157 lines
6.2 KiB
Java
157 lines
6.2 KiB
Java
/*
|
|
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation. Oracle designates this
|
|
* particular file as subject to the "Classpath" exception as provided
|
|
* by Oracle in the LICENSE file that accompanied this code.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
package sun.security.provider.certpath;
|
|
|
|
import sun.security.util.Debug;
|
|
|
|
import java.util.Collections;
|
|
import java.util.List;
|
|
import java.util.Set;
|
|
import java.util.StringJoiner;
|
|
import java.security.cert.CertPath;
|
|
import java.security.cert.CertPathValidatorException;
|
|
import java.security.cert.PKIXCertPathChecker;
|
|
import java.security.cert.PKIXReason;
|
|
import java.security.cert.X509Certificate;
|
|
|
|
/**
|
|
* This class is initialized with a list of <code>PKIXCertPathChecker</code>s
|
|
* and is used to verify the certificates in a <code>CertPath</code> by
|
|
* feeding each certificate to each <code>PKIXCertPathChecker</code>.
|
|
*
|
|
* @since 1.4
|
|
* @author Yassir Elley
|
|
*/
|
|
class PKIXMasterCertPathValidator {
|
|
|
|
private static final Debug debug = Debug.getInstance("certpath");
|
|
|
|
/**
|
|
* Validates a certification path consisting exclusively of
|
|
* <code>X509Certificate</code>s using the specified
|
|
* <code>PKIXCertPathChecker</code>s. It is assumed that the
|
|
* <code>PKIXCertPathChecker</code>s
|
|
* have been initialized with any input parameters they may need.
|
|
*
|
|
* @param cpOriginal the original X509 CertPath passed in by the user
|
|
* @param reversedCertList the reversed X509 CertPath (as a List)
|
|
* @param certPathCheckers the PKIXCertPathCheckers
|
|
* @throws CertPathValidatorException if cert path does not validate
|
|
*/
|
|
static void validate(CertPath cpOriginal,
|
|
List<X509Certificate> reversedCertList,
|
|
List<PKIXCertPathChecker> certPathCheckers)
|
|
throws CertPathValidatorException
|
|
{
|
|
// we actually process reversedCertList, but we keep cpOriginal because
|
|
// we need to return the original certPath when we throw an exception.
|
|
// we will also need to modify the index appropriately when we
|
|
// throw an exception.
|
|
|
|
int cpSize = reversedCertList.size();
|
|
|
|
if (debug != null) {
|
|
debug.println("--------------------------------------------------"
|
|
+ "------------");
|
|
debug.println("Executing PKIX certification path validation "
|
|
+ "algorithm.");
|
|
}
|
|
|
|
for (int i = 0; i < cpSize; i++) {
|
|
|
|
/* The basic loop algorithm is that we get the
|
|
* current certificate, we verify the current certificate using
|
|
* information from the previous certificate and from the state,
|
|
* and we modify the state for the next loop by setting the
|
|
* current certificate of this loop to be the previous certificate
|
|
* of the next loop. The state is initialized during first loop.
|
|
*/
|
|
X509Certificate currCert = reversedCertList.get(i);
|
|
|
|
if (debug != null) {
|
|
debug.println("Checking cert" + (i+1) + " - Subject: " +
|
|
currCert.getSubjectX500Principal());
|
|
}
|
|
|
|
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
|
|
if (unresCritExts == null) {
|
|
unresCritExts = Collections.<String>emptySet();
|
|
}
|
|
|
|
if (debug != null && !unresCritExts.isEmpty()) {
|
|
StringJoiner joiner = new StringJoiner(", ", "{", "}");
|
|
for (String oid : unresCritExts) {
|
|
joiner.add(oid);
|
|
}
|
|
debug.println("Set of critical extensions: " +
|
|
joiner.toString());
|
|
}
|
|
|
|
for (int j = 0; j < certPathCheckers.size(); j++) {
|
|
|
|
PKIXCertPathChecker currChecker = certPathCheckers.get(j);
|
|
if (debug != null) {
|
|
debug.println("-Using checker" + (j + 1) + " ... [" +
|
|
currChecker.getClass().getName() + "]");
|
|
}
|
|
|
|
if (i == 0)
|
|
currChecker.init(false);
|
|
|
|
try {
|
|
currChecker.check(currCert, unresCritExts);
|
|
|
|
if (debug != null) {
|
|
debug.println("-checker" + (j + 1) +
|
|
" validation succeeded");
|
|
}
|
|
|
|
} catch (CertPathValidatorException cpve) {
|
|
throw new CertPathValidatorException(cpve.getMessage(),
|
|
(cpve.getCause() != null) ? cpve.getCause() : cpve,
|
|
cpOriginal, cpSize - (i + 1), cpve.getReason());
|
|
}
|
|
}
|
|
|
|
if (!unresCritExts.isEmpty()) {
|
|
throw new CertPathValidatorException("unrecognized " +
|
|
"critical extension(s)", null, cpOriginal, cpSize-(i+1),
|
|
PKIXReason.UNRECOGNIZED_CRIT_EXT);
|
|
}
|
|
|
|
if (debug != null)
|
|
debug.println("\ncert" + (i+1) + " validation succeeded.\n");
|
|
}
|
|
|
|
if (debug != null) {
|
|
debug.println("Cert path validation succeeded. (PKIX validation "
|
|
+ "algorithm)");
|
|
debug.println("-------------------------------------------------"
|
|
+ "-------------");
|
|
}
|
|
}
|
|
}
|