jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
author jjg
Mon, 15 Aug 2011 11:48:20 -0700
changeset 10336 0bb1999251f8
parent 8798 088871daae86
child 22977 f8f315760941
permissions -rw-r--r--
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror Reviewed-by: xuelei, mullan Contributed-by: alexandre.boulgakov@oracle.com
/*
 * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.provider.certpath;
import java.io.IOException;
import java.util.Date;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.CertificateException;
import sun.security.util.DerOutputStream;
import sun.security.x509.SerialNumber;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.AuthorityKeyIdentifierExtension;
/**
 * An adaptable X509 certificate selector for forward certification path
 * building.
 *
 * @since 1.7
 */
class AdaptableX509CertSelector extends X509CertSelector {
    // The start date of a validity period; null means "not checked".
    // Only consulted by match(), and only for version 1 and 2 certificates.
    private Date startDate;

    // The end date of a validity period; null means "not checked".
    // Only consulted by match(), and only for version 1 and 2 certificates.
    private Date endDate;

    // Is subject key identifier sensitive?
    //
    // Set once parseAuthorityKeyIdentifierExtension() has derived the
    // subjectKeyIdentifier criterion from an AKID extension, and never
    // cleared afterwards. While set, later AKID parses may overwrite the
    // criterion, and match() may clear it for certificates that cannot carry
    // a subject key identifier (version 1/2, or no SKID extension).
    private boolean isSKIDSensitive = false;

    // Is serial number sensitive?
    //
    // Same role as isSKIDSensitive, for the serialNumber criterion derived
    // from the AKID's authorityCertSerialNumber field; while set, match()
    // clears that criterion for version 1 and 2 certificates.
    private boolean isSNSensitive = false;
    /**
     * Creates a selector with no criteria set. Callers narrow it through the
     * inherited X509CertSelector setters, setValidityPeriod() and
     * parseAuthorityKeyIdentifierExtension() before calling match().
     */
    AdaptableX509CertSelector() {
        // Nothing to initialise beyond the implicit superclass constructor
        // and the field defaults.
    }
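    /**
     * Sets the criterion of the X509Certificate validity period.
     *
     * Normally, we may not have to check that a certificate validity period
     * must fall within its issuer's certificate validity period. However,
     * when we face root CA key updates for version 1 certificates, according
     * to scheme of RFC 4210 or 2510, the validity periods should be checked
     * to determine the right issuer's certificate.
     *
     * Conservatively, we will only check the validity periods for version
     * 1 and version 2 certificates. For version 3 certificates, we can
     * determine the right issuer by authority and subject key identifier
     * extensions.
     *
     * Both dates are copied, so later mutation of the caller's Date objects
     * cannot change the criterion after the fact. A null date disables the
     * corresponding bound.
     *
     * @param startDate the start date of a validity period that must fall
     *        within the certificate validity period for the X509Certificate,
     *        or null to skip that check
     * @param endDate the end date of a validity period that must fall
     *        within the certificate validity period for the X509Certificate,
     *        or null to skip that check
     */
    void setValidityPeriod(Date startDate, Date endDate) {
        // Defensive copies: java.util.Date is mutable and match() reads these
        // fields later, so the criterion must not alias the caller's objects.
        this.startDate =
            (startDate == null) ? null : new Date(startDate.getTime());
        this.endDate =
            (endDate == null) ? null : new Date(endDate.getTime());
    }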
    /**
     * Parse the authority key identifier extension.
     *
     * If the keyIdentifier field of the extension is non-null, set the
     * subjectKeyIdentifier criterion. If the authorityCertSerialNumber
     * field is non-null, set the serialNumber criterion.
     *
     * A criterion that the caller set before the first parse is left alone;
     * once a parse has populated a criterion itself, every later parse
     * overwrites it with the new extension's value.
     *
     * Note that we will not set the subject criterion according to the
     * authorityCertIssuer field of the extension. The caller MUST set
     * the subject criterion before call match().
     *
     * @param akidext the authorityKeyIdentifier extension, may be null
     * @throws IOException if a field of the extension cannot be read
     */
    void parseAuthorityKeyIdentifierExtension(
            AuthorityKeyIdentifierExtension akidext) throws IOException {
        if (akidext == null) {
            return;
        }

        // keyIdentifier -> subjectKeyIdentifier criterion.
        KeyIdentifier keyId = (KeyIdentifier)akidext.get(
                AuthorityKeyIdentifierExtension.KEY_ID);
        boolean applyKeyId = (keyId != null)
                && (isSKIDSensitive || getSubjectKeyIdentifier() == null);
        if (applyKeyId) {
            // X509CertSelector takes the DER-encoded extension value, i.e.
            // the raw identifier wrapped in an OCTET STRING.
            DerOutputStream encoder = new DerOutputStream();
            encoder.putOctetString(keyId.getIdentifier());
            super.setSubjectKeyIdentifier(encoder.toByteArray());

            isSKIDSensitive = true;
        }

        // authorityCertSerialNumber -> serialNumber criterion.
        SerialNumber issuerSerial = (SerialNumber)akidext.get(
                AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
        boolean applySerial = (issuerSerial != null)
                && (isSNSensitive || getSerialNumber() == null);
        if (applySerial) {
            super.setSerialNumber(issuerSerial.getNumber());
            isSNSensitive = true;
        }

        // The subject criterion is deliberately left to the caller.
    }
    /**
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   132
     * Decides whether a <code>Certificate</code> should be selected.
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   133
     *
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   134
     * For the purpose of compatibility, when a certificate is of
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   135
     * version 1 and version 2, or the certificate does not include
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   136
     * a subject key identifier extension, the selection criterion
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   137
     * of subjectKeyIdentifier will be disabled.
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   138
     */
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   139
    @Override
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   140
    public boolean match(Certificate cert) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   141
        if (!(cert instanceof X509Certificate)) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   142
            return false;
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   143
        }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   144
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   145
        X509Certificate xcert = (X509Certificate)cert;
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   146
        int version = xcert.getVersion();
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   147
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   148
        // Check the validity period for version 1 and 2 certificate.
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   149
        if (version < 3) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   150
            if (startDate != null) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   151
                try {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   152
                    xcert.checkValidity(startDate);
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   153
                } catch (CertificateException ce) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   154
                    return false;
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   155
                }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   156
            }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   157
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   158
            if (endDate != null) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   159
                try {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   160
                    xcert.checkValidity(endDate);
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   161
                } catch (CertificateException ce) {
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   162
                    return false;
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   163
                }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   164
            }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   165
        }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   166
8790
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   167
        // If no SubjectKeyIdentifier extension, don't bother to check it.
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   168
        if (isSKIDSensitive &&
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   169
            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
8163
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   170
            setSubjectKeyIdentifier(null);
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   171
        }
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
diff changeset
   172
8790
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   173
        // In practice, a CA may replace its root certificate and require that
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   174
        // the existing certificate is still valid, even if the AKID extension
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   175
        // does not match the replacement root certificate fields.
2a8d836ee007 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
xuelei
parents: 8163
diff changeset
   176
        //
        // Conservatively, we only support the replacement for version 1 and
        // version 2 certificate. As for version 2, the certificate extension
        // may contain sensitive information (for example, policies), the
        // AKID needs to be respected to locate the exact certificate in case
        // of key or certificate abuse.
        if (isSNSensitive && version < 3) {
            setSerialNumber(null);
        }
        return super.match(cert);
    }
    /**
     * Returns a copy of this selector.
     *
     * The superclass state is duplicated by {@code super.clone()}; the two
     * {@code Date} fields ({@code startDate}, {@code endDate}) are then
     * cloned individually, because {@code java.util.Date} is mutable and the
     * copy must not share those instances with the original.
     *
     * @return a copy of this selector
     */
    @Override
    public Object clone() {
        AdaptableX509CertSelector dup =
                (AdaptableX509CertSelector) super.clone();

        // A null window bound stays null; a non-null one gets its own Date
        // instance so mutating one selector cannot alter the other.
        dup.startDate = (startDate == null) ? null : (Date) startDate.clone();
        dup.endDate = (endDate == null) ? null : (Date) endDate.clone();

        return dup;
    }
}