1. /*

  2.  * @(#)CertificateFactory.java	1.24 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.security.cert;

  9. 

  10. import java.io.InputStream;

  11. import java.util.Collection;

  12. import java.util.Iterator;

  13. import java.util.List;

  14. import java.security.Provider;

  15. import java.security.AccessController;

  16. import java.security.PrivilegedAction;

  17. import java.security.NoSuchAlgorithmException;

  18. import java.security.NoSuchProviderException;

  19. import java.lang.reflect.Method;

  20. import java.lang.reflect.InvocationTargetException;

  21. 

  22. /**

  23.  * This class defines the functionality of a certificate factory, which is

  24.  * used to generate certificate, certification path (<code>CertPath</code>)

  25.  * and certificate revocation list (CRL) objects from their encodings.

  26.  *

  27.  * <p>For encodings consisting of multiple certificates, use

  28.  * <code>generateCertificates</code> when you want to

  29.  * parse a collection of possibly unrelated certificates. Otherwise,

  30.  * use <code>generateCertPath</code> when you want to generate

  31.  * a <code>CertPath</code> (a certificate chain) and subsequently

  32.  * validate it with a <code>CertPathValidator</code>.

  33.  *

  34.  * <p>A certificate factory for X.509 must return certificates that are an

  35.  * instance of <code>java.security.cert.X509Certificate</code>, and CRLs

  36.  * that are an instance of <code>java.security.cert.X509CRL</code>.

  37.  *

  38.  * <p>The following example reads a file with Base64 encoded certificates,

  39.  * which are each bounded at the beginning by -----BEGIN CERTIFICATE-----, and

  40.  * bounded at the end by -----END CERTIFICATE-----. We convert the

  41.  * <code>FileInputStream</code> (which does not support <code>mark</code>

  42.  * and <code>reset</code>) to a <code>BufferedInputStream</code> (which

  43.  * supports those methods), so that each call to

  44.  * <code>generateCertificate</code> consumes only one certificate, and the

  45.  * read position of the input stream is positioned to the next certificate in

  46.  * the file:<p>

  47.  *

  48.  * <pre>

  49.  * FileInputStream fis = new FileInputStream(filename);

  50.  * BufferedInputStream bis = new BufferedInputStream(fis);

  51.  *

  52.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  53.  *

  54.  * while (bis.available() > 0) {

  55.  *    Certificate cert = cf.generateCertificate(bis);

  56.  *    System.out.println(cert.toString());

  57.  * }

  58.  * </pre>

  59.  *

  60.  * <p>The following example parses a PKCS#7-formatted certificate reply stored

  61.  * in a file and extracts all the certificates from it:<p>

  62.  *

  63.  * <pre>

  64.  * FileInputStream fis = new FileInputStream(filename);

  65.  * CertificateFactory cf = CertificateFactory.getInstance("X.509");

  66.  * Collection c = cf.generateCertificates(fis);

  67.  * Iterator i = c.iterator();

  68.  * while (i.hasNext()) {

  69.  *    Certificate cert = (Certificate)i.next();

  70.  *    System.out.println(cert);

  71.  * }

  72.  * </pre>

  73.  *

  74.  * @author Hemma Prafullchandra

  75.  * @author Jan Luehe

  76.  * @author Sean Mullan

  77.  *

  78.  * @version 1.24, 01/23/03

  79.  *

  80.  * @see Certificate

  81.  * @see X509Certificate

  82.  * @see CertPath

  83.  * @see CRL

  84.  * @see X509CRL

  85.  *

  86.  * @since 1.2

  87.  */

  88. 

  89. public class CertificateFactory {

  90.     // for use with the reflection API

  91.     private static final Class cl = java.security.Security.class;

  92.     private static final Class[] GET_IMPL_PARAMS = { String.class,

  93. 						     String.class,

  94. 						     String.class };

  95.     private static final Class[] GET_IMPL_PARAMS2 = { String.class,

  96. 						      String.class,

  97. 						      Provider.class };

  98.     // Get the implMethod via the name of a provider. Note: the name could

  99.     // be null. 

  100.     private static Method implMethod;

  101.     // Get the implMethod2 via a Provider object. 

  102.     private static Method implMethod2;

  103.     private static Boolean implMethod2Set = new Boolean(false);

  104. 

  105.     static {

  106. 	implMethod = (Method)

  107. 	    AccessController.doPrivileged(new PrivilegedAction() {

  108. 	    public Object run() {

  109. 		Method m = null;

  110. 		try {

  111. 		    m = cl.getDeclaredMethod("getImpl", GET_IMPL_PARAMS);

  112. 		    if (m != null)

  113. 			m.setAccessible(true);

  114. 		} catch (NoSuchMethodException nsme) {

  115. 		}

  116. 		return m;

  117. 	    }

  118. 	});

  119.     }

  120. 

  121.     // The certificate type

  122.     private String type;

  123. 

  124.     // The provider

  125.     private Provider provider;

  126. 

  127.     // The provider implementation

  128.     private CertificateFactorySpi certFacSpi;

  129. 

  130.     /**

  131.      * Creates a CertificateFactory object of the given type, and encapsulates

  132.      * the given provider implementation (SPI object) in it.

  133.      *

  134.      * @param certFacSpi the provider implementation.

  135.      * @param provider the provider.

  136.      * @param type the certificate type.

  137.      */

  138.     protected CertificateFactory(CertificateFactorySpi certFacSpi,

  139. 				 Provider provider, String type)

  140.     {

  141. 	this.certFacSpi = certFacSpi;

  142. 	this.provider = provider;

  143. 	this.type = type;

  144.     }

  145. 

  146.     /**

  147.      * Generates a certificate factory object that implements the

  148.      * specified certificate type. If the default provider package

  149.      * provides an implementation of the requested certificate type,

  150.      * an instance of certificate factory containing that

  151.      * implementation is returned.

  152.      * If the type is not available in the default

  153.      * package, other packages are searched.

  154.      *

  155.      * @param type the name of the requested certificate type.

  156.      * See Appendix A in the <a href=

  157.      * "../../../../guide/security/CryptoSpec.html#AppA">

  158.      * Java Cryptography Architecture API Specification & Reference </a>

  159.      * for information about standard certificate types.

  160.      *

  161.      * @return a certificate factory object for the specified type.

  162.      *

  163.      * @exception CertificateException if the requested certificate type is

  164.      * not available in the default provider package or any of the other

  165.      * provider packages that were searched.

  166.      */

  167.     public static final CertificateFactory getInstance(String type)

  168. 	throws CertificateException

  169.     {

  170. 	try {

  171. 	    if (implMethod == null) {

  172. 		throw new CertificateException(type + " not found");

  173. 	    }

  174. 

  175. 	    // The underlying method is static, so we set the object

  176. 	    // argument to null.

  177. 	    Object[] objs = (Object[])implMethod.invoke(null,

  178. 					       new Object[]

  179. 					       { type,

  180. 						 "CertificateFactory",

  181. 						 null

  182. 					       } );

  183. 	    return new CertificateFactory((CertificateFactorySpi)objs[0],

  184. 					  (Provider)objs[1], type);

  185. 	} catch (IllegalAccessException iae) {

  186. 	    CertificateException ce = new

  187. 	               CertificateException(type + " not found");

  188. 	    ce.initCause(iae);

  189. 	    throw ce;

  190. 	} catch (InvocationTargetException ite) {

  191. 	    CertificateException ce = new

  192. 	               CertificateException(type + " not found");

  193. 	    ce.initCause(ite);

  194. 	    throw ce;

  195. 	}

  196.     }

  197. 

  198.     /**

  199.      * Generates a certificate factory object for the specified

  200.      * certificate type from the specified provider.

  201.      *

  202.      * @param type the certificate type

  203.      * @param provider the name of the provider.

  204.      *

  205.      * @return a certificate factory object for the specified type.

  206.      *

  207.      * @exception CertificateException if the certificate type is

  208.      * not available from the specified provider.

  209.      *

  210.      * @exception NoSuchProviderException if the provider has not been

  211.      * configured.

  212.      *

  213.      * @see Provider

  214.      */

  215.     public static final CertificateFactory getInstance(String type,

  216. 					  	       String provider)

  217. 	throws CertificateException, NoSuchProviderException

  218.     {

  219. 	if (provider == null || provider.length() == 0)

  220. 	    throw new IllegalArgumentException("missing provider");

  221. 	try {

  222. 	    if (implMethod == null) {

  223. 		throw new CertificateException(type + " not found");

  224. 	    }

  225. 

  226. 	    // The underlying method is static, so we set the object

  227. 	    // argument to null.

  228. 	    Object[] objs = (Object[])implMethod.invoke(null,

  229. 					       new Object[]

  230. 					       { type,

  231. 						 "CertificateFactory",

  232. 						 provider

  233. 					       } );

  234. 	    return new CertificateFactory((CertificateFactorySpi)objs[0],

  235. 					  (Provider)objs[1], type);

  236. 	} catch (IllegalAccessException iae) {

  237. 	    CertificateException ce = new

  238. 	               CertificateException(type + " not found");

  239. 	    ce.initCause(iae);

  240. 	    throw ce;

  241. 	} catch (InvocationTargetException ite) {

  242. 	    Throwable t = ite.getTargetException();

  243. 	    if (t != null && t instanceof NoSuchProviderException)

  244. 		throw (NoSuchProviderException)t;

  245. 	    CertificateException ce = new 

  246.                 CertificateException(type + " not found");

  247. 	    ce.initCause(ite);

  248. 	    throw ce;

  249. 	}

  250.     }

  251. 

  252.     /**

  253.      * Generates a certificate factory object for the specified

  254.      * certificate type from the specified provider.

  255.      * Note: the <code>provider</code> doesn't have to be registered.

  256.      *

  257.      * @param type the certificate type

  258.      * @param provider the provider

  259.      *

  260.      * @return a certificate factory object for the specified type.

  261.      *

  262.      * @exception CertificateException if the certificate type is

  263.      * not available from the specified provider.

  264.      *

  265.      * @exception IllegalArgumentException if the <code>provider</code> is

  266.      * null.

  267.      *

  268.      * @see Provider

  269.      *

  270.      * @since 1.4

  271.      */

  272.     public static final CertificateFactory getInstance(String type,

  273.                                                        Provider provider)

  274.         throws CertificateException

  275.     {

  276. 	if (provider == null)

  277. 	    throw new IllegalArgumentException("missing provider");

  278. 

  279. 	if (implMethod2Set.booleanValue() == false) {

  280. 	    synchronized (implMethod2Set) {

  281. 		if (implMethod2Set.booleanValue() == false) {

  282. 		    implMethod2 = (Method)

  283. 			AccessController.doPrivileged(

  284. 					   new PrivilegedAction() {

  285. 			    public Object run() {

  286. 				Method m = null;

  287. 				try {

  288. 				    m = cl.getDeclaredMethod("getImpl",

  289. 							     GET_IMPL_PARAMS2);

  290. 				    if (m != null)

  291. 					m.setAccessible(true);

  292. 				} catch (NoSuchMethodException nsme) {

  293. 				}

  294. 				return m;

  295. 			    }

  296. 			});

  297. 		    implMethod2Set = new Boolean(true);

  298. 		}		

  299. 	    }

  300. 	}

  301. 

  302. 	if (implMethod2 == null) {

  303. 	    throw new CertificateException(type + " not found");

  304. 	}

  305. 

  306. 	try {

  307. 	    // The underlying method is static, so we set the object

  308. 	    // argument to null.

  309. 	    Object[] objs = (Object[])implMethod2.invoke(null,

  310. 					       new Object[]

  311. 					       { type,

  312. 						 "CertificateFactory",

  313. 						 provider

  314. 					       } );

  315. 	    return new CertificateFactory((CertificateFactorySpi)objs[0],

  316. 					  (Provider)objs[1], type);

  317. 	} catch (IllegalAccessException iae) {

  318. 	    CertificateException ce = new 

  319.                        CertificateException(type + " not found");

  320. 	    ce.initCause(iae);

  321. 	    throw ce;

  322. 	} catch (InvocationTargetException ite) {

  323. 	    CertificateException ce = new 

  324.                        CertificateException(type + " not found");

  325. 	    ce.initCause(ite);

  326. 	    throw ce;

  327. 	}

  328.     }    

  329. 	    

  330.     /**

  331.      * Returns the provider of this certificate factory.

  332.      *

  333.      * @return the provider of this certificate factory.

  334.      */

  335.     public final Provider getProvider() {

  336. 	return this.provider;

  337.     }

  338. 

  339.     /**

  340.      * Returns the name of the certificate type associated with this

  341.      * certificate factory.

  342.      *

  343.      * @return the name of the certificate type associated with this

  344.      * certificate factory.

  345.      */

  346.     public final String getType() {

  347. 	return this.type;

  348.     }

  349. 

  350.     /**

  351.      * Generates a certificate object and initializes it with

  352.      * the data read from the input stream <code>inStream</code>.

  353.      *

  354.      * <p>In order to take advantage of the specialized certificate format

  355.      * supported by this certificate factory,

  356.      * the returned certificate object can be typecast to the corresponding

  357.      * certificate class. For example, if this certificate

  358.      * factory implements X.509 certificates, the returned certificate object

  359.      * can be typecast to the <code>X509Certificate</code> class.

  360.      *

  361.      * <p>In the case of a certificate factory for X.509 certificates, the

  362.      * certificate provided in <code>inStream</code> must be DER-encoded and

  363.      * may be supplied in binary or printable (Base64) encoding. If the

  364.      * certificate is provided in Base64 encoding, it must be bounded at

  365.      * the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at

  366.      * the end by -----END CERTIFICATE-----.

  367.      *

  368.      * <p>Note that if the given input stream does not support

  369.      * {@link java.io.InputStream#mark(int) mark} and

  370.      * {@link java.io.InputStream#reset() reset}, this method will

  371.      * consume the entire input stream. Otherwise, each call to this 

  372.      * method consumes one certificate and the read position of the

  373.      * input stream is positioned to the next available byte after

  374.      * the inherent end-of-certificate marker. If the data in the input stream

  375.      * does not contain an inherent end-of-certificate marker (other

  376.      * than EOF) and there is trailing data after the certificate is parsed, a 

  377.      * <code>CertificateException</code> is thrown.

  378.      *

  379.      * @param inStream an input stream with the certificate data.

  380.      *

  381.      * @return a certificate object initialized with the data

  382.      * from the input stream.

  383.      *

  384.      * @exception CertificateException on parsing errors.

  385.      */

  386.     public final Certificate generateCertificate(InputStream inStream)

  387.         throws CertificateException

  388.     {

  389. 	return certFacSpi.engineGenerateCertificate(inStream);

  390.     }

  391. 

  392.     /**

  393.      * Returns an iteration of the <code>CertPath</code> encodings supported 

  394.      * by this certificate factory, with the default encoding first. See 

  395.      * Appendix A in the 

  396.      * <a href="../../../../guide/security/certpath/CertPathProgGuide.html#AppA">

  397.      * Java Certification Path API Programmer's Guide</a> for information about 

  398.      * standard encoding names and their formats. 

  399.      * <p>

  400.      * Attempts to modify the returned <code>Iterator</code> via its 

  401.      * <code>remove</code> method result in an 

  402.      * <code>UnsupportedOperationException</code>.

  403.      *

  404.      * @return an <code>Iterator</code> over the names of the supported

  405.      *         <code>CertPath</code> encodings (as <code>String</code>s)

  406.      * @since 1.4

  407.      */

  408.     public final Iterator getCertPathEncodings() {

  409.         return(certFacSpi.engineGetCertPathEncodings());

  410.     }

  411. 

  412.     /**

  413.      * Generates a <code>CertPath</code> object and initializes it with

  414.      * the data read from the <code>InputStream</code> inStream. The data

  415.      * is assumed to be in the default encoding. The name of the default

  416.      * encoding is the first element of the <code>Iterator</code> returned by

  417.      * the {@link #getCertPathEncodings getCertPathEncodings} method.

  418.      *

  419.      * @param inStream an <code>InputStream</code> containing the data

  420.      * @return a <code>CertPath</code> initialized with the data from the

  421.      *   <code>InputStream</code>

  422.      * @exception CertificateException if an exception occurs while decoding

  423.      * @since 1.4

  424.      */

  425.     public final CertPath generateCertPath(InputStream inStream)

  426.         throws CertificateException

  427.     {

  428.         return(certFacSpi.engineGenerateCertPath(inStream));

  429.     }

  430. 

  431.     /**

  432.      * Generates a <code>CertPath</code> object and initializes it with

  433.      * the data read from the <code>InputStream</code> inStream. The data

  434.      * is assumed to be in the specified encoding. See Appendix A in the 

  435.      * <a href="../../../../guide/security/certpath/CertPathProgGuide.html#AppA">

  436.      * Java Certification Path API Programmer's Guide</a>

  437.      * for information about standard encoding names and their formats.

  438.      *

  439.      * @param inStream an <code>InputStream</code> containing the data

  440.      * @param encoding the encoding used for the data

  441.      * @return a <code>CertPath</code> initialized with the data from the

  442.      *   <code>InputStream</code>

  443.      * @exception CertificateException if an exception occurs while decoding or

  444.      *   the encoding requested is not supported

  445.      * @since 1.4

  446.      */

  447.     public final CertPath generateCertPath(InputStream inStream,

  448.         String encoding) throws CertificateException

  449.     {

  450.         return(certFacSpi.engineGenerateCertPath(inStream, encoding));

  451.     }

  452. 

  453.     /**

  454.      * Generates a <code>CertPath</code> object and initializes it with

  455.      * a <code>List</code> of <code>Certificate</code>s.

  456.      * <p>

  457.      * The certificates supplied must be of a type supported by the

  458.      * <code>CertificateFactory</code>. They will be copied out of the supplied

  459.      * <code>List</code> object.

  460.      *

  461.      * @param certificates a <code>List</code> of <code>Certificate</code>s

  462.      * @return a <code>CertPath</code> initialized with the supplied list of

  463.      *   certificates

  464.      * @exception CertificateException if an exception occurs

  465.      * @since 1.4

  466.      */

  467.     public final CertPath generateCertPath(List certificates)

  468.         throws CertificateException

  469.     {

  470.         return(certFacSpi.engineGenerateCertPath(certificates));

  471.     }

  472. 

  473.     /**

  474.      * Returns a (possibly empty) collection view of the certificates read

  475.      * from the given input stream <code>inStream</code>.

  476.      *

  477.      * <p>In order to take advantage of the specialized certificate format

  478.      * supported by this certificate factory, each element in

  479.      * the returned collection view can be typecast to the corresponding

  480.      * certificate class. For example, if this certificate

  481.      * factory implements X.509 certificates, the elements in the returned

  482.      * collection can be typecast to the <code>X509Certificate</code> class.

  483.      *

  484.      * <p>In the case of a certificate factory for X.509 certificates,

  485.      * <code>inStream</code> may contain a sequence of DER-encoded certificates

  486.      * in the formats described for

  487.      * {@link #generateCertificate(java.io.InputStream) generateCertificate}.

  488.      * In addition, <code>inStream</code> may contain a PKCS#7 certificate

  489.      * chain. This is a PKCS#7 <i>SignedData</i> object, with the only

  490.      * significant field being <i>certificates</i>. In particular, the

  491.      * signature and the contents are ignored. This format allows multiple

  492.      * certificates to be downloaded at once. If no certificates are present,

  493.      * an empty collection is returned.

  494.      *

  495.      * <p>Note that if the given input stream does not support

  496.      * {@link java.io.InputStream#mark(int) mark} and

  497.      * {@link java.io.InputStream#reset() reset}, this method will

  498.      * consume the entire input stream.

  499.      *

  500.      * @param inStream the input stream with the certificates.

  501.      *

  502.      * @return a (possibly empty) collection view of

  503.      * java.security.cert.Certificate objects

  504.      * initialized with the data from the input stream.

  505.      *

  506.      * @exception CertificateException on parsing errors.

  507.      */

  508.     public final Collection generateCertificates(InputStream inStream)

  509.         throws CertificateException

  510.     {

  511. 	return certFacSpi.engineGenerateCertificates(inStream);

  512.     }

  513. 

  514.     /**

  515.      * Generates a certificate revocation list (CRL) object and initializes it

  516.      * with the data read from the input stream <code>inStream</code>.

  517.      *

  518.      * <p>In order to take advantage of the specialized CRL format

  519.      * supported by this certificate factory,

  520.      * the returned CRL object can be typecast to the corresponding

  521.      * CRL class. For example, if this certificate

  522.      * factory implements X.509 CRLs, the returned CRL object

  523.      * can be typecast to the <code>X509CRL</code> class.

  524.      *

  525.      * <p>Note that if the given input stream does not support

  526.      * {@link java.io.InputStream#mark(int) mark} and

  527.      * {@link java.io.InputStream#reset() reset}, this method will

  528.      * consume the entire input stream. Otherwise, each call to this 

  529.      * method consumes one CRL and the read position of the input stream

  530.      * is positioned to the next available byte after the the inherent 

  531.      * end-of-CRL marker. If the data in the

  532.      * input stream does not contain an inherent end-of-CRL marker (other

  533.      * than EOF) and there is trailing data after the CRL is parsed, a 

  534.      * <code>CRLException</code> is thrown.

  535.      *

  536.      * @param inStream an input stream with the CRL data.

  537.      *

  538.      * @return a CRL object initialized with the data

  539.      * from the input stream.

  540.      *

  541.      * @exception CRLException on parsing errors.

  542.      */

  543.     public final CRL generateCRL(InputStream inStream)

  544.         throws CRLException

  545.     {

  546. 	return certFacSpi.engineGenerateCRL(inStream);

  547.     }

  548. 

  549.     /**

  550.      * Returns a (possibly empty) collection view of the CRLs read

  551.      * from the given input stream <code>inStream</code>.

  552.      *

  553.      * <p>In order to take advantage of the specialized CRL format

  554.      * supported by this certificate factory, each element in

  555.      * the returned collection view can be typecast to the corresponding

  556.      * CRL class. For example, if this certificate

  557.      * factory implements X.509 CRLs, the elements in the returned

  558.      * collection can be typecast to the <code>X509CRL</code> class.

  559.      *

  560.      * <p>In the case of a certificate factory for X.509 CRLs,

  561.      * <code>inStream</code> may contain a sequence of DER-encoded CRLs.

  562.      * In addition, <code>inStream</code> may contain a PKCS#7 CRL

  563.      * set. This is a PKCS#7 <i>SignedData</i> object, with the only

  564.      * significant field being <i>crls</i>. In particular, the

  565.      * signature and the contents are ignored. This format allows multiple

  566.      * CRLs to be downloaded at once. If no CRLs are present,

  567.      * an empty collection is returned.

  568.      *

  569.      * <p>Note that if the given input stream does not support

  570.      * {@link java.io.InputStream#mark(int) mark} and

  571.      * {@link java.io.InputStream#reset() reset}, this method will

  572.      * consume the entire input stream.

  573.      *

  574.      * @param inStream the input stream with the CRLs.

  575.      *

  576.      * @return a (possibly empty) collection view of

  577.      * java.security.cert.CRL objects initialized with the data from the input

  578.      * stream.

  579.      *

  580.      * @exception CRLException on parsing errors.

  581.      */

  582.     public final Collection generateCRLs(InputStream inStream)

  583.         throws CRLException

  584.     {

  585. 	return certFacSpi.engineGenerateCRLs(inStream);

  586.     }

  587. }