author | mullan |
Tue, 17 Jun 2008 10:34:51 -0400 | |
changeset 790 | b91742db13e2 |
parent 2 | 90ce3da70b43 |
child 1238 | 6d1f4b722acd |
permissions | -rw-r--r-- |
2 | 1 |
/* |
2 |
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved. |
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Sun designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Sun in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or |
|
23 |
* have any questions. |
|
24 |
*/ |
|
25 |
||
26 |
package sun.security.provider.certpath; |
|
27 |
||
28 |
import java.util.*; |
|
29 |
import java.io.IOException; |
|
30 |
||
31 |
import java.security.cert.Certificate; |
|
32 |
import java.security.cert.CertificateException; |
|
33 |
import java.security.cert.X509Certificate; |
|
34 |
import java.security.cert.PKIXCertPathChecker; |
|
35 |
import java.security.cert.CertPathValidatorException; |
|
36 |
import java.security.cert.PolicyNode; |
|
37 |
import java.security.cert.PolicyQualifierInfo; |
|
38 |
||
39 |
import sun.security.util.Debug; |
|
40 |
import sun.security.x509.CertificatePoliciesExtension; |
|
41 |
import sun.security.x509.PolicyConstraintsExtension; |
|
42 |
import sun.security.x509.PolicyMappingsExtension; |
|
43 |
import sun.security.x509.CertificatePolicyMap; |
|
44 |
import sun.security.x509.PKIXExtensions; |
|
45 |
import sun.security.x509.PolicyInformation; |
|
46 |
import sun.security.x509.X509CertImpl; |
|
47 |
import sun.security.x509.InhibitAnyPolicyExtension; |
|
48 |
||
49 |
/** |
|
50 |
* PolicyChecker is a <code>PKIXCertPathChecker</code> that checks policy |
|
51 |
* information on a PKIX certificate, namely certificate policies, policy |
|
52 |
* mappings, policy constraints and policy qualifiers. |
|
53 |
* |
|
54 |
* @since 1.4 |
|
55 |
* @author Yassir Elley |
|
56 |
*/ |
|
57 |
class PolicyChecker extends PKIXCertPathChecker { |
|
58 |
||
59 |
private final Set<String> initPolicies; |
|
60 |
private final int certPathLen; |
|
61 |
private final boolean expPolicyRequired; |
|
62 |
private final boolean polMappingInhibited; |
|
63 |
private final boolean anyPolicyInhibited; |
|
64 |
private final boolean rejectPolicyQualifiers; |
|
65 |
private PolicyNodeImpl rootNode; |
|
66 |
private int explicitPolicy; |
|
67 |
private int policyMapping; |
|
68 |
private int inhibitAnyPolicy; |
|
69 |
private int certIndex; |
|
70 |
||
790
b91742db13e2
6673277: Thread unsafe lazy initialization code in sun.security.provider.certpath.*Checker classes
mullan
parents:
2
diff
changeset
|
71 |
private Set<String> supportedExts; |
2 | 72 |
|
73 |
private static final Debug debug = Debug.getInstance("certpath"); |
|
74 |
static final String ANY_POLICY = "2.5.29.32.0"; |
|
75 |
||
76 |
/** |
|
77 |
* Constructs a Policy Checker. |
|
78 |
* |
|
79 |
* @param initialPolicies Set of initial policies |
|
80 |
* @param certPathLen length of the certification path to be checked |
|
81 |
* @param expPolicyRequired true if explicit policy is required |
|
82 |
* @param polMappingInhibited true if policy mapping is inhibited |
|
83 |
* @param anyPolicyInhibited true if the ANY_POLICY OID should be inhibited |
|
84 |
* @param rejectPolicyQualifiers true if pol qualifiers are to be rejected |
|
85 |
* @param rootNode the initial root node of the valid policy tree |
|
86 |
*/ |
|
87 |
PolicyChecker(Set<String> initialPolicies, int certPathLen, |
|
88 |
boolean expPolicyRequired, boolean polMappingInhibited, |
|
89 |
boolean anyPolicyInhibited, boolean rejectPolicyQualifiers, |
|
90 |
PolicyNodeImpl rootNode) throws CertPathValidatorException |
|
91 |
{ |
|
92 |
if (initialPolicies.isEmpty()) { |
|
93 |
// if no initialPolicies are specified by user, set |
|
94 |
// initPolicies to be anyPolicy by default |
|
95 |
this.initPolicies = new HashSet<String>(1); |
|
96 |
this.initPolicies.add(ANY_POLICY); |
|
97 |
} else { |
|
98 |
this.initPolicies = new HashSet<String>(initialPolicies); |
|
99 |
} |
|
100 |
this.certPathLen = certPathLen; |
|
101 |
this.expPolicyRequired = expPolicyRequired; |
|
102 |
this.polMappingInhibited = polMappingInhibited; |
|
103 |
this.anyPolicyInhibited = anyPolicyInhibited; |
|
104 |
this.rejectPolicyQualifiers = rejectPolicyQualifiers; |
|
105 |
this.rootNode = rootNode; |
|
106 |
init(false); |
|
107 |
} |
|
108 |
||
109 |
/** |
|
110 |
* Initializes the internal state of the checker from parameters |
|
111 |
* specified in the constructor |
|
112 |
* |
|
113 |
* @param forward a boolean indicating whether this checker should |
|
114 |
* be initialized capable of building in the forward direction |
|
115 |
* @exception CertPathValidatorException Exception thrown if user |
|
116 |
* wants to enable forward checking and forward checking is not supported. |
|
117 |
*/ |
|
118 |
public void init(boolean forward) throws CertPathValidatorException { |
|
119 |
if (forward) { |
|
120 |
throw new CertPathValidatorException |
|
121 |
("forward checking not supported"); |
|
122 |
} |
|
123 |
||
124 |
certIndex = 1; |
|
125 |
explicitPolicy = (expPolicyRequired ? 0 : certPathLen + 1); |
|
126 |
policyMapping = (polMappingInhibited ? 0 : certPathLen + 1); |
|
127 |
inhibitAnyPolicy = (anyPolicyInhibited ? 0 : certPathLen + 1); |
|
128 |
} |
|
129 |
||
130 |
/** |
|
131 |
* Checks if forward checking is supported. Forward checking refers |
|
132 |
* to the ability of the PKIXCertPathChecker to perform its checks |
|
133 |
* when presented with certificates in the forward direction (from |
|
134 |
* target to anchor). |
|
135 |
* |
|
136 |
* @return true if forward checking is supported, false otherwise |
|
137 |
*/ |
|
138 |
public boolean isForwardCheckingSupported() { |
|
139 |
return false; |
|
140 |
} |
|
141 |
||
142 |
/** |
|
143 |
* Gets an immutable Set of the OID strings for the extensions that |
|
144 |
* the PKIXCertPathChecker supports (i.e. recognizes, is able to |
|
145 |
* process), or null if no extensions are |
|
146 |
* supported. All OID strings that a PKIXCertPathChecker might |
|
147 |
* possibly be able to process should be included. |
|
148 |
* |
|
149 |
* @return the Set of extensions supported by this PKIXCertPathChecker, |
|
150 |
* or null if no extensions are supported |
|
151 |
*/ |
|
152 |
public Set<String> getSupportedExtensions() { |
|
153 |
if (supportedExts == null) { |
|
154 |
supportedExts = new HashSet<String>(); |
|
155 |
supportedExts.add(PKIXExtensions.CertificatePolicies_Id.toString()); |
|
156 |
supportedExts.add(PKIXExtensions.PolicyMappings_Id.toString()); |
|
157 |
supportedExts.add(PKIXExtensions.PolicyConstraints_Id.toString()); |
|
158 |
supportedExts.add(PKIXExtensions.InhibitAnyPolicy_Id.toString()); |
|
159 |
supportedExts = Collections.unmodifiableSet(supportedExts); |
|
160 |
} |
|
161 |
return supportedExts; |
|
162 |
} |
|
163 |
||
164 |
/** |
|
165 |
* Performs the policy processing checks on the certificate using its |
|
166 |
* internal state. |
|
167 |
* |
|
168 |
* @param cert the Certificate to be processed |
|
169 |
* @param unresCritExts the unresolved critical extensions |
|
170 |
* @exception CertPathValidatorException Exception thrown if |
|
171 |
* the certificate does not verify. |
|
172 |
*/ |
|
173 |
public void check(Certificate cert, Collection<String> unresCritExts) |
|
174 |
throws CertPathValidatorException |
|
175 |
{ |
|
176 |
// now do the policy checks |
|
177 |
checkPolicy((X509Certificate) cert); |
|
178 |
||
179 |
if (unresCritExts != null && !unresCritExts.isEmpty()) { |
|
180 |
unresCritExts.remove(PKIXExtensions.CertificatePolicies_Id.toString()); |
|
181 |
unresCritExts.remove(PKIXExtensions.PolicyMappings_Id.toString()); |
|
182 |
unresCritExts.remove(PKIXExtensions.PolicyConstraints_Id.toString()); |
|
183 |
unresCritExts.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString()); |
|
184 |
} |
|
185 |
} |
|
186 |
||
187 |
/** |
|
188 |
* Internal method to run through all the checks. |
|
189 |
* |
|
190 |
* @param currCert the certificate to be processed |
|
191 |
* @exception CertPathValidatorException Exception thrown if |
|
192 |
* the certificate does not verify |
|
193 |
*/ |
|
194 |
private void checkPolicy(X509Certificate currCert) |
|
195 |
throws CertPathValidatorException |
|
196 |
{ |
|
197 |
String msg = "certificate policies"; |
|
198 |
if (debug != null) { |
|
199 |
debug.println("PolicyChecker.checkPolicy() ---checking " + msg |
|
200 |
+ "..."); |
|
201 |
debug.println("PolicyChecker.checkPolicy() certIndex = " |
|
202 |
+ certIndex); |
|
203 |
debug.println("PolicyChecker.checkPolicy() BEFORE PROCESSING: " |
|
204 |
+ "explicitPolicy = " + explicitPolicy); |
|
205 |
debug.println("PolicyChecker.checkPolicy() BEFORE PROCESSING: " |
|
206 |
+ "policyMapping = " + policyMapping); |
|
207 |
debug.println("PolicyChecker.checkPolicy() BEFORE PROCESSING: " |
|
208 |
+ "inhibitAnyPolicy = " + inhibitAnyPolicy); |
|
209 |
debug.println("PolicyChecker.checkPolicy() BEFORE PROCESSING: " |
|
210 |
+ "policyTree = " + rootNode); |
|
211 |
} |
|
212 |
||
213 |
X509CertImpl currCertImpl = null; |
|
214 |
try { |
|
215 |
currCertImpl = X509CertImpl.toImpl(currCert); |
|
216 |
} catch (CertificateException ce) { |
|
217 |
throw new CertPathValidatorException(ce); |
|
218 |
} |
|
219 |
||
220 |
boolean finalCert = (certIndex == certPathLen); |
|
221 |
||
222 |
rootNode = processPolicies(certIndex, initPolicies, explicitPolicy, |
|
223 |
policyMapping, inhibitAnyPolicy, rejectPolicyQualifiers, rootNode, |
|
224 |
currCertImpl, finalCert); |
|
225 |
||
226 |
if (!finalCert) { |
|
227 |
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCertImpl, |
|
228 |
finalCert); |
|
229 |
policyMapping = mergePolicyMapping(policyMapping, currCertImpl); |
|
230 |
inhibitAnyPolicy = mergeInhibitAnyPolicy(inhibitAnyPolicy, |
|
231 |
currCertImpl); |
|
232 |
} |
|
233 |
||
234 |
certIndex++; |
|
235 |
||
236 |
if (debug != null) { |
|
237 |
debug.println("PolicyChecker.checkPolicy() AFTER PROCESSING: " |
|
238 |
+ "explicitPolicy = " + explicitPolicy); |
|
239 |
debug.println("PolicyChecker.checkPolicy() AFTER PROCESSING: " |
|
240 |
+ "policyMapping = " + policyMapping); |
|
241 |
debug.println("PolicyChecker.checkPolicy() AFTER PROCESSING: " |
|
242 |
+ "inhibitAnyPolicy = " + inhibitAnyPolicy); |
|
243 |
debug.println("PolicyChecker.checkPolicy() AFTER PROCESSING: " |
|
244 |
+ "policyTree = " + rootNode); |
|
245 |
debug.println("PolicyChecker.checkPolicy() " + msg + " verified"); |
|
246 |
} |
|
247 |
} |
|
248 |
||
249 |
/** |
|
250 |
* Merges the specified explicitPolicy value with the |
|
251 |
* requireExplicitPolicy field of the <code>PolicyConstraints</code> |
|
252 |
* extension obtained from the certificate. An explicitPolicy |
|
253 |
* value of -1 implies no constraint. |
|
254 |
* |
|
255 |
* @param explicitPolicy an integer which indicates if a non-null |
|
256 |
* valid policy tree is required |
|
257 |
* @param currCert the Certificate to be processed |
|
258 |
* @param finalCert a boolean indicating whether currCert is |
|
259 |
* the final cert in the cert path |
|
260 |
* @return returns the new explicitPolicy value |
|
261 |
* @exception CertPathValidatorException Exception thrown if an error |
|
262 |
* occurs |
|
263 |
*/ |
|
264 |
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, |
|
265 |
boolean finalCert) throws CertPathValidatorException |
|
266 |
{ |
|
267 |
if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { |
|
268 |
explicitPolicy--; |
|
269 |
} |
|
270 |
||
271 |
try { |
|
272 |
PolicyConstraintsExtension polConstExt |
|
273 |
= currCert.getPolicyConstraintsExtension(); |
|
274 |
if (polConstExt == null) |
|
275 |
return explicitPolicy; |
|
276 |
int require = ((Integer) |
|
277 |
polConstExt.get(PolicyConstraintsExtension.REQUIRE)).intValue(); |
|
278 |
if (debug != null) { |
|
279 |
debug.println("PolicyChecker.mergeExplicitPolicy() " |
|
280 |
+ "require Index from cert = " + require); |
|
281 |
} |
|
282 |
if (!finalCert) { |
|
283 |
if (require != -1) { |
|
284 |
if ((explicitPolicy == -1) || (require < explicitPolicy)) { |
|
285 |
explicitPolicy = require; |
|
286 |
} |
|
287 |
} |
|
288 |
} else { |
|
289 |
if (require == 0) |
|
290 |
explicitPolicy = require; |
|
291 |
} |
|
292 |
} catch (Exception e) { |
|
293 |
if (debug != null) { |
|
294 |
debug.println("PolicyChecker.mergeExplicitPolicy " |
|
295 |
+ "unexpected exception"); |
|
296 |
e.printStackTrace(); |
|
297 |
} |
|
298 |
throw new CertPathValidatorException(e); |
|
299 |
} |
|
300 |
||
301 |
return explicitPolicy; |
|
302 |
} |
|
303 |
||
304 |
/** |
|
305 |
* Merges the specified policyMapping value with the |
|
306 |
* inhibitPolicyMapping field of the <code>PolicyConstraints</code> |
|
307 |
* extension obtained from the certificate. A policyMapping |
|
308 |
* value of -1 implies no constraint. |
|
309 |
* |
|
310 |
* @param policyMapping an integer which indicates if policy mapping |
|
311 |
* is inhibited |
|
312 |
* @param currCert the Certificate to be processed |
|
313 |
* @return returns the new policyMapping value |
|
314 |
* @exception CertPathValidatorException Exception thrown if an error |
|
315 |
* occurs |
|
316 |
*/ |
|
317 |
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert) |
|
318 |
throws CertPathValidatorException |
|
319 |
{ |
|
320 |
if ((policyMapping > 0) && !X509CertImpl.isSelfIssued(currCert)) { |
|
321 |
policyMapping--; |
|
322 |
} |
|
323 |
||
324 |
try { |
|
325 |
PolicyConstraintsExtension polConstExt |
|
326 |
= currCert.getPolicyConstraintsExtension(); |
|
327 |
if (polConstExt == null) |
|
328 |
return policyMapping; |
|
329 |
||
330 |
int inhibit = ((Integer) |
|
331 |
polConstExt.get(PolicyConstraintsExtension.INHIBIT)).intValue(); |
|
332 |
if (debug != null) |
|
333 |
debug.println("PolicyChecker.mergePolicyMapping() " |
|
334 |
+ "inhibit Index from cert = " + inhibit); |
|
335 |
||
336 |
if (inhibit != -1) { |
|
337 |
if ((policyMapping == -1) || (inhibit < policyMapping)) { |
|
338 |
policyMapping = inhibit; |
|
339 |
} |
|
340 |
} |
|
341 |
} catch (Exception e) { |
|
342 |
if (debug != null) { |
|
343 |
debug.println("PolicyChecker.mergePolicyMapping " |
|
344 |
+ "unexpected exception"); |
|
345 |
e.printStackTrace(); |
|
346 |
} |
|
347 |
throw new CertPathValidatorException(e); |
|
348 |
} |
|
349 |
||
350 |
return policyMapping; |
|
351 |
} |
|
352 |
||
353 |
/** |
|
354 |
* Merges the specified inhibitAnyPolicy value with the |
|
355 |
* SkipCerts value of the InhibitAnyPolicy |
|
356 |
* extension obtained from the certificate. |
|
357 |
* |
|
358 |
* @param inhibitAnyPolicy an integer which indicates whether |
|
359 |
* "any-policy" is considered a match |
|
360 |
* @param currCert the Certificate to be processed |
|
361 |
* @return returns the new inhibitAnyPolicy value |
|
362 |
* @exception CertPathValidatorException Exception thrown if an error |
|
363 |
* occurs |
|
364 |
*/ |
|
365 |
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy, |
|
366 |
X509CertImpl currCert) throws CertPathValidatorException |
|
367 |
{ |
|
368 |
if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { |
|
369 |
inhibitAnyPolicy--; |
|
370 |
} |
|
371 |
||
372 |
try { |
|
373 |
InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension) |
|
374 |
currCert.getExtension(PKIXExtensions.InhibitAnyPolicy_Id); |
|
375 |
if (inhAnyPolExt == null) |
|
376 |
return inhibitAnyPolicy; |
|
377 |
||
378 |
int skipCerts = ((Integer) |
|
379 |
inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS)).intValue(); |
|
380 |
if (debug != null) |
|
381 |
debug.println("PolicyChecker.mergeInhibitAnyPolicy() " |
|
382 |
+ "skipCerts Index from cert = " + skipCerts); |
|
383 |
||
384 |
if (skipCerts != -1) { |
|
385 |
if (skipCerts < inhibitAnyPolicy) { |
|
386 |
inhibitAnyPolicy = skipCerts; |
|
387 |
} |
|
388 |
} |
|
389 |
} catch (Exception e) { |
|
390 |
if (debug != null) { |
|
391 |
debug.println("PolicyChecker.mergeInhibitAnyPolicy " |
|
392 |
+ "unexpected exception"); |
|
393 |
e.printStackTrace(); |
|
394 |
} |
|
395 |
throw new CertPathValidatorException(e); |
|
396 |
} |
|
397 |
||
398 |
return inhibitAnyPolicy; |
|
399 |
} |
|
400 |
||
401 |
/** |
|
402 |
* Processes certificate policies in the certificate. |
|
403 |
* |
|
404 |
* @param certIndex the index of the certificate |
|
405 |
* @param initPolicies the initial policies required by the user |
|
406 |
* @param explicitPolicy an integer which indicates if a non-null |
|
407 |
* valid policy tree is required |
|
408 |
* @param policyMapping an integer which indicates if policy |
|
409 |
* mapping is inhibited |
|
410 |
* @param inhibitAnyPolicy an integer which indicates whether |
|
411 |
* "any-policy" is considered a match |
|
412 |
* @param rejectPolicyQualifiers a boolean indicating whether the |
|
413 |
* user wants to reject policies that have qualifiers |
|
414 |
* @param origRootNode the root node of the valid policy tree |
|
415 |
* @param currCert the Certificate to be processed |
|
416 |
* @param finalCert a boolean indicating whether currCert is the final |
|
417 |
* cert in the cert path |
|
418 |
* @return the root node of the valid policy tree after modification |
|
419 |
* @exception CertPathValidatorException Exception thrown if an |
|
420 |
* error occurs while processing policies. |
|
421 |
*/ |
|
422 |
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, |
|
423 |
int explicitPolicy, int policyMapping, int inhibitAnyPolicy, |
|
424 |
boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, |
|
425 |
X509CertImpl currCert, boolean finalCert) |
|
426 |
throws CertPathValidatorException |
|
427 |
{ |
|
428 |
boolean policiesCritical = false; |
|
429 |
List<PolicyInformation> policyInfo; |
|
430 |
PolicyNodeImpl rootNode = null; |
|
431 |
Set<PolicyQualifierInfo> anyQuals = new HashSet<PolicyQualifierInfo>(); |
|
432 |
||
433 |
if (origRootNode == null) |
|
434 |
rootNode = null; |
|
435 |
else |
|
436 |
rootNode = origRootNode.copyTree(); |
|
437 |
||
438 |
// retrieve policyOIDs from currCert |
|
439 |
CertificatePoliciesExtension currCertPolicies |
|
440 |
= currCert.getCertificatePoliciesExtension(); |
|
441 |
||
442 |
// PKIX: Section 6.1.3: Step (d) |
|
443 |
if ((currCertPolicies != null) && (rootNode != null)) { |
|
444 |
policiesCritical = currCertPolicies.isCritical(); |
|
445 |
if (debug != null) |
|
446 |
debug.println("PolicyChecker.processPolicies() " |
|
447 |
+ "policiesCritical = " + policiesCritical); |
|
448 |
||
449 |
try { |
|
450 |
policyInfo = (List<PolicyInformation>) |
|
451 |
currCertPolicies.get(CertificatePoliciesExtension.POLICIES); |
|
452 |
} catch (IOException ioe) { |
|
453 |
throw new CertPathValidatorException("Exception while " |
|
454 |
+ "retrieving policyOIDs", ioe); |
|
455 |
} |
|
456 |
||
457 |
if (debug != null) |
|
458 |
debug.println("PolicyChecker.processPolicies() " |
|
459 |
+ "rejectPolicyQualifiers = " + rejectPolicyQualifiers); |
|
460 |
||
461 |
boolean foundAnyPolicy = false; |
|
462 |
||
463 |
// process each policy in cert |
|
464 |
for (PolicyInformation curPolInfo : policyInfo) { |
|
465 |
String curPolicy = |
|
466 |
curPolInfo.getPolicyIdentifier().getIdentifier().toString(); |
|
467 |
||
468 |
if (curPolicy.equals(ANY_POLICY)) { |
|
469 |
foundAnyPolicy = true; |
|
470 |
anyQuals = curPolInfo.getPolicyQualifiers(); |
|
471 |
} else { |
|
472 |
// PKIX: Section 6.1.3: Step (d)(1) |
|
473 |
if (debug != null) |
|
474 |
debug.println("PolicyChecker.processPolicies() " |
|
475 |
+ "processing policy: " + curPolicy); |
|
476 |
||
477 |
// retrieve policy qualifiers from cert |
|
478 |
Set<PolicyQualifierInfo> pQuals = |
|
479 |
curPolInfo.getPolicyQualifiers(); |
|
480 |
||
481 |
// reject cert if we find critical policy qualifiers and |
|
482 |
// the policyQualifiersRejected flag is set in the params |
|
483 |
if (!pQuals.isEmpty() && rejectPolicyQualifiers && |
|
484 |
policiesCritical) { |
|
485 |
throw new CertPathValidatorException("critical " + |
|
486 |
"policy qualifiers present in certificate"); |
|
487 |
} |
|
488 |
||
489 |
// PKIX: Section 6.1.3: Step (d)(1)(i) |
|
490 |
boolean foundMatch = processParents(certIndex, |
|
491 |
policiesCritical, rejectPolicyQualifiers, rootNode, |
|
492 |
curPolicy, pQuals, false); |
|
493 |
||
494 |
if (!foundMatch) { |
|
495 |
// PKIX: Section 6.1.3: Step (d)(1)(ii) |
|
496 |
processParents(certIndex, policiesCritical, |
|
497 |
rejectPolicyQualifiers, rootNode, curPolicy, |
|
498 |
pQuals, true); |
|
499 |
} |
|
500 |
} |
|
501 |
} |
|
502 |
||
503 |
// PKIX: Section 6.1.3: Step (d)(2) |
|
504 |
if (foundAnyPolicy) { |
|
505 |
if ((inhibitAnyPolicy > 0) || |
|
506 |
(!finalCert && X509CertImpl.isSelfIssued(currCert))) { |
|
507 |
if (debug != null) { |
|
508 |
debug.println("PolicyChecker.processPolicies() " |
|
509 |
+ "processing policy: " + ANY_POLICY); |
|
510 |
} |
|
511 |
processParents(certIndex, policiesCritical, |
|
512 |
rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, |
|
513 |
true); |
|
514 |
} |
|
515 |
} |
|
516 |
||
517 |
// PKIX: Section 6.1.3: Step (d)(3) |
|
518 |
rootNode.prune(certIndex); |
|
519 |
if (!rootNode.getChildren().hasNext()) { |
|
520 |
rootNode = null; |
|
521 |
} |
|
522 |
} else if (currCertPolicies == null) { |
|
523 |
if (debug != null) |
|
524 |
debug.println("PolicyChecker.processPolicies() " |
|
525 |
+ "no policies present in cert"); |
|
526 |
// PKIX: Section 6.1.3: Step (e) |
|
527 |
rootNode = null; |
|
528 |
} |
|
529 |
||
530 |
// We delay PKIX: Section 6.1.3: Step (f) to the end |
|
531 |
// because the code that follows may delete some nodes |
|
532 |
// resulting in a null tree |
|
533 |
if (rootNode != null) { |
|
534 |
if (!finalCert) { |
|
535 |
// PKIX: Section 6.1.4: Steps (a)-(b) |
|
536 |
rootNode = processPolicyMappings(currCert, certIndex, |
|
537 |
policyMapping, rootNode, policiesCritical, anyQuals); |
|
538 |
} |
|
539 |
} |
|
540 |
||
541 |
// At this point, we optimize the PKIX algorithm by |
|
542 |
// removing those nodes which would later have |
|
543 |
// been removed by PKIX: Section 6.1.5: Step (g)(iii) |
|
544 |
||
545 |
if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) |
|
546 |
&& (currCertPolicies != null)) { |
|
547 |
rootNode = removeInvalidNodes(rootNode, certIndex, |
|
548 |
initPolicies, currCertPolicies); |
|
549 |
||
550 |
// PKIX: Section 6.1.5: Step (g)(iii) |
|
551 |
if ((rootNode != null) && finalCert) { |
|
552 |
// rewrite anyPolicy leaf nodes (see method comments) |
|
553 |
rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode); |
|
554 |
} |
|
555 |
} |
|
556 |
||
557 |
||
558 |
if (finalCert) { |
|
559 |
// PKIX: Section 6.1.5: Steps (a) and (b) |
|
560 |
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, |
|
561 |
finalCert); |
|
562 |
} |
|
563 |
||
564 |
// PKIX: Section 6.1.3: Step (f) |
|
565 |
// verify that either explicit policy is greater than 0 or |
|
566 |
// the valid_policy_tree is not equal to NULL |
|
567 |
||
568 |
if ((explicitPolicy == 0) && (rootNode == null)) { |
|
569 |
throw new CertPathValidatorException |
|
570 |
("non-null policy tree required and policy tree is null"); |
|
571 |
} |
|
572 |
||
573 |
return rootNode; |
|
574 |
} |
|
575 |
||
576 |
/** |
|
577 |
* Rewrite leaf nodes at the end of validation as described in RFC 3280 |
|
578 |
* section 6.1.5: Step (g)(iii). Leaf nodes with anyPolicy are replaced |
|
579 |
* by nodes explicitly representing initial policies not already |
|
580 |
* represented by leaf nodes. |
|
581 |
* |
|
582 |
* This method should only be called when processing the final cert |
|
583 |
* and if the policy tree is not null and initial policies is not |
|
584 |
* anyPolicy. |
|
585 |
* |
|
586 |
* @param certIndex the depth of the tree |
|
587 |
* @param initPolicies Set of user specified initial policies |
|
588 |
* @param rootNode the root of the policy tree |
|
589 |
*/ |
|
590 |
private static PolicyNodeImpl rewriteLeafNodes(int certIndex, |
|
591 |
Set<String> initPolicies, PolicyNodeImpl rootNode) { |
|
592 |
Set<PolicyNodeImpl> anyNodes = |
|
593 |
rootNode.getPolicyNodesValid(certIndex, ANY_POLICY); |
|
594 |
if (anyNodes.isEmpty()) { |
|
595 |
return rootNode; |
|
596 |
} |
|
597 |
PolicyNodeImpl anyNode = anyNodes.iterator().next(); |
|
598 |
PolicyNodeImpl parentNode = (PolicyNodeImpl)anyNode.getParent(); |
|
599 |
parentNode.deleteChild(anyNode); |
|
600 |
// see if there are any initialPolicies not represented by leaf nodes |
|
601 |
Set<String> initial = new HashSet<String>(initPolicies); |
|
602 |
for (PolicyNodeImpl node : rootNode.getPolicyNodes(certIndex)) { |
|
603 |
initial.remove(node.getValidPolicy()); |
|
604 |
} |
|
605 |
if (initial.isEmpty()) { |
|
606 |
// we deleted the anyPolicy node and have nothing to re-add, |
|
607 |
// so we need to prune the tree |
|
608 |
rootNode.prune(certIndex); |
|
609 |
if (rootNode.getChildren().hasNext() == false) { |
|
610 |
rootNode = null; |
|
611 |
} |
|
612 |
} else { |
|
613 |
boolean anyCritical = anyNode.isCritical(); |
|
614 |
Set<PolicyQualifierInfo> anyQualifiers = |
|
615 |
anyNode.getPolicyQualifiers(); |
|
616 |
for (String policy : initial) { |
|
617 |
Set<String> expectedPolicies = Collections.singleton(policy); |
|
618 |
PolicyNodeImpl node = new PolicyNodeImpl(parentNode, policy, |
|
619 |
anyQualifiers, anyCritical, expectedPolicies, false); |
|
620 |
} |
|
621 |
} |
|
622 |
return rootNode; |
|
623 |
} |
|
624 |
||
625 |
/** |
|
626 |
* Finds the policy nodes of depth (certIndex-1) where curPolicy |
|
627 |
* is in the expected policy set and creates a new child node |
|
628 |
* appropriately. If matchAny is true, then a value of ANY_POLICY |
|
629 |
* in the expected policy set will match any curPolicy. If matchAny |
|
630 |
* is false, then the expected policy set must exactly contain the |
|
631 |
* curPolicy to be considered a match. This method returns a boolean |
|
632 |
* value indicating whether a match was found. |
|
633 |
* |
|
634 |
* @param certIndex the index of the certificate whose policy is |
|
635 |
* being processed |
|
636 |
* @param policiesCritical a boolean indicating whether the certificate |
|
637 |
* policies extension is critical |
|
638 |
* @param rejectPolicyQualifiers a boolean indicating whether the |
|
639 |
* user wants to reject policies that have qualifiers |
|
640 |
* @param rootNode the root node of the valid policy tree |
|
641 |
* @param curPolicy a String representing the policy being processed |
|
642 |
* @param pQuals the policy qualifiers of the policy being processed or an |
|
643 |
* empty Set if there are no qualifiers |
|
644 |
* @param matchAny a boolean indicating whether a value of ANY_POLICY |
|
645 |
* in the expected policy set will be considered a match |
|
646 |
* @return a boolean indicating whether a match was found |
|
647 |
* @exception CertPathValidatorException Exception thrown if error occurs. |
|
648 |
*/ |
|
649 |
private static boolean processParents(int certIndex, |
|
650 |
boolean policiesCritical, boolean rejectPolicyQualifiers, |
|
651 |
PolicyNodeImpl rootNode, String curPolicy, |
|
652 |
Set<PolicyQualifierInfo> pQuals, |
|
653 |
boolean matchAny) throws CertPathValidatorException |
|
654 |
{ |
|
655 |
boolean foundMatch = false; |
|
656 |
||
657 |
if (debug != null) |
|
658 |
debug.println("PolicyChecker.processParents(): matchAny = " |
|
659 |
+ matchAny); |
|
660 |
||
661 |
// find matching parents |
|
662 |
Set<PolicyNodeImpl> parentNodes = |
|
663 |
rootNode.getPolicyNodesExpected(certIndex - 1, |
|
664 |
curPolicy, matchAny); |
|
665 |
||
666 |
// for each matching parent, extend policy tree |
|
667 |
for (PolicyNodeImpl curParent : parentNodes) { |
|
668 |
if (debug != null) |
|
669 |
debug.println("PolicyChecker.processParents() " |
|
670 |
+ "found parent:\n" + curParent.asString()); |
|
671 |
||
672 |
foundMatch = true; |
|
673 |
String curParPolicy = curParent.getValidPolicy(); |
|
674 |
||
675 |
PolicyNodeImpl curNode = null; |
|
676 |
Set<String> curExpPols = null; |
|
677 |
||
678 |
if (curPolicy.equals(ANY_POLICY)) { |
|
679 |
// do step 2 |
|
680 |
Set<String> parExpPols = curParent.getExpectedPolicies(); |
|
681 |
parentExplicitPolicies: |
|
682 |
for (String curParExpPol : parExpPols) { |
|
683 |
||
684 |
Iterator<PolicyNodeImpl> childIter = |
|
685 |
curParent.getChildren(); |
|
686 |
while (childIter.hasNext()) { |
|
687 |
PolicyNodeImpl childNode = childIter.next(); |
|
688 |
String childPolicy = childNode.getValidPolicy(); |
|
689 |
if (curParExpPol.equals(childPolicy)) { |
|
690 |
if (debug != null) |
|
691 |
debug.println(childPolicy + " in parent's " |
|
692 |
+ "expected policy set already appears in " |
|
693 |
+ "child node"); |
|
694 |
continue parentExplicitPolicies; |
|
695 |
} |
|
696 |
} |
|
697 |
||
698 |
Set<String> expPols = new HashSet<String>(); |
|
699 |
expPols.add(curParExpPol); |
|
700 |
||
701 |
curNode = new PolicyNodeImpl |
|
702 |
(curParent, curParExpPol, pQuals, |
|
703 |
policiesCritical, expPols, false); |
|
704 |
} |
|
705 |
} else { |
|
706 |
curExpPols = new HashSet<String>(); |
|
707 |
curExpPols.add(curPolicy); |
|
708 |
||
709 |
curNode = new PolicyNodeImpl |
|
710 |
(curParent, curPolicy, pQuals, |
|
711 |
policiesCritical, curExpPols, false); |
|
712 |
} |
|
713 |
} |
|
714 |
||
715 |
return foundMatch; |
|
716 |
} |
|
717 |
||
718 |
/** |
|
719 |
* Processes policy mappings in the certificate. |
|
720 |
* |
|
721 |
* @param currCert the Certificate to be processed |
|
722 |
* @param certIndex the index of the current certificate |
|
723 |
* @param policyMapping an integer which indicates if policy |
|
724 |
* mapping is inhibited |
|
725 |
* @param rootNode the root node of the valid policy tree |
|
726 |
* @param policiesCritical a boolean indicating if the certificate policies |
|
727 |
* extension is critical |
|
728 |
* @param anyQuals the qualifiers associated with ANY-POLICY, or an empty |
|
729 |
* Set if there are no qualifiers associated with ANY-POLICY |
|
730 |
* @return the root node of the valid policy tree after modification |
|
731 |
* @exception CertPathValidatorException exception thrown if an error |
|
732 |
* occurs while processing policy mappings |
|
733 |
*/ |
|
734 |
private static PolicyNodeImpl processPolicyMappings(X509CertImpl currCert, |
|
735 |
int certIndex, int policyMapping, PolicyNodeImpl rootNode, |
|
736 |
boolean policiesCritical, Set<PolicyQualifierInfo> anyQuals) |
|
737 |
throws CertPathValidatorException |
|
738 |
{ |
|
739 |
PolicyMappingsExtension polMappingsExt |
|
740 |
= currCert.getPolicyMappingsExtension(); |
|
741 |
||
742 |
if (polMappingsExt == null) |
|
743 |
return rootNode; |
|
744 |
||
745 |
if (debug != null) |
|
746 |
debug.println("PolicyChecker.processPolicyMappings() " |
|
747 |
+ "inside policyMapping check"); |
|
748 |
||
749 |
List<CertificatePolicyMap> maps = null; |
|
750 |
try { |
|
751 |
maps = (List<CertificatePolicyMap>)polMappingsExt.get |
|
752 |
(PolicyMappingsExtension.MAP); |
|
753 |
} catch (IOException e) { |
|
754 |
if (debug != null) { |
|
755 |
debug.println("PolicyChecker.processPolicyMappings() " |
|
756 |
+ "mapping exception"); |
|
757 |
e.printStackTrace(); |
|
758 |
} |
|
759 |
throw new CertPathValidatorException("Exception while checking " |
|
760 |
+ "mapping", e); |
|
761 |
} |
|
762 |
||
763 |
boolean childDeleted = false; |
|
764 |
for (int j = 0; j < maps.size(); j++) { |
|
765 |
CertificatePolicyMap polMap = maps.get(j); |
|
766 |
String issuerDomain |
|
767 |
= polMap.getIssuerIdentifier().getIdentifier().toString(); |
|
768 |
String subjectDomain |
|
769 |
= polMap.getSubjectIdentifier().getIdentifier().toString(); |
|
770 |
if (debug != null) { |
|
771 |
debug.println("PolicyChecker.processPolicyMappings() " |
|
772 |
+ "issuerDomain = " + issuerDomain); |
|
773 |
debug.println("PolicyChecker.processPolicyMappings() " |
|
774 |
+ "subjectDomain = " + subjectDomain); |
|
775 |
} |
|
776 |
||
777 |
if (issuerDomain.equals(ANY_POLICY)) { |
|
778 |
throw new CertPathValidatorException |
|
779 |
("encountered an issuerDomainPolicy of ANY_POLICY"); |
|
780 |
} |
|
781 |
||
782 |
if (subjectDomain.equals(ANY_POLICY)) { |
|
783 |
throw new CertPathValidatorException |
|
784 |
("encountered a subjectDomainPolicy of ANY_POLICY"); |
|
785 |
} |
|
786 |
||
787 |
Set<PolicyNodeImpl> validNodes = |
|
788 |
rootNode.getPolicyNodesValid(certIndex, issuerDomain); |
|
789 |
if (!validNodes.isEmpty()) { |
|
790 |
for (PolicyNodeImpl curNode : validNodes) { |
|
791 |
if ((policyMapping > 0) || (policyMapping == -1)) { |
|
792 |
curNode.addExpectedPolicy(subjectDomain); |
|
793 |
} else if (policyMapping == 0) { |
|
794 |
PolicyNodeImpl parentNode = |
|
795 |
(PolicyNodeImpl) curNode.getParent(); |
|
796 |
if (debug != null) |
|
797 |
debug.println("PolicyChecker.processPolicyMappings" |
|
798 |
+ "() before deleting: policy tree = " |
|
799 |
+ rootNode); |
|
800 |
parentNode.deleteChild(curNode); |
|
801 |
childDeleted = true; |
|
802 |
if (debug != null) |
|
803 |
debug.println("PolicyChecker.processPolicyMappings" |
|
804 |
+ "() after deleting: policy tree = " |
|
805 |
+ rootNode); |
|
806 |
} |
|
807 |
} |
|
808 |
} else { // no node of depth i has a valid policy |
|
809 |
if ((policyMapping > 0) || (policyMapping == -1)) { |
|
810 |
Set<PolicyNodeImpl> validAnyNodes = |
|
811 |
rootNode.getPolicyNodesValid(certIndex, ANY_POLICY); |
|
812 |
for (PolicyNodeImpl curAnyNode : validAnyNodes) { |
|
813 |
PolicyNodeImpl curAnyNodeParent = |
|
814 |
(PolicyNodeImpl) curAnyNode.getParent(); |
|
815 |
||
816 |
Set<String> expPols = new HashSet<String>(); |
|
817 |
expPols.add(subjectDomain); |
|
818 |
||
819 |
PolicyNodeImpl curNode = new PolicyNodeImpl |
|
820 |
(curAnyNodeParent, issuerDomain, anyQuals, |
|
821 |
policiesCritical, expPols, true); |
|
822 |
} |
|
823 |
} |
|
824 |
} |
|
825 |
} |
|
826 |
||
827 |
if (childDeleted) { |
|
828 |
rootNode.prune(certIndex); |
|
829 |
if (!rootNode.getChildren().hasNext()) { |
|
830 |
if (debug != null) |
|
831 |
debug.println("setting rootNode to null"); |
|
832 |
rootNode = null; |
|
833 |
} |
|
834 |
} |
|
835 |
||
836 |
return rootNode; |
|
837 |
} |
|
838 |
||
839 |
/** |
|
840 |
* Removes those nodes which do not intersect with the initial policies |
|
841 |
* specified by the user. |
|
842 |
* |
|
843 |
* @param rootNode the root node of the valid policy tree |
|
844 |
* @param certIndex the index of the certificate being processed |
|
845 |
* @param initPolicies the Set of policies required by the user |
|
846 |
* @param currCertPolicies the CertificatePoliciesExtension of the |
|
847 |
* certificate being processed |
|
848 |
* @returns the root node of the valid policy tree after modification |
|
849 |
* @exception CertPathValidatorException Exception thrown if error occurs. |
|
850 |
*/ |
|
851 |
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, |
|
852 |
int certIndex, Set<String> initPolicies, |
|
853 |
CertificatePoliciesExtension currCertPolicies) |
|
854 |
throws CertPathValidatorException |
|
855 |
{ |
|
856 |
List<PolicyInformation> policyInfo = null; |
|
857 |
try { |
|
858 |
policyInfo = (List<PolicyInformation>) |
|
859 |
currCertPolicies.get(CertificatePoliciesExtension.POLICIES); |
|
860 |
} catch (IOException ioe) { |
|
861 |
throw new CertPathValidatorException("Exception while " |
|
862 |
+ "retrieving policyOIDs", ioe); |
|
863 |
} |
|
864 |
||
865 |
boolean childDeleted = false; |
|
866 |
for (PolicyInformation curPolInfo : policyInfo) { |
|
867 |
String curPolicy = |
|
868 |
curPolInfo.getPolicyIdentifier().getIdentifier().toString(); |
|
869 |
||
870 |
if (debug != null) |
|
871 |
debug.println("PolicyChecker.processPolicies() " |
|
872 |
+ "processing policy second time: " + curPolicy); |
|
873 |
||
874 |
Set<PolicyNodeImpl> validNodes = |
|
875 |
rootNode.getPolicyNodesValid(certIndex, curPolicy); |
|
876 |
for (PolicyNodeImpl curNode : validNodes) { |
|
877 |
PolicyNodeImpl parentNode = (PolicyNodeImpl)curNode.getParent(); |
|
878 |
if (parentNode.getValidPolicy().equals(ANY_POLICY)) { |
|
879 |
if ((!initPolicies.contains(curPolicy)) && |
|
880 |
(!curPolicy.equals(ANY_POLICY))) { |
|
881 |
if (debug != null) |
|
882 |
debug.println("PolicyChecker.processPolicies() " |
|
883 |
+ "before deleting: policy tree = " + rootNode); |
|
884 |
parentNode.deleteChild(curNode); |
|
885 |
childDeleted = true; |
|
886 |
if (debug != null) |
|
887 |
debug.println("PolicyChecker.processPolicies() " |
|
888 |
+ "after deleting: policy tree = " + rootNode); |
|
889 |
} |
|
890 |
} |
|
891 |
} |
|
892 |
} |
|
893 |
||
894 |
if (childDeleted) { |
|
895 |
rootNode.prune(certIndex); |
|
896 |
if (!rootNode.getChildren().hasNext()) { |
|
897 |
rootNode = null; |
|
898 |
} |
|
899 |
} |
|
900 |
||
901 |
return rootNode; |
|
902 |
} |
|
903 |
||
904 |
/** |
|
905 |
* Gets the root node of the valid policy tree, or null if the |
|
906 |
* valid policy tree is null. Marks each node of the returned tree |
|
907 |
* immutable and thread-safe. |
|
908 |
* |
|
909 |
* @returns the root node of the valid policy tree, or null if |
|
910 |
* the valid policy tree is null |
|
911 |
*/ |
|
912 |
PolicyNode getPolicyTree() { |
|
913 |
if (rootNode == null) |
|
914 |
return null; |
|
915 |
else { |
|
916 |
PolicyNodeImpl policyTree = rootNode.copyTree(); |
|
917 |
policyTree.setImmutable(); |
|
918 |
return policyTree; |
|
919 |
} |
|
920 |
} |
|
921 |
} |