Derive the DER form of every distinct principal for the raw-name set.
        HashSet<Object> encodedNames = new HashSet<Object>();
        Iterator<X500Principal> it = principals.iterator();
        while (it.hasNext()) {
            encodedNames.add(it.next().getEncoded());
        }
        issuerX500Principals = principals;
        issuerNames = encodedNames;
    }

    /**
     * <strong>Note: use {@linkplain #setIssuers(Collection)} instead
     * or only specify the byte array form of distinguished names when using
     * this method. See {@link #addIssuerName(String)} for more information.</strong>
     * <p>
     * Sets the issuerNames criterion. The issuer distinguished name in the
     * {@code X509CRL} must match at least one of the specified
     * distinguished names. If {@code null}, any issuer distinguished name
     * will do.
     * <p>
     * This method allows the caller to specify, with a single method call,
     * the complete set of issuer names which {@code X509CRLs} may contain.
     * The specified value replaces the previous value for the issuerNames
     * criterion.
     * <p>
     * The {@code names} parameter (if not {@code null}) is a
     * {@code Collection} of names. Each name is a {@code String}
     * or a byte array representing a distinguished name (in
     * <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
     * ASN.1 DER encoded form, respectively). If {@code null} is supplied
     * as the value for this argument, no issuerNames check will be performed.
     * <p>
     * Note that the {@code names} parameter can contain duplicate
     * distinguished names, but they may be removed from the
     * {@code Collection} of names returned by the
     * {@link #getIssuerNames getIssuerNames} method.
     * <p>
     * If a name is specified as a byte array, it should contain a single DER
     * encoded distinguished name, as defined in X.501. The ASN.1 notation for
     * this structure is as follows.
     * <pre>{@code
     * Name ::= CHOICE {
     *   RDNSequence }
     *
     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
     *
     * RelativeDistinguishedName ::=
     *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
     *
     * AttributeTypeAndValue ::= SEQUENCE {
     *   type     AttributeType,
     *   value    AttributeValue }
     *
     * AttributeType ::= OBJECT IDENTIFIER
     *
     * AttributeValue ::= ANY DEFINED BY AttributeType
     * ....
     * DirectoryString ::= CHOICE {
     *       teletexString           TeletexString (SIZE (1..MAX)),
     *       printableString         PrintableString (SIZE (1..MAX)),
     *       universalString         UniversalString (SIZE (1..MAX)),
     *       utf8String              UTF8String (SIZE (1.. MAX)),
     *       bmpString               BMPString (SIZE (1..MAX)) }
     * }</pre>
     * <p>
     * Note that a deep copy is performed on the {@code Collection} to
     * protect against subsequent modifications.
     * <p>
     * Every name is copied and parsed before either field is touched, so if
     * an {@code IOException} is thrown the previously configured issuerNames
     * criterion is left exactly as it was; a failed call never silently
     * widens the selector to match CRLs from any issuer.
     *
     * @param names a {@code Collection} of names (or {@code null})
     * @throws IOException if a parsing error occurs
     * @see #getIssuerNames
     */
    public void setIssuerNames(Collection<?> names) throws IOException {
        if (names == null || names.isEmpty()) {
            issuerNames = null;
            issuerX500Principals = null;
            return;
        }
        // Deep-copy and validate the caller's names; may throw IOException.
        HashSet<Object> checkedCopy = cloneAndCheckIssuerNames(names);
        // Parse into principals before assigning anything, so that the two
        // parallel sets are either both replaced or both left untouched.
        HashSet<X500Principal> parsed = parseIssuerNames(checkedCopy);
        issuerX500Principals = parsed;
        issuerNames = checkedCopy;
    }

    /**
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the {@code X509CRL} must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which {@code X509CRLs} may contain.
     * The specified name is added to
     * any previous value for the issuerNames criterion.
     * If the specified name is a duplicate, it may be ignored.
     * <p>
     * The DER encoding stored for matching is taken directly from the
     * principal, so no conversion through the RFC 2253 String form occurs.
     *
     * @param issuer the issuer as X500Principal
     * @throws NullPointerException if {@code issuer} is {@code null}
     * @since 1.5
     */
    public void addIssuer(X500Principal issuer) {
        byte[] encoded = issuer.getEncoded();
        addIssuerNameInternal(encoded, issuer);
    }

    /**
     * <strong>Denigrated, use
     * {@linkplain #addIssuer(X500Principal)} or
     * {@linkplain #addIssuerName(byte[])} instead. This method should not be
     * relied on as it can fail to match some CRLs because of a loss of
     * encoding information in the RFC 2253 String form of some distinguished
     * names.</strong>
     * <p>
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the {@code X509CRL} must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which {@code X509CRLs} may contain. The specified name is added to
     * any previous value for the issuerNames criterion.
     * If the specified name is a duplicate, it may be ignored.
     * <p>
     * The String is parsed before anything is stored, so a malformed name
     * leaves the criterion unchanged.
     *
     * @param name the name in RFC 2253 form
     * @throws IOException if a parsing error occurs
     */
    public void addIssuerName(String name) throws IOException {
        X500Principal principal = new X500Name(name).asX500Principal();
        addIssuerNameInternal(name, principal);
    }

    /**
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the {@code X509CRL} must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which {@code X509CRLs} may contain. The specified name is added to
     * any previous value for the issuerNames criterion. If the specified name
     * is a duplicate, it may be ignored.
     * If a name is specified as a byte array, it should contain a single DER
     * encoded distinguished name, as defined in X.501. The ASN.1 notation for
     * this structure is as follows.
     * <p>
     * The name is provided as a byte array. This byte array should contain
     * a single DER encoded distinguished name, as defined in X.501.
     * The ASN.1
     * notation for this structure appears in the documentation for
     * {@link #setIssuerNames setIssuerNames(Collection names)}.
     * <p>
     * Note that the byte array supplied here is cloned to protect against
     * subsequent modifications.
     *
     * @param name a byte array containing the name in ASN.1 DER encoded form
     * @throws IOException if a parsing error occurs
     */
    public void addIssuerName(byte[] name) throws IOException {
        // Defensive copy: the caller still holds its array and could otherwise
        // rewrite the stored criterion after the fact.
        byte[] copy = name.clone();
        // Parsing happens before anything is stored; a parse failure throws
        // and leaves both sets untouched.
        X500Principal principal = new X500Name(name).asX500Principal();
        addIssuerNameInternal(copy, principal);
    }

    /**
     * A private method that adds a name (String or byte array) to the
     * issuerNames criterion. The issuer distinguished
     * name in the {@code X509CRL} must match at least one of the specified
     * distinguished names.
     * <p>
     * The two parallel sets are created lazily on first use and always
     * receive one entry each, so they stay in step. This method does no
     * parsing and therefore throws no {@code IOException}; callers parse
     * {@code name} into {@code principal} before invoking it.
     *
     * @param name the name in string or byte array form
     * @param principal the name in X500Principal form
     */
    private void addIssuerNameInternal(Object name, X500Principal principal) {
        if (issuerX500Principals == null) {
            issuerX500Principals = new HashSet<X500Principal>();
        }
        if (issuerNames == null) {
            issuerNames = new HashSet<Object>();
        }
        issuerX500Principals.add(principal);
        issuerNames.add(name);
    }

    /**
     * Clone and check an argument of the form passed to
     * setIssuerNames. Throw an IOException if the argument is malformed.
     *
     * @param names a {@code Collection} of names. Each entry is a
     *              String or a byte array (the name, in string or ASN.1
     *              DER encoded form, respectively). {@code null} is
     *              not an acceptable value.
     * @return a deep copy of the specified {@code Collection}
     * @throws IOException if a parsing error occurs
     */
    private static HashSet<Object> cloneAndCheckIssuerNames(Collection names) throws IOException {
        HashSet<Object> namesCopy = new HashSet