jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java
changeset 1238 6d1f4b722acd
parent 790 b91742db13e2
child 2941 af92a83128fe
1096:7906d13db4eb 1238:6d1f4b722acd
     1 /*
     1 /*
     2  * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
     2  * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
     4  *
     4  *
     5  * This code is free software; you can redistribute it and/or modify it
     5  * This code is free software; you can redistribute it and/or modify it
     6  * under the terms of the GNU General Public License version 2 only, as
     6  * under the terms of the GNU General Public License version 2 only, as
     7  * published by the Free Software Foundation.  Sun designates this
     7  * published by the Free Software Foundation.  Sun designates this
    30 import java.util.Set;
    30 import java.util.Set;
    31 import java.util.HashSet;
    31 import java.util.HashSet;
    32 import java.io.IOException;
    32 import java.io.IOException;
    33 import java.security.cert.Certificate;
    33 import java.security.cert.Certificate;
    34 import java.security.cert.CertificateException;
    34 import java.security.cert.CertificateException;
       
    35 import java.security.cert.CertPathValidatorException;
    35 import java.security.cert.X509Certificate;
    36 import java.security.cert.X509Certificate;
    36 import java.security.cert.PKIXCertPathChecker;
    37 import java.security.cert.PKIXCertPathChecker;
    37 import java.security.cert.CertPathValidatorException;
    38 import java.security.cert.PKIXReason;
    38 import sun.security.util.Debug;
    39 import sun.security.util.Debug;
    39 import sun.security.x509.PKIXExtensions;
    40 import sun.security.x509.PKIXExtensions;
    40 import sun.security.x509.NameConstraintsExtension;
    41 import sun.security.x509.NameConstraintsExtension;
    41 import sun.security.x509.X509CertImpl;
    42 import sun.security.x509.X509CertImpl;
    42 
    43 
   145                 debug.println("currDN = " + currCert.getSubjectX500Principal());
   146                 debug.println("currDN = " + currCert.getSubjectX500Principal());
   146             }
   147             }
   147 
   148 
   148             try {
   149             try {
   149                 if (!prevNC.verify(currCert)) {
   150                 if (!prevNC.verify(currCert)) {
   150                     throw new CertPathValidatorException(msg + " check failed");
   151                     throw new CertPathValidatorException(msg + " check failed",
       
   152                         null, null, -1, PKIXReason.INVALID_NAME);
   151                 }
   153                 }
   152             } catch (IOException ioe) {
   154             } catch (IOException ioe) {
   153                 throw new CertPathValidatorException(ioe);
   155                 throw new CertPathValidatorException(ioe);
   154             }
   156             }
   155         }
   157         }
   226 
   228 
   227         /* check if intermediate cert */
   229         /* check if intermediate cert */
   228         if (i < certPathLength) {
   230         if (i < certPathLength) {
   229             int pathLenConstraint = currCert.getBasicConstraints();
   231             int pathLenConstraint = currCert.getBasicConstraints();
   230             if (pathLenConstraint == -1) {
   232             if (pathLenConstraint == -1) {
   231                 throw new CertPathValidatorException(msg + " check failed: "
   233                 throw new CertPathValidatorException
   232                     + "this is not a CA certificate");
   234                     (msg + " check failed: this is not a CA certificate", null,
       
   235                      null, -1, PKIXReason.NOT_CA_CERT);
   233             }
   236             }
   234 
   237 
   235             if (!X509CertImpl.isSelfIssued(currCert)) {
   238             if (!X509CertImpl.isSelfIssued(currCert)) {
   236                 if (maxPathLength <= 0) {
   239                 if (maxPathLength <= 0) {
   237                    throw new CertPathValidatorException
   240                    throw new CertPathValidatorException
   238                         (msg + " check failed: pathLenConstraint violated - "
   241                         (msg + " check failed: pathLenConstraint violated - "
   239                          + "this cert must be the last cert in the "
   242                          + "this cert must be the last cert in the "
   240                          + "certification path");
   243                          + "certification path", null, null, -1,
       
   244                          PKIXReason.PATH_TOO_LONG);
   241                 }
   245                 }
   242                 maxPathLength--;
   246                 maxPathLength--;
   243             }
   247             }
   244             if (pathLenConstraint < maxPathLength)
   248             if (pathLenConstraint < maxPathLength)
   245                 maxPathLength = pathLenConstraint;
   249                 maxPathLength = pathLenConstraint;
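Review bot: The `catch (IOException ioe)` branch at new line 155, directly below the new `PKIXReason.INVALID_NAME` throw, still calls the one-argument constructor, so a name-constraints check that fails on an I/O or encoding error reports the default reason rather than a PKIX one. A caller that branches on `getReason()` then sees two different reasons for failures of the same check, and must treat the unspecified reason as a validation failure too. If the difference is intended, document it with a comment such as `// I/O error while evaluating name constraints: reason deliberately left unspecified`; otherwise pass the reason explicitly, `throw new CertPathValidatorException(msg + " check failed", ioe, null, -1, PKIXReason.INVALID_NAME);`. The enclosing method starts and ends outside the lines shown here.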