Java Code Examples for java.security.cert.X509CertSelector#setIssuer()

The following examples show how to use java.security.cert.X509CertSelector#setIssuer() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: X509CertSelectorTest.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 2
Source File: X509CertSelectorTest.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 3
Source File: X509CertSelectorTest.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 4
Source File: X509CertSelectorTest.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 5
Source File: X509CertSelectorTest.java    From openjdk-jdk9 with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 6
Source File: X509CertSelectorTest.java    From jdk8u-jdk with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 7
Source File: KeyInfoProcessor.java    From xades4j with GNU Lesser General Public License v3.0 5 votes vote down vote up
private static KeyInfoRes tryUseSigningCertificateReference(CertRef signingCertRef, X500NameStyleProvider x500NameStyleProvider) throws CertificateValidationException
{
    if (signingCertRef == null)
    {
        throw new InvalidKeyInfoDataException("Could not identify the leaf certificate using X509Datas in KeyInfo");
    }

    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setIssuer(x500NameStyleProvider.fromString(signingCertRef.issuerDN));
    certSelector.setSerialNumber(signingCertRef.serialNumber);
    
    return new KeyInfoRes(certSelector);     
}
 
Example 8
Source File: X509CertSelectorTest.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
private void testIssuer() throws IOException {
    System.out.println("X.509 Certificate Match on issuer");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
    checkMatch(selector, cert, false);

    // good match
    selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
    checkMatch(selector, cert, true);
}
 
Example 9
Source File: ReverseBuilder.java    From j2objc with Apache License 2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 
Example 10
Source File: ReverseBuilder.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 
Example 11
Source File: ReverseBuilder.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 
Example 12
Source File: ReverseBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 
Example 13
Source File: ReverseBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 
Example 14
Source File: KeyInfoProcessor.java    From xades4j with GNU Lesser General Public License v3.0 4 votes vote down vote up
static KeyInfoRes process(
        KeyInfo keyInfo, CertRef signingCertRef, X500NameStyleProvider x500NameStyleProvider) throws CertificateValidationException
{
    if (null == keyInfo || !keyInfo.containsX509Data())
    {
        return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider);
    }
    
    List<X509Certificate> keyInfoCerts = new ArrayList<X509Certificate>(1);
    XMLX509IssuerSerial issuerSerial = null;
    X509CertSelector certSelector = new X509CertSelector();

    // XML-DSIG 4.4.4: "Any X509IssuerSerial, X509SKI, and X509SubjectName elements
    // that appear MUST refer to the certificate or certificates containing the
    // validation key."
    // "All certificates appearing in an X509Data element MUST relate to the
    // validation key by either containing it or being part of a certification
    // chain that terminates in a certificate containing the validation key".

    // Scan ds:X509Data to find ds:IssuerSerial or ds:SubjectName elements. The
    // first to be found is used to select the leaf certificate. If none of those
    // elements is present, the first ds:X509Certificate is assumed as the signing
    // certificate.
    boolean hasSelectionCriteria = false;

    try
    {
        for (int i = 0; i < keyInfo.lengthX509Data(); ++i)
        {
            X509Data x509Data = keyInfo.itemX509Data(i);

            if (!hasSelectionCriteria)
            {
                if (x509Data.containsIssuerSerial())
                {
                    issuerSerial = x509Data.itemIssuerSerial(0);
                    certSelector.setIssuer(x500NameStyleProvider.fromString(issuerSerial.getIssuerName()));
                    certSelector.setSerialNumber(issuerSerial.getSerialNumber());
                    hasSelectionCriteria = true;
                }
                else if (x509Data.containsSubjectName())
                {
                    certSelector.setSubject(x500NameStyleProvider.fromString(x509Data.itemSubjectName(0).getSubjectName()));
                    hasSelectionCriteria = true;
                }
            }

            // Collect all certificates as they may be needed to build the cert path.
            if (x509Data.containsCertificate())
            {
                for (int j = 0; j < x509Data.lengthCertificate(); ++j)
                {
                    keyInfoCerts.add(x509Data.itemCertificate(j).getX509Certificate());
                }
            }
        }

        if (!hasSelectionCriteria)
        {
            if (keyInfoCerts.isEmpty())
            {
                return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider);
            }

            certSelector.setCertificate(keyInfoCerts.get(0));
        }
    }
    catch (XMLSecurityException ex)
    {
        throw new InvalidKeyInfoDataException("Cannot process X509Data", ex);
    }

    return new KeyInfoRes(certSelector, keyInfoCerts, issuerSerial);
}
 
Example 15
Source File: ReverseBuilder.java    From j2objc with Apache License 2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 
Example 16
Source File: ReverseBuilder.java    From openjdk-8 with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 
Example 17
Source File: ReverseBuilder.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 
Example 18
Source File: ReverseBuilder.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 
Example 19
Source File: ReverseBuilder.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 
Example 20
Source File: ReverseBuilder.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}