package org.bouncycastle.jce.provider;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.TargetInformation;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;
import org.bouncycastle.x509.ExtendedPKIXParameters;
import org.bouncycastle.x509.PKIXAttrCertChecker;
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CertStoreSelector;

import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

/**
 * Helper routines for validating attribute certificates according to RFC 3281
 * ("An Internet Attribute Certificate Profile for Authorization").
 * <p>
 * The <code>processAttrCertN</code> methods follow the numbered steps of the
 * validation procedure in section 5 of the RFC; <code>checkCRLs</code>
 * performs the CRL based revocation check of an attribute certificate. The
 * helpers are stateless and package private; they are driven by the PKIX
 * attribute certificate validator and builder of this provider.
 */
class RFC3281CertPathUtilities
{
    /** OID of the target information extension (id-ce-targetInformation). */
    private static final String TARGET_INFORMATION = X509Extensions.TargetInformation
        .getId();

    /**
     * OID of the "no revocation available" extension (id-ce-noRevAvail). Its
     * presence tells the validator that no revocation information exists for
     * the attribute certificate, so CRL processing is skipped.
     */
    private static final String NO_REV_AVAIL = X509Extensions.NoRevAvail
        .getId();
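/** OID of the CRL distribution points extension (id-ce-cRLDistributionPoints). */
private static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints
    .getId();

/** OID of the authority information access extension (id-pe-authorityInfoAccess). */
private static final String AUTHORITY_INFO_ACCESS = X509Extensions.AuthorityInfoAccess
    .getId();

/**
 * RFC 3281 section 5, step 7: processes the critical extensions of an
 * attribute certificate.
 * <p>
 * The target information extension is only decoded here to make sure it is
 * well formed; the actual targeting check was already done in step 6 (see
 * <code>X509AttributeCertStoreSelector</code>). Every other critical
 * extension is handed to the {@link PKIXAttrCertChecker}s configured in
 * <code>pkixParams</code>; a checker is expected to remove the OIDs it
 * understands from the set it is given. Any critical extension still left
 * afterwards is unknown and the certificate is rejected.
 *
 * @param attrCert       The attribute certificate to check.
 * @param certPath       The certification path of the attribute certificate issuer.
 * @param holderCertPath The certification path of the holder certificate.
 * @param pkixParams     PKIX parameters providing the attribute certificate checkers.
 * @throws CertPathValidatorException if the target information extension
 *             cannot be decoded, a checker rejects the certificate or an
 *             unsupported critical extension is present.
 */
protected static void processAttrCert7(X509AttributeCertificate attrCert,
    CertPath certPath, CertPath holderCertPath,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    // TODO:
    // AA Controls
    // Attribute encryption
    // Proxy

    // Work on a private copy: the set is modified below and by the checkers,
    // and an implementation may return null for a certificate without
    // extensions, which must read as "no critical extensions" rather than
    // fail with a NullPointerException.
    Set criticalOids = attrCert.getCriticalExtensionOIDs();
    Set set = (criticalOids == null) ? new HashSet() : new HashSet(criticalOids);

    // 7.1
    // process extensions

    // target information checked in step 6 / X509AttributeCertStoreSelector
    if (set.contains(TARGET_INFORMATION))
    {
        try
        {
            TargetInformation.getInstance(CertPathValidatorUtilities
                .getExtensionValue(attrCert, TARGET_INFORMATION));
        }
        catch (AnnotatedException e)
        {
            throw new ExtCertPathValidatorException(
                "Target information extension could not be read.", e);
        }
        catch (IllegalArgumentException e)
        {
            throw new ExtCertPathValidatorException(
                "Target information extension could not be read.", e);
        }
    }
    set.remove(TARGET_INFORMATION);

    for (Iterator it = pkixParams.getAttrCertCheckers().iterator(); it
        .hasNext();)
    {
        ((PKIXAttrCertChecker) it.next()).check(attrCert, certPath,
            holderCertPath, set);
    }

    // Fail closed: a critical extension that no checker claimed cannot be
    // honoured, so the certificate must not be accepted.
    if (!set.isEmpty())
    {
        throw new CertPathValidatorException(
            "Attribute certificate contains unsupported critical extensions: "
                + set);
    }
}

/**
 * Checks if an attribute certificate is revoked.
 * <p>
 * Nothing is done when revocation checking is disabled in
 * <code>paramsPKIX</code>. If the certificate carries the noRevAvail
 * extension no revocation information is expected to exist for it, and the
 * certificate is rejected only if it nevertheless carries a CRL distribution
 * points or authority information access extension. Otherwise the CRL
 * distribution points of the certificate are tried first and, if the status
 * is still undetermined, a CRL issued directly by the certificate issuer.
 * The check fails closed: when no valid CRL can be found, or the CRLs found
 * do not cover all revocation reasons, an exception is thrown.
 *
 * @param attrCert Attribute certificate to check if it is revoked.
 * @param paramsPKIX PKIX parameters.
 * @param issuerCert The issuer certificate of the attribute certificate
 *            <code>attrCert</code>.
 * @param validDate The date when the certificate revocation status should
 *            be checked.
 * @param certPathCerts The certificates of the certification path to be
 *            checked.
 *
 * @throws CertPathValidatorException if the certificate is revoked or the
 *             status cannot be checked or some error occurs.
 */
protected static void checkCRLs(X509AttributeCertificate attrCert,
    ExtendedPKIXParameters paramsPKIX, X509Certificate issuerCert,
    Date validDate, List certPathCerts) throws CertPathValidatorException
{
    if (!paramsPKIX.isRevocationEnabled())
    {
        return;
    }

    // check if revocation is available
    if (attrCert.getExtensionValue(NO_REV_AVAIL) != null)
    {
        // noRevAvail together with a revocation pointer is contradictory;
        // treat it as a hard error instead of silently trusting either side.
        if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null
            || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null)
        {
            throw new CertPathValidatorException(
                "No rev avail extension is set, but also an AC revocation pointer.");
        }
        return;
    }

    // crldp stays null when the certificate has no CRL distribution points
    // extension (getInstance(null) is expected to yield null).
    CRLDistPoint crldp = null;
    try
    {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities
            .getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS));
    }
    catch (AnnotatedException e)
    {
        throw new CertPathValidatorException(
            "CRL distribution point extension could not be read.", e);
    }
    try
    {
        CertPathValidatorUtilities
            .addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    }
    catch (AnnotatedException e)
    {
        throw new CertPathValidatorException(
            "No additional CRL locations could be decoded from CRL distribution point extension.",
            e);
    }
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();

    AnnotatedException lastException = null;
    boolean validCrlFound = false;

    // for each distribution point
    if (crldp != null)
    {
        DistributionPoint dps[] = null;
        try
        {
            dps = crldp.getDistributionPoints();
        }
        catch (Exception e)
        {
            throw new ExtCertPathValidatorException(
                "Distribution points could not be read.", e);
        }
        try
        {
            // stop as soon as the certificate is known to be revoked or a
            // CRL has been found for every revocation reason
            for (int i = 0; i < dps.length
                && certStatus.getCertStatus() == CertStatus.UNREVOKED
                && !reasonsMask.isAllReasons(); i++)
            {
                // every distribution point works on an untouched copy of
                // the parameters
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX
                    .clone();
                checkCRL(dps[i], attrCert, paramsPKIXClone, validDate,
                    issuerCert, certStatus, reasonsMask, certPathCerts);
                validCrlFound = true;
            }
        }
        catch (AnnotatedException e)
        {
            lastException = new AnnotatedException(
                "No valid CRL for distribution point found.", e);
        }
    }

    /*
     * If the revocation status has not been determined, repeat the
     * process above with any available CRLs not specified in a
     * distribution point but issued by the certificate issuer.
     */
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED
        && !reasonsMask.isAllReasons())
    {
        try
        {
            /*
             * assume a DP with both the reasons and the cRLIssuer
             * fields omitted and a distribution point name of the
             * certificate issuer.
             */
            DERObject issuer = null;
            try
            {
                issuer = new ASN1InputStream(
                    ((X500Principal) attrCert.getIssuer()
                        .getPrincipals()[0]).getEncoded())
                    .readObject();
            }
            catch (Exception e)
            {
                throw new AnnotatedException(
                    "Issuer from certificate for CRL could not be reencoded.",
                    e);
            }
            // 0 selects the fullName choice of DistributionPointName
            DistributionPoint dp = new DistributionPoint(
                new DistributionPointName(0, new GeneralNames(
                    new GeneralName(GeneralName.directoryName, issuer))),
                null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX
                .clone();
            checkCRL(dp, attrCert, paramsPKIXClone, validDate, issuerCert,
                certStatus, reasonsMask, certPathCerts);
            validCrlFound = true;
        }
        catch (AnnotatedException e)
        {
            lastException = new AnnotatedException(
                "No valid CRL for distribution point found.", e);
        }
    }

    // fail closed: no usable CRL means the status is unknown, not "good"
    if (!validCrlFound)
    {
        throw new ExtCertPathValidatorException("No valid CRL found.",
            lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED)
    {
        String message = "Attribute certificate revocation after "
            + certStatus.getRevocationDate();
        message += ", reason: "
            + RFC3280CertPathUtilities.crlReasons[certStatus
                .getCertStatus()];
        throw new CertPathValidatorException(message);
    }
    // CRLs that do not cover every revocation reason leave the status
    // undetermined
    if (!reasonsMask.isAllReasons()
        && certStatus.getCertStatus() == CertStatus.UNREVOKED)
    {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED)
    {
        throw new CertPathValidatorException(
            "Attribute certificate status could not be determined.");
    }
}

/**
 * Checks the attribute set of an attribute certificate against the policy
 * in <code>pkixParams</code>: none of the prohibited attribute types may be
 * present and every necessary attribute type must be present.
 *
 * @param attrCert   The attribute certificate to check.
 * @param pkixParams PKIX parameters carrying the prohibited and necessary
 *                   attribute OIDs.
 * @throws CertPathValidatorException if a prohibited attribute is present
 *             or a necessary attribute is missing.
 */
protected static void additionalChecks(X509AttributeCertificate attrCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    // 1
    for (Iterator it = pkixParams.getProhibitedACAttributes().iterator(); it
        .hasNext();)
    {
        String oid = (String) it.next();
        if (attrCert.getAttributes(oid) != null)
        {
            throw new CertPathValidatorException(
                "Attribute certificate contains prohibited attribute: "
                    + oid + ".");
        }
    }
    for (Iterator it = pkixParams.getNecessaryACAttributes().iterator(); it
        .hasNext();)
    {
        String oid = (String) it.next();
        if (attrCert.getAttributes(oid) == null)
        {
            throw new CertPathValidatorException(
                "Attribute certificate does not contain necessary attribute: "
                    + oid + ".");
        }
    }
}

/**
 * RFC 3281 section 5, step 5: checks that the attribute certificate is
 * within its validity period at the validation date taken from
 * <code>pkixParams</code>.
 *
 * @param attrCert   The attribute certificate to check.
 * @param pkixParams PKIX parameters providing the validation date.
 * @throws CertPathValidatorException if the certificate is expired or not
 *             yet valid at that date.
 */
protected static void processAttrCert5(X509AttributeCertificate attrCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    try
    {
        attrCert.checkValidity(CertPathValidatorUtilities
            .getValidDate(pkixParams));
    }
    catch (CertificateExpiredException e)
    {
        throw new ExtCertPathValidatorException(
            "Attribute certificate is not valid.", e);
    }
    catch (CertificateNotYetValidException e)
    {
        throw new ExtCertPathValidatorException(
            "Attribute certificate is not valid.", e);
    }
}

/**
 * RFC 3281 section 5, step 4: the issuer of the attribute certificate must
 * be directly trusted, i.e. one of the trusted AC issuers configured in
 * <code>pkixParams</code> must name the issuer certificate's subject (in
 * RFC 2253 form) or hold the issuer certificate itself.
 *
 * @param acIssuerCert The certificate of the attribute certificate issuer.
 * @param pkixParams   PKIX parameters providing the trusted AC issuers.
 * @throws CertPathValidatorException if no trusted AC issuer matches.
 */
protected static void processAttrCert4(X509Certificate acIssuerCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    Set set = pkixParams.getTrustedACIssuers();
    for (Iterator it = set.iterator(); it.hasNext();)
    {
        TrustAnchor anchor = (TrustAnchor) it.next();
        // the first matching anchor is sufficient; no need to scan the rest
        if (acIssuerCert.getSubjectX500Principal().getName("RFC2253")
            .equals(anchor.getCAName())
            || acIssuerCert.equals(anchor.getTrustedCert()))
        {
            return;
        }
    }
    throw new CertPathValidatorException(
        "Attribute certificate issuer is not directly trusted.");
}

protected static void processAttrCert3(X509Certificate acIssuerCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{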