else selector.addIssuerName(anchor.getCAName()); List certStores = ((PKIXParameters) params).getCertStores(); List crls = new LinkedList(); for (Iterator it = certStores.iterator(); it.hasNext(); ) { CertStore cs = (CertStore) it.next(); try { Collection c = cs.getCRLs(selector); crls.addAll(c); } catch (CertStoreException cse) { } } if (crls.isEmpty()) continue; for (Iterator it = crls.iterator(); it.hasNext(); ) { CRL crl = (CRL) it.next(); if (!(crl instanceof X509CRL)) continue; X509CRL xcrl = (X509CRL) crl; try { xcrl.verify(anchorKey); } catch (Exception x) { continue; } Date nextUpdate = xcrl.getNextUpdate(); if (nextUpdate != null && nextUpdate.compareTo(now) < 0) continue; if (xcrl.isRevoked(p[p.length-1])) throw new CertPathValidatorException("certificate is revoked"); } } // The chain is valid; return the result. return new PKIXCertPathValidatorResult(anchor, rootNode, p[0].getPublicKey()); } catch (Exception ignored) { cause = ignored; continue; } } // The path is not valid. CertPathValidatorException cpve = new CertPathValidatorException("path validation failed"); if (cause != null) cpve.initCause (cause); throw cpve; } // Own methods. // ------------------------------------------------------------------------- /** * Check if a given CRL is acceptable for checking the revocation status * of certificates in the path being checked. * * <p>The CRL is accepted iff:</p> * * <ol> * <li>The <i>nextUpdate</i> field (if present) is in the future.</li> * <li>The CRL does not contain any unsupported critical extensions.</li> * <li>The CRL is signed by one of the certificates in the path, or,</li> * <li>The CRL is signed by the given public key and was issued by the * public key's subject, or,</li> * <li>The CRL is signed by a certificate in the given cert stores, and * that cert is signed by one of the certificates in the path.</li> * </ol> * * @param crl The CRL being checked. * @param path The path this CRL is being checked against. 
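* @param now The value to use as 'now'.
 * @param pubKeyCert The certificate carrying <code>pubKey</code> (in this
 *        validator the trust anchor's certificate); the CRL is accepted by
 *        the "signed by the given public key" rule only when its issuer
 *        name equals this certificate's subject name.
 * @param pubKey The public key to check.
 * @param certStores The cert stores (a <code>List</code> of
 *        <code>CertStore</code>) searched for an indirect CRL issuer
 *        certificate whose subject equals the CRL's issuer. Such a
 *        certificate is accepted as the CRL signer if it is itself signed
 *        either by a certificate in the path or by <code>pubKey</code>
 *        (when issued by <code>pubKeyCert</code>'s subject), and, when it
 *        carries a keyUsage extension, has the cRLSign bit set.
 * @return True if the CRL is acceptable.
 */
private static boolean checkCRL(X509CRL crl, X509Certificate[] path,
                                Date now, X509Certificate pubKeyCert,
                                PublicKey pubKey, List certStores)
{
  // A CRL whose nextUpdate has already passed is stale and never used.
  Date nextUpdate = crl.getNextUpdate();
  if (nextUpdate != null && nextUpdate.compareTo(now) < 0)
    return false;
  // A critical extension we cannot interpret must cause rejection.
  if (crl.hasUnsupportedCriticalExtension())
    return false;

  // Rule: the CRL is signed directly by a certificate in the path whose
  // subject is the CRL's issuer and which may sign CRLs.
  for (int i = 0; i < path.length; i++)
    {
      if (!path[i].getSubjectDN().equals(crl.getIssuerDN()))
        continue;
      if (!crlSignAllowed(path[i]))
        continue;
      if (crlVerifies(crl, path[i].getPublicKey()))
        return true;
    }

  // Rule: the CRL is signed directly by pubKey and issued by its subject.
  if (crl.getIssuerDN().equals(pubKeyCert.getSubjectDN())
      && crlSignAllowed(pubKeyCert)
      && crlVerifies(crl, pubKey))
    return true;

  // Rule: an indirect CRL issuer certificate from the cert stores. Each
  // candidate is checked independently, so a candidate that fails to verify
  // (for example a certificate with a matching name but a bad signature)
  // does not prevent a later, valid candidate from being found.
  List candidates = certsNamedAsIssuerOf(crl, certStores);
  for (Iterator it = candidates.iterator(); it.hasNext(); )
    {
      X509Certificate c = (X509Certificate) it.next();
      if (!crlSignAllowed(c))
        continue;
      for (int i = 0; i < path.length; i++)
        {
          if (!c.getIssuerDN().equals(path[i].getSubjectDN()))
            continue;
          if (certVerifies(c, path[i].getPublicKey())
              && crlVerifies(crl, c.getPublicKey()))
            return true;
        }
      // The candidate was issued under pubKey; mirror the path case so that
      // a successful verification actually accepts the CRL instead of being
      // silently discarded.
      if (c.getIssuerDN().equals(pubKeyCert.getSubjectDN())
          && certVerifies(c, pubKey)
          && crlVerifies(crl, c.getPublicKey()))
        return true;
    }
  return false;
}

/**
 * Tell whether <code>cert</code> may be used to sign CRLs: true when it
 * carries no keyUsage extension at all, or when its cRLSign bit is set.
 */
private static boolean crlSignAllowed(X509Certificate cert)
{
  boolean[] keyUsage = cert.getKeyUsage();
  return keyUsage == null || keyUsage[KeyUsage.CRL_SIGN];
}

/**
 * Verify the signature on <code>crl</code> with <code>key</code>,
 * reporting failure as <code>false</code> rather than as an exception.
 */
private static boolean crlVerifies(X509CRL crl, PublicKey key)
{
  try
    {
      crl.verify(key);
      return true;
    }
  catch (Exception ignored)
    {
      // Any failure (bad signature, unsupported algorithm, unusable key)
      // just means this key does not vouch for the CRL.
      return false;
    }
}

/**
 * Verify the signature on <code>cert</code> with <code>key</code>,
 * reporting failure as <code>false</code> rather than as an exception.
 */
private static boolean certVerifies(X509Certificate cert, PublicKey key)
{
  try
    {
      cert.verify(key);
      return true;
    }
  catch (Exception ignored)
    {
      // Same reasoning as crlVerifies: a failed check is a negative answer.
      return false;
    }
}

/**
 * Collect every certificate in <code>certStores</code> whose subject name
 * equals the issuer name of <code>crl</code>. Stores that fail to answer
 * are skipped; a selector that cannot be built yields an empty list.
 */
private static List certsNamedAsIssuerOf(X509CRL crl, List certStores)
{
  List certs = new LinkedList();
  X509CertSelectorImpl select = new X509CertSelectorImpl();
  try
    {
      select.addSubjectName(crl.getIssuerDN());
    }
  catch (Exception ignored)
    {
      // Without a usable selector there are no candidates to offer.
      return certs;
    }
  for (Iterator it = certStores.iterator(); it.hasNext(); )
    {
      CertStore cs = (CertStore) it.next();
      try
        {
          certs.addAll(cs.getCertificates(select));
        }
      catch (CertStoreException ignored)
        {
          // A failing store contributes nothing; keep querying the others.
        }
    }
  return certs;
}

/**
 * Return the OIDs (as strings) of the critical extensions of
 * <code>cert</code> that this implementation does not handle.
 *
 * <p>For {@link GnuPKIExtension} certificates only the critical extensions
 * reported as unsupported are returned; for any other implementation every
 * critical extension OID is returned, since their support cannot be queried
 * here.</p>
 */
private static Set getCritExts(X509Certificate cert)
{
  HashSet s = new HashSet();
  if (cert instanceof GnuPKIExtension)
    {
      Collection exts = ((GnuPKIExtension) cert).getExtensions();
      for (Iterator it = exts.iterator(); it.hasNext(); )
        {
          Extension ext = (Extension) it.next();
          if (ext.isCritical() && !ext.isSupported())
            s.add(ext.getOid().toString());
        }
    }
  else
    {
      // getCriticalExtensionOIDs returns null (not an empty set) when the
      // certificate has no critical extensions; addAll(null) would throw.
      Set oids = cert.getCriticalExtensionOIDs();
      if (oids != null)
        s.addAll(oids);
    }
  return s;
}

/**
 * Perform a basic sanity check on the CA certificate at <code>index</code>:
 * it must carry a basicConstraints extension with cA set, its
 * pathLenConstraint (if any) must admit the number of non-self-issued
 * certificates between it and the end-entity certificate, and its keyUsage
 * extension (if any) must permit certificate signing.
 *
 * @param path The certification path, end-entity certificate at index 0.
 * @param index The index of the CA certificate to check.
 * @throws CertPathValidatorException If any of the checks fails.
 */
private static void basicSanity(X509Certificate[] path, int index)
  throws CertPathValidatorException
{
  X509Certificate cert = path[index];
  // Count the certificates strictly between this CA and the end-entity
  // certificate (index 0, never counted) that are not self-issued;
  // self-issued certificates do not count against pathLenConstraint.
  int pathLen = 0;
  for (int i = index - 1; i > 0; i--)
    {
      if (!path[i].getIssuerDN().equals(path[i].getSubjectDN()))
        pathLen++;
    }
  Extension e = null;
  if (cert instanceof GnuPKIExtension)
    e = ((GnuPKIExtension) cert).getExtension(BasicConstraints.ID);
  else
    {
      try
        {
          e = new Extension(cert.getExtensionValue(BasicConstraints.ID.toString()));
        }
      catch (Exception ignored)
        {
          // An absent or undecodable extension leaves e null, reported as
          // "no basicConstraints" below.
        }
    }
  if (e == null)
    throw new CertPathValidatorException("no basicConstraints");
  BasicConstraints bc = (BasicConstraints) e.getValue();
  if (!bc.isCA())
    throw new CertPathValidatorException("certificate cannot be used to verify signatures");
  // A negative pathLenConstraint means "unconstrained".
  if (bc.getPathLengthConstraint() >= 0 && bc.getPathLengthConstraint() < pathLen)
    throw new CertPathValidatorException("path is too long");
  boolean[] keyUsage = cert.getKeyUsage();
  if (keyUsage != null && !keyUsage[KeyUsage.KEY_CERT_SIGN])
    throw new CertPathValidatorException("certificate cannot be used to sign certificates");
}

/**
 * Add one level to the policy tree for <code>cert</code>, which sits at
 * <code>depth</code> in the path: every node at depth - 1 gets a child for
 * each policy the certificate asserts that the node expects, that the node
 * expects via anyPolicy, or that is anyPolicy itself (unless anyPolicy is
 * inhibited by the parameters).
 *
 * <p>Only certificates implementing {@link GnuPKIExtension} expose their
 * certificatePolicies extension here; any other implementation is treated
 * as asserting no policies.</p>
 *
 * @param cert The certificate whose policies are added.
 * @param root The root of the policy tree.
 * @param depth The depth of <code>cert</code> in the path.
 * @param params The validation parameters.
 * @param explicitPolicy Whether an earlier CA already requires an
 *        explicit policy at this depth.
 * @throws CertPathValidatorException If no policy node could be added and
 *         an explicit policy is required.
 */
private static void updatePolicyTree(X509Certificate cert, PolicyNodeImpl root,
                                     int depth, PKIXParameters params,
                                     boolean explicitPolicy)
  throws CertPathValidatorException
{
  if (DEBUG) debug("updatePolicyTree depth == " + depth);
  Set nodes = nodesAtDepth(root, depth - 1);
  CertificatePolicies policies = null;
  if (cert instanceof GnuPKIExtension)
    {
      Extension e = ((GnuPKIExtension) cert).getExtension(CertificatePolicies.ID);
      if (e != null)
        policies = (CertificatePolicies) e.getValue();
    }
  List cp = (policies != null) ? policies.getPolicies() : Collections.EMPTY_LIST;
  boolean match = false;
  if (DEBUG) debug("nodes are == " + nodes);
  if (DEBUG) debug("cert policies are == " + cp);
  for (Iterator it = nodes.iterator(); it.hasNext(); )
    {
      PolicyNodeImpl parent = (PolicyNodeImpl) it.next();
      if (DEBUG) debug("adding policies to " + parent);
      for (Iterator it2 = cp.iterator(); it2.hasNext(); )
        {
          OID policy = (OID) it2.next();
          String policyId = policy.toString();
          if (DEBUG) debug("trying to add policy == " + policy);
          if (ANY_POLICY.equals(policyId) && params.isAnyPolicyInhibited())
            continue;
          boolean accepted = parent.getExpectedPolicies().contains(policyId)
            || parent.getExpectedPolicies().contains(ANY_POLICY)
            || ANY_POLICY.equals(policyId);
          if (!accepted)
            continue;
          PolicyNodeImpl child = new PolicyNodeImpl();
          child.setValidPolicy(policyId);
          child.addExpectedPolicy(policyId);
          parent.addChild(child);
          match = true;
          // Qualifiers are attached only to a child that was actually added
          // to the tree; keying this on the cumulative 'match' flag would
          // also decorate children that were never attached. policies is
          // non-null here because cp is empty otherwise.
          List qualifiers = policies.getPolicyQualifierInfos(policy);
          if (qualifiers != null)
            child.addAllPolicyQualifiers(qualifiers);
        }
    }
  if (!match && (params.isExplicitPolicyRequired() || explicitPolicy))
    throw new CertPathValidatorException("policy tree building failed");
}

/**
 * Collect the nodes of the policy tree rooted at <code>root</code> whose
 * depth equals <code>wanted</code>, descending through every node at a
 * different depth (iterative traversal with an explicit stack of iterators).
 */
private static Set nodesAtDepth(PolicyNodeImpl root, int wanted)
{
  Set nodes = new HashSet();
  LinkedList stack = new LinkedList();
  stack.addLast(Collections.singleton(root).iterator());
  do
    {
      Iterator current = (Iterator) stack.removeLast();
      while (current.hasNext())
        {
          PolicyNodeImpl p = (PolicyNodeImpl) current.next();
          if (DEBUG) debug("visiting node == " + p);
          if (p.getDepth() == wanted)
            {
              if (DEBUG) debug("added node");
              nodes.add(p);
            }
          else
            {
              if (DEBUG) debug("skipped node");
              // Park the current level and continue with this node's
              // children; the parked iterator is resumed afterwards.
              stack.addLast(current);
              current = p.getChildren();
            }
        }
    }
  while (!stack.isEmpty());
  return nodes;
}

/**
 * Tell whether an explicit policy is required at <code>depth</code>.
 *
 * <p>Each element of <code>explicitPolicies</code> is an <code>int[2]</code>
 * read as {caDepth, limit}; the requirement is in force once
 * <code>depth - caDepth &gt;= limit</code> for any element. Presumably the
 * pairs are recorded when a CA certificate asserts requireExplicitPolicy
 * — confirm against the caller.</p>
 *
 * @param depth The current depth in the path.
 * @param explicitPolicies The recorded {caDepth, limit} pairs.
 * @return True if any recorded constraint applies at this depth.
 */
private boolean checkExplicitPolicy (int depth, List explicitPolicies)
{
  if (DEBUG) debug ("checkExplicitPolicy depth=" + depth);
  for (Iterator it = explicitPolicies.iterator(); it.hasNext(); )
    {
      int[] entry = (int[]) it.next();
      int caDepth = entry[0];
      int limit = entry[1];
      if (DEBUG) debug (" caDepth=" + caDepth + " limit=" + limit);
      if (depth - caDepth >= limit)
        return true;
    }
  return false;
}
}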