Java Code Examples for sun.security.x509.X509CertImpl#isSelfIssued()
The following examples show how to use
sun.security.x509.X509CertImpl#isSelfIssued() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: SimpleValidator.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
private int checkBasicConstraints(X509Certificate cert, Set<String> critSet, int maxPathLen) throws CertificateException { critSet.remove(OID_BASIC_CONSTRAINTS); int constraints = cert.getBasicConstraints(); // reject, if extension missing or not a CA (constraints == -1) if (constraints < 0) { throw new ValidatorException("End user tried to act as a CA", ValidatorException.T_CA_EXTENSIONS, cert); } // if the certificate is self-issued, ignore the pathLenConstraint // checking. if (!X509CertImpl.isSelfIssued(cert)) { if (maxPathLen <= 0) { throw new ValidatorException("Violated path length constraints", ValidatorException.T_CA_EXTENSIONS, cert); } maxPathLen--; } if (maxPathLen > constraints) { maxPathLen = constraints; } return maxPathLen; }
Example 2
Source File: SimpleValidator.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
private int checkBasicConstraints(X509Certificate cert, Set<String> critSet, int maxPathLen) throws CertificateException { critSet.remove(OID_BASIC_CONSTRAINTS); int constraints = cert.getBasicConstraints(); // reject, if extension missing or not a CA (constraints == -1) if (constraints < 0) { throw new ValidatorException("End user tried to act as a CA", ValidatorException.T_CA_EXTENSIONS, cert); } // if the certificate is self-issued, ignore the pathLenConstraint // checking. if (!X509CertImpl.isSelfIssued(cert)) { if (maxPathLen <= 0) { throw new ValidatorException("Violated path length constraints", ValidatorException.T_CA_EXTENSIONS, cert); } maxPathLen--; } if (maxPathLen > constraints) { maxPathLen = constraints; } return maxPathLen; }
Example 3
Source File: PolicyChecker.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified inhibitAnyPolicy value with the * SkipCerts value of the InhibitAnyPolicy * extension obtained from the certificate. * * @param inhibitAnyPolicy an integer which indicates whether * "any-policy" is considered a match * @param currCert the Certificate to be processed * @return returns the new inhibitAnyPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeInhibitAnyPolicy(int inhibitAnyPolicy, X509CertImpl currCert) throws CertPathValidatorException { if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { inhibitAnyPolicy--; } try { InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension) currCert.getExtension(InhibitAnyPolicy_Id); if (inhAnyPolExt == null) return inhibitAnyPolicy; int skipCerts = inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue(); if (debug != null) debug.println("PolicyChecker.mergeInhibitAnyPolicy() " + "skipCerts Index from cert = " + skipCerts); if (skipCerts != -1) { if (skipCerts < inhibitAnyPolicy) { inhibitAnyPolicy = skipCerts; } } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeInhibitAnyPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return inhibitAnyPolicy; }
Example 4
Source File: ConstraintsChecker.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified maxPathLength with the pathLenConstraint * obtained from the certificate. * * @param cert the <code>X509Certificate</code> * @param maxPathLength the previous maximum path length * @return the new maximum path length constraint (-1 means no more * certificates can follow, Integer.MAX_VALUE means path length is * unconstrained) */ static int mergeBasicConstraints(X509Certificate cert, int maxPathLength) { int pathLenConstraint = cert.getBasicConstraints(); if (!X509CertImpl.isSelfIssued(cert)) { maxPathLength--; } if (pathLenConstraint < maxPathLength) { maxPathLength = pathLenConstraint; } return maxPathLength; }
Example 5
Source File: PolicyChecker.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 6
Source File: PolicyChecker.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 7
Source File: ConstraintsChecker.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/** * Internal method to check the name constraints against a cert */ private void verifyNameConstraints(X509Certificate currCert) throws CertPathValidatorException { String msg = "name constraints"; if (debug != null) { debug.println("---checking " + msg + "..."); } // check name constraints only if there is a previous name constraint // and either the currCert is the final cert or the currCert is not // self-issued if (prevNC != null && ((i == certPathLength) || !X509CertImpl.isSelfIssued(currCert))) { if (debug != null) { debug.println("prevNC = " + prevNC); debug.println("currDN = " + currCert.getSubjectX500Principal()); } try { if (!prevNC.verify(currCert)) { throw new CertPathValidatorException(msg + " check failed", null, null, -1, PKIXReason.INVALID_NAME); } } catch (IOException ioe) { throw new CertPathValidatorException(ioe); } } // merge name constraints regardless of whether cert is self-issued prevNC = mergeNameConstraints(currCert, prevNC); if (debug != null) debug.println(msg + " verified."); }
Example 8
Source File: ConstraintsChecker.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/** * Internal method to check the name constraints against a cert */ private void verifyNameConstraints(X509Certificate currCert) throws CertPathValidatorException { String msg = "name constraints"; if (debug != null) { debug.println("---checking " + msg + "..."); } // check name constraints only if there is a previous name constraint // and either the currCert is the final cert or the currCert is not // self-issued if (prevNC != null && ((i == certPathLength) || !X509CertImpl.isSelfIssued(currCert))) { if (debug != null) { debug.println("prevNC = " + prevNC + ", currDN = " + currCert.getSubjectX500Principal()); } try { if (!prevNC.verify(currCert)) { throw new CertPathValidatorException(msg + " check failed", null, null, -1, PKIXReason.INVALID_NAME); } } catch (IOException ioe) { throw new CertPathValidatorException(ioe); } } // merge name constraints regardless of whether cert is self-issued prevNC = mergeNameConstraints(currCert, prevNC); if (debug != null) debug.println(msg + " verified."); }
Example 9
Source File: ConstraintsChecker.java From hottub with GNU General Public License v2.0 | 5 votes |
/** * Internal method to check the name constraints against a cert */ private void verifyNameConstraints(X509Certificate currCert) throws CertPathValidatorException { String msg = "name constraints"; if (debug != null) { debug.println("---checking " + msg + "..."); } // check name constraints only if there is a previous name constraint // and either the currCert is the final cert or the currCert is not // self-issued if (prevNC != null && ((i == certPathLength) || !X509CertImpl.isSelfIssued(currCert))) { if (debug != null) { debug.println("prevNC = " + prevNC + ", currDN = " + currCert.getSubjectX500Principal()); } try { if (!prevNC.verify(currCert)) { throw new CertPathValidatorException(msg + " check failed", null, null, -1, PKIXReason.INVALID_NAME); } } catch (IOException ioe) { throw new CertPathValidatorException(ioe); } } // merge name constraints regardless of whether cert is self-issued prevNC = mergeNameConstraints(currCert, prevNC); if (debug != null) debug.println(msg + " verified."); }
Example 10
Source File: PolicyChecker.java From hottub with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 11
Source File: PolicyChecker.java From hottub with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified policyMapping value with the * inhibitPolicyMapping field of the <code>PolicyConstraints</code> * extension obtained from the certificate. A policyMapping * value of -1 implies no constraint. * * @param policyMapping an integer which indicates if policy mapping * is inhibited * @param currCert the Certificate to be processed * @return returns the new policyMapping value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergePolicyMapping(int policyMapping, X509CertImpl currCert) throws CertPathValidatorException { if ((policyMapping > 0) && !X509CertImpl.isSelfIssued(currCert)) { policyMapping--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return policyMapping; int inhibit = polConstExt.get(PolicyConstraintsExtension.INHIBIT).intValue(); if (debug != null) debug.println("PolicyChecker.mergePolicyMapping() " + "inhibit Index from cert = " + inhibit); if (inhibit != -1) { if ((policyMapping == -1) || (inhibit < policyMapping)) { policyMapping = inhibit; } } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergePolicyMapping " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return policyMapping; }
Example 12
Source File: PolicyChecker.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 13
Source File: PolicyChecker.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified inhibitAnyPolicy value with the * SkipCerts value of the InhibitAnyPolicy * extension obtained from the certificate. * * @param inhibitAnyPolicy an integer which indicates whether * "any-policy" is considered a match * @param currCert the Certificate to be processed * @return returns the new inhibitAnyPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeInhibitAnyPolicy(int inhibitAnyPolicy, X509CertImpl currCert) throws CertPathValidatorException { if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { inhibitAnyPolicy--; } try { InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension) currCert.getExtension(InhibitAnyPolicy_Id); if (inhAnyPolExt == null) return inhibitAnyPolicy; int skipCerts = inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue(); if (debug != null) debug.println("PolicyChecker.mergeInhibitAnyPolicy() " + "skipCerts Index from cert = " + skipCerts); if (skipCerts != -1) { if (skipCerts < inhibitAnyPolicy) { inhibitAnyPolicy = skipCerts; } } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeInhibitAnyPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return inhibitAnyPolicy; }
Example 14
Source File: PolicyChecker.java From Bytecoder with Apache License 2.0 | 5 votes |
/** * Merges the specified inhibitAnyPolicy value with the * SkipCerts value of the InhibitAnyPolicy * extension obtained from the certificate. * * @param inhibitAnyPolicy an integer which indicates whether * "any-policy" is considered a match * @param currCert the Certificate to be processed * @return returns the new inhibitAnyPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeInhibitAnyPolicy(int inhibitAnyPolicy, X509CertImpl currCert) throws CertPathValidatorException { if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { inhibitAnyPolicy--; } try { InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension) currCert.getExtension(InhibitAnyPolicy_Id); if (inhAnyPolExt == null) return inhibitAnyPolicy; int skipCerts = inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue(); if (debug != null) debug.println("PolicyChecker.mergeInhibitAnyPolicy() " + "skipCerts Index from cert = " + skipCerts); if (skipCerts != -1) { if (skipCerts < inhibitAnyPolicy) { inhibitAnyPolicy = skipCerts; } } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeInhibitAnyPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return inhibitAnyPolicy; }
Example 15
Source File: PolicyChecker.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 16
Source File: PolicyChecker.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 17
Source File: PolicyChecker.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/** * Merges the specified explicitPolicy value with the * requireExplicitPolicy field of the <code>PolicyConstraints</code> * extension obtained from the certificate. An explicitPolicy * value of -1 implies no constraint. * * @param explicitPolicy an integer which indicates if a non-null * valid policy tree is required * @param currCert the Certificate to be processed * @param finalCert a boolean indicating whether currCert is * the final cert in the cert path * @return returns the new explicitPolicy value * @exception CertPathValidatorException Exception thrown if an error * occurs */ static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException { if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) { explicitPolicy--; } try { PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension(); if (polConstExt == null) return explicitPolicy; int require = polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue(); if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy() " + "require Index from cert = " + require); } if (!finalCert) { if (require != -1) { if ((explicitPolicy == -1) || (require < explicitPolicy)) { explicitPolicy = require; } } } else { if (require == 0) explicitPolicy = require; } } catch (IOException e) { if (debug != null) { debug.println("PolicyChecker.mergeExplicitPolicy " + "unexpected exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } return explicitPolicy; }
Example 18
Source File: ForwardState.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 4 votes |
/** * Update the state with the next certificate added to the path. * * @param cert the certificate which is used to update the state */ @Override public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException { if (cert == null) return; X509CertImpl icert = X509CertImpl.toImpl(cert); /* see if certificate key has null parameters */ if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) { keyParamsNeededFlag = true; } /* update certificate */ this.cert = icert; /* update issuer DN */ issuerDN = cert.getIssuerX500Principal(); if (!X509CertImpl.isSelfIssued(cert)) { /* * update traversedCACerts only if this is a non-self-issued * intermediate CA cert */ if (!init && cert.getBasicConstraints() != -1) { traversedCACerts++; } } /* update subjectNamesTraversed only if this is the EE cert or if this cert is not self-issued */ if (init || !X509CertImpl.isSelfIssued(cert)){ X500Principal subjName = cert.getSubjectX500Principal(); subjectNamesTraversed.add(X500Name.asX500Name(subjName)); try { SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension(); if (subjAltNameExt != null) { GeneralNames gNames = subjAltNameExt.get( SubjectAlternativeNameExtension.SUBJECT_NAME); for (GeneralName gName : gNames.names()) { subjectNamesTraversed.add(gName.getName()); } } } catch (IOException e) { if (debug != null) { debug.println("ForwardState.updateState() unexpected " + "exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } } init = false; }
Example 19
Source File: ConstraintsChecker.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 4 votes |
/** * Internal method to check that a given cert meets basic constraints. */ private void checkBasicConstraints(X509Certificate currCert) throws CertPathValidatorException { String msg = "basic constraints"; if (debug != null) { debug.println("---checking " + msg + "..."); debug.println("i = " + i + ", maxPathLength = " + maxPathLength); } /* check if intermediate cert */ if (i < certPathLength) { // RFC5280: If certificate i is a version 3 certificate, verify // that the basicConstraints extension is present and that cA is // set to TRUE. (If certificate i is a version 1 or version 2 // certificate, then the application MUST either verify that // certificate i is a CA certificate through out-of-band means // or reject the certificate. Conforming implementations may // choose to reject all version 1 and version 2 intermediate // certificates.) // // We choose to reject all version 1 and version 2 intermediate // certificates except that it is self issued by the trust // anchor in order to support key rollover or changes in // certificate policies. int pathLenConstraint = -1; if (currCert.getVersion() < 3) { // version 1 or version 2 if (i == 1) { // issued by a trust anchor if (X509CertImpl.isSelfIssued(currCert)) { pathLenConstraint = Integer.MAX_VALUE; } } } else { pathLenConstraint = currCert.getBasicConstraints(); } if (pathLenConstraint == -1) { throw new CertPathValidatorException (msg + " check failed: this is not a CA certificate", null, null, -1, PKIXReason.NOT_CA_CERT); } if (!X509CertImpl.isSelfIssued(currCert)) { if (maxPathLength <= 0) { throw new CertPathValidatorException (msg + " check failed: pathLenConstraint violated - " + "this cert must be the last cert in the " + "certification path", null, null, -1, PKIXReason.PATH_TOO_LONG); } maxPathLength--; } if (pathLenConstraint < maxPathLength) maxPathLength = pathLenConstraint; } if (debug != null) { debug.println("after processing, maxPathLength = " + maxPathLength); debug.println(msg + " verified."); } }
Example 20
Source File: ForwardState.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
/** * Update the state with the next certificate added to the path. * * @param cert the certificate which is used to update the state */ @Override public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException { if (cert == null) return; X509CertImpl icert = X509CertImpl.toImpl(cert); /* see if certificate key has null parameters */ if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) { keyParamsNeededFlag = true; } /* update certificate */ this.cert = icert; /* update issuer DN */ issuerDN = cert.getIssuerX500Principal(); if (!X509CertImpl.isSelfIssued(cert)) { /* * update traversedCACerts only if this is a non-self-issued * intermediate CA cert */ if (!init && cert.getBasicConstraints() != -1) { traversedCACerts++; } } /* update subjectNamesTraversed only if this is the EE cert or if this cert is not self-issued */ if (init || !X509CertImpl.isSelfIssued(cert)){ X500Principal subjName = cert.getSubjectX500Principal(); subjectNamesTraversed.add(X500Name.asX500Name(subjName)); try { SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension(); if (subjAltNameExt != null) { GeneralNames gNames = subjAltNameExt.get( SubjectAlternativeNameExtension.SUBJECT_NAME); for (GeneralName gName : gNames.names()) { subjectNamesTraversed.add(gName.getName()); } } } catch (IOException e) { if (debug != null) { debug.println("ForwardState.updateState() unexpected " + "exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } } init = false; }