author | weijun |
Wed, 01 Aug 2018 13:35:08 +0800 | |
changeset 51272 | 9d92ff04a29c |
parent 47216 | 71c04702a3d5 |
child 53082 | 4c539cb11633 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
2 |
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.provider.certpath; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import java.net.URI; |
|
30 |
import java.security.*; |
|
31 |
import java.security.cert.*; |
|
32 |
import javax.security.auth.x500.X500Principal; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
33 |
import java.util.*; |
2 | 34 |
|
35 |
import sun.security.util.Debug; |
|
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
36 |
import sun.security.validator.Validator; |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
37 |
import static sun.security.x509.PKIXExtensions.*; |
2 | 38 |
import sun.security.x509.*; |
39 |
||
40 |
/** |
|
41 |
* Class to obtain CRLs via the CRLDistributionPoints extension. |
|
42 |
* Note that the functionality of this class must be explicitly enabled |
|
43 |
* via a system property, see the USE_CRLDP variable below. |
|
44 |
* |
|
45 |
* This class uses the URICertStore class to fetch CRLs. The URICertStore |
|
46 |
* class also implements CRL caching: see the class description for more |
|
47 |
* information. |
|
48 |
* |
|
49 |
* @author Andreas Sterbenz |
|
50 |
* @author Sean Mullan |
|
51 |
* @since 1.4.2 |
|
52 |
*/ |
|
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
53 |
public class DistributionPointFetcher { |
2 | 54 |
|
55 |
private static final Debug debug = Debug.getInstance("certpath"); |
|
56 |
||
57 |
private static final boolean[] ALL_REASONS = |
|
58 |
{true, true, true, true, true, true, true, true, true}; |
|
59 |
||
60 |
/** |
|
61 |
* Private instantiation only. |
|
62 |
*/ |
|
63 |
private DistributionPointFetcher() {} |
|
64 |
||
65 |
/** |
|
66 |
* Return the X509CRLs matching this selector. The selector must be |
|
67 |
* an X509CRLSelector with certificateChecking set. |
|
68 |
*/ |
|
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
69 |
public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
70 |
boolean signFlag, PublicKey prevKey, String provider, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
71 |
List<CertStore> certStores, boolean[] reasonsMask, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
72 |
Set<TrustAnchor> trustAnchors, Date validity, String variant) |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
73 |
throws CertStoreException |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
74 |
{ |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
75 |
return getCRLs(selector, signFlag, prevKey, null, provider, certStores, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
76 |
reasonsMask, trustAnchors, validity, variant); |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
77 |
} |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
78 |
/** |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
79 |
* Return the X509CRLs matching this selector. The selector must be |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
80 |
* an X509CRLSelector with certificateChecking set. |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
81 |
*/ |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
82 |
// Called by com.sun.deploy.security.RevocationChecker |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
83 |
public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
84 |
boolean signFlag, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
85 |
PublicKey prevKey, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
86 |
String provider, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
87 |
List<CertStore> certStores, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
88 |
boolean[] reasonsMask, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
89 |
Set<TrustAnchor> trustAnchors, |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
16492
diff
changeset
|
90 |
Date validity) |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
91 |
throws CertStoreException |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
92 |
{ |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
93 |
return getCRLs(selector, signFlag, prevKey, null, provider, certStores, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
94 |
reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC); |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
95 |
} |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
96 |
|
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
97 |
/** |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
98 |
* Return the X509CRLs matching this selector. The selector must be |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
99 |
* an X509CRLSelector with certificateChecking set. |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
100 |
*/ |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
101 |
public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
102 |
boolean signFlag, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
103 |
PublicKey prevKey, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
104 |
X509Certificate prevCert, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
105 |
String provider, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
106 |
List<CertStore> certStores, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
107 |
boolean[] reasonsMask, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
108 |
Set<TrustAnchor> trustAnchors, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
109 |
Date validity, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
110 |
String variant) |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
111 |
throws CertStoreException |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
112 |
{ |
2 | 113 |
X509Certificate cert = selector.getCertificateChecking(); |
114 |
if (cert == null) { |
|
115 |
return Collections.emptySet(); |
|
116 |
} |
|
117 |
try { |
|
118 |
X509CertImpl certImpl = X509CertImpl.toImpl(cert); |
|
119 |
if (debug != null) { |
|
120 |
debug.println("DistributionPointFetcher.getCRLs: Checking " |
|
121 |
+ "CRLDPs for " + certImpl.getSubjectX500Principal()); |
|
122 |
} |
|
123 |
CRLDistributionPointsExtension ext = |
|
124 |
certImpl.getCRLDistributionPointsExtension(); |
|
125 |
if (ext == null) { |
|
126 |
if (debug != null) { |
|
127 |
debug.println("No CRLDP ext"); |
|
128 |
} |
|
129 |
return Collections.emptySet(); |
|
130 |
} |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9511
diff
changeset
|
131 |
List<DistributionPoint> points = |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9511
diff
changeset
|
132 |
ext.get(CRLDistributionPointsExtension.POINTS); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
133 |
Set<X509CRL> results = new HashSet<>(); |
2 | 134 |
for (Iterator<DistributionPoint> t = points.iterator(); |
135 |
t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { |
|
136 |
DistributionPoint point = t.next(); |
|
137 |
Collection<X509CRL> crls = getCRLs(selector, certImpl, |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
138 |
point, reasonsMask, signFlag, prevKey, prevCert, provider, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
139 |
certStores, trustAnchors, validity, variant); |
2 | 140 |
results.addAll(crls); |
141 |
} |
|
142 |
if (debug != null) { |
|
143 |
debug.println("Returning " + results.size() + " CRLs"); |
|
144 |
} |
|
145 |
return results; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
146 |
} catch (CertificateException | IOException e) { |
2 | 147 |
return Collections.emptySet(); |
148 |
} |
|
149 |
} |
|
150 |
||
151 |
/** |
|
152 |
* Download CRLs from the given distribution point, verify and return them. |
|
153 |
* See the top of the class for current limitations. |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
154 |
* |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
155 |
* @throws CertStoreException if there is an error retrieving the CRLs |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
156 |
* from one of the GeneralNames and no other CRLs are retrieved from |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
157 |
* the other GeneralNames. If more than one GeneralName throws an |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
158 |
* exception then the one from the last GeneralName is thrown. |
2 | 159 |
*/ |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
160 |
private static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
2 | 161 |
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
162 |
boolean signFlag, PublicKey prevKey, X509Certificate prevCert, |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
163 |
String provider, List<CertStore> certStores, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
164 |
Set<TrustAnchor> trustAnchors, Date validity, String variant) |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
165 |
throws CertStoreException { |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
166 |
|
2 | 167 |
// check for full name |
168 |
GeneralNames fullName = point.getFullName(); |
|
169 |
if (fullName == null) { |
|
170 |
// check for relative name |
|
171 |
RDN relativeName = point.getRelativeName(); |
|
172 |
if (relativeName == null) { |
|
173 |
return Collections.emptySet(); |
|
174 |
} |
|
175 |
try { |
|
176 |
GeneralNames crlIssuers = point.getCRLIssuer(); |
|
177 |
if (crlIssuers == null) { |
|
178 |
fullName = getFullNames |
|
179 |
((X500Name) certImpl.getIssuerDN(), relativeName); |
|
180 |
} else { |
|
181 |
// should only be one CRL Issuer |
|
182 |
if (crlIssuers.size() != 1) { |
|
183 |
return Collections.emptySet(); |
|
184 |
} else { |
|
185 |
fullName = getFullNames |
|
186 |
((X500Name) crlIssuers.get(0).getName(), relativeName); |
|
187 |
} |
|
188 |
} |
|
189 |
} catch (IOException ioe) { |
|
190 |
return Collections.emptySet(); |
|
191 |
} |
|
192 |
} |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
193 |
Collection<X509CRL> possibleCRLs = new ArrayList<>(); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
194 |
CertStoreException savedCSE = null; |
2 | 195 |
for (Iterator<GeneralName> t = fullName.iterator(); t.hasNext(); ) { |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
196 |
try { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
197 |
GeneralName name = t.next(); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
198 |
if (name.getType() == GeneralNameInterface.NAME_DIRECTORY) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
199 |
X500Name x500Name = (X500Name) name.getName(); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
200 |
possibleCRLs.addAll( |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
201 |
getCRLs(x500Name, certImpl.getIssuerX500Principal(), |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
202 |
certStores)); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
203 |
} else if (name.getType() == GeneralNameInterface.NAME_URI) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
204 |
URIName uriName = (URIName)name.getName(); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
205 |
X509CRL crl = getCRL(uriName); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
206 |
if (crl != null) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
207 |
possibleCRLs.add(crl); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
208 |
} |
2 | 209 |
} |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
210 |
} catch (CertStoreException cse) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
211 |
savedCSE = cse; |
2 | 212 |
} |
213 |
} |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
214 |
// only throw CertStoreException if no CRLs are retrieved |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
215 |
if (possibleCRLs.isEmpty() && savedCSE != null) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
216 |
throw savedCSE; |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
217 |
} |
2 | 218 |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
219 |
Collection<X509CRL> crls = new ArrayList<>(2); |
2 | 220 |
for (X509CRL crl : possibleCRLs) { |
221 |
try { |
|
222 |
// make sure issuer is not set |
|
223 |
// we check the issuer in verifyCRLs method |
|
224 |
selector.setIssuerNames(null); |
|
225 |
if (selector.match(crl) && verifyCRL(certImpl, point, crl, |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
226 |
reasonsMask, signFlag, prevKey, prevCert, provider, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
227 |
trustAnchors, certStores, validity, variant)) { |
2 | 228 |
crls.add(crl); |
229 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
230 |
} catch (IOException | CRLException e) { |
2 | 231 |
// don't add the CRL |
232 |
if (debug != null) { |
|
233 |
debug.println("Exception verifying CRL: " + e.getMessage()); |
|
234 |
e.printStackTrace(); |
|
235 |
} |
|
236 |
} |
|
237 |
} |
|
238 |
return crls; |
|
239 |
} |
|
240 |
||
241 |
/** |
|
242 |
* Download CRL from given URI. |
|
243 |
*/ |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
244 |
private static X509CRL getCRL(URIName name) throws CertStoreException { |
2 | 245 |
URI uri = name.getURI(); |
246 |
if (debug != null) { |
|
247 |
debug.println("Trying to fetch CRL from DP " + uri); |
|
248 |
} |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
249 |
CertStore ucs = null; |
2 | 250 |
try { |
32502
03f7450aec42
8134708: Certpath validation fails to load certs and CRLs if AIA and CRLDP extensions point to LDAP resources
asmotrak
parents:
29917
diff
changeset
|
251 |
ucs = URICertStore.getInstance(new URICertStoreParameters(uri)); |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
252 |
} catch (InvalidAlgorithmParameterException | |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
253 |
NoSuchAlgorithmException e) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
254 |
if (debug != null) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
255 |
debug.println("Can't create URICertStore: " + e.getMessage()); |
2 | 256 |
} |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
257 |
return null; |
2 | 258 |
} |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
259 |
|
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
260 |
Collection<? extends CRL> crls = ucs.getCRLs(null); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
261 |
if (crls.isEmpty()) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
262 |
return null; |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
263 |
} else { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
264 |
return (X509CRL) crls.iterator().next(); |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
265 |
} |
2 | 266 |
} |
267 |
||
268 |
/** |
|
269 |
* Fetch CRLs from certStores. |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
270 |
* |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
271 |
* @throws CertStoreException if there is an error retrieving the CRLs from |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
272 |
* one of the CertStores and no other CRLs are retrieved from |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
273 |
* the other CertStores. If more than one CertStore throws an |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
274 |
* exception then the one from the last CertStore is thrown. |
2 | 275 |
*/ |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
276 |
private static Collection<X509CRL> getCRLs(X500Name name, |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
277 |
X500Principal certIssuer, |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
278 |
List<CertStore> certStores) |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
279 |
throws CertStoreException |
2 | 280 |
{ |
281 |
if (debug != null) { |
|
282 |
debug.println("Trying to fetch CRL from DP " + name); |
|
283 |
} |
|
284 |
X509CRLSelector xcs = new X509CRLSelector(); |
|
285 |
xcs.addIssuer(name.asX500Principal()); |
|
286 |
xcs.addIssuer(certIssuer); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
287 |
Collection<X509CRL> crls = new ArrayList<>(); |
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
288 |
CertStoreException savedCSE = null; |
2 | 289 |
for (CertStore store : certStores) { |
290 |
try { |
|
291 |
for (CRL crl : store.getCRLs(xcs)) { |
|
292 |
crls.add((X509CRL)crl); |
|
293 |
} |
|
294 |
} catch (CertStoreException cse) { |
|
295 |
if (debug != null) { |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
296 |
debug.println("Exception while retrieving " + |
2 | 297 |
"CRLs: " + cse); |
298 |
cse.printStackTrace(); |
|
299 |
} |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
300 |
savedCSE = new PKIX.CertStoreTypeException(store.getType(),cse); |
2 | 301 |
} |
302 |
} |
|
13800
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
303 |
// only throw CertStoreException if no CRLs are retrieved |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
304 |
if (crls.isEmpty() && savedCSE != null) { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
305 |
throw savedCSE; |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
306 |
} else { |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
307 |
return crls; |
2fd4a82efe9c
7176627: CertPath/jep124/PreferCRL_SoftFail test fails (Could not determine revocation status)
mullan
parents:
12860
diff
changeset
|
308 |
} |
2 | 309 |
} |
310 |
||
311 |
/** |
|
312 |
* Verifies a CRL for the given certificate's Distribution Point to |
|
313 |
* ensure it is appropriate for checking the revocation status. |
|
314 |
* |
|
315 |
* @param certImpl the certificate whose revocation status is being checked |
|
316 |
* @param point one of the distribution points of the certificate |
|
317 |
* @param crl the CRL |
|
318 |
* @param reasonsMask the interim reasons mask |
|
319 |
* @param signFlag true if prevKey can be used to verify the CRL |
|
320 |
* @param prevKey the public key that verifies the certificate's signature |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
321 |
* @param prevCert the certificate whose public key verifies |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
322 |
* {@code certImpl}'s signature |
2 | 323 |
* @param provider the Signature provider to use |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
324 |
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
325 |
* @param certStores a {@code List} of {@code CertStore}s to be used in |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
326 |
* finding certificates and CRLs |
9511
8f315e0a7b18
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
mullan
parents:
9256
diff
changeset
|
327 |
* @param validity the time for which the validity of the CRL issuer's |
8f315e0a7b18
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
mullan
parents:
9256
diff
changeset
|
328 |
* certification path should be determined |
2 | 329 |
* @return true if ok, false if not |
330 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
331 |
static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, |
2 | 332 |
X509CRL crl, boolean[] reasonsMask, boolean signFlag, |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
333 |
PublicKey prevKey, X509Certificate prevCert, String provider, |
9511
8f315e0a7b18
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
mullan
parents:
9256
diff
changeset
|
334 |
Set<TrustAnchor> trustAnchors, List<CertStore> certStores, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
335 |
Date validity, String variant) throws CRLException, IOException { |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
336 |
|
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
337 |
if (debug != null) { |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
338 |
debug.println("DistributionPointFetcher.verifyCRL: " + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
339 |
"checking revocation status for" + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
340 |
"\n SN: " + Debug.toHexString(certImpl.getSerialNumber()) + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
341 |
"\n Subject: " + certImpl.getSubjectX500Principal() + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
342 |
"\n Issuer: " + certImpl.getIssuerX500Principal()); |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
343 |
} |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
344 |
|
2 | 345 |
boolean indirectCRL = false; |
346 |
X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl); |
|
347 |
IssuingDistributionPointExtension idpExt = |
|
348 |
crlImpl.getIssuingDistributionPointExtension(); |
|
349 |
X500Name certIssuer = (X500Name) certImpl.getIssuerDN(); |
|
350 |
X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN(); |
|
351 |
||
352 |
// if crlIssuer is set, verify that it matches the issuer of the |
|
353 |
// CRL and the CRL contains an IDP extension with the indirectCRL |
|
354 |
// boolean asserted. Otherwise, verify that the CRL issuer matches the |
|
355 |
// certificate issuer. |
|
356 |
GeneralNames pointCrlIssuers = point.getCRLIssuer(); |
|
357 |
X500Name pointCrlIssuer = null; |
|
358 |
if (pointCrlIssuers != null) { |
|
359 |
if (idpExt == null || |
|
360 |
((Boolean) idpExt.get |
|
361 |
(IssuingDistributionPointExtension.INDIRECT_CRL)).equals |
|
362 |
(Boolean.FALSE)) { |
|
363 |
return false; |
|
364 |
} |
|
365 |
boolean match = false; |
|
366 |
for (Iterator<GeneralName> t = pointCrlIssuers.iterator(); |
|
367 |
!match && t.hasNext(); ) { |
|
368 |
GeneralNameInterface name = t.next().getName(); |
|
369 |
if (crlIssuer.equals(name) == true) { |
|
370 |
pointCrlIssuer = (X500Name) name; |
|
371 |
match = true; |
|
372 |
} |
|
373 |
} |
|
374 |
if (match == false) { |
|
375 |
return false; |
|
376 |
} |
|
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
377 |
|
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
378 |
// we accept the case that a CRL issuer provide status |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
379 |
// information for itself. |
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
380 |
if (issues(certImpl, crlImpl, provider)) { |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
381 |
// reset the public key used to verify the CRL's signature |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
382 |
prevKey = certImpl.getPublicKey(); |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
383 |
} else { |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
384 |
indirectCRL = true; |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
385 |
} |
2 | 386 |
} else if (crlIssuer.equals(certIssuer) == false) { |
387 |
if (debug != null) { |
|
29264
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
388 |
debug.println("crl issuer does not equal cert issuer.\n" + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
389 |
"crl issuer: " + crlIssuer + "\n" + |
5172066a2da6
8054037: Improve tracing for java.security.debug=certpath
juh
parents:
26967
diff
changeset
|
390 |
"cert issuer: " + certIssuer); |
2 | 391 |
} |
392 |
return false; |
|
2927
7780913dc7d6
6720721: CRL check with circular depency support needed
xuelei
parents:
2
diff
changeset
|
393 |
} else { |
7780913dc7d6
6720721: CRL check with circular depency support needed
xuelei
parents:
2
diff
changeset
|
394 |
// in case of self-issued indirect CRL issuer. |
16492
4cd9aa345503
8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents:
13800
diff
changeset
|
395 |
KeyIdentifier certAKID = certImpl.getAuthKeyId(); |
4cd9aa345503
8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents:
13800
diff
changeset
|
396 |
KeyIdentifier crlAKID = crlImpl.getAuthKeyId(); |
2927
7780913dc7d6
6720721: CRL check with circular depency support needed
xuelei
parents:
2
diff
changeset
|
397 |
|
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
398 |
if (certAKID == null || crlAKID == null) { |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
399 |
// cannot recognize indirect CRL without AKID |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
400 |
|
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
401 |
// we accept the case that a CRL issuer provide status |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
402 |
// information for itself. |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
403 |
if (issues(certImpl, crlImpl, provider)) { |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
404 |
// reset the public key used to verify the CRL's signature |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
405 |
prevKey = certImpl.getPublicKey(); |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
406 |
} |
16492
4cd9aa345503
8010112: NullPointerException in sun.security.provider.certpath.CertId()
mullan
parents:
13800
diff
changeset
|
407 |
} else if (!certAKID.equals(crlAKID)) { |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
408 |
// we accept the case that a CRL issuer provide status |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
409 |
// information for itself. |
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
410 |
if (issues(certImpl, crlImpl, provider)) { |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
411 |
// reset the public key used to verify the CRL's signature |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
412 |
prevKey = certImpl.getPublicKey(); |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
413 |
} else { |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
414 |
indirectCRL = true; |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
415 |
} |
2927
7780913dc7d6
6720721: CRL check with circular depency support needed
xuelei
parents:
2
diff
changeset
|
416 |
} |
2 | 417 |
} |
418 |
||
419 |
if (!indirectCRL && !signFlag) { |
|
420 |
// cert's key cannot be used to verify the CRL |
|
421 |
return false; |
|
422 |
} |
|
423 |
||
424 |
if (idpExt != null) { |
|
425 |
DistributionPointName idpPoint = (DistributionPointName) |
|
426 |
idpExt.get(IssuingDistributionPointExtension.POINT); |
|
427 |
if (idpPoint != null) { |
|
428 |
GeneralNames idpNames = idpPoint.getFullName(); |
|
429 |
if (idpNames == null) { |
|
430 |
RDN relativeName = idpPoint.getRelativeName(); |
|
431 |
if (relativeName == null) { |
|
432 |
if (debug != null) { |
|
433 |
debug.println("IDP must be relative or full DN"); |
|
434 |
} |
|
435 |
return false; |
|
436 |
} |
|
437 |
if (debug != null) { |
|
438 |
debug.println("IDP relativeName:" + relativeName); |
|
439 |
} |
|
440 |
idpNames = getFullNames(crlIssuer, relativeName); |
|
441 |
} |
|
442 |
// if the DP name is present in the IDP CRL extension and the |
|
443 |
// DP field is present in the DP, then verify that one of the |
|
444 |
// names in the IDP matches one of the names in the DP |
|
445 |
if (point.getFullName() != null || |
|
446 |
point.getRelativeName() != null) { |
|
447 |
GeneralNames pointNames = point.getFullName(); |
|
448 |
if (pointNames == null) { |
|
449 |
RDN relativeName = point.getRelativeName(); |
|
450 |
if (relativeName == null) { |
|
451 |
if (debug != null) { |
|
452 |
debug.println("DP must be relative or full DN"); |
|
453 |
} |
|
454 |
return false; |
|
455 |
} |
|
456 |
if (debug != null) { |
|
457 |
debug.println("DP relativeName:" + relativeName); |
|
458 |
} |
|
459 |
if (indirectCRL) { |
|
460 |
if (pointCrlIssuers.size() != 1) { |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
461 |
// RFC 5280: there must be only 1 CRL issuer |
2 | 462 |
// name when relativeName is present |
463 |
if (debug != null) { |
|
464 |
debug.println("must only be one CRL " + |
|
465 |
"issuer when relative name present"); |
|
466 |
} |
|
467 |
return false; |
|
468 |
} |
|
469 |
pointNames = getFullNames |
|
470 |
(pointCrlIssuer, relativeName); |
|
471 |
} else { |
|
472 |
pointNames = getFullNames(certIssuer, relativeName); |
|
473 |
} |
|
474 |
} |
|
475 |
boolean match = false; |
|
476 |
for (Iterator<GeneralName> i = idpNames.iterator(); |
|
477 |
!match && i.hasNext(); ) { |
|
478 |
GeneralNameInterface idpName = i.next().getName(); |
|
479 |
if (debug != null) { |
|
480 |
debug.println("idpName: " + idpName); |
|
481 |
} |
|
482 |
for (Iterator<GeneralName> p = pointNames.iterator(); |
|
483 |
!match && p.hasNext(); ) { |
|
484 |
GeneralNameInterface pointName = p.next().getName(); |
|
485 |
if (debug != null) { |
|
486 |
debug.println("pointName: " + pointName); |
|
487 |
} |
|
488 |
match = idpName.equals(pointName); |
|
489 |
} |
|
490 |
} |
|
491 |
if (!match) { |
|
492 |
if (debug != null) { |
|
493 |
debug.println("IDP name does not match DP name"); |
|
494 |
} |
|
495 |
return false; |
|
496 |
} |
|
497 |
// if the DP name is present in the IDP CRL extension and the |
|
498 |
// DP field is absent from the DP, then verify that one of the |
|
499 |
// names in the IDP matches one of the names in the crlIssuer |
|
500 |
// field of the DP |
|
501 |
} else { |
|
502 |
// verify that one of the names in the IDP matches one of |
|
503 |
// the names in the cRLIssuer of the cert's DP |
|
504 |
boolean match = false; |
|
505 |
for (Iterator<GeneralName> t = pointCrlIssuers.iterator(); |
|
506 |
!match && t.hasNext(); ) { |
|
507 |
GeneralNameInterface crlIssuerName = t.next().getName(); |
|
508 |
for (Iterator<GeneralName> i = idpNames.iterator(); |
|
509 |
!match && i.hasNext(); ) { |
|
510 |
GeneralNameInterface idpName = i.next().getName(); |
|
511 |
match = crlIssuerName.equals(idpName); |
|
512 |
} |
|
513 |
} |
|
514 |
if (!match) { |
|
515 |
return false; |
|
516 |
} |
|
517 |
} |
|
518 |
} |
|
519 |
||
520 |
// if the onlyContainsUserCerts boolean is asserted, verify that the |
|
521 |
// cert is not a CA cert |
|
522 |
Boolean b = (Boolean) |
|
523 |
idpExt.get(IssuingDistributionPointExtension.ONLY_USER_CERTS); |
|
524 |
if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() != -1) { |
|
525 |
if (debug != null) { |
|
526 |
debug.println("cert must be a EE cert"); |
|
527 |
} |
|
528 |
return false; |
|
529 |
} |
|
530 |
||
531 |
// if the onlyContainsCACerts boolean is asserted, verify that the |
|
532 |
// cert is a CA cert |
|
533 |
b = (Boolean) |
|
534 |
idpExt.get(IssuingDistributionPointExtension.ONLY_CA_CERTS); |
|
535 |
if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() == -1) { |
|
536 |
if (debug != null) { |
|
537 |
debug.println("cert must be a CA cert"); |
|
538 |
} |
|
539 |
return false; |
|
540 |
} |
|
541 |
||
542 |
// verify that the onlyContainsAttributeCerts boolean is not |
|
543 |
// asserted |
|
544 |
b = (Boolean) idpExt.get |
|
545 |
(IssuingDistributionPointExtension.ONLY_ATTRIBUTE_CERTS); |
|
546 |
if (b.equals(Boolean.TRUE)) { |
|
547 |
if (debug != null) { |
|
548 |
debug.println("cert must not be an AA cert"); |
|
549 |
} |
|
550 |
return false; |
|
551 |
} |
|
552 |
} |
|
553 |
||
554 |
// compute interim reasons mask |
|
555 |
boolean[] interimReasonsMask = new boolean[9]; |
|
556 |
ReasonFlags reasons = null; |
|
557 |
if (idpExt != null) { |
|
558 |
reasons = (ReasonFlags) |
|
559 |
idpExt.get(IssuingDistributionPointExtension.REASONS); |
|
560 |
} |
|
561 |
||
562 |
boolean[] pointReasonFlags = point.getReasonFlags(); |
|
563 |
if (reasons != null) { |
|
564 |
if (pointReasonFlags != null) { |
|
565 |
// set interim reasons mask to the intersection of |
|
566 |
// reasons in the DP and onlySomeReasons in the IDP |
|
567 |
boolean[] idpReasonFlags = reasons.getFlags(); |
|
29917 | 568 |
for (int i = 0; i < interimReasonsMask.length; i++) { |
569 |
interimReasonsMask[i] = |
|
570 |
(i < idpReasonFlags.length && idpReasonFlags[i]) && |
|
571 |
(i < pointReasonFlags.length && pointReasonFlags[i]); |
|
2 | 572 |
} |
573 |
} else { |
|
574 |
// set interim reasons mask to the value of |
|
575 |
// onlySomeReasons in the IDP (and clone it since we may |
|
576 |
// modify it) |
|
577 |
interimReasonsMask = reasons.getFlags().clone(); |
|
578 |
} |
|
579 |
} else if (idpExt == null || reasons == null) { |
|
580 |
if (pointReasonFlags != null) { |
|
581 |
// set interim reasons mask to the value of DP reasons |
|
582 |
interimReasonsMask = pointReasonFlags.clone(); |
|
583 |
} else { |
|
584 |
// set interim reasons mask to the special value all-reasons |
|
585 |
Arrays.fill(interimReasonsMask, true); |
|
586 |
} |
|
587 |
} |
|
588 |
||
589 |
// verify that interim reasons mask includes one or more reasons |
|
590 |
// not included in the reasons mask |
|
591 |
boolean oneOrMore = false; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
592 |
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) { |
29917 | 593 |
if (interimReasonsMask[i] && |
594 |
!(i < reasonsMask.length && reasonsMask[i])) |
|
595 |
{ |
|
2 | 596 |
oneOrMore = true; |
597 |
} |
|
598 |
} |
|
599 |
if (!oneOrMore) { |
|
600 |
return false; |
|
601 |
} |
|
602 |
||
603 |
// Obtain and validate the certification path for the complete |
|
604 |
// CRL issuer (if indirect CRL). If a key usage extension is present |
|
605 |
// in the CRL issuer's certificate, verify that the cRLSign bit is set. |
|
606 |
if (indirectCRL) { |
|
607 |
X509CertSelector certSel = new X509CertSelector(); |
|
608 |
certSel.setSubject(crlIssuer.asX500Principal()); |
|
609 |
boolean[] crlSign = {false,false,false,false,false,false,true}; |
|
610 |
certSel.setKeyUsage(crlSign); |
|
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
611 |
|
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
612 |
// Currently by default, forward builder does not enable |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
613 |
// subject/authority key identifier identifying for target |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
614 |
// certificate, instead, it only compares the CRL issuer and |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
615 |
// the target certificate subject. If the certificate of the |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
616 |
// delegated CRL issuer is a self-issued certificate, the |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
617 |
// builder is unable to find the proper CRL issuer by issuer |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
618 |
// name only, there is a potential dead loop on finding the |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
619 |
// proper issuer. It is of great help to narrow the target |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
620 |
// scope down to aware of authority key identifiers in the |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
621 |
// selector, for the purposes of breaking the dead loop. |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
622 |
AuthorityKeyIdentifierExtension akidext = |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
623 |
crlImpl.getAuthKeyIdExtension(); |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
624 |
if (akidext != null) { |
33820
be91931ea4b2
8072463: Remove requirement that AKID and SKID have to match when building certificate chain
mullan
parents:
32502
diff
changeset
|
625 |
byte[] kid = akidext.getEncodedKeyIdentifier(); |
be91931ea4b2
8072463: Remove requirement that AKID and SKID have to match when building certificate chain
mullan
parents:
32502
diff
changeset
|
626 |
if (kid != null) { |
be91931ea4b2
8072463: Remove requirement that AKID and SKID have to match when building certificate chain
mullan
parents:
32502
diff
changeset
|
627 |
certSel.setSubjectKeyIdentifier(kid); |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
628 |
} |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
629 |
|
10336
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9511
diff
changeset
|
630 |
SerialNumber asn = (SerialNumber)akidext.get( |
0bb1999251f8
7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror
jjg
parents:
9511
diff
changeset
|
631 |
AuthorityKeyIdentifierExtension.SERIAL_NUMBER); |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
632 |
if (asn != null) { |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
633 |
certSel.setSerialNumber(asn.getNumber()); |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
634 |
} |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
635 |
// the subject criterion will be set by builder automatically. |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
636 |
} |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
637 |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
638 |
// By now, we have validated the previous certificate, so we can |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
639 |
// trust it during the validation of the CRL issuer. |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
640 |
// In addition to the performance improvement, another benefit is to |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
641 |
// break the dead loop while looking for the issuer back and forth |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
642 |
// between the delegated self-issued certificate and its issuer. |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
643 |
Set<TrustAnchor> newTrustAnchors = new HashSet<>(trustAnchors); |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
644 |
|
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
645 |
if (prevKey != null) { |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
646 |
// Add the previous certificate as a trust anchor. |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
647 |
// If prevCert is not null, we want to construct a TrustAnchor |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
648 |
// using the cert object because when the certpath for the CRL |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
649 |
// is built later, the CertSelector will make comparisons with |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
650 |
// the TrustAnchor's trustedCert member rather than its pubKey. |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
651 |
TrustAnchor temporary; |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
652 |
if (prevCert != null) { |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
653 |
temporary = new TrustAnchor(prevCert, null); |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
654 |
} else { |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
655 |
X500Principal principal = certImpl.getIssuerX500Principal(); |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
656 |
temporary = new TrustAnchor(principal, prevKey, null); |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
17044
diff
changeset
|
657 |
} |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
658 |
newTrustAnchors.add(temporary); |
3225
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
659 |
} |
023603ebeb1f
6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
xuelei
parents:
2927
diff
changeset
|
660 |
|
2 | 661 |
PKIXBuilderParameters params = null; |
662 |
try { |
|
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
663 |
params = new PKIXBuilderParameters(newTrustAnchors, certSel); |
2 | 664 |
} catch (InvalidAlgorithmParameterException iape) { |
665 |
throw new CRLException(iape); |
|
666 |
} |
|
667 |
params.setCertStores(certStores); |
|
668 |
params.setSigProvider(provider); |
|
9511
8f315e0a7b18
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
mullan
parents:
9256
diff
changeset
|
669 |
params.setDate(validity); |
2 | 670 |
try { |
671 |
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); |
|
672 |
PKIXCertPathBuilderResult result = |
|
673 |
(PKIXCertPathBuilderResult) builder.build(params); |
|
674 |
prevKey = result.getPublicKey(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
675 |
} catch (GeneralSecurityException e) { |
2 | 676 |
throw new CRLException(e); |
677 |
} |
|
678 |
} |
|
679 |
||
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
680 |
// check the crl signature algorithm |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
681 |
try { |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
33820
diff
changeset
|
682 |
AlgorithmChecker.check(prevKey, crl, variant); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
683 |
} catch (CertPathValidatorException cpve) { |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
684 |
if (debug != null) { |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
685 |
debug.println("CRL signature algorithm check failed: " + cpve); |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
686 |
} |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
687 |
return false; |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
688 |
} |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
689 |
|
2 | 690 |
// validate the signature on the CRL |
691 |
try { |
|
692 |
crl.verify(prevKey, provider); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
693 |
} catch (GeneralSecurityException e) { |
2 | 694 |
if (debug != null) { |
695 |
debug.println("CRL signature failed to verify"); |
|
696 |
} |
|
697 |
return false; |
|
698 |
} |
|
699 |
||
700 |
// reject CRL if any unresolved critical extensions remain in the CRL. |
|
701 |
Set<String> unresCritExts = crl.getCriticalExtensionOIDs(); |
|
702 |
// remove any that we have processed |
|
703 |
if (unresCritExts != null) { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
704 |
unresCritExts.remove(IssuingDistributionPoint_Id.toString()); |
2 | 705 |
if (!unresCritExts.isEmpty()) { |
706 |
if (debug != null) { |
|
707 |
debug.println("Unrecognized critical extension(s) in CRL: " |
|
708 |
+ unresCritExts); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
709 |
for (String ext : unresCritExts) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
710 |
debug.println(ext); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
711 |
} |
2 | 712 |
} |
713 |
return false; |
|
714 |
} |
|
715 |
} |
|
716 |
||
717 |
// update reasonsMask |
|
29917 | 718 |
for (int i = 0; i < reasonsMask.length; i++) { |
719 |
reasonsMask[i] = reasonsMask[i] || |
|
720 |
(i < interimReasonsMask.length && interimReasonsMask[i]); |
|
2 | 721 |
} |
29917 | 722 |
|
2 | 723 |
return true; |
724 |
} |
|
725 |
||
726 |
/** |
|
727 |
* Append relative name to the issuer name and return a new |
|
728 |
* GeneralNames object. |
|
729 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
730 |
private static GeneralNames getFullNames(X500Name issuer, RDN rdn) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
731 |
throws IOException |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
732 |
{ |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
733 |
List<RDN> rdns = new ArrayList<>(issuer.rdns()); |
2 | 734 |
rdns.add(rdn); |
735 |
X500Name fullName = new X500Name(rdns.toArray(new RDN[0])); |
|
736 |
GeneralNames fullNames = new GeneralNames(); |
|
737 |
fullNames.add(new GeneralName(fullName)); |
|
738 |
return fullNames; |
|
739 |
} |
|
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
740 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
741 |
/** |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
742 |
* Verifies whether a CRL is issued by a certain certificate |
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
743 |
* |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
744 |
* @param cert the certificate |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
745 |
* @param crl the CRL to be verified |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
746 |
* @param provider the name of the signature provider |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
747 |
*/ |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
748 |
private static boolean issues(X509CertImpl cert, X509CRLImpl crl, |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
749 |
String provider) throws IOException |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
750 |
{ |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
751 |
boolean matched = false; |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
752 |
|
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
753 |
AdaptableX509CertSelector issuerSelector = |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
754 |
new AdaptableX509CertSelector(); |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
755 |
|
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
756 |
// check certificate's key usage |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
757 |
boolean[] usages = cert.getKeyUsage(); |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
758 |
if (usages != null) { |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
759 |
usages[6] = true; // cRLSign |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
760 |
issuerSelector.setKeyUsage(usages); |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
761 |
} |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
762 |
|
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
763 |
// check certificate's subject |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
764 |
X500Principal crlIssuer = crl.getIssuerX500Principal(); |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
765 |
issuerSelector.setSubject(crlIssuer); |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
766 |
|
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
767 |
/* |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
768 |
* Facilitate certification path construction with authority |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
769 |
* key identifier and subject key identifier. |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
770 |
* |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
771 |
* In practice, conforming CAs MUST use the key identifier method, |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
772 |
* and MUST include authority key identifier extension in all CRLs |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
773 |
* issued. [section 5.2.1, RFC 2459] |
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
774 |
*/ |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
775 |
AuthorityKeyIdentifierExtension crlAKID = crl.getAuthKeyIdExtension(); |
22977
f8f315760941
8025708: Certificate Path Building problem with AKI serial number
mullan
parents:
22107
diff
changeset
|
776 |
issuerSelector.setSkiAndSerialNumber(crlAKID); |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
777 |
|
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
778 |
matched = issuerSelector.match(cert); |
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
779 |
|
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
780 |
// if AKID is unreliable, verify the CRL signature with the cert |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
781 |
if (matched && (crlAKID == null || |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
782 |
cert.getAuthorityKeyIdentifierExtension() == null)) { |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
783 |
try { |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
784 |
crl.verify(cert.getPublicKey(), provider); |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
785 |
matched = true; |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
786 |
} catch (GeneralSecurityException e) { |
9256
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
787 |
matched = false; |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
788 |
} |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
789 |
} |
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
790 |
|
230442708954
6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62
xuelei
parents:
8163
diff
changeset
|
791 |
return matched; |
8163
d9bcc1208691
7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
xuelei
parents:
7040
diff
changeset
|
792 |
} |
2 | 793 |
} |