Back to index...

	/*
	* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.x509;

	import java.io.IOException;
	import java.io.OutputStream;
	import java.security.cert.CertificateException;
	import java.security.cert.CertificateParsingException;
	import java.security.cert.CertificateExpiredException;
	import java.security.cert.CertificateNotYetValidException;
	import java.util.Date;
	import java.util.Enumeration;
	import java.util.Objects;

	import sun.security.util.*;

	/**
	* This class defines the Private Key Usage Extension.
	*
	* <p>The Private Key Usage Period extension allows the certificate issuer
	* to specify a different validity period for the private key than the
	* certificate. This extension is intended for use with digital
	* signature keys. This extension consists of two optional components
	* notBefore and notAfter. The private key associated with the
	* certificate should not be used to sign objects before or after the
	* times specified by the two components, respectively.
	*
	* <pre>
	* PrivateKeyUsagePeriod ::= SEQUENCE {
	* notBefore [0] GeneralizedTime OPTIONAL,
	* notAfter [1] GeneralizedTime OPTIONAL }
	* </pre>
	*
	* @author Amit Kapoor
	* @author Hemma Prafullchandra
	* @see Extension
	* @see CertAttrSet
	*/
	public class PrivateKeyUsageExtension extends Extension
	implements CertAttrSet<String> {
	/**
	* Identifier for this attribute, to be used with the
	* get, set, delete methods of Certificate, x509 type.
	*/
	public static final String IDENT = "x509.info.extensions.PrivateKeyUsage";
	/**
	* Sub attributes name for this CertAttrSet.
	*/
	public static final String NAME = "PrivateKeyUsage";
	public static final String NOT_BEFORE = "not_before";
	public static final String NOT_AFTER = "not_after";

	// Private data members
	private static final byte TAG_BEFORE = 0;
	private static final byte TAG_AFTER = 1;

	private Date notBefore = null;
	private Date notAfter = null;

	// Encode this extension value.
	private void encodeThis() throws IOException {
	if (notBefore == null && notAfter == null) {
	this.extensionValue = null;
	return;
	}
	DerOutputStream seq = new DerOutputStream();

	DerOutputStream tagged = new DerOutputStream();
	if (notBefore != null) {
	DerOutputStream tmp = new DerOutputStream();
	tmp.putGeneralizedTime(notBefore);
	tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT,
	false, TAG_BEFORE), tmp);
	}
	if (notAfter != null) {
	DerOutputStream tmp = new DerOutputStream();
	tmp.putGeneralizedTime(notAfter);
	tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT,
	false, TAG_AFTER), tmp);
	}
	seq.write(DerValue.tag_Sequence, tagged);
	this.extensionValue = seq.toByteArray();
	}

	/**
	* The default constructor for PrivateKeyUsageExtension.
	*
	* @param notBefore the date/time before which the private key
	* should not be used.
	* @param notAfter the date/time after which the private key
	* should not be used.
	*/
	public PrivateKeyUsageExtension(Date notBefore, Date notAfter)
	throws IOException {
	this.notBefore = notBefore;
	this.notAfter = notAfter;

	this.extensionId = PKIXExtensions.PrivateKeyUsage_Id;
	this.critical = false;
	encodeThis();
	}

	/**
	* Create the extension from the passed DER encoded value.
	*
	* @param critical true if the extension is to be treated as critical.
	* @param value an array of DER encoded bytes of the actual value.
	* @exception ClassCastException if value is not an array of bytes
	* @exception CertificateException on certificate parsing errors.
	* @exception IOException on error.
	*/
	public PrivateKeyUsageExtension(Boolean critical, Object value)
	throws CertificateException, IOException {
	this.extensionId = PKIXExtensions.PrivateKeyUsage_Id;
	this.critical = critical.booleanValue();

	this.extensionValue = (byte[]) value;
	DerInputStream str = new DerInputStream(this.extensionValue);
	DerValue[] seq = str.getSequence(2);

	// NB. this is always encoded with the IMPLICIT tag
	// The checks only make sense if we assume implicit tagging,
	// with explicit tagging the form is always constructed.
	for (int i = 0; i < seq.length; i++) {
	DerValue opt = seq[i];

	if (opt.isContextSpecific(TAG_BEFORE) &&
	!opt.isConstructed()) {
	if (notBefore != null) {
	throw new CertificateParsingException(
	"Duplicate notBefore in PrivateKeyUsage.");
	}
	opt.resetTag(DerValue.tag_GeneralizedTime);
	str = new DerInputStream(opt.toByteArray());
	notBefore = str.getGeneralizedTime();

	} else if (opt.isContextSpecific(TAG_AFTER) &&
	!opt.isConstructed()) {
	if (notAfter != null) {
	throw new CertificateParsingException(
	"Duplicate notAfter in PrivateKeyUsage.");
	}
	opt.resetTag(DerValue.tag_GeneralizedTime);
	str = new DerInputStream(opt.toByteArray());
	notAfter = str.getGeneralizedTime();
	} else
	throw new IOException("Invalid encoding of " +
	"PrivateKeyUsageExtension");
	}
	}

	/**
	* Return the printable string.
	*/
	public String toString() {
	return(super.toString() +
	"PrivateKeyUsage: [\n" +
	((notBefore == null) ? "" : "From: " + notBefore.toString() + ", ")
	+ ((notAfter == null) ? "" : "To: " + notAfter.toString())
	+ "]\n");
	}

	/**
	* Verify that that the current time is within the validity period.
	*
	* @exception CertificateExpiredException if the certificate has expired.
	* @exception CertificateNotYetValidException if the certificate is not
	* yet valid.
	*/
	public void valid()
	throws CertificateNotYetValidException, CertificateExpiredException {
	Date now = new Date();
	valid(now);
	}

	/**
	* Verify that that the passed time is within the validity period.
	*
	* @exception CertificateExpiredException if the certificate has expired
	* with respect to the <code>Date</code> supplied.
	* @exception CertificateNotYetValidException if the certificate is not
	* yet valid with respect to the <code>Date</code> supplied.
	*
	*/
	public void valid(Date now)
	throws CertificateNotYetValidException, CertificateExpiredException {
	Objects.requireNonNull(now);
	/*
	* we use the internal Dates rather than the passed in Date
	* because someone could override the Date methods after()
	* and before() to do something entirely different.
	*/
	if (notBefore != null && notBefore.after(now)) {
	throw new CertificateNotYetValidException("NotBefore: " +
	notBefore.toString());
	}
	if (notAfter != null && notAfter.before(now)) {
	throw new CertificateExpiredException("NotAfter: " +
	notAfter.toString());
	}
	}

	/**
	* Write the extension to the OutputStream.
	*
	* @param out the OutputStream to write the extension to.
	* @exception IOException on encoding errors.
	*/
	public void encode(OutputStream out) throws IOException {
	DerOutputStream tmp = new DerOutputStream();
	if (extensionValue == null) {
	extensionId = PKIXExtensions.PrivateKeyUsage_Id;
	critical = false;
	encodeThis();
	}
	super.encode(tmp);
	out.write(tmp.toByteArray());
	}

	/**
	* Set the attribute value.
	* @exception CertificateException on attribute handling errors.
	*/
	public void set(String name, Object obj)
	throws CertificateException, IOException {
	if (!(obj instanceof Date)) {
	throw new CertificateException("Attribute must be of type Date.");
	}
	if (name.equalsIgnoreCase(NOT_BEFORE)) {
	notBefore = (Date)obj;
	} else if (name.equalsIgnoreCase(NOT_AFTER)) {
	notAfter = (Date)obj;
	} else {
	throw new CertificateException("Attribute name not recognized by"
	+ " CertAttrSet:PrivateKeyUsage.");
	}
	encodeThis();
	}

	/**
	* Get the attribute value.
	* @exception CertificateException on attribute handling errors.
	*/
	public Date get(String name) throws CertificateException {
	if (name.equalsIgnoreCase(NOT_BEFORE)) {
	return (new Date(notBefore.getTime()));
	} else if (name.equalsIgnoreCase(NOT_AFTER)) {
	return (new Date(notAfter.getTime()));
	} else {
	throw new CertificateException("Attribute name not recognized by"
	+ " CertAttrSet:PrivateKeyUsage.");
	}
	}

	/**
	* Delete the attribute value.
	* @exception CertificateException on attribute handling errors.
	*/
	public void delete(String name) throws CertificateException, IOException {
	if (name.equalsIgnoreCase(NOT_BEFORE)) {
	notBefore = null;
	} else if (name.equalsIgnoreCase(NOT_AFTER)) {
	notAfter = null;
	} else {
	throw new CertificateException("Attribute name not recognized by"
	+ " CertAttrSet:PrivateKeyUsage.");
	}
	encodeThis();
	}

	/**
	* Return an enumeration of names of attributes existing within this
	* attribute.
	*/
	public Enumeration<String> getElements() {
	AttributeNameEnumeration elements = new AttributeNameEnumeration();
	elements.addElement(NOT_BEFORE);
	elements.addElement(NOT_AFTER);

	return(elements.elements());
	}

	/**
	* Return the name of this attribute.
	*/
	public String getName() {
	return(NAME);
	}
	}

Back to index...