jdk-sandbox: comparison jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java

equal deleted inserted replaced

-:0a5f341c2a28
+:7aa4d0b3a8c7
 */
 package sun.security.provider.certpath;
 import java.io.IOException;
-import java.util.*;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
+import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXReason;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreException;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.security.cert.X509CertSelector;
+import java.util.*;
 import javax.security.auth.x500.X500Principal;
+import sun.security.provider.certpath.PKIX.BuilderParams;
 import sun.security.util.Debug;
 import sun.security.x509.AccessDescription;
 import sun.security.x509.AuthorityInfoAccessExtension;
-import sun.security.x509.PKIXExtensions;
+import static sun.security.x509.PKIXExtensions.*;
 import sun.security.x509.PolicyMappingsExtension;
 import sun.security.x509.X500Name;
 import sun.security.x509.X509CertImpl;
 import sun.security.x509.AuthorityKeyIdentifierExtension;
 private AdaptableX509CertSelector caSelector;
 private X509CertSelector caTargetSelector;
 TrustAnchor trustAnchor;
 private Comparator<X509Certificate> comparator;
 private boolean searchAllCertStores = true;
-private boolean onlyEECert = false;
 /**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
-ForwardBuilder(PKIXBuilderParameters buildParams,
+ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
-X500Principal targetSubjectDN, boolean searchAllCertStores,
+super(buildParams);
-boolean onlyEECert)
-{
-super(buildParams, targetSubjectDN);
 // populate sets of trusted certificates and subject DNs
-trustAnchors = buildParams.getTrustAnchors();
+trustAnchors = buildParams.trustAnchors();
 trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
 trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
 for (TrustAnchor anchor : trustAnchors) {
 X509Certificate trustedCert = anchor.getTrustedCert();
 if (trustedCert != null) {
 trustedSubjectDNs.add(anchor.getCA());
 }
 }
 comparator = new PKIXCertComparator(trustedSubjectDNs);
 this.searchAllCertStores = searchAllCertStores;
-this.onlyEECert = onlyEECert;
 }
 /**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ForwardState</code>
 * @param certStores list of CertStores
 */
-Collection<X509Certificate> getMatchingCerts
+@Override
-(State currentState, List<CertStore> certStores)
+Collection<X509Certificate> getMatchingCerts(State currentState,
+List<CertStore> certStores)
 throws CertStoreException, CertificateException, IOException
 {
 if (debug != null) {
 debug.println("ForwardBuilder.getMatchingCerts()...");
 }
 /*
 * We store certs in a Set because we don't want duplicates.
 * As each cert is added, it is sorted based on the PKIXCertComparator
 * algorithm.
 */
-Set<X509Certificate> certs = new TreeSet<X509Certificate>(comparator);
+Set<X509Certificate> certs = new TreeSet<>(comparator);
 /*
 * Only look for EE certs if search has just started.
 */
 if (currState.isInitial()) {
 /*
 * Retrieves all end-entity certificates which satisfy constraints
 * and requirements specified in the parameters and PKIX state.
 */
 private void getMatchingEECerts(ForwardState currentState,
-List<CertStore> certStores, Collection<X509Certificate> eeCerts)
+List<CertStore> certStores,
-throws IOException {
+Collection<X509Certificate> eeCerts)
+throws IOException
+{
 if (debug != null) {
 debug.println("ForwardBuilder.getMatchingEECerts()...");
 }
 /*
 * Compose a certificate matching rule to filter out
 eeSelector = (X509CertSelector) targetCertConstraints.clone();
 /*
 * Match on certificate validity date
 */
-eeSelector.setCertificateValid(date);
+eeSelector.setCertificateValid(buildParams.date());
 /*
 * Policy processing optimizations
 */
-if (buildParams.isExplicitPolicyRequired()) {
+if (buildParams.explicitPolicyRequired()) {
 eeSelector.setPolicy(getMatchingPolicies());
 }
 /*
 * Require EE certs
 */
 /**
 * Retrieves all CA certificates which satisfy constraints
 * and requirements specified in the parameters and PKIX state.
 */
 private void getMatchingCACerts(ForwardState currentState,
-List<CertStore> certStores, Collection<X509Certificate> caCerts)
+List<CertStore> certStores,
-throws IOException {
+Collection<X509Certificate> caCerts)
+throws IOException
+{
 if (debug != null) {
 debug.println("ForwardBuilder.getMatchingCACerts()...");
 }
 int initialSize = caCerts.size();
 if (debug != null) {
 debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
 }
 if (caTargetSelector == null) {
-caTargetSelector = (X509CertSelector)
+caTargetSelector =
-targetCertConstraints.clone();
+(X509CertSelector) targetCertConstraints.clone();
 /*
 * Since we don't check the validity period of trusted
 * certificates, please don't set the certificate valid
 * criterion unless the trusted certificate matching is
 */
 /*
 * Policy processing optimizations
 */
-if (buildParams.isExplicitPolicyRequired())
+if (buildParams.explicitPolicyRequired())
 caTargetSelector.setPolicy(getMatchingPolicies());
 }
 sel = caTargetSelector;
 } else {
 */
 /*
 * Policy processing optimizations
 */
-if (buildParams.isExplicitPolicyRequired())
+if (buildParams.explicitPolicyRequired())
 caSelector.setPolicy(getMatchingPolicies());
 }
 /*
 * Match on subject (issuer of previous cert)
 /*
 * check the validity period
 */
 caSelector.setValidityPeriod(currentState.cert.getNotBefore(),
 currentState.cert.getNotAfter());
 sel = caSelector;
 }
 /*
 /*
 * The trusted certificate matching is completed. We need to match
 * on certificate validity date.
 */
-sel.setCertificateValid(date);
+sel.setCertificateValid(buildParams.date());
 /*
 * Require CA certs with a pathLenConstraint that allows
 * at least as many CA certs that have already been traversed
 */
 * certificate pairs. If maxPathLength has a value of -1, this
 * means it is unconstrained, so we always look through the
 * certificate pairs.
 */
 if (currentState.isInitial() ||
-(buildParams.getMaxPathLength() == -1) ||
+(buildParams.maxPathLength() == -1) ||
-(buildParams.getMaxPathLength() > currentState.traversedCACerts))
+(buildParams.maxPathLength() > currentState.traversedCACerts))
 {
 if (addMatchingCerts(sel, certStores,
-caCerts, searchAllCertStores) && !searchAllCertStores) {
+caCerts, searchAllCertStores)
+&& !searchAllCertStores) {
 return;
 }
 }
 if (!currentState.isInitial() && Builder.USE_AIA) {
 */
 // cs.getCertificates(caSelector) returns a collection of X509Certificate's
 // because of the selector, so the cast is safe
 @SuppressWarnings("unchecked")
 private boolean getCerts(AuthorityInfoAccessExtension aiaExt,
-Collection<X509Certificate> certs) {
+Collection<X509Certificate> certs)
+{
 if (Builder.USE_AIA == false) {
 return false;
 }
 List<AccessDescription> adList = aiaExt.getAccessDescriptions();
 if (adList == null || adList.isEmpty()) {
 *          certs are equal so that this comparator behaves
 *          correctly when used in a SortedSet.
 * @throws ClassCastException if either argument is not of type
 * X509Certificate
 */
+@Override
 public int compare(X509Certificate oCert1, X509Certificate oCert2) {
 // if certs are the same, return 0
 if (oCert1.equals(oCert2)) return 0;
 *
 * @param cert the certificate to be verified
 * @param currentState the current state against which the cert is verified
 * @param certPathList the certPathList generated thus far
 */
+@Override
 void verifyCert(X509Certificate cert, State currentState,
-List<X509Certificate> certPathList) throws GeneralSecurityException
+List<X509Certificate> certPathList)
+throws GeneralSecurityException
 {
 if (debug != null) {
 debug.println("ForwardBuilder.verifyCert(SN: "
 + Debug.toHexString(cert.getSerialNumber())
 + "\n  Issuer: " + cert.getIssuerX500Principal() + ")"
 }
 if (debug != null) {
 debug.println("policyMappingFound = " + policyMappingFound);
 }
 if (cert.equals(cpListCert)) {
-if ((buildParams.isPolicyMappingInhibited()) ||
+if ((buildParams.policyMappingInhibited()) ||
 (!policyMappingFound)) {
 if (debug != null) {
 debug.println("loop detected!!");
 }
 throw new CertPathValidatorException("loop detected");
 * Remove extensions from user checkers that don't support
 * forward checking. After this step, we will have removed
 * all extensions that all user checkers are capable of
 * processing.
 */
-for (PKIXCertPathChecker checker : buildParams.getCertPathCheckers()) {
+for (PKIXCertPathChecker checker : buildParams.certPathCheckers()) {
 if (!checker.isForwardCheckingSupported()) {
 Set<String> supportedExts = checker.getSupportedExtensions();
 if (supportedExts != null) {
 unresCritExts.removeAll(supportedExts);
 }
 /*
 * Look at the remaining extensions and remove any ones we know how
 * to check. If there are any left, throw an exception!
 */
 if (!unresCritExts.isEmpty()) {
-unresCritExts.remove(
+unresCritExts.remove(BasicConstraints_Id.toString());
-PKIXExtensions.BasicConstraints_Id.toString());
+unresCritExts.remove(NameConstraints_Id.toString());
-unresCritExts.remove(
+unresCritExts.remove(CertificatePolicies_Id.toString());
-PKIXExtensions.NameConstraints_Id.toString());
+unresCritExts.remove(PolicyMappings_Id.toString());
-unresCritExts.remove(
+unresCritExts.remove(PolicyConstraints_Id.toString());
-PKIXExtensions.CertificatePolicies_Id.toString());
+unresCritExts.remove(InhibitAnyPolicy_Id.toString());
-unresCritExts.remove(
+unresCritExts.remove(SubjectAlternativeName_Id.toString());
-PKIXExtensions.PolicyMappings_Id.toString());
+unresCritExts.remove(KeyUsage_Id.toString());
-unresCritExts.remove(
+unresCritExts.remove(ExtendedKeyUsage_Id.toString());
-PKIXExtensions.PolicyConstraints_Id.toString());
-unresCritExts.remove(
-PKIXExtensions.InhibitAnyPolicy_Id.toString());
-unresCritExts.remove(
-PKIXExtensions.SubjectAlternativeName_Id.toString());
-unresCritExts.remove(PKIXExtensions.KeyUsage_Id.toString());
-unresCritExts.remove(
-PKIXExtensions.ExtendedKeyUsage_Id.toString());
 if (!unresCritExts.isEmpty())
 throw new CertPathValidatorException
 ("Unrecognized critical extension(s)", null, null, -1,
 PKIXReason.UNRECOGNIZED_CRIT_EXT);
 * subjectDN, and publicKey from the cert
 * in order to verify a previous cert
 */
 /*
-* Check revocation for the previous cert
-*/
-if (buildParams.isRevocationEnabled()) {
-// first off, see if this cert can authorize revocation...
-if (CrlRevocationChecker.certCanSignCrl(cert)) {
-// And then check to be sure no key requiring key parameters
-// has been encountered
-if (!currState.keyParamsNeeded())
-// If all that checks out, we can check the
-// revocation status of the cert. Otherwise,
-// we'll just wait until the end.
-currState.crlChecker.check(currState.cert,
-cert.getPublicKey(),
-true);
-}
-}
-/*
 * Check signature only if no key requiring key parameters has been
 * encountered.
 */
 if (!currState.keyParamsNeeded()) {
 (currState.cert).verify(cert.getPublicKey(),
-buildParams.getSigProvider());
+buildParams.sigProvider());
 }
 }
 /**
 * Verifies whether the input certificate completes the path.
 * of the trust anchors are valid for this cert.
 *
 * @param cert the certificate to test
 * @return a boolean value indicating whether the cert completes the path.
 */
+@Override
 boolean isPathCompleted(X509Certificate cert) {
 for (TrustAnchor anchor : trustAnchors) {
 if (anchor.getTrustedCert() != null) {
 if (cert.equals(anchor.getTrustedCert())) {
 this.trustAnchor = anchor;
 } else {
 continue;
 }
 } else {
 X500Principal principal = anchor.getCA();
-java.security.PublicKey publicKey = anchor.getCAPublicKey();
+PublicKey publicKey = anchor.getCAPublicKey();
 if (principal != null && publicKey != null &&
 principal.equals(cert.getSubjectX500Principal())) {
 if (publicKey.equals(cert.getPublicKey())) {
 // the cert itself is a trust anchor
 !principal.equals(cert.getIssuerX500Principal())) {
 continue;
 }
 }
-/* Check revocation if it is enabled */
-if (buildParams.isRevocationEnabled()) {
-try {
-CrlRevocationChecker crlChecker = new CrlRevocationChecker
-(anchor, buildParams, null, onlyEECert);
-crlChecker.check(cert, anchor.getCAPublicKey(), true);
-} catch (CertPathValidatorException cpve) {
-if (debug != null) {
-debug.println("ForwardBuilder.isPathCompleted() cpve");
-cpve.printStackTrace();
-}
-continue;
-}
-}
 /*
 * Check signature
 */
 try {
 // NOTE: the DSA public key in the buildParams may lack
 // parameters, yet there is no key to inherit the parameters
 // from.  This is probably such a rare case that it is not worth
 // trying to detect the situation earlier.
-cert.verify(anchor.getCAPublicKey(),
+cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider());
-buildParams.getSigProvider());
 } catch (InvalidKeyException ike) {
 if (debug != null) {
 debug.println("ForwardBuilder.isPathCompleted() invalid "
 + "DSA key found");
 }
 continue;
-} catch (Exception e){
+} catch (GeneralSecurityException e){
 if (debug != null) {
 debug.println("ForwardBuilder.isPathCompleted() " +
 "unexpected exception");
 e.printStackTrace();
 }
 continue;
 }
 /** Adds the certificate to the certPathList
 *
 * @param cert the certificate to be added
 * @param certPathList the certification path list
 */
+@Override
 void addCertToPath(X509Certificate cert,
-LinkedList<X509Certificate> certPathList) {
+LinkedList<X509Certificate> certPathList)
+{
 certPathList.addFirst(cert);
 }
 /** Removes final certificate from the certPathList
 *
 * @param certPathList the certification path list
 */
+@Override
 void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) {
 certPathList.removeFirst();
 }
 }

changeset 12861	7aa4d0b3a8c7
parent 11902	a94ba35d9c4a
parent 12860	9ffbd4e43413
child 13800	2fd4a82efe9c