Java Code Examples for java.security.cert.PKIXReason#NOT_CA_CERT

The following examples show how to use java.security.cert.PKIXReason#NOT_CA_CERT . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: ConstraintsChecker.java    From dragonwell8_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 2
Source File: ConstraintsChecker.java    From TencentKona-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 3
Source File: ConstraintsChecker.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 4
Source File: ConstraintsChecker.java    From openjdk-jdk8u with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 5
Source File: ConstraintsChecker.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 6
Source File: ConstraintsChecker.java    From Bytecoder with Apache License 2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 7
Source File: ConstraintsChecker.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 8
Source File: ConstraintsChecker.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 9
Source File: ConstraintsChecker.java    From hottub with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 10
Source File: ConstraintsChecker.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i);
        debug.println("maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 11
Source File: ConstraintsChecker.java    From openjdk-8 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i);
        debug.println("maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 12
Source File: ConstraintsChecker.java    From jdk8u_jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 13
Source File: ConstraintsChecker.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 14
Source File: ConstraintsChecker.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}
 
Example 15
Source File: ConstraintsChecker.java    From j2objc with Apache License 2.0 4 votes vote down vote up
/**
 * Internal method to check that a given cert meets basic constraints.
 */
private void checkBasicConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    String msg = "basic constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
        debug.println("i = " + i +
                    ", maxPathLength = " + maxPathLength);
    }

    /* check if intermediate cert */
    if (i < certPathLength) {
        // RFC5280: If certificate i is a version 3 certificate, verify
        // that the basicConstraints extension is present and that cA is
        // set to TRUE.  (If certificate i is a version 1 or version 2
        // certificate, then the application MUST either verify that
        // certificate i is a CA certificate through out-of-band means
        // or reject the certificate.  Conforming implementations may
        // choose to reject all version 1 and version 2 intermediate
        // certificates.)
        //
        // We choose to reject all version 1 and version 2 intermediate
        // certificates except that it is self issued by the trust
        // anchor in order to support key rollover or changes in
        // certificate policies.
        int pathLenConstraint = -1;
        if (currCert.getVersion() < 3) {    // version 1 or version 2
            if (i == 1) {                   // issued by a trust anchor
                if (X509CertImpl.isSelfIssued(currCert)) {
                    pathLenConstraint = Integer.MAX_VALUE;
                }
            }
        } else {
            pathLenConstraint = currCert.getBasicConstraints();
        }

        if (pathLenConstraint == -1) {
            throw new CertPathValidatorException
                (msg + " check failed: this is not a CA certificate",
                 null, null, -1, PKIXReason.NOT_CA_CERT);
        }

        if (!X509CertImpl.isSelfIssued(currCert)) {
            if (maxPathLength <= 0) {
               throw new CertPathValidatorException
                    (msg + " check failed: pathLenConstraint violated - "
                     + "this cert must be the last cert in the "
                     + "certification path", null, null, -1,
                     PKIXReason.PATH_TOO_LONG);
            }
            maxPathLength--;
        }
        if (pathLenConstraint < maxPathLength)
            maxPathLength = pathLenConstraint;
    }

    if (debug != null) {
        debug.println("after processing, maxPathLength = " + maxPathLength);
        debug.println(msg + " verified.");
    }
}