1 /* |
1 /* |
2 * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
24 */ |
24 */ |
25 |
25 |
26 package sun.security.provider.certpath; |
26 package sun.security.provider.certpath; |
27 |
27 |
28 import java.io.IOException; |
28 import java.io.IOException; |
29 import java.util.*; |
|
30 |
|
31 import java.security.GeneralSecurityException; |
29 import java.security.GeneralSecurityException; |
32 import java.security.InvalidKeyException; |
30 import java.security.InvalidKeyException; |
|
31 import java.security.PublicKey; |
33 import java.security.cert.CertificateException; |
32 import java.security.cert.CertificateException; |
34 import java.security.cert.CertPathValidatorException; |
33 import java.security.cert.CertPathValidatorException; |
35 import java.security.cert.PKIXReason; |
34 import java.security.cert.PKIXReason; |
36 import java.security.cert.CertStore; |
35 import java.security.cert.CertStore; |
37 import java.security.cert.CertStoreException; |
36 import java.security.cert.CertStoreException; |
38 import java.security.cert.PKIXBuilderParameters; |
37 import java.security.cert.PKIXBuilderParameters; |
39 import java.security.cert.PKIXCertPathChecker; |
38 import java.security.cert.PKIXCertPathChecker; |
40 import java.security.cert.TrustAnchor; |
39 import java.security.cert.TrustAnchor; |
41 import java.security.cert.X509Certificate; |
40 import java.security.cert.X509Certificate; |
42 import java.security.cert.X509CertSelector; |
41 import java.security.cert.X509CertSelector; |
|
42 import java.util.*; |
43 import javax.security.auth.x500.X500Principal; |
43 import javax.security.auth.x500.X500Principal; |
44 |
44 |
|
45 import sun.security.provider.certpath.PKIX.BuilderParams; |
45 import sun.security.util.Debug; |
46 import sun.security.util.Debug; |
46 import sun.security.x509.AccessDescription; |
47 import sun.security.x509.AccessDescription; |
47 import sun.security.x509.AuthorityInfoAccessExtension; |
48 import sun.security.x509.AuthorityInfoAccessExtension; |
48 import sun.security.x509.PKIXExtensions; |
49 import static sun.security.x509.PKIXExtensions.*; |
49 import sun.security.x509.PolicyMappingsExtension; |
50 import sun.security.x509.PolicyMappingsExtension; |
50 import sun.security.x509.X500Name; |
51 import sun.security.x509.X500Name; |
51 import sun.security.x509.X509CertImpl; |
52 import sun.security.x509.X509CertImpl; |
52 import sun.security.x509.AuthorityKeyIdentifierExtension; |
53 import sun.security.x509.AuthorityKeyIdentifierExtension; |
53 |
54 |
70 private AdaptableX509CertSelector caSelector; |
71 private AdaptableX509CertSelector caSelector; |
71 private X509CertSelector caTargetSelector; |
72 private X509CertSelector caTargetSelector; |
72 TrustAnchor trustAnchor; |
73 TrustAnchor trustAnchor; |
73 private Comparator<X509Certificate> comparator; |
74 private Comparator<X509Certificate> comparator; |
74 private boolean searchAllCertStores = true; |
75 private boolean searchAllCertStores = true; |
75 private boolean onlyEECert = false; |
|
76 |
76 |
77 /** |
77 /** |
78 * Initialize the builder with the input parameters. |
78 * Initialize the builder with the input parameters. |
79 * |
79 * |
80 * @param params the parameter set used to build a certification path |
80 * @param params the parameter set used to build a certification path |
81 */ |
81 */ |
82 ForwardBuilder(PKIXBuilderParameters buildParams, |
82 ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) { |
83 X500Principal targetSubjectDN, boolean searchAllCertStores, |
83 super(buildParams); |
84 boolean onlyEECert) |
|
85 { |
|
86 super(buildParams, targetSubjectDN); |
|
87 |
84 |
88 // populate sets of trusted certificates and subject DNs |
85 // populate sets of trusted certificates and subject DNs |
89 trustAnchors = buildParams.getTrustAnchors(); |
86 trustAnchors = buildParams.trustAnchors(); |
90 trustedCerts = new HashSet<X509Certificate>(trustAnchors.size()); |
87 trustedCerts = new HashSet<X509Certificate>(trustAnchors.size()); |
91 trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size()); |
88 trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size()); |
92 for (TrustAnchor anchor : trustAnchors) { |
89 for (TrustAnchor anchor : trustAnchors) { |
93 X509Certificate trustedCert = anchor.getTrustedCert(); |
90 X509Certificate trustedCert = anchor.getTrustedCert(); |
94 if (trustedCert != null) { |
91 if (trustedCert != null) { |
98 trustedSubjectDNs.add(anchor.getCA()); |
95 trustedSubjectDNs.add(anchor.getCA()); |
99 } |
96 } |
100 } |
97 } |
101 comparator = new PKIXCertComparator(trustedSubjectDNs); |
98 comparator = new PKIXCertComparator(trustedSubjectDNs); |
102 this.searchAllCertStores = searchAllCertStores; |
99 this.searchAllCertStores = searchAllCertStores; |
103 this.onlyEECert = onlyEECert; |
|
104 } |
100 } |
105 |
101 |
106 /** |
102 /** |
107 * Retrieves all certs from the specified CertStores that satisfy the |
103 * Retrieves all certs from the specified CertStores that satisfy the |
108 * requirements specified in the parameters and the current |
104 * requirements specified in the parameters and the current |
110 * |
106 * |
111 * @param currentState the current state. |
107 * @param currentState the current state. |
112 * Must be an instance of <code>ForwardState</code> |
108 * Must be an instance of <code>ForwardState</code> |
113 * @param certStores list of CertStores |
109 * @param certStores list of CertStores |
114 */ |
110 */ |
115 Collection<X509Certificate> getMatchingCerts |
111 @Override |
116 (State currentState, List<CertStore> certStores) |
112 Collection<X509Certificate> getMatchingCerts(State currentState, |
|
113 List<CertStore> certStores) |
117 throws CertStoreException, CertificateException, IOException |
114 throws CertStoreException, CertificateException, IOException |
118 { |
115 { |
119 if (debug != null) { |
116 if (debug != null) { |
120 debug.println("ForwardBuilder.getMatchingCerts()..."); |
117 debug.println("ForwardBuilder.getMatchingCerts()..."); |
121 } |
118 } |
125 /* |
122 /* |
126 * We store certs in a Set because we don't want duplicates. |
123 * We store certs in a Set because we don't want duplicates. |
127 * As each cert is added, it is sorted based on the PKIXCertComparator |
124 * As each cert is added, it is sorted based on the PKIXCertComparator |
128 * algorithm. |
125 * algorithm. |
129 */ |
126 */ |
130 Set<X509Certificate> certs = new TreeSet<X509Certificate>(comparator); |
127 Set<X509Certificate> certs = new TreeSet<>(comparator); |
131 |
128 |
132 /* |
129 /* |
133 * Only look for EE certs if search has just started. |
130 * Only look for EE certs if search has just started. |
134 */ |
131 */ |
135 if (currState.isInitial()) { |
132 if (currState.isInitial()) { |
143 /* |
140 /* |
144 * Retrieves all end-entity certificates which satisfy constraints |
141 * Retrieves all end-entity certificates which satisfy constraints |
145 * and requirements specified in the parameters and PKIX state. |
142 * and requirements specified in the parameters and PKIX state. |
146 */ |
143 */ |
147 private void getMatchingEECerts(ForwardState currentState, |
144 private void getMatchingEECerts(ForwardState currentState, |
148 List<CertStore> certStores, Collection<X509Certificate> eeCerts) |
145 List<CertStore> certStores, |
149 throws IOException { |
146 Collection<X509Certificate> eeCerts) |
150 |
147 throws IOException |
|
148 { |
151 if (debug != null) { |
149 if (debug != null) { |
152 debug.println("ForwardBuilder.getMatchingEECerts()..."); |
150 debug.println("ForwardBuilder.getMatchingEECerts()..."); |
153 } |
151 } |
154 /* |
152 /* |
155 * Compose a certificate matching rule to filter out |
153 * Compose a certificate matching rule to filter out |
163 eeSelector = (X509CertSelector) targetCertConstraints.clone(); |
161 eeSelector = (X509CertSelector) targetCertConstraints.clone(); |
164 |
162 |
165 /* |
163 /* |
166 * Match on certificate validity date |
164 * Match on certificate validity date |
167 */ |
165 */ |
168 eeSelector.setCertificateValid(date); |
166 eeSelector.setCertificateValid(buildParams.date()); |
169 |
167 |
170 /* |
168 /* |
171 * Policy processing optimizations |
169 * Policy processing optimizations |
172 */ |
170 */ |
173 if (buildParams.isExplicitPolicyRequired()) { |
171 if (buildParams.explicitPolicyRequired()) { |
174 eeSelector.setPolicy(getMatchingPolicies()); |
172 eeSelector.setPolicy(getMatchingPolicies()); |
175 } |
173 } |
176 /* |
174 /* |
177 * Require EE certs |
175 * Require EE certs |
178 */ |
176 */ |
186 /** |
184 /** |
187 * Retrieves all CA certificates which satisfy constraints |
185 * Retrieves all CA certificates which satisfy constraints |
188 * and requirements specified in the parameters and PKIX state. |
186 * and requirements specified in the parameters and PKIX state. |
189 */ |
187 */ |
190 private void getMatchingCACerts(ForwardState currentState, |
188 private void getMatchingCACerts(ForwardState currentState, |
191 List<CertStore> certStores, Collection<X509Certificate> caCerts) |
189 List<CertStore> certStores, |
192 throws IOException { |
190 Collection<X509Certificate> caCerts) |
193 |
191 throws IOException |
|
192 { |
194 if (debug != null) { |
193 if (debug != null) { |
195 debug.println("ForwardBuilder.getMatchingCACerts()..."); |
194 debug.println("ForwardBuilder.getMatchingCACerts()..."); |
196 } |
195 } |
197 int initialSize = caCerts.size(); |
196 int initialSize = caCerts.size(); |
198 |
197 |
214 if (debug != null) { |
213 if (debug != null) { |
215 debug.println("ForwardBuilder.getMatchingCACerts(): ca is target"); |
214 debug.println("ForwardBuilder.getMatchingCACerts(): ca is target"); |
216 } |
215 } |
217 |
216 |
218 if (caTargetSelector == null) { |
217 if (caTargetSelector == null) { |
219 caTargetSelector = (X509CertSelector) |
218 caTargetSelector = |
220 targetCertConstraints.clone(); |
219 (X509CertSelector) targetCertConstraints.clone(); |
221 |
220 |
222 /* |
221 /* |
223 * Since we don't check the validity period of trusted |
222 * Since we don't check the validity period of trusted |
224 * certificates, please don't set the certificate valid |
223 * certificates, please don't set the certificate valid |
225 * criterion unless the trusted certificate matching is |
224 * criterion unless the trusted certificate matching is |
305 |
304 |
306 /* |
305 /* |
307 * The trusted certificate matching is completed. We need to match |
306 * The trusted certificate matching is completed. We need to match |
308 * on certificate validity date. |
307 * on certificate validity date. |
309 */ |
308 */ |
310 sel.setCertificateValid(date); |
309 sel.setCertificateValid(buildParams.date()); |
311 |
310 |
312 /* |
311 /* |
313 * Require CA certs with a pathLenConstraint that allows |
312 * Require CA certs with a pathLenConstraint that allows |
314 * at least as many CA certs that have already been traversed |
313 * at least as many CA certs that have already been traversed |
315 */ |
314 */ |
321 * certificate pairs. If maxPathLength has a value of -1, this |
320 * certificate pairs. If maxPathLength has a value of -1, this |
322 * means it is unconstrained, so we always look through the |
321 * means it is unconstrained, so we always look through the |
323 * certificate pairs. |
322 * certificate pairs. |
324 */ |
323 */ |
325 if (currentState.isInitial() || |
324 if (currentState.isInitial() || |
326 (buildParams.getMaxPathLength() == -1) || |
325 (buildParams.maxPathLength() == -1) || |
327 (buildParams.getMaxPathLength() > currentState.traversedCACerts)) |
326 (buildParams.maxPathLength() > currentState.traversedCACerts)) |
328 { |
327 { |
329 if (addMatchingCerts(sel, certStores, |
328 if (addMatchingCerts(sel, certStores, |
330 caCerts, searchAllCertStores) && !searchAllCertStores) { |
329 caCerts, searchAllCertStores) |
|
330 && !searchAllCertStores) { |
331 return; |
331 return; |
332 } |
332 } |
333 } |
333 } |
334 |
334 |
335 if (!currentState.isInitial() && Builder.USE_AIA) { |
335 if (!currentState.isInitial() && Builder.USE_AIA) { |
354 */ |
354 */ |
355 // cs.getCertificates(caSelector) returns a collection of X509Certificate's |
355 // cs.getCertificates(caSelector) returns a collection of X509Certificate's |
356 // because of the selector, so the cast is safe |
356 // because of the selector, so the cast is safe |
357 @SuppressWarnings("unchecked") |
357 @SuppressWarnings("unchecked") |
358 private boolean getCerts(AuthorityInfoAccessExtension aiaExt, |
358 private boolean getCerts(AuthorityInfoAccessExtension aiaExt, |
359 Collection<X509Certificate> certs) { |
359 Collection<X509Certificate> certs) |
|
360 { |
360 if (Builder.USE_AIA == false) { |
361 if (Builder.USE_AIA == false) { |
361 return false; |
362 return false; |
362 } |
363 } |
363 List<AccessDescription> adList = aiaExt.getAccessDescriptions(); |
364 List<AccessDescription> adList = aiaExt.getAccessDescriptions(); |
364 if (adList == null || adList.isEmpty()) { |
365 if (adList == null || adList.isEmpty()) { |
447 * certs are equal so that this comparator behaves |
448 * certs are equal so that this comparator behaves |
448 * correctly when used in a SortedSet. |
449 * correctly when used in a SortedSet. |
449 * @throws ClassCastException if either argument is not of type |
450 * @throws ClassCastException if either argument is not of type |
450 * X509Certificate |
451 * X509Certificate |
451 */ |
452 */ |
|
453 @Override |
452 public int compare(X509Certificate oCert1, X509Certificate oCert2) { |
454 public int compare(X509Certificate oCert1, X509Certificate oCert2) { |
453 |
455 |
454 // if certs are the same, return 0 |
456 // if certs are the same, return 0 |
455 if (oCert1.equals(oCert2)) return 0; |
457 if (oCert1.equals(oCert2)) return 0; |
456 |
458 |
649 * |
651 * |
650 * @param cert the certificate to be verified |
652 * @param cert the certificate to be verified |
651 * @param currentState the current state against which the cert is verified |
653 * @param currentState the current state against which the cert is verified |
652 * @param certPathList the certPathList generated thus far |
654 * @param certPathList the certPathList generated thus far |
653 */ |
655 */ |
|
656 @Override |
654 void verifyCert(X509Certificate cert, State currentState, |
657 void verifyCert(X509Certificate cert, State currentState, |
655 List<X509Certificate> certPathList) throws GeneralSecurityException |
658 List<X509Certificate> certPathList) |
|
659 throws GeneralSecurityException |
656 { |
660 { |
657 if (debug != null) { |
661 if (debug != null) { |
658 debug.println("ForwardBuilder.verifyCert(SN: " |
662 debug.println("ForwardBuilder.verifyCert(SN: " |
659 + Debug.toHexString(cert.getSerialNumber()) |
663 + Debug.toHexString(cert.getSerialNumber()) |
660 + "\n Issuer: " + cert.getIssuerX500Principal() + ")" |
664 + "\n Issuer: " + cert.getIssuerX500Principal() + ")" |
681 } |
685 } |
682 if (debug != null) { |
686 if (debug != null) { |
683 debug.println("policyMappingFound = " + policyMappingFound); |
687 debug.println("policyMappingFound = " + policyMappingFound); |
684 } |
688 } |
685 if (cert.equals(cpListCert)) { |
689 if (cert.equals(cpListCert)) { |
686 if ((buildParams.isPolicyMappingInhibited()) || |
690 if ((buildParams.policyMappingInhibited()) || |
687 (!policyMappingFound)) { |
691 (!policyMappingFound)) { |
688 if (debug != null) { |
692 if (debug != null) { |
689 debug.println("loop detected!!"); |
693 debug.println("loop detected!!"); |
690 } |
694 } |
691 throw new CertPathValidatorException("loop detected"); |
695 throw new CertPathValidatorException("loop detected"); |
716 * Remove extensions from user checkers that don't support |
720 * Remove extensions from user checkers that don't support |
717 * forward checking. After this step, we will have removed |
721 * forward checking. After this step, we will have removed |
718 * all extensions that all user checkers are capable of |
722 * all extensions that all user checkers are capable of |
719 * processing. |
723 * processing. |
720 */ |
724 */ |
721 for (PKIXCertPathChecker checker : buildParams.getCertPathCheckers()) { |
725 for (PKIXCertPathChecker checker : buildParams.certPathCheckers()) { |
722 if (!checker.isForwardCheckingSupported()) { |
726 if (!checker.isForwardCheckingSupported()) { |
723 Set<String> supportedExts = checker.getSupportedExtensions(); |
727 Set<String> supportedExts = checker.getSupportedExtensions(); |
724 if (supportedExts != null) { |
728 if (supportedExts != null) { |
725 unresCritExts.removeAll(supportedExts); |
729 unresCritExts.removeAll(supportedExts); |
726 } |
730 } |
730 /* |
734 /* |
731 * Look at the remaining extensions and remove any ones we know how |
735 * Look at the remaining extensions and remove any ones we know how |
732 * to check. If there are any left, throw an exception! |
736 * to check. If there are any left, throw an exception! |
733 */ |
737 */ |
734 if (!unresCritExts.isEmpty()) { |
738 if (!unresCritExts.isEmpty()) { |
735 unresCritExts.remove( |
739 unresCritExts.remove(BasicConstraints_Id.toString()); |
736 PKIXExtensions.BasicConstraints_Id.toString()); |
740 unresCritExts.remove(NameConstraints_Id.toString()); |
737 unresCritExts.remove( |
741 unresCritExts.remove(CertificatePolicies_Id.toString()); |
738 PKIXExtensions.NameConstraints_Id.toString()); |
742 unresCritExts.remove(PolicyMappings_Id.toString()); |
739 unresCritExts.remove( |
743 unresCritExts.remove(PolicyConstraints_Id.toString()); |
740 PKIXExtensions.CertificatePolicies_Id.toString()); |
744 unresCritExts.remove(InhibitAnyPolicy_Id.toString()); |
741 unresCritExts.remove( |
745 unresCritExts.remove(SubjectAlternativeName_Id.toString()); |
742 PKIXExtensions.PolicyMappings_Id.toString()); |
746 unresCritExts.remove(KeyUsage_Id.toString()); |
743 unresCritExts.remove( |
747 unresCritExts.remove(ExtendedKeyUsage_Id.toString()); |
744 PKIXExtensions.PolicyConstraints_Id.toString()); |
|
745 unresCritExts.remove( |
|
746 PKIXExtensions.InhibitAnyPolicy_Id.toString()); |
|
747 unresCritExts.remove( |
|
748 PKIXExtensions.SubjectAlternativeName_Id.toString()); |
|
749 unresCritExts.remove(PKIXExtensions.KeyUsage_Id.toString()); |
|
750 unresCritExts.remove( |
|
751 PKIXExtensions.ExtendedKeyUsage_Id.toString()); |
|
752 |
748 |
753 if (!unresCritExts.isEmpty()) |
749 if (!unresCritExts.isEmpty()) |
754 throw new CertPathValidatorException |
750 throw new CertPathValidatorException |
755 ("Unrecognized critical extension(s)", null, null, -1, |
751 ("Unrecognized critical extension(s)", null, null, -1, |
756 PKIXReason.UNRECOGNIZED_CRIT_EXT); |
752 PKIXReason.UNRECOGNIZED_CRIT_EXT); |
784 * subjectDN, and publicKey from the cert |
780 * subjectDN, and publicKey from the cert |
785 * in order to verify a previous cert |
781 * in order to verify a previous cert |
786 */ |
782 */ |
787 |
783 |
788 /* |
784 /* |
789 * Check revocation for the previous cert |
|
790 */ |
|
791 if (buildParams.isRevocationEnabled()) { |
|
792 |
|
793 // first off, see if this cert can authorize revocation... |
|
794 if (CrlRevocationChecker.certCanSignCrl(cert)) { |
|
795 // And then check to be sure no key requiring key parameters |
|
796 // has been encountered |
|
797 if (!currState.keyParamsNeeded()) |
|
798 // If all that checks out, we can check the |
|
799 // revocation status of the cert. Otherwise, |
|
800 // we'll just wait until the end. |
|
801 currState.crlChecker.check(currState.cert, |
|
802 cert.getPublicKey(), |
|
803 true); |
|
804 } |
|
805 } |
|
806 |
|
807 /* |
|
808 * Check signature only if no key requiring key parameters has been |
785 * Check signature only if no key requiring key parameters has been |
809 * encountered. |
786 * encountered. |
810 */ |
787 */ |
811 if (!currState.keyParamsNeeded()) { |
788 if (!currState.keyParamsNeeded()) { |
812 (currState.cert).verify(cert.getPublicKey(), |
789 (currState.cert).verify(cert.getPublicKey(), |
813 buildParams.getSigProvider()); |
790 buildParams.sigProvider()); |
814 } |
791 } |
815 } |
792 } |
816 |
793 |
817 /** |
794 /** |
818 * Verifies whether the input certificate completes the path. |
795 * Verifies whether the input certificate completes the path. |
824 * of the trust anchors are valid for this cert. |
801 * of the trust anchors are valid for this cert. |
825 * |
802 * |
826 * @param cert the certificate to test |
803 * @param cert the certificate to test |
827 * @return a boolean value indicating whether the cert completes the path. |
804 * @return a boolean value indicating whether the cert completes the path. |
828 */ |
805 */ |
|
806 @Override |
829 boolean isPathCompleted(X509Certificate cert) { |
807 boolean isPathCompleted(X509Certificate cert) { |
830 for (TrustAnchor anchor : trustAnchors) { |
808 for (TrustAnchor anchor : trustAnchors) { |
831 if (anchor.getTrustedCert() != null) { |
809 if (anchor.getTrustedCert() != null) { |
832 if (cert.equals(anchor.getTrustedCert())) { |
810 if (cert.equals(anchor.getTrustedCert())) { |
833 this.trustAnchor = anchor; |
811 this.trustAnchor = anchor; |
835 } else { |
813 } else { |
836 continue; |
814 continue; |
837 } |
815 } |
838 } else { |
816 } else { |
839 X500Principal principal = anchor.getCA(); |
817 X500Principal principal = anchor.getCA(); |
840 java.security.PublicKey publicKey = anchor.getCAPublicKey(); |
818 PublicKey publicKey = anchor.getCAPublicKey(); |
841 |
819 |
842 if (principal != null && publicKey != null && |
820 if (principal != null && publicKey != null && |
843 principal.equals(cert.getSubjectX500Principal())) { |
821 principal.equals(cert.getSubjectX500Principal())) { |
844 if (publicKey.equals(cert.getPublicKey())) { |
822 if (publicKey.equals(cert.getPublicKey())) { |
845 // the cert itself is a trust anchor |
823 // the cert itself is a trust anchor |
854 !principal.equals(cert.getIssuerX500Principal())) { |
832 !principal.equals(cert.getIssuerX500Principal())) { |
855 continue; |
833 continue; |
856 } |
834 } |
857 } |
835 } |
858 |
836 |
859 /* Check revocation if it is enabled */ |
|
860 if (buildParams.isRevocationEnabled()) { |
|
861 try { |
|
862 CrlRevocationChecker crlChecker = new CrlRevocationChecker |
|
863 (anchor, buildParams, null, onlyEECert); |
|
864 crlChecker.check(cert, anchor.getCAPublicKey(), true); |
|
865 } catch (CertPathValidatorException cpve) { |
|
866 if (debug != null) { |
|
867 debug.println("ForwardBuilder.isPathCompleted() cpve"); |
|
868 cpve.printStackTrace(); |
|
869 } |
|
870 continue; |
|
871 } |
|
872 } |
|
873 |
|
874 /* |
837 /* |
875 * Check signature |
838 * Check signature |
876 */ |
839 */ |
877 try { |
840 try { |
878 // NOTE: the DSA public key in the buildParams may lack |
841 // NOTE: the DSA public key in the buildParams may lack |
879 // parameters, yet there is no key to inherit the parameters |
842 // parameters, yet there is no key to inherit the parameters |
880 // from. This is probably such a rare case that it is not worth |
843 // from. This is probably such a rare case that it is not worth |
881 // trying to detect the situation earlier. |
844 // trying to detect the situation earlier. |
882 cert.verify(anchor.getCAPublicKey(), |
845 cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider()); |
883 buildParams.getSigProvider()); |
|
884 } catch (InvalidKeyException ike) { |
846 } catch (InvalidKeyException ike) { |
885 if (debug != null) { |
847 if (debug != null) { |
886 debug.println("ForwardBuilder.isPathCompleted() invalid " |
848 debug.println("ForwardBuilder.isPathCompleted() invalid " |
887 + "DSA key found"); |
849 + "DSA key found"); |
888 } |
850 } |
889 continue; |
851 continue; |
890 } catch (Exception e){ |
852 } catch (GeneralSecurityException e){ |
891 if (debug != null) { |
853 if (debug != null) { |
892 debug.println("ForwardBuilder.isPathCompleted() " + |
854 debug.println("ForwardBuilder.isPathCompleted() " + |
893 "unexpected exception"); |
855 "unexpected exception"); |
894 e.printStackTrace(); |
856 e.printStackTrace(); |
895 } |
857 } |
896 continue; |
858 continue; |
897 } |
859 } |
898 |
860 |
906 /** Adds the certificate to the certPathList |
868 /** Adds the certificate to the certPathList |
907 * |
869 * |
908 * @param cert the certificate to be added |
870 * @param cert the certificate to be added |
909 * @param certPathList the certification path list |
871 * @param certPathList the certification path list |
910 */ |
872 */ |
|
873 @Override |
911 void addCertToPath(X509Certificate cert, |
874 void addCertToPath(X509Certificate cert, |
912 LinkedList<X509Certificate> certPathList) { |
875 LinkedList<X509Certificate> certPathList) |
|
876 { |
913 certPathList.addFirst(cert); |
877 certPathList.addFirst(cert); |
914 } |
878 } |
915 |
879 |
916 /** Removes final certificate from the certPathList |
880 /** Removes final certificate from the certPathList |
917 * |
881 * |
918 * @param certPathList the certification path list |
882 * @param certPathList the certification path list |
919 */ |
883 */ |
|
884 @Override |
920 void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) { |
885 void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) { |
921 certPathList.removeFirst(); |
886 certPathList.removeFirst(); |
922 } |
887 } |
923 } |
888 } |