34 import java.security.PublicKey;
35 import java.security.SignatureException;
36 import java.security.cert.Certificate;
37 import java.security.cert.CertificateExpiredException;
38 import java.security.cert.CertificateNotYetValidException;
39 import java.security.cert.CertPathValidatorException;
40 import java.security.cert.CertPathValidatorException.BasicReason;
41 import java.security.cert.X509Certificate;
42 import java.security.cert.PKIXCertPathChecker;
43 import java.security.cert.PKIXReason;
44 import java.security.cert.TrustAnchor;
45 import java.security.interfaces.DSAParams;
46 import java.security.interfaces.DSAPublicKey;
47 import java.security.spec.DSAPublicKeySpec;
48 import javax.security.auth.x500.X500Principal;
49 import sun.security.x509.X500Name;
50 import sun.security.util.Debug;
51
52 /**
53 * BasicChecker is a PKIXCertPathChecker that checks the basic information
54 * on a PKIX certificate, namely the signature, timestamp, and subject/issuer
55 * name chaining.
56 *
57 * @since 1.4
58 * @author Yassir Elley
59 */
60 class BasicChecker extends PKIXCertPathChecker {
61
62 private static final Debug debug = Debug.getInstance("certpath");
63 private final PublicKey trustedPubKey;
64 private final X500Principal caName;
65 private final Date date;
66 private final String sigProvider;
67 private final boolean sigOnly;
68 private X500Principal prevSubject;
69 private PublicKey prevPubKey;
70
71 /**
72 * Constructor that initializes the input parameters.
73 *
74 * @param anchor the anchor selected to validate the target certificate
108 throw new CertPathValidatorException("Key parameters missing");
109 }
110 prevSubject = caName;
111 } else {
112 throw new
113 CertPathValidatorException("forward checking not supported");
114 }
115 }
116
117 @Override
118 public boolean isForwardCheckingSupported() {
119 return false;
120 }
121
122 @Override
123 public Set<String> getSupportedExtensions() {
124 return null;
125 }
126
127 /**
128 * Performs the signature, timestamp, and subject/issuer name chaining
129 * checks on the certificate using its internal state. This method does
130 * not remove any critical extensions from the Collection.
131 *
132 * @param cert the Certificate
133 * @param unresolvedCritExts a Collection of the unresolved critical
134 * extensions
135 * @throws CertPathValidatorException if certificate does not verify
136 */
137 @Override
138 public void check(Certificate cert, Collection<String> unresolvedCritExts)
139 throws CertPathValidatorException
140 {
141 X509Certificate currCert = (X509Certificate)cert;
142
143 if (!sigOnly) {
144 verifyTimestamp(currCert);
145 verifyNameChaining(currCert);
146 }
147 verifySignature(currCert);
148
149 updateState(currCert);
150 }
151
152 /**
153 * Verifies the signature on the certificate using the previous public key.
154 *
155 * @param cert the X509Certificate
156 * @throws CertPathValidatorException if certificate does not verify
157 */
158 private void verifySignature(X509Certificate cert)
159 throws CertPathValidatorException
160 {
161 String msg = "signature";
162 if (debug != null)
163 debug.println("---checking " + msg + "...");
164
165 try {
166 cert.verify(prevPubKey, sigProvider);
167 } catch (SignatureException e) {
168 throw new CertPathValidatorException
169 (msg + " check failed", e, null, -1,
170 BasicReason.INVALID_SIGNATURE);
171 } catch (GeneralSecurityException e) {
172 throw new CertPathValidatorException(msg + " check failed", e);
173 }
174
175 if (debug != null)
176 debug.println(msg + " verified.");
177 }
178
179 /**
180 * Internal method to verify the timestamp on a certificate
181 */
182 private void verifyTimestamp(X509Certificate cert)
183 throws CertPathValidatorException
184 {
185 String msg = "timestamp";
186 if (debug != null)
187 debug.println("---checking " + msg + ":" + date.toString() + "...");
188
189 try {
190 cert.checkValidity(date);
191 } catch (CertificateExpiredException e) {
192 throw new CertPathValidatorException
193 (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
194 } catch (CertificateNotYetValidException e) {
195 throw new CertPathValidatorException
196 (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
197 }
198
199 if (debug != null)
200 debug.println(msg + " verified.");
201 }
202
203 /**
204 * Internal method to check that cert has a valid DN to be next in a chain
205 */
34 import java.security.PublicKey;
35 import java.security.SignatureException;
36 import java.security.cert.Certificate;
37 import java.security.cert.CertificateExpiredException;
38 import java.security.cert.CertificateNotYetValidException;
39 import java.security.cert.CertPathValidatorException;
40 import java.security.cert.CertPathValidatorException.BasicReason;
41 import java.security.cert.X509Certificate;
42 import java.security.cert.PKIXCertPathChecker;
43 import java.security.cert.PKIXReason;
44 import java.security.cert.TrustAnchor;
45 import java.security.interfaces.DSAParams;
46 import java.security.interfaces.DSAPublicKey;
47 import java.security.spec.DSAPublicKeySpec;
48 import javax.security.auth.x500.X500Principal;
49 import sun.security.x509.X500Name;
50 import sun.security.util.Debug;
51
52 /**
53 * BasicChecker is a PKIXCertPathChecker that checks the basic information
54 * on a PKIX certificate, namely the signature, validity, and subject/issuer
55 * name chaining.
56 *
57 * @since 1.4
58 * @author Yassir Elley
59 */
60 class BasicChecker extends PKIXCertPathChecker {
61
62 private static final Debug debug = Debug.getInstance("certpath");
63 private final PublicKey trustedPubKey;
64 private final X500Principal caName;
65 private final Date date;
66 private final String sigProvider;
67 private final boolean sigOnly;
68 private X500Principal prevSubject;
69 private PublicKey prevPubKey;
70
71 /**
72 * Constructor that initializes the input parameters.
73 *
74 * @param anchor the anchor selected to validate the target certificate
108 throw new CertPathValidatorException("Key parameters missing");
109 }
110 prevSubject = caName;
111 } else {
112 throw new
113 CertPathValidatorException("forward checking not supported");
114 }
115 }
116
117 @Override
118 public boolean isForwardCheckingSupported() {
119 return false;
120 }
121
122 @Override
123 public Set<String> getSupportedExtensions() {
124 return null;
125 }
126
127 /**
128 * Performs the signature, validity, and subject/issuer name chaining
129 * checks on the certificate using its internal state. This method does
130 * not remove any critical extensions from the Collection.
131 *
132 * @param cert the Certificate
133 * @param unresolvedCritExts a Collection of the unresolved critical
134 * extensions
135 * @throws CertPathValidatorException if certificate does not verify
136 */
137 @Override
138 public void check(Certificate cert, Collection<String> unresolvedCritExts)
139 throws CertPathValidatorException
140 {
141 X509Certificate currCert = (X509Certificate)cert;
142
143 if (!sigOnly) {
144 verifyValidity(currCert);
145 verifyNameChaining(currCert);
146 }
147 verifySignature(currCert);
148
149 updateState(currCert);
150 }
151
152 /**
153 * Verifies the signature on the certificate using the previous public key.
154 *
155 * @param cert the X509Certificate
156 * @throws CertPathValidatorException if certificate does not verify
157 */
158 private void verifySignature(X509Certificate cert)
159 throws CertPathValidatorException
160 {
161 String msg = "signature";
162 if (debug != null)
163 debug.println("---checking " + msg + "...");
164
165 try {
166 cert.verify(prevPubKey, sigProvider);
167 } catch (SignatureException e) {
168 throw new CertPathValidatorException
169 (msg + " check failed", e, null, -1,
170 BasicReason.INVALID_SIGNATURE);
171 } catch (GeneralSecurityException e) {
172 throw new CertPathValidatorException(msg + " check failed", e);
173 }
174
175 if (debug != null)
176 debug.println(msg + " verified.");
177 }
178
179 /**
180 * Internal method to verify the validity on a certificate
181 */
182 private void verifyValidity(X509Certificate cert)
183 throws CertPathValidatorException
184 {
185 String msg = "validity";
186 if (debug != null)
187 debug.println("---checking " + msg + ":" + date.toString() + "...");
188
189 try {
190 cert.checkValidity(date);
191 } catch (CertificateExpiredException e) {
192 throw new CertPathValidatorException
193 (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
194 } catch (CertificateNotYetValidException e) {
195 throw new CertPathValidatorException
196 (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
197 }
198
199 if (debug != null)
200 debug.println(msg + " verified.");
201 }
202
203 /**
204 * Internal method to check that cert has a valid DN to be next in a chain
205 */