pkixcertpathvalidatorspi.java

package org.bouncycastle.jce.provider;import java.io.ByteArrayInputStream;import java.io.ByteArrayOutputStream;import java.io.IOException;import java.math.BigInteger;import java.security.GeneralSecurityException;import java.security.InvalidAlgorithmParameterException;import java.security.PublicKey;import java.security.cert.CRL;import java.security.cert.CertPath;import java.security.cert.CertPathParameters;import java.security.cert.CertPathValidatorException;import java.security.cert.CertPathValidatorResult;import java.security.cert.CertPathValidatorSpi;import java.security.cert.CertSelector;import java.security.cert.CertStore;import java.security.cert.CertStoreException;import java.security.cert.CertificateExpiredException;import java.security.cert.CertificateNotYetValidException;import java.security.cert.PKIXCertPathChecker;import java.security.cert.PKIXCertPathValidatorResult;import java.security.cert.PKIXParameters;import java.security.cert.PolicyQualifierInfo;import java.security.cert.TrustAnchor;import java.security.cert.X509CRL;import java.security.cert.X509CRLEntry;import java.security.cert.X509CRLSelector;import java.security.cert.X509CertSelector;import java.security.cert.X509Certificate;import java.util.ArrayList;import java.util.Collection;import java.util.Date;import java.util.Enumeration;import java.util.HashSet;import java.util.Iterator;import java.util.List;import java.util.Set;import javax.security.auth.x500.X500Principal;import org.bouncycastle.asn1.ASN1InputStream;import org.bouncycastle.asn1.ASN1OctetString;import org.bouncycastle.asn1.ASN1OutputStream;import org.bouncycastle.asn1.ASN1Sequence;import org.bouncycastle.asn1.ASN1TaggedObject;import org.bouncycastle.asn1.DEREncodable;import org.bouncycastle.asn1.DEREnumerated;import org.bouncycastle.asn1.DERIA5String;import org.bouncycastle.asn1.DERInteger;import org.bouncycastle.asn1.DERObject;import org.bouncycastle.asn1.DERObjectIdentifier;import 
org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;

/**
 * CertPathValidatorSpi implementation for X.509 certificate path validation
 * along the lines of RFC 3280 (the PKIX profile, since superseded by RFC 5280).
 * <p>
 * Notes for reviewers of the name-constraint helpers in this class:
 * <ul>
 * <li>permitted/excluded subtrees are held as plain Sets of base names. An
 *     empty Set is used both for "no constraint yet" and for the result of
 *     intersecting disjoint subtrees, and the check methods treat an empty Set
 *     as "unconstrained".</li>
 * <li>rfc822Name subtrees are compared with String.endsWith on the part after
 *     the first '@' - no label-boundary check and no case folding.</li>
 * <li>iPAddress subtrees are not tracked at all (intersectIP/unionIP are
 *     stubs that return their input unchanged).</li>
 * </ul>
 */
public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi
{
    // Dotted-OID strings of the extensions this validator looks up by OID.
    private static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId();
    private static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId();
    private static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId();
    private static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId();
    private static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId();
    private static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId();
    private static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId();
    private static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();
    private static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId();
    private static final String KEY_USAGE = X509Extensions.KeyUsage.getId();
    private static final String CRL_NUMBER = X509Extensions.CRLNumber.getId();

    // The special anyPolicy certificate-policy OID (id-ce-certificatePolicies 0).
    private static final String ANY_POLICY = "2.5.29.32.0";

    /*
     * key usage bits - bit positions of keyCertSign (5) and cRLSign (6) in the
     * KeyUsage BIT STRING, as defined by RFC 5280 4.2.1.3; presumably used as
     * indices into the boolean[] from X509Certificate.getKeyUsage().
     */
    private static final int    KEY_CERT_SIGN = 5;
    private static final int    CRL_SIGN = 6;

    /*
     * Human-readable CRLReason names in the order of the CRLReason enumeration
     * (RFC 5280 5.3.1). Value 7 is unassigned in the RFC and is represented
     * here as "unknown" so the array can be indexed directly by reason code.
     */
    private static final String[] crlReasons = new String[] {
                                        "unspecified",
                                        "keyCompromise",
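                                      "cACompromise",
                                      "affiliationChanged",
                                      "superseded",
                                      "cessationOfOperation",
                                      "certificateHold",
                                      "unknown",            // reason code 7 is unassigned in RFC 5280
                                      "removeFromCRL",
                                      "privilegeWithdrawn",
                                      "aACompromise" };

    /**
     * Extract the decoded value of the given extension, if the certificate or
     * CRL carries it.
     *
     * @param ext the certificate or CRL to read the extension from
     * @param oid the dotted OID string of the extension
     * @return the decoded extension payload, or null when the extension is absent
     * @throws CertPathValidatorException if the extension is present but its
     *         value cannot be decoded
     */
    private DERObject getExtensionValue(
        java.security.cert.X509Extension    ext,
        String                              oid)
        throws CertPathValidatorException
    {
        byte[]  bytes = ext.getExtensionValue(oid);

        if (bytes == null)
        {
            return null;
        }

        return getObject(oid, bytes);
    }

    /**
     * Decode a raw extension value as returned by X509Extension.getExtensionValue:
     * the DER encoding of an OCTET STRING whose contents are the DER encoding
     * of the actual extension payload.
     * <p>
     * The bytes come straight out of a certificate or CRL under validation, so
     * they must be treated as untrusted. Every malformed shape - a truncated
     * encoding, or an outer object that is not an OCTET STRING - is reported as
     * a CertPathValidatorException carrying the parser error as its cause,
     * instead of an unchecked exception escaping from the validator. (The
     * previous blind cast let a non-OCTET STRING surface as a
     * ClassCastException and a null read as a NullPointerException.)
     *
     * @param oid the OID of the extension, used in the error message only
     * @param ext the raw extension value bytes
     * @return the decoded inner payload
     * @throws CertPathValidatorException if the bytes are not a well-formed
     *         OCTET STRING wrapping a DER object
     */
    private DERObject getObject(
        String oid,
        byte[] ext)
        throws CertPathValidatorException
    {
        try
        {
            ASN1InputStream aIn = new ASN1InputStream(ext);
            DERObject       outer = aIn.readObject();

            if (!(outer instanceof ASN1OctetString))
            {
                throw new CertPathValidatorException("extension " + oid + " value is not an OCTET STRING");
            }

            ASN1OctetString octs = (ASN1OctetString)outer;

            aIn = new ASN1InputStream(octs.getOctets());

            return aIn.readObject();
        }
        catch (IOException e)
        {
            // chain the parser failure so a rejected path can be diagnosed
            throw new CertPathValidatorException("exception processing extension " + oid, e);
        }
    }

    /**
     * Test whether the DN {@code dns} lies within the name-constraint subtree
     * {@code subtree}: the subtree's RDNs must be a prefix of the DN's RDNs,
     * compared position by position from index 0.
     * <p>
     * An empty subtree never matches, and a subtree with more RDNs than the DN
     * cannot match. RDNs are compared with the ASN.1 objects' equals(), so no
     * X.500 name-comparison rules (case or whitespace folding, string-type
     * equivalence) are applied here. NOTE(review): confirm that the DNs fed in
     * are already in a canonical form; otherwise equivalent names may fail to
     * match a constraint they should.
     *
     * @param dns     the distinguished name under test (a SEQUENCE of RDNs)
     * @param subtree the constraint's base name (a SEQUENCE of RDNs)
     * @return true if {@code subtree} is a non-empty prefix of {@code dns}
     */
    private boolean withinDNSubtree(
        ASN1Sequence    dns,
        ASN1Sequence    subtree)
    {
        if (subtree.size() < 1)
        {
            return false;
        }

        if (subtree.size() > dns.size())
        {
            return false;
        }

        for (int j = subtree.size() - 1; j >= 0; j--)
        {
            if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j)))
            {
                return false;
            }
        }

        return true;
    }

    /**
     * Reject {@code dns} unless it lies within at least one of the permitted
     * directoryName subtrees. An empty {@code permitted} set is treated as
     * "no constraint" and accepted.
     *
     * @param permitted the current permitted directoryName subtrees
     * @param dns       the distinguished name under test
     * @throws CertPathValidatorException if the name is outside every subtree
     */
    private void checkPermittedDN(
        Set             permitted,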
ASN1Sequence    dns)
    throws CertPathValidatorException
    {
        // NOTE(review): an empty set is indistinguishable from "no constraint".
        // intersectDN can legitimately produce an empty set (the new subtree is
        // disjoint from every existing one, which under RFC 5280 6.1.4 should
        // forbid every directoryName), and this early return would then accept
        // every DN instead - unless the caller detects the empty intersection
        // itself. Verify at the call site, which is outside this page.
        if (permitted.isEmpty())
        {
            return;
        }

        Iterator        it = permitted.iterator();
        while (it.hasNext())
        {
            ASN1Sequence subtree = (ASN1Sequence)it.next();

            if (withinDNSubtree(dns, subtree))
            {
                return;
            }
        }

        throw new CertPathValidatorException("Subject distinguished name is not from a permitted subtree");
    }

    /**
     * Reject {@code dns} if it lies within any of the excluded directoryName
     * subtrees. An empty {@code excluded} set means nothing is excluded, which
     * (unlike the permitted case) is the correct reading for a union.
     *
     * @param excluded the current excluded directoryName subtrees
     * @param dns      the distinguished name under test
     * @throws CertPathValidatorException if the name is inside an excluded subtree
     */
    private void checkExcludedDN(
        Set             excluded,
        ASN1Sequence    dns)
        throws CertPathValidatorException
    {
        if (excluded.isEmpty())
        {
            return;
        }

        Iterator        it = excluded.iterator();
        while (it.hasNext())
        {
            ASN1Sequence subtree = (ASN1Sequence)it.next();

            if (withinDNSubtree(dns, subtree))
            {
                throw new CertPathValidatorException("Subject distinguished name is from an excluded subtree");
            }
        }
    }

    /**
     * Narrow the permitted directoryName subtrees by one new constraint
     * {@code dn}, returning the intersection as a set of subtrees.
     * <p>
     * Behaviour to be aware of:
     * <ul>
     * <li>When {@code permitted} is empty (no constraint yet) the new dn is
     *     added to the caller's set in place and that same set is returned;
     *     otherwise a fresh HashSet is returned and the caller's set is left
     *     untouched. Callers must therefore always use the return value.</li>
     * <li>For each existing subtree the narrower of the two is kept: dn if it
     *     is inside the subtree, the subtree if it is inside dn. Two disjoint
     *     subtrees contribute nothing, so the result can be an empty set,
     *     which checkPermittedDN's early return then treats as unconstrained.</li>
     * <li>This intersects with a single dn. NOTE(review): a certificate whose
     *     NameConstraints carries several permittedSubtrees should narrow the
     *     state by their union (RFC 5280 6.1.4(b)); calling this once per
     *     subtree would compute their intersection instead. Check how the
     *     caller (outside this page) handles multiple subtrees.</li>
     * </ul>
     *
     * @param permitted the current permitted subtrees (mutated when empty)
     * @param dn        the new permitted subtree's base name
     * @return the narrowed set of permitted subtrees
     */
    private Set intersectDN(
        Set             permitted,
        ASN1Sequence    dn)
    {
        if (permitted.isEmpty())
        {
            permitted.add(dn);

            return permitted;
        }
        else
        {
            Set     intersect = new HashSet();

            Iterator _iter = permitted.iterator();
            while (_iter.hasNext())
            {
                ASN1Sequence subtree = (ASN1Sequence)_iter.next();

                if (withinDNSubtree(dn, subtree))
                {
                    intersect.add(dn);
                }
                else if (withinDNSubtree(subtree, dn))
                {
                    intersect.add(subtree);
                }
            }

            return intersect;
        }
    }

    /**
     * Widen the excluded directoryName subtrees by one new constraint
     * {@code dn}, returning the union as a set of subtrees. As with
     * intersectDN, an empty {@code excluded} set is mutated in place and
     * returned; otherwise a fresh set is built.
     *
     * @param excluded the current excluded subtrees (mutated when empty)
     * @param dn       the new excluded subtree's base name
     * @return the widened set of excluded subtrees
     */
    private Set unionDN(
        Set             excluded,
        ASN1Sequence    dn)
    {
        if (excluded.isEmpty())
        {
excluded.add(dn);

            return excluded;
        }
        else
        {
            // Keep every existing subtree (or the wider dn where dn contains
            // it) and add dn whenever some subtree does not already contain
            // it. The result may hold redundant entries - dn alongside a
            // subtree that contains it - but covers exactly the union.
            Set         intersect = new HashSet();

            Iterator _iter = excluded.iterator();
            while (_iter.hasNext())
            {
                ASN1Sequence subtree = (ASN1Sequence)_iter.next();

                if (withinDNSubtree(dn, subtree))
                {
                    intersect.add(subtree);
                }
                else if (withinDNSubtree(subtree, dn))
                {
                    intersect.add(dn);
                }
                else
                {
                    intersect.add(subtree);
                    intersect.add(dn);
                }
            }

            return intersect;
        }
    }

    /**
     * Narrow the permitted rfc822Name subtrees by one new constraint
     * {@code email} (presumably the base of an rfc822Name GeneralSubtree).
     * <p>
     * Only the part after the first '@' is kept (the whole string when there
     * is no '@'). Security-relevant consequences of the matching used here:
     * <ul>
     * <li>The local part of a mailbox-form constraint (user@host, allowed by
     *     RFC 5280 4.2.1.10) is discarded, so such a constraint permits every
     *     mailbox on that host rather than the single mailbox.</li>
     * <li>Containment is decided with String.endsWith: no label boundary is
     *     checked, so "example.com" is treated as inside "ample.com", and the
     *     RFC's distinction between a host constraint ("example.com") and a
     *     domain constraint (".example.com") is lost. The comparison is also
     *     case-sensitive, although mail domains are not.</li>
     * <li>As with intersectDN, an empty input set is mutated in place and
     *     returned, otherwise a fresh set is built; two unrelated domains
     *     yield an empty set, which checkPermittedEmail's early return treats
     *     as unconstrained.</li>
     * </ul>
     *
     * @param permitted the current permitted rfc822Name subtrees (mutated when empty)
     * @param email     the new constraint value
     * @return the narrowed set of permitted domains
     */
    private Set intersectEmail(
        Set     permitted,
        String  email)
    {
        String _sub = email.substring(email.indexOf('@') + 1);

        if (permitted.isEmpty())
        {
            permitted.add(_sub);

            return permitted;
        }
        else
        {
            Set      intersect = new HashSet();

            Iterator _iter = permitted.iterator();
            while (_iter.hasNext())
            {
                String _permitted = (String)_iter.next();

                if (_sub.endsWith(_permitted))
                {
                    intersect.add(_sub);
                }
                else if (_permitted.endsWith(_sub))
                {
                    intersect.add(_permitted);
                }
            }

            return intersect;
        }
    }

    /**
     * Widen the excluded rfc822Name subtrees by one new constraint
     * {@code email}. The constraint is reduced to the part after the first
     * '@' and compared with String.endsWith exactly as in intersectEmail, so
     * the same caveats (dropped local part, no label boundary, case
     * sensitivity) apply. An empty {@code excluded} set is mutated in place
     * and returned; otherwise a fresh set is built.
     *
     * @param excluded the current excluded rfc822Name subtrees (mutated when empty)
     * @param email    the new constraint value
     * @return the widened set of excluded domains
     */
    private Set unionEmail(
        Set     excluded,
        String  email)
    {
        String _sub = email.substring(email.indexOf('@') + 1);

        if (excluded.isEmpty())
        {
            excluded.add(_sub);

            return excluded;
        }
        else
        {
            Set     intersect = new HashSet();

            Iterator _iter = excluded.iterator();
            while (_iter.hasNext())
            {
                String
_excluded = (String)_iter.next();

                // keep the wider of the two; add both when neither contains the other
                if (_sub.endsWith(_excluded))
                {
                    intersect.add(_excluded);
                }
                else if (_excluded.endsWith(_sub))
                {
                    intersect.add(_sub);
                }
                else
                {
                    intersect.add(_excluded);
                    intersect.add(_sub);
                }
            }

            return intersect;
        }
    }

    /**
     * Placeholder: permitted iPAddress name constraints are NOT tracked.
     * <p>
     * The new subtree {@code ip} is ignored and the caller's set is returned
     * unchanged, so a permittedSubtrees entry of type iPAddress never narrows
     * the validation state. Unless the checking code that consumes this set
     * (outside this page) handles iPAddress subtrees some other way, a CA
     * that is constrained to an address range is effectively unconstrained
     * for IP addresses. NOTE(review): a fail-closed alternative is to reject
     * the path whenever an iPAddress subtree is encountered; that changes
     * behaviour for callers and is left as a note rather than made here.
     *
     * @param permitted the current permitted IP subtrees (returned as-is)
     * @param ip        the new constraint's address/mask bytes (ignored)
     * @return {@code permitted}, unchanged
     */
    private Set intersectIP(
        Set     permitted,
        byte[]  ip)
    {
        // not implemented - see the method comment
        return permitted;
    }

    /**
     * Placeholder: excluded iPAddress name constraints are NOT tracked.
     * <p>
     * Mirror of intersectIP: {@code ip} is ignored and the caller's set is
     * returned unchanged, so an excludedSubtrees entry of type iPAddress is
     * never recorded and (absent handling elsewhere) never excludes anything.
     *
     * @param excluded the current excluded IP subtrees (returned as-is)
     * @param ip       the new constraint's address/mask bytes (ignored)
     * @return {@code excluded}, unchanged
     */
    private Set unionIP(
        Set     excluded,
        byte[]  ip)
    {
        // not implemented - see the method comment
        return excluded;
    }

    /**
     * Check {@code email} against the permitted rfc822Name subtrees; the body
     * continues beyond this page. As with checkPermittedDN, an empty set is
     * taken to mean "no constraint", so an empty intersection produced by
     * intersectEmail is not rejected here.
     */
    private void checkPermittedEmail(
        Set     permitted,
        String email)
        throws CertPathValidatorException
    {
        if (permitted.isEmpty())
        {
            return;
        }

        String      sub = email.substring(email.indexOf('@') + 1);
