24 */ |
24 */ |
25 |
25 |
26 package sun.security.provider.certpath; |
26 package sun.security.provider.certpath; |
27 |
27 |
28 import java.io.IOException; |
28 import java.io.IOException; |
29 import java.util.*; |
|
30 |
|
31 import java.security.GeneralSecurityException; |
29 import java.security.GeneralSecurityException; |
32 import java.security.InvalidKeyException; |
30 import java.security.InvalidKeyException; |
|
31 import java.security.PublicKey; |
33 import java.security.cert.CertificateException; |
32 import java.security.cert.CertificateException; |
34 import java.security.cert.CertPathValidatorException; |
33 import java.security.cert.CertPathValidatorException; |
35 import java.security.cert.PKIXReason; |
34 import java.security.cert.PKIXReason; |
36 import java.security.cert.CertStore; |
35 import java.security.cert.CertStore; |
37 import java.security.cert.CertStoreException; |
36 import java.security.cert.CertStoreException; |
38 import java.security.cert.PKIXBuilderParameters; |
37 import java.security.cert.PKIXBuilderParameters; |
39 import java.security.cert.PKIXCertPathChecker; |
38 import java.security.cert.PKIXCertPathChecker; |
40 import java.security.cert.TrustAnchor; |
39 import java.security.cert.TrustAnchor; |
41 import java.security.cert.X509Certificate; |
40 import java.security.cert.X509Certificate; |
42 import java.security.cert.X509CertSelector; |
41 import java.security.cert.X509CertSelector; |
|
42 import java.util.*; |
43 import javax.security.auth.x500.X500Principal; |
43 import javax.security.auth.x500.X500Principal; |
44 |
44 |
|
45 import sun.security.provider.certpath.PKIX.BuilderParams; |
45 import sun.security.util.Debug; |
46 import sun.security.util.Debug; |
46 import sun.security.x509.AccessDescription; |
47 import sun.security.x509.AccessDescription; |
47 import sun.security.x509.AuthorityInfoAccessExtension; |
48 import sun.security.x509.AuthorityInfoAccessExtension; |
48 import sun.security.x509.PKIXExtensions; |
49 import static sun.security.x509.PKIXExtensions.*; |
49 import sun.security.x509.PolicyMappingsExtension; |
50 import sun.security.x509.PolicyMappingsExtension; |
50 import sun.security.x509.X500Name; |
51 import sun.security.x509.X500Name; |
51 import sun.security.x509.X509CertImpl; |
52 import sun.security.x509.X509CertImpl; |
52 import sun.security.x509.AuthorityKeyIdentifierExtension; |
53 import sun.security.x509.AuthorityKeyIdentifierExtension; |
53 |
54 |
70 private AdaptableX509CertSelector caSelector; |
71 private AdaptableX509CertSelector caSelector; |
71 private X509CertSelector caTargetSelector; |
72 private X509CertSelector caTargetSelector; |
72 TrustAnchor trustAnchor; |
73 TrustAnchor trustAnchor; |
73 private Comparator<X509Certificate> comparator; |
74 private Comparator<X509Certificate> comparator; |
74 private boolean searchAllCertStores = true; |
75 private boolean searchAllCertStores = true; |
75 private boolean onlyEECert = false; |
|
76 |
76 |
77 /** |
77 /** |
78 * Initialize the builder with the input parameters. |
78 * Initialize the builder with the input parameters. |
79 * |
79 * |
80 * @param params the parameter set used to build a certification path |
80 * @param params the parameter set used to build a certification path |
81 */ |
81 */ |
82 ForwardBuilder(PKIXBuilderParameters buildParams, |
82 ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) { |
83 X500Principal targetSubjectDN, boolean searchAllCertStores, |
83 super(buildParams); |
84 boolean onlyEECert) |
|
85 { |
|
86 super(buildParams, targetSubjectDN); |
|
87 |
84 |
88 // populate sets of trusted certificates and subject DNs |
85 // populate sets of trusted certificates and subject DNs |
89 trustAnchors = buildParams.getTrustAnchors(); |
86 trustAnchors = buildParams.trustAnchors(); |
90 trustedCerts = new HashSet<X509Certificate>(trustAnchors.size()); |
87 trustedCerts = new HashSet<X509Certificate>(trustAnchors.size()); |
91 trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size()); |
88 trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size()); |
92 for (TrustAnchor anchor : trustAnchors) { |
89 for (TrustAnchor anchor : trustAnchors) { |
93 X509Certificate trustedCert = anchor.getTrustedCert(); |
90 X509Certificate trustedCert = anchor.getTrustedCert(); |
94 if (trustedCert != null) { |
91 if (trustedCert != null) { |
98 trustedSubjectDNs.add(anchor.getCA()); |
95 trustedSubjectDNs.add(anchor.getCA()); |
99 } |
96 } |
100 } |
97 } |
101 comparator = new PKIXCertComparator(trustedSubjectDNs); |
98 comparator = new PKIXCertComparator(trustedSubjectDNs); |
102 this.searchAllCertStores = searchAllCertStores; |
99 this.searchAllCertStores = searchAllCertStores; |
103 this.onlyEECert = onlyEECert; |
|
104 } |
100 } |
105 |
101 |
106 /** |
102 /** |
107 * Retrieves all certs from the specified CertStores that satisfy the |
103 * Retrieves all certs from the specified CertStores that satisfy the |
108 * requirements specified in the parameters and the current |
104 * requirements specified in the parameters and the current |
110 * |
106 * |
111 * @param currentState the current state. |
107 * @param currentState the current state. |
112 * Must be an instance of <code>ForwardState</code> |
108 * Must be an instance of <code>ForwardState</code> |
113 * @param certStores list of CertStores |
109 * @param certStores list of CertStores |
114 */ |
110 */ |
115 Collection<X509Certificate> getMatchingCerts |
111 @Override |
116 (State currentState, List<CertStore> certStores) |
112 Collection<X509Certificate> getMatchingCerts(State currentState, |
|
113 List<CertStore> certStores) |
117 throws CertStoreException, CertificateException, IOException |
114 throws CertStoreException, CertificateException, IOException |
118 { |
115 { |
119 if (debug != null) { |
116 if (debug != null) { |
120 debug.println("ForwardBuilder.getMatchingCerts()..."); |
117 debug.println("ForwardBuilder.getMatchingCerts()..."); |
121 } |
118 } |
125 /* |
122 /* |
126 * We store certs in a Set because we don't want duplicates. |
123 * We store certs in a Set because we don't want duplicates. |
127 * As each cert is added, it is sorted based on the PKIXCertComparator |
124 * As each cert is added, it is sorted based on the PKIXCertComparator |
128 * algorithm. |
125 * algorithm. |
129 */ |
126 */ |
130 Set<X509Certificate> certs = new TreeSet<X509Certificate>(comparator); |
127 Set<X509Certificate> certs = new TreeSet<>(comparator); |
131 |
128 |
132 /* |
129 /* |
133 * Only look for EE certs if search has just started. |
130 * Only look for EE certs if search has just started. |
134 */ |
131 */ |
135 if (currState.isInitial()) { |
132 if (currState.isInitial()) { |
143 /* |
140 /* |
144 * Retrieves all end-entity certificates which satisfy constraints |
141 * Retrieves all end-entity certificates which satisfy constraints |
145 * and requirements specified in the parameters and PKIX state. |
142 * and requirements specified in the parameters and PKIX state. |
146 */ |
143 */ |
147 private void getMatchingEECerts(ForwardState currentState, |
144 private void getMatchingEECerts(ForwardState currentState, |
148 List<CertStore> certStores, Collection<X509Certificate> eeCerts) |
145 List<CertStore> certStores, |
149 throws IOException { |
146 Collection<X509Certificate> eeCerts) |
150 |
147 throws IOException |
|
148 { |
151 if (debug != null) { |
149 if (debug != null) { |
152 debug.println("ForwardBuilder.getMatchingEECerts()..."); |
150 debug.println("ForwardBuilder.getMatchingEECerts()..."); |
153 } |
151 } |
154 /* |
152 /* |
155 * Compose a certificate matching rule to filter out |
153 * Compose a certificate matching rule to filter out |
163 eeSelector = (X509CertSelector) targetCertConstraints.clone(); |
161 eeSelector = (X509CertSelector) targetCertConstraints.clone(); |
164 |
162 |
165 /* |
163 /* |
166 * Match on certificate validity date |
164 * Match on certificate validity date |
167 */ |
165 */ |
168 eeSelector.setCertificateValid(date); |
166 eeSelector.setCertificateValid(buildParams.date()); |
169 |
167 |
170 /* |
168 /* |
171 * Policy processing optimizations |
169 * Policy processing optimizations |
172 */ |
170 */ |
173 if (buildParams.isExplicitPolicyRequired()) { |
171 if (buildParams.explicitPolicyRequired()) { |
174 eeSelector.setPolicy(getMatchingPolicies()); |
172 eeSelector.setPolicy(getMatchingPolicies()); |
175 } |
173 } |
176 /* |
174 /* |
177 * Require EE certs |
175 * Require EE certs |
178 */ |
176 */ |
186 /** |
184 /** |
187 * Retrieves all CA certificates which satisfy constraints |
185 * Retrieves all CA certificates which satisfy constraints |
188 * and requirements specified in the parameters and PKIX state. |
186 * and requirements specified in the parameters and PKIX state. |
189 */ |
187 */ |
190 private void getMatchingCACerts(ForwardState currentState, |
188 private void getMatchingCACerts(ForwardState currentState, |
191 List<CertStore> certStores, Collection<X509Certificate> caCerts) |
189 List<CertStore> certStores, |
192 throws IOException { |
190 Collection<X509Certificate> caCerts) |
193 |
191 throws IOException |
|
192 { |
194 if (debug != null) { |
193 if (debug != null) { |
195 debug.println("ForwardBuilder.getMatchingCACerts()..."); |
194 debug.println("ForwardBuilder.getMatchingCACerts()..."); |
196 } |
195 } |
197 int initialSize = caCerts.size(); |
196 int initialSize = caCerts.size(); |
198 |
197 |
214 if (debug != null) { |
213 if (debug != null) { |
215 debug.println("ForwardBuilder.getMatchingCACerts(): ca is target"); |
214 debug.println("ForwardBuilder.getMatchingCACerts(): ca is target"); |
216 } |
215 } |
217 |
216 |
218 if (caTargetSelector == null) { |
217 if (caTargetSelector == null) { |
219 caTargetSelector = (X509CertSelector) |
218 caTargetSelector = |
220 targetCertConstraints.clone(); |
219 (X509CertSelector) targetCertConstraints.clone(); |
221 |
220 |
222 /* |
221 /* |
223 * Since we don't check the validity period of trusted |
222 * Since we don't check the validity period of trusted |
224 * certificates, please don't set the certificate valid |
223 * certificates, please don't set the certificate valid |
225 * criterion unless the trusted certificate matching is |
224 * criterion unless the trusted certificate matching is |
305 |
304 |
306 /* |
305 /* |
307 * The trusted certificate matching is completed. We need to match |
306 * The trusted certificate matching is completed. We need to match |
308 * on certificate validity date. |
307 * on certificate validity date. |
309 */ |
308 */ |
310 sel.setCertificateValid(date); |
309 sel.setCertificateValid(buildParams.date()); |
311 |
310 |
312 /* |
311 /* |
313 * Require CA certs with a pathLenConstraint that allows |
312 * Require CA certs with a pathLenConstraint that allows |
314 * at least as many CA certs that have already been traversed |
313 * at least as many CA certs that have already been traversed |
315 */ |
314 */ |
321 * certificate pairs. If maxPathLength has a value of -1, this |
320 * certificate pairs. If maxPathLength has a value of -1, this |
322 * means it is unconstrained, so we always look through the |
321 * means it is unconstrained, so we always look through the |
323 * certificate pairs. |
322 * certificate pairs. |
324 */ |
323 */ |
325 if (currentState.isInitial() || |
324 if (currentState.isInitial() || |
326 (buildParams.getMaxPathLength() == -1) || |
325 (buildParams.maxPathLength() == -1) || |
327 (buildParams.getMaxPathLength() > currentState.traversedCACerts)) |
326 (buildParams.maxPathLength() > currentState.traversedCACerts)) |
328 { |
327 { |
329 if (addMatchingCerts(sel, certStores, |
328 if (addMatchingCerts(sel, certStores, |
330 caCerts, searchAllCertStores) && !searchAllCertStores) { |
329 caCerts, searchAllCertStores) |
|
330 && !searchAllCertStores) { |
331 return; |
331 return; |
332 } |
332 } |
333 } |
333 } |
334 |
334 |
335 if (!currentState.isInitial() && Builder.USE_AIA) { |
335 if (!currentState.isInitial() && Builder.USE_AIA) { |
354 */ |
354 */ |
355 // cs.getCertificates(caSelector) returns a collection of X509Certificate's |
355 // cs.getCertificates(caSelector) returns a collection of X509Certificate's |
356 // because of the selector, so the cast is safe |
356 // because of the selector, so the cast is safe |
357 @SuppressWarnings("unchecked") |
357 @SuppressWarnings("unchecked") |
358 private boolean getCerts(AuthorityInfoAccessExtension aiaExt, |
358 private boolean getCerts(AuthorityInfoAccessExtension aiaExt, |
359 Collection<X509Certificate> certs) { |
359 Collection<X509Certificate> certs) |
|
360 { |
360 if (Builder.USE_AIA == false) { |
361 if (Builder.USE_AIA == false) { |
361 return false; |
362 return false; |
362 } |
363 } |
363 List<AccessDescription> adList = aiaExt.getAccessDescriptions(); |
364 List<AccessDescription> adList = aiaExt.getAccessDescriptions(); |
364 if (adList == null || adList.isEmpty()) { |
365 if (adList == null || adList.isEmpty()) { |
447 * certs are equal so that this comparator behaves |
448 * certs are equal so that this comparator behaves |
448 * correctly when used in a SortedSet. |
449 * correctly when used in a SortedSet. |
449 * @throws ClassCastException if either argument is not of type |
450 * @throws ClassCastException if either argument is not of type |
450 * X509Certificate |
451 * X509Certificate |
451 */ |
452 */ |
|
453 @Override |
452 public int compare(X509Certificate oCert1, X509Certificate oCert2) { |
454 public int compare(X509Certificate oCert1, X509Certificate oCert2) { |
453 |
455 |
454 // if certs are the same, return 0 |
456 // if certs are the same, return 0 |
455 if (oCert1.equals(oCert2)) return 0; |
457 if (oCert1.equals(oCert2)) return 0; |
456 |
458 |
649 * |
651 * |
650 * @param cert the certificate to be verified |
652 * @param cert the certificate to be verified |
651 * @param currentState the current state against which the cert is verified |
653 * @param currentState the current state against which the cert is verified |
652 * @param certPathList the certPathList generated thus far |
654 * @param certPathList the certPathList generated thus far |
653 */ |
655 */ |
|
656 @Override |
654 void verifyCert(X509Certificate cert, State currentState, |
657 void verifyCert(X509Certificate cert, State currentState, |
655 List<X509Certificate> certPathList) throws GeneralSecurityException |
658 List<X509Certificate> certPathList) |
|
659 throws GeneralSecurityException |
656 { |
660 { |
657 if (debug != null) { |
661 if (debug != null) { |
658 debug.println("ForwardBuilder.verifyCert(SN: " |
662 debug.println("ForwardBuilder.verifyCert(SN: " |
659 + Debug.toHexString(cert.getSerialNumber()) |
663 + Debug.toHexString(cert.getSerialNumber()) |
660 + "\n Issuer: " + cert.getIssuerX500Principal() + ")" |
664 + "\n Issuer: " + cert.getIssuerX500Principal() + ")" |
684 } |
688 } |
685 if (debug != null) { |
689 if (debug != null) { |
686 debug.println("policyMappingFound = " + policyMappingFound); |
690 debug.println("policyMappingFound = " + policyMappingFound); |
687 } |
691 } |
688 if (cert.equals(cpListCert)) { |
692 if (cert.equals(cpListCert)) { |
689 if ((buildParams.isPolicyMappingInhibited()) || |
693 if ((buildParams.policyMappingInhibited()) || |
690 (!policyMappingFound)) { |
694 (!policyMappingFound)) { |
691 if (debug != null) { |
695 if (debug != null) { |
692 debug.println("loop detected!!"); |
696 debug.println("loop detected!!"); |
693 } |
697 } |
694 throw new CertPathValidatorException("loop detected"); |
698 throw new CertPathValidatorException("loop detected"); |
719 * Remove extensions from user checkers that don't support |
723 * Remove extensions from user checkers that don't support |
720 * forward checking. After this step, we will have removed |
724 * forward checking. After this step, we will have removed |
721 * all extensions that all user checkers are capable of |
725 * all extensions that all user checkers are capable of |
722 * processing. |
726 * processing. |
723 */ |
727 */ |
724 for (PKIXCertPathChecker checker : buildParams.getCertPathCheckers()) { |
728 for (PKIXCertPathChecker checker : buildParams.certPathCheckers()) { |
725 if (!checker.isForwardCheckingSupported()) { |
729 if (!checker.isForwardCheckingSupported()) { |
726 Set<String> supportedExts = checker.getSupportedExtensions(); |
730 Set<String> supportedExts = checker.getSupportedExtensions(); |
727 if (supportedExts != null) { |
731 if (supportedExts != null) { |
728 unresCritExts.removeAll(supportedExts); |
732 unresCritExts.removeAll(supportedExts); |
729 } |
733 } |
733 /* |
737 /* |
734 * Look at the remaining extensions and remove any ones we know how |
738 * Look at the remaining extensions and remove any ones we know how |
735 * to check. If there are any left, throw an exception! |
739 * to check. If there are any left, throw an exception! |
736 */ |
740 */ |
737 if (!unresCritExts.isEmpty()) { |
741 if (!unresCritExts.isEmpty()) { |
738 unresCritExts.remove( |
742 unresCritExts.remove(BasicConstraints_Id.toString()); |
739 PKIXExtensions.BasicConstraints_Id.toString()); |
743 unresCritExts.remove(NameConstraints_Id.toString()); |
740 unresCritExts.remove( |
744 unresCritExts.remove(CertificatePolicies_Id.toString()); |
741 PKIXExtensions.NameConstraints_Id.toString()); |
745 unresCritExts.remove(PolicyMappings_Id.toString()); |
742 unresCritExts.remove( |
746 unresCritExts.remove(PolicyConstraints_Id.toString()); |
743 PKIXExtensions.CertificatePolicies_Id.toString()); |
747 unresCritExts.remove(InhibitAnyPolicy_Id.toString()); |
744 unresCritExts.remove( |
748 unresCritExts.remove(SubjectAlternativeName_Id.toString()); |
745 PKIXExtensions.PolicyMappings_Id.toString()); |
749 unresCritExts.remove(KeyUsage_Id.toString()); |
746 unresCritExts.remove( |
750 unresCritExts.remove(ExtendedKeyUsage_Id.toString()); |
747 PKIXExtensions.PolicyConstraints_Id.toString()); |
|
748 unresCritExts.remove( |
|
749 PKIXExtensions.InhibitAnyPolicy_Id.toString()); |
|
750 unresCritExts.remove( |
|
751 PKIXExtensions.SubjectAlternativeName_Id.toString()); |
|
752 unresCritExts.remove(PKIXExtensions.KeyUsage_Id.toString()); |
|
753 unresCritExts.remove( |
|
754 PKIXExtensions.ExtendedKeyUsage_Id.toString()); |
|
755 |
751 |
756 if (!unresCritExts.isEmpty()) |
752 if (!unresCritExts.isEmpty()) |
757 throw new CertPathValidatorException |
753 throw new CertPathValidatorException |
758 ("Unrecognized critical extension(s)", null, null, -1, |
754 ("Unrecognized critical extension(s)", null, null, -1, |
759 PKIXReason.UNRECOGNIZED_CRIT_EXT); |
755 PKIXReason.UNRECOGNIZED_CRIT_EXT); |
787 * subjectDN, and publicKey from the cert |
783 * subjectDN, and publicKey from the cert |
788 * in order to verify a previous cert |
784 * in order to verify a previous cert |
789 */ |
785 */ |
790 |
786 |
791 /* |
787 /* |
792 * Check revocation for the previous cert |
|
793 */ |
|
794 if (buildParams.isRevocationEnabled()) { |
|
795 |
|
796 // first off, see if this cert can authorize revocation... |
|
797 if (CrlRevocationChecker.certCanSignCrl(cert)) { |
|
798 // And then check to be sure no key requiring key parameters |
|
799 // has been encountered |
|
800 if (!currState.keyParamsNeeded()) |
|
801 // If all that checks out, we can check the |
|
802 // revocation status of the cert. Otherwise, |
|
803 // we'll just wait until the end. |
|
804 currState.crlChecker.check(currState.cert, |
|
805 cert.getPublicKey(), |
|
806 true); |
|
807 } |
|
808 } |
|
809 |
|
810 /* |
|
811 * Check signature only if no key requiring key parameters has been |
788 * Check signature only if no key requiring key parameters has been |
812 * encountered. |
789 * encountered. |
813 */ |
790 */ |
814 if (!currState.keyParamsNeeded()) { |
791 if (!currState.keyParamsNeeded()) { |
815 (currState.cert).verify(cert.getPublicKey(), |
792 (currState.cert).verify(cert.getPublicKey(), |
816 buildParams.getSigProvider()); |
793 buildParams.sigProvider()); |
817 } |
794 } |
818 } |
795 } |
819 |
796 |
820 /** |
797 /** |
821 * Verifies whether the input certificate completes the path. |
798 * Verifies whether the input certificate completes the path. |
827 * of the trust anchors are valid for this cert. |
804 * of the trust anchors are valid for this cert. |
828 * |
805 * |
829 * @param cert the certificate to test |
806 * @param cert the certificate to test |
830 * @return a boolean value indicating whether the cert completes the path. |
807 * @return a boolean value indicating whether the cert completes the path. |
831 */ |
808 */ |
|
809 @Override |
832 boolean isPathCompleted(X509Certificate cert) { |
810 boolean isPathCompleted(X509Certificate cert) { |
833 for (TrustAnchor anchor : trustAnchors) { |
811 for (TrustAnchor anchor : trustAnchors) { |
834 if (anchor.getTrustedCert() != null) { |
812 if (anchor.getTrustedCert() != null) { |
835 if (cert.equals(anchor.getTrustedCert())) { |
813 if (cert.equals(anchor.getTrustedCert())) { |
836 this.trustAnchor = anchor; |
814 this.trustAnchor = anchor; |
838 } else { |
816 } else { |
839 continue; |
817 continue; |
840 } |
818 } |
841 } else { |
819 } else { |
842 X500Principal principal = anchor.getCA(); |
820 X500Principal principal = anchor.getCA(); |
843 java.security.PublicKey publicKey = anchor.getCAPublicKey(); |
821 PublicKey publicKey = anchor.getCAPublicKey(); |
844 |
822 |
845 if (principal != null && publicKey != null && |
823 if (principal != null && publicKey != null && |
846 principal.equals(cert.getSubjectX500Principal())) { |
824 principal.equals(cert.getSubjectX500Principal())) { |
847 if (publicKey.equals(cert.getPublicKey())) { |
825 if (publicKey.equals(cert.getPublicKey())) { |
848 // the cert itself is a trust anchor |
826 // the cert itself is a trust anchor |
857 !principal.equals(cert.getIssuerX500Principal())) { |
835 !principal.equals(cert.getIssuerX500Principal())) { |
858 continue; |
836 continue; |
859 } |
837 } |
860 } |
838 } |
861 |
839 |
862 /* Check revocation if it is enabled */ |
|
863 if (buildParams.isRevocationEnabled()) { |
|
864 try { |
|
865 CrlRevocationChecker crlChecker = new CrlRevocationChecker |
|
866 (anchor, buildParams, null, onlyEECert); |
|
867 crlChecker.check(cert, anchor.getCAPublicKey(), true); |
|
868 } catch (CertPathValidatorException cpve) { |
|
869 if (debug != null) { |
|
870 debug.println("ForwardBuilder.isPathCompleted() cpve"); |
|
871 cpve.printStackTrace(); |
|
872 } |
|
873 continue; |
|
874 } |
|
875 } |
|
876 |
|
877 /* |
840 /* |
878 * Check signature |
841 * Check signature |
879 */ |
842 */ |
880 try { |
843 try { |
881 // NOTE: the DSA public key in the buildParams may lack |
844 // NOTE: the DSA public key in the buildParams may lack |
882 // parameters, yet there is no key to inherit the parameters |
845 // parameters, yet there is no key to inherit the parameters |
883 // from. This is probably such a rare case that it is not worth |
846 // from. This is probably such a rare case that it is not worth |
884 // trying to detect the situation earlier. |
847 // trying to detect the situation earlier. |
885 cert.verify(anchor.getCAPublicKey(), |
848 cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider()); |
886 buildParams.getSigProvider()); |
|
887 } catch (InvalidKeyException ike) { |
849 } catch (InvalidKeyException ike) { |
888 if (debug != null) { |
850 if (debug != null) { |
889 debug.println("ForwardBuilder.isPathCompleted() invalid " |
851 debug.println("ForwardBuilder.isPathCompleted() invalid " |
890 + "DSA key found"); |
852 + "DSA key found"); |
891 } |
853 } |
892 continue; |
854 continue; |
893 } catch (Exception e){ |
855 } catch (GeneralSecurityException e){ |
894 if (debug != null) { |
856 if (debug != null) { |
895 debug.println("ForwardBuilder.isPathCompleted() " + |
857 debug.println("ForwardBuilder.isPathCompleted() " + |
896 "unexpected exception"); |
858 "unexpected exception"); |
897 e.printStackTrace(); |
859 e.printStackTrace(); |
898 } |
860 } |
899 continue; |
861 continue; |
900 } |
862 } |
901 |
863 |
909 /** Adds the certificate to the certPathList |
871 /** Adds the certificate to the certPathList |
910 * |
872 * |
911 * @param cert the certificate to be added |
873 * @param cert the certificate to be added |
912 * @param certPathList the certification path list |
874 * @param certPathList the certification path list |
913 */ |
875 */ |
|
876 @Override |
914 void addCertToPath(X509Certificate cert, |
877 void addCertToPath(X509Certificate cert, |
915 LinkedList<X509Certificate> certPathList) { |
878 LinkedList<X509Certificate> certPathList) |
|
879 { |
916 certPathList.addFirst(cert); |
880 certPathList.addFirst(cert); |
917 } |
881 } |
918 |
882 |
919 /** Removes final certificate from the certPathList |
883 /** Removes final certificate from the certPathList |
920 * |
884 * |
921 * @param certPathList the certification path list |
885 * @param certPathList the certification path list |
922 */ |
886 */ |
|
887 @Override |
923 void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) { |
888 void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) { |
924 certPathList.removeFirst(); |
889 certPathList.removeFirst(); |
925 } |
890 } |
926 } |
891 } |