/*
|
|
2 |
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
7 |
* published by the Free Software Foundation. Sun designates this
|
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
9 |
* by Sun in the LICENSE file that accompanied this code.
|
|
10 |
*
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
15 |
* accompanied this code).
|
|
16 |
*
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
20 |
*
|
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or
|
|
23 |
* have any questions.
|
|
24 |
*/
|
|
25 |
|
|
26 |
package sun.security.provider.certpath;
|
|
27 |
|
|
28 |
import java.util.*;
|
|
29 |
import java.io.IOException;
|
|
30 |
|
|
31 |
import java.security.cert.Certificate;
|
|
32 |
import java.security.cert.CertificateException;
|
|
33 |
import java.security.cert.X509Certificate;
|
|
34 |
import java.security.cert.PKIXCertPathChecker;
|
|
35 |
import java.security.cert.CertPathValidatorException;
|
|
36 |
import java.security.cert.PolicyNode;
|
|
37 |
import java.security.cert.PolicyQualifierInfo;
|
|
38 |
|
|
39 |
import sun.security.util.Debug;
|
|
40 |
import sun.security.x509.CertificatePoliciesExtension;
|
|
41 |
import sun.security.x509.PolicyConstraintsExtension;
|
|
42 |
import sun.security.x509.PolicyMappingsExtension;
|
|
43 |
import sun.security.x509.CertificatePolicyMap;
|
|
44 |
import sun.security.x509.PKIXExtensions;
|
|
45 |
import sun.security.x509.PolicyInformation;
|
|
46 |
import sun.security.x509.X509CertImpl;
|
|
47 |
import sun.security.x509.InhibitAnyPolicyExtension;
|
|
48 |
|
|
49 |
/**
|
|
50 |
* PolicyChecker is a <code>PKIXCertPathChecker</code> that checks policy
|
|
51 |
* information on a PKIX certificate, namely certificate policies, policy
|
|
52 |
* mappings, policy constraints and policy qualifiers.
|
|
53 |
*
|
|
54 |
* @since 1.4
|
|
55 |
* @author Yassir Elley
|
|
56 |
*/
|
|
57 |
class PolicyChecker extends PKIXCertPathChecker {
|
|
58 |
|
|
59 |
private final Set<String> initPolicies;
|
|
60 |
private final int certPathLen;
|
|
61 |
private final boolean expPolicyRequired;
|
|
62 |
private final boolean polMappingInhibited;
|
|
63 |
private final boolean anyPolicyInhibited;
|
|
64 |
private final boolean rejectPolicyQualifiers;
|
|
65 |
private PolicyNodeImpl rootNode;
|
|
66 |
private int explicitPolicy;
|
|
67 |
private int policyMapping;
|
|
68 |
private int inhibitAnyPolicy;
|
|
69 |
private int certIndex;
|
|
70 |
|
|
71 |
private static Set<String> supportedExts;
|
|
72 |
|
|
73 |
private static final Debug debug = Debug.getInstance("certpath");
|
|
74 |
static final String ANY_POLICY = "2.5.29.32.0";
|
|
75 |
|
|
76 |
/**
|
|
77 |
* Constructs a Policy Checker.
|
|
78 |
*
|
|
79 |
* @param initialPolicies Set of initial policies
|
|
80 |
* @param certPathLen length of the certification path to be checked
|
|
81 |
* @param expPolicyRequired true if explicit policy is required
|
|
82 |
* @param polMappingInhibited true if policy mapping is inhibited
|
|
83 |
* @param anyPolicyInhibited true if the ANY_POLICY OID should be inhibited
|
|
84 |
* @param rejectPolicyQualifiers true if pol qualifiers are to be rejected
|
|
85 |
* @param rootNode the initial root node of the valid policy tree
|
|
86 |
*/
|
|
87 |
PolicyChecker(Set<String> initialPolicies, int certPathLen,
    boolean expPolicyRequired, boolean polMappingInhibited,
    boolean anyPolicyInhibited, boolean rejectPolicyQualifiers,
    PolicyNodeImpl rootNode) throws CertPathValidatorException
{
    // The checker keeps its own HashSet rather than the caller's set, so
    // later changes to initialPolicies do not reach initPolicies.
    final Set<String> acceptable;
    if (!initialPolicies.isEmpty()) {
        acceptable = new HashSet<String>(initialPolicies);
    } else {
        // No initial policies supplied: fall back to anyPolicy.
        acceptable = new HashSet<String>(1);
        acceptable.add(ANY_POLICY);
    }
    this.initPolicies = acceptable;

    // Immutable validation parameters.
    this.certPathLen = certPathLen;
    this.expPolicyRequired = expPolicyRequired;
    this.polMappingInhibited = polMappingInhibited;
    this.anyPolicyInhibited = anyPolicyInhibited;
    this.rejectPolicyQualifiers = rejectPolicyQualifiers;

    // Mutable state: the valid policy tree, then the counters set by init().
    this.rootNode = rootNode;
    init(false);
}
|
|
108 |
|
|
109 |
/**
|
|
110 |
* Initializes the internal state of the checker from parameters
|
|
111 |
* specified in the constructor
|
|
112 |
*
|
|
113 |
* @param forward a boolean indicating whether this checker should
|
|
114 |
* be initialized capable of building in the forward direction
|
|
115 |
* @exception CertPathValidatorException Exception thrown if user
|
|
116 |
* wants to enable forward checking and forward checking is not supported.
|
|
117 |
*/
|
|
118 |
public void init(boolean forward) throws CertPathValidatorException {
    // This checker cannot process a path from target to anchor.
    if (forward) {
        throw new CertPathValidatorException
            ("forward checking not supported");
    }

    // A counter of 0 means the corresponding constraint applies from the
    // first certificate. certPathLen + 1 exceeds the number of
    // certificates in the path, so decrements alone never bring it to 0.
    final int unconstrained = certPathLen + 1;

    certIndex = 1;
    explicitPolicy = expPolicyRequired ? 0 : unconstrained;
    policyMapping = polMappingInhibited ? 0 : unconstrained;
    inhibitAnyPolicy = anyPolicyInhibited ? 0 : unconstrained;
}
|
|
129 |
|
|
130 |
/**
|
|
131 |
* Checks if forward checking is supported. Forward checking refers
|
|
132 |
* to the ability of the PKIXCertPathChecker to perform its checks
|
|
133 |
* when presented with certificates in the forward direction (from
|
|
134 |
* target to anchor).
|
|
135 |
*
|
|
136 |
* @return true if forward checking is supported, false otherwise
|
|
137 |
*/
|
|
138 |
public boolean isForwardCheckingSupported() {
    // Matches init(), which throws when asked for forward checking.
    return false;
}
|
|
141 |
|
|
142 |
/**
|
|
143 |
* Gets an immutable Set of the OID strings for the extensions that
|
|
144 |
* the PKIXCertPathChecker supports (i.e. recognizes, is able to
|
|
145 |
* process), or null if no extensions are
|
|
146 |
* supported. All OID strings that a PKIXCertPathChecker might
|
|
147 |
* possibly be able to process should be included.
|
|
148 |
*
|
|
149 |
* @return the Set of extensions supported by this PKIXCertPathChecker,
|
|
150 |
* or null if no extensions are supported
|
|
151 |
*/
|
|
152 |
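public Set<String> getSupportedExtensions() {
    // supportedExts is a static shared by every PolicyChecker and this
    // method takes no lock. The set is therefore built in a local and
    // stored in the field only once it is complete and wrapped, so no
    // caller can observe a non-null set that is still empty, partially
    // filled or modifiable.
    Set<String> exts = supportedExts;
    if (exts == null) {
        Set<String> oids = new HashSet<String>();
        oids.add(PKIXExtensions.CertificatePolicies_Id.toString());
        oids.add(PKIXExtensions.PolicyMappings_Id.toString());
        oids.add(PKIXExtensions.PolicyConstraints_Id.toString());
        oids.add(PKIXExtensions.InhibitAnyPolicy_Id.toString());
        exts = Collections.unmodifiableSet(oids);
        // Two threads may both get here; each stores an equal,
        // unmodifiable set, so the last write winning is harmless.
        supportedExts = exts;
    }
    return exts;
}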
|
|
163 |
|
|
164 |
/**
|
|
165 |
* Performs the policy processing checks on the certificate using its
|
|
166 |
* internal state.
|
|
167 |
*
|
|
168 |
* @param cert the Certificate to be processed
|
|
169 |
* @param unresCritExts the unresolved critical extensions
|
|
170 |
* @exception CertPathValidatorException Exception thrown if
|
|
171 |
* the certificate does not verify.
|
|
172 |
*/
|
|
173 |
public void check(Certificate cert, Collection<String> unresCritExts)
    throws CertPathValidatorException
{
    // Policy processing runs first. If it throws, the OIDs below are left
    // in unresCritExts, i.e. they are not reported as handled.
    // NOTE(review): the cast raises ClassCastException, not
    // CertPathValidatorException, for a non-X.509 certificate - confirm
    // that callers only ever pass X509Certificate instances.
    checkPolicy((X509Certificate) cert);

    if (unresCritExts == null || unresCritExts.isEmpty()) {
        return;
    }

    // The four policy-related extensions this checker has now processed.
    unresCritExts.remove(PKIXExtensions.CertificatePolicies_Id.toString());
    unresCritExts.remove(PKIXExtensions.PolicyMappings_Id.toString());
    unresCritExts.remove(PKIXExtensions.PolicyConstraints_Id.toString());
    unresCritExts.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
}
|
|
186 |
|
|
187 |
/**
|
|
188 |
* Internal method to run through all the checks.
|
|
189 |
*
|
|
190 |
* @param currCert the certificate to be processed
|
|
191 |
* @exception CertPathValidatorException Exception thrown if
|
|
192 |
* the certificate does not verify
|
|
193 |
*/
|
|
194 |
private void checkPolicy(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "certificate policies";
    if (debug != null) {
        final String before =
            "PolicyChecker.checkPolicy() BEFORE PROCESSING: ";
        debug.println("PolicyChecker.checkPolicy() ---checking " + msg
            + "...");
        debug.println("PolicyChecker.checkPolicy() certIndex = "
            + certIndex);
        debug.println(before + "explicitPolicy = " + explicitPolicy);
        debug.println(before + "policyMapping = " + policyMapping);
        debug.println(before + "inhibitAnyPolicy = " + inhibitAnyPolicy);
        debug.println(before + "policyTree = " + rootNode);
    }

    // The policy extensions are read through the internal X509CertImpl
    // view; a certificate that cannot be converted fails validation.
    final X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(currCert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }

    final boolean lastInPath = (certIndex == certPathLen);

    // Update the valid policy tree using the counters as they stood
    // before this certificate's own constraints are merged in.
    rootNode = processPolicies(certIndex, initPolicies, explicitPolicy,
        policyMapping, inhibitAnyPolicy, rejectPolicyQualifiers, rootNode,
        certImpl, lastInPath);

    // Counters are only carried forward when another certificate follows.
    if (!lastInPath) {
        explicitPolicy = mergeExplicitPolicy(explicitPolicy, certImpl,
            lastInPath);
        policyMapping = mergePolicyMapping(policyMapping, certImpl);
        inhibitAnyPolicy = mergeInhibitAnyPolicy(inhibitAnyPolicy,
            certImpl);
    }

    certIndex++;

    if (debug != null) {
        final String after =
            "PolicyChecker.checkPolicy() AFTER PROCESSING: ";
        debug.println(after + "explicitPolicy = " + explicitPolicy);
        debug.println(after + "policyMapping = " + policyMapping);
        debug.println(after + "inhibitAnyPolicy = " + inhibitAnyPolicy);
        debug.println(after + "policyTree = " + rootNode);
        debug.println("PolicyChecker.checkPolicy() " + msg + " verified");
    }
}
|
|
248 |
|
|
249 |
/**
|
|
250 |
* Merges the specified explicitPolicy value with the
|
|
251 |
* requireExplicitPolicy field of the <code>PolicyConstraints</code>
|
|
252 |
* extension obtained from the certificate. An explicitPolicy
|
|
253 |
* value of -1 implies no constraint.
|
|
254 |
*
|
|
255 |
* @param explicitPolicy an integer which indicates if a non-null
|
|
256 |
* valid policy tree is required
|
|
257 |
* @param currCert the Certificate to be processed
|
|
258 |
* @param finalCert a boolean indicating whether currCert is
|
|
259 |
* the final cert in the cert path
|
|
260 |
* @return returns the new explicitPolicy value
|
|
261 |
* @exception CertPathValidatorException Exception thrown if an error
|
|
262 |
* occurs
|
|
263 |
*/
|
|
264 |
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert,
    boolean finalCert) throws CertPathValidatorException
{
    // Count this certificate against the remaining allowance, unless it
    // is self-issued.
    int counter = explicitPolicy;
    if ((counter > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        counter--;
    }

    try {
        PolicyConstraintsExtension constraints
            = currCert.getPolicyConstraintsExtension();
        if (constraints == null) {
            return counter;
        }

        int require = ((Integer)
            constraints.get(PolicyConstraintsExtension.REQUIRE)).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy() "
                + "require Index from cert = " + require);
        }

        if (finalCert) {
            // On the final certificate only requireExplicitPolicy == 0
            // has an effect.
            if (require == 0) {
                counter = require;
            }
        } else if ((require != -1)
                && ((counter == -1) || (require < counter))) {
            // -1 means the field is absent; otherwise the tighter of the
            // two values is kept.
            // NOTE(review): a value below -1 would also satisfy
            // "require < counter" and leave the counter negative, which
            // the "explicitPolicy == 0" test in processPolicies never
            // matches - confirm the extension cannot yield such a value.
            counter = require;
        }
    } catch (Exception e) {
        // Any failure to read the extension fails validation.
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy "
                + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return counter;
}
|
|
303 |
|
|
304 |
/**
|
|
305 |
* Merges the specified policyMapping value with the
|
|
306 |
* inhibitPolicyMapping field of the <code>PolicyConstraints</code>
|
|
307 |
* extension obtained from the certificate. A policyMapping
|
|
308 |
* value of -1 implies no constraint.
|
|
309 |
*
|
|
310 |
* @param policyMapping an integer which indicates if policy mapping
|
|
311 |
* is inhibited
|
|
312 |
* @param currCert the Certificate to be processed
|
|
313 |
* @return returns the new policyMapping value
|
|
314 |
* @exception CertPathValidatorException Exception thrown if an error
|
|
315 |
* occurs
|
|
316 |
*/
|
|
317 |
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert)
    throws CertPathValidatorException
{
    // Count this certificate against the remaining allowance, unless it
    // is self-issued.
    int counter = policyMapping;
    if ((counter > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        counter--;
    }

    try {
        PolicyConstraintsExtension constraints
            = currCert.getPolicyConstraintsExtension();
        if (constraints == null) {
            return counter;
        }

        int inhibit = ((Integer)
            constraints.get(PolicyConstraintsExtension.INHIBIT)).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping() "
                + "inhibit Index from cert = " + inhibit);
        }

        // -1 means the field is absent; otherwise the tighter of the two
        // values is kept.
        // NOTE(review): a value below -1 would also be accepted here -
        // confirm the extension cannot yield one.
        if ((inhibit != -1)
                && ((counter == -1) || (inhibit < counter))) {
            counter = inhibit;
        }
    } catch (Exception e) {
        // Any failure to read the extension fails validation.
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping "
                + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return counter;
}
|
|
352 |
|
|
353 |
/**
|
|
354 |
* Merges the specified inhibitAnyPolicy value with the
|
|
355 |
* SkipCerts value of the InhibitAnyPolicy
|
|
356 |
* extension obtained from the certificate.
|
|
357 |
*
|
|
358 |
* @param inhibitAnyPolicy an integer which indicates whether
|
|
359 |
* "any-policy" is considered a match
|
|
360 |
* @param currCert the Certificate to be processed
|
|
361 |
* @return returns the new inhibitAnyPolicy value
|
|
362 |
* @exception CertPathValidatorException Exception thrown if an error
|
|
363 |
* occurs
|
|
364 |
*/
|
|
365 |
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy,
    X509CertImpl currCert) throws CertPathValidatorException
{
    // Count this certificate against the remaining allowance, unless it
    // is self-issued.
    int counter = inhibitAnyPolicy;
    if ((counter > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        counter--;
    }

    try {
        // The cast sits inside the try, so an unexpected extension type
        // is reported as a validation failure as well.
        InhibitAnyPolicyExtension inhibitExt = (InhibitAnyPolicyExtension)
            currCert.getExtension(PKIXExtensions.InhibitAnyPolicy_Id);
        if (inhibitExt == null) {
            return counter;
        }

        int skipCerts = ((Integer)
            inhibitExt.get(InhibitAnyPolicyExtension.SKIP_CERTS)).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy() "
                + "skipCerts Index from cert = " + skipCerts);
        }

        // Keep the smaller value. Unlike mergeExplicitPolicy and
        // mergePolicyMapping there is no branch for a counter of -1.
        // NOTE(review): a skipCerts below -1 would be accepted here -
        // confirm the extension cannot yield one.
        if ((skipCerts != -1) && (skipCerts < counter)) {
            counter = skipCerts;
        }
    } catch (Exception e) {
        // Any failure to read the extension fails validation.
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy "
                + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return counter;
}
|
|
400 |
|
|
401 |
/**
|
|
402 |
* Processes certificate policies in the certificate.
|
|
403 |
*
|
|
404 |
* @param certIndex the index of the certificate
|
|
405 |
* @param initPolicies the initial policies required by the user
|
|
406 |
* @param explicitPolicy an integer which indicates if a non-null
|
|
407 |
* valid policy tree is required
|
|
408 |
* @param policyMapping an integer which indicates if policy
|
|
409 |
* mapping is inhibited
|
|
410 |
* @param inhibitAnyPolicy an integer which indicates whether
|
|
411 |
* "any-policy" is considered a match
|
|
412 |
* @param rejectPolicyQualifiers a boolean indicating whether the
|
|
413 |
* user wants to reject policies that have qualifiers
|
|
414 |
* @param origRootNode the root node of the valid policy tree
|
|
415 |
* @param currCert the Certificate to be processed
|
|
416 |
* @param finalCert a boolean indicating whether currCert is the final
|
|
417 |
* cert in the cert path
|
|
418 |
* @return the root node of the valid policy tree after modification
|
|
419 |
* @exception CertPathValidatorException Exception thrown if an
|
|
420 |
* error occurs while processing policies.
|
|
421 |
*/
|
|
422 |
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies,
    int explicitPolicy, int policyMapping, int inhibitAnyPolicy,
    boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode,
    X509CertImpl currCert, boolean finalCert)
    throws CertPathValidatorException
{
    Set<PolicyQualifierInfo> anyQuals = new HashSet<PolicyQualifierInfo>();
    boolean policiesCritical = false;

    // Every tree edit below is applied to the result of copyTree().
    PolicyNodeImpl tree =
        (origRootNode == null) ? null : origRootNode.copyTree();

    // retrieve policyOIDs from currCert
    CertificatePoliciesExtension certPolicies
        = currCert.getCertificatePoliciesExtension();

    if (certPolicies == null) {
        if (debug != null) {
            debug.println("PolicyChecker.processPolicies() "
                + "no policies present in cert");
        }
        // PKIX: Section 6.1.3: Step (e)
        tree = null;
    } else if (tree != null) {
        // PKIX: Section 6.1.3: Step (d)
        policiesCritical = certPolicies.isCritical();
        if (debug != null) {
            debug.println("PolicyChecker.processPolicies() "
                + "policiesCritical = " + policiesCritical);
        }

        final List<PolicyInformation> policies;
        try {
            policies = (List<PolicyInformation>)
                certPolicies.get(CertificatePoliciesExtension.POLICIES);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Exception while "
                + "retrieving policyOIDs", ioe);
        }

        if (debug != null) {
            debug.println("PolicyChecker.processPolicies() "
                + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
        }

        boolean sawAnyPolicy = false;

        // process each policy in cert
        for (PolicyInformation info : policies) {
            String curPolicy =
                info.getPolicyIdentifier().getIdentifier().toString();

            if (curPolicy.equals(ANY_POLICY)) {
                // anyPolicy is handled after the loop, in step (d)(2).
                // NOTE(review): its qualifiers are only recorded here; the
                // rejectPolicyQualifiers test below covers the other
                // policies only - confirm that is intended.
                sawAnyPolicy = true;
                anyQuals = info.getPolicyQualifiers();
                continue;
            }

            // PKIX: Section 6.1.3: Step (d)(1)
            if (debug != null) {
                debug.println("PolicyChecker.processPolicies() "
                    + "processing policy: " + curPolicy);
            }

            // retrieve policy qualifiers from cert
            Set<PolicyQualifierInfo> pQuals = info.getPolicyQualifiers();

            // reject cert if we find critical policy qualifiers and
            // the policyQualifiersRejected flag is set in the params
            if (!pQuals.isEmpty() && rejectPolicyQualifiers &&
                policiesCritical) {
                throw new CertPathValidatorException("critical " +
                    "policy qualifiers present in certificate");
            }

            // PKIX: Section 6.1.3: Step (d)(1)(i): exact match first
            boolean exactMatch = processParents(certIndex,
                policiesCritical, rejectPolicyQualifiers, tree,
                curPolicy, pQuals, false);

            if (!exactMatch) {
                // PKIX: Section 6.1.3: Step (d)(1)(ii): fall back to
                // parents whose expected policy set holds anyPolicy
                processParents(certIndex, policiesCritical,
                    rejectPolicyQualifiers, tree, curPolicy,
                    pQuals, true);
            }
        }

        // PKIX: Section 6.1.3: Step (d)(2)
        // anyPolicy is honoured only while the inhibitAnyPolicy counter is
        // still positive, or on a self-issued non-final certificate.
        if (sawAnyPolicy
                && ((inhibitAnyPolicy > 0) ||
                    (!finalCert && X509CertImpl.isSelfIssued(currCert)))) {
            if (debug != null) {
                debug.println("PolicyChecker.processPolicies() "
                    + "processing policy: " + ANY_POLICY);
            }
            processParents(certIndex, policiesCritical,
                rejectPolicyQualifiers, tree, ANY_POLICY, anyQuals,
                true);
        }

        // PKIX: Section 6.1.3: Step (d)(3)
        tree.prune(certIndex);
        if (!tree.getChildren().hasNext()) {
            tree = null;
        }
    }

    // We delay PKIX: Section 6.1.3: Step (f) to the end
    // because the code that follows may delete some nodes
    // resulting in a null tree
    if ((tree != null) && !finalCert) {
        // PKIX: Section 6.1.4: Steps (a)-(b)
        tree = processPolicyMappings(currCert, certIndex,
            policyMapping, tree, policiesCritical, anyQuals);
    }

    // At this point, we optimize the PKIX algorithm by
    // removing those nodes which would later have
    // been removed by PKIX: Section 6.1.5: Step (g)(iii)
    if ((tree != null) && (!initPolicies.contains(ANY_POLICY))
        && (certPolicies != null)) {
        tree = removeInvalidNodes(tree, certIndex,
            initPolicies, certPolicies);

        // PKIX: Section 6.1.5: Step (g)(iii)
        if ((tree != null) && finalCert) {
            // rewrite anyPolicy leaf nodes (see method comments)
            tree = rewriteLeafNodes(certIndex, initPolicies, tree);
        }
    }

    int requireExplicit = explicitPolicy;
    if (finalCert) {
        // PKIX: Section 6.1.5: Steps (a) and (b)
        requireExplicit = mergeExplicitPolicy(explicitPolicy, currCert,
            finalCert);
    }

    // PKIX: Section 6.1.3: Step (f)
    // verify that either explicit policy is greater than 0 or
    // the valid_policy_tree is not equal to NULL
    if ((requireExplicit == 0) && (tree == null)) {
        throw new CertPathValidatorException
            ("non-null policy tree required and policy tree is null");
    }

    return tree;
}
|
|
575 |
|
|
576 |
/**
|
|
577 |
* Rewrite leaf nodes at the end of validation as described in RFC 3280
|
|
578 |
* section 6.1.5: Step (g)(iii). Leaf nodes with anyPolicy are replaced
|
|
579 |
* by nodes explicitly representing initial policies not already
|
|
580 |
* represented by leaf nodes.
|
|
581 |
*
|
|
582 |
* This method should only be called when processing the final cert
|
|
583 |
* and if the policy tree is not null and initial policies is not
|
|
584 |
* anyPolicy.
|
|
585 |
*
|
|
586 |
* @param certIndex the depth of the tree
|
|
587 |
* @param initPolicies Set of user specified initial policies
|
|
588 |
* @param rootNode the root of the policy tree
|
|
589 |
*/
|
|
590 |
private static PolicyNodeImpl rewriteLeafNodes(int certIndex,
    Set<String> initPolicies, PolicyNodeImpl rootNode) {
    Set<PolicyNodeImpl> anyLeaves =
        rootNode.getPolicyNodesValid(certIndex, ANY_POLICY);
    if (anyLeaves.isEmpty()) {
        // Nothing to rewrite.
        return rootNode;
    }

    // NOTE(review): only the first node of the returned set is rewritten -
    // confirm that at most one anyPolicy node can exist at this depth.
    PolicyNodeImpl anyLeaf = anyLeaves.iterator().next();
    PolicyNodeImpl parent = (PolicyNodeImpl) anyLeaf.getParent();
    parent.deleteChild(anyLeaf);

    // see if there are any initialPolicies not represented by leaf nodes
    Set<String> missing = new HashSet<String>(initPolicies);
    for (PolicyNodeImpl leaf : rootNode.getPolicyNodes(certIndex)) {
        missing.remove(leaf.getValidPolicy());
    }

    if (missing.isEmpty()) {
        // we deleted the anyPolicy node and have nothing to re-add,
        // so we need to prune the tree
        rootNode.prune(certIndex);
        return rootNode.getChildren().hasNext() ? rootNode : null;
    }

    // Stand in for the deleted anyPolicy node with one explicit node per
    // missing initial policy, carrying over its criticality and qualifiers.
    // The new nodes are not stored here; presumably the PolicyNodeImpl
    // constructor links each one to its parent - verify in PolicyNodeImpl.
    boolean critical = anyLeaf.isCritical();
    Set<PolicyQualifierInfo> qualifiers = anyLeaf.getPolicyQualifiers();
    for (String policy : missing) {
        new PolicyNodeImpl(parent, policy, qualifiers, critical,
            Collections.singleton(policy), false);
    }
    return rootNode;
}
|
|
624 |
|
|
625 |
/**
|
|
626 |
* Finds the policy nodes of depth (certIndex-1) where curPolicy
|
|
627 |
* is in the expected policy set and creates a new child node
|
|
628 |
* appropriately. If matchAny is true, then a value of ANY_POLICY
|
|
629 |
* in the expected policy set will match any curPolicy. If matchAny
|
|
630 |
* is false, then the expected policy set must exactly contain the
|
|
631 |
* curPolicy to be considered a match. This method returns a boolean
|
|
632 |
* value indicating whether a match was found.
|
|
633 |
*
|
|
634 |
* @param certIndex the index of the certificate whose policy is
|
|
635 |
* being processed
|
|
636 |
* @param policiesCritical a boolean indicating whether the certificate
|
|
637 |
* policies extension is critical
|
|
638 |
* @param rejectPolicyQualifiers a boolean indicating whether the
|
|
639 |
* user wants to reject policies that have qualifiers
|
|
640 |
* @param rootNode the root node of the valid policy tree
|
|
641 |
* @param curPolicy a String representing the policy being processed
|
|
642 |
* @param pQuals the policy qualifiers of the policy being processed or an
|
|
643 |
* empty Set if there are no qualifiers
|
|
644 |
* @param matchAny a boolean indicating whether a value of ANY_POLICY
|
|
645 |
* in the expected policy set will be considered a match
|
|
646 |
* @return a boolean indicating whether a match was found
|
|
647 |
* @exception CertPathValidatorException Exception thrown if error occurs.
|
|
648 |
*/
|
|
649 |
private static boolean processParents(int certIndex,
    boolean policiesCritical, boolean rejectPolicyQualifiers,
    PolicyNodeImpl rootNode, String curPolicy,
    Set<PolicyQualifierInfo> pQuals,
    boolean matchAny) throws CertPathValidatorException
{
    // rejectPolicyQualifiers is accepted but not read in this method.
    if (debug != null) {
        debug.println("PolicyChecker.processParents(): matchAny = "
            + matchAny);
    }

    // find matching parents, one level above the current certificate
    Set<PolicyNodeImpl> parents =
        rootNode.getPolicyNodesExpected(certIndex - 1,
            curPolicy, matchAny);

    boolean matched = false;

    // for each matching parent, extend policy tree
    for (PolicyNodeImpl parent : parents) {
        if (debug != null) {
            debug.println("PolicyChecker.processParents() "
                + "found parent:\n" + parent.asString());
        }

        matched = true;
        // Value is not used below; the call is retained from the original.
        String parentPolicy = parent.getValidPolicy();

        if (!curPolicy.equals(ANY_POLICY)) {
            // Ordinary policy: one child whose expected set is itself.
            Set<String> expected = new HashSet<String>();
            expected.add(curPolicy);

            new PolicyNodeImpl
                (parent, curPolicy, pQuals,
                 policiesCritical, expected, false);
            continue;
        }

        // do step 2: for anyPolicy, add a child for each policy the parent
        // expects that no existing child already represents
        for (String parentExpected : parent.getExpectedPolicies()) {
            boolean alreadyChild = false;
            Iterator<PolicyNodeImpl> children = parent.getChildren();
            while (!alreadyChild && children.hasNext()) {
                String childPolicy = children.next().getValidPolicy();
                if (parentExpected.equals(childPolicy)) {
                    if (debug != null) {
                        debug.println(childPolicy + " in parent's "
                            + "expected policy set already appears in "
                            + "child node");
                    }
                    alreadyChild = true;
                }
            }
            if (alreadyChild) {
                continue;
            }

            Set<String> expected = new HashSet<String>();
            expected.add(parentExpected);

            new PolicyNodeImpl
                (parent, parentExpected, pQuals,
                 policiesCritical, expected, false);
        }
    }

    return matched;
}
|
|
717 |
|
|
718 |
/**
|
|
719 |
* Processes policy mappings in the certificate.
|
|
720 |
*
|
|
721 |
* @param currCert the Certificate to be processed
|
|
722 |
* @param certIndex the index of the current certificate
|
|
723 |
* @param policyMapping an integer which indicates if policy
|
|
724 |
* mapping is inhibited
|
|
725 |
* @param rootNode the root node of the valid policy tree
|
|
726 |
* @param policiesCritical a boolean indicating if the certificate policies
|
|
727 |
* extension is critical
|
|
728 |
* @param anyQuals the qualifiers associated with ANY-POLICY, or an empty
|
|
729 |
* Set if there are no qualifiers associated with ANY-POLICY
|
|
730 |
* @return the root node of the valid policy tree after modification
|
|
731 |
* @exception CertPathValidatorException exception thrown if an error
|
|
732 |
* occurs while processing policy mappings
|
|
733 |
*/
|
|
734 |
private static PolicyNodeImpl processPolicyMappings(X509CertImpl currCert,
    int certIndex, int policyMapping, PolicyNodeImpl rootNode,
    boolean policiesCritical, Set<PolicyQualifierInfo> anyQuals)
    throws CertPathValidatorException
{
    // Applies the certificate's policy mappings extension to the valid
    // policy tree. For every (issuerDomain, subjectDomain) pair:
    //   * either side equal to ANY_POLICY aborts validation (PKIX path
    //     validation forbids anyPolicy in a mapping, RFC 5280 6.1.4);
    //   * if getPolicyNodesValid(certIndex, issuerDomain) returns nodes,
    //     each one either gains subjectDomain as an expected policy
    //     (policyMapping > 0 or == -1) or is deleted (policyMapping == 0);
    //   * if it returns none and mapping is permitted, a node is built
    //     next to every node valid for ANY_POLICY.
    // A policyMapping below -1 matches neither branch, so such a value
    // leaves the tree unchanged.
    // NOTE(review): -1 presumably means "no inhibit constraint in
    // force" -- confirm against the caller.
    PolicyMappingsExtension mappingsExt =
        currCert.getPolicyMappingsExtension();
    if (mappingsExt == null) {
        // Certificate carries no policy mappings: tree returned as is.
        return rootNode;
    }

    if (debug != null) {
        debug.println("PolicyChecker.processPolicyMappings() "
            + "inside policyMapping check");
    }

    List<CertificatePolicyMap> maps;
    try {
        // Unchecked cast: the element type is not verified at this point.
        maps = (List<CertificatePolicyMap>)
            mappingsExt.get(PolicyMappingsExtension.MAP);
    } catch (IOException e) {
        // Stack trace is printed only when debugging is enabled; the
        // cause is always preserved in the exception handed to the caller.
        if (debug != null) {
            debug.println("PolicyChecker.processPolicyMappings() "
                + "mapping exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException("Exception while checking "
            + "mapping", e);
    }

    // Both flags depend only on the policyMapping argument.
    final boolean mappingPermitted =
        (policyMapping > 0) || (policyMapping == -1);
    final boolean mappingInhibited = (policyMapping == 0);

    boolean removedAny = false;
    for (CertificatePolicyMap mapping : maps) {
        String issuerDomain =
            mapping.getIssuerIdentifier().getIdentifier().toString();
        String subjectDomain =
            mapping.getSubjectIdentifier().getIdentifier().toString();
        if (debug != null) {
            debug.println("PolicyChecker.processPolicyMappings() "
                + "issuerDomain = " + issuerDomain);
            debug.println("PolicyChecker.processPolicyMappings() "
                + "subjectDomain = " + subjectDomain);
        }

        // Fail closed: a mapping to or from ANY_POLICY is rejected
        // before the tree is touched for this entry.
        if (issuerDomain.equals(ANY_POLICY)) {
            throw new CertPathValidatorException(
                "encountered an issuerDomainPolicy of ANY_POLICY");
        }
        if (subjectDomain.equals(ANY_POLICY)) {
            throw new CertPathValidatorException(
                "encountered a subjectDomainPolicy of ANY_POLICY");
        }

        Set<PolicyNodeImpl> matching =
            rootNode.getPolicyNodesValid(certIndex, issuerDomain);

        if (matching.isEmpty()) {
            // No node is valid for issuerDomain itself; fall back to
            // the nodes valid for ANY_POLICY when mapping is permitted.
            if (mappingPermitted) {
                Set<PolicyNodeImpl> anyNodes =
                    rootNode.getPolicyNodesValid(certIndex, ANY_POLICY);
                for (PolicyNodeImpl anyNode : anyNodes) {
                    PolicyNodeImpl anyParent =
                        (PolicyNodeImpl) anyNode.getParent();

                    Set<String> expected = new HashSet<String>();
                    expected.add(subjectDomain);

                    // The new node is not kept in a variable here.
                    // NOTE(review): presumably the constructor attaches
                    // it under anyParent -- confirm in PolicyNodeImpl.
                    new PolicyNodeImpl(anyParent, issuerDomain, anyQuals,
                        policiesCritical, expected, true);
                }
            }
            continue;
        }

        for (PolicyNodeImpl node : matching) {
            if (mappingPermitted) {
                node.addExpectedPolicy(subjectDomain);
            } else if (mappingInhibited) {
                // Mapping inhibited: the mapped node is removed.
                PolicyNodeImpl parent = (PolicyNodeImpl) node.getParent();
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicyMappings"
                        + "() before deleting: policy tree = "
                        + rootNode);
                }
                parent.deleteChild(node);
                removedAny = true;
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicyMappings"
                        + "() after deleting: policy tree = "
                        + rootNode);
                }
            }
        }
    }

    if (!removedAny) {
        return rootNode;
    }

    // Deletions happened: prune, and report an empty tree as null.
    rootNode.prune(certIndex);
    if (rootNode.getChildren().hasNext()) {
        return rootNode;
    }
    if (debug != null) {
        debug.println("setting rootNode to null");
    }
    return null;
}
/**
* Removes those nodes which do not intersect with the initial policies
* specified by the user.
*
* @param rootNode the root node of the valid policy tree
* @param certIndex the index of the certificate being processed
* @param initPolicies the Set of policies required by the user
* @param currCertPolicies the CertificatePoliciesExtension of the
* certificate being processed
* @return the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if error occurs.
*/
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode,
    int certIndex, Set<String> initPolicies,
    CertificatePoliciesExtension currCertPolicies)
    throws CertPathValidatorException
{
    // Second pass over the certificate's policies: a node is deleted
    // when its parent's valid policy is ANY_POLICY and its own policy
    // is neither in initPolicies nor ANY_POLICY. After any deletion
    // the tree is pruned, and a root left without children is
    // returned as null.
    List<PolicyInformation> policies;
    try {
        // Unchecked cast: the element type is not verified at this point.
        policies = (List<PolicyInformation>)
            currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
    } catch (IOException ioe) {
        throw new CertPathValidatorException("Exception while "
            + "retrieving policyOIDs", ioe);
    }

    boolean removedAny = false;
    for (PolicyInformation info : policies) {
        String policyOid =
            info.getPolicyIdentifier().getIdentifier().toString();

        // The debug text names processPolicies(), not this method;
        // it is kept as is because it is runtime output.
        if (debug != null) {
            debug.println("PolicyChecker.processPolicies() "
                + "processing policy second time: " + policyOid);
        }

        Set<PolicyNodeImpl> matching =
            rootNode.getPolicyNodesValid(certIndex, policyOid);
        for (PolicyNodeImpl node : matching) {
            PolicyNodeImpl parent = (PolicyNodeImpl) node.getParent();

            // Only children of an ANY_POLICY parent are candidates.
            if (!parent.getValidPolicy().equals(ANY_POLICY)) {
                continue;
            }
            // Keep nodes the caller asked for, and ANY_POLICY itself.
            if (initPolicies.contains(policyOid)
                    || policyOid.equals(ANY_POLICY)) {
                continue;
            }

            if (debug != null) {
                debug.println("PolicyChecker.processPolicies() "
                    + "before deleting: policy tree = " + rootNode);
            }
            parent.deleteChild(node);
            removedAny = true;
            if (debug != null) {
                debug.println("PolicyChecker.processPolicies() "
                    + "after deleting: policy tree = " + rootNode);
            }
        }
    }

    if (!removedAny) {
        return rootNode;
    }

    rootNode.prune(certIndex);
    // A root with no remaining children means no valid policy is left.
    return rootNode.getChildren().hasNext() ? rootNode : null;
}
/**
* Gets the root node of the valid policy tree, or null if the
* valid policy tree is null. Marks each node of the returned tree
* immutable and thread-safe.
*
* @return the root node of the valid policy tree, or null if
* the valid policy tree is null
*/
PolicyNode getPolicyTree() {
    // No valid policy tree: nothing to hand out.
    if (rootNode == null) {
        return null;
    }

    // Hand out a copy rather than the checker's own tree, and mark the
    // copy immutable before it leaves this class.
    PolicyNodeImpl snapshot = rootNode.copyTree();
    snapshot.setImmutable();
    return snapshot;
}
}