Path: blob/master/src/java.base/share/classes/sun/security/x509/InhibitAnyPolicyExtension.java
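/*
 * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.x509;

import java.io.IOException;
import java.io.OutputStream;
import java.util.Enumeration;

import sun.security.util.*;

/**
 * This class represents the Inhibit Any-Policy Extension.
 *
 * <p>The inhibit any-policy extension can be used in certificates issued
 * to CAs. The inhibit any-policy indicates that the special any-policy
 * OID, with the value {2 5 29 32 0}, is not considered an explicit
 * match for other certificate policies. The value indicates the number
 * of additional certificates that may appear in the path before any-
 * policy is no longer permitted. For example, a value of one indicates
 * that any-policy may be processed in certificates issued by the sub-
 * ject of this certificate, but not in additional certificates in the
 * path.
 * <p>
 * This extension MUST be critical.
 * <p>
 * The ASN.1 syntax for this extension is:
 * <pre>{@code
 * id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }
 *
 * InhibitAnyPolicy ::= SkipCerts
 *
 * SkipCerts ::= INTEGER (0..MAX)
 * }</pre>
 * <p>
 * Internally, a skip count of -1 is treated as "unlimited" and stored as
 * {@link Integer#MAX_VALUE}; every entry point that accepts a skip count
 * (both constructors and {@link #set}) applies the same validation.
 *
 * @author Anne Anderson
 * @see CertAttrSet
 * @see Extension
 */
public class InhibitAnyPolicyExtension extends Extension
        implements CertAttrSet<String> {

    // Debug handle for the "certpath" category.
    private static final Debug debug = Debug.getInstance("certpath");

    /**
     * Identifier for this attribute, to be used with the
     * get, set, delete methods of Certificate, x509 type.
     */
    public static final String IDENT = "x509.info.extensions.InhibitAnyPolicy";

    /**
     * Object identifier for "any-policy".
     * <p>
     * Declared {@code final}: this is a constant OID, and a public static
     * field that can be reassigned would let any code with access to this
     * class swap the value that other code reads through it.
     */
    public static final ObjectIdentifier AnyPolicy_Id =
            ObjectIdentifier.of(KnownOIDs.CE_CERT_POLICIES_ANY);

    /**
     * Attribute names.
     */
    public static final String NAME = "InhibitAnyPolicy";
    public static final String SKIP_CERTS = "skip_certs";

    // Private data members.
    // Integer.MAX_VALUE is the internal stand-in for "unlimited".
    private int skipCerts = Integer.MAX_VALUE;

    /**
     * Validates a skip count and maps it to its internal representation.
     * Shared by both constructors and {@link #set} so the accepted range
     * cannot drift between entry points.
     *
     * @param value the requested skip count; -1 means unlimited.
     * @return {@code Integer.MAX_VALUE} for -1, otherwise {@code value}.
     * @throws IOException if {@code value} is less than -1.
     */
    private static int normalizeSkipCerts(int value) throws IOException {
        if (value < -1) {
            throw new IOException("Invalid value for skipCerts");
        }
        return (value == -1) ? Integer.MAX_VALUE : value;
    }

    // Encode this extension value.
    // The stored (normalized) count is what gets written, so an "unlimited"
    // request is emitted as Integer.MAX_VALUE rather than -1.
    private void encodeThis() throws IOException {
        DerOutputStream out = new DerOutputStream();
        out.putInteger(skipCerts);
        this.extensionValue = out.toByteArray();
    }

    /**
     * Default constructor for this object.
     * The resulting extension is always marked critical.
     *
     * @param skipCerts specifies the depth of the certification path.
     *                  Use value of -1 to request unlimited depth.
     * @throws IOException if {@code skipCerts} is less than -1, or on
     *                     encoding error.
     */
    public InhibitAnyPolicyExtension(int skipCerts) throws IOException {
        this.skipCerts = normalizeSkipCerts(skipCerts);
        this.extensionId = PKIXExtensions.InhibitAnyPolicy_Id;
        critical = true;
        encodeThis();
    }

    /**
     * Create the extension from the passed DER encoded value of the same.
     * <p>
     * The value is rejected unless the extension is flagged critical, the
     * outer DER tag is INTEGER, the integer has content, and the decoded
     * count is at least -1.
     *
     * @param critical criticality flag to use. Must be true for this
     *                 extension.
     * @param value a byte array holding the DER-encoded extension value.
     * @exception ClassCastException if value is not an array of bytes
     * @exception IOException on error.
     */
    public InhibitAnyPolicyExtension(Boolean critical, Object value)
            throws IOException {

        this.extensionId = PKIXExtensions.InhibitAnyPolicy_Id;

        // A non-critical InhibitAnyPolicy is refused outright.
        if (!critical.booleanValue()) {
            throw new IOException("Criticality cannot be false for " +
                                  "InhibitAnyPolicy");
        }
        this.critical = critical.booleanValue();

        // NOTE(review): the caller's array is retained without a defensive
        // copy -- confirm callers never mutate it after construction.
        this.extensionValue = (byte[]) value;
        DerValue val = new DerValue(this.extensionValue);
        if (val.tag != DerValue.tag_Integer) {
            throw new IOException("Invalid encoding of InhibitAnyPolicy: "
                                  + "data not integer");
        }

        if (val.data == null) {
            throw new IOException("Invalid encoding of InhibitAnyPolicy: "
                                  + "null data");
        }

        // NOTE(review): SkipCerts is declared INTEGER (0..MAX) in the syntax
        // quoted in the class comment, yet an encoded -1 is accepted here and
        // widened to Integer.MAX_VALUE (i.e. any-policy is never inhibited).
        // This value presumably originates from a parsed certificate; confirm
        // that the leniency is intentional for decoded input.
        this.skipCerts = normalizeSkipCerts(val.getInteger());
    }

    /**
     * Return user readable form of extension.
     */
    @Override
    public String toString() {
        return super.toString() + "InhibitAnyPolicy: " + skipCerts + "\n";
    }

    /**
     * Encode this extension value to the output stream.
     * If no encoded value is cached yet, the extension id and criticality
     * are (re)set and the value is encoded first.
     *
     * @param out the DerOutputStream to encode the extension to.
     * @throws IOException on encoding or write error.
     */
    public void encode(OutputStream out) throws IOException {
        DerOutputStream tmp = new DerOutputStream();
        if (extensionValue == null) {
            this.extensionId = PKIXExtensions.InhibitAnyPolicy_Id;
            critical = true;
            encodeThis();
        }
        super.encode(tmp);

        out.write(tmp.toByteArray());
    }

    /**
     * Set the attribute value.
     *
     * @param name name of attribute to set. Must be SKIP_CERTS
     *             (compared case-insensitively).
     * @param obj  value to which attribute is to be set. Must be Integer
     *             type; -1 requests unlimited depth.
     * @throws IOException on error
     */
    public void set(String name, Object obj) throws IOException {
        if (!name.equalsIgnoreCase(SKIP_CERTS)) {
            throw new IOException("Attribute name not recognized by " +
                                  "CertAttrSet:InhibitAnyPolicy.");
        }
        if (!(obj instanceof Integer)) {
            throw new IOException("Attribute value should be of type Integer.");
        }
        skipCerts = normalizeSkipCerts(((Integer) obj).intValue());
        // Keep the cached DER value in step with the new count.
        encodeThis();
    }

    /**
     * Get the attribute value.
     *
     * @param name name of attribute to get. Must be SKIP_CERTS.
     * @return value of the attribute. In this case it will be of type
     *         Integer. An unlimited depth is reported as
     *         {@code Integer.MAX_VALUE}.
     * @throws IOException on error
     */
    public Integer get(String name) throws IOException {
        if (name.equalsIgnoreCase(SKIP_CERTS)) {
            return skipCerts;
        }
        throw new IOException("Attribute name not recognized by " +
                              "CertAttrSet:InhibitAnyPolicy.");
    }

    /**
     * Delete the attribute value.
     *
     * @param name name of attribute to delete. Must be SKIP_CERTS.
     * @throws IOException on error. In this case, IOException will always be
     *                     thrown, because the only attribute, SKIP_CERTS, is
     *                     required.
     */
    public void delete(String name) throws IOException {
        if (name.equalsIgnoreCase(SKIP_CERTS)) {
            throw new IOException("Attribute " + SKIP_CERTS +
                                  " may not be deleted.");
        }
        throw new IOException("Attribute name not recognized by " +
                              "CertAttrSet:InhibitAnyPolicy.");
    }

    /**
     * Return an enumeration of names of attributes existing within this
     * attribute.
     *
     * @return enumeration of elements
     */
    public Enumeration<String> getElements() {
        AttributeNameEnumeration elements = new AttributeNameEnumeration();
        elements.addElement(SKIP_CERTS);
        return elements.elements();
    }

    /**
     * Return the name of this attribute.
     *
     * @return name of attribute.
     */
    public String getName() {
        return NAME;
    }
}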