Java Code Examples for sun.security.validator.ValidatorException#T_CA_EXTENSIONS
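The following examples show how to use
sun.security.validator.ValidatorException#T_CA_EXTENSIONS.
In each example the constant tags a ValidatorException thrown when a CA certificate's extensions fail a check: basic constraints, key usage, Netscape certificate type, or a critical extension that no check recognised.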
Example 1
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Runs the CA-certificate extension checks on {@code cert} and fails closed
 * when a critical extension is left that none of the checks accounted for.
 *
 * <p>The set of critical extension OIDs is handed to each helper in turn;
 * whatever is still in the set afterwards is treated as an unknown critical
 * extension and the certificate is rejected with
 * {@code ValidatorException.T_CA_EXTENSIONS}.
 *
 * @param cert the certificate being checked as a CA certificate
 * @param maxPathLen the path length budget, passed to
 *        {@code checkBasicConstraints}
 * @return the path length value returned by {@code checkBasicConstraints}
 * @throws CertificateException if one of the helper checks fails or an
 *         unhandled critical extension remains
 */
private int checkExtensions(X509Certificate cert, int maxPathLen)
        throws CertificateException {
    Set<String> pendingCritical = cert.getCriticalExtensionOIDs();
    if (pendingCritical == null) {
        // getCriticalExtensionOIDs() may return null; use an empty set so the
        // helpers and the final emptiness test need no null handling.
        pendingCritical = Collections.<String>emptySet();
    }

    // Basic constraints first: its result is this method's return value.
    final int remainingPathLen =
            checkBasicConstraints(cert, pendingCritical, maxPathLen);

    // Key usage and extended key usage.
    checkKeyUsage(cert, pendingCritical);

    // Netscape certificate type.
    checkNetscapeCertType(cert, pendingCritical);

    if (pendingCritical.isEmpty()) {
        return remainingPathLen;
    }

    // A critical extension nobody handled must not be silently ignored.
    throw new ValidatorException(
            "Certificate contains unknown critical extensions: " + pendingCritical,
            ValidatorException.T_CA_EXTENSIONS, cert);
}
Example 2
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Checks the Netscape certificate type extension of a CA certificate
 * against the CA bit required by the validator's {@code variant}.
 *
 * <p>TLS client/server variants require {@code NSCT_SSL_CA}; code signing
 * and JCE signing variants require {@code NSCT_CODE_SIGNING_CA}. When the
 * required bit check passes, the extension's OID is removed from
 * {@code critSet}. The generic variant performs no check and leaves
 * {@code critSet} untouched, so a critical Netscape certificate type
 * extension stays in the set for the caller to deal with.
 *
 * <p>NOTE(review): how {@code getNetscapeCertTypeBit} answers for a
 * certificate without the extension is not visible here; confirm against
 * that helper.
 *
 * @param cert the CA certificate being checked
 * @param critSet critical extension OIDs not yet accounted for; modified
 *        in place
 * @throws CertificateException if the required bit check fails
 *         (as a {@code ValidatorException} of type
 *         {@code T_CA_EXTENSIONS}) or the variant is not recognised
 */
private void checkNetscapeCertType(X509Certificate cert,
        Set<String> critSet) throws CertificateException {
    if (variant.equals(VAR_GENERIC)) {
        // Generic validation imposes no Netscape cert type requirement.
        return;
    }

    if (variant.equals(VAR_TLS_CLIENT) || variant.equals(VAR_TLS_SERVER)) {
        if (!getNetscapeCertTypeBit(cert, NSCT_SSL_CA)) {
            throw new ValidatorException(
                    "Invalid Netscape CertType extension for SSL CA "
                    + "certificate",
                    ValidatorException.T_CA_EXTENSIONS, cert);
        }
        critSet.remove(OID_NETSCAPE_CERT_TYPE);
        return;
    }

    if (variant.equals(VAR_CODE_SIGNING) || variant.equals(VAR_JCE_SIGNING)) {
        if (!getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING_CA)) {
            throw new ValidatorException(
                    "Invalid Netscape CertType extension for code "
                    + "signing CA certificate",
                    ValidatorException.T_CA_EXTENSIONS, cert);
        }
        critSet.remove(OID_NETSCAPE_CERT_TYPE);
        return;
    }

    // Refuse to validate under a variant this method has no rule for.
    throw new CertificateException("Unknown variant " + variant);
}
Example 3
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Verifies that a CA certificate's key usage extension, when present,
 * asserts {@code keyCertSign}.
 *
 * <p>Both the key usage and extended key usage OIDs are removed from
 * {@code critSet} before any check runs. A certificate for which
 * {@code getKeyUsage()} returns {@code null} passes without further
 * checks.
 *
 * @param cert the CA certificate being checked
 * @param critSet critical extension OIDs not yet accounted for; modified
 *        in place
 * @throws CertificateException as a {@code ValidatorException} of type
 *         {@code T_CA_EXTENSIONS} if key usage is present but does not
 *         include {@code keyCertSign}
 */
private void checkKeyUsage(X509Certificate cert, Set<String> critSet)
        throws CertificateException {
    // Index of the keyCertSign bit in the array returned by getKeyUsage().
    final int keyCertSignBit = 5;

    critSet.remove(OID_KEY_USAGE);
    // EKU irrelevant in CA certificates
    critSet.remove(OID_EXTENDED_KEY_USAGE);

    final boolean[] usageBits = cert.getKeyUsage();
    if (usageBits == null) {
        // No key usage information to check against.
        return;
    }

    // An array too short to hold the keyCertSign bit counts as "not set".
    final boolean maySignCertificates =
            usageBits.length > keyCertSignBit && usageBits[keyCertSignBit];
    if (!maySignCertificates) {
        throw new ValidatorException(
                "Wrong key usage: expected keyCertSign",
                ValidatorException.T_CA_EXTENSIONS, cert);
    }
}
Example 4
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Enforces the basic constraints extension on a CA certificate and
 * computes the path length budget left for the rest of the chain.
 *
 * <p>The certificate is rejected when {@code getBasicConstraints()} is
 * negative, i.e. the extension is missing or does not mark the subject as
 * a CA. For a certificate that is not self-issued, the incoming budget
 * must be positive and is decremented by one; self-issued certificates
 * skip that step. The result is capped at the certificate's own path
 * length constraint.
 *
 * @param cert the CA certificate being checked
 * @param critSet critical extension OIDs not yet accounted for; the basic
 *        constraints OID is removed from it
 * @param maxPathLen the path length budget before this certificate
 * @return the path length budget after this certificate
 * @throws CertificateException as a {@code ValidatorException} of type
 *         {@code T_CA_EXTENSIONS} if the certificate is not a CA or the
 *         path length budget is exhausted
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {
    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int certPathLen = cert.getBasicConstraints();
    // reject, if extension missing or not a CA (value == -1)
    if (certPathLen < 0) {
        throw new ValidatorException(
                "End user tried to act as a CA",
                ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int remaining = maxPathLen;
    // Self-issued certificates are exempt from the path length check and
    // do not consume any of the budget.
    if (!X509CertImpl.isSelfIssued(cert)) {
        if (remaining <= 0) {
            throw new ValidatorException(
                    "Violated path length constraints",
                    ValidatorException.T_CA_EXTENSIONS, cert);
        }
        remaining--;
    }

    // The tighter of the inherited budget and this certificate's own limit.
    return Math.min(remaining, certPathLen);
}