< prev index next >

src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java

Print this page




 490                     issuerInfo.getName())) {
 491 
 492                 // Check for the OCSPSigning key purpose
 493                 try {
 494                     List<String> keyPurposes = signerCert.getExtendedKeyUsage();
 495                     if (keyPurposes == null ||
 496                         !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
 497                         throw new CertPathValidatorException(
 498                             "Responder's certificate not valid for signing " +
 499                             "OCSP responses");
 500                     }
 501                 } catch (CertificateParsingException cpe) {
 502                     // assume cert is not valid for signing
 503                     throw new CertPathValidatorException(
 504                         "Responder's certificate not valid for signing " +
 505                         "OCSP responses", cpe);
 506                 }
 507 
 508                 // Check algorithm constraints specified in security property
 509                 // "jdk.certpath.disabledAlgorithms".
 510                 AlgorithmChecker algChecker = new AlgorithmChecker(
 511                         new TrustAnchor(issuerInfo.getName(),
 512                                 issuerInfo.getPublicKey(), null));
 513                 algChecker.init(false);
 514                 algChecker.check(signerCert, Collections.<String>emptySet());
 515 
 516                 // check the validity
 517                 try {
 518                     if (date == null) {
 519                         signerCert.checkValidity();
 520                     } else {
 521                         signerCert.checkValidity(date);
 522                     }
 523                 } catch (CertificateException e) {
 524                     throw new CertPathValidatorException(
 525                         "Responder's certificate not within the " +
 526                         "validity period", e);
 527                 }
 528 
 529                 // check for revocation
 530                 //
 531                 // A CA may specify that an OCSP client can trust a
 532                 // responder for the lifetime of the responder's


 965                 sb.append("revocationTime is ");
 966                 sb.append(revocationTime).append("\n");
 967                 sb.append("revocationReason is ");
 968                 sb.append(revocationReason).append("\n");
 969             }
 970             sb.append("thisUpdate is ").append(thisUpdate).append("\n");
 971             if (nextUpdate != null) {
 972                 sb.append("nextUpdate is ").append(nextUpdate).append("\n");
 973             }
 974             for (java.security.cert.Extension ext : singleExtensions.values()) {
 975                 sb.append("singleExtension: ");
 976                 sb.append(ext.toString()).append("\n");
 977             }
 978             return sb.toString();
 979         }
 980     }
 981 
 982     /**
 983      * Helper class that allows consumers to pass in issuer information.  This
 984      * will always consist of the issuer's name and public key, but may also
 985      * contain a certificate if the originating data is in that form.


 986      */
 987     static final class IssuerInfo {
 988         private final X509Certificate certificate;
 989         private final X500Principal name;
 990         private final PublicKey pubKey;
 991 
 992         IssuerInfo(X509Certificate issuerCert) {
 993             certificate = Objects.requireNonNull(issuerCert,
 994                     "Constructor requires non-null certificate");
 995             name = certificate.getSubjectX500Principal();
 996             pubKey = certificate.getPublicKey();
 997         }
 998 
 999         IssuerInfo(X500Principal subjectName, PublicKey key) {
1000             certificate = null;
1001             name = Objects.requireNonNull(subjectName,
1002                     "Constructor requires non-null subject");
1003             pubKey = Objects.requireNonNull(key,
1004                     "Constructor requires non-null public key");
1005         }
1006 
1007         IssuerInfo(TrustAnchor anchor) {
1008             certificate = anchor.getTrustedCert();
1009             if (certificate != null) {
1010                 name = certificate.getSubjectX500Principal();
1011                 pubKey = certificate.getPublicKey();













1012             } else {
1013                 name = anchor.getCA();
1014                 pubKey = anchor.getCAPublicKey();
1015             }
1016         }
1017 
1018         /**
1019          * Get the certificate in this IssuerInfo if present.
1020          *
1021          * @return the {@code X509Certificate} used to create this IssuerInfo
1022          * object, or {@code null} if a certificate was not used in its
1023          * creation.
1024          */
1025         X509Certificate getCertificate() {
1026             return certificate;
1027         }
1028 
1029         /**
1030          * Get the name of this issuer.
1031          *
1032          * @return an {@code X500Principal} corresponding to this issuer's
1033          * name.  If derived from an issuer's {@code X509Certificate} this
1034          * would be equivalent to the certificate subject name.
1035          */
1036         X500Principal getName() {
1037             return name;
1038         }
1039 
1040         /**
1041          * Get the public key for this issuer.
1042          *
1043          * @return a {@code PublicKey} for this issuer.
1044          */
1045         PublicKey getPublicKey() {
1046             return pubKey;















1047         }
1048 
1049         /**
1050          * Create a string representation of this IssuerInfo.
1051          *
1052          * @return a {@code String} form of this IssuerInfo object.
1053          */
1054         @Override
1055         public String toString() {
1056             StringBuilder sb = new StringBuilder();
1057             sb.append("Issuer Info:\n");
1058             sb.append("Name: ").append(name.toString()).append("\n");
1059             sb.append("Public Key:\n").append(pubKey.toString()).append("\n");
1060             return sb.toString();
1061         }
1062     }
1063 }


 490                     issuerInfo.getName())) {
 491 
 492                 // Check for the OCSPSigning key purpose
 493                 try {
 494                     List<String> keyPurposes = signerCert.getExtendedKeyUsage();
 495                     if (keyPurposes == null ||
 496                         !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
 497                         throw new CertPathValidatorException(
 498                             "Responder's certificate not valid for signing " +
 499                             "OCSP responses");
 500                     }
 501                 } catch (CertificateParsingException cpe) {
 502                     // assume cert is not valid for signing
 503                     throw new CertPathValidatorException(
 504                         "Responder's certificate not valid for signing " +
 505                         "OCSP responses", cpe);
 506                 }
 507 
 508                 // Check algorithm constraints specified in security property
 509                 // "jdk.certpath.disabledAlgorithms".
 510                 AlgorithmChecker algChecker =
 511                         new AlgorithmChecker(issuerInfo.getAnchor(), date);

 512                 algChecker.init(false);
 513                 algChecker.check(signerCert, Collections.<String>emptySet());
 514 
 515                 // check the validity
 516                 try {
 517                     if (date == null) {
 518                         signerCert.checkValidity();
 519                     } else {
 520                         signerCert.checkValidity(date);
 521                     }
 522                 } catch (CertificateException e) {
 523                     throw new CertPathValidatorException(
 524                         "Responder's certificate not within the " +
 525                         "validity period", e);
 526                 }
 527 
 528                 // check for revocation
 529                 //
 530                 // A CA may specify that an OCSP client can trust a
 531                 // responder for the lifetime of the responder's


 964                 sb.append("revocationTime is ");
 965                 sb.append(revocationTime).append("\n");
 966                 sb.append("revocationReason is ");
 967                 sb.append(revocationReason).append("\n");
 968             }
 969             sb.append("thisUpdate is ").append(thisUpdate).append("\n");
 970             if (nextUpdate != null) {
 971                 sb.append("nextUpdate is ").append(nextUpdate).append("\n");
 972             }
 973             for (java.security.cert.Extension ext : singleExtensions.values()) {
 974                 sb.append("singleExtension: ");
 975                 sb.append(ext.toString()).append("\n");
 976             }
 977             return sb.toString();
 978         }
 979     }
 980 
 981     /**
 982      * Helper class that allows consumers to pass in issuer information.  This
 983      * will always consist of the issuer's name and public key, but may also
 984      * contain a certificate if the originating data is in that form.  The
 985      * trust anchor for the certificate chain will be included for certpath
 986      * disabled algorithm checking.
 987      */
 988     static final class IssuerInfo {
 989         private final TrustAnchor anchor;
 990         private X509Certificate certificate;
 991         private X500Principal name;
 992         private PublicKey pubKey;














 993 
 994         IssuerInfo(TrustAnchor anchor) {
 995             this.anchor = Objects.requireNonNull(anchor,
 996                     "Constructor requires non-null anchor");
 997             init(anchor.getTrustedCert());
 998         }
 999 
1000         IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
1001             this.anchor = Objects.requireNonNull(anchor,
1002                     "Constructor requires non-null anchor");
1003             init(issuerCert);
1004         }
1005 
1006         /* Initialize Issuer Info */
1007         private void init(X509Certificate issuerCert) {
1008             if (issuerCert != null) {
1009                 name = issuerCert.getSubjectX500Principal();
1010                 pubKey = issuerCert.getPublicKey();
1011                 certificate = issuerCert;
1012             } else {
1013                 name = anchor.getCA();
1014                 pubKey = anchor.getCAPublicKey();
1015             }
1016         }
1017 
1018         /**
1019          * Get the certificate in this IssuerInfo if present.
1020          *
1021          * @return the {@code X509Certificate} used to create this IssuerInfo
1022          * object, or {@code null} if a certificate was not used in its
1023          * creation.
1024          */
1025         X509Certificate getCertificate() {
1026             return certificate;
1027         }
1028 
1029         /**
1030          * Get the name of this issuer.
1031          *
1032          * @return an {@code X500Principal} corresponding to this issuer's
1033          * name.  If derived from an issuer's {@code X509Certificate} this
1034          * would be equivalent to the certificate subject name.
1035          */
1036         X500Principal getName() {
1037             return name;
1038         }
1039 
1040         /**
1041          * Get the public key for this issuer.
1042          *
1043          * @return a {@code PublicKey} for this issuer.
1044          */
1045         PublicKey getPublicKey() {
1046             return pubKey;
1047         }
1048 
1049         /**
1050          * Get the TrustAnchor for the certificate chain.
1051          *
1052          * @return a {@code TrustAnchor}.
1053          */
1054         TrustAnchor getAnchor() {
1055             return anchor;
1056         }
1057 
1058         void setIssuerCert(X509Certificate issuerCert) {
1059             Objects.requireNonNull(issuerCert,
1060                     "setIssuerCert requires non-null issuerCert");
1061             init(issuerCert);
1062         }
1063 
1064         /**
1065          * Create a string representation of this IssuerInfo.
1066          *
1067          * @return a {@code String} form of this IssuerInfo object.
1068          */
1069         @Override
1070         public String toString() {
1071             StringBuilder sb = new StringBuilder();
1072             sb.append("Issuer Info:\n");
1073             sb.append("Name: ").append(name.toString()).append("\n");
1074             sb.append("Public Key:\n").append(pubKey.toString()).append("\n");
1075             return sb.toString();
1076         }
1077     }
1078 }
< prev index next >