jdk-sandbox: jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java@659824c2a550 (annotated)

4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	1	/*
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	2	* Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	4	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	10	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	15	* accompanied this code).
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	16	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	23	* questions.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	24	*/
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	25
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	26	package sun.security.provider.certpath;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	27
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	28	import java.security.AlgorithmConstraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	29	import java.security.CryptoPrimitive;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	30	import java.util.Collection;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	31	import java.util.Collections;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	32	import java.util.Set;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	33	import java.util.EnumSet;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	34	import java.util.HashSet;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	35	import java.math.BigInteger;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	36	import java.security.PublicKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	37	import java.security.KeyFactory;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	38	import java.security.AlgorithmParameters;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	39	import java.security.NoSuchAlgorithmException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	40	import java.security.GeneralSecurityException;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	41	import java.security.cert.Certificate;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	42	import java.security.cert.X509CRL;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	43	import java.security.cert.X509Certificate;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	44	import java.security.cert.PKIXCertPathChecker;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	45	import java.security.cert.TrustAnchor;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	46	import java.security.cert.CRLException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	47	import java.security.cert.CertificateException;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	48	import java.security.cert.CertPathValidatorException;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	49	import java.io.IOException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	50	import java.security.interfaces.*;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	51	import java.security.spec.*;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	52
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	53	import sun.security.util.DisabledAlgorithmConstraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	54	import sun.security.x509.X509CertImpl;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	55	import sun.security.x509.X509CRLImpl;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	56	import sun.security.x509.AlgorithmId;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	57
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	58	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	59	* A <code>PKIXCertPathChecker</code> implementation to check whether a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	60	* specified certificate contains the required algorithm constraints.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	61	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	62	* Certificate fields such as the subject public key, the signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	63	* algorithm, key usage, extended key usage, etc. need to conform to
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	64	* the specified algorithm constraints.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	65	*
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	66	* @see PKIXCertPathChecker
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	67	* @see PKIXParameters
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	68	*/
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	69	final public class AlgorithmChecker extends PKIXCertPathChecker {
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	70
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	71	private final AlgorithmConstraints constraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	72	private final PublicKey trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	73	private PublicKey prevPubKey;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	74
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	75	private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	76	EnumSet.of(CryptoPrimitive.SIGNATURE);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	77
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	78	private final static DisabledAlgorithmConstraints
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	79	certPathDefaultConstraints = new DisabledAlgorithmConstraints(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	80	DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	81
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	82	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	83	* Create a new <code>AlgorithmChecker</code> with the algorithm
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	84	* constraints specified in security property
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	85	* "jdk.certpath.disabledAlgorithms".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	86	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	87	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	88	* certificate
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	89	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	90	public AlgorithmChecker(TrustAnchor anchor) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	91	this(anchor, certPathDefaultConstraints);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	92	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	93
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	94	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	95	* Create a new <code>AlgorithmChecker</code> with the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	96	* given {@code AlgorithmConstraints}.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	97	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	98	* Note that this constructor will be used to check a certification
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	99	* path where the trust anchor is unknown, or a certificate list which may
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	100	* contain the trust anchor. This constructor is used by SunJSSE.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	101	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	102	* @param constraints the algorithm constraints (or null)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	103	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	104	public AlgorithmChecker(AlgorithmConstraints constraints) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	105	this.prevPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	106	this.trustedPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	107	this.constraints = constraints;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	108	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	109
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	110	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	111	* Create a new <code>AlgorithmChecker</code> with the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	112	* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	113	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	114	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	115	* certificate
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	116	* @param constraints the algorithm constraints (or null)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	117	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	118	* @throws IllegalArgumentException if the <code>anchor</code> is null
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	119	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	120	public AlgorithmChecker(TrustAnchor anchor,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	121	AlgorithmConstraints constraints) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	122
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	123	if (anchor == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	124	throw new IllegalArgumentException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	125	"The trust anchor cannot be null");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	126	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	127
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	128	if (anchor.getTrustedCert() != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	129	this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	130	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	131	this.trustedPubKey = anchor.getCAPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	132	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	133
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	134	this.prevPubKey = trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	135	this.constraints = constraints;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	136	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	137
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	138	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	139	public void init(boolean forward) throws CertPathValidatorException {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	140	// Note that this class does not support forward mode.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	141	if (!forward) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	142	if (trustedPubKey != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	143	prevPubKey = trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	144	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	145	prevPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	146	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	147	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	148	throw new
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	149	CertPathValidatorException("forward checking not supported");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	150	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	151	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	152
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	153	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	154	public boolean isForwardCheckingSupported() {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	155	// Note that as this class does not support forward mode, the method
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	156	// will always returns false.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	157	return false;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	158	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	159
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	160	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	161	public Set<String> getSupportedExtensions() {
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	162	return null;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	163	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	164
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	165	@Override
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	166	public void check(Certificate cert,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	167	Collection<String> unresolvedCritExts)
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	168	throws CertPathValidatorException {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	169
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	170	if (!(cert instanceof X509Certificate) \|\| constraints == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	171	// ignore the check for non-x.509 certificate or null constraints
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	172	return;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	173	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	174
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	175	X509CertImpl x509Cert = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	176	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	177	x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	178	} catch (CertificateException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	179	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	180	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	181
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	182	PublicKey currPubKey = x509Cert.getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	183	String currSigAlg = x509Cert.getSigAlgName();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	184
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	185	AlgorithmId algorithmId = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	186	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	187	algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	188	} catch (CertificateException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	189	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	190	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	191
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	192	AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	193
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	194	// Check the current signature algorithm
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	195	if (!constraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	196	SIGNATURE_PRIMITIVE_SET,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	197	currSigAlg, currSigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	198	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	199	"Algorithm constraints check failed: " + currSigAlg);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	200	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	201
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	202	// check the key usage and key size
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	203	boolean[] keyUsage = x509Cert.getKeyUsage();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	204	if (keyUsage != null && keyUsage.length < 9) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	205	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	206	"incorrect KeyUsage extension");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	207	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	208
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	209	if (keyUsage != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	210	Set<CryptoPrimitive> primitives =
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	211	EnumSet.noneOf(CryptoPrimitive.class);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	212
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	213	if (keyUsage[0] \|\| keyUsage[1] \|\| keyUsage[5] \|\| keyUsage[6]) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	214	// keyUsage[0]: KeyUsage.digitalSignature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	215	// keyUsage[1]: KeyUsage.nonRepudiation
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	216	// keyUsage[5]: KeyUsage.keyCertSign
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	217	// keyUsage[6]: KeyUsage.cRLSign
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	218	primitives.add(CryptoPrimitive.SIGNATURE);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	219	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	220
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	221	if (keyUsage[2]) { // KeyUsage.keyEncipherment
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	222	primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	223	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	224
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	225	if (keyUsage[3]) { // KeyUsage.dataEncipherment
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	226	primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	227	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	228
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	229	if (keyUsage[4]) { // KeyUsage.keyAgreement
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	230	primitives.add(CryptoPrimitive.KEY_AGREEMENT);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	231	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	232
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	233	// KeyUsage.encipherOnly and KeyUsage.decipherOnly are
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	234	// undefined in the absence of the keyAgreement bit.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	235
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	236	if (!primitives.isEmpty()) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	237	if (!constraints.permits(primitives, currPubKey)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	238	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	239	"algorithm constraints check failed");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	240	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	241	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	242	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	243
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	244	// Check with previous cert for signature algorithm and public key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	245	if (prevPubKey != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	246	if (currSigAlg != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	247	if (!constraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	248	SIGNATURE_PRIMITIVE_SET,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	249	currSigAlg, prevPubKey, currSigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	250	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	251	"Algorithm constraints check failed: " + currSigAlg);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	252	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	253	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	254
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	255	// Inherit key parameters from previous key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	256	if (currPubKey instanceof DSAPublicKey &&
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	257	((DSAPublicKey)currPubKey).getParams() == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	258	// Inherit DSA parameters from previous key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	259	if (!(prevPubKey instanceof DSAPublicKey)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	260	throw new CertPathValidatorException("Input key is not " +
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	261	"of a appropriate type for inheriting parameters");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	262	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	263
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	264	DSAParams params = ((DSAPublicKey)prevPubKey).getParams();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	265	if (params == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	266	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	267	"Key parameters missing");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	268	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	269
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	270	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	271	BigInteger y = ((DSAPublicKey)currPubKey).getY();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	272	KeyFactory kf = KeyFactory.getInstance("DSA");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	273	DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	274	params.getP(),
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	275	params.getQ(),
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	276	params.getG());
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	277	currPubKey = kf.generatePublic(ks);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	278	} catch (GeneralSecurityException e) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	279	throw new CertPathValidatorException("Unable to generate " +
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	280	"key with inherited parameters: " + e.getMessage(), e);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	281	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	282	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	283	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	284
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	285	// reset the previous public key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	286	prevPubKey = currPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	287
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	288	// check the extended key usage, ignore the check now
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	289	// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	290
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	291	// DO NOT remove any unresolved critical extensions
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	292	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	293
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	294	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	295	* Try to set the trust anchor of the checker.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	296	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	297	* If there is no trust anchor specified and the checker has not started,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	298	* set the trust anchor.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	299	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	300	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	301	* certificate
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	302	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	303	void trySetTrustAnchor(TrustAnchor anchor) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	304	// Don't bother if the check has started or trust anchor has already
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	305	// specified.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	306	if (prevPubKey == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	307	if (anchor == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	308	throw new IllegalArgumentException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	309	"The trust anchor cannot be null");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	310	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	311
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	312	// Don't bother to change the trustedPubKey.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	313	if (anchor.getTrustedCert() != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	314	prevPubKey = anchor.getTrustedCert().getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	315	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	316	prevPubKey = anchor.getCAPublicKey();
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	317	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	318	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	319	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	320
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	321	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	322	* Check the signature algorithm with the specified public key.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	323	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	324	* @param key the public key to verify the CRL signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	325	* @param crl the target CRL
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	326	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	327	static void check(PublicKey key, X509CRL crl)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	328	throws CertPathValidatorException {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	329
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	330	X509CRLImpl x509CRLImpl = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	331	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	332	x509CRLImpl = X509CRLImpl.toImpl(crl);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	333	} catch (CRLException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	334	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	335	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	336
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	337	AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	338	check(key, algorithmId);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	339	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	340
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	341	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	342	* Check the signature algorithm with the specified public key.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	343	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	344	* @param key the public key to verify the CRL signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	345	* @param crl the target CRL
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	346	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	347	static void check(PublicKey key, AlgorithmId algorithmId)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	348	throws CertPathValidatorException {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	349	String sigAlgName = algorithmId.getName();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	350	AlgorithmParameters sigAlgParams = algorithmId.getParameters();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	351
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	352	if (!certPathDefaultConstraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	353	SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	354	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	355	"algorithm check failed: " + sigAlgName + " is disabled");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	356	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	357	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	358
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	359	}
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	360

author	xuelei
	Mon, 01 Nov 2010 07:57:46 -0700
changeset 7040	659824c2a550
parent 5506	202f599c92aa
child 8163	d9bcc1208691
permissions	-rw-r--r--