📄 pkixnameconstraintvalidator.java
字号:
package org.bouncycastle.jce.provider;import org.bouncycastle.asn1.ASN1OctetString;import org.bouncycastle.asn1.ASN1Sequence;import org.bouncycastle.asn1.DERIA5String;import org.bouncycastle.asn1.x509.GeneralName;import org.bouncycastle.asn1.x509.GeneralSubtree;import org.bouncycastle.util.Arrays;import org.bouncycastle.util.Strings;import java.util.Collection;import java.util.Collections;import java.util.Enumeration;import java.util.HashMap;import java.util.HashSet;import java.util.Iterator;import java.util.Map;import java.util.Set;public class PKIXNameConstraintValidator{ private Set excludedSubtreesDN = new HashSet(); private Set excludedSubtreesDNS = new HashSet(); private Set excludedSubtreesEmail = new HashSet(); private Set excludedSubtreesURI = new HashSet(); private Set excludedSubtreesIP = new HashSet(); private Set permittedSubtreesDN; private Set permittedSubtreesDNS; private Set permittedSubtreesEmail; private Set permittedSubtreesURI; private Set permittedSubtreesIP; public PKIXNameConstraintValidator() { } private static boolean withinDNSubtree( ASN1Sequence dns, ASN1Sequence subtree) { if (subtree.size() < 1) { return false; } if (subtree.size() > dns.size()) { return false; } for (int j = subtree.size() - 1; j >= 0; j--) { if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j))) { return false; } } return true; } public void checkPermittedDN(ASN1Sequence dns) throws PKIXNameConstraintValidatorException { checkPermittedDN(permittedSubtreesDN, dns); } public void checkExcludedDN(ASN1Sequence dns) throws PKIXNameConstraintValidatorException { checkExcludedDN(excludedSubtreesDN, dns); } private void checkPermittedDN(Set permitted, ASN1Sequence dns) throws PKIXNameConstraintValidatorException { if (permitted == null) { return; } if (permitted.isEmpty() && dns.size() == 0) { return; } Iterator it = permitted.iterator(); while (it.hasNext()) { ASN1Sequence subtree = (ASN1Sequence)it.next(); if (withinDNSubtree(dns, subtree)) { return; } } throw new PKIXNameConstraintValidatorException( "Subject distinguished name is not from a permitted subtree"); } private void checkExcludedDN(Set excluded, ASN1Sequence dns) throws PKIXNameConstraintValidatorException { if (excluded.isEmpty()) { return; } Iterator it = excluded.iterator(); while (it.hasNext()) { ASN1Sequence subtree = (ASN1Sequence)it.next(); if (withinDNSubtree(dns, subtree)) { throw new PKIXNameConstraintValidatorException( "Subject distinguished name is from an excluded subtree"); } } } private Set intersectDN(Set permitted, Set dns) { Set intersect = new HashSet(); for (Iterator it = dns.iterator(); it.hasNext();) { ASN1Sequence dn = ASN1Sequence.getInstance(((GeneralSubtree)it .next()).getBase().getName().getDERObject()); if (permitted == null) { if (dn != null) { intersect.add(dn); } } else { Iterator _iter = permitted.iterator(); while (_iter.hasNext()) { ASN1Sequence subtree = (ASN1Sequence)_iter.next(); if (withinDNSubtree(dn, subtree)) { intersect.add(dn); } else if (withinDNSubtree(subtree, dn)) { intersect.add(subtree); } } } } return intersect; } private Set unionDN(Set excluded, ASN1Sequence dn) { if (excluded.isEmpty()) { if (dn == null) { return excluded; } excluded.add(dn); return excluded; } else { Set intersect = new HashSet(); Iterator it = excluded.iterator(); while (it.hasNext()) { ASN1Sequence subtree = (ASN1Sequence)it.next(); if (withinDNSubtree(dn, subtree)) { intersect.add(subtree); } else if (withinDNSubtree(subtree, dn)) { intersect.add(dn); } else { intersect.add(subtree); intersect.add(dn); } } return intersect; } } private Set intersectEmail(Set permitted, Set emails) { Set intersect = new HashSet(); for (Iterator it = emails.iterator(); it.hasNext();) { String email = extractNameAsString(((GeneralSubtree)it.next()) .getBase()); if (permitted == null) { if (email != null) { intersect.add(email); } } else { Iterator it2 = permitted.iterator(); while (it2.hasNext()) { String _permitted = (String)it2.next(); intersectEmail(email, _permitted, intersect); } } } return intersect; } private Set unionEmail(Set excluded, String email) { if (excluded.isEmpty()) { if (email == null) { return excluded; } excluded.add(email); return excluded; } else { Set union = new HashSet(); Iterator it = excluded.iterator(); while (it.hasNext()) { String _excluded = (String)it.next(); unionEmail(_excluded, email, union); } return union; } } /** * Returns the intersection of the permitted IP ranges in * <code>permitted</code> with <code>ip</code>. * * @param permitted A <code>Set</code> of permitted IP addresses with * their subnet mask as byte arrays. * @param ips The IP address with its subnet mask. * @return The <code>Set</code> of permitted IP ranges intersected with * <code>ip</code>. */ private Set intersectIP(Set permitted, Set ips) { Set intersect = new HashSet(); for (Iterator it = ips.iterator(); it.hasNext();) { byte[] ip = ASN1OctetString.getInstance( ((GeneralSubtree)it.next()).getBase().getName()).getOctets(); if (permitted == null) { if (ip != null) { intersect.add(ip); } } else { Iterator it2 = permitted.iterator(); while (it2.hasNext()) { byte[] _permitted = (byte[])it2.next(); intersect.addAll(intersectIPRange(_permitted, ip)); } } } return intersect; } /** * Returns the union of the excluded IP ranges in <code>excluded</code> * with <code>ip</code>. * * @param excluded A <code>Set</code> of excluded IP addresses with their * subnet mask as byte arrays. * @param ip The IP address with its subnet mask. * @return The <code>Set</code> of excluded IP ranges unified with * <code>ip</code> as byte arrays. */ private Set unionIP(Set excluded, byte[] ip) { if (excluded.isEmpty()) { if (ip == null) { return excluded; } excluded.add(ip); return excluded; } else { Set union = new HashSet(); Iterator it = excluded.iterator(); while (it.hasNext()) { byte[] _excluded = (byte[])it.next(); union.addAll(unionIPRange(_excluded, ip)); } return union; } } /** * Calculates the union if two IP ranges. * * @param ipWithSubmask1 The first IP address with its subnet mask. * @param ipWithSubmask2 The second IP address with its subnet mask. * @return A <code>Set</code> with the union of both addresses. */ private Set unionIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) { Set set = new HashSet(); // difficult, adding always all IPs is not wrong if (Arrays.areEqual(ipWithSubmask1, ipWithSubmask2)) { set.add(ipWithSubmask1); } else { set.add(ipWithSubmask1); set.add(ipWithSubmask2); } return set; } /** * Calculates the interesction if two IP ranges. * * @param ipWithSubmask1 The first IP address with its subnet mask. * @param ipWithSubmask2 The second IP address with its subnet mask. * @return A <code>Set</code> with the single IP address with its subnet * mask as a byte array or an empty <code>Set</code>. */ private Set intersectIPRange(byte[] ipWithSubmask1, byte[] ipWithSubmask2) { if (ipWithSubmask1.length != ipWithSubmask2.length) { return Collections.EMPTY_SET; } byte[][] temp = extractIPsAndSubnetMasks(ipWithSubmask1, ipWithSubmask2); byte ip1[] = temp[0]; byte subnetmask1[] = temp[1]; byte ip2[] = temp[2]; byte subnetmask2[] = temp[3]; byte minMax[][] = minMaxIPs(ip1, subnetmask1, ip2, subnetmask2); byte[] min; byte[] max; max = min(minMax[1], minMax[3]); min = max(minMax[0], minMax[2]); // minimum IP address must be bigger than max if (compareTo(min, max) == 1) { return Collections.EMPTY_SET; } // OR keeps all significant bits byte[] ip = or(minMax[0], minMax[2]); byte[] subnetmask = or(subnetmask1, subnetmask2); return Collections.singleton(ipWithSubnetMask(ip, subnetmask)); } /** * Concatenates the IP address with its subnet mask. * * @param ip The IP address. * @param subnetMask Its subnet mask. * @return The concatenated IP address with its subnet mask. */ private byte[] ipWithSubnetMask(byte[] ip, byte[] subnetMask) { int ipLength = ip.length; byte[] temp = new byte[ipLength * 2]; System.arraycopy(ip, 0, temp, 0, ipLength); System.arraycopy(subnetMask, 0, temp, ipLength, ipLength); return temp; } /** * Splits the IP addresses and their subnet mask. * * @param ipWithSubmask1 The first IP address with the subnet mask. * @param ipWithSubmask2 The second IP address with the subnet mask. * @return An array with two elements. Each element contains the IP address * and the subnet mask in this order. */ private byte[][] extractIPsAndSubnetMasks( byte[] ipWithSubmask1, byte[] ipWithSubmask2) { int ipLength = ipWithSubmask1.length / 2; byte ip1[] = new byte[ipLength]; byte subnetmask1[] = new byte[ipLength]; System.arraycopy(ipWithSubmask1, 0, ip1, 0, ipLength); System.arraycopy(ipWithSubmask1, ipLength, subnetmask1, 0, ipLength); byte ip2[] = new byte[ipLength]; byte subnetmask2[] = new byte[ipLength]; System.arraycopy(ipWithSubmask2, 0, ip2, 0, ipLength); System.arraycopy(ipWithSubmask2, ipLength, subnetmask2, 0, ipLength); return new byte[][] {ip1, subnetmask1, ip2, subnetmask2}; } /** * Based on the two IP addresses and their subnet masks the IP range is * computed for each IP address - subnet mask pair and returned as the * minimum IP address and the maximum address of the range. * * @param ip1 The first IP address. * @param subnetmask1 The subnet mask of the first IP address. * @param ip2 The second IP address. * @param subnetmask2 The subnet mask of the second IP address. * @return A array with two elements. The first/second element contains the * min and max IP address of the first/second IP address and its * subnet mask. */ private byte[][] minMaxIPs( byte[] ip1, byte[] subnetmask1, byte[] ip2, byte[] subnetmask2) { int ipLength = ip1.length; byte[] min1 = new byte[ipLength]; byte[] max1 = new byte[ipLength]; byte[] min2 = new byte[ipLength]; byte[] max2 = new byte[ipLength]; for (int i = 0; i < ipLength; i++) { min1[i] = (byte)(ip1[i] & subnetmask1[i]); max1[i] = (byte)(ip1[i] & subnetmask1[i] | ~subnetmask1[i]); min2[i] = (byte)(ip2[i] & subnetmask2[i]); max2[i] = (byte)(ip2[i] & subnetmask2[i] | ~subnetmask2[i]); } return new byte[][]{min1, max1, min2, max2}; } private void checkPermittedEmail(Set permitted, String email) throws PKIXNameConstraintValidatorException {⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -