author | juh |
Tue, 03 Mar 2015 14:16:49 -0800 | |
changeset 29264 | 5172066a2da6 |
parent 26967 | c182469301ee |
child 29973 | 188affdeeed2 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.provider.certpath; |
|
27 |
||
28 |
import java.io.IOException; |
|
29 |
import java.security.GeneralSecurityException; |
|
30 |
import java.security.InvalidAlgorithmParameterException; |
|
31 |
import java.security.PublicKey; |
|
import java.security.cert.*; |
import java.security.cert.CertPathValidatorException.BasicReason; |
import java.security.cert.PKIXReason; |
2 | 35 |
import java.util.ArrayList; |
36 |
import java.util.Collection; |
|
37 |
import java.util.Collections; |
|
38 |
import java.util.HashSet; |
|
39 |
import java.util.Iterator; |
|
40 |
import java.util.List; |
|
41 |
import java.util.LinkedList; |
|
42 |
import java.util.Set; |
|
43 |
import javax.security.auth.x500.X500Principal; |
|
44 |
||
import sun.security.provider.certpath.PKIX.BuilderParams; |
import static sun.security.x509.PKIXExtensions.*; |
2 | 47 |
import sun.security.util.Debug; |
48 |
||
49 |
/** |
|
50 |
* This class is able to build certification paths in either the forward |
|
51 |
* or reverse directions. |
|
52 |
* |
|
* <p> If successful, it returns a certification path which has successfully |
2 | 54 |
* satisfied all the constraints and requirements specified in the |
55 |
* PKIXBuilderParameters object and has been validated according to the PKIX |
|
* path validation algorithm defined in RFC 5280. |
2 | 57 |
* |
58 |
* <p> This implementation uses a depth-first search approach to finding |
|
59 |
* certification paths. If it comes to a point in which it cannot find |
|
60 |
* any more certificates leading to the target OR the path length is too long |
|
61 |
* it backtracks to previous paths until the target has been found or |
|
62 |
* all possible paths have been exhausted. |
|
63 |
* |
|
64 |
* <p> This implementation is not thread-safe. |
|
65 |
* |
|
66 |
* @since 1.4 |
|
67 |
* @author Sean Mullan |
|
68 |
* @author Yassir Elley |
|
69 |
*/ |
|
70 |
public final class SunCertPathBuilder extends CertPathBuilderSpi { |
|
71 |
||
72 |
// Trace sink obtained for the "certpath" debug option. Every use in this
// class is guarded by a null check before anything is printed.
private static final Debug debug = Debug.getInstance("certpath");

/*
 * private objects shared by methods
 *
 * All of these are per-instance, mutable and reset at the start of each
 * buildCertPath() attempt, which is why one instance cannot serve two
 * builds at the same time (the class is documented as not thread-safe).
 */
// Parameters of the build in progress; assigned in engineBuild() from
// PKIX.checkBuilderParams(params).
private BuilderParams buildParams;
// X.509 certificate factory created in the constructor and used to turn
// certificate lists into CertPath objects.
private CertificateFactory cf;
// Set to true once a search has completed a path; buildCertPath() returns
// a result only when this is true.
private boolean pathCompleted = false;
// Policy tree handed to the SunCertPathBuilderResult; cleared to null at
// the start of each attempt.
private PolicyNode policyTreeResult;
// Trust anchor that terminates the completed path.
private TrustAnchor trustAnchor;
// Public key reported in the result for the completed path.
private PublicKey finalPublicKey;
|
83 |
||
84 |
/** |
|
85 |
* Create an instance of <code>SunCertPathBuilder</code>. |
|
86 |
* |
|
87 |
* @throws CertPathBuilderException if an error occurs |
|
88 |
*/ |
|
89 |
public SunCertPathBuilder() throws CertPathBuilderException {
    final CertificateFactory x509Factory;
    try {
        x509Factory = CertificateFactory.getInstance("X.509");
    } catch (CertificateException cause) {
        // Surface the provider failure as the exception type this SPI
        // constructor declares, keeping the original as the cause.
        throw new CertPathBuilderException(cause);
    }
    // Kept for the lifetime of the builder; used later to generate the
    // CertPath objects that are validated and returned.
    this.cf = x509Factory;
}
|
/**
 * Returns a new revocation checker created with the no-argument
 * {@code RevocationChecker} constructor.
 *
 * <p>The forward search in this class looks through the caller's
 * certPathCheckers: a {@code RevocationChecker} found there is initialised
 * with the trust anchor and build parameters, and a second
 * {@code PKIXRevocationChecker} in the same list is rejected with a
 * {@code CertPathValidatorException}.
 *
 * @return a fresh checker instance; a new object is created on every call
 */
@Override
public CertPathChecker engineGetRevocationChecker() {
    CertPathChecker revocationChecker = new RevocationChecker();
    return revocationChecker;
}
101 |
||
102 |
/** |
|
103 |
* Attempts to build a certification path using the Sun build |
|
104 |
* algorithm from a trusted anchor(s) to a target subject, which must both |
|
105 |
* be specified in the input parameter set. By default, this method will |
|
106 |
* attempt to build in the forward direction. In order to build in the |
|
107 |
* reverse direction, the caller needs to pass in an instance of |
|
108 |
* SunCertPathBuilderParameters with the buildForward flag set to false. |
|
109 |
* |
|
110 |
* <p>The certification path that is constructed is validated |
|
111 |
* according to the PKIX specification. |
|
112 |
* |
|
113 |
* @param params the parameter set for building a path. Must be an instance |
|
114 |
* of <code>PKIXBuilderParameters</code>. |
|
115 |
* @return a certification path builder result. |
|
116 |
* @exception CertPathBuilderException Exception thrown if builder is |
|
117 |
* unable to build a complete certification path from the trusted anchor(s) |
|
118 |
* to the target subject. |
|
119 |
* @throws InvalidAlgorithmParameterException if the given parameters are |
|
120 |
* inappropriate for this certification path builder. |
|
121 |
*/ |
|
@Override
public CertPathBuilderResult engineBuild(CertPathParameters params)
    throws CertPathBuilderException, InvalidAlgorithmParameterException {

    // The trace line is written before the parameters are validated, so
    // with certpath debugging on it shows whatever the caller passed in.
    if (debug != null) {
        String trace = "SunCertPathBuilder.engineBuild(" + params + ")";
        debug.println(trace);
    }

    // Validation happens here; the checked parameters are stored in an
    // instance field that the rest of the build reads, so a second
    // concurrent call on the same instance would overwrite them.
    this.buildParams = PKIX.checkBuilderParams(params);

    PKIXCertPathBuilderResult built = build();
    return built;
}
2 | 133 |
|
/**
 * Runs the path search in up to two passes over the stored build
 * parameters.
 *
 * <p>The first pass calls {@code buildCertPath(false, ...)}. If that finds
 * no path, the adjacency list is emptied and a second pass is made with
 * the flag set to true, which the trace message describes as searching
 * all certstores.
 *
 * @return the result of the first pass that completes a path; never null
 * @throws CertPathBuilderException if neither pass finds a path (a
 *         SunCertPathBuilderException carrying the adjacency list of the
 *         second pass), or if a pass itself fails
 */
private PKIXCertPathBuilderResult build() throws CertPathBuilderException {
    List<List<Vertex>> adjList = new ArrayList<>();

    PKIXCertPathBuilderResult firstPass = buildCertPath(false, adjList);
    if (firstPass != null) {
        return firstPass;
    }

    if (debug != null) {
        debug.println("SunCertPathBuilder.engineBuild: 2nd pass; " +
            "try building again searching all certstores");
    }

    // Drop what the first pass recorded so that a failure report only
    // describes the second, wider search.
    adjList.clear();
    PKIXCertPathBuilderResult secondPass = buildCertPath(true, adjList);
    if (secondPass == null) {
        throw new SunCertPathBuilderException("unable to find valid "
            + "certification path to requested target",
            new AdjacencyList(adjList));
    }
    return secondPass;
}
|
153 |
||
/**
 * Makes one attempt at building a path, forward or reverse depending on
 * {@code buildParams.buildForward()}.
 *
 * @param searchAllCertStores passed through to the forward build; the
 *        reverse build does not receive it
 * @param adjList adjacency list filled in by the search; a snapshot of it
 *        is attached to the result and to every exception thrown here
 * @return the builder result when a path was completed, or null when the
 *         search ended without completing one
 * @throws CertPathBuilderException (as SunCertPathBuilderException) if the
 *         search or the final CertPath generation throws
 */
private PKIXCertPathBuilderResult buildCertPath(boolean searchAllCertStores,
                                                List<List<Vertex>> adjList)
    throws CertPathBuilderException
{
    // Start every attempt from a clean slate: build() may call this
    // method twice on the same instance.
    policyTreeResult = null;
    finalPublicKey = null;
    trustAnchor = null;
    pathCompleted = false;

    LinkedList<X509Certificate> certPathList = new LinkedList<>();
    try {
        boolean forward = buildParams.buildForward();
        if (!forward) {
            buildReverse(adjList, certPathList);
        } else {
            buildForward(adjList, certPathList, searchAllCertStores);
        }
    } catch (GeneralSecurityException | IOException searchFailure) {
        // The stack trace is only printed when certpath debugging is on.
        // Callers always get the same generic message; the specifics
        // travel as the cause and in the adjacency list.
        if (debug != null) {
            debug.println("SunCertPathBuilder.engineBuild() exception in "
                + "build");
            searchFailure.printStackTrace();
        }
        throw new SunCertPathBuilderException("unable to find valid "
            + "certification path to requested target", searchFailure,
            new AdjacencyList(adjList));
    }

    if (!pathCompleted) {
        // No path this time; null lets build() decide whether to retry.
        return null;
    }

    if (debug != null) {
        debug.println("SunCertPathBuilder.engineBuild() "
            + "pathCompleted");
    }

    // The returned certpath must have the target as its first
    // certificate, so the collected list is reversed before use.
    Collections.reverse(certPathList);

    try {
        CertPath completedPath = cf.generateCertPath(certPathList);
        return new SunCertPathBuilderResult(
            completedPath, trustAnchor,
            policyTreeResult, finalPublicKey,
            new AdjacencyList(adjList));
    } catch (CertificateException wrapUpFailure) {
        if (debug != null) {
            debug.println("SunCertPathBuilder.engineBuild() exception "
                + "in wrap-up");
            wrapUpFailure.printStackTrace();
        }
        throw new SunCertPathBuilderException("unable to find valid "
            + "certification path to requested target", wrapUpFailure,
            new AdjacencyList(adjList));
    }
}
|
211 |
||
212 |
/* |
|
213 |
* Private build reverse method. |
|
214 |
*/ |
|
215 |
/**
 * Searches from each configured trust anchor in turn until one of them
 * yields a completed path.
 *
 * <p>On success the instance fields {@code pathCompleted},
 * {@code trustAnchor} and {@code finalPublicKey} describe the result; on
 * an unsuccessful search the method simply returns with
 * {@code pathCompleted} still false.
 *
 * @param adjacencyList cleared and re-seeded here, then filled by the
 *        depth-first search
 * @param certPathList receives the certificates of the path being built
 * @throws GeneralSecurityException if the search from the last anchor
 *         in iteration order fails
 * @throws IOException if the search from the last anchor in iteration
 *         order fails
 */
private void buildReverse(List<List<Vertex>> adjacencyList,
                          LinkedList<X509Certificate> certPathList)
    throws GeneralSecurityException, IOException
{
    if (debug != null) {
        debug.println("SunCertPathBuilder.buildReverse()...");
        debug.println("SunCertPathBuilder.buildReverse() InitialPolicies: "
            + buildParams.initialPolicies());
    }

    ReverseState currentState = new ReverseState();

    // The adjacency list starts over with a single empty level.
    adjacencyList.clear();
    List<Vertex> rootLevel = new LinkedList<>();
    adjacencyList.add(rootLevel);

    // An explicit iterator is needed because the error handling below
    // asks whether any anchors are left to try.
    for (Iterator<TrustAnchor> iter = buildParams.trustAnchors().iterator();
            iter.hasNext(); ) {
        TrustAnchor anchor = iter.next();

        // An anchor that itself satisfies the target constraints ends the
        // search at once.
        if (anchorIsTarget(anchor, buildParams.targetCertConstraints())) {
            this.trustAnchor = anchor;
            this.pathCompleted = true;
            // NOTE(review): this dereference assumes anchorIsTarget()
            // only accepts anchors that carry a trusted certificate;
            // that helper is not shown here - confirm.
            this.finalPublicKey = anchor.getTrustedCert().getPublicKey();
            break;
        }

        // An anchor may be given as a certificate or as a bare CA key.
        X509Certificate trustedCert = anchor.getTrustedCert();
        PublicKey pubKey;
        if (trustedCert == null) {
            pubKey = anchor.getCAPublicKey();
        } else {
            pubKey = trustedCert.getPublicKey();
        }

        // Anchors whose DSA key has no DSA params are skipped.
        if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
            continue;
        }

        // The one state object is re-initialised for every anchor.
        currentState.initState(buildParams);
        currentState.updateState(anchor, buildParams);
        currentState.algorithmChecker = new AlgorithmChecker(anchor);
        currentState.untrustedChecker = new UntrustedChecker();

        try {
            depthFirstSearchReverse(null, currentState,
                                    new ReverseBuilder(buildParams),
                                    adjacencyList, certPathList);
        } catch (GeneralSecurityException | IOException e) {
            // Only the failure for the last anchor reaches the caller.
            // NOTE(review): failures for earlier anchors are dropped here
            // without a trace line, even with certpath debugging on.
            if (!iter.hasNext()) {
                throw e;
            }
            continue;
        }

        if (pathCompleted) {
            break;
        }
    }

    if (debug != null) {
        debug.println("SunCertPathBuilder.buildReverse() returned from "
            + "depthFirstSearchReverse()");
        debug.println("SunCertPathBuilder.buildReverse() "
            + "certPathList.size: " + certPathList.size());
    }
}
|
286 |
||
287 |
/* |
|
288 |
* Private build forward method. |
|
289 |
*/ |
|
290 |
/**
 * Starts a forward depth-first search at the target subject taken from
 * the build parameters.
 *
 * @param adjacencyList cleared and re-seeded here, then filled by the
 *        depth-first search
 * @param certPathList receives the certificates of the path being built
 * @param searchAllCertStores handed to the ForwardBuilder constructor
 * @throws GeneralSecurityException propagated from state initialisation
 *         or the search
 * @throws IOException propagated from state initialisation or the search
 */
private void buildForward(List<List<Vertex>> adjacencyList,
                          LinkedList<X509Certificate> certPathList,
                          boolean searchAllCertStores)
    throws GeneralSecurityException, IOException
{
    if (debug != null) {
        debug.println("SunCertPathBuilder.buildForward()...");
    }

    // The state is initialised before the adjacency list is touched, so a
    // failure here leaves the caller's list as it was.
    ForwardState currentState = new ForwardState();
    currentState.initState(buildParams.certPathCheckers());

    // The adjacency list starts over with a single empty level.
    adjacencyList.clear();
    List<Vertex> rootLevel = new LinkedList<>();
    adjacencyList.add(rootLevel);

    currentState.untrustedChecker = new UntrustedChecker();

    X500Principal target = buildParams.targetSubject();
    ForwardBuilder forwardBuilder =
        new ForwardBuilder(buildParams, searchAllCertStores);
    depthFirstSearchForward(target, currentState, forwardBuilder,
                            adjacencyList, certPathList);
}
314 |
||
315 |
/* |
|
316 |
* This method performs a depth first search for a certification |
|
317 |
* path while building forward which meets the requirements set in |
|
318 |
* the parameters object. |
|
319 |
* It uses an adjacency list to store all certificates which were |
|
320 |
* tried (i.e. at one time added to the path - they may not end up in |
|
321 |
* the final path if backtracking occurs). This information can |
|
322 |
* be used later to debug or demo the build. |
|
323 |
* |
|
324 |
* See "Data Structure and Algorithms, by Aho, Hopcroft, and Ullman" |
|
325 |
* for an explanation of the DFS algorithm. |
|
326 |
* |
|
327 |
* @param dN the distinguished name being currently searched for certs |
|
328 |
* @param currentState the current PKIX validation state |
|
329 |
*/ |
|
private void depthFirstSearchForward(X500Principal dN, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
331 |
ForwardState currentState, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
332 |
ForwardBuilder builder, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
333 |
List<List<Vertex>> adjList, |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
334 |
LinkedList<X509Certificate> cpList) |
2 | 335 |
throws GeneralSecurityException, IOException |
336 |
{ |
|
337 |
if (debug != null) { |
|
338 |
debug.println("SunCertPathBuilder.depthFirstSearchForward(" + dN |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
339 |
+ ", " + currentState.toString() + ")"); |
2 | 340 |
} |
341 |
||
342 |
/* |
|
343 |
* Find all the certificates issued to dN which |
|
344 |
* satisfy the PKIX certification path constraints. |
|
345 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
346 |
Collection<X509Certificate> certs = |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
347 |
builder.getMatchingCerts(currentState, buildParams.certStores()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
348 |
List<Vertex> vertices = addVertices(certs, adjList); |
2 | 349 |
if (debug != null) { |
350 |
debug.println("SunCertPathBuilder.depthFirstSearchForward(): " |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
351 |
+ "certs.size=" + vertices.size()); |
2 | 352 |
} |
353 |
||
354 |
/* |
|
355 |
* For each cert in the collection, verify anything |
|
356 |
* that hasn't been checked yet (signature, revocation, etc) |
|
357 |
* and check for loops. Call depthFirstSearchForward() |
|
358 |
* recursively for each good cert. |
|
359 |
*/ |
|
360 |
||
361 |
vertices: |
|
362 |
for (Vertex vertex : vertices) { |
|
363 |
/** |
|
364 |
* Restore state to currentState each time through the loop. |
|
365 |
* This is important because some of the user-defined |
|
366 |
* checkers modify the state, which MUST be restored if |
|
367 |
* the cert eventually fails to lead to the target and |
|
368 |
* the next matching cert is tried. |
|
369 |
*/ |
|
370 |
ForwardState nextState = (ForwardState) currentState.clone(); |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
371 |
X509Certificate cert = vertex.getCertificate(); |
2 | 372 |
|
373 |
try { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
374 |
builder.verifyCert(cert, nextState, cpList); |
2 | 375 |
} catch (GeneralSecurityException gse) { |
376 |
if (debug != null) { |
|
377 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
378 |
+ ": validation failed: " + gse); |
2 | 379 |
gse.printStackTrace(); |
380 |
} |
|
381 |
vertex.setThrowable(gse); |
|
382 |
continue; |
|
383 |
} |
|
384 |
||
385 |
/* |
|
386 |
* Certificate is good. |
|
387 |
* If cert completes the path, |
|
388 |
* process userCheckers that don't support forward checking |
|
389 |
* and process policies over whole path |
|
390 |
* and backtrack appropriately if there is a failure |
|
391 |
* else if cert does not complete the path, |
|
392 |
* add it to the path |
|
393 |
*/ |
|
394 |
if (builder.isPathCompleted(cert)) { |
|
395 |
||
396 |
if (debug != null) |
|
397 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
398 |
+ ": commencing final verification"); |
2 | 399 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
400 |
List<X509Certificate> appendedCerts = new ArrayList<>(cpList); |
2 | 401 |
|
402 |
/* |
|
403 |
* if the trust anchor selected is specified as a trusted |
|
404 |
* public key rather than a trusted cert, then verify this |
|
405 |
* cert (which is signed by the trusted public key), but |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
406 |
* don't add it yet to the cpList |
2 | 407 |
*/ |
408 |
if (builder.trustAnchor.getTrustedCert() == null) { |
|
409 |
appendedCerts.add(0, cert); |
|
410 |
} |
|
411 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
412 |
Set<String> initExpPolSet = |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
413 |
Collections.singleton(PolicyChecker.ANY_POLICY); |
2 | 414 |
|
415 |
PolicyNodeImpl rootNode = new PolicyNodeImpl(null, |
|
416 |
PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); |
|
417 |
||
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
418 |
List<PKIXCertPathChecker> checkers = new ArrayList<>(); |
2 | 419 |
PolicyChecker policyChecker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
420 |
= new PolicyChecker(buildParams.initialPolicies(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
421 |
appendedCerts.size(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
422 |
buildParams.explicitPolicyRequired(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
423 |
buildParams.policyMappingInhibited(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
424 |
buildParams.anyPolicyInhibited(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
425 |
buildParams.policyQualifiersRejected(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
426 |
rootNode); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
427 |
checkers.add(policyChecker); |
2 | 428 |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
429 |
// add the algorithm checker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
430 |
checkers.add(new AlgorithmChecker(builder.trustAnchor)); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
431 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
432 |
BasicChecker basicChecker = null; |
2 | 433 |
if (nextState.keyParamsNeeded()) { |
434 |
PublicKey rootKey = cert.getPublicKey(); |
|
435 |
if (builder.trustAnchor.getTrustedCert() == null) { |
|
436 |
rootKey = builder.trustAnchor.getCAPublicKey(); |
|
437 |
if (debug != null) |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
438 |
debug.println( |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
439 |
"SunCertPathBuilder.depthFirstSearchForward " + |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
440 |
"using buildParams public key: " + |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
441 |
rootKey.toString()); |
2 | 442 |
} |
443 |
TrustAnchor anchor = new TrustAnchor |
|
444 |
(cert.getSubjectX500Principal(), rootKey, null); |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
445 |
|
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
446 |
// add the basic checker |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
447 |
basicChecker = new BasicChecker(anchor, buildParams.date(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
448 |
buildParams.sigProvider(), |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
449 |
true); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
450 |
checkers.add(basicChecker); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
451 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
452 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
453 |
buildParams.setCertPath(cf.generateCertPath(appendedCerts)); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
454 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
455 |
boolean revCheckerAdded = false; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
456 |
List<PKIXCertPathChecker> ckrs = buildParams.certPathCheckers(); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
457 |
for (PKIXCertPathChecker ckr : ckrs) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
458 |
if (ckr instanceof PKIXRevocationChecker) { |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
459 |
if (revCheckerAdded) { |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
460 |
throw new CertPathValidatorException( |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
461 |
"Only one PKIXRevocationChecker can be specified"); |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
13806
diff
changeset
|
462 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
463 |
revCheckerAdded = true; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
7040
diff
changeset
|
464 |
// if it's our own, initialize it |
if (ckr instanceof RevocationChecker) { |
((RevocationChecker)ckr).init(builder.trustAnchor, |
buildParams); |
} |
2 | 469 |
} |
470 |
} |
|
// only add a RevocationChecker if revocation is enabled and |
// a PKIXRevocationChecker has not already been added |
if (buildParams.revocationEnabled() && !revCheckerAdded) { |
checkers.add(new RevocationChecker(builder.trustAnchor, |
buildParams)); |
} |
|
checkers.addAll(ckrs); |
|
// Why we don't need BasicChecker and RevocationChecker |
// if nextState.keyParamsNeeded() is false? |
2 | 482 |
|
for (int i = 0; i < appendedCerts.size(); i++) { |
2 | 484 |
X509Certificate currCert = appendedCerts.get(i); |
485 |
if (debug != null) |
|
486 |
debug.println("current subject = " |
|
487 |
+ currCert.getSubjectX500Principal()); |
|
488 |
Set<String> unresCritExts = |
|
489 |
currCert.getCriticalExtensionOIDs(); |
|
490 |
if (unresCritExts == null) { |
|
491 |
unresCritExts = Collections.<String>emptySet(); |
|
492 |
} |
|
493 |
||
for (PKIXCertPathChecker currChecker : checkers) { |
if (!currChecker.isForwardCheckingSupported()) { |
2 | 496 |
if (i == 0) { |
497 |
currChecker.init(false); |
|
|
// The user specified |
// AlgorithmChecker may not be |
// able to set the trust anchor until now. |
if (currChecker instanceof AlgorithmChecker) { |
((AlgorithmChecker)currChecker). |
trySetTrustAnchor(builder.trustAnchor); |
} |
2 | 506 |
} |
507 |
||
508 |
try { |
|
509 |
currChecker.check(currCert, unresCritExts); |
|
510 |
} catch (CertPathValidatorException cpve) { |
|
511 |
if (debug != null) |
|
512 |
debug.println |
|
513 |
("SunCertPathBuilder.depthFirstSearchForward(): " + |
|
514 |
"final verification failed: " + cpve); |
|
// If the target cert itself is revoked, we |
// cannot trust it. We can bail out here. |
if (buildParams.targetCertConstraints().match(currCert) |
&& cpve.getReason() == BasicReason.REVOKED) { |
throw cpve; |
} |
2 | 521 |
vertex.setThrowable(cpve); |
522 |
continue vertices; |
|
523 |
} |
|
524 |
} |
|
525 |
} |
|
526 |
||
527 |
/* |
|
528 |
* Remove extensions from user checkers that support |
|
529 |
* forward checking. After this step, we will have |
|
530 |
* removed all extensions that all user checkers |
|
531 |
* are capable of processing. |
|
532 |
*/ |
|
533 |
for (PKIXCertPathChecker checker : |
|
buildParams.certPathCheckers()) |
2 | 535 |
{ |
536 |
if (checker.isForwardCheckingSupported()) { |
|
537 |
Set<String> suppExts = |
|
538 |
checker.getSupportedExtensions(); |
|
539 |
if (suppExts != null) { |
|
540 |
unresCritExts.removeAll(suppExts); |
|
541 |
} |
|
542 |
} |
|
543 |
} |
|
544 |
||
545 |
if (!unresCritExts.isEmpty()) { |
|
unresCritExts.remove(BasicConstraints_Id.toString()); |
unresCritExts.remove(NameConstraints_Id.toString()); |
unresCritExts.remove(CertificatePolicies_Id.toString()); |
unresCritExts.remove(PolicyMappings_Id.toString()); |
unresCritExts.remove(PolicyConstraints_Id.toString()); |
unresCritExts.remove(InhibitAnyPolicy_Id.toString()); |
unresCritExts.remove( |
2 | 553 |
SubjectAlternativeName_Id.toString()); |
unresCritExts.remove(KeyUsage_Id.toString()); |
unresCritExts.remove(ExtendedKeyUsage_Id.toString()); |
2 | 556 |
|
557 |
if (!unresCritExts.isEmpty()) { |
|
throw new CertPathValidatorException |
("unrecognized critical extension(s)", null, |
null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT); |
2 | 561 |
} |
562 |
} |
|
563 |
} |
|
564 |
if (debug != null) |
|
565 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
566 |
+ ": final verification succeeded - path completed!"); |
|
567 |
pathCompleted = true; |
|
568 |
||
569 |
/* |
|
570 |
* if the user specified a trusted public key rather than |
|
571 |
* trusted certs, then add this cert (which is signed by |
|
* the trusted public key) to the cpList |
2 | 573 |
*/ |
574 |
if (builder.trustAnchor.getTrustedCert() == null) |
|
builder.addCertToPath(cert, cpList); |
2 | 576 |
// Save the trust anchor |
577 |
this.trustAnchor = builder.trustAnchor; |
|
578 |
||
579 |
/* |
|
580 |
* Extract and save the final target public key |
|
581 |
*/ |
|
582 |
if (basicChecker != null) { |
|
583 |
finalPublicKey = basicChecker.getPublicKey(); |
|
584 |
} else { |
|
585 |
Certificate finalCert; |
|
if (cpList.isEmpty()) { |
2 | 587 |
finalCert = builder.trustAnchor.getTrustedCert(); |
588 |
} else { |
|
finalCert = cpList.getLast(); |
2 | 590 |
} |
591 |
finalPublicKey = finalCert.getPublicKey(); |
|
592 |
} |
|
593 |
||
594 |
policyTreeResult = policyChecker.getPolicyTree(); |
|
595 |
return; |
|
596 |
} else { |
|
builder.addCertToPath(cert, cpList); |
2 | 598 |
} |
599 |
||
600 |
/* Update the PKIX state */ |
|
601 |
nextState.updateState(cert); |
|
602 |
||
603 |
/* |
|
604 |
* Append an entry for cert in adjacency list and |
|
605 |
* set index for current vertex. |
|
606 |
*/ |
|
607 |
adjList.add(new LinkedList<Vertex>()); |
|
608 |
vertex.setIndex(adjList.size() - 1); |
|
609 |
||
610 |
/* recursively search for matching certs at next dN */ |
|
depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, |
builder, adjList, cpList); |
2 | 613 |
|
614 |
/* |
|
615 |
* If path has been completed, return ASAP! |
|
616 |
*/ |
|
617 |
if (pathCompleted) { |
|
618 |
return; |
|
619 |
} else { |
|
620 |
/* |
|
621 |
* If we get here, it means we have searched all possible |
|
622 |
* certs issued by the dN w/o finding any matching certs. |
|
623 |
* This means we have to backtrack to the previous cert in |
|
624 |
* the path and try some other paths. |
|
625 |
*/ |
|
626 |
if (debug != null) |
|
627 |
debug.println("SunCertPathBuilder.depthFirstSearchForward()" |
|
+ ": backtracking"); |
builder.removeFinalCertFromPath(cpList); |
2 | 630 |
} |
631 |
} |
|
632 |
} |
|
633 |
||
634 |
/* |
|
635 |
* This method performs a depth first search for a certification |
|
636 |
* path while building reverse which meets the requirements set in |
|
637 |
* the parameters object. |
|
638 |
* It uses an adjacency list to store all certificates which were |
|
639 |
* tried (i.e. at one time added to the path - they may not end up in |
|
640 |
* the final path if backtracking occurs). This information can |
|
641 |
* be used later to debug or demo the build. |
|
642 |
* |
|
643 |
* See "Data Structure and Algorithms, by Aho, Hopcroft, and Ullman" |
|
644 |
* for an explanation of the DFS algorithm. |
|
645 |
* |
|
646 |
* @param dN the distinguished name being currently searched for certs |
|
647 |
* @param currentState the current PKIX validation state |
|
648 |
*/ |
|
private void depthFirstSearchReverse(X500Principal dN,
                                     ReverseState currentState,
                                     ReverseBuilder builder,
                                     List<List<Vertex>> adjList,
                                     LinkedList<X509Certificate> cpList)
    throws GeneralSecurityException, IOException
{
    /*
     * Depth-first search in the reverse direction. Candidates come from
     * builder.getMatchingCerts() and are recorded as vertices in the last
     * entry of adjList. Each candidate is verified against a private clone
     * of currentState; a candidate that fails verification is skipped and
     * its exception is stored on its vertex. The search stops as soon as
     * pathCompleted is set, otherwise it backtracks and tries the next
     * candidate.
     */
    if (debug != null) {
        debug.println("SunCertPathBuilder.depthFirstSearchReverse(" + dN
            + ", " + currentState.toString() + ")");
    }

    /* Candidate certificates that satisfy the PKIX path constraints. */
    Collection<X509Certificate> matching =
        builder.getMatchingCerts(currentState, buildParams.certStores());
    List<Vertex> candidates = addVertices(matching, adjList);
    if (debug != null) {
        debug.println("SunCertPathBuilder.depthFirstSearchReverse(): "
            + "certs.size=" + candidates.size());
    }

    for (Vertex candidate : candidates) {
        /*
         * Work on a fresh copy of the state for every candidate, so that
         * changes made while verifying one candidate are not carried over
         * to the next one.
         */
        ReverseState stateForCert = (ReverseState) currentState.clone();
        X509Certificate cert = candidate.getCertificate();
        try {
            builder.verifyCert(cert, stateForCert, cpList);
        } catch (GeneralSecurityException gse) {
            // A rejected candidate does not abort the build: the reason is
            // kept on the vertex and the next candidate is tried.
            if (debug != null) {
                debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                    + ": validation failed: " + gse);
            }
            candidate.setThrowable(gse);
            continue;
        }

        /*
         * The candidate verified. It is appended to the path unless this
         * is the initial state.
         */
        if (!currentState.isInitial()) {
            builder.addCertToPath(cert, cpList);
        }
        // NOTE(review): the anchor is stored for every accepted candidate,
        // before it is known whether the path completes.
        this.trustAnchor = currentState.trustAnchor;

        if (builder.isPathCompleted(cert)) {
            if (debug != null) {
                debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                    + ": path completed!");
            }
            pathCompleted = true;

            /* Publish a copy of the policy tree, marked immutable. */
            PolicyNodeImpl rootNode = stateForCert.rootNode;
            if (rootNode != null) {
                policyTreeResult = rootNode.copyTree();
                ((PolicyNodeImpl)policyTreeResult).setImmutable();
            } else {
                policyTreeResult = null;
            }

            /*
             * Save the target public key. A DSA key without parameters is
             * replaced by one built together with currentState.pubKey.
             */
            finalPublicKey = cert.getPublicKey();
            if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
                finalPublicKey = BasicChecker.makeInheritedParamsKey(
                    finalPublicKey, currentState.pubKey);
            }

            return;
        }

        /* Update the PKIX state */
        stateForCert.updateState(cert);

        /* New adjacency entry for this cert; the vertex records its index. */
        adjList.add(new LinkedList<Vertex>());
        candidate.setIndex(adjList.size() - 1);

        /* Recurse on the subject of the accepted cert. */
        depthFirstSearchReverse(cert.getSubjectX500Principal(), stateForCert,
                                builder, adjList, cpList);

        if (pathCompleted) {
            return;
        }

        /*
         * The recursion found no usable continuation below this cert, so
         * undo the path extension made above and try the next candidate.
         */
        if (debug != null) {
            debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                + ": backtracking");
        }
        if (!currentState.isInitial()) {
            builder.removeFinalCertFromPath(cpList);
        }
    }

    if (debug != null) {
        debug.println("SunCertPathBuilder.depthFirstSearchReverse() all "
            + "certs in this adjacency list checked");
    }
}
|
774 |
||
775 |
/* |
|
776 |
* Adds a collection of matching certificates to the |
|
777 |
* adjacency list. |
|
778 |
*/ |
|
private static List<Vertex> addVertices(Collection<X509Certificate> certs,
                                        List<List<Vertex>> adjList)
{
    // The vertices go into the LAST entry of the adjacency list. That same
    // list is returned, so it also holds any vertices it contained before
    // this call. adjList must not be empty.
    int lastIndex = adjList.size() - 1;
    List<Vertex> current = adjList.get(lastIndex);

    for (X509Certificate candidate : certs) {
        current.add(new Vertex(candidate));
    }

    return current;
}
|
791 |
||
792 |
/** |
|
793 |
* Returns true if trust anchor certificate matches specified |
|
794 |
* certificate constraints. |
|
795 |
*/ |
|
private static boolean anchorIsTarget(TrustAnchor anchor,
                                      CertSelector sel)
{
    // An anchor that carries no certificate (getTrustedCert() == null)
    // never matches; the selector is consulted only when a certificate is
    // present.
    X509Certificate trusted = anchor.getTrustedCert();
    return trusted != null && sel.match(trusted);
}
|
805 |
} |