2543 |
2543 |
2544 /** |
2544 /** |
2545 * Returns true if the certificate is self-signed, false otherwise. |
2545 * Returns true if the certificate is self-signed, false otherwise. |
2546 */ |
2546 */ |
2547 private boolean isSelfSigned(X509Certificate cert) { |
2547 private boolean isSelfSigned(X509Certificate cert) { |
2548 return cert.getSubjectDN().equals(cert.getIssuerDN()); |
2548 return signedBy(cert, cert); |
|
2549 } |
|
2550 |
|
2551 private boolean signedBy(X509Certificate end, X509Certificate ca) { |
|
2552 if (!ca.getSubjectDN().equals(end.getIssuerDN())) { |
|
2553 return false; |
|
2554 } |
|
2555 try { |
|
2556 end.verify(ca.getPublicKey()); |
|
2557 return true; |
|
2558 } catch (Exception e) { |
|
2559 return false; |
|
2560 } |
2549 } |
2561 } |
2550 |
2562 |
2551 /** |
2563 /** |
2552 * Returns true if the given certificate is trusted, false otherwise. |
2564 * Returns true if the given certificate is trusted, false otherwise. |
2553 */ |
2565 */ |
2867 } |
2879 } |
2868 |
2880 |
2869 Certificate tmpCert = replyCerts[0]; |
2881 Certificate tmpCert = replyCerts[0]; |
2870 replyCerts[0] = replyCerts[i]; |
2882 replyCerts[0] = replyCerts[i]; |
2871 replyCerts[i] = tmpCert; |
2883 replyCerts[i] = tmpCert; |
2872 Principal issuer = ((X509Certificate)replyCerts[0]).getIssuerDN(); |
2884 |
|
2885 X509Certificate thisCert = (X509Certificate)replyCerts[0]; |
2873 |
2886 |
2874 for (i=1; i < replyCerts.length-1; i++) { |
2887 for (i=1; i < replyCerts.length-1; i++) { |
2875 // find a cert in the reply whose "subject" is the same as the |
2888 // find a cert in the reply who signs thisCert |
2876 // given "issuer" |
|
2877 int j; |
2889 int j; |
2878 for (j=i; j<replyCerts.length; j++) { |
2890 for (j=i; j<replyCerts.length; j++) { |
2879 Principal subject; |
2891 if (signedBy(thisCert, (X509Certificate)replyCerts[j])) { |
2880 subject = ((X509Certificate)replyCerts[j]).getSubjectDN(); |
|
2881 if (subject.equals(issuer)) { |
|
2882 tmpCert = replyCerts[i]; |
2892 tmpCert = replyCerts[i]; |
2883 replyCerts[i] = replyCerts[j]; |
2893 replyCerts[i] = replyCerts[j]; |
2884 replyCerts[j] = tmpCert; |
2894 replyCerts[j] = tmpCert; |
2885 issuer = ((X509Certificate)replyCerts[i]).getIssuerDN(); |
2895 thisCert = (X509Certificate)replyCerts[i]; |
2886 break; |
2896 break; |
2887 } |
2897 } |
2888 } |
2898 } |
2889 if (j == replyCerts.length) { |
2899 if (j == replyCerts.length) { |
2890 throw new Exception |
2900 throw new Exception |
2891 (rb.getString("Incomplete certificate chain in reply")); |
2901 (rb.getString("Incomplete certificate chain in reply")); |
2892 } |
|
2893 } |
|
2894 |
|
2895 // now verify each cert in the ordered chain |
|
2896 for (i=0; i<replyCerts.length-1; i++) { |
|
2897 PublicKey pubKey = replyCerts[i+1].getPublicKey(); |
|
2898 try { |
|
2899 replyCerts[i].verify(pubKey); |
|
2900 } catch (Exception e) { |
|
2901 throw new Exception(rb.getString |
|
2902 ("Certificate chain in reply does not verify: ") + |
|
2903 e.getMessage()); |
|
2904 } |
2902 } |
2905 } |
2903 } |
2906 |
2904 |
2907 if (noprompt) { |
2905 if (noprompt) { |
2908 return replyCerts; |
2906 return replyCerts; |
3033 * @return true if successful, false otherwise. |
3031 * @return true if successful, false otherwise. |
3034 */ |
3032 */ |
3035 private boolean buildChain(X509Certificate certToVerify, |
3033 private boolean buildChain(X509Certificate certToVerify, |
3036 Vector<Certificate> chain, |
3034 Vector<Certificate> chain, |
3037 Hashtable<Principal, Vector<Certificate>> certs) { |
3035 Hashtable<Principal, Vector<Certificate>> certs) { |
3038 Principal subject = certToVerify.getSubjectDN(); |
|
3039 Principal issuer = certToVerify.getIssuerDN(); |
3036 Principal issuer = certToVerify.getIssuerDN(); |
3040 if (subject.equals(issuer)) { |
3037 if (isSelfSigned(certToVerify)) { |
3041 // reached self-signed root cert; |
3038 // reached self-signed root cert; |
3042 // no verification needed because it's trusted. |
3039 // no verification needed because it's trusted. |
3043 chain.addElement(certToVerify); |
3040 chain.addElement(certToVerify); |
3044 return true; |
3041 return true; |
3045 } |
3042 } |