1   /*
2    * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.  Oracle designates this
8    * particular file as subject to the "Classpath" exception as provided
9    * by Oracle in the LICENSE file that accompanied this code.
10   *
11   * This code is distributed in the hope that it will be useful, but WITHOUT
12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14   * version 2 for more details (a copy is included in the LICENSE file that
15   * accompanied this code).
16   *
17   * You should have received a copy of the GNU General Public License version
18   * 2 along with this work; if not, write to the Free Software Foundation,
19   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20   *
21   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22   * or visit www.oracle.com if you need additional information or have any
23   * questions.
24   */
25  
26  package sun.security.pkcs;
27  
28  import java.io.IOException;
29  import java.io.OutputStream;
30  import java.security.cert.CertificateException;
31  import java.util.Locale;
32  import java.util.Date;
33  import java.util.Hashtable;
34  import sun.security.x509.CertificateExtensions;
35  import sun.security.util.Debug;
36  import sun.security.util.DerEncoder;
37  import sun.security.util.DerValue;
38  import sun.security.util.DerInputStream;
39  import sun.security.util.DerOutputStream;
40  import sun.security.util.ObjectIdentifier;
41  import sun.misc.HexDumpEncoder;
42  
43  /**
44   * Class supporting any PKCS9 attributes.
45   * Supports DER decoding and access to attribute values, but not
46   * DER encoding or setting of values.
47   *
48   * <a name="classTable"><h3>Type/Class Table</h3></a>
49   * The following table shows the correspondence between
50   * PKCS9 attribute types and value component classes.
51   *
52   * <P>
53   * <TABLE BORDER CELLPADDING=8 ALIGN=CENTER>
54   *
55   * <TR>
56   * <TH>Object Identifier</TH>
57   * <TH>Attribute Name</TH>
58   * <TH>Type</TH>
59   * <TH>Value Class</TH>
60   * </TR>
61   *
62   * <TR>
63   * <TD>1.2.840.113549.1.9.1</TD>
64   * <TD>EmailAddress</TD>
65   * <TD>Multi-valued</TD>
66   * <TD><code>String[]</code></TD>
67   * </TR>
68   *
69   * <TR>
70   * <TD>1.2.840.113549.1.9.2</TD>
71   * <TD>UnstructuredName</TD>
72   * <TD>Multi-valued</TD>
73   * <TD><code>String[]</code></TD>
74   * </TR>
75   *
76   * <TR>
77   * <TD>1.2.840.113549.1.9.3</TD>
78   * <TD>ContentType</TD>
79   * <TD>Single-valued</TD>
80   * <TD><code>ObjectIdentifier</code></TD>
81   * </TR>
82   *
83   * <TR>
84   * <TD>1.2.840.113549.1.9.4</TD>
85   * <TD>MessageDigest</TD>
86   * <TD>Single-valued</TD>
87   * <TD><code>byte[]</code></TD>
88   * </TR>
89   *
90   * <TR>
91   * <TD>1.2.840.113549.1.9.5</TD>
92   * <TD>SigningTime</TD>
93   * <TD>Single-valued</TD>
94   * <TD><code>Date</code></TD>
95   * </TR>
96   *
97   * <TR>
98   * <TD>1.2.840.113549.1.9.6</TD>
99   * <TD>Countersignature</TD>
100  * <TD>Multi-valued</TD>
101  * <TD><code>SignerInfo[]</code></TD>
102  * </TR>
103  *
104  * <TR>
105  * <TD>1.2.840.113549.1.9.7</TD>
106  * <TD>ChallengePassword</TD>
107  * <TD>Single-valued</TD>
108  * <TD><code>String</code></TD>
109  * </TR>
110  *
111  * <TR>
112  * <TD>1.2.840.113549.1.9.8</TD>
113  * <TD>UnstructuredAddress</TD>
114  * <TD>Single-valued</TD>
115  * <TD><code>String</code></TD>
116  * </TR>
117  *
118  * <TR>
119  * <TD>1.2.840.113549.1.9.9</TD>
120  * <TD>ExtendedCertificateAttributes</TD>
121  * <TD>Multi-valued</TD>
122  * <TD>(not supported)</TD>
123  * </TR>
124  *
125  * <TR>
126  * <TD>1.2.840.113549.1.9.10</TD>
127  * <TD>IssuerAndSerialNumber</TD>
128  * <TD>Single-valued</TD>
129  * <TD>(not supported)</TD>
130  * </TR>
131  *
132  * <TR>
133  * <TD>1.2.840.113549.1.9.{11,12}</TD>
134  * <TD>RSA DSI proprietary</TD>
135  * <TD>Single-valued</TD>
136  * <TD>(not supported)</TD>
137  * </TR>
138  *
139  * <TR>
140  * <TD>1.2.840.113549.1.9.13</TD>
141  * <TD>S/MIME unused assignment</TD>
142  * <TD>Single-valued</TD>
143  * <TD>(not supported)</TD>
144  * </TR>
145  *
146  * <TR>
147  * <TD>1.2.840.113549.1.9.14</TD>
148  * <TD>ExtensionRequest</TD>
149  * <TD>Single-valued</TD>
150  * <TD>CertificateExtensions</TD>
151  * </TR>
152  *
153  * <TR>
154  * <TD>1.2.840.113549.1.9.15</TD>
155  * <TD>SMIMECapability</TD>
156  * <TD>Single-valued</TD>
157  * <TD>(not supported)</TD>
158  * </TR>
159  *
160  * <TR>
161  * <TD>1.2.840.113549.1.9.16.2.12</TD>
162  * <TD>SigningCertificate</TD>
163  * <TD>Single-valued</TD>
164  * <TD>SigningCertificateInfo</TD>
165  * </TR>
166  *
167  * <TR>
168  * <TD>1.2.840.113549.1.9.16.2.14</TD>
169  * <TD>SignatureTimestampToken</TD>
170  * <TD>Single-valued</TD>
171  * <TD>byte[]</TD>
172  * </TR>
173  *
174  * </TABLE>
175  *
176  * @author Douglas Hoover
177  */
178 public class PKCS9Attribute implements DerEncoder {
179 
180     /* Are we debugging ? */
181     private static final Debug debug = Debug.getInstance("jar");
182 
183     /**
184      * Array of attribute OIDs defined in PKCS9, by number.
185      */
186     static final ObjectIdentifier[] PKCS9_OIDS = new ObjectIdentifier[18];
187 
188     static {   // static initializer for PKCS9_OIDS
189         for (int i = 1; i < PKCS9_OIDS.length - 2; i++) {
190             PKCS9_OIDS[i] =
191                 ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,i});
192         }
193         // Initialize SigningCertificate and SignatureTimestampToken
194         // separately (because their values are out of sequence)
195         PKCS9_OIDS[PKCS9_OIDS.length - 2] =
196             ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,12});
197         PKCS9_OIDS[PKCS9_OIDS.length - 1] =
198             ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,14});
199     }
200 
201     // first element [0] not used
202     public static final ObjectIdentifier EMAIL_ADDRESS_OID = PKCS9_OIDS[1];
203     public static final ObjectIdentifier UNSTRUCTURED_NAME_OID = PKCS9_OIDS[2];
204     public static final ObjectIdentifier CONTENT_TYPE_OID = PKCS9_OIDS[3];
205     public static final ObjectIdentifier MESSAGE_DIGEST_OID = PKCS9_OIDS[4];
206     public static final ObjectIdentifier SIGNING_TIME_OID = PKCS9_OIDS[5];
207     public static final ObjectIdentifier COUNTERSIGNATURE_OID = PKCS9_OIDS[6];
208     public static final ObjectIdentifier CHALLENGE_PASSWORD_OID = PKCS9_OIDS[7];
209     public static final ObjectIdentifier UNSTRUCTURED_ADDRESS_OID = PKCS9_OIDS[8];
210     public static final ObjectIdentifier EXTENDED_CERTIFICATE_ATTRIBUTES_OID
211                                          = PKCS9_OIDS[9];
212     public static final ObjectIdentifier ISSUER_SERIALNUMBER_OID = PKCS9_OIDS[10];
213     // [11], [12] are RSA DSI proprietary
214     // [13] ==> signingDescription, S/MIME, not used anymore
215     public static final ObjectIdentifier EXTENSION_REQUEST_OID = PKCS9_OIDS[14];
216     public static final ObjectIdentifier SMIME_CAPABILITY_OID = PKCS9_OIDS[15];
217     public static final ObjectIdentifier SIGNING_CERTIFICATE_OID = PKCS9_OIDS[16];
218     public static final ObjectIdentifier SIGNATURE_TIMESTAMP_TOKEN_OID =
219                                 PKCS9_OIDS[17];
220     public static final String EMAIL_ADDRESS_STR = "EmailAddress";
221     public static final String UNSTRUCTURED_NAME_STR = "UnstructuredName";
222     public static final String CONTENT_TYPE_STR = "ContentType";
223     public static final String MESSAGE_DIGEST_STR = "MessageDigest";
224     public static final String SIGNING_TIME_STR = "SigningTime";
225     public static final String COUNTERSIGNATURE_STR = "Countersignature";
226     public static final String CHALLENGE_PASSWORD_STR = "ChallengePassword";
227     public static final String UNSTRUCTURED_ADDRESS_STR = "UnstructuredAddress";
228     public static final String EXTENDED_CERTIFICATE_ATTRIBUTES_STR =
229                                "ExtendedCertificateAttributes";
230     public static final String ISSUER_SERIALNUMBER_STR = "IssuerAndSerialNumber";
231     // [11], [12] are RSA DSI proprietary
232     private static final String RSA_PROPRIETARY_STR = "RSAProprietary";
233     // [13] ==> signingDescription, S/MIME, not used anymore
234     private static final String SMIME_SIGNING_DESC_STR = "SMIMESigningDesc";
235     public static final String EXTENSION_REQUEST_STR = "ExtensionRequest";
236     public static final String SMIME_CAPABILITY_STR = "SMIMECapability";
237     public static final String SIGNING_CERTIFICATE_STR = "SigningCertificate";
238     public static final String SIGNATURE_TIMESTAMP_TOKEN_STR =
239                                 "SignatureTimestampToken";
240 
241     /**
242      * Hashtable mapping names and variant names of supported
243      * attributes to their OIDs. This table contains all name forms
244      * that occur in PKCS9, in lower case.
245      */
246     private static final Hashtable<String, ObjectIdentifier> NAME_OID_TABLE =
247         new Hashtable<String, ObjectIdentifier>(18);
248 
249     static { // static initializer for PCKS9_NAMES
250         NAME_OID_TABLE.put("emailaddress", PKCS9_OIDS[1]);
251         NAME_OID_TABLE.put("unstructuredname", PKCS9_OIDS[2]);
252         NAME_OID_TABLE.put("contenttype", PKCS9_OIDS[3]);
253         NAME_OID_TABLE.put("messagedigest", PKCS9_OIDS[4]);
254         NAME_OID_TABLE.put("signingtime", PKCS9_OIDS[5]);
255         NAME_OID_TABLE.put("countersignature", PKCS9_OIDS[6]);
256         NAME_OID_TABLE.put("challengepassword", PKCS9_OIDS[7]);
257         NAME_OID_TABLE.put("unstructuredaddress", PKCS9_OIDS[8]);
258         NAME_OID_TABLE.put("extendedcertificateattributes", PKCS9_OIDS[9]);
259         NAME_OID_TABLE.put("issuerandserialnumber", PKCS9_OIDS[10]);
260         NAME_OID_TABLE.put("rsaproprietary", PKCS9_OIDS[11]);
261         NAME_OID_TABLE.put("rsaproprietary", PKCS9_OIDS[12]);
262         NAME_OID_TABLE.put("signingdescription", PKCS9_OIDS[13]);
263         NAME_OID_TABLE.put("extensionrequest", PKCS9_OIDS[14]);
264         NAME_OID_TABLE.put("smimecapability", PKCS9_OIDS[15]);
265         NAME_OID_TABLE.put("signingcertificate", PKCS9_OIDS[16]);
266         NAME_OID_TABLE.put("signaturetimestamptoken", PKCS9_OIDS[17]);
267     };
268 
269     /**
270      * Hashtable mapping attribute OIDs defined in PKCS9 to the
271      * corresponding attribute value type.
272      */
273     private static final Hashtable<ObjectIdentifier, String> OID_NAME_TABLE =
274         new Hashtable<ObjectIdentifier, String>(16);
275     static {
276         OID_NAME_TABLE.put(PKCS9_OIDS[1], EMAIL_ADDRESS_STR);
277         OID_NAME_TABLE.put(PKCS9_OIDS[2], UNSTRUCTURED_NAME_STR);
278         OID_NAME_TABLE.put(PKCS9_OIDS[3], CONTENT_TYPE_STR);
279         OID_NAME_TABLE.put(PKCS9_OIDS[4], MESSAGE_DIGEST_STR);
280         OID_NAME_TABLE.put(PKCS9_OIDS[5], SIGNING_TIME_STR);
281         OID_NAME_TABLE.put(PKCS9_OIDS[6], COUNTERSIGNATURE_STR);
282         OID_NAME_TABLE.put(PKCS9_OIDS[7], CHALLENGE_PASSWORD_STR);
283         OID_NAME_TABLE.put(PKCS9_OIDS[8], UNSTRUCTURED_ADDRESS_STR);
284         OID_NAME_TABLE.put(PKCS9_OIDS[9], EXTENDED_CERTIFICATE_ATTRIBUTES_STR);
285         OID_NAME_TABLE.put(PKCS9_OIDS[10], ISSUER_SERIALNUMBER_STR);
286         OID_NAME_TABLE.put(PKCS9_OIDS[11], RSA_PROPRIETARY_STR);
287         OID_NAME_TABLE.put(PKCS9_OIDS[12], RSA_PROPRIETARY_STR);
288         OID_NAME_TABLE.put(PKCS9_OIDS[13], SMIME_SIGNING_DESC_STR);
289         OID_NAME_TABLE.put(PKCS9_OIDS[14], EXTENSION_REQUEST_STR);
290         OID_NAME_TABLE.put(PKCS9_OIDS[15], SMIME_CAPABILITY_STR);
291         OID_NAME_TABLE.put(PKCS9_OIDS[16], SIGNING_CERTIFICATE_STR);
292         OID_NAME_TABLE.put(PKCS9_OIDS[17], SIGNATURE_TIMESTAMP_TOKEN_STR);
293     }
294 
295     /**
296      * Acceptable ASN.1 tags for DER encodings of values of PKCS9
297      * attributes, by index in <code>PKCS9_OIDS</code>.
298      * Sets of acceptable tags are represented as arrays.
299      */
300     private static final Byte[][] PKCS9_VALUE_TAGS = {
301         null,
302         {new Byte(DerValue.tag_IA5String)},   // EMailAddress
303         {new Byte(DerValue.tag_IA5String)},   // UnstructuredName
304         {new Byte(DerValue.tag_ObjectId)},    // ContentType
305         {new Byte(DerValue.tag_OctetString)}, // MessageDigest
306         {new Byte(DerValue.tag_UtcTime)},     // SigningTime
307         {new Byte(DerValue.tag_Sequence)},    // Countersignature
308         {new Byte(DerValue.tag_PrintableString),
309          new Byte(DerValue.tag_T61String)},   // ChallengePassword
310         {new Byte(DerValue.tag_PrintableString),
311          new Byte(DerValue.tag_T61String)},   // UnstructuredAddress
312         {new Byte(DerValue.tag_SetOf)},       // ExtendedCertificateAttributes
313         {new Byte(DerValue.tag_Sequence)},    // issuerAndSerialNumber
314         null,
315         null,
316         null,
317         {new Byte(DerValue.tag_Sequence)},    // extensionRequest
318         {new Byte(DerValue.tag_Sequence)},    // SMIMECapability
319         {new Byte(DerValue.tag_Sequence)},    // SigningCertificate
320         {new Byte(DerValue.tag_Sequence)}     // SignatureTimestampToken
321     };
322 
323     private static final Class[] VALUE_CLASSES = new Class[18];
324 
325     static {
326         try {
327             Class str = Class.forName("[Ljava.lang.String;");
328 
329             VALUE_CLASSES[0] = null;  // not used
330             VALUE_CLASSES[1] = str;   // EMailAddress
331             VALUE_CLASSES[2] = str;   // UnstructuredName
332             VALUE_CLASSES[3] =        // ContentType
333                 Class.forName("sun.security.util.ObjectIdentifier");
334             VALUE_CLASSES[4] = Class.forName("[B"); // MessageDigest (byte[])
335             VALUE_CLASSES[5] = Class.forName("java.util.Date"); // SigningTime
336             VALUE_CLASSES[6] =        // Countersignature
337                 Class.forName("[Lsun.security.pkcs.SignerInfo;");
338             VALUE_CLASSES[7] =        // ChallengePassword
339                 Class.forName("java.lang.String");
340             VALUE_CLASSES[8] = str;   // UnstructuredAddress
341             VALUE_CLASSES[9] = null;  // ExtendedCertificateAttributes
342             VALUE_CLASSES[10] = null;  // IssuerAndSerialNumber
343             VALUE_CLASSES[11] = null;  // not used
344             VALUE_CLASSES[12] = null;  // not used
345             VALUE_CLASSES[13] = null;  // not used
346             VALUE_CLASSES[14] =        // ExtensionRequest
347                 Class.forName("sun.security.x509.CertificateExtensions");
348             VALUE_CLASSES[15] = null;  // not supported yet
349             VALUE_CLASSES[16] = null;  // not supported yet
350             VALUE_CLASSES[17] = Class.forName("[B");  // SignatureTimestampToken
351         } catch (ClassNotFoundException e) {
352             throw new ExceptionInInitializerError(e.toString());
353         }
354     }
355 
356     /**
357      * Array indicating which PKCS9 attributes are single-valued,
358      * by index in <code>PKCS9_OIDS</code>.
359      */
360     private static final boolean[] SINGLE_VALUED = {
361       false,
362       false,   // EMailAddress
363       false,   // UnstructuredName
364       true,    // ContentType
365       true,    // MessageDigest
366       true,    // SigningTime
367       false,   // Countersignature
368       true,    // ChallengePassword
369       false,   // UnstructuredAddress
370       false,   // ExtendedCertificateAttributes
371       true,    // IssuerAndSerialNumber - not supported yet
372       false,   // not used
373       false,   // not used
374       false,   // not used
375       true,    // ExtensionRequest
376       true,    // SMIMECapability - not supported yet
377       true,    // SigningCertificate
378       true     // SignatureTimestampToken
379     };
380 
381     /**
382      * The OID of this attribute is <code>PKCS9_OIDS[index]</code>.
383      */
384     private int index;
385 
386     /**
387      * Value set of this attribute.  Its class is given by
388      * <code>VALUE_CLASSES[index]</code>.
389      */
390     private Object value;
391 
392     /**
393      * Construct an attribute object from the attribute's OID and
394      * value.  If the attribute is single-valued, provide only one
395      * value.  If the attribute is multi-valued, provide an array
396      * containing all the values.
397      * Arrays of length zero are accepted, though probably useless.
398      *
399      * <P> The
400      * <a href=#classTable>table</a> gives the class that <code>value</code>
401      * must have for a given attribute.
402      *
403      */
404     public PKCS9Attribute(ObjectIdentifier oid, Object value)
405     throws IllegalArgumentException {
406         init(oid, value);
407     }
408 
409     /**
410      * Construct an attribute object from the attribute's name and
411      * value.  If the attribute is single-valued, provide only one
412      * value.  If the attribute is multi-valued, provide an array
413      * containing all the values.
414      * Arrays of length zero are accepted, though probably useless.
415      *
416      * <P> The
417      * <a href=#classTable>table</a> gives the class that <code>value</code>
418      * must have for a given attribute. Reasonable variants of these
419      * attributes are accepted; in particular, case does not matter.
420      *
421      * @exception IllegalArgumentException
422      * if the <code>name</code> is not recognized of the
423      * <code>value</code> has the wrong type.
424      */
425     public PKCS9Attribute(String name, Object value)
426     throws IllegalArgumentException {
427         ObjectIdentifier oid = getOID(name);
428 
429         if (oid == null)
430             throw new IllegalArgumentException(
431                        "Unrecognized attribute name " + name +
432                        " constructing PKCS9Attribute.");
433 
434         init(oid, value);
435     }
436 
437     private void init(ObjectIdentifier oid, Object value)
438         throws IllegalArgumentException {
439 
440         index = indexOf(oid, PKCS9_OIDS, 1);
441 
442         if (index == -1)
443             throw new IllegalArgumentException(
444                        "Unsupported OID " + oid +
445                        " constructing PKCS9Attribute.");
446 
447         if (!VALUE_CLASSES[index].isInstance(value))
448                 throw new IllegalArgumentException(
449                            "Wrong value class " +
450                            " for attribute " + oid +
451                            " constructing PKCS9Attribute; was " +
452                            value.getClass().toString() + ", should be " +
453                            VALUE_CLASSES[index].toString());
454 
455         this.value = value;
456     }
457 
458 
459     /**
460      * Construct a PKCS9Attribute from its encoding on an input
461      * stream.
462      *
463      * @param val the DerValue representing the DER encoding of the attribute.
464      * @exception IOException on parsing error.
465      */
466     public PKCS9Attribute(DerValue derVal) throws IOException {
467 
468         DerInputStream derIn = new DerInputStream(derVal.toByteArray());
469         DerValue[] val =  derIn.getSequence(2);
470 
471         if (derIn.available() != 0)
472             throw new IOException("Excess data parsing PKCS9Attribute");
473 
474         if (val.length != 2)
475             throw new IOException("PKCS9Attribute doesn't have two components");
476 
477         // get the oid
478         ObjectIdentifier oid = val[0].getOID();
479         index = indexOf(oid, PKCS9_OIDS, 1);
480         if (index == -1) {
481             if (debug != null) {
482                 debug.println("ignoring unsupported signer attribute: " + oid);
483             }
484             throw new ParsingException("Unsupported PKCS9 attribute: " + oid);
485         }
486 
487         DerValue[] elems = new DerInputStream(val[1].toByteArray()).getSet(1);
488         // check single valued have only one value
489         if (SINGLE_VALUED[index] && elems.length > 1)
490             throwSingleValuedException();
491 
492         // check for illegal element tags
493         Byte tag;
494         for (int i=0; i < elems.length; i++) {
495             tag = new Byte(elems[i].tag);
496 
497             if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
498                 throwTagException(tag);
499         }
500 
501         switch (index) {
502         case 1:     // email address
503         case 2:     // unstructured name
504         case 8:     // unstructured address
505             { // open scope
506                 String[] values = new String[elems.length];
507 
508                 for (int i=0; i < elems.length; i++)
509                     values[i] = elems[i].getAsString();
510                 value = values;
511             } // close scope
512             break;
513 
514         case 3:     // content type
515             value = elems[0].getOID();
516             break;
517 
518         case 4:     // message digest
519             value = elems[0].getOctetString();
520             break;
521 
522         case 5:     // signing time
523             value = (new DerInputStream(elems[0].toByteArray())).getUTCTime();
524             break;
525 
526         case 6:     // countersignature
527             { // open scope
528                 SignerInfo[] values = new SignerInfo[elems.length];
529                 for (int i=0; i < elems.length; i++)
530                     values[i] =
531                         new SignerInfo(elems[i].toDerInputStream());
532                 value = values;
533             } // close scope
534             break;
535 
536         case 7:     // challenge password
537             value = elems[0].getAsString();
538             break;
539 
540         case 9:     // extended-certificate attribute -- not supported
541             throw new IOException("PKCS9 extended-certificate " +
542                                   "attribute not supported.");
543             // break unnecessary
544         case 10:    // issuerAndserialNumber attribute -- not supported
545             throw new IOException("PKCS9 IssuerAndSerialNumber" +
546                                   "attribute not supported.");
547             // break unnecessary
548         case 11:    // RSA DSI proprietary
549         case 12:    // RSA DSI proprietary
550             throw new IOException("PKCS9 RSA DSI attributes" +
551                                   "11 and 12, not supported.");
552             // break unnecessary
553         case 13:    // S/MIME unused attribute
554             throw new IOException("PKCS9 attribute #13 not supported.");
555             // break unnecessary
556 
557         case 14:     // ExtensionRequest
558             value = new CertificateExtensions(
559                        new DerInputStream(elems[0].toByteArray()));
560             break;
561 
562         case 15:     // SMIME-capability attribute -- not supported
563             throw new IOException("PKCS9 SMIMECapability " +
564                                   "attribute not supported.");
565             // break unnecessary
566         case 16:     // SigningCertificate attribute
567             value = new SigningCertificateInfo(elems[0].toByteArray());
568             break;
569 
570         case 17:     // SignatureTimestampToken attribute
571             value = elems[0].toByteArray();
572             break;
573         default: // can't happen
574         }
575     }
576 
577     /**
578      * Write the DER encoding of this attribute to an output stream.
579      *
580      * <P> N.B.: This method always encodes values of
581      * ChallengePassword and UnstructuredAddress attributes as ASN.1
582      * <code>PrintableString</code>s, without checking whether they
583      * should be encoded as <code>T61String</code>s.
584      */
585     public void derEncode(OutputStream out) throws IOException {
586         DerOutputStream temp = new DerOutputStream();
587         temp.putOID(getOID());
588         switch (index) {
589         case 1:     // email address
590         case 2:     // unstructured name
591             { // open scope
592                 String[] values = (String[]) value;
593                 DerOutputStream[] temps = new
594                     DerOutputStream[values.length];
595 
596                 for (int i=0; i < values.length; i++) {
597                     temps[i] = new DerOutputStream();
598                     temps[i].putIA5String( values[i]);
599                 }
600                 temp.putOrderedSetOf(DerValue.tag_Set, temps);
601             } // close scope
602             break;
603 
604         case 3:     // content type
605             {
606                 DerOutputStream temp2 = new DerOutputStream();
607                 temp2.putOID((ObjectIdentifier) value);
608                 temp.write(DerValue.tag_Set, temp2.toByteArray());
609             }
610             break;
611 
612         case 4:     // message digest
613             {
614                 DerOutputStream temp2 = new DerOutputStream();
615                 temp2.putOctetString((byte[]) value);
616                 temp.write(DerValue.tag_Set, temp2.toByteArray());
617             }
618             break;
619 
620         case 5:     // signing time
621             {
622                 DerOutputStream temp2 = new DerOutputStream();
623                 temp2.putUTCTime((Date) value);
624                 temp.write(DerValue.tag_Set, temp2.toByteArray());
625             }
626             break;
627 
628         case 6:     // countersignature
629             temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
630             break;
631 
632         case 7:     // challenge password
633             {
634                 DerOutputStream temp2 = new DerOutputStream();
635                 temp2.putPrintableString((String) value);
636                 temp.write(DerValue.tag_Set, temp2.toByteArray());
637             }
638             break;
639 
640         case 8:     // unstructured address
641             { // open scope
642                 String[] values = (String[]) value;
643                 DerOutputStream[] temps = new
644                     DerOutputStream[values.length];
645 
646                 for (int i=0; i < values.length; i++) {
647                     temps[i] = new DerOutputStream();
648                     temps[i].putPrintableString(values[i]);
649                 }
650                 temp.putOrderedSetOf(DerValue.tag_Set, temps);
651             } // close scope
652             break;
653 
654         case 9:     // extended-certificate attribute -- not supported
655             throw new IOException("PKCS9 extended-certificate " +
656                                   "attribute not supported.");
657             // break unnecessary
658         case 10:    // issuerAndserialNumber attribute -- not supported
659             throw new IOException("PKCS9 IssuerAndSerialNumber" +
660                                   "attribute not supported.");
661             // break unnecessary
662         case 11:    // RSA DSI proprietary
663         case 12:    // RSA DSI proprietary
664             throw new IOException("PKCS9 RSA DSI attributes" +
665                                   "11 and 12, not supported.");
666             // break unnecessary
667         case 13:    // S/MIME unused attribute
668             throw new IOException("PKCS9 attribute #13 not supported.");
669             // break unnecessary
670 
671         case 14:     // ExtensionRequest
672             {
673                 DerOutputStream temp2 = new DerOutputStream();
674                 CertificateExtensions exts = (CertificateExtensions)value;
675                 try {
676                     exts.encode(temp2, true);
677                 } catch (CertificateException ex) {
678                     throw new IOException(ex.toString());
679                 }
680                 temp.write(DerValue.tag_Set, temp2.toByteArray());
681             }
682             break;
683         case 15:    // SMIMECapability
684             throw new IOException("PKCS9 attribute #15 not supported.");
685             // break unnecessary
686 
687         case 16:    // SigningCertificate
688             throw new IOException(
689                 "PKCS9 SigningCertificate attribute not supported.");
690             // break unnecessary
691 
692         case 17:    // SignatureTimestampToken
693             temp.write(DerValue.tag_Set, (byte[])value);
694             break;
695 
696         default: // can't happen
697         }
698 
699         DerOutputStream derOut = new DerOutputStream();
700         derOut.write(DerValue.tag_Sequence, temp.toByteArray());
701 
702         out.write(derOut.toByteArray());
703 
704     }
705 
706     /**
707      * Get the value of this attribute.  If the attribute is
708      * single-valued, return just the one value.  If the attribute is
709      * multi-valued, return an array containing all the values.
710      * It is possible for this array to be of length 0.
711      *
712      * <P> The
713      * <a href=#classTable>table</a> gives the class of the value returned,
714      * depending on the type of this attribute.
715      */
716     public Object getValue() {
717         return value;
718     }
719 
720     /**
721      * Show whether this attribute is single-valued.
722      */
723     public boolean isSingleValued() {
724         return SINGLE_VALUED[index];
725     }
726 
727     /**
728      *  Return the OID of this attribute.
729      */
730     public ObjectIdentifier getOID() {
731         return PKCS9_OIDS[index];
732     }
733 
734     /**
735      *  Return the name of this attribute.
736      */
737     public String getName() {
738         return OID_NAME_TABLE.get(PKCS9_OIDS[index]);
739     }
740 
741     /**
742      * Return the OID for a given attribute name or null if we don't recognize
743      * the name.
744      */
745     public static ObjectIdentifier getOID(String name) {
746         return NAME_OID_TABLE.get(name.toLowerCase(Locale.ENGLISH));
747     }
748 
749     /**
750      * Return the attribute name for a given OID or null if we don't recognize
751      * the oid.
752      */
753     public static String getName(ObjectIdentifier oid) {
754         return OID_NAME_TABLE.get(oid);
755     }
756 
757     /**
758      * Returns a string representation of this attribute.
759      */
760     public String toString() {
761         StringBuffer buf = new StringBuffer(100);
762 
763         buf.append("[");
764 
765         buf.append(OID_NAME_TABLE.get(PKCS9_OIDS[index]));
766         buf.append(": ");
767 
768         if (SINGLE_VALUED[index]) {
769             if (value instanceof byte[]) { // special case for octet string
770                 HexDumpEncoder hexDump = new HexDumpEncoder();
771                 buf.append(hexDump.encodeBuffer((byte[]) value));
772             } else {
773                 buf.append(value.toString());
774             }
775             buf.append("]");
776             return buf.toString();
777         } else { // multi-valued
778             boolean first = true;
779             Object[] values = (Object[]) value;
780 
781             for (int j=0; j < values.length; j++) {
782                 if (first)
783                     first = false;
784                 else
785                     buf.append(", ");
786 
787                 buf.append(values[j].toString());
788             }
789             return buf.toString();
790         }
791     }
792 
793     /**
794      * Beginning the search at <code>start</code>, find the first
795      * index <code>i</code> such that <code>a[i] = obj</code>.
796      *
797      * @return the index, if found, and -1 otherwise.
798      */
799     static int indexOf(Object obj, Object[] a, int start) {
800         for (int i=start; i < a.length; i++) {
801             if (obj.equals(a[i])) return i;
802         }
803         return -1;
804     }
805 
806     /**
807      * Throw an exception when there are multiple values for
808      * a single-valued attribute.
809      */
810     private void throwSingleValuedException() throws IOException {
811         throw new IOException("Single-value attribute " +
812                               getOID() + " (" + getName() + ")" +
813                               " has multiple values.");
814     }
815 
816     /**
817      * Throw an exception when the tag on a value encoding is
818      * wrong for the attribute whose value it is.
819      */
820     private void throwTagException(Byte tag)
821     throws IOException {
822         Byte[] expectedTags = PKCS9_VALUE_TAGS[index];
823         StringBuffer msg = new StringBuffer(100);
824         msg.append("Value of attribute ");
825         msg.append(getOID().toString());
826         msg.append(" (");
827         msg.append(getName());
828         msg.append(") has wrong tag: ");
829         msg.append(tag.toString());
830         msg.append(".  Expected tags: ");
831 
832         msg.append(expectedTags[0].toString());
833 
834         for (int i = 1; i < expectedTags.length; i++) {
835             msg.append(", ");
836             msg.append(expectedTags[i].toString());
837         }
838         msg.append(".");
839         throw new IOException(msg.toString());
840     }
841 }