package org.bouncycastle.cert.dane;
import java.io.IOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.Arrays;
/**
* Carrier class for a DANE entry.
*/
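public class DANEEntry
{
    /** Certificate usage 0: CA constraint. */
    public static final int CERT_USAGE_CA = 0;
    /** Certificate usage 1: service certificate constraint, PKIX validation required. */
    public static final int CERT_USAGE_PKIX_VALIDATE = 1;
    /** Certificate usage 2: trust anchor assertion. */
    public static final int CERT_USAGE_TRUST_ANCHOR = 2;
    /** Certificate usage 3: domain-issued certificate, accept as-is. */
    public static final int CERT_USAGE_ACCEPT = 3;

    // Offsets of the three flag bytes at the start of the RDATA.
    static final int CERT_USAGE = 0;
    static final int SELECTOR = 1;
    static final int MATCHING_TYPE = 2;

    /** Number of flag bytes that precede the certificate encoding in the RDATA. */
    private static final int FLAGS_LENGTH = 3;

    private final String domainName;
    private final byte[] flags;
    private final X509CertificateHolder certHolder;

    /**
     * Package-private constructor used when the parts are already separated.
     * The flags array is stored as given (not copied); callers in this package
     * are expected not to hold on to it.
     *
     * @param domainName the domain name the entry belongs to.
     * @param flags      the three flag bytes (usage, selector, matching type).
     * @param certHolder the certificate carried by the entry.
     */
    DANEEntry(String domainName, byte[] flags, X509CertificateHolder certHolder)
    {
        this.flags = flags;
        this.domainName = domainName;
        this.certHolder = certHolder;
    }

    /**
     * Create an entry from the raw RDATA of a DNS record: three flag bytes
     * followed by the encoded certificate.
     *
     * @param domainName the domain name the entry belongs to.
     * @param data       the RDATA bytes, flags + certificate encoding.
     * @throws IOException if the data is too short to hold the flags or the
     *                     certificate part cannot be parsed.
     */
    public DANEEntry(String domainName, byte[] data)
        throws IOException
    {
        this(domainName, flagsOf(data), new X509CertificateHolder(Arrays.copyOfRange(data, FLAGS_LENGTH, data.length)));
    }

    /**
     * Extract the flag bytes from RDATA, rejecting input that is too short.
     * Without this check a short record would fail inside the range copy with an
     * unrelated runtime exception rather than the documented IOException.
     */
    private static byte[] flagsOf(byte[] data)
        throws IOException
    {
        if (data == null || data.length < FLAGS_LENGTH)
        {
            throw new IOException("DANE RDATA too short: need at least " + FLAGS_LENGTH + " flag bytes");
        }
        return Arrays.copyOfRange(data, 0, FLAGS_LENGTH);
    }

    /**
     * Return a copy of the three flag bytes (usage, selector, matching type).
     *
     * @return a fresh copy of the flags; modifying it does not affect this entry.
     */
    public byte[] getFlags()
    {
        return Arrays.clone(flags);
    }

    /**
     * Return the certificate associated with this entry.
     *
     * @return the entry's certificate.
     */
    public X509CertificateHolder getCertificate()
    {
        return certHolder;
    }

    /**
     * Return the domain name this entry was created for.
     *
     * @return the domain name.
     */
    public String getDomainName()
    {
        return domainName;
    }

    /**
     * Return the full data string as it would appear in the DNS record - flags + encoding
     *
     * @return byte array representing the full data string.
     * @throws IOException if there is an issue encoding the certificate inside this entry.
     */
    public byte[] getRDATA()
        throws IOException
    {
        byte[] certEnc = certHolder.getEncoded();
        byte[] data = new byte[flags.length + certEnc.length];
        System.arraycopy(flags, 0, data, 0, flags.length);
        System.arraycopy(certEnc, 0, data, flags.length, certEnc.length);
        return data;
    }

    /**
     * Return true if the byte string has the correct flag bytes to indicate a certificate entry:
     * a certificate usage in the range {@link #CERT_USAGE_CA}..{@link #CERT_USAGE_ACCEPT},
     * selector 0 and matching type 0. Input that is null or shorter than the three flag
     * bytes is reported as not valid rather than throwing.
     *
     * @param data the byte string of interest.
     * @return true if flags indicate a valid certificate, false otherwise.
     */
    public static boolean isValidCertificate(byte[] data)
    {
        // TODO: perhaps validate ASN.1 data as well...
        if (data == null || data.length < FLAGS_LENGTH)
        {
            return false;
        }
        // The usage range must be checked with AND: the earlier "(>= 0 || <= 3)" form was
        // satisfied by every byte value, so out-of-range (including negative) usage bytes
        // were accepted as valid.
        int usage = data[CERT_USAGE];
        return usage >= CERT_USAGE_CA && usage <= CERT_USAGE_ACCEPT
            && data[SELECTOR] == 0 && data[MATCHING_TYPE] == 0;
    }
}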