66 class EndEntityChecker { |
66 class EndEntityChecker { |
67 |
67 |
68 // extended key usage OIDs for TLS server, TLS client, code signing |
68 // extended key usage OIDs for TLS server, TLS client, code signing |
69 // and any usage |
69 // and any usage |
70 |
70 |
71 private final static String OID_EXTENDED_KEY_USAGE = |
71 private static final String OID_EXTENDED_KEY_USAGE = |
72 SimpleValidator.OID_EXTENDED_KEY_USAGE; |
72 SimpleValidator.OID_EXTENDED_KEY_USAGE; |
73 |
73 |
74 private final static String OID_EKU_TLS_SERVER = "1.3.6.1.5.5.7.3.1"; |
74 private static final String OID_EKU_TLS_SERVER = "1.3.6.1.5.5.7.3.1"; |
75 |
75 |
76 private final static String OID_EKU_TLS_CLIENT = "1.3.6.1.5.5.7.3.2"; |
76 private static final String OID_EKU_TLS_CLIENT = "1.3.6.1.5.5.7.3.2"; |
77 |
77 |
78 private final static String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; |
78 private static final String OID_EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; |
79 |
79 |
80 private final static String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"; |
80 private static final String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"; |
81 |
81 |
82 private final static String OID_EKU_ANY_USAGE = "2.5.29.37.0"; |
82 private static final String OID_EKU_ANY_USAGE = "2.5.29.37.0"; |
83 |
83 |
84 // the Netscape Server-Gated-Cryptography EKU extension OID |
84 // the Netscape Server-Gated-Cryptography EKU extension OID |
85 private final static String OID_EKU_NS_SGC = "2.16.840.1.113730.4.1"; |
85 private static final String OID_EKU_NS_SGC = "2.16.840.1.113730.4.1"; |
86 |
86 |
87 // the Microsoft Server-Gated-Cryptography EKU extension OID |
87 // the Microsoft Server-Gated-Cryptography EKU extension OID |
88 private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3"; |
88 private static final String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3"; |
89 |
89 |
90 // the recognized extension OIDs |
90 // the recognized extension OIDs |
91 private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17"; |
91 private static final String OID_SUBJECT_ALT_NAME = "2.5.29.17"; |
92 |
92 |
93 private final static String NSCT_SSL_CLIENT = |
93 private static final String NSCT_SSL_CLIENT = |
94 NetscapeCertTypeExtension.SSL_CLIENT; |
94 NetscapeCertTypeExtension.SSL_CLIENT; |
95 |
95 |
96 private final static String NSCT_SSL_SERVER = |
96 private static final String NSCT_SSL_SERVER = |
97 NetscapeCertTypeExtension.SSL_SERVER; |
97 NetscapeCertTypeExtension.SSL_SERVER; |
98 |
98 |
99 private final static String NSCT_CODE_SIGNING = |
99 private static final String NSCT_CODE_SIGNING = |
100 NetscapeCertTypeExtension.OBJECT_SIGNING; |
100 NetscapeCertTypeExtension.OBJECT_SIGNING; |
101 |
101 |
102 // bit numbers in the key usage extension |
102 // bit numbers in the key usage extension |
103 private final static int KU_SIGNATURE = 0; |
103 private static final int KU_SIGNATURE = 0; |
104 private final static int KU_KEY_ENCIPHERMENT = 2; |
104 private static final int KU_KEY_ENCIPHERMENT = 2; |
105 private final static int KU_KEY_AGREEMENT = 4; |
105 private static final int KU_KEY_AGREEMENT = 4; |
106 |
106 |
107 // TLS key exchange algorithms requiring digitalSignature key usage |
107 // TLS key exchange algorithms requiring digitalSignature key usage |
108 private final static Collection<String> KU_SERVER_SIGNATURE = |
108 private static final Collection<String> KU_SERVER_SIGNATURE = |
109 Arrays.asList("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", |
109 Arrays.asList("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", |
110 "RSA_EXPORT", "UNKNOWN"); |
110 "RSA_EXPORT", "UNKNOWN"); |
111 |
111 |
112 // TLS key exchange algorithms requiring keyEncipherment key usage |
112 // TLS key exchange algorithms requiring keyEncipherment key usage |
113 private final static Collection<String> KU_SERVER_ENCRYPTION = |
113 private static final Collection<String> KU_SERVER_ENCRYPTION = |
114 Arrays.asList("RSA"); |
114 Arrays.asList("RSA"); |
115 |
115 |
116 // TLS key exchange algorithms requiring keyAgreement key usage |
116 // TLS key exchange algorithms requiring keyAgreement key usage |
117 private final static Collection<String> KU_SERVER_KEY_AGREEMENT = |
117 private static final Collection<String> KU_SERVER_KEY_AGREEMENT = |
118 Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA"); |
118 Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA"); |
119 |
119 |
120 // variant of this end entity cert checker |
120 // variant of this end entity cert checker |
121 private final String variant; |
121 private final String variant; |
122 |
122 |