📄 rfc3280certpathutilities.java
字号:
{ continue; } boolean _found = false; Iterator _childrenIter = _node.getChildren(); while (_childrenIter.hasNext()) { PKIXPolicyNode _child = (PKIXPolicyNode)_childrenIter.next(); if (_policy.equals(_child.getValidPolicy())) { _found = true; } } if (!_found) { Set _newChildExpectedPolicies = new HashSet(); _newChildExpectedPolicies.add(_policy); PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false); _node.addChild(_newChild); policyNodes[i].add(_newChild); } } } break; } } } PKIXPolicyNode _validPolicyTree = validPolicyTree; // // (d) (3) // for (int j = (i - 1); j >= 0; j--) { List nodes = policyNodes[j]; for (int k = 0; k < nodes.size(); k++) { PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k); if (!node.hasChildren()) { _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, node); if (_validPolicyTree == null) { break; } } } } // // d (4) // Set criticalExtensionOids = cert.getCriticalExtensionOIDs(); if (criticalExtensionOids != null) { boolean critical = criticalExtensionOids.contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); List nodes = policyNodes[i]; for (int j = 0; j < nodes.size(); j++) { PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(j); node.setCritical(critical); } } return _validPolicyTree; } return null; } protected static void processCertA( CertPath certPath, ExtendedPKIXParameters paramsPKIX, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Principal workingIssuerName, X509Certificate sign) throws ExtCertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (a) verify // if (!verificationAlreadyPerformed) { try { // (a) (1) // CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, paramsPKIX.getSigProvider()); } catch (GeneralSecurityException e) { throw new ExtCertPathValidatorException("Could not validate certificate signature.", e, certPath, index); } } try { // (a) (2) // cert.checkValidity(CertPathValidatorUtilities .getValidCertDateFromValidityModel(paramsPKIX, certPath, index)); } catch (CertificateExpiredException e) { throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } catch (CertificateNotYetValidException e) { throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index); } // // (a) (3) // if (paramsPKIX.isRevocationEnabled()) { try { checkCRLs(paramsPKIX, cert, CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, certPath, index), sign, workingPublicKey, certs); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException(e.getMessage(), e.getCause(), certPath, index); } } // // (a) (4) name chaining // if (!CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).equals(workingIssuerName)) { throw new ExtCertPathValidatorException("IssuerName(" + CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert) + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, certPath, index); } } protected static int prepareNextCertI1( CertPath certPath, int index, int explicitPolicy) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (i) // ASN1Sequence pc = null; try { pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.POLICY_CONSTRAINTS)); } catch (Exception e) { throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath, index); } int tmpInt; if (pc != null) { Enumeration policyConstraints = pc.getObjects(); while (policyConstraints.hasMoreElements()) { try { ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement()); if (constraint.getTagNo() == 0) { tmpInt = DERInteger.getInstance(constraint).getValue().intValue(); if (tmpInt < explicitPolicy) { return tmpInt; } break; } } catch (IllegalArgumentException e) { throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.", e, certPath, index); } } } return explicitPolicy; } protected static int prepareNextCertI2( CertPath certPath, int index, int policyMapping) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (i) // ASN1Sequence pc = null; try { pc = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.POLICY_CONSTRAINTS)); } catch (Exception e) { throw new ExtCertPathValidatorException("Policy constraints extension cannot be decoded.", e, certPath, index); } int tmpInt; if (pc != null) { Enumeration policyConstraints = pc.getObjects(); while (policyConstraints.hasMoreElements()) { try { ASN1TaggedObject constraint = ASN1TaggedObject.getInstance(policyConstraints.nextElement()); if (constraint.getTagNo() == 1) { tmpInt = DERInteger.getInstance(constraint).getValue().intValue(); if (tmpInt < policyMapping) { return tmpInt; } break; } } catch (IllegalArgumentException e) { throw new ExtCertPathValidatorException("Policy constraints extension contents cannot be decoded.", e, certPath, index); } } } return policyMapping; } protected static void prepareNextCertG( CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (g) handle the name constraints extension // NameConstraints nc = null; try { ASN1Sequence ncSeq = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.NAME_CONSTRAINTS)); if (ncSeq != null) { nc = new NameConstraints(ncSeq); } } catch (Exception e) { throw new ExtCertPathValidatorException("Name constraints extension could not be decoded.", e, certPath, index); } if (nc != null) { // // (g) (1) permitted subtrees // ASN1Sequence permitted = nc.getPermittedSubtrees(); if (permitted != null) { try { nameConstraintValidator.intersectPermittedSubtree(permitted); } catch (Exception ex) { throw new ExtCertPathValidatorException( "Permitted subtrees cannot be build from name constraints extension.", ex, certPath, index); } } // // (g) (2) excluded subtrees // ASN1Sequence excluded = nc.getExcludedSubtrees(); if (excluded != null) { Enumeration e = excluded.getObjects(); try { while (e.hasMoreElements()) { GeneralSubtree subtree = GeneralSubtree.getInstance(e.nextElement()); nameConstraintValidator.addExcludedSubtree(subtree); } } catch (Exception ex) { throw new ExtCertPathValidatorException( "Excluded subtrees cannot be build from name constraints extension.", ex, certPath, index); } } } } /** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status should be * checked. * @param defaultCRLSignCert The issuer certificate of the c⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -