Java Code Examples for sun.security.util.AnchorCertificates#contains()

The following examples show how to use sun.security.util.AnchorCertificates#contains() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: X509TrustManagerImpl.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
static void checkIdentity(SSLSession session,
        X509Certificate[] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    // check if EE certificate chains to a public root CA (as
    // pre-installed in cacerts)
    boolean chainsToPublicCA = AnchorCertificates.contains(
            trustedChain[trustedChain.length - 1]);

    boolean identifiable = false;
    String peerHost = session.getPeerHost();
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        String sniHostName = getHostNameInSNI(sniNames);
        if (sniHostName != null) {
            try {
                checkIdentity(sniHostName,
                        trustedChain[0], algorithm, chainsToPublicCA);
                identifiable = true;
            } catch (CertificateException ce) {
                if (sniHostName.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }

                // otherwisw, failover to check peer host
            }
        }
    }

    if (!identifiable) {
        checkIdentity(peerHost,
                trustedChain[0], algorithm, chainsToPublicCA);
    }
}
 
Example 2
Source File: AlgorithmChecker.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 3
Source File: AlgorithmChecker.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 4
Source File: AlgorithmChecker.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 5
Source File: AlgorithmChecker.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 6
Source File: X509TrustManagerImpl.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
static void checkIdentity(SSLSession session,
        X509Certificate[] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    // check if EE certificate chains to a public root CA (as
    // pre-installed in cacerts)
    boolean chainsToPublicCA = AnchorCertificates.contains(
            trustedChain[trustedChain.length - 1]);

    boolean identifiable = false;
    String peerHost = session.getPeerHost();
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        String sniHostName = getHostNameInSNI(sniNames);
        if (sniHostName != null) {
            try {
                checkIdentity(sniHostName,
                        trustedChain[0], algorithm, chainsToPublicCA);
                identifiable = true;
            } catch (CertificateException ce) {
                if (sniHostName.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }

                // otherwisw, failover to check peer host
            }
        }
    }

    if (!identifiable) {
        checkIdentity(peerHost,
                trustedChain[0], algorithm, chainsToPublicCA);
    }
}
 
Example 7
Source File: AlgorithmChecker.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 8
Source File: AlgorithmChecker.java    From openjdk-jdk9 with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 9
Source File: AlgorithmChecker.java    From jdk8u-jdk with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 10
Source File: AlgorithmChecker.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
private static boolean checkFingerprint(X509Certificate cert) {
    if (!publicCALimits) {
        return false;
    }

    if (debug != null) {
        debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
    }
    return AnchorCertificates.contains(cert);
}
 
Example 11
Source File: X509TrustManagerImpl.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
private void checkTrusted(X509Certificate[] chain, String authType,
            Socket socket, boolean isClient) throws CertificateException {
    Validator v = checkTrustedInit(chain, authType, isClient);

    X509Certificate[] trustedChain = null;
    if ((socket != null) && socket.isConnected() &&
                                    (socket instanceof SSLSocket)) {

        SSLSocket sslSocket = (SSLSocket)socket;
        SSLSession session = sslSocket.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }

        // create the algorithm constraints
        ProtocolVersion protocolVersion =
            ProtocolVersion.valueOf(session.getProtocol());
        boolean isExtSession = (session instanceof ExtendedSSLSession);
        AlgorithmConstraints constraints = null;
        if (protocolVersion.v >= ProtocolVersion.TLS12.v && isExtSession) {
            ExtendedSSLSession extSession = (ExtendedSSLSession)session;
            String[] localSupportedSignAlgs =
                    extSession.getLocalSupportedSignatureAlgorithms();

            constraints = new SSLAlgorithmConstraints(
                            sslSocket, localSupportedSignAlgs, false);
        } else {
            constraints = new SSLAlgorithmConstraints(sslSocket, false);
        }

        // Grab any stapled OCSP responses for use in validation
        List<byte[]> responseList = Collections.emptyList();
        if (!isClient && isExtSession) {
            responseList =
                    ((ExtendedSSLSession)session).getStatusResponses();
        }
        trustedChain = validate(v, chain, responseList,
                constraints, isClient ? null : authType);

        // check if EE certificate chains to a public root CA (as
        // pre-installed in cacerts)
        boolean chainsToPublicCA =
            AnchorCertificates.contains(trustedChain[trustedChain.length-1]);

        // check endpoint identity
        String identityAlg = sslSocket.getSSLParameters().
                getEndpointIdentificationAlgorithm();
        if (identityAlg != null && identityAlg.length() != 0) {
            checkIdentity(session, trustedChain[0], identityAlg, isClient,
                    getRequestedServerNames(socket), chainsToPublicCA);
        }
    } else {
        trustedChain = validate(v, chain, Collections.emptyList(),
                null, isClient ? null : authType);
    }
    if (debug != null && Debug.isOn("trustmanager")) {
        System.out.println("Found trusted certificate:");
        System.out.println(trustedChain[trustedChain.length - 1]);
    }
}
 
Example 12
Source File: X509TrustManagerImpl.java    From openjdk-jdk9 with GNU General Public License v2.0 4 votes vote down vote up
private void checkTrusted(X509Certificate[] chain, String authType,
        SSLEngine engine, boolean isClient) throws CertificateException {
    Validator v = checkTrustedInit(chain, authType, isClient);

    X509Certificate[] trustedChain = null;
    if (engine != null) {
        SSLSession session = engine.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }

        // create the algorithm constraints
        ProtocolVersion protocolVersion =
            ProtocolVersion.valueOf(session.getProtocol());
        boolean isExtSession = (session instanceof ExtendedSSLSession);
        AlgorithmConstraints constraints = null;
        if (protocolVersion.v >= ProtocolVersion.TLS12.v && isExtSession) {
            ExtendedSSLSession extSession = (ExtendedSSLSession)session;
            String[] localSupportedSignAlgs =
                    extSession.getLocalSupportedSignatureAlgorithms();

            constraints = new SSLAlgorithmConstraints(
                            engine, localSupportedSignAlgs, false);
        } else {
            constraints = new SSLAlgorithmConstraints(engine, false);
        }

        // Grab any stapled OCSP responses for use in validation
        List<byte[]> responseList = Collections.emptyList();
        if (!isClient && isExtSession) {
            responseList =
                    ((ExtendedSSLSession)session).getStatusResponses();
        }
        trustedChain = validate(v, chain, responseList,
                constraints, isClient ? null : authType);

        // check if EE certificate chains to a public root CA (as
        // pre-installed in cacerts)
        boolean chainsToPublicCA =
            AnchorCertificates.contains(trustedChain[trustedChain.length-1]);

        // check endpoint identity
        String identityAlg = engine.getSSLParameters().
                getEndpointIdentificationAlgorithm();
        if (identityAlg != null && identityAlg.length() != 0) {
            checkIdentity(session, trustedChain[0], identityAlg, isClient,
                    getRequestedServerNames(engine), chainsToPublicCA);
        }
    } else {
        trustedChain = validate(v, chain, Collections.emptyList(),
                null, isClient ? null : authType);
    }
    if (debug != null && Debug.isOn("trustmanager")) {
        System.out.println("Found trusted certificate:");
        System.out.println(trustedChain[trustedChain.length - 1]);
    }
}