1 /* |
1 /* |
2 * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
130 |
130 |
131 static EndEntityChecker getInstance(String type, String variant) { |
131 static EndEntityChecker getInstance(String type, String variant) { |
132 return new EndEntityChecker(type, variant); |
132 return new EndEntityChecker(type, variant); |
133 } |
133 } |
134 |
134 |
135 void check(X509Certificate cert, Object parameter, |
135 void check(X509Certificate[] chain, Object parameter, |
136 boolean checkUnresolvedCritExts, X509Certificate anchor) |
136 boolean checkUnresolvedCritExts) throws CertificateException { |
137 throws CertificateException { |
|
138 |
137 |
139 if (variant.equals(Validator.VAR_GENERIC)) { |
138 if (variant.equals(Validator.VAR_GENERIC)) { |
140 return; // no checks |
139 return; // no checks |
141 } |
140 } |
142 |
141 |
143 Set<String> exts = getCriticalExtensions(cert); |
142 Set<String> exts = getCriticalExtensions(chain[0]); |
144 if (variant.equals(Validator.VAR_TLS_SERVER)) { |
143 if (variant.equals(Validator.VAR_TLS_SERVER)) { |
145 checkTLSServer(cert, (String)parameter, exts); |
144 checkTLSServer(chain[0], (String)parameter, exts); |
146 } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { |
145 } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { |
147 checkTLSClient(cert, exts); |
146 checkTLSClient(chain[0], exts); |
148 } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { |
147 } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { |
149 checkCodeSigning(cert, exts); |
148 checkCodeSigning(chain[0], exts); |
150 } else if (variant.equals(Validator.VAR_JCE_SIGNING)) { |
149 } else if (variant.equals(Validator.VAR_JCE_SIGNING)) { |
151 checkCodeSigning(cert, exts); |
150 checkCodeSigning(chain[0], exts); |
152 } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) { |
151 } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) { |
153 checkCodeSigning(cert, exts); |
152 checkCodeSigning(chain[0], exts); |
154 } else if (variant.equals(Validator.VAR_TSA_SERVER)) { |
153 } else if (variant.equals(Validator.VAR_TSA_SERVER)) { |
155 checkTSAServer(cert, exts); |
154 checkTSAServer(chain[0], exts); |
156 } else { |
155 } else { |
157 throw new CertificateException("Unknown variant: " + variant); |
156 throw new CertificateException("Unknown variant: " + variant); |
158 } |
157 } |
159 |
158 |
160 // if neither VAR_GENERIC variant nor unknown variant |
159 // if neither VAR_GENERIC variant nor unknown variant |
163 } |
162 } |
164 |
163 |
165 // check if certificate should be distrusted according to policies |
164 // check if certificate should be distrusted according to policies |
166 // set in the jdk.security.caDistrustPolicies security property |
165 // set in the jdk.security.caDistrustPolicies security property |
167 for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) { |
166 for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) { |
168 policy.checkDistrust(variant, anchor, cert); |
167 policy.checkDistrust(variant, chain); |
169 } |
168 } |
170 } |
169 } |
171 |
170 |
172 /** |
171 /** |
173 * Utility method returning the Set of critical extensions for |
172 * Utility method returning the Set of critical extensions for |