490 issuerInfo.getName())) { 491 492 // Check for the OCSPSigning key purpose 493 try { 494 List<String> keyPurposes = signerCert.getExtendedKeyUsage(); 495 if (keyPurposes == null || 496 !keyPurposes.contains(KP_OCSP_SIGNING_OID)) { 497 throw new CertPathValidatorException( 498 "Responder's certificate not valid for signing " + 499 "OCSP responses"); 500 } 501 } catch (CertificateParsingException cpe) { 502 // assume cert is not valid for signing 503 throw new CertPathValidatorException( 504 "Responder's certificate not valid for signing " + 505 "OCSP responses", cpe); 506 } 507 508 // Check algorithm constraints specified in security property 509 // "jdk.certpath.disabledAlgorithms". 510 AlgorithmChecker algChecker = new AlgorithmChecker( 511 new TrustAnchor(issuerInfo.getName(), 512 issuerInfo.getPublicKey(), null)); 513 algChecker.init(false); 514 algChecker.check(signerCert, Collections.<String>emptySet()); 515 516 // check the validity 517 try { 518 if (date == null) { 519 signerCert.checkValidity(); 520 } else { 521 signerCert.checkValidity(date); 522 } 523 } catch (CertificateException e) { 524 throw new CertPathValidatorException( 525 "Responder's certificate not within the " + 526 "validity period", e); 527 } 528 529 // check for revocation 530 // 531 // A CA may specify that an OCSP client can trust a 532 // responder for the lifetime of the responder's 965 sb.append("revocationTime is "); 966 sb.append(revocationTime).append("\n"); 967 sb.append("revocationReason is "); 968 sb.append(revocationReason).append("\n"); 969 } 970 sb.append("thisUpdate is ").append(thisUpdate).append("\n"); 971 if (nextUpdate != null) { 972 sb.append("nextUpdate is ").append(nextUpdate).append("\n"); 973 } 974 for (java.security.cert.Extension ext : singleExtensions.values()) { 975 sb.append("singleExtension: "); 976 sb.append(ext.toString()).append("\n"); 977 } 978 return sb.toString(); 979 } 980 } 981 982 /** 983 * Helper class that allows consumers to pass in issuer information. This 984 * will always consist of the issuer's name and public key, but may also 985 * contain a certificate if the originating data is in that form. 986 */ 987 static final class IssuerInfo { 988 private final X509Certificate certificate; 989 private final X500Principal name; 990 private final PublicKey pubKey; 991 992 IssuerInfo(X509Certificate issuerCert) { 993 certificate = Objects.requireNonNull(issuerCert, 994 "Constructor requires non-null certificate"); 995 name = certificate.getSubjectX500Principal(); 996 pubKey = certificate.getPublicKey(); 997 } 998 999 IssuerInfo(X500Principal subjectName, PublicKey key) { 1000 certificate = null; 1001 name = Objects.requireNonNull(subjectName, 1002 "Constructor requires non-null subject"); 1003 pubKey = Objects.requireNonNull(key, 1004 "Constructor requires non-null public key"); 1005 } 1006 1007 IssuerInfo(TrustAnchor anchor) { 1008 certificate = anchor.getTrustedCert(); 1009 if (certificate != null) { 1010 name = certificate.getSubjectX500Principal(); 1011 pubKey = certificate.getPublicKey(); 1012 } else { 1013 name = anchor.getCA(); 1014 pubKey = anchor.getCAPublicKey(); 1015 } 1016 } 1017 1018 /** 1019 * Get the certificate in this IssuerInfo if present. 1020 * 1021 * @return the {@code X509Certificate} used to create this IssuerInfo 1022 * object, or {@code null} if a certificate was not used in its 1023 * creation. 1024 */ 1025 X509Certificate getCertificate() { 1026 return certificate; 1027 } 1028 1029 /** 1030 * Get the name of this issuer. 1031 * 1032 * @return an {@code X500Principal} corresponding to this issuer's 1033 * name. If derived from an issuer's {@code X509Certificate} this 1034 * would be equivalent to the certificate subject name. 1035 */ 1036 X500Principal getName() { 1037 return name; 1038 } 1039 1040 /** 1041 * Get the public key for this issuer. 1042 * 1043 * @return a {@code PublicKey} for this issuer. 1044 */ 1045 PublicKey getPublicKey() { 1046 return pubKey; 1047 } 1048 1049 /** 1050 * Create a string representation of this IssuerInfo. 1051 * 1052 * @return a {@code String} form of this IssuerInfo object. 1053 */ 1054 @Override 1055 public String toString() { 1056 StringBuilder sb = new StringBuilder(); 1057 sb.append("Issuer Info:\n"); 1058 sb.append("Name: ").append(name.toString()).append("\n"); 1059 sb.append("Public Key:\n").append(pubKey.toString()).append("\n"); 1060 return sb.toString(); 1061 } 1062 } 1063 } | 490 issuerInfo.getName())) { 491 492 // Check for the OCSPSigning key purpose 493 try { 494 List<String> keyPurposes = signerCert.getExtendedKeyUsage(); 495 if (keyPurposes == null || 496 !keyPurposes.contains(KP_OCSP_SIGNING_OID)) { 497 throw new CertPathValidatorException( 498 "Responder's certificate not valid for signing " + 499 "OCSP responses"); 500 } 501 } catch (CertificateParsingException cpe) { 502 // assume cert is not valid for signing 503 throw new CertPathValidatorException( 504 "Responder's certificate not valid for signing " + 505 "OCSP responses", cpe); 506 } 507 508 // Check algorithm constraints specified in security property 509 // "jdk.certpath.disabledAlgorithms". 510 AlgorithmChecker algChecker = 511 new AlgorithmChecker(issuerInfo.getAnchor(), date); 512 algChecker.init(false); 513 algChecker.check(signerCert, Collections.<String>emptySet()); 514 515 // check the validity 516 try { 517 if (date == null) { 518 signerCert.checkValidity(); 519 } else { 520 signerCert.checkValidity(date); 521 } 522 } catch (CertificateException e) { 523 throw new CertPathValidatorException( 524 "Responder's certificate not within the " + 525 "validity period", e); 526 } 527 528 // check for revocation 529 // 530 // A CA may specify that an OCSP client can trust a 531 // responder for the lifetime of the responder's 964 sb.append("revocationTime is "); 965 sb.append(revocationTime).append("\n"); 966 sb.append("revocationReason is "); 967 sb.append(revocationReason).append("\n"); 968 } 969 sb.append("thisUpdate is ").append(thisUpdate).append("\n"); 970 if (nextUpdate != null) { 971 sb.append("nextUpdate is ").append(nextUpdate).append("\n"); 972 } 973 for (java.security.cert.Extension ext : singleExtensions.values()) { 974 sb.append("singleExtension: "); 975 sb.append(ext.toString()).append("\n"); 976 } 977 return sb.toString(); 978 } 979 } 980 981 /** 982 * Helper class that allows consumers to pass in issuer information. This 983 * will always consist of the issuer's name and public key, but may also 984 * contain a certificate if the originating data is in that form. The 985 * trust anchor for the certificate chain will be included for certpath 986 * disabled algorithm checking. 987 */ 988 static final class IssuerInfo { 989 private final TrustAnchor anchor; 990 private X509Certificate certificate; 991 private X500Principal name; 992 private PublicKey pubKey; 993 994 IssuerInfo(TrustAnchor anchor) { 995 this.anchor = Objects.requireNonNull(anchor, 996 "Constructor requires non-null anchor"); 997 init(anchor.getTrustedCert()); 998 } 999 1000 IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) { 1001 this.anchor = Objects.requireNonNull(anchor, 1002 "Constructor requires non-null anchor"); 1003 init(issuerCert); 1004 } 1005 1006 /* Initialize Issuer Info */ 1007 private void init(X509Certificate issuerCert) { 1008 if (issuerCert != null) { 1009 name = issuerCert.getSubjectX500Principal(); 1010 pubKey = issuerCert.getPublicKey(); 1011 certificate = issuerCert; 1012 } else { 1013 name = anchor.getCA(); 1014 pubKey = anchor.getCAPublicKey(); 1015 } 1016 } 1017 1018 /** 1019 * Get the certificate in this IssuerInfo if present. 1020 * 1021 * @return the {@code X509Certificate} used to create this IssuerInfo 1022 * object, or {@code null} if a certificate was not used in its 1023 * creation. 1024 */ 1025 X509Certificate getCertificate() { 1026 return certificate; 1027 } 1028 1029 /** 1030 * Get the name of this issuer. 1031 * 1032 * @return an {@code X500Principal} corresponding to this issuer's 1033 * name. If derived from an issuer's {@code X509Certificate} this 1034 * would be equivalent to the certificate subject name. 1035 */ 1036 X500Principal getName() { 1037 return name; 1038 } 1039 1040 /** 1041 * Get the public key for this issuer. 1042 * 1043 * @return a {@code PublicKey} for this issuer. 1044 */ 1045 PublicKey getPublicKey() { 1046 return pubKey; 1047 } 1048 1049 /** 1050 * Get the TrustAnchor for the certificate chain. 1051 * 1052 * @return a {@code TrustAnchor}. 1053 */ 1054 TrustAnchor getAnchor() { 1055 return anchor; 1056 } 1057 1058 void setIssuerCert(X509Certificate issuerCert) { 1059 Objects.requireNonNull(issuerCert, 1060 "setIssuerCert requires non-null issuerCert"); 1061 init(issuerCert); 1062 } 1063 1064 /** 1065 * Create a string representation of this IssuerInfo. 1066 * 1067 * @return a {@code String} form of this IssuerInfo object. 1068 */ 1069 @Override 1070 public String toString() { 1071 StringBuilder sb = new StringBuilder(); 1072 sb.append("Issuer Info:\n"); 1073 sb.append("Name: ").append(name.toString()).append("\n"); 1074 sb.append("Public Key:\n").append(pubKey.toString()).append("\n"); 1075 return sb.toString(); 1076 } 1077 } 1078 } |