37 import java.security.cert.Certificate; |
37 import java.security.cert.Certificate; |
38 |
38 |
39 import javax.net.ssl.*; |
39 import javax.net.ssl.*; |
40 |
40 |
41 import sun.security.provider.certpath.AlgorithmChecker; |
41 import sun.security.provider.certpath.AlgorithmChecker; |
|
42 import sun.security.validator.Validator; |
42 |
43 |
43 /** |
44 /** |
44 * The new X509 key manager implementation. The main differences to the |
45 * The new X509 key manager implementation. The main differences to the |
45 * old SunX509 key manager are: |
46 * old SunX509 key manager are: |
46 * . it is based around the KeyStore.Builder API. This allows it to use |
47 * . it is based around the KeyStore.Builder API. This allows it to use |
659 } |
660 } |
660 } |
661 } |
661 |
662 |
662 return CheckResult.OK; |
663 return CheckResult.OK; |
663 } |
664 } |
|
665 |
|
666 public String getValidator() { |
|
667 if (this == CLIENT) { |
|
668 return Validator.VAR_TLS_CLIENT; |
|
669 } else if (this == SERVER) { |
|
670 return Validator.VAR_TLS_SERVER; |
|
671 } |
|
672 return Validator.VAR_GENERIC; |
|
673 } |
664 } |
674 } |
665 |
675 |
666 // enum for the result of the extension check |
676 // enum for the result of the extension check |
667 // NOTE: the order of the constants is important as they are used |
677 // NOTE: the order of the constants is important as they are used |
668 // for sorting, i.e. OK is best, followed by EXPIRED and EXTENSION_MISMATCH |
678 // for sorting, i.e. OK is best, followed by EXPIRED and EXTENSION_MISMATCH |
772 } |
782 } |
773 } |
783 } |
774 |
784 |
775 // check the algorithm constraints |
785 // check the algorithm constraints |
776 if (constraints != null && |
786 if (constraints != null && |
777 !conformsToAlgorithmConstraints(constraints, chain)) { |
787 !conformsToAlgorithmConstraints(constraints, chain, |
|
788 checkType.getValidator())) { |
778 |
789 |
779 if (useDebug) { |
790 if (useDebug) { |
780 debug.println("Ignoring alias " + alias + |
791 debug.println("Ignoring alias " + alias + |
781 ": certificate list does not conform to " + |
792 ": certificate list does not conform to " + |
782 "algorithm constraints"); |
793 "algorithm constraints"); |
809 } |
820 } |
810 return results; |
821 return results; |
811 } |
822 } |
812 |
823 |
813 private static boolean conformsToAlgorithmConstraints( |
824 private static boolean conformsToAlgorithmConstraints( |
814 AlgorithmConstraints constraints, Certificate[] chain) { |
825 AlgorithmConstraints constraints, Certificate[] chain, |
815 |
826 String variant) { |
816 AlgorithmChecker checker = new AlgorithmChecker(constraints); |
827 |
|
828 AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant); |
817 try { |
829 try { |
818 checker.init(false); |
830 checker.init(false); |
819 } catch (CertPathValidatorException cpve) { |
831 } catch (CertPathValidatorException cpve) { |
820 // unlikely to happen |
832 // unlikely to happen |
821 if (useDebug) { |
833 if (useDebug) { |