
src/share/classes/sun/security/provider/certpath/BasicChecker.java

rev 12532 : 8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
Reviewed-by: coffeys


  34 import java.security.PublicKey;
  35 import java.security.SignatureException;
  36 import java.security.cert.Certificate;
  37 import java.security.cert.CertificateExpiredException;
  38 import java.security.cert.CertificateNotYetValidException;
  39 import java.security.cert.CertPathValidatorException;
  40 import java.security.cert.CertPathValidatorException.BasicReason;
  41 import java.security.cert.X509Certificate;
  42 import java.security.cert.PKIXCertPathChecker;
  43 import java.security.cert.PKIXReason;
  44 import java.security.cert.TrustAnchor;
  45 import java.security.interfaces.DSAParams;
  46 import java.security.interfaces.DSAPublicKey;
  47 import java.security.spec.DSAPublicKeySpec;
  48 import javax.security.auth.x500.X500Principal;
  49 import sun.security.x509.X500Name;
  50 import sun.security.util.Debug;
  51 
  52 /**
  53  * BasicChecker is a PKIXCertPathChecker that checks the basic information
  54  * on a PKIX certificate, namely the signature, timestamp, and subject/issuer
  55  * name chaining.
  56  *
  57  * @since       1.4
  58  * @author      Yassir Elley
  59  */
  60 class BasicChecker extends PKIXCertPathChecker {
  61 
  62     private static final Debug debug = Debug.getInstance("certpath");
  63     private final PublicKey trustedPubKey;
  64     private final X500Principal caName;
  65     private final Date date;
  66     private final String sigProvider;
  67     private final boolean sigOnly;
  68     private X500Principal prevSubject;
  69     private PublicKey prevPubKey;
  70 
  71     /**
  72      * Constructor that initializes the input parameters.
  73      *
  74      * @param anchor the anchor selected to validate the target certificate


 108                 throw new CertPathValidatorException("Key parameters missing");
 109             }
 110             prevSubject = caName;
 111         } else {
 112             throw new
 113                 CertPathValidatorException("forward checking not supported");
 114         }
 115     }
 116 
 117     @Override
 118     public boolean isForwardCheckingSupported() {
 119         return false;
 120     }
 121 
 122     @Override
 123     public Set<String> getSupportedExtensions() {
 124         return null;
 125     }
 126 
 127     /**
 128      * Performs the signature, timestamp, and subject/issuer name chaining
 129      * checks on the certificate using its internal state. This method does
 130      * not remove any critical extensions from the Collection.
 131      *
 132      * @param cert the Certificate
 133      * @param unresolvedCritExts a Collection of the unresolved critical
 134      * extensions
 135      * @throws CertPathValidatorException if certificate does not verify
 136      */
 137     @Override
 138     public void check(Certificate cert, Collection<String> unresolvedCritExts)
 139         throws CertPathValidatorException
 140     {
 141         X509Certificate currCert = (X509Certificate)cert;
 142 
 143         if (!sigOnly) {
 144             verifyTimestamp(currCert);
 145             verifyNameChaining(currCert);
 146         }
 147         verifySignature(currCert);
 148 
 149         updateState(currCert);
 150     }
 151 
 152     /**
 153      * Verifies the signature on the certificate using the previous public key.
 154      *
 155      * @param cert the X509Certificate
 156      * @throws CertPathValidatorException if certificate does not verify
 157      */
 158     private void verifySignature(X509Certificate cert)
 159         throws CertPathValidatorException
 160     {
 161         String msg = "signature";
 162         if (debug != null)
 163             debug.println("---checking " + msg + "...");
 164 
 165         try {
 166             cert.verify(prevPubKey, sigProvider);
 167         } catch (SignatureException e) {
 168             throw new CertPathValidatorException
 169                 (msg + " check failed", e, null, -1,
 170                  BasicReason.INVALID_SIGNATURE);
 171         } catch (GeneralSecurityException e) {
 172             throw new CertPathValidatorException(msg + " check failed", e);
 173         }
 174 
 175         if (debug != null)
 176             debug.println(msg + " verified.");
 177     }
 178 
 179     /**
 180      * Internal method to verify the timestamp on a certificate
 181      */
 182     private void verifyTimestamp(X509Certificate cert)
 183         throws CertPathValidatorException
 184     {
 185         String msg = "timestamp";
 186         if (debug != null)
 187             debug.println("---checking " + msg + ":" + date.toString() + "...");
 188 
 189         try {
 190             cert.checkValidity(date);
 191         } catch (CertificateExpiredException e) {
 192             throw new CertPathValidatorException
 193                 (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
 194         } catch (CertificateNotYetValidException e) {
 195             throw new CertPathValidatorException
 196                 (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
 197         }
 198 
 199         if (debug != null)
 200             debug.println(msg + " verified.");
 201     }
 202 
 203     /**
 204      * Internal method to check that cert has a valid DN to be next in a chain
 205      */




  34 import java.security.PublicKey;
  35 import java.security.SignatureException;
  36 import java.security.cert.Certificate;
  37 import java.security.cert.CertificateExpiredException;
  38 import java.security.cert.CertificateNotYetValidException;
  39 import java.security.cert.CertPathValidatorException;
  40 import java.security.cert.CertPathValidatorException.BasicReason;
  41 import java.security.cert.X509Certificate;
  42 import java.security.cert.PKIXCertPathChecker;
  43 import java.security.cert.PKIXReason;
  44 import java.security.cert.TrustAnchor;
  45 import java.security.interfaces.DSAParams;
  46 import java.security.interfaces.DSAPublicKey;
  47 import java.security.spec.DSAPublicKeySpec;
  48 import javax.security.auth.x500.X500Principal;
  49 import sun.security.x509.X500Name;
  50 import sun.security.util.Debug;
  51 
  52 /**
  53  * BasicChecker is a PKIXCertPathChecker that checks the basic information
  54  * on a PKIX certificate, namely the signature, validity, and subject/issuer
  55  * name chaining.
  56  *
  57  * @since       1.4
  58  * @author      Yassir Elley
  59  */
  60 class BasicChecker extends PKIXCertPathChecker {
  61 
  62     private static final Debug debug = Debug.getInstance("certpath");
  63     private final PublicKey trustedPubKey;
  64     private final X500Principal caName;
  65     private final Date date;
  66     private final String sigProvider;
  67     private final boolean sigOnly;
  68     private X500Principal prevSubject;
  69     private PublicKey prevPubKey;
  70 
  71     /**
  72      * Constructor that initializes the input parameters.
  73      *
  74      * @param anchor the anchor selected to validate the target certificate


 108                 throw new CertPathValidatorException("Key parameters missing");
 109             }
 110             prevSubject = caName;
 111         } else {
 112             throw new
 113                 CertPathValidatorException("forward checking not supported");
 114         }
 115     }
 116 
 117     @Override
 118     public boolean isForwardCheckingSupported() {
 119         return false;
 120     }
 121 
 122     @Override
 123     public Set<String> getSupportedExtensions() {
 124         return null;
 125     }
 126 
 127     /**
 128      * Performs the signature, validity, and subject/issuer name chaining
 129      * checks on the certificate using its internal state. This method does
 130      * not remove any critical extensions from the Collection.
 131      *
 132      * @param cert the Certificate
 133      * @param unresolvedCritExts a Collection of the unresolved critical
 134      * extensions
 135      * @throws CertPathValidatorException if certificate does not verify
 136      */
 137     @Override
 138     public void check(Certificate cert, Collection<String> unresolvedCritExts)
 139         throws CertPathValidatorException
 140     {
 141         X509Certificate currCert = (X509Certificate)cert;
 142 
 143         if (!sigOnly) {
 144             verifyValidity(currCert);
 145             verifyNameChaining(currCert);
 146         }
 147         verifySignature(currCert);
 148 
 149         updateState(currCert);
 150     }
 151 
 152     /**
 153      * Verifies the signature on the certificate using the previous public key.
 154      *
 155      * @param cert the X509Certificate
 156      * @throws CertPathValidatorException if certificate does not verify
 157      */
 158     private void verifySignature(X509Certificate cert)
 159         throws CertPathValidatorException
 160     {
 161         String msg = "signature";
 162         if (debug != null)
 163             debug.println("---checking " + msg + "...");
 164 
 165         try {
 166             cert.verify(prevPubKey, sigProvider);
 167         } catch (SignatureException e) {
 168             throw new CertPathValidatorException
 169                 (msg + " check failed", e, null, -1,
 170                  BasicReason.INVALID_SIGNATURE);
 171         } catch (GeneralSecurityException e) {
 172             throw new CertPathValidatorException(msg + " check failed", e);
 173         }
 174 
 175         if (debug != null)
 176             debug.println(msg + " verified.");
 177     }
 178 
 179     /**
 180      * Internal method to verify the validity on a certificate
 181      */
 182     private void verifyValidity(X509Certificate cert)
 183         throws CertPathValidatorException
 184     {
 185         String msg = "validity";
 186         if (debug != null)
 187             debug.println("---checking " + msg + ":" + date.toString() + "...");
 188 
 189         try {
 190             cert.checkValidity(date);
 191         } catch (CertificateExpiredException e) {
 192             throw new CertPathValidatorException
 193                 (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
 194         } catch (CertificateNotYetValidException e) {
 195             throw new CertPathValidatorException
 196                 (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
 197         }
 198 
 199         if (debug != null)
 200             debug.println(msg + " verified.");
 201     }
 202 
 203     /**
 204      * Internal method to check that cert has a valid DN to be next in a chain
 205      */
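Review bot: The rename from verifyTimestamp to verifyValidity also changes the text of the thrown CertPathValidatorException, because `msg` at line 185 now feeds `msg + " check failed"` at lines 193 and 196, so any caller or test that matches on "timestamp check failed" will no longer see it; this is worth stating in the change description or confirming against the existing tests. The Javadoc on the renamed method at lines 179-181 is also the thinnest in the file: it has no `@param`/`@throws` and "verify the validity on a certificate" reads awkwardly. I would replace it with `Verifies that the certificate is valid at the checker's {@code date}.` followed by `@param cert the X509Certificate` and `@throws CertPathValidatorException if the certificate is expired or not yet valid`, matching the style of verifySignature just above. The class continues past the end of this section (verifyNameChaining and the remaining methods are not shown).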

