1. /*

  2.  * @(#)CertStore.java	1.9 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.security.cert;

  9. 

  10. import java.security.AccessController;

  11. import java.security.InvalidAlgorithmParameterException;

  12. import java.security.NoSuchAlgorithmException;

  13. import java.security.NoSuchProviderException;

  14. import java.security.PrivilegedAction;

  15. import java.security.Provider;

  16. import java.security.Security;

  17. import java.util.Collection;

  18. import java.lang.reflect.Method;

  19. import java.lang.reflect.InvocationTargetException;

  20. 

  21. /**

  22.  * A class for retrieving <code>Certificate</code>s and <code>CRL</code>s

  23.  * from a repository.

  24.  * <p>

  25.  * This class uses a provider-based architecture, as described in the

  26.  * Java Cryptography Architecture.

  27.  * To create a <code>CertStore</code>, call one of the static

  28.  * <code>getInstance</code> methods, passing in the type of

  29.  * <code>CertStore</code> desired, any applicable initialization parameters 

  30.  * and optionally the name of the provider desired. 

  31.  * <p>

  32.  * Once the <code>CertStore</code> has been created, it can be used to 

  33.  * retrieve <code>Certificate</code>s and <code>CRL</code>s by calling its

  34.  * {@link #getCertificates(CertSelector selector) getCertificates} and

  35.  * {@link #getCRLs(CRLSelector selector) getCRLs} methods.

  36.  * <p>

  37.  * Unlike a {@link java.security.KeyStore KeyStore}, which provides access

  38.  * to a cache of private keys and trusted certificates, a 

  39.  * <code>CertStore</code> is designed to provide access to a potentially

  40.  * vast repository of untrusted certificates and CRLs. For example, an LDAP 

  41.  * implementation of <code>CertStore</code> provides access to certificates

  42.  * and CRLs stored in one or more directories using the LDAP protocol and the

  43.  * schema as defined in the RFC service attribute. See Appendix A in the

  44.  * <a href= "../../../../guide/security/certpath/CertPathProgGuide.html#AppA"> 

  45.  * Java Certification Path API Programmer's Guide</a> for more information about

  46.  * standard <code>CertStore</code> types.

  47.  * <p>

  48.  * <b>Concurrent Access</b>

  49.  * <p>

  50.  * All public methods of <code>CertStore</code> objects must be thread-safe. 

  51.  * That is, multiple threads may concurrently invoke these methods on a

  52.  * single <code>CertStore</code> object (or more than one) with no

  53.  * ill effects. This allows a <code>CertPathBuilder</code> to search for a

  54.  * CRL while simultaneously searching for further certificates, for instance.

  55.  * <p>

  56.  * The static methods of this class are also guaranteed to be thread-safe.

  57.  * Multiple threads may concurrently invoke the static methods defined in

  58.  * this class with no ill effects.

  59.  *

  60.  * @version 	1.9 01/23/03

  61.  * @since	1.4

  62.  * @author	Sean Mullan, Steve Hanna

  63.  */

  64. public class CertStore {

  65.     /*

  66.      * Constant to lookup in the Security properties file to determine

  67.      * the default certstore type. In the Security properties file, the 

  68.      * default certstore type is given as:

  69.      * <pre>

  70.      * certstore.type=LDAP

  71.      * </pre>

  72.      */

  73.     private static final String CERTSTORE_TYPE = "certstore.type";

  74.     private CertStoreSpi storeSpi;

  75.     private Provider provider;

  76.     private String type;

  77.     private CertStoreParameters params;

  78. 

  79.     // for use with the reflection API

  80.     private static final Class cl = java.security.Security.class;

  81.     private static final Class[] GET_IMPL_PARAMS = { String.class,

  82. 						     String.class,

  83. 						     String.class,

  84. 						     Object.class };

  85.     private static final Class[] GET_IMPL_PARAMS2 = { String.class,

  86. 						      String.class,

  87. 						      Provider.class,

  88. 						      Object.class };

  89.     // Get the implMethod via the name of a provider. Note: the name could

  90.     // be null. 

  91.     private static Method implMethod;

  92.     // Get the implMethod2 via a Provider object. 

  93.     private static Method implMethod2;

  94.     private static Boolean implMethod2Set = new Boolean(false);

  95. 

  96.     static {

  97. 	implMethod = (Method)

  98. 	    AccessController.doPrivileged(new PrivilegedAction() {

  99. 	    public Object run() {

  100. 		Method m = null;

  101. 		try {

  102. 		    m = cl.getDeclaredMethod("getImpl", GET_IMPL_PARAMS);

  103. 		    if (m != null)

  104. 			m.setAccessible(true);

  105. 		} catch (NoSuchMethodException nsme) {

  106. 		}

  107. 		return m;

  108. 	    }

  109. 	});

  110.     }

  111. 

  112.     /**

  113.      * Creates a <code>CertStore</code> object of the given type, and

  114.      * encapsulates the given provider implementation (SPI object) in it.

  115.      *

  116.      * @param storeSpi the provider implementation

  117.      * @param provider the provider

  118.      * @param type the type

  119.      * @param params the initialization parameters (may be <code>null</code>)

  120.      */

  121.     protected CertStore(CertStoreSpi storeSpi, Provider provider, 

  122. 			String type, CertStoreParameters params) {

  123.         this.storeSpi = storeSpi;

  124.         this.provider = provider;

  125.         this.type = type;

  126. 	if (params != null)

  127. 	    this.params = (CertStoreParameters) params.clone();

  128.     }

  129. 

  130.     /**

  131.      * Returns a <code>Collection</code> of <code>Certificate</code>s that

  132.      * match the specified selector. If no <code>Certificate</code>s

  133.      * match the selector, an empty <code>Collection</code> will be returned.

  134.      * <p>

  135.      * For some <code>CertStore</code> types, the resulting

  136.      * <code>Collection</code> may not contain <b>all</b> of the

  137.      * <code>Certificate</code>s that match the selector. For instance,

  138.      * an LDAP <code>CertStore</code> may not search all entries in the

  139.      * directory. Instead, it may just search entries that are likely to

  140.      * contain the <code>Certificate</code>s it is looking for. 

  141.      * <p>

  142.      * Some <code>CertStore</code> implementations (especially LDAP 

  143.      * <code>CertStore</code>s) may throw a <code>CertStoreException</code> 

  144.      * unless a non-null <code>CertSelector</code> is provided that 

  145.      * includes specific criteria that can be used to find the certificates.

  146.      * Issuer and/or subject names are especially useful criteria.

  147.      *

  148.      * @param selector A <code>CertSelector</code> used to select which

  149.      *  <code>Certificate</code>s should be returned. Specify <code>null</code>

  150.      *  to return all <code>Certificate</code>s (if supported).

  151.      * @return A <code>Collection</code> of <code>Certificate</code>s that

  152.      *         match the specified selector (never <code>null</code>)

  153.      * @throws CertStoreException if an exception occurs 

  154.      */

  155.     public final Collection getCertificates(CertSelector selector)

  156.         throws CertStoreException 

  157.     {

  158.         return(storeSpi.engineGetCertificates(selector));

  159.     }

  160.    

  161.     /**

  162.      * Returns a <code>Collection</code> of <code>CRL</code>s that

  163.      * match the specified selector. If no <code>CRL</code>s

  164.      * match the selector, an empty <code>Collection</code> will be returned.

  165.      * <p>

  166.      * For some <code>CertStore</code> types, the resulting

  167.      * <code>Collection</code> may not contain <b>all</b> of the

  168.      * <code>CRL</code>s that match the selector. For instance,

  169.      * an LDAP <code>CertStore</code> may not search all entries in the

  170.      * directory. Instead, it may just search entries that are likely to

  171.      * contain the <code>CRL</code>s it is looking for. 

  172.      * <p>

  173.      * Some <code>CertStore</code> implementations (especially LDAP 

  174.      * <code>CertStore</code>s) may throw a <code>CertStoreException</code> 

  175.      * unless a non-null <code>CRLSelector</code> is provided that 

  176.      * includes specific criteria that can be used to find the CRLs.

  177.      * Issuer names and/or the certificate to be checked are especially useful.

  178.      *

  179.      * @param selector A <code>CRLSelector</code> used to select which

  180.      *  <code>CRL</code>s should be returned. Specify <code>null</code>

  181.      *  to return all <code>CRL</code>s (if supported).

  182.      * @return A <code>Collection</code> of <code>CRL</code>s that

  183.      *         match the specified selector (never <code>null</code>)

  184.      * @throws CertStoreException if an exception occurs 

  185.      */

  186.     public final Collection getCRLs(CRLSelector selector)

  187.         throws CertStoreException 

  188.     {

  189.         return(storeSpi.engineGetCRLs(selector));

  190.     }

  191.    

  192.     /**

  193.      * Returns a <code>CertStore</code> object that implements the specified

  194.      * <code>CertStore</code> type and is initialized with the specified

  195.      * parameters.

  196.      *

  197.      * <p>If the default provider package provides an implementation

  198.      * of the specified <code>CertStore</code> type, an instance of

  199.      * <code>CertStore</code> containing that implementation is returned.

  200.      * If the requested type is not available in the default package, other

  201.      * packages are searched.

  202.      *

  203.      * <p>The <code>CertStore</code> that is returned is initialized with the 

  204.      * specified <code>CertStoreParameters</code>. The type of parameters 

  205.      * needed may vary between different types of <code>CertStore</code>s.

  206.      * Note that the specified <code>CertStoreParameters</code> object is 

  207.      * cloned.

  208.      * 

  209.      * @param type the name of the requested <code>CertStore</code> type

  210.      * @param params the initialization parameters (may be <code>null</code>)

  211.      * @return a <code>CertStore</code> object that implements the specified

  212.      *  <code>CertStore</code> type

  213.      * @throws NoSuchAlgorithmException if the requested type is not

  214.      *  available in the default provider package or any of the other provider

  215.      *  packages that were searched

  216.      * @throws InvalidAlgorithmParameterException if the specified

  217.      * initialization parameters are inappropriate for this 

  218.      * <code>CertStore</code>

  219.      */

  220.     public static CertStore getInstance(String type, CertStoreParameters params)

  221.         throws InvalidAlgorithmParameterException, NoSuchAlgorithmException 

  222.     {

  223. 	try {

  224. 	    if (implMethod == null) {

  225. 		throw new NoSuchAlgorithmException(type + " not found");

  226. 	    }

  227. 

  228. 	    // The underlying method is static, so we set the object

  229. 	    // argument to null.

  230. 	    Object[] objs = (Object[])implMethod.invoke(null,

  231. 					       new Object[]

  232. 					       { type,

  233. 						 "CertStore",

  234. 						 (String)null,

  235. 						 params

  236. 					       } );

  237. 	    return new CertStore((CertStoreSpi)objs[0],

  238. 				 (Provider)objs[1], type, params);

  239. 	} catch (IllegalAccessException iae) {

  240. 	    NoSuchAlgorithmException nsae = new

  241. 	                   NoSuchAlgorithmException(type + " not found");

  242. 	    nsae.initCause(iae);

  243. 	    throw nsae;

  244. 	} catch (InvocationTargetException ite) {

  245.             Throwable t = ite.getCause();

  246.             if (t != null) {

  247. 	        if (t instanceof InvalidAlgorithmParameterException)

  248. 	            throw (InvalidAlgorithmParameterException)t;

  249. 	        if (t instanceof NoSuchAlgorithmException)

  250. 	            throw (NoSuchAlgorithmException)t;

  251.             }

  252. 	    NoSuchAlgorithmException nsae = new

  253. 	        NoSuchAlgorithmException(type + " not found");

  254. 	    nsae.initCause(ite);

  255. 	    throw nsae;

  256. 	}

  257.     }

  258. 

  259.     /**

  260.      * Returns a <code>CertStore</code> object that implements the specified

  261.      * <code>CertStore</code> type, as supplied by the specified provider

  262.      * and initialized with the specified parameters.

  263.      *

  264.      * <p>The <code>CertStore</code> that is returned is initialized with the 

  265.      * specified <code>CertStoreParameters</code>. The type of parameters 

  266.      * needed may vary between different types of <code>CertStore</code>s.

  267.      * Note that the specified <code>CertStoreParameters</code> object is 

  268.      * cloned.

  269.      *

  270.      * @param type the requested <code>CertStore</code> type

  271.      * @param params the initialization parameters (may be <code>null</code>)

  272.      * @param provider the name of the provider

  273.      * @return a <code>CertStore</code> object that implements the

  274.      * specified type, as supplied by the specified provider

  275.      * @throws NoSuchAlgorithmException if the requested type is not

  276.      *  available from the specified provider

  277.      * @throws InvalidAlgorithmParameterException if the specified

  278.      * initialization parameters are inappropriate for this 

  279.      * <code>CertStore</code>

  280.      * @throws NoSuchProviderException if the provider has not been configured

  281.      * @exception IllegalArgumentException if the <code>provider</code> is

  282.      * null

  283.      */

  284.     public static CertStore getInstance(String type, 

  285. 	CertStoreParameters params, String provider)

  286.         throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, 

  287. 	       NoSuchProviderException 

  288.     {

  289. 	if (provider == null || provider.length() == 0)

  290. 	    throw new IllegalArgumentException("missing provider");

  291. 	try {

  292. 	    if (implMethod == null) {

  293. 		throw new NoSuchAlgorithmException(type + " not found");

  294. 	    }

  295. 

  296. 	    // The underlying method is static, so we set the object

  297. 	    // argument to null.

  298. 	    Object[] objs = (Object[])implMethod.invoke(null,

  299. 					       new Object[]

  300. 					       { type,

  301. 						 "CertStore",

  302. 						 provider,

  303. 						 params

  304. 					       } );

  305. 	    return new CertStore((CertStoreSpi)objs[0],

  306. 				 (Provider)objs[1], type, params);

  307. 	} catch (IllegalAccessException iae) {

  308. 	    NoSuchAlgorithmException nsae = new

  309. 	                   NoSuchAlgorithmException(type + " not found");

  310. 	    nsae.initCause(iae);

  311. 	    throw nsae;

  312. 	} catch (InvocationTargetException ite) {

  313.             Throwable t = ite.getCause();

  314.             if (t != null) {

  315.                 if (t instanceof NoSuchProviderException)

  316. 	            throw (NoSuchProviderException)t;

  317. 	        if (t instanceof InvalidAlgorithmParameterException)

  318. 	            throw (InvalidAlgorithmParameterException)t;

  319. 	        if (t instanceof NoSuchAlgorithmException)

  320. 	            throw (NoSuchAlgorithmException)t;

  321.             }

  322. 	    NoSuchAlgorithmException nsae = new

  323. 	        NoSuchAlgorithmException(type + " not found");

  324. 	    nsae.initCause(ite);

  325. 	    throw nsae;

  326.         }

  327.     }

  328. 

  329.     /**

  330.      * Returns a <code>CertStore</code> object that implements the specified

  331.      * <code>CertStore</code> type, as supplied by the specified provider and

  332.      * initialized with the specified parameters.

  333.      * Note: the <code>provider</code> doesn't have to be registered.

  334.      *

  335.      * <p>The <code>CertStore</code> that is returned is initialized with the 

  336.      * specified <code>CertStoreParameters</code>. The type of parameters 

  337.      * needed may vary between different types of <code>CertStore</code>s.

  338.      * Note that the specified <code>CertStoreParameters</code> object is 

  339.      * cloned.

  340.      *

  341.      * @param type the requested <code>CertStore</code> type

  342.      * @param params the initialization parameters (may be <code>null</code>)

  343.      * @param provider the provider

  344.      * @return a <code>CertStore</code> object that implements the

  345.      * specified type, as supplied by the specified provider

  346.      * @exception NoSuchAlgorithmException if the requested type is not

  347.      *  available from the specified provider

  348.      * @throws InvalidAlgorithmParameterException if the specified

  349.      * initialization parameters are inappropriate for this 

  350.      * <code>CertStore</code>

  351.      * @exception IllegalArgumentException if the <code>provider</code> is

  352.      * null 

  353.      */

  354.     public static CertStore getInstance(String type, CertStoreParameters params,

  355. 	Provider provider) 

  356.         throws NoSuchAlgorithmException, InvalidAlgorithmParameterException

  357.     {

  358. 	if (provider == null)

  359. 	    throw new IllegalArgumentException("missing provider");

  360. 

  361. 	if (implMethod2Set.booleanValue() == false) {

  362. 	    synchronized (implMethod2Set) {

  363. 		if (implMethod2Set.booleanValue() == false) {

  364. 		    implMethod2 = (Method)

  365. 			AccessController.doPrivileged(

  366. 					   new PrivilegedAction() {

  367. 			    public Object run() {

  368. 				Method m = null;

  369. 				try {

  370. 				    m = cl.getDeclaredMethod("getImpl",

  371. 							     GET_IMPL_PARAMS2);

  372. 				    if (m != null)

  373. 					m.setAccessible(true);

  374. 				} catch (NoSuchMethodException nsme) {

  375. 				}

  376. 				return m;

  377. 			    }

  378. 			});

  379. 		    implMethod2Set = new Boolean(true);

  380. 		}		

  381. 	    }

  382. 	}

  383. 

  384. 	if (implMethod2 == null) {

  385. 	    throw new NoSuchAlgorithmException(type + " not found");

  386. 	}

  387. 

  388. 	try {

  389. 	    // The underlying method is static, so we set the object

  390. 	    // argument to null.

  391. 	    Object[] objs = (Object[])implMethod2.invoke(null,

  392. 					       new Object[]

  393. 					       { type,

  394. 						 "CertStore",

  395. 						 provider,

  396. 						 params

  397. 					       } );

  398. 	    return new CertStore((CertStoreSpi)objs[0],

  399. 				 (Provider)objs[1], type, params);

  400. 	} catch (IllegalAccessException iae) {

  401. 	    NoSuchAlgorithmException nsae = new

  402. 	                   NoSuchAlgorithmException(type + " not found");

  403. 	    nsae.initCause(iae);

  404. 	    throw nsae;

  405. 	} catch (InvocationTargetException ite) {

  406.             Throwable t = ite.getCause();

  407.             if (t != null) {

  408. 	        if (t instanceof InvalidAlgorithmParameterException)

  409. 	            throw (InvalidAlgorithmParameterException)t;

  410. 	        if (t instanceof NoSuchAlgorithmException)

  411. 	            throw (NoSuchAlgorithmException)t;

  412.             }

  413. 	    NoSuchAlgorithmException nsae = new

  414. 	        NoSuchAlgorithmException(type + " not found");

  415. 	    nsae.initCause(ite);

  416. 	    throw nsae;

  417. 	}

  418.     }

  419. 

  420.     /**

  421.      * Returns the parameters used to initialize this <code>CertStore</code>.

  422.      * Note that the <code>CertStoreParameters</code> object is cloned before 

  423.      * it is returned.

  424.      *

  425.      * @return the parameters used to initialize this <code>CertStore</code>

  426.      * (may be <code>null</code>)

  427.      */

  428.     public final CertStoreParameters getCertStoreParameters() {

  429.         return (params == null ? null : (CertStoreParameters) params.clone());

  430.     }

  431. 

  432.     /**

  433.      * Returns the type of this <code>CertStore</code>.

  434.      *

  435.      * @return the type of this <code>CertStore</code>

  436.      */

  437.     public final String getType() {

  438.         return this.type;

  439.     }

  440. 

  441.     /**

  442.      * Returns the provider of this <code>CertStore</code>.

  443.      *

  444.      * @return the provider of this <code>CertStore</code>

  445.      */

  446.     public final Provider getProvider() {

  447.         return this.provider;

  448.     }

  449. 

  450.     /**

  451.      * Returns the default <code>CertStore</code> type as specified in the 

  452.      * Java security properties file, or the string "LDAP" if no 

  453.      * such property exists. The Java security properties file is located in 

  454.      * the file named <JAVA_HOME>/lib/security/java.security, where 

  455.      * <JAVA_HOME> refers to the directory where the SDK was installed.

  456.      *

  457.      * <p>The default <code>CertStore</code> type can be used by applications 

  458.      * that do not want to use a hard-coded type when calling one of the

  459.      * <code>getInstance</code> methods, and want to provide a default 

  460.      * <code>CertStore</code> type in case a user does not specify its own.

  461.      *

  462.      * <p>The default <code>CertStore</code> type can be changed by setting 

  463.      * the value of the "certstore.type" security property (in the Java 

  464.      * security properties file) to the desired type.

  465.      *

  466.      * @return the default <code>CertStore</code> type as specified in the

  467.      * Java security properties file, or the string "LDAP"

  468.      * if no such property exists.

  469.      */

  470.     public final static String getDefaultType() {

  471.         String cstype;

  472.         cstype = (String)AccessController.doPrivileged(new PrivilegedAction() {

  473.             public Object run() {

  474.                 return Security.getProperty(CERTSTORE_TYPE);

  475.             }

  476.         });

  477.         if (cstype == null) {

  478.             cstype = "LDAP";

  479.         }

  480.         return cstype;

  481.     }

  482. }