pkixcertpathvalidatorspi.java
policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // PublicKey workingPublicKey; X500Principal workingIssuerName; X509Certificate sign = trust.getTrustedCert(); try { if (sign != null) { workingIssuerName = getSubjectPrincipal(sign); workingPublicKey = sign.getPublicKey(); } else { workingIssuerName = new X500Principal(trust.getCAName()); workingPublicKey = trust.getCAPublicKey(); } } catch (IllegalArgumentException ex) { throw new CertPathValidatorException("TrustAnchor subjectDN: " + ex.toString()); } AlgorithmIdentifier workingAlgId = getAlgorithmIdentifier(workingPublicKey); DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId(); DEREncodable workingPublicKeyParameters = workingAlgId.getParameters(); // // (k) // int maxPathLength = n; // // 6.1.3 // Iterator tmpIter; byte[] tmpData; int tmpInt; boolean tmpTest; X509CRLSelector crlselect; X509CertSelector certselect; CertStore certstore; if (paramsPKIX.getTargetCertConstraints() != null && !paramsPKIX.getTargetCertConstraints().match((X509Certificate)certs.get(0))) { throw new CertPathValidatorException("target certificate in certpath does not match targetcertconstraints", null, certPath, 0); } // // initialise CertPathChecker's // List pathCheckers = paramsPKIX.getCertPathCheckers(); certIter = pathCheckers.iterator(); while (certIter.hasNext()) { ((PKIXCertPathChecker)certIter.next()).init(false); } X509Certificate cert = null; for (index = certs.size() - 1; index >= 0 ; index--) { // // i as defined in the algorithm description // i = n - index; // // set certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialied the // first time from the TrustAnchor // cert = (X509Certificate)certs.get(index); // // 6.1.3 // // // (a) verify // try { // (a) (1) // cert.verify(workingPublicKey, "BC"); } catch (GeneralSecurityException e) { throw new CertPathValidatorException("Could not 
validate certificate signature.", e, certPath, index); } try { // (a) (2) // cert.checkValidity(validDate); } catch (CertificateExpiredException e) { throw new CertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } catch (CertificateNotYetValidException e) { throw new CertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } // // (a) (3) // if (paramsPKIX.isRevocationEnabled()) { tmpTest = false; crlselect = new X509CRLSelector(); try { crlselect.addIssuerName(getEncodedIssuerPrincipal(cert).getEncoded()); } catch (IOException e) { throw new CertPathValidatorException("Cannot extract issuer from certificate: " + e); } crlselect.setCertificateChecking(cert); Iterator crl_iter = findCRLs(crlselect, paramsPKIX.getCertStores()).iterator(); X509CRLEntry crl_entry; while (crl_iter.hasNext()) { X509CRL crl = (X509CRL)crl_iter.next(); if (cert.getNotAfter().after(crl.getThisUpdate())) { if (crl.getNextUpdate() == null || validDate.before(crl.getNextUpdate())) { tmpTest = true; } if (sign != null) { boolean[] keyusage = sign.getKeyUsage(); if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN])) { throw new CertPathValidatorException( "Issuer certificate keyusage extension does not permit crl signing.\n" + sign, null, certPath, index); } } try { crl.verify(workingPublicKey, "BC"); } catch (Exception e) { throw new CertPathValidatorException("can't verify CRL: " + e); } crl_entry = crl.getRevokedCertificate(cert.getSerialNumber()); if (crl_entry != null && !validDate.before(crl_entry.getRevocationDate())) { String reason = null; if (crl_entry.hasExtensions()) { DEREnumerated reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId())); if (reasonCode != null) { reason = crlReasons[reasonCode.getValue().intValue()]; } } String message = "Certificate revocation after " + crl_entry.getRevocationDate(); if (reason != null) { 
message += ", reason: " + reason; } throw new CertPathValidatorException(message, null, certPath, index); } // // check the DeltaCRL indicator, base point and the issuing distribution point // DERObject idp = getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT); DERObject dci = getExtensionValue(crl, DELTA_CRL_INDICATOR); if (dci != null) { X509CRLSelector baseSelect = new X509CRLSelector(); try { baseSelect.addIssuerName(getIssuerPrincipal(crl).getEncoded()); } catch (IOException e) { throw new CertPathValidatorException("can't extract issuer from certificate: " + e); } baseSelect.setMinCRLNumber(((DERInteger)dci).getPositiveValue()); baseSelect.setMaxCRLNumber(((DERInteger)getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1))); boolean foundBase = false; Iterator it = findCRLs(baseSelect, paramsPKIX.getCertStores()).iterator(); while (it.hasNext()) { X509CRL base = (X509CRL)it.next(); DERObject baseIdp = getExtensionValue(base, ISSUING_DISTRIBUTION_POINT); if (idp == null) { if (baseIdp == null) { foundBase = true; break; } } else { if (idp.equals(baseIdp)) { foundBase = true; break; } } } if (!foundBase) { throw new CertPathValidatorException("No base CRL for delta CRL"); } } if (idp != null) { IssuingDistributionPoint p = IssuingDistributionPoint.getInstance(idp); BasicConstraints bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (p.onlyContainsUserCerts() && (bc == null || bc.isCA())) { throw new CertPathValidatorException("CA Cert CRL only contains user certificates"); } if (p.onlyContainsCACerts() && (bc == null || !bc.isCA())) { throw new CertPathValidatorException("End CRL only contains CA certificates"); } if (p.onlyContainsAttributeCerts()) { throw new CertPathValidatorException("onlyContainsAttributeCerts boolean is asserted"); } } } } if (!tmpTest) { throw new CertPathValidatorException("no valid CRL found", null, certPath, index); } } // // (a) (4) name chaining // if 
(!getEncodedIssuerPrincipal(cert).equals(workingIssuerName)) { throw new CertPathValidatorException( "IssuerName(" + getEncodedIssuerPrincipal(cert) + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate", null, certPath, index); } // // (b), (c) permitted and excluded subtree checking. // if (!(isSelfIssued(cert) && (i < n))) { X500Principal principal = getSubjectPrincipal(cert); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded())); ASN1Sequence dns; try { dns = (ASN1Sequence)aIn.readObject(); } catch (IOException e) { throw new CertPathValidatorException("exception extracting subject name when checking subtrees"); } checkPermittedDN(permittedSubtreesDN, dns); checkExcludedDN(excludedSubtreesDN, dns); ASN1Sequence altName = (ASN1Sequence)getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME); if (altName != null) { for (int j = 0; j < altName.size(); j++) { ASN1TaggedObject o = (ASN1TaggedObject)altName.getObjectAt(j); switch(o.getTagNo()) { case 1: String email = DERIA5String.getInstance(o, true).getString(); checkPermittedEmail(permittedSubtreesEmail, email); checkExcludedEmail(excludedSubtreesEmail, email); break; case 4: ASN1Sequence altDN = ASN1Sequence.getInstance(o, true); checkPermittedDN(permittedSubtreesDN, altDN); checkExcludedDN(excludedSubtreesDN, altDN); break; case 7: byte[] ip = ASN1OctetString.getInstance(o, true).getOctets(); checkPermittedIP(permittedSubtreesIP, ip); checkExcludedIP(excludedSubtreesIP, ip); } } } } // // (d) policy Information checking against initial policy and // policy mapping // ASN1Sequence certPolicies = (ASN1Sequence)getExtensionValue(cert, CERTIFICATE_POLICIES); if (certPolicies != null && validPolicyTree != null) { // // (d) (1) // Enumeration e = certPolicies.getObjects(); Set pols = new HashSet(); while (e.hasMoreElements()) { PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); DERObjectIdentifier pOid = pInfo.getPolicyIdentifier(); 
pols.add(pOid.getId()); if (!ANY_POLICY.equals(pOid.getId())) { Set pq = getQualifierSet(pInfo.getPolicyQualifiers()); boolean match = processCertD1i(i, policyNodes, pOid, pq); if (!match) { processCertD1ii(i, policyNodes, pOid, pq); } } } if (acceptablePolicies == null || acceptablePolicies.contains(ANY_POLICY)) { acceptablePolicies = pols;