--- a/jdk/src/share/classes/java/security/cert/CertPathValidatorException.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/java/security/cert/CertPathValidatorException.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2005 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
package java.security.cert;
+import java.io.InvalidObjectException;
+import java.io.IOException;
+import java.io.ObjectInputStream;
import java.security.GeneralSecurityException;
/**
@@ -36,10 +39,11 @@
* if any, that caused this exception to be thrown.
* <p>
* A <code>CertPathValidatorException</code> may also include the
- * certification path that was being validated when the exception was thrown
- * and the index of the certificate in the certification path that caused the
- * exception to be thrown. Use the {@link #getCertPath getCertPath} and
- * {@link #getIndex getIndex} methods to retrieve this information.
+ * certification path that was being validated when the exception was thrown,
+ * the index of the certificate in the certification path that caused the
+ * exception to be thrown, and the reason that caused the failure. Use the
+ * {@link #getCertPath getCertPath}, {@link #getIndex getIndex}, and
+ * {@link #getReason getReason} methods to retrieve this information.
*
* <p>
* <b>Concurrent Access</b>
@@ -72,11 +76,16 @@
private CertPath certPath;
/**
+ * @serial the reason the validation failed
+ */
+ private Reason reason = BasicReason.UNSPECIFIED;
+
+ /**
* Creates a <code>CertPathValidatorException</code> with
* no detail message.
*/
public CertPathValidatorException() {
- super();
+ this(null, null);
}
/**
@@ -87,7 +96,7 @@
* @param msg the detail message
*/
public CertPathValidatorException(String msg) {
- super(msg);
+ this(msg, null);
}
/**
@@ -104,7 +113,7 @@
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(Throwable cause) {
- super(cause);
+ this(null, cause);
}
/**
@@ -117,7 +126,7 @@
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(String msg, Throwable cause) {
- super(msg, cause);
+ this(msg, cause, null, -1);
}
/**
@@ -139,6 +148,32 @@
*/
public CertPathValidatorException(String msg, Throwable cause,
CertPath certPath, int index) {
+ this(msg, cause, certPath, index, BasicReason.UNSPECIFIED);
+ }
+
+ /**
+ * Creates a <code>CertPathValidatorException</code> with the specified
+ * detail message, cause, certification path, index, and reason.
+ *
+ * @param msg the detail message (or <code>null</code> if none)
+ * @param cause the cause (or <code>null</code> if none)
+ * @param certPath the certification path that was in the process of
+ * being validated when the error was encountered
+ * @param index the index of the certificate in the certification path
+ * that caused the error (or -1 if not applicable). Note that
+ * the list of certificates in a <code>CertPath</code> is zero based.
+ * @param reason the reason the validation failed
+ * @throws IndexOutOfBoundsException if the index is out of range
+ * <code>(index < -1 || (certPath != null && index >=
+ * certPath.getCertificates().size())</code>
+ * @throws IllegalArgumentException if <code>certPath</code> is
+ * <code>null</code> and <code>index</code> is not -1
+ * @throws NullPointerException if <code>reason</code> is <code>null</code>
+ *
+ * @since 1.7
+ */
+ public CertPathValidatorException(String msg, Throwable cause,
+ CertPath certPath, int index, Reason reason) {
super(msg, cause);
if (certPath == null && index != -1) {
throw new IllegalArgumentException();
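Review bot: The `@throws IndexOutOfBoundsException` clause in the new constructor's Javadoc has an unbalanced parenthesis and puts raw `<` and `&&` inside `<code>`, so the rendered condition is malformed HTML and does not read as the expression the code checks. Writing it as `{@code (index < -1 || (certPath != null && index >= certPath.getCertificates().size()))}` fixes both. The `@param reason` line could also say that `BasicReason.UNSPECIFIED` is the value to pass when no reason is known, since the same comment documents that `null` is rejected. The constructor body continues past the end of this hunk.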
@@ -147,8 +182,12 @@
(certPath != null && index >= certPath.getCertificates().size())) {
throw new IndexOutOfBoundsException();
}
+ if (reason == null) {
+ throw new NullPointerException("reason can't be null");
+ }
this.certPath = certPath;
this.index = index;
+ this.reason = reason;
}
/**
@@ -174,4 +213,79 @@
return this.index;
}
+ /**
+ * Returns the reason that the validation failed. The reason is
+ * associated with the index of the certificate returned by
+ * {@link getIndex}.
+ *
+ * @return the reason that the validation failed, or
+ * <code>BasicReason.UNSPECIFIED</code> if a reason has not been
+ * specified
+ *
+ * @since 1.7
+ */
+ public Reason getReason() {
+ return this.reason;
+ }
+
+ private void readObject(ObjectInputStream stream)
+ throws ClassNotFoundException, IOException {
+ stream.defaultReadObject();
+ if (reason == null) {
+ reason = BasicReason.UNSPECIFIED;
+ }
+ if (certPath == null && index != -1) {
+ throw new InvalidObjectException("certpath is null and index != -1");
+ }
+ if (index < -1 ||
+ (certPath != null && index >= certPath.getCertificates().size())) {
+ throw new InvalidObjectException("index out of range");
+ }
+ }
+
+ /**
+ * The reason the validation algorithm failed.
+ *
+ * @since 1.7
+ */
+ public static interface Reason extends java.io.Serializable { }
+
+
+ /**
+ * The BasicReason enumerates the potential reasons that a certification
+ * path of any type may be invalid.
+ *
+ * @since 1.7
+ */
+ public static enum BasicReason implements Reason {
+ /**
+ * Unspecified reason.
+ */
+ UNSPECIFIED,
+
+ /**
+ * The certificate is expired.
+ */
+ EXPIRED,
+
+ /**
+ * The certificate is not yet valid.
+ */
+ NOT_YET_VALID,
+
+ /**
+ * The certificate is revoked.
+ */
+ REVOKED,
+
+ /**
+ * The revocation status of the certificate could not be determined.
+ */
+ UNDETERMINED_REVOCATION_STATUS,
+
+ /**
+ * The signature is invalid.
+ */
+ INVALID_SIGNATURE
+ }
}
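Review bot: `{@link getIndex}` in the getReason() Javadoc is missing the `#`, so javadoc will try to resolve a type named getIndex; it should read `{@link #getIndex getIndex}`, as the class-level comment already does. readObject() has no comment at all, although it is the only place where stream data is checked against the constructor's invariants. A short note such as `// Re-apply the constructor's checks to deserialized state; a null reason is mapped to UNSPECIFIED` would explain why the index/certPath checks are duplicated there and should stay in sync with the constructor.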
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/java/security/cert/PKIXReason.java Thu Sep 11 18:13:51 2008 -0400
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package java.security.cert;
+
+/**
+ * The <code>PKIXReason</code> enumerates the potential PKIX-specific reasons
+ * that an X.509 certification path may be invalid according to the PKIX
+ * (RFC 3280) standard. These reasons are in addition to those of the
+ * <code>CertPathValidatorException.BasicReason</code> enumeration.
+ *
+ * @since 1.7
+ */
+public enum PKIXReason implements CertPathValidatorException.Reason {
+ /**
+ * The certificate does not chain correctly.
+ */
+ NAME_CHAINING,
+
+ /**
+ * The certificate's key usage is invalid.
+ */
+ INVALID_KEY_USAGE,
+
+ /**
+ * The policy constraints have been violated.
+ */
+ INVALID_POLICY,
+
+ /**
+ * No acceptable trust anchor found.
+ */
+ NO_TRUST_ANCHOR,
+
+ /**
+ * The certificate contains one or more unrecognized critical
+ * extensions.
+ */
+ UNRECOGNIZED_CRIT_EXT,
+
+ /**
+ * The certificate is not a CA certificate.
+ */
+ NOT_CA_CERT,
+
+ /**
+ * The path length constraint has been violated.
+ */
+ PATH_TOO_LONG,
+
+ /**
+ * The name constraints have been violated.
+ */
+ INVALID_NAME
+}
--- a/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,12 +29,18 @@
import java.util.Collection;
import java.util.Date;
import java.util.Set;
+import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
+import java.security.SignatureException;
import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
@@ -152,11 +158,11 @@
try {
cert.verify(prevPubKey, sigProvider);
- } catch (Exception e) {
- if (debug != null) {
- debug.println(e.getMessage());
- e.printStackTrace();
- }
+ } catch (SignatureException e) {
+ throw new CertPathValidatorException
+ (msg + " check failed", e, null, -1,
+ BasicReason.INVALID_SIGNATURE);
+ } catch (GeneralSecurityException e) {
throw new CertPathValidatorException(msg + " check failed", e);
}
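Review bot: Narrowing `catch (Exception e)` to `SignatureException` and `GeneralSecurityException` means an unchecked exception raised inside `cert.verify(prevPubKey, sigProvider)` now escapes as a RuntimeException instead of being wrapped in a CertPathValidatorException. The path is still not accepted, but callers that treat CertPathValidatorException as the only rejection signal get a new failure mode; if that is intended, a comment such as `// unchecked exceptions are deliberately not wrapped` would record it. The same narrowing appears in the `cert.checkValidity(date)` hunk and the `kf.generatePublic(ks)` hunk further down. The debug output was removed as well, so the underlying message is now only reachable through the cause. The enclosing method starts and ends outside the hunk.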
@@ -176,12 +182,12 @@
try {
cert.checkValidity(date);
- } catch (Exception e) {
- if (debug != null) {
- debug.println(e.getMessage());
- e.printStackTrace();
- }
- throw new CertPathValidatorException(msg + " check failed", e);
+ } catch (CertificateExpiredException e) {
+ throw new CertPathValidatorException
+ (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
+ } catch (CertificateNotYetValidException e) {
+ throw new CertPathValidatorException
+ (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
}
if (debug != null)
@@ -204,12 +210,16 @@
// reject null or empty issuer DNs
if (X500Name.asX500Name(currIssuer).isEmpty()) {
- throw new CertPathValidatorException(msg + " check failed: " +
- "empty/null issuer DN in certificate is invalid");
+ throw new CertPathValidatorException
+ (msg + " check failed: " +
+ "empty/null issuer DN in certificate is invalid", null,
+ null, -1, PKIXReason.NAME_CHAINING);
}
if (!(currIssuer.equals(prevSubject))) {
- throw new CertPathValidatorException(msg + " check failed");
+ throw new CertPathValidatorException
+ (msg + " check failed", null, null, -1,
+ PKIXReason.NAME_CHAINING);
}
if (debug != null)
@@ -270,7 +280,7 @@
params.getQ(),
params.getG());
usableKey = kf.generatePublic(ks);
- } catch (Exception e) {
+ } catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate key with" +
" inherited parameters: " +
e.getMessage(), e);
--- a/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,10 @@
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
+import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.NameConstraintsExtension;
@@ -147,7 +148,8 @@
try {
if (!prevNC.verify(currCert)) {
- throw new CertPathValidatorException(msg + " check failed");
+ throw new CertPathValidatorException(msg + " check failed",
+ null, null, -1, PKIXReason.INVALID_NAME);
}
} catch (IOException ioe) {
throw new CertPathValidatorException(ioe);
@@ -228,8 +230,9 @@
if (i < certPathLength) {
int pathLenConstraint = currCert.getBasicConstraints();
if (pathLenConstraint == -1) {
- throw new CertPathValidatorException(msg + " check failed: "
- + "this is not a CA certificate");
+ throw new CertPathValidatorException
+ (msg + " check failed: this is not a CA certificate", null,
+ null, -1, PKIXReason.NOT_CA_CERT);
}
if (!X509CertImpl.isSelfIssued(currCert)) {
@@ -237,7 +240,8 @@
throw new CertPathValidatorException
(msg + " check failed: pathLenConstraint violated - "
+ "this cert must be the last cert in the "
- + "certification path");
+ + "certification path", null, null, -1,
+ PKIXReason.PATH_TOO_LONG);
}
maxPathLength--;
}
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,6 +39,7 @@
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.interfaces.DSAPublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
@@ -268,7 +269,8 @@
" circular dependency");
}
throw new CertPathValidatorException
- ("Could not determine revocation status");
+ ("Could not determine revocation status", null, null, -1,
+ BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// init the state for this run
@@ -324,7 +326,8 @@
return;
} else {
throw new CertPathValidatorException
- ("Could not determine revocation status");
+ ("Could not determine revocation status", null, null, -1,
+ BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
@@ -370,7 +373,8 @@
+ unresCritExts);
}
throw new CertPathValidatorException
- ("Could not determine revocation status");
+ ("Could not determine revocation status", null, null,
+ -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
@@ -378,10 +382,11 @@
if (reasonCode == null) {
reasonCode = CRLReason.UNSPECIFIED;
}
- throw new CertPathValidatorException(
- new CertificateRevokedException
- (entry.getRevocationDate(), reasonCode,
- crl.getIssuerX500Principal(), entry.getExtensions()));
+ Throwable t = new CertificateRevokedException
+ (entry.getRevocationDate(), reasonCode,
+ crl.getIssuerX500Principal(), entry.getExtensions());
+ throw new CertPathValidatorException(t.getMessage(), t,
+ null, -1, BasicReason.REVOKED);
}
}
}
@@ -428,7 +433,8 @@
" circular dependency");
}
throw new CertPathValidatorException
- ("Could not determine revocation status");
+ ("Could not determine revocation status", null, null,
+ -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// If prevKey wasn't trusted, maybe we just didn't have the right
@@ -617,7 +623,7 @@
return;
} catch (CertPathValidatorException cpve) {
// If it is revoked, rethrow exception
- if (cpve.getCause() instanceof CertificateRevokedException) {
+ if (cpve.getReason() == BasicReason.REVOKED) {
throw cpve;
}
// Otherwise, ignore the exception and
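Review bot: Whether a revoked result is rethrown or falls into the `// Otherwise, ignore the exception` path now depends only on the thrower having tagged the exception with `BasicReason.REVOKED`. Any CertPathValidatorException that carries a CertificateRevokedException cause but was built through one of the older constructors defaults to UNSPECIFIED and would be ignored here. Keeping the old test as a fallback makes the check fail closed: `if (cpve.getReason() == BasicReason.REVOKED || cpve.getCause() instanceof CertificateRevokedException) {`. The same single-condition check is introduced in the PKIXMasterCertPathValidator hunk that decides on OCSP-to-CRL failover. The catch block continues outside this hunk.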
@@ -628,7 +634,8 @@
throw new CertPathValidatorException(iape);
} catch (CertPathBuilderException cpbe) {
throw new CertPathValidatorException
- ("Could not determine revocation status", cpbe);
+ ("Could not determine revocation status", null, null,
+ -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
}
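Review bot: The rewritten throw in `catch (CertPathBuilderException cpbe)` passes `null` as the cause, whereas the removed line passed `cpbe`, so the builder failure that explains why revocation status could not be determined is lost from the exception chain. The five-argument constructor takes the cause as its second parameter, so the call should be `("Could not determine revocation status", cpbe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);`. Without it, anyone triaging a revocation failure sees only the generic message.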
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Thu Sep 11 18:13:51 2008 -0400
@@ -32,6 +32,7 @@
import java.security.InvalidKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.PKIXBuilderParameters;
@@ -732,8 +733,9 @@
PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresCritExts.isEmpty())
- throw new CertificateException("Unrecognized critical "
- + "extension(s)");
+ throw new CertPathValidatorException
+ ("Unrecognized critical extension(s)", null, null, -1,
+ PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
}
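Review bot: The unrecognized-critical-extension failure changes type here from CertificateException to CertPathValidatorException, and the latter is not a subclass of the former. The enclosing method and its callers are outside the hunk, so this needs checking: any caller that catches CertificateException specifically would no longer handle this rejection, and the method's `throws` clause and Javadoc should name the new type. The same substitution is made in the ReverseBuilder hunk. As a style point, the `if (!unresCritExts.isEmpty())` guarding the multi-line throw has no braces, which is easy to misread now that the statement spans three lines.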
--- a/jdk/src/share/classes/sun/security/provider/certpath/KeyChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/KeyChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2003 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
import java.util.*;
import java.security.cert.*;
+import java.security.cert.PKIXReason;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;
@@ -75,11 +76,12 @@
if (!forward) {
remainingCerts = certPathLen;
} else {
- throw new CertPathValidatorException("forward checking not supported");
+ throw new CertPathValidatorException
+ ("forward checking not supported");
}
}
- public boolean isForwardCheckingSupported() {
+ public final boolean isForwardCheckingSupported() {
return false;
}
@@ -155,8 +157,9 @@
// throw an exception if the keyCertSign bit is not set
if (!keyUsageBits[keyCertSign]) {
- throw new CertPathValidatorException(msg + " check failed: "
- + "keyCertSign bit is not set");
+ throw new CertPathValidatorException
+ (msg + " check failed: keyCertSign bit is not set", null,
+ null, -1, PKIXReason.INVALID_KEY_USAGE);
}
if (debug != null) {
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -33,6 +33,7 @@
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
import java.net.*;
import javax.security.auth.x500.X500Principal;
@@ -381,17 +382,18 @@
}
if (certOCSPStatus == OCSPResponse.CERT_STATUS_REVOKED) {
- throw new CertPathValidatorException(
- new CertificateRevokedException(
+ Throwable t = new CertificateRevokedException(
ocspResponse.getRevocationTime(),
ocspResponse.getRevocationReason(),
responderCert.getSubjectX500Principal(),
- ocspResponse.getSingleExtensions()));
+ ocspResponse.getSingleExtensions());
+ throw new CertPathValidatorException(t.getMessage(), t,
+ null, -1, BasicReason.REVOKED);
} else if (certOCSPStatus == OCSPResponse.CERT_STATUS_UNKNOWN) {
throw new CertPathValidatorException(
"Certificate's revocation status is unknown", null, cp,
- remainingCerts);
+ remainingCerts, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
} catch (Exception e) {
throw new CertPathValidatorException(e);
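Review bot: Both new throws, the one tagged `BasicReason.REVOKED` and the one tagged `UNDETERMINED_REVOCATION_STATUS`, appear to sit inside the try whose `catch (Exception e)` rewraps everything as `new CertPathValidatorException(e)`. No earlier catch clause is visible in the hunk, and if none exists the exception that reaches the caller has reason UNSPECIFIED with the tagged exception only as its cause. The new `cpve.getReason() == BasicReason.REVOKED` test in PKIXMasterCertPathValidator would then not match, and a confirmed revocation would be handled like an OCSP failure that may fail over to CRLs. Adding `} catch (CertPathValidatorException cpve) { throw cpve;` ahead of the generic catch would preserve the reason. The try statement begins outside the hunk, so the existing catch clauses should be confirmed before changing it.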
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -38,6 +38,7 @@
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
+import java.security.cert.PKIXReason;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
@@ -47,7 +48,6 @@
import java.util.ArrayList;
import java.util.Date;
import java.util.Set;
-import java.util.HashSet;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
@@ -67,6 +67,7 @@
private List<PKIXCertPathChecker> userCheckers;
private String sigProvider;
private BasicChecker basicChecker;
+ private String ocspProperty;
/**
* Default constructor.
@@ -126,7 +127,7 @@
// Must copy elements of certList into a new modifiable List before
// calling Collections.reverse().
- List<X509Certificate> certList = new ArrayList<X509Certificate>
+ ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>
((List<X509Certificate>)cp.getCertificates());
if (debug != null) {
if (certList.isEmpty()) {
@@ -201,7 +202,8 @@
}
// (b) otherwise, generate new exception
throw new CertPathValidatorException
- ("Path does not chain with any of the trust anchors");
+ ("Path does not chain with any of the trust anchors",
+ null, null, -1, PKIXReason.NO_TRUST_ANCHOR);
}
/**
@@ -210,7 +212,6 @@
*/
private boolean isWorthTrying(X509Certificate trustedCert,
X509Certificate firstCert)
- throws CertPathValidatorException
{
if (debug != null) {
debug.println("PKIXCertPathValidator.isWorthTrying() checking "
@@ -240,7 +241,6 @@
* Internal method to setup the internal state
*/
private void populateVariables(PKIXParameters pkixParam)
- throws CertPathValidatorException
{
// default value for testDate is current time
testDate = pkixParam.getDate();
@@ -250,6 +250,17 @@
userCheckers = pkixParam.getCertPathCheckers();
sigProvider = pkixParam.getSigProvider();
+
+ if (pkixParam.isRevocationEnabled()) {
+ // Examine OCSP security property
+ ocspProperty = AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+ public String run() {
+ return
+ Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
+ }
+ });
+ }
}
/**
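Review bot: `ocspProperty` is assigned only when `pkixParam.isRevocationEnabled()` is true, so a validator instance that is reused keeps the value from an earlier call whenever revocation is disabled. The only visible reader in doValidate() is guarded by the same condition, so this is harmless today, but an `else { ocspProperty = null; }` branch or a comment on the field (`// OCSP enable property; only meaningful when revocation is enabled`) would keep a later reader from relying on a stale value. The field also adds to the per-call mutable state held on the instance, which is worth stating in the class comment if instances are not meant to be shared between threads.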
@@ -259,12 +270,9 @@
*/
private PolicyNode doValidate(
TrustAnchor anchor, CertPath cpOriginal,
- List<X509Certificate> certList, PKIXParameters pkixParam,
+ ArrayList<X509Certificate> certList, PKIXParameters pkixParam,
PolicyNodeImpl rootNode) throws CertPathValidatorException
{
- List<PKIXCertPathChecker> certPathCheckers =
- new ArrayList<PKIXCertPathChecker>();
-
int certPathLen = certList.size();
basicChecker = new BasicChecker(anchor, testDate, sigProvider, false);
@@ -281,6 +289,8 @@
pkixParam.getPolicyQualifiersRejected(),
rootNode);
+ ArrayList<PKIXCertPathChecker> certPathCheckers =
+ new ArrayList<PKIXCertPathChecker>();
// add standard checkers that we will be using
certPathCheckers.add(keyChecker);
certPathCheckers.add(constraintsChecker);
@@ -290,15 +300,6 @@
// only add a revocationChecker if revocation is enabled
if (pkixParam.isRevocationEnabled()) {
- // Examine OCSP security property
- String ocspProperty = AccessController.doPrivileged(
- new PrivilegedAction<String>() {
- public String run() {
- return
- Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
- }
- });
-
// Use OCSP if it has been enabled
if ("true".equalsIgnoreCase(ocspProperty)) {
OCSPChecker ocspChecker =
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,11 +30,12 @@
import java.util.Collections;
import java.util.List;
import java.util.Set;
-import java.util.Iterator;
+import java.security.cert.CertificateRevokedException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateRevokedException;
+import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXReason;
import java.security.cert.X509Certificate;
/**
@@ -153,10 +154,11 @@
*/
CertPathValidatorException currentCause =
new CertPathValidatorException(cpve.getMessage(),
- cpve.getCause(), cpOriginal, cpSize - (i + 1));
+ cpve.getCause(), cpOriginal, cpSize - (i + 1),
+ cpve.getReason());
// Check if OCSP has confirmed that the cert was revoked
- if (cpve.getCause() instanceof CertificateRevokedException) {
+ if (cpve.getReason() == BasicReason.REVOKED) {
throw currentCause;
}
// Check if it is appropriate to failover
@@ -184,7 +186,8 @@
debug.println("checking for unresolvedCritExts");
if (!unresolvedCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " +
- "critical extension(s)", null, cpOriginal, cpSize-(i+1));
+ "critical extension(s)", null, cpOriginal, cpSize-(i+1),
+ PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
if (debug != null)
--- a/jdk/src/share/classes/sun/security/provider/certpath/PolicyChecker.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PolicyChecker.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,11 +30,12 @@
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
+import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
import java.security.cert.PolicyNode;
import java.security.cert.PolicyQualifierInfo;
+import java.security.cert.X509Certificate;
import sun.security.util.Debug;
import sun.security.x509.CertificatePoliciesExtension;
@@ -482,8 +483,9 @@
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers &&
policiesCritical) {
- throw new CertPathValidatorException("critical " +
- "policy qualifiers present in certificate");
+ throw new CertPathValidatorException(
+ "critical policy qualifiers present in certificate",
+ null, null, -1, PKIXReason.INVALID_POLICY);
}
// PKIX: Section 6.1.3: Step (d)(1)(i)
@@ -567,7 +569,8 @@
if ((explicitPolicy == 0) && (rootNode == null)) {
throw new CertPathValidatorException
- ("non-null policy tree required and policy tree is null");
+ ("non-null policy tree required and policy tree is null",
+ null, null, -1, PKIXReason.INVALID_POLICY);
}
return rootNode;
@@ -776,12 +779,14 @@
if (issuerDomain.equals(ANY_POLICY)) {
throw new CertPathValidatorException
- ("encountered an issuerDomainPolicy of ANY_POLICY");
+ ("encountered an issuerDomainPolicy of ANY_POLICY",
+ null, null, -1, PKIXReason.INVALID_POLICY);
}
if (subjectDomain.equals(ANY_POLICY)) {
throw new CertPathValidatorException
- ("encountered a subjectDomainPolicy of ANY_POLICY");
+ ("encountered a subjectDomainPolicy of ANY_POLICY",
+ null, null, -1, PKIXReason.INVALID_POLICY);
}
Set<PolicyNodeImpl> validNodes =
--- a/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,14 +29,15 @@
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
+import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Collection;
@@ -402,7 +403,8 @@
*/
if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
throw new CertPathValidatorException
- ("pathLenConstraint violated, path too long");
+ ("pathLenConstraint violated, path too long", null,
+ null, -1, PKIXReason.PATH_TOO_LONG);
}
/*
@@ -438,7 +440,8 @@
try {
if (!currentState.nc.verify(cert)){
throw new CertPathValidatorException
- ("name constraints check failed");
+ ("name constraints check failed", null, null, -1,
+ PKIXReason.INVALID_NAME);
}
} catch (IOException ioe){
throw new CertPathValidatorException(ioe);
@@ -483,7 +486,9 @@
unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresolvedCritExts.isEmpty())
- throw new CertificateException("Unrecognized critical extension(s)");
+ throw new CertPathValidatorException
+ ("Unrecognized critical extension(s)", null, null, -1,
+ PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
/*
--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,9 @@
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.PublicKey;
+import java.security.cert.*;
+import java.security.cert.PKIXReason;
+import java.security.interfaces.DSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -39,10 +42,6 @@
import java.util.List;
import java.util.LinkedList;
import java.util.Set;
-
-import java.security.cert.*;
-import java.security.interfaces.DSAPublicKey;
-
import javax.security.auth.x500.X500Principal;
import sun.security.x509.X500Name;
@@ -565,8 +564,9 @@
(PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresCritExts.isEmpty()) {
- throw new CertPathValidatorException("unrecognized "
- + "critical extension(s)");
+ throw new CertPathValidatorException
+ ("unrecognized critical extension(s)", null,
+ null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
}
}
--- a/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@
import java.io.IOException;
import java.security.cert.*;
+import java.security.cert.PKIXReason;
import java.util.ArrayList;
import java.util.Collections;
@@ -69,6 +70,9 @@
validate(path, params);
throw new Exception("Successfully validated invalid path.");
} catch (CertPathValidatorException e) {
+ if (e.getReason() != PKIXReason.INVALID_NAME) {
+ throw new Exception("unexpected reason: " + e.getReason());
+ }
System.out.println("Path rejected as expected: " + e);
}
}
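Review bot: The new `throw new Exception("unexpected reason: " + e.getReason());` inside the catch discards the CertPathValidatorException it was handed. A failing run therefore shows the reason but not the original message, index or stack trace. Passing it as the cause fixes that: `throw new Exception("unexpected reason: " + e.getReason(), e);`. The same applies to the equivalent check added to the catch block in GetPolicyQualifiers.java, where the variable is `cpve`. The enclosing method starts outside this hunk.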
@@ -86,14 +90,14 @@
args = new String[] {"jane2jane.cer", "jane2steve.cer", "steve2tom.cer"};
TrustAnchor anchor = new TrustAnchor(getCertFromFile(args[0]), null);
- List list = new ArrayList();
+ List<X509Certificate> list = new ArrayList<X509Certificate>();
for (int i = 1; i < args.length; i++) {
list.add(0, getCertFromFile(args[i]));
}
CertificateFactory cf = CertificateFactory.getInstance("X509");
path = cf.generateCertPath(list);
- Set anchors = Collections.singleton(anchor);
+ Set<TrustAnchor> anchors = Collections.singleton(anchor);
params = new PKIXParameters(anchors);
params.setRevocationEnabled(false);
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidatorException/ReasonTest.java Thu Sep 11 18:13:51 2008 -0400
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6465942
+ * @summary unit test for CertPathValidatorException.Reason
+ */
+
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class ReasonTest {
+ private static volatile boolean failed = false;
+ public static void main(String[] args) throws Exception {
+
+ // check that getReason returns UNSPECIFIED if reason not specified
+ CertPathValidatorException cpve = new CertPathValidatorException("abc");
+ if (cpve.getReason() != BasicReason.UNSPECIFIED) {
+ failed = true;
+ System.err.println("FAILED: unexpected reason: " + cpve.getReason());
+ }
+
+ // check that getReason returns specified reason
+ cpve = new CertPathValidatorException
+ ("abc", null, null, -1, BasicReason.REVOKED);
+ if (cpve.getReason() != BasicReason.REVOKED) {
+ failed = true;
+ System.err.println("FAILED: unexpected reason: " + cpve.getReason());
+ }
+
+ // check that ctor throws NPE when reason is null
+ try {
+ cpve = new CertPathValidatorException("abc", null, null, -1, null);
+ failed = true;
+ System.err.println("ctor did not throw NPE for null reason");
+ } catch (Exception e) {
+ if (!(e instanceof NullPointerException)) {
+ failed = true;
+ System.err.println("FAILED: unexpected exception: " + e);
+ }
+ }
+ if (failed) {
+ throw new Exception("Some tests FAILED");
+ }
+ }
+}
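Review bot: The null-reason case catches `Exception` and then tests `e instanceof NullPointerException`, which is longer than needed. Catching the expected type directly, `} catch (NullPointerException expected) { }`, lets any other exception propagate out of `main` with its full stack trace instead of being reduced to a one-line message on stderr. `failed` is declared `volatile` although everything in this file runs on the main thread, so the modifier can be dropped.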
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidatorException/Serial.java Thu Sep 11 18:13:51 2008 -0400
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6465942
+ * @summary Test deserialization of CertPathValidatorException
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+//import java.io.FileOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import java.util.Collections;
+
+/**
+ * This class tests to see if CertPathValidatorException can be serialized and
+ * deserialized properly.
+ */
+public class Serial {
+ private static volatile boolean failed = false;
+ public static void main(String[] args) throws Exception {
+
+ File f = new File(System.getProperty("test.src", "."), "cert_file");
+ FileInputStream fis = new FileInputStream(f);
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ Certificate c = cf.generateCertificate(fis);
+ fis.close();
+ CertPath cp = cf.generateCertPath(Collections.singletonList(c));
+
+ CertPathValidatorException cpve1 =
+ new CertPathValidatorException
+ ("Test", new Exception("Expired"), cp, 0, BasicReason.EXPIRED);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+// FileOutputStream fos = new FileOutputStream("jdk7.serial");
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+// ObjectOutputStream foos = new ObjectOutputStream(fos);
+ oos.writeObject(cpve1);
+// foos.writeObject(cpve1);
+ ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ CertPathValidatorException cpve2 =
+ (CertPathValidatorException) ois.readObject();
+ check(!cpve1.getMessage().equals(cpve2.getMessage()),
+ "CertPathValidatorException messages not equal");
+ check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
+ "CertPathValidatorException causes not equal");
+ check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
+ "CertPathValidatorException certpaths not equal");
+ check(cpve1.getIndex() != cpve2.getIndex(),
+ "CertPathValidatorException indexes not equal");
+ check(cpve1.getReason() != cpve2.getReason(),
+ "CertPathValidatorException reasons not equal");
+ oos.close();
+ ois.close();
+
+ f = new File(System.getProperty("test.src", "."), "jdk6.serial");
+ fis = new FileInputStream(f);
+ ois = new ObjectInputStream(fis);
+ cpve2 = (CertPathValidatorException) ois.readObject();
+ check(!cpve1.getMessage().equals(cpve2.getMessage()),
+ "CertPathValidatorException messages not equal");
+ check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
+ "CertPathValidatorException causes not equal");
+ check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
+ "CertPathValidatorException certpaths not equal");
+ check(cpve1.getIndex() != cpve2.getIndex(),
+ "CertPathValidatorException indexes not equal");
+// System.out.println(cpve2.getReason());
+ check(cpve2.getReason() != BasicReason.UNSPECIFIED,
+ "CertPathValidatorException reasons not equal");
+ oos.close();
+ ois.close();
+ if (failed) {
+ throw new Exception("Some tests FAILED");
+ }
+ }
+
+ private static void check(boolean expr, String message) {
+ if (expr) {
+ failed = true;
+ System.err.println("FAILED: " + message);
+ }
+ }
+}
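Review bot: `check(boolean expr, String message)` records a failure when `expr` is true, so every call site passes the negated condition (`check(!a.equals(b), ...)`), which reads backwards and is easy to get wrong when a case is added. Either rename it (e.g. `failIf`) or change the body to `if (!expr)` and pass the positive conditions. The second `oos.close()` near the end closes a stream that was already closed after the first round trip. The commented-out `FileOutputStream` lines look like leftovers from producing `jdk6.serial`, and a short comment saying how that fixture was generated would serve better. Both round trips read well-formed streams only; the `InvalidObjectException` import this commit adds to CertPathValidatorException suggests its readObject rejects some inputs, and if so a case feeding it a stream it should refuse would cover the path that matters for untrusted data.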
Binary file jdk/test/java/security/cert/CertPathValidatorException/cert_file has changed
Binary file jdk/test/java/security/cert/CertPathValidatorException/jdk6.serial has changed
--- a/jdk/test/java/security/cert/PolicyNode/GetPolicyQualifiers.java Thu Sep 11 17:46:53 2008 +0100
+++ b/jdk/test/java/security/cert/PolicyNode/GetPolicyQualifiers.java Thu Sep 11 18:13:51 2008 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright 2001 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -74,6 +74,10 @@
throw new Exception("Validation of CertPath containing critical " +
"qualifiers should have failed when policyQualifiersRejected " +
"flag is true");
- } catch (CertPathValidatorException cpve) {}
+ } catch (CertPathValidatorException cpve) {
+ if (cpve.getReason() != PKIXReason.INVALID_POLICY) {
+ throw new Exception("unexpected reason: " + cpve.getReason());
+ }
+ }
}
}