author | juh |
Tue, 07 Oct 2014 22:23:19 -0700 | |
changeset 26967 | c182469301ee |
parent 25859 | 3317bb8137f4 |
child 29264 | 5172066a2da6 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
2 |
* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.provider.certpath; |
|
27 |
||
28 |
import java.io.IOException; |
|
29 |
import java.security.GeneralSecurityException; |
|
30 |
import java.security.InvalidAlgorithmParameterException; |
|
31 |
import java.security.PublicKey; |
|
1238
6d1f4b722acd
6465942: Add problem identification facility to the CertPathValidator framework
mullan
parents:
2
diff
changeset
|
32 |
import java.security.cert.*; |
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
33 |
import java.security.cert.CertPathValidatorException.BasicReason; |
1238
6d1f4b722acd
6465942: Add problem identification facility to the CertPathValidator framework
mullan
parents:
2
diff
changeset
|
34 |
import java.security.cert.PKIXReason; |
2 | 35 |
import java.util.ArrayList; |
36 |
import java.util.Collection; |
|
37 |
import java.util.Collections; |
|
38 |
import java.util.HashSet; |
|
39 |
import java.util.Iterator; |
|
40 |
import java.util.List; |
|
41 |
import java.util.LinkedList; |
|
42 |
import java.util.Set; |
|
43 |
import javax.security.auth.x500.X500Principal; |
|
44 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
45 |
import sun.security.provider.certpath.PKIX.BuilderParams; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
46 |
import static sun.security.x509.PKIXExtensions.*; |
2 | 47 |
import sun.security.util.Debug; |
48 |
||
49 |
/** |
|
50 |
* This class is able to build certification paths in either the forward |
|
51 |
* or reverse directions. |
|
52 |
* |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
53 |
* <p> If successful, it returns a certification path which has successfully |
2 | 54 |
* satisfied all the constraints and requirements specified in the |
55 |
* PKIXBuilderParameters object and has been validated according to the PKIX |
|
26967
c182469301ee
8037550: Update RFC references in javadoc to RFC 5280
juh
parents:
25859
diff
changeset
|
56 |
* path validation algorithm defined in RFC 5280. |
2 | 57 |
* |
58 |
* <p> This implementation uses a depth-first search approach to finding |
|
59 |
* certification paths. If it comes to a point in which it cannot find |
|
60 |
* any more certificates leading to the target OR the path length is too long |
|
61 |
* it backtracks to previous paths until the target has been found or |
|
62 |
* all possible paths have been exhausted. |
|
63 |
* |
|
64 |
* <p> This implementation is not thread-safe. |
|
65 |
* |
|
66 |
* @since 1.4 |
|
67 |
* @author Sean Mullan |
|
68 |
* @author Yassir Elley |
|
69 |
*/ |
|
70 |
public final class SunCertPathBuilder extends CertPathBuilderSpi { |
|
71 |
||
72 |
private static final Debug debug = Debug.getInstance("certpath"); |
|
73 |
||
74 |
/* |
|
75 |
* private objects shared by methods |
|
76 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
77 |
private BuilderParams buildParams; |
2 | 78 |
private CertificateFactory cf; |
79 |
private boolean pathCompleted = false; |
|
80 |
private PolicyNode policyTreeResult; |
|
81 |
private TrustAnchor trustAnchor; |
|
82 |
private PublicKey finalPublicKey; |
|
83 |
||
84 |
/** |
|
85 |
* Create an instance of <code>SunCertPathBuilder</code>. |
|
86 |
* |
|
87 |
* @throws CertPathBuilderException if an error occurs |
|
88 |
*/ |
|
89 |
public SunCertPathBuilder() throws CertPathBuilderException { |
|
90 |
try { |
|
91 |
cf = CertificateFactory.getInstance("X.509"); |
|
92 |
} catch (CertificateException e) { |
|
93 |
throw new CertPathBuilderException(e); |
|
94 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
95 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
96 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
97 |
@Override |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
98 |
public CertPathChecker engineGetRevocationChecker() { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
99 |
return new RevocationChecker(); |
2 | 100 |
} |
101 |
||
102 |
/** |
|
103 |
* Attempts to build a certification path using the Sun build |
|
104 |
* algorithm from a trusted anchor(s) to a target subject, which must both |
|
105 |
* be specified in the input parameter set. By default, this method will |
|
106 |
* attempt to build in the forward direction. In order to build in the |
|
107 |
* reverse direction, the caller needs to pass in an instance of |
|
108 |
* SunCertPathBuilderParameters with the buildForward flag set to false. |
|
109 |
* |
|
110 |
* <p>The certification path that is constructed is validated |
|
111 |
* according to the PKIX specification. |
|
112 |
* |
|
113 |
* @param params the parameter set for building a path. Must be an instance |
|
114 |
* of <code>PKIXBuilderParameters</code>. |
|
115 |
* @return a certification path builder result. |
|
116 |
* @exception CertPathBuilderException Exception thrown if builder is |
|
117 |
* unable to build a complete certification path from the trusted anchor(s) |
|
118 |
* to the target subject. |
|
119 |
* @throws InvalidAlgorithmParameterException if the given parameters are |
|
120 |
* inappropriate for this certification path builder. |
|
121 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
122 |
@Override |
2 | 123 |
public CertPathBuilderResult engineBuild(CertPathParameters params) |
124 |
throws CertPathBuilderException, InvalidAlgorithmParameterException { |
|
125 |
||
126 |
if (debug != null) { |
|
127 |
debug.println("SunCertPathBuilder.engineBuild(" + params + ")"); |
|
128 |
} |
|
129 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
130 |
buildParams = PKIX.checkBuilderParams(params); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
131 |
return build(); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
132 |
} |
2 | 133 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
134 |
private PKIXCertPathBuilderResult build() throws CertPathBuilderException { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
135 |
List<List<Vertex>> adjList = new ArrayList<>(); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
136 |
PKIXCertPathBuilderResult result = buildCertPath(false, adjList); |
2 | 137 |
if (result == null) { |
138 |
if (debug != null) { |
|
139 |
debug.println("SunCertPathBuilder.engineBuild: 2nd pass"); |
|
140 |
} |
|
141 |
// try again |
|
142 |
adjList.clear(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
143 |
result = buildCertPath(true, adjList); |
2 | 144 |
if (result == null) { |
145 |
throw new SunCertPathBuilderException("unable to find valid " |
|
146 |
+ "certification path to requested target", |
|
147 |
new AdjacencyList(adjList)); |
|
148 |
} |
|
149 |
} |
|
150 |
return result; |
|
151 |
} |
|
152 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
153 |
private PKIXCertPathBuilderResult buildCertPath(boolean searchAllCertStores, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
154 |
List<List<Vertex>> adjList) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
155 |
throws CertPathBuilderException |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
156 |
{ |
2 | 157 |
// Init shared variables and build certification path |
158 |
pathCompleted = false; |
|
159 |
trustAnchor = null; |
|
160 |
finalPublicKey = null; |
|
161 |
policyTreeResult = null; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
162 |
LinkedList<X509Certificate> certPathList = new LinkedList<>(); |
2 | 163 |
try { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
164 |
if (buildParams.buildForward()) { |
2 | 165 |
buildForward(adjList, certPathList, searchAllCertStores); |
166 |
} else { |
|
167 |
buildReverse(adjList, certPathList); |
|
168 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
169 |
} catch (GeneralSecurityException | IOException e) { |
2 | 170 |
if (debug != null) { |
171 |
debug.println("SunCertPathBuilder.engineBuild() exception in " |
|
172 |
+ "build"); |
|
173 |
e.printStackTrace(); |
|
174 |
} |
|
175 |
throw new SunCertPathBuilderException("unable to find valid " |
|
176 |
+ "certification path to requested target", e, |
|
177 |
new AdjacencyList(adjList)); |
|
178 |
} |
|
179 |
||
180 |
// construct SunCertPathBuilderResult |
|
181 |
try { |
|
182 |
if (pathCompleted) { |
|
183 |
if (debug != null) |
|
184 |
debug.println("SunCertPathBuilder.engineBuild() " |
|
185 |
+ "pathCompleted"); |
|
186 |
||
187 |
// we must return a certpath which has the target |
|
188 |
// as the first cert in the certpath - i.e. reverse |
|
189 |
// the certPathList |
|
190 |
Collections.reverse(certPathList); |
|
191 |
||
192 |
return new SunCertPathBuilderResult( |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
193 |
cf.generateCertPath(certPathList), trustAnchor, |
2 | 194 |
policyTreeResult, finalPublicKey, |
195 |
new AdjacencyList(adjList)); |
|
196 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
197 |
} catch (CertificateException e) { |
2 | 198 |
if (debug != null) { |
199 |
debug.println("SunCertPathBuilder.engineBuild() exception " |
|
200 |
+ "in wrap-up"); |
|
201 |
e.printStackTrace(); |
|
202 |
} |
|
203 |
throw new SunCertPathBuilderException("unable to find valid " |
|
204 |
+ "certification path to requested target", e, |
|
205 |
new AdjacencyList(adjList)); |
|
206 |
} |
|
207 |
||
208 |
return null; |
|
209 |
} |
|
210 |
||
211 |
/* |
|
212 |
* Private build reverse method. |
|
213 |
*/ |
|
214 |
private void buildReverse(List<List<Vertex>> adjacencyList, |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
215 |
LinkedList<X509Certificate> certPathList) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
216 |
throws GeneralSecurityException, IOException |
2 | 217 |
{ |
218 |
if (debug != null) { |
|
219 |
debug.println("SunCertPathBuilder.buildReverse()..."); |
|
220 |
debug.println("SunCertPathBuilder.buildReverse() InitialPolicies: " |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
221 |
+ buildParams.initialPolicies()); |
2 | 222 |
} |
223 |
||
224 |
ReverseState currentState = new ReverseState(); |
|
225 |
/* Initialize adjacency list */ |
|
226 |
adjacencyList.clear(); |
|
227 |
adjacencyList.add(new LinkedList<Vertex>()); |
|
228 |
||
229 |
/* |
|
230 |
* Perform a search using each trust anchor, until a valid |
|
231 |
* path is found |
|
232 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
233 |
Iterator<TrustAnchor> iter = buildParams.trustAnchors().iterator(); |
2 | 234 |
while (iter.hasNext()) { |
235 |
TrustAnchor anchor = iter.next(); |
|
11900 | 236 |
|
2 | 237 |
/* check if anchor satisfies target constraints */ |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
238 |
if (anchorIsTarget(anchor, buildParams.targetCertConstraints())) { |
2 | 239 |
this.trustAnchor = anchor; |
240 |
this.pathCompleted = true; |
|
241 |
this.finalPublicKey = anchor.getTrustedCert().getPublicKey(); |
|
242 |
break; |
|
243 |
} |
|
244 |
||
13806
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
245 |
// skip anchor if it contains a DSA key with no DSA params |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
246 |
X509Certificate trustedCert = anchor.getTrustedCert(); |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
247 |
PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey() |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
248 |
: anchor.getCAPublicKey(); |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
249 |
|
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
250 |
if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) { |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
251 |
continue; |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
252 |
} |
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
253 |
|
2 | 254 |
/* Initialize current state */ |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
255 |
currentState.initState(buildParams); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
256 |
currentState.updateState(anchor, buildParams); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
257 |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
258 |
currentState.algorithmChecker = new AlgorithmChecker(anchor); |
11900 | 259 |
currentState.untrustedChecker = new UntrustedChecker(); |
2 | 260 |
try { |
261 |
depthFirstSearchReverse(null, currentState, |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
262 |
new ReverseBuilder(buildParams), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
263 |
adjacencyList, certPathList); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
264 |
} catch (GeneralSecurityException | IOException e) { |
2 | 265 |
// continue on error if more anchors to try |
266 |
if (iter.hasNext()) |
|
267 |
continue; |
|
268 |
else |
|
269 |
throw e; |
|
270 |
} |
|
271 |
||
272 |
// break out of loop if search is successful |
|
12693
e3c056161305
7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified
xuelei
parents:
11900
diff
changeset
|
273 |
if (pathCompleted) { |
e3c056161305
7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified
xuelei
parents:
11900
diff
changeset
|
274 |
break; |
e3c056161305
7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified
xuelei
parents:
11900
diff
changeset
|
275 |
} |
2 | 276 |
} |
277 |
||
278 |
if (debug != null) { |
|
279 |
debug.println("SunCertPathBuilder.buildReverse() returned from " |
|
280 |
+ "depthFirstSearchReverse()"); |
|
281 |
debug.println("SunCertPathBuilder.buildReverse() " |
|
282 |
+ "certPathList.size: " + certPathList.size()); |
|
283 |
} |
|
284 |
} |
|
285 |
||
286 |
/* |
|
287 |
* Private build forward method. |
|
288 |
*/ |
|
289 |
private void buildForward(List<List<Vertex>> adjacencyList, |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
290 |
LinkedList<X509Certificate> certPathList, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
291 |
boolean searchAllCertStores) |
2 | 292 |
throws GeneralSecurityException, IOException |
293 |
{ |
|
294 |
if (debug != null) { |
|
295 |
debug.println("SunCertPathBuilder.buildForward()..."); |
|
296 |
} |
|
297 |
||
298 |
/* Initialize current state */ |
|
299 |
ForwardState currentState = new ForwardState(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
300 |
currentState.initState(buildParams.certPathCheckers()); |
2 | 301 |
|
302 |
/* Initialize adjacency list */ |
|
303 |
adjacencyList.clear(); |
|
304 |
adjacencyList.add(new LinkedList<Vertex>()); |
|
305 |
||
11900 | 306 |
currentState.untrustedChecker = new UntrustedChecker(); |
2 | 307 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
308 |
depthFirstSearchForward(buildParams.targetSubject(), currentState, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
309 |
new ForwardBuilder(buildParams, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
310 |
searchAllCertStores), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
311 |
adjacencyList, certPathList); |
2 | 312 |
} |
313 |
||
314 |
/* |
|
315 |
* This method performs a depth first search for a certification |
|
316 |
* path while building forward which meets the requirements set in |
|
317 |
* the parameters object. |
|
318 |
* It uses an adjacency list to store all certificates which were |
|
319 |
* tried (i.e. at one time added to the path - they may not end up in |
|
320 |
* the final path if backtracking occurs). This information can |
|
321 |
* be used later to debug or demo the build. |
|
322 |
* |
|
323 |
* See "Data Structure and Algorithms, by Aho, Hopcroft, and Ullman" |
|
324 |
* for an explanation of the DFS algorithm. |
|
325 |
* |
|
326 |
* @param dN the distinguished name being currently searched for certs |
|
327 |
* @param currentState the current PKIX validation state |
|
328 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
329 |
private void depthFirstSearchForward(X500Principal dN, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
330 |
ForwardState currentState, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
331 |
ForwardBuilder builder, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
332 |
List<List<Vertex>> adjList, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
333 |
LinkedList<X509Certificate> cpList) |
2 | 334 |
throws GeneralSecurityException, IOException |
335 |
{ |
|
336 |
if (debug != null) { |
|
337 |
debug.println("SunCertPathBuilder.depthFirstSearchForward(" + dN |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
338 |
+ ", " + currentState.toString() + ")"); |
2 | 339 |
} |
340 |
||
341 |
/* |
|
342 |
* Find all the certificates issued to dN which |
|
343 |
* satisfy the PKIX certification path constraints. |
|
344 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
345 |
Collection<X509Certificate> certs = |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
346 |
builder.getMatchingCerts(currentState, buildParams.certStores()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
347 |
List<Vertex> vertices = addVertices(certs, adjList); |
2 | 348 |
if (debug != null) { |
349 |
debug.println("SunCertPathBuilder.depthFirstSearchForward(): " |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
350 |
+ "certs.size=" + vertices.size()); |
2 | 351 |
} |
352 |
||
353 |
/* |
|
354 |
* For each cert in the collection, verify anything |
|
355 |
* that hasn't been checked yet (signature, revocation, etc) |
|
356 |
* and check for loops. Call depthFirstSearchForward() |
|
357 |
* recursively for each good cert. |
|
358 |
*/ |
|
359 |
||
360 |
vertices: |
|
361 |
for (Vertex vertex : vertices) { |
|
362 |
/** |
|
363 |
* Restore state to currentState each time through the loop. |
|
364 |
* This is important because some of the user-defined |
|
365 |
* checkers modify the state, which MUST be restored if |
|
366 |
* the cert eventually fails to lead to the target and |
|
367 |
* the next matching cert is tried. |
|
368 |
*/ |
|
369 |
ForwardState nextState = (ForwardState) currentState.clone(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
370 |
X509Certificate cert = vertex.getCertificate(); |
2 | 371 |
|
372 |
try { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
373 |
builder.verifyCert(cert, nextState, cpList); |
2 | 374 |
} catch (GeneralSecurityException gse) { |
375 |
if (debug != null) { |
|
376 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
377 |
+ ": validation failed: " + gse); |
2 | 378 |
gse.printStackTrace(); |
379 |
} |
|
380 |
vertex.setThrowable(gse); |
|
381 |
continue; |
|
382 |
} |
|
383 |
||
384 |
/* |
|
385 |
* Certificate is good. |
|
386 |
* If cert completes the path, |
|
387 |
* process userCheckers that don't support forward checking |
|
388 |
* and process policies over whole path |
|
389 |
* and backtrack appropriately if there is a failure |
|
390 |
* else if cert does not complete the path, |
|
391 |
* add it to the path |
|
392 |
*/ |
|
393 |
if (builder.isPathCompleted(cert)) { |
|
394 |
||
395 |
if (debug != null) |
|
396 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
397 |
+ ": commencing final verification"); |
2 | 398 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
399 |
List<X509Certificate> appendedCerts = new ArrayList<>(cpList); |
2 | 400 |
|
401 |
/* |
|
402 |
* if the trust anchor selected is specified as a trusted |
|
403 |
* public key rather than a trusted cert, then verify this |
|
404 |
* cert (which is signed by the trusted public key), but |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
405 |
* don't add it yet to the cpList |
2 | 406 |
*/ |
407 |
if (builder.trustAnchor.getTrustedCert() == null) { |
|
408 |
appendedCerts.add(0, cert); |
|
409 |
} |
|
410 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
411 |
Set<String> initExpPolSet = |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
412 |
Collections.singleton(PolicyChecker.ANY_POLICY); |
2 | 413 |
|
414 |
PolicyNodeImpl rootNode = new PolicyNodeImpl(null, |
|
415 |
PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); |
|
416 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
417 |
List<PKIXCertPathChecker> checkers = new ArrayList<>(); |
2 | 418 |
PolicyChecker policyChecker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
419 |
= new PolicyChecker(buildParams.initialPolicies(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
420 |
appendedCerts.size(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
421 |
buildParams.explicitPolicyRequired(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
422 |
buildParams.policyMappingInhibited(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
423 |
buildParams.anyPolicyInhibited(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
424 |
buildParams.policyQualifiersRejected(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
425 |
rootNode); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
426 |
checkers.add(policyChecker); |
2 | 427 |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
428 |
// add the algorithm checker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
429 |
checkers.add(new AlgorithmChecker(builder.trustAnchor)); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
430 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
431 |
BasicChecker basicChecker = null; |
2 | 432 |
if (nextState.keyParamsNeeded()) { |
433 |
PublicKey rootKey = cert.getPublicKey(); |
|
434 |
if (builder.trustAnchor.getTrustedCert() == null) { |
|
435 |
rootKey = builder.trustAnchor.getCAPublicKey(); |
|
436 |
if (debug != null) |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
437 |
debug.println( |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
438 |
"SunCertPathBuilder.depthFirstSearchForward " + |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
439 |
"using buildParams public key: " + |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
440 |
rootKey.toString()); |
2 | 441 |
} |
442 |
TrustAnchor anchor = new TrustAnchor |
|
443 |
(cert.getSubjectX500Principal(), rootKey, null); |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
444 |
|
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
445 |
// add the basic checker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
446 |
basicChecker = new BasicChecker(anchor, buildParams.date(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
447 |
buildParams.sigProvider(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
448 |
true); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
449 |
checkers.add(basicChecker); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
450 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
451 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
452 |
buildParams.setCertPath(cf.generateCertPath(appendedCerts)); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
453 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
454 |
boolean revCheckerAdded = false; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
455 |
List<PKIXCertPathChecker> ckrs = buildParams.certPathCheckers(); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
456 |
for (PKIXCertPathChecker ckr : ckrs) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
457 |
if (ckr instanceof PKIXRevocationChecker) { |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
458 |
if (revCheckerAdded) { |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
459 |
throw new CertPathValidatorException( |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
460 |
"Only one PKIXRevocationChecker can be specified"); |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
461 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
462 |
revCheckerAdded = true; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
463 |
// if it's our own, initialize it |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
464 |
if (ckr instanceof RevocationChecker) { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
465 |
((RevocationChecker)ckr).init(builder.trustAnchor, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
466 |
buildParams); |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
467 |
} |
2 | 468 |
} |
469 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
470 |
// only add a RevocationChecker if revocation is enabled and |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
471 |
// a PKIXRevocationChecker has not already been added |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
472 |
if (buildParams.revocationEnabled() && !revCheckerAdded) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
473 |
checkers.add(new RevocationChecker(builder.trustAnchor, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
474 |
buildParams)); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
475 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
476 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
477 |
checkers.addAll(ckrs); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
478 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
479 |
// Why we don't need BasicChecker and RevocationChecker |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
480 |
// if nextState.keyParamsNeeded() is false? |
2 | 481 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
482 |
for (int i = 0; i < appendedCerts.size(); i++) { |
2 | 483 |
X509Certificate currCert = appendedCerts.get(i); |
484 |
if (debug != null) |
|
485 |
debug.println("current subject = " |
|
486 |
+ currCert.getSubjectX500Principal()); |
|
487 |
Set<String> unresCritExts = |
|
488 |
currCert.getCriticalExtensionOIDs(); |
|
489 |
if (unresCritExts == null) { |
|
490 |
unresCritExts = Collections.<String>emptySet(); |
|
491 |
} |
|
492 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
493 |
for (PKIXCertPathChecker currChecker : checkers) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
494 |
if (!currChecker.isForwardCheckingSupported()) { |
2 | 495 |
if (i == 0) { |
496 |
currChecker.init(false); |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
497 |
|
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
498 |
// The user specified |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
499 |
// AlgorithmChecker may not be |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
500 |
// able to set the trust anchor until now. |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
501 |
if (currChecker instanceof AlgorithmChecker) { |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
502 |
((AlgorithmChecker)currChecker). |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
503 |
trySetTrustAnchor(builder.trustAnchor); |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
504 |
} |
2 | 505 |
} |
506 |
||
507 |
try { |
|
508 |
currChecker.check(currCert, unresCritExts); |
|
509 |
} catch (CertPathValidatorException cpve) { |
|
510 |
if (debug != null) |
|
511 |
debug.println |
|
512 |
("SunCertPathBuilder.depthFirstSearchForward(): " + |
|
513 |
"final verification failed: " + cpve); |
|
22107
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
514 |
// If the target cert itself is revoked, we |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
515 |
// cannot trust it. We can bail out here. |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
516 |
if (buildParams.targetCertConstraints().match(currCert) |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
517 |
&& cpve.getReason() == BasicReason.REVOKED) { |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
518 |
throw cpve; |
3e6b0718041e
8007967: Infinite loop can happen in sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward()
juh
parents:
19045
diff
changeset
|
519 |
} |
2 | 520 |
vertex.setThrowable(cpve); |
521 |
continue vertices; |
|
522 |
} |
|
523 |
} |
|
524 |
} |
|
525 |
||
526 |
/* |
|
527 |
* Remove extensions from user checkers that support |
|
528 |
* forward checking. After this step, we will have |
|
529 |
* removed all extensions that all user checkers |
|
530 |
* are capable of processing. |
|
531 |
*/ |
|
532 |
for (PKIXCertPathChecker checker : |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
533 |
buildParams.certPathCheckers()) |
2 | 534 |
{ |
535 |
if (checker.isForwardCheckingSupported()) { |
|
536 |
Set<String> suppExts = |
|
537 |
checker.getSupportedExtensions(); |
|
538 |
if (suppExts != null) { |
|
539 |
unresCritExts.removeAll(suppExts); |
|
540 |
} |
|
541 |
} |
|
542 |
} |
|
543 |
||
544 |
if (!unresCritExts.isEmpty()) { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
545 |
unresCritExts.remove(BasicConstraints_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
546 |
unresCritExts.remove(NameConstraints_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
547 |
unresCritExts.remove(CertificatePolicies_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
548 |
unresCritExts.remove(PolicyMappings_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
549 |
unresCritExts.remove(PolicyConstraints_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
550 |
unresCritExts.remove(InhibitAnyPolicy_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
551 |
unresCritExts.remove( |
2 | 552 |
SubjectAlternativeName_Id.toString()); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
553 |
unresCritExts.remove(KeyUsage_Id.toString()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
554 |
unresCritExts.remove(ExtendedKeyUsage_Id.toString()); |
2 | 555 |
|
556 |
if (!unresCritExts.isEmpty()) { |
|
1238
6d1f4b722acd
6465942: Add problem identification facility to the CertPathValidator framework
mullan
parents:
2
diff
changeset
|
557 |
throw new CertPathValidatorException |
6d1f4b722acd
6465942: Add problem identification facility to the CertPathValidator framework
mullan
parents:
2
diff
changeset
|
558 |
("unrecognized critical extension(s)", null, |
6d1f4b722acd
6465942: Add problem identification facility to the CertPathValidator framework
mullan
parents:
2
diff
changeset
|
559 |
null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT); |
2 | 560 |
} |
561 |
} |
|
562 |
} |
|
563 |
if (debug != null) |
|
564 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
565 |
+ ": final verification succeeded - path completed!"); |
|
566 |
pathCompleted = true; |
|
567 |
||
568 |
/* |
|
569 |
* if the user specified a trusted public key rather than |
|
570 |
* trusted certs, then add this cert (which is signed by |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
571 |
* the trusted public key) to the cpList |
2 | 572 |
*/ |
573 |
if (builder.trustAnchor.getTrustedCert() == null) |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
574 |
builder.addCertToPath(cert, cpList); |
2 | 575 |
// Save the trust anchor |
576 |
this.trustAnchor = builder.trustAnchor; |
|
577 |
||
578 |
/* |
|
579 |
* Extract and save the final target public key |
|
580 |
*/ |
|
581 |
if (basicChecker != null) { |
|
582 |
finalPublicKey = basicChecker.getPublicKey(); |
|
583 |
} else { |
|
584 |
Certificate finalCert; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
585 |
if (cpList.isEmpty()) { |
2 | 586 |
finalCert = builder.trustAnchor.getTrustedCert(); |
587 |
} else { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
588 |
finalCert = cpList.getLast(); |
2 | 589 |
} |
590 |
finalPublicKey = finalCert.getPublicKey(); |
|
591 |
} |
|
592 |
||
593 |
policyTreeResult = policyChecker.getPolicyTree(); |
|
594 |
return; |
|
595 |
} else { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
596 |
builder.addCertToPath(cert, cpList); |
2 | 597 |
} |
598 |
||
599 |
/* Update the PKIX state */ |
|
600 |
nextState.updateState(cert); |
|
601 |
||
602 |
/* |
|
603 |
* Append an entry for cert in adjacency list and |
|
604 |
* set index for current vertex. |
|
605 |
*/ |
|
606 |
adjList.add(new LinkedList<Vertex>()); |
|
607 |
vertex.setIndex(adjList.size() - 1); |
|
608 |
||
609 |
/* recursively search for matching certs at next dN */ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
610 |
depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
611 |
builder, adjList, cpList); |
2 | 612 |
|
613 |
/* |
|
614 |
* If path has been completed, return ASAP! |
|
615 |
*/ |
|
616 |
if (pathCompleted) { |
|
617 |
return; |
|
618 |
} else { |
|
619 |
/* |
|
620 |
* If we get here, it means we have searched all possible |
|
621 |
* certs issued by the dN w/o finding any matching certs. |
|
622 |
* This means we have to backtrack to the previous cert in |
|
623 |
* the path and try some other paths. |
|
624 |
*/ |
|
625 |
if (debug != null) |
|
626 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
627 |
+ ": backtracking"); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
628 |
builder.removeFinalCertFromPath(cpList); |
2 | 629 |
} |
630 |
} |
|
631 |
} |
|
632 |
||
633 |
/* |
|
634 |
* This method performs a depth first search for a certification |
|
635 |
* path while building reverse which meets the requirements set in |
|
636 |
* the parameters object. |
|
637 |
* It uses an adjacency list to store all certificates which were |
|
638 |
* tried (i.e. at one time added to the path - they may not end up in |
|
639 |
* the final path if backtracking occurs). This information can |
|
640 |
* be used later to debug or demo the build. |
|
641 |
* |
|
642 |
* See "Data Structure and Algorithms, by Aho, Hopcroft, and Ullman" |
|
643 |
* for an explanation of the DFS algorithm. |
|
644 |
* |
|
645 |
* @param dN the distinguished name being currently searched for certs |
|
646 |
* @param currentState the current PKIX validation state |
|
647 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
648 |
private void depthFirstSearchReverse(X500Principal dN, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
649 |
ReverseState currentState, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
650 |
ReverseBuilder builder, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
651 |
List<List<Vertex>> adjList, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
652 |
LinkedList<X509Certificate> cpList) |
2 | 653 |
throws GeneralSecurityException, IOException |
654 |
{ |
|
655 |
if (debug != null) |
|
656 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse(" + dN |
|
657 |
+ ", " + currentState.toString() + ")"); |
|
658 |
||
659 |
/* |
|
660 |
* Find all the certificates issued by dN which |
|
661 |
* satisfy the PKIX certification path constraints. |
|
662 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
663 |
Collection<X509Certificate> certs = |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
664 |
builder.getMatchingCerts(currentState, buildParams.certStores()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
665 |
List<Vertex> vertices = addVertices(certs, adjList); |
2 | 666 |
if (debug != null) |
667 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse(): " |
|
668 |
+ "certs.size=" + vertices.size()); |
|
669 |
||
670 |
/* |
|
671 |
* For each cert in the collection, verify anything |
|
672 |
* that hasn't been checked yet (signature, revocation, etc) |
|
673 |
* and check for loops. Call depthFirstSearchReverse() |
|
674 |
* recursively for each good cert. |
|
675 |
*/ |
|
676 |
for (Vertex vertex : vertices) { |
|
677 |
/** |
|
678 |
* Restore state to currentState each time through the loop. |
|
679 |
* This is important because some of the user-defined |
|
680 |
* checkers modify the state, which MUST be restored if |
|
681 |
* the cert eventually fails to lead to the target and |
|
682 |
* the next matching cert is tried. |
|
683 |
*/ |
|
684 |
ReverseState nextState = (ReverseState) currentState.clone(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
685 |
X509Certificate cert = vertex.getCertificate(); |
2 | 686 |
try { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
687 |
builder.verifyCert(cert, nextState, cpList); |
2 | 688 |
} catch (GeneralSecurityException gse) { |
689 |
if (debug != null) |
|
690 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse()" |
|
691 |
+ ": validation failed: " + gse); |
|
692 |
vertex.setThrowable(gse); |
|
693 |
continue; |
|
694 |
} |
|
695 |
||
696 |
/* |
|
697 |
* Certificate is good, add it to the path (if it isn't a |
|
698 |
* self-signed cert) and update state |
|
699 |
*/ |
|
700 |
if (!currentState.isInitial()) |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
701 |
builder.addCertToPath(cert, cpList); |
2 | 702 |
// save trust anchor |
703 |
this.trustAnchor = currentState.trustAnchor; |
|
704 |
||
705 |
/* |
|
706 |
* Check if path is completed, return ASAP if so. |
|
707 |
*/ |
|
708 |
if (builder.isPathCompleted(cert)) { |
|
709 |
if (debug != null) |
|
710 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse()" |
|
711 |
+ ": path completed!"); |
|
712 |
pathCompleted = true; |
|
713 |
||
714 |
PolicyNodeImpl rootNode = nextState.rootNode; |
|
715 |
||
716 |
if (rootNode == null) |
|
717 |
policyTreeResult = null; |
|
718 |
else { |
|
719 |
policyTreeResult = rootNode.copyTree(); |
|
720 |
((PolicyNodeImpl)policyTreeResult).setImmutable(); |
|
721 |
} |
|
722 |
||
723 |
/* |
|
724 |
* Extract and save the final target public key |
|
725 |
*/ |
|
726 |
finalPublicKey = cert.getPublicKey(); |
|
13806
b18118646a65
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
mullan
parents:
12861
diff
changeset
|
727 |
if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) { |
2 | 728 |
finalPublicKey = |
729 |
BasicChecker.makeInheritedParamsKey |
|
730 |
(finalPublicKey, currentState.pubKey); |
|
731 |
} |
|
732 |
||
733 |
return; |
|
734 |
} |
|
735 |
||
736 |
/* Update the PKIX state */ |
|
737 |
nextState.updateState(cert); |
|
738 |
||
739 |
/* |
|
740 |
* Append an entry for cert in adjacency list and |
|
741 |
* set index for current vertex. |
|
742 |
*/ |
|
743 |
adjList.add(new LinkedList<Vertex>()); |
|
744 |
vertex.setIndex(adjList.size() - 1); |
|
745 |
||
746 |
/* recursively search for matching certs at next dN */ |
|
747 |
depthFirstSearchReverse(cert.getSubjectX500Principal(), nextState, |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
748 |
builder, adjList, cpList); |
2 | 749 |
|
750 |
/* |
|
751 |
* If path has been completed, return ASAP! |
|
752 |
*/ |
|
753 |
if (pathCompleted) { |
|
754 |
return; |
|
755 |
} else { |
|
756 |
/* |
|
757 |
* If we get here, it means we have searched all possible |
|
758 |
* certs issued by the dN w/o finding any matching certs. This |
|
759 |
* means we have to backtrack to the previous cert in the path |
|
760 |
* and try some other paths. |
|
761 |
*/ |
|
762 |
if (debug != null) |
|
763 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse()" |
|
764 |
+ ": backtracking"); |
|
765 |
if (!currentState.isInitial()) |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
766 |
builder.removeFinalCertFromPath(cpList); |
2 | 767 |
} |
768 |
} |
|
769 |
if (debug != null) |
|
770 |
debug.println("SunCertPathBuilder.depthFirstSearchReverse() all " |
|
771 |
+ "certs in this adjacency list checked"); |
|
772 |
} |
|
773 |
||
774 |
/* |
|
775 |
* Adds a collection of matching certificates to the |
|
776 |
* adjacency list. |
|
777 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
778 |
private static List<Vertex> addVertices(Collection<X509Certificate> certs, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
779 |
List<List<Vertex>> adjList) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
780 |
{ |
2 | 781 |
List<Vertex> l = adjList.get(adjList.size() - 1); |
782 |
||
783 |
for (X509Certificate cert : certs) { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
784 |
Vertex v = new Vertex(cert); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
785 |
l.add(v); |
2 | 786 |
} |
787 |
||
788 |
return l; |
|
789 |
} |
|
790 |
||
791 |
/** |
|
792 |
* Returns true if trust anchor certificate matches specified |
|
793 |
* certificate constraints. |
|
794 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
795 |
private static boolean anchorIsTarget(TrustAnchor anchor, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
796 |
CertSelector sel) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
797 |
{ |
2 | 798 |
X509Certificate anchorCert = anchor.getTrustedCert(); |
799 |
if (anchorCert != null) { |
|
800 |
return sel.match(anchorCert); |
|
801 |
} |
|
802 |
return false; |
|
803 |
} |
|
804 |
} |