1 /* |
1 /* |
2 * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
30 import java.security.*; |
30 import java.security.*; |
31 import java.security.cert.CertificateException; |
31 import java.security.cert.CertificateException; |
32 import java.security.cert.CertificateParsingException; |
32 import java.security.cert.CertificateParsingException; |
33 import java.security.cert.CertPathValidatorException; |
33 import java.security.cert.CertPathValidatorException; |
34 import java.security.cert.CRLReason; |
34 import java.security.cert.CRLReason; |
|
35 import java.security.cert.TrustAnchor; |
35 import java.security.cert.X509Certificate; |
36 import java.security.cert.X509Certificate; |
36 import java.util.Collections; |
37 import java.util.Collections; |
37 import java.util.Date; |
38 import java.util.Date; |
38 import java.util.HashMap; |
39 import java.util.HashMap; |
39 import java.util.List; |
40 import java.util.List; |
368 // assume cert is not valid for signing |
369 // assume cert is not valid for signing |
369 throw new CertPathValidatorException( |
370 throw new CertPathValidatorException( |
370 "Responder's certificate not valid for signing " + |
371 "Responder's certificate not valid for signing " + |
371 "OCSP responses", cpe); |
372 "OCSP responses", cpe); |
372 } |
373 } |
|
374 |
|
375 // Check algorithm constraints specified in security property |
|
376 // "jdk.certpath.disabledAlgorithms". |
|
377 AlgorithmChecker algChecker = new AlgorithmChecker( |
|
378 new TrustAnchor(responderCert, null)); |
|
379 algChecker.init(false); |
|
380 algChecker.check(cert, Collections.<String>emptySet()); |
373 |
381 |
374 // check the validity |
382 // check the validity |
375 try { |
383 try { |
376 if (dateCheckedAgainst == null) { |
384 if (dateCheckedAgainst == null) { |
377 cert.checkValidity(); |
385 cert.checkValidity(); |
420 } |
428 } |
421 |
429 |
422 // Confirm that the signed response was generated using the public |
430 // Confirm that the signed response was generated using the public |
423 // key from the trusted responder cert |
431 // key from the trusted responder cert |
424 if (responderCert != null) { |
432 if (responderCert != null) { |
|
433 // Check algorithm constraints specified in security property |
|
434 // "jdk.certpath.disabledAlgorithms". |
|
435 AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId); |
|
436 |
425 if (!verifyResponse(responseDataDer, responderCert, |
437 if (!verifyResponse(responseDataDer, responderCert, |
426 sigAlgId, signature)) { |
438 sigAlgId, signature)) { |
427 throw new CertPathValidatorException( |
439 throw new CertPathValidatorException( |
428 "Error verifying OCSP Responder's signature"); |
440 "Error verifying OCSP Responder's signature"); |
429 } |
441 } |
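Review bot: The inserted block at new lines 377-380 builds `new TrustAnchor(responderCert, null)` with no null check on responderCert, while the second insertion at new lines 433-435 only touches the same field inside the existing `if (responderCert != null)` guard at new line 432; if responderCert can be null on the first path, the TrustAnchor constructor throws NullPointerException rather than the CertPathValidatorException this code otherwise raises (new lines 369-372), so a disabled-algorithm check would surface as a crash instead of a validation failure. Either wrap the new checker in the same guard, `if (responderCert != null) { ... }`, or, if the invariant already holds, record it where the anchor is built: `// responderCert is expected to be non-null here; TrustAnchor(null, ...) throws NPE — confirm against caller`. It is also worth a one-line comment on new line 380 stating that `cert` here is the certificate that signed the response, so the reader knows which certificate the jdk.certpath.disabledAlgorithms constraints are being applied to. The enclosing method starts and ends outside the visible hunks, so whether an earlier null check exists cannot be confirmed from this page.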