Class CertificateParser
- java.lang.Object
-
- javacardx.security.cert.CertificateParser
-
public abstract class CertificateParser extends Object
TheCertificateParser
class is used to parse certificates and createCertificate
instances.A parser instance is created for a specific certificate format (e.g. X509)
The parser can be used in two ways:
- to parse certificate elements from a provided byte array
- to allocate a Certificate instance and initialize it with a subset of selected elements copied from the specified byte array
Certificate Parsing
The
CertificateParser
instance can be used to parse certificates from a byte array and to trigger aCertificateParser.ParserHandler
for each element found. The handler receives information on each element found including its value.Example: parsing and verification
public class CertExample1 implements FieldHandler, KeyHandler, ExtensionHandler { private final CertificateParser parser = CertificateParser.getInstance(CertificateParser.TYPE_X509_DER); private PublicKey pubKey; private final Certificate rootCert; public CertExample1(Certificate root) { this.rootCert = root; } // parse certificate, verify signature with root cert, extract and return public key public PublicKey parse(byte[] data, short offset, short length) throws CertificateException { parser.parseCert(data, offset, length, this, rootCert.getPublicKey()); return pubKey; } // --- FieldHandler ---------------------------------------------------------- @Override public boolean onField(short fieldID, byte[] field) { switch (fieldID) { case X509Certificate.FIELD_TBS_NOT_AFTER: if (expired(field)) { CertificateException.throwIt(EXPIRED); } break; case X509Certificate.FIELD_TBS_PUBLIC_KEY_INFO: if (pubKey == null) { // KeyHandler has not been called because type not supported // use proprietary decoder pubKey = decodeKey(value); } break; } return false; } // --- ExtensionHandler ------------------------------------------------------ @Override public boolean onExtension(byte[] oid, boolean isCritical, byte[] value) { if (Util.arrayCompare(oid, (short) 0, OID_KEY_USAGE, (short) 0, OID_KEY_USAGE.length) == 0) { // check usage } } // --- KeyHandler ------------------------------------------------------------ @Override public PublicKey onKey(byte keytype, short params) { if (keytype == KeyBuilder.TYPE_XEC) { pubKey = (PublicKey) KeyBuilder.buildXECKey( NamedParameterSpec.getInstance(params), JCSystem.MEMORY_TYPE_PERSISTENT, false); } else { pubKey = (PublicKey) KeyBuilder.buildKey(keytype, params, false); } return pubKey; } }
Note: The parsing may fail at any time due to an invalid element encoding (fail-fast processing since there is no copy of the source buffer). Consequently, the handler is not called for subsequent elements if an invalid element is found. This could also be the case if the buffer is modified during parsing with invalid data after the ones already parsed (for example if the handler modifies the buffer)Parsing and allocating a Certificate instance
The
CertificateParser
instance can be used to parse an existing byte array and to create a new Certificate instance. AX509Certificate.FieldHandler
is used to specify which certificate fields should be stored to be used to initialize a new Certificate instance.Example: Parsing and creation of a new Certificate instance
public class CertExample2 implements FieldHandler, ExtensionHandler { private final CertificateParser parser = CertificateParser.getInstance(CertificateParser.TYPE_X509_DER); public Certificate buildCert(byte[] data, short offset, short length) throws CertificateException { return parser.buildCert(data, offset, length, this); } // --- FieldHandler ---------------------------------------------------------- @Override public boolean onField(short fieldID, byte[] field) { switch (fieldID) { case X509Certificate.FIELD_TBS_ISSUER: // store issuer name case X509Certificate.FIELD_TBS_NOT_AFTER: // store validity date case X509Certificate.FIELD_TBS_NOT_BEFORE:// store validity date case X509Certificate.FIELD_TBS_SUBJECT: // store subject return true; } // skip other fields return false; } // --- ExtensionHandler ------------------------------------------------------ @Override public boolean onExtension(byte[] oid, boolean isCritical, byte[] value) { // keep critical extensions // and Subject Alternative Name (OID: 2.5.29.17) return isCritical || Util.arrayCompare(oid, (short)0, OID_SUBJECT_ALT_NAME, (short)0, OID_SUBJECT_ALT_NAME.length) == 0); } }
- Since:
- 3.1
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static interface
CertificateParser.KeyHandler
AKeyHandler
is triggered by aCertificateParser
and allows to fill the fields of aPublicKey
pre-allocated by the application with the values of the public key of the certificate.static interface
CertificateParser.ParserHandler
ParserHandler
is the base interface for all handlers that can be triggered by the CertificateParser at the time a certificate is built or parsed.
-
Field Summary
Fields Modifier and Type Field Description static short
TYPE_X509_DER
Parser for X.509 v1, v2 and v3 DER-encoded certificates (see RFC 5280)
-
Method Summary
All Methods Static Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description abstract Certificate
buildCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler)
Parse certificate data and create aCertificate
instance.abstract Certificate
buildCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler, PublicKey key)
Parse certificate data and create aCertificate
instance.static CertificateParser
getInstance(short type)
Creates an instance of a parser for the specified certificate formatabstract void
parseCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler)
Parse certificate data and trigger the handle for each element found.abstract boolean
parseCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler, PublicKey key)
Parse certificate data, trigger the handle for each element found, and verify it using the specified public key.
-
-
-
Field Detail
-
TYPE_X509_DER
public static final short TYPE_X509_DER
Parser for X.509 v1, v2 and v3 DER-encoded certificates (see RFC 5280)- See Also:
- Constant Field Values
-
-
Method Detail
-
getInstance
public static CertificateParser getInstance(short type) throws CertificateException
Creates an instance of a parser for the specified certificate format- Parameters:
type
- the certificate format to parse- Returns:
- a CertificateParser instance
- Throws:
CertificateException
- with the following reason codes:- INVALID_PARAM if the certificate type is not supported
SystemException
- with the following reason code:SystemException.NO_RESOURCE
if not enough resources to allocate the instance
-
buildCert
public abstract Certificate buildCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler) throws CertificateException
Parse certificate data and create aCertificate
instance. The specified handler is triggered for each certificate element found. The handler can typically be used to optimize storage and select elements to include in the certificate instance being created.- Parameters:
data
- input buffer with the certificate dataoffset
- the offset into the input buffer where parsing should startlength
- the byte length of the certificate datahandler
- the handler triggered when an element is found during parsing. Ifnull
, no filtering is performed and all elements are included in the certificate being built.- Returns:
- A new
Certificate
instance - Throws:
CertificateException
- with the following reason codes:- CertificateException.INVALID_ENCODING if the certificate encoding is incorrect. It includes the case where the length parameter is not equal to the parsed certificate.
- CertificateException.PARSER_HANDLER_EXCEPTION if an exception has been thrown by a certificate parser handler.
- CertificateException.PARSER_HANDLER_INVALID_KEY if the key returned by
CertificateParser.KeyHandler.onKey(byte, short)
} was not matching the certificate public keytype
,length
orstandard name
.
-
buildCert
public abstract Certificate buildCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler, PublicKey key) throws CryptoException, CertificateException
Parse certificate data and create aCertificate
instance. This can be used in the specific case where the caller already knows the key required to verify the certificate and allows to save some internal storage in the certificate being created.The verification is performed first, then the specified handler is triggered each time a certificate element is found. The handler can typically be used to optimize storage and select elements to include in the certificate instance being created.
- Parameters:
data
- input buffer with the certificate dataoffset
- the offset into the input buffer where parsing should startlength
- the byte length of the certificate datahandler
- the handler triggered when an element is found during parsing. Ifnull
, no filtering is performed and all elements are included in the certificate being built.key
- the public key to verify the certificate - Notnull
- Returns:
- A new
Certificate
instance - Throws:
CryptoException
- with the following reasons code:- CryptoException.NO_SUCH_ALGORITHM if the signature algorithm is not supported
- CryptoException.UNINITIALIZED_KEY if the key object is not initialized.
- CryptoException.ILLEGAL_VALUE if the key object is inconsistent with the signature
CertificateException
- with the following reason codes:- CertificateException.INVALID_ENCODING if the certificate encoding is incorrect. It includes the case where the length parameter is not equal to the parsed certificate.
- CertificateException.INVALID_SIGNATURE if the signature verification failed
- CertificateException.PARSER_HANDLER_EXCEPTION if an exception has been thrown by a certificate parser handler.
- CertificateException.PARSER_HANDLER_INVALID_KEY if the key returned by
CertificateParser.KeyHandler.onKey(byte, short)
} was not matching the certificate public keytype
,length
orstandard name
.
-
parseCert
public abstract void parseCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler) throws CertificateException
Parse certificate data and trigger the handle for each element found.- Parameters:
data
- input buffer with the certificate dataoffset
- the offset into the input buffer where parsing should startlength
- the byte length of the certificate datahandler
- the handler triggered when an element is found during parsing. It may benull
.- Throws:
CertificateException
- with the following reason codes:- CertificateException.INVALID_ENCODING if the certificate encoding is incorrect. It includes the case where the length parameter is not equal to the parsed certificate.
- CertificateException.PARSER_HANDLER_EXCEPTION if an exception has been thrown by a certificate parser handler.
- CertificateException.PARSER_HANDLER_INVALID_KEY if the key returned by
CertificateParser.KeyHandler.onKey(byte, short)
} was not matching the certificate public keytype
,length
orstandard name
.
-
parseCert
public abstract boolean parseCert(byte[] data, short offset, short length, CertificateParser.ParserHandler handler, PublicKey key) throws CryptoException, CertificateException
Parse certificate data, trigger the handle for each element found, and verify it using the specified public key. This can be used in the specific case where the caller already knows the key required to verify the certificate.The verification is performed first, then the specified handler is triggered each time a certificate element is found.
In addition to returning a
boolean
result, this method sets the result in an internal state which can be rechecked using assertion methods of theSensitiveResult
class, if supported by the platform.- Parameters:
data
- input buffer with the certificate dataoffset
- the offset into the input buffer where parsing should startlength
- the byte length of the certificate datahandler
- the handler triggered when an element is found during parsing. It may benull
.key
- the public key to verify the certificate - Notnull
- Returns:
true
if the signature verifies,false
otherwise.- Throws:
CryptoException
- with the following reasons code:- CryptoException.NO_SUCH_ALGORITHM if the signature algorithm is not supported
- CryptoException.UNINITIALIZED_KEY if the key object is not initialized.
- CryptoException.ILLEGAL_VALUE if the key object is inconsistent with the signature
CertificateException
- with the following reason codes:- CertificateException.INVALID_ENCODING if the certificate encoding is incorrect. It includes the case where the length parameter is not equal to the parsed certificate.
- CertificateException.PARSER_HANDLER_EXCEPTION if an exception has been thrown by a certificate parser handler.
- CertificateException.PARSER_HANDLER_INVALID_KEY if the key returned by
CertificateParser.KeyHandler.onKey(byte, short)
} was not matching the certificate public keytype
,length
orstandard name
.
-
-