pkixcertpathvalidatorspi.java
// (c) // Set excludedSubtreesDN = new HashSet(); Set excludedSubtreesEmail = new HashSet(); Set excludedSubtreesIP = new HashSet(); // // (d) // int explicitPolicy; Set acceptablePolicies = null; if (paramsPKIX.isExplicitPolicyRequired()) { explicitPolicy = 0; } else { explicitPolicy = n + 1; } // // (e) // int inhibitAnyPolicy; if (paramsPKIX.isAnyPolicyInhibited()) { inhibitAnyPolicy = 0; } else { inhibitAnyPolicy = n + 1; } // // (f) // int policyMapping; if (paramsPKIX.isPolicyMappingInhibited()) { policyMapping = 0; } else { policyMapping = n + 1; } // // (g), (h), (i), (j) // PublicKey workingPublicKey; X500Principal workingIssuerName; X509Certificate sign = trust.getTrustedCert(); try { if (sign != null) { workingIssuerName = getSubjectPrincipal(sign); workingPublicKey = sign.getPublicKey(); } else { workingIssuerName = new X500Principal(trust.getCAName()); workingPublicKey = trust.getCAPublicKey(); } } catch (IllegalArgumentException ex) { throw new CertPathValidatorException("TrustAnchor subjectDN: " + ex.toString()); } AlgorithmIdentifier workingAlgId = getAlgorithmIdentifier(workingPublicKey); DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId(); DEREncodable workingPublicKeyParameters = workingAlgId.getParameters(); // // (k) // int maxPathLength = n; // // 6.1.3 // Iterator tmpIter; int tmpInt; if (paramsPKIX.getTargetCertConstraints() != null && !paramsPKIX.getTargetCertConstraints().match((X509Certificate)certs.get(0))) { throw new CertPathValidatorException("target certificate in certpath does not match targetcertconstraints", null, certPath, 0); } // // initialise CertPathChecker's // List pathCheckers = paramsPKIX.getCertPathCheckers(); certIter = pathCheckers.iterator(); while (certIter.hasNext()) { ((PKIXCertPathChecker)certIter.next()).init(false); } X509Certificate cert = null; for (index = certs.size() - 1; index >= 0 ; index--) { try { // // i as defined in the algorithm description // i = n - index; // // set 
certificate to be checked in this round // sign and workingPublicKey and workingIssuerName are set // at the end of the for loop and initialied the // first time from the TrustAnchor // cert = (X509Certificate)certs.get(index); // // 6.1.3 // // // (a) verify // try { // (a) (1) // cert.verify(workingPublicKey, "BC"); } catch (GeneralSecurityException e) { throw new CertPathValidatorException("Could not validate certificate signature.", e, certPath, index); } try { // (a) (2) // cert.checkValidity(validDate); } catch (CertificateExpiredException e) { throw new CertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } catch (CertificateNotYetValidException e) { throw new CertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } // // (a) (3) // if (paramsPKIX.isRevocationEnabled()) { checkCRLs(paramsPKIX, cert, validDate, sign, workingPublicKey); } // // (a) (4) name chaining // if (!getEncodedIssuerPrincipal(cert).equals(workingIssuerName)) { throw new CertPathValidatorException( "IssuerName(" + getEncodedIssuerPrincipal(cert) + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate", null, certPath, index); } // // (b), (c) permitted and excluded subtree checking. 
// if (!(isSelfIssued(cert) && (i < n))) { X500Principal principal = getSubjectPrincipal(cert); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded())); ASN1Sequence dns; try { dns = (ASN1Sequence)aIn.readObject(); } catch (IOException e) { throw new CertPathValidatorException("exception extracting subject name when checking subtrees"); } checkPermittedDN(permittedSubtreesDN, dns); checkExcludedDN(excludedSubtreesDN, dns); ASN1Sequence altName = (ASN1Sequence)getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME); if (altName != null) { for (int j = 0; j < altName.size(); j++) { ASN1TaggedObject o = (ASN1TaggedObject)altName.getObjectAt(j); switch(o.getTagNo()) { case 1: String email = DERIA5String.getInstance(o, true).getString(); checkPermittedEmail(permittedSubtreesEmail, email); checkExcludedEmail(excludedSubtreesEmail, email); break; case 4: ASN1Sequence altDN = ASN1Sequence.getInstance(o, true); checkPermittedDN(permittedSubtreesDN, altDN); checkExcludedDN(excludedSubtreesDN, altDN); break; case 7: byte[] ip = ASN1OctetString.getInstance(o, true).getOctets(); checkPermittedIP(permittedSubtreesIP, ip); checkExcludedIP(excludedSubtreesIP, ip); } } } } // // (d) policy Information checking against initial policy and // policy mapping // ASN1Sequence certPolicies = (ASN1Sequence)getExtensionValue(cert, CERTIFICATE_POLICIES); if (certPolicies != null && validPolicyTree != null) { // // (d) (1) // Enumeration e = certPolicies.getObjects(); Set pols = new HashSet(); while (e.hasMoreElements()) { PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); DERObjectIdentifier pOid = pInfo.getPolicyIdentifier(); pols.add(pOid.getId()); if (!ANY_POLICY.equals(pOid.getId())) { Set pq = getQualifierSet(pInfo.getPolicyQualifiers()); boolean match = processCertD1i(i, policyNodes, pOid, pq); if (!match) { processCertD1ii(i, policyNodes, pOid, pq); } } } if (acceptablePolicies == null || acceptablePolicies.contains(ANY_POLICY)) { 
acceptablePolicies = pols; } else { Iterator it = acceptablePolicies.iterator(); Set t1 = new HashSet(); while (it.hasNext()) { Object o = it.next(); if (pols.contains(o)) { t1.add(o); } } acceptablePolicies = t1; } // // (d) (2) // if ((inhibitAnyPolicy > 0) || ((i < n) && isSelfIssued(cert))) { e = certPolicies.getObjects(); while (e.hasMoreElements()) { PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement()); if (ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) { Set _apq = getQualifierSet(pInfo.getPolicyQualifiers()); List _nodes = policyNodes[i - 1]; for (int k = 0; k < _nodes.size(); k++) { PKIXPolicyNode _node = (PKIXPolicyNode)_nodes.get(k); Iterator _policySetIter = _node.getExpectedPolicies().iterator(); while (_policySetIter.hasNext()) { Object _tmp = _policySetIter.next(); String _policy; if (_tmp instanceof String) { _policy = (String)_tmp; } else if (_tmp instanceof DERObjectIdentifier) { _policy = ((DERObjectIdentifier)_tmp).getId(); } else { continue; } boolean _found = false; Iterator _childrenIter = _node.getChildren(); while (_childrenIter.hasNext()) { PKIXPolicyNode _child = (PKIXPolicyNode)_childrenIter.next(); if (_policy.equals(_child.getValidPolicy())) { _found = true; } } if (!_found) { Set _newChildExpectedPolicies = new HashSet(); _newChildExpectedPolicies.add(_policy); PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false); _node.addChild(_newChild); policyNodes[i].add(_newChild); } } } break; } } } //