pkixcertpathvalidatorspi.java
来自「内容:基于jdk1.4的加密算法的具体实现」· Java 代码 · 共 1,799 行 · 第 1/5 页
if (_inhibitAnyPolicy < inhibitAnyPolicy) { inhibitAnyPolicy = _inhibitAnyPolicy; } } // // (k) // BasicConstraints bc = BasicConstraints.getInstance( getExtensionValue(cert, BASIC_CONSTRAINTS)); if (bc != null) { if (!(bc.isCA())) { throw new CertPathValidatorException("Not a CA certificate"); } } else { throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints"); } // // (l) // if (!isSelfIssued(cert)) { if (maxPathLength <= 0) { throw new CertPathValidatorException("Max path length not greater than zero"); } maxPathLength--; } // // (m) // if (bc != null) { BigInteger _pathLengthConstraint = bc.getPathLenConstraint(); if (_pathLengthConstraint != null) { int _plc = _pathLengthConstraint.intValue(); if (_plc < maxPathLength) { maxPathLength = _plc; } } } // // (n) // boolean[] _usage = cert.getKeyUsage(); if ((_usage != null) && !_usage[5]) { throw new CertPathValidatorException( "Issuer certificate keyusage extension is critical an does not permit key signing.\n", null, certPath, index); } // // (o) // Set criticalExtensions = new HashSet(cert.getCriticalExtensionOIDs()); // these extensions are handle by the algorithem criticalExtensions.remove(KEY_USAGE); criticalExtensions.remove(CERTIFICATE_POLICIES); criticalExtensions.remove(POLICY_MAPPINGS); criticalExtensions.remove(INHIBIT_ANY_POLICY); criticalExtensions.remove(ISSUING_DISTRIBUTION_POINT); criticalExtensions.remove(DELTA_CRL_INDICATOR); criticalExtensions.remove(POLICY_CONSTRAINTS); criticalExtensions.remove(BASIC_CONSTRAINTS); criticalExtensions.remove(SUBJECT_ALTERNATIVE_NAME); criticalExtensions.remove(NAME_CONSTRAINTS); tmpIter = pathCheckers.iterator(); while (tmpIter.hasNext()) { try { ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); } catch (CertPathValidatorException e) { throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index); } } if (!criticalExtensions.isEmpty()) { throw new CertPathValidatorException( "Certificate 
has unsupported critical extension", null, certPath, index); } } // set signing certificate for next round sign = cert; workingPublicKey = sign.getPublicKey(); try { workingIssuerName = getSubjectPrincipal(sign); } catch (IllegalArgumentException ex) { throw new CertPathValidatorException(sign.getSubjectDN().getName() + " :" + ex.toString()); } workingAlgId = getAlgorithmIdentifier(workingPublicKey); workingPublicKeyAlgorithm = workingAlgId.getObjectId(); workingPublicKeyParameters = workingAlgId.getParameters(); } catch (AnnotatedException e) { throw new CertPathValidatorException(e.getMessage(), e.getUnderlyingException(), certPath, index); } } // // 6.1.5 Wrap-up procedure // // // (a) // if (!isSelfIssued(cert) && (explicitPolicy != 0)) { explicitPolicy--; } // // (b) // try { ASN1Sequence pc = (ASN1Sequence)getExtensionValue(cert, POLICY_CONSTRAINTS); if (pc != null) { Enumeration policyConstraints = pc.getObjects(); while (policyConstraints.hasMoreElements()) { ASN1TaggedObject constraint = (ASN1TaggedObject)policyConstraints.nextElement(); switch (constraint.getTagNo()) { case 0: tmpInt = DERInteger.getInstance(constraint).getValue().intValue(); if (tmpInt == 0) { explicitPolicy = 0; } break; } } } } catch (AnnotatedException e) { throw new CertPathValidatorException(e.getMessage(), e.getUnderlyingException(), certPath, index); } // // (c) (d) and (e) are already done // // // (f) // Set criticalExtensions = cert.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); // these extensions are handle by the algorithm criticalExtensions.remove(KEY_USAGE); criticalExtensions.remove(CERTIFICATE_POLICIES); criticalExtensions.remove(POLICY_MAPPINGS); criticalExtensions.remove(INHIBIT_ANY_POLICY); criticalExtensions.remove(ISSUING_DISTRIBUTION_POINT); criticalExtensions.remove(DELTA_CRL_INDICATOR); criticalExtensions.remove(POLICY_CONSTRAINTS); criticalExtensions.remove(BASIC_CONSTRAINTS); 
criticalExtensions.remove(SUBJECT_ALTERNATIVE_NAME); criticalExtensions.remove(NAME_CONSTRAINTS); } else { criticalExtensions = new HashSet(); } tmpIter = pathCheckers.iterator(); while (tmpIter.hasNext()) { try { ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); } catch (CertPathValidatorException e) { throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index); } } if (!criticalExtensions.isEmpty()) { throw new CertPathValidatorException( "Certificate has unsupported critical extension", null, certPath, index); } // // (g) // PKIXPolicyNode intersection; // // (g) (i) // if (validPolicyTree == null) { if (paramsPKIX.isExplicitPolicyRequired()) { throw new CertPathValidatorException("Explicit policy requested but none available."); } intersection = null; } else if (isAnyPolicy(userInitialPolicySet)) // (g) (ii) { if (paramsPKIX.isExplicitPolicyRequired()) { if (acceptablePolicies.isEmpty()) { throw new CertPathValidatorException("Explicit policy requested but none available."); } else { Set _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.length; j++) { List _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.size(); k++) { PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); if (ANY_POLICY.equals(_node.getValidPolicy())) { Iterator _iter = _node.getChildren(); while (_iter.hasNext()) { _validPolicyNodeSet.add(_iter.next()); } } } } Iterator _vpnsIter = _validPolicyNodeSet.iterator(); while (_vpnsIter.hasNext()) { PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); String _validPolicy = _node.getValidPolicy(); if (!acceptablePolicies.contains(_validPolicy)) { //validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node); } } if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { List nodes = policyNodes[j]; for (int k = 0; k < nodes.size(); k++) { PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); if (!node.hasChildren()) { validPolicyTree = 
removePolicyNode(validPolicyTree, policyNodes, node); } } } } } } intersection = validPolicyTree; } else { // // (g) (iii) // // This implementation is not exactly same as the one described in RFC3280. // However, as far as the validation result is concerned, both produce // adequate result. The only difference is whether AnyPolicy is remain // in the policy tree or not. // // (g) (iii) 1 // Set _validPolicyNodeSet = new HashSet(); for (int j = 0; j < policyNodes.length; j++) { List _nodeDepth = policyNodes[j]; for (int k = 0; k < _nodeDepth.size(); k++) { PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k); if (ANY_POLICY.equals(_node.getValidPolicy())) { Iterator _iter = _node.getChildren(); while (_iter.hasNext()) { PKIXPolicyNode _c_node = (PKIXPolicyNode)_iter.next(); if (!ANY_POLICY.equals(_c_node.getValidPolicy())) { _validPolicyNodeSet.add(_c_node); } } } } } // // (g) (iii) 2 // Iterator _vpnsIter = _validPolicyNodeSet.iterator(); while (_vpnsIter.hasNext()) { PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next(); String _validPolicy = _node.getValidPolicy(); if (!userInitialPolicySet.contains(_validPolicy)) { validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node); } } // // (g) (iii) 4 // if (validPolicyTree != null) { for (int j = (n - 1); j >= 0; j--) { List nodes = policyNodes[j]; for (int k = 0; k < nodes.size(); k++) { PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); if (!nod