}
        if (chain == 1) {
            throw new InvalidJadException(InvalidJadException.MISSING_PROVIDER_CERT);
        }

        // None of the certificates were issued by a known CA
        throw new InvalidJadException(InvalidJadException.UNKNOWN_CA, authPath[0]);
    }

    /**
     * Check to see if a provider certificate chain is issued by a known
     * CA. Set the authPath field to names of the auth chain in any case.
     * Authenticate the chain and set the cpCert field to the provider's
     * certificate if the CA is known.
     * <p>
     * The chain is read from the application properties
     * {@code CERT_PROP + chainNum + "-" + certNum} for certNum = 1, 2, ...
     * until a property is missing. Element 0 of the decoded chain is the
     * provider (end-entity) certificate; it becomes {@code cpCert} only
     * after every check below has passed, so a caller that sees
     * {@code cpCert} set can rely on the chain having been authenticated.
     * <p>
     * Failure handling is fail-closed: a disabled CA, a revoked
     * certificate, or an OCSP status that cannot be determined all
     * result in an exception rather than a permissive result.
     *
     * @param chainNum the number of the chain
     *
     * @return 1 if the CA of the chain is known, 0 if not, -1 if the
     * chain is not found
     *
     * @exception InvalidJadException if something other wrong with a
     * other than an unknown CA (corrupt or invalid provider certificate,
     * expired certificate or CA key, disabled CA, revoked certificate,
     * or undeterminable certificate status)
     */
    private int checkCertChain(int chainNum) throws InvalidJadException {
        int certNum;
        Vector derCerts = new Vector();
        String base64Cert;
        byte[] derCert;
        WebPublicKeyStore keyStore;
        Vector keys;
        PublicKeyInfo keyInfo;

        // Collect the chain: numbering starts at 1 and stops at the first
        // missing property, so a gap in the numbering truncates the chain.
        for (certNum = 1; ; certNum++) {
            base64Cert = state.getAppProperty(CERT_PROP + chainNum + "-" + certNum);
            if (base64Cert == null) {
                break;
            }

            try {
                derCert = Base64.decode(base64Cert);
                derCerts.addElement(X509Certificate.generateCertificate(
                    derCert, 0, derCert.length));
            } catch (Exception e) {
                // Any decode or parse failure of attacker-controllable input
                // is reported uniformly; the original cause is dropped here.
                throw new InvalidJadException(
                    InvalidJadException.CORRUPT_PROVIDER_CERT);
            }
        }

        if (certNum == 1) {
            // Chain not found
            return -1;
        }

        // Out-parameter for verifyChain; presumably receives the trusted
        // CA certificate that issued the last element of derCerts (it is
        // read below as issuer.elementAt(0) when OCSP-checking that element).
        Vector issuer = new Vector(1);

        try {
            keyStore = WebPublicKeyStore.getTrustedKeyStore();
            // Validate signatures, validity periods and key-usage constraints
            // against the trusted key store; on success authPath holds the
            // subject names of the chain with the root CA at index 0.
            authPath = X509Certificate.verifyChain(derCerts,
                X509Certificate.DIGITAL_SIG_KEY_USAGE,
                X509Certificate.CODE_SIGN_EXT_KEY_USAGE,
                keyStore, issuer);
        } catch (CertificateException ce) {
            switch (ce.getReason()) {
            case CertificateException.UNRECOGNIZED_ISSUER:
                // Record the unknown issuer so the caller can name it in
                // its UNKNOWN_CA report; this is not a hard failure here.
                authPath = new String[1];
                authPath[0] = ce.getCertificate().getIssuer();
                // Issuer not found
                return 0;

            case CertificateException.EXPIRED:
            case CertificateException.NOT_YET_VALID:
                throw new InvalidJadException(
                    InvalidJadException.EXPIRED_PROVIDER_CERT,
                    ce.getCertificate().getSubject());

            case CertificateException.ROOT_CA_EXPIRED:
                throw new InvalidJadException(
                    InvalidJadException.EXPIRED_CA_KEY,
                    ce.getCertificate().getIssuer());
            }

            // Every other verifyChain failure reason is reported as an
            // invalid provider certificate.
            throw new InvalidJadException(
                InvalidJadException.INVALID_PROVIDER_CERT,
                ce.getCertificate().getSubject());
        }

        // The root CA may have been disabled for software authorization.
        // Assumes the key store still holds at least one key for the root
        // named in authPath[0], since verifyChain just succeeded against
        // it; elementAt(0) would throw otherwise.
        keys = keyStore.findKeys(authPath[0]);
        keyInfo = (PublicKeyInfo)keys.elementAt(0);
        if (!keyInfo.isEnabled()) {
            throw new InvalidJadException(
                InvalidJadException.CA_DISABLED, authPath[0]);
        }

        if (isOCSPEnabled) {
            /*
             * If USE_OSCP=true, the following code checks the certificate's
             * validity using Online Certificate Status Protocol.
             * Otherwise, certValidator.checkCertStatus() always returns
             * CertStatus.GOOD.
             */
            if (certValidator == null) {
                certValidator = new OCSPValidatorImpl();
            }

            /*
             * Go through the authorization path and send OCSP requests
             * begin with the most trusted certificate. derCerts is ordered
             * leaf first, so the index runs from the last element backwards.
             */
            for (int i = 0; i < derCerts.size(); i++) {
                int status;
                X509Certificate cert = (X509Certificate)
                    derCerts.elementAt(derCerts.size() - i - 1);

                if (!cert.hasAuthorityInfoAccess()) {
                    /*
                     * Don't use OCSP for the certificates that have not
                     * AuthorityInfoAccess extension.
                     *
                     * NOTE(review): such a certificate therefore gets no
                     * revocation check at all; whether that is acceptable
                     * depends on the policy of the trusted CAs.
                     */
                    continue;
                } else {
                    /*
                     * Searching for an entry in AuthorityInfoAccess having
                     * access method with OID == id-ad-ocsp.
                     */
                    Vector authInfoAccess = cert.getAuthorityInfoAccess(
                        AuthorityInfoAccessEntry.ACCESS_METHOD_OCSP);
                    if (authInfoAccess == null || authInfoAccess.size() == 0) {
                        // unsupported access method
                        throw new InvalidJadException(
                            InvalidJadException.UNKNOWN_CERT_STATUS,
                            cert.getSubject());
                    }
                }

                try {
                    // The issuer passed along is the trusted CA certificate
                    // for the first (most trusted) element, otherwise the
                    // chain element checked in the previous iteration.
                    status = certValidator.checkCertStatus(cert,
                        (i == 0 ? (X509Certificate)issuer.elementAt(0) :
                            (X509Certificate)
                                derCerts.elementAt(derCerts.size() - i)));
                } catch (OCSPException ocspEx) {
                    /*
                     * IMPL_NOTE: exception with some status other then
                     * UNKNOWN_CERT_STATUS should be thrown here to allow
                     * the caller to display a proper message to the user.
                     *
                     * An OCSP transport or protocol failure is mapped to
                     * UNKNOWN, which the check below rejects (fail-closed).
                     */
                    status = CertStatus.UNKNOWN;
                }

                if (status == CertStatus.REVOKED) {
                    throw new InvalidJadException(
                        InvalidJadException.REVOKED_CERT, cert.getSubject());
                } else if (status != CertStatus.GOOD) {
                    throw new InvalidJadException(
                        InvalidJadException.UNKNOWN_CERT_STATUS,
                        cert.getSubject());
                }
            }
        }

        // Only now, after chain validation, the CA-enabled check and
        // (optionally) OCSP, is the provider certificate published.
        cpCert = (X509Certificate)derCerts.elementAt(0);

        // Authenticated
        return 1;
    }

    /**
     * Common routine that verifies a stream of bytes.
     * The cpCert field must be set before calling (a successful
     * {@link #checkCertChain} sets it).
     * <p>
     * The whole stream is consumed up to end-of-stream; it is not closed
     * here, the caller owns it. Only the "SHA1withRSA" algorithm is
     * accepted for the signature.
     *
     * @param stream stream to verify
     * @param base64Signature The base64 encoding of the PKCS v1.5 SHA with
     * RSA signature of this stream.
     *
     * @exception NullPointerException if the public keystore has not been
     * established, i.e. cpCert is still null when this is called.
     * @exception InvalidJadException the JAR signature is not valid
     * (INVALID_PROVIDER_CERT if the public key cannot be extracted,
     * CORRUPT_SIGNATURE if the base64 does not decode, INVALID_SIGNATURE
     * otherwise)
     * @exception IOException if any error prevents the reading
     * of the JAR
     */
    private void verifyStream(InputStream stream, String base64Signature)
            throws InvalidJadException, IOException {
        PublicKey cpKey;
        byte[] sig;
        Signature sigVerifier;
        byte[] temp;
        int bytesRead;
        byte[] hash;

        try {
            cpKey = cpCert.getPublicKey();
        } catch (CertificateException e) {
            throw new InvalidJadException(InvalidJadException.INVALID_PROVIDER_CERT);
        }

        try {
            sig = Base64.decode(base64Signature);
        } catch (IOException e) {
            // A malformed signature string is a JAD problem, not an I/O
            // problem of the stream, so it is reported as CORRUPT_SIGNATURE.
            throw new InvalidJadException(InvalidJadException.CORRUPT_SIGNATURE);
        }

        try {
            // verify the jad signature
            sigVerifier = Signature.getInstance("SHA1withRSA");
            sigVerifier.initVerify(cpKey);

            temp = new byte[1024];
            for (; ; ) {
                bytesRead = stream.read(temp);
                if (bytesRead == -1) {
                    break;
                }

                sigVerifier.update(temp, 0, bytesRead);
            }

            if (!sigVerifier.verify(sig)) {
                throw new InvalidJadException(InvalidJadException.INVALID_SIGNATURE);
            }
        } catch (GeneralSecurityException e) {
            // Covers an unavailable algorithm, a key the verifier rejects,
            // and a malformed signature blob; the cause is not propagated,
            // so all of them surface identically as INVALID_SIGNATURE.
            throw new InvalidJadException(InvalidJadException.INVALID_SIGNATURE);
        }
    }
}