513 }
514
515 /*
516 * Check if CertConstraintParameters has a trusted match, if it does
517 * call next() for any following constraints. If it does not, exit
518 * as this constraint(s) does not restrict the operation.
519 */
520 public void permits(CertConstraintParameters cp)
521 throws CertPathValidatorException {
522 if (debug != null) {
523 debug.println("jdkCAConstraints.permits(): " + algorithm);
524 }
525
526 // Check chain has a trust anchor in cacerts
527 if (cp.isTrustedMatch()) {
528 if (next(cp)) {
529 return;
530 }
531 throw new CertPathValidatorException(
532 "Algorithm constraints check failed on certificate " +
533 "anchor limits",
534 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
535 }
536 }
537 }
538
539 /*
540 * This class handles the denyAfter constraint. The date is in the UTC/GMT
541 * timezone.
542 */
543 private static class DenyAfterConstraint extends Constraint {
544 private Date denyAfterDate;
545 private static final SimpleDateFormat dateFormat =
546 new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy");
547
548 DenyAfterConstraint(String algo, int year, int month, int day) {
549 Calendar c;
550
551 algorithm = algo;
552
553 if (debug != null) {
594 throws CertPathValidatorException {
595 Date currentDate;
596 String errmsg;
597
598 if (cp.getJARTimestamp() != null) {
599 currentDate = cp.getJARTimestamp().getTimestamp();
600 errmsg = "JAR Timestamp date: ";
601 } else if (cp.getPKIXParamDate() != null) {
602 currentDate = cp.getPKIXParamDate();
603 errmsg = "PKIXParameter date: ";
604 } else {
605 currentDate = new Date();
606 errmsg = "Certificate date: ";
607 }
608
609 if (!denyAfterDate.after(currentDate)) {
610 if (next(cp)) {
611 return;
612 }
613 throw new CertPathValidatorException(
614 "denyAfter constraint check failed. " +
615 "Constraint date: " +
616 dateFormat.format(denyAfterDate) + "; "
617 + errmsg + dateFormat.format(currentDate),
618 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
619 }
620 }
621
622 /*
623 * Return result if the constraint's date is beyond the current date
624 * in UTC timezone.
625 */
626 public boolean permits(Key key) {
627 if (next(key)) {
628 return true;
629 }
630 if (debug != null) {
631 debug.println("DenyAfterConstraints.permits(): " + algorithm);
632 }
633
634 return denyAfterDate.after(new Date());
635 }
636 }
637
638 /*
639 * This class contains constraints dealing with the key size
640 * support limits per algorithm. e.g. "keySize <= 1024"
641 */
642 private static class KeySizeConstraint extends Constraint {
643
644 private int minSize; // the minimal available key size
645 private int maxSize; // the maximal available key size
646 private int prohibitedSize = -1; // unavailable key sizes
647
648 public KeySizeConstraint(String algo, Operator operator, int length) {
649 algorithm = algo;
650 switch (operator) {
651 case EQ: // an unavailable key size
652 this.minSize = 0;
653 this.maxSize = Integer.MAX_VALUE;
654 prohibitedSize = length;
655 break;
656 case NE:
657 this.minSize = length;
658 this.maxSize = length;
659 break;
660 case LT:
661 this.minSize = length;
662 this.maxSize = Integer.MAX_VALUE;
663 break;
664 case LE:
665 this.minSize = length + 1;
666 this.maxSize = Integer.MAX_VALUE;
678 this.minSize = Integer.MAX_VALUE;
679 this.maxSize = -1;
680 }
681 }
682
683 /*
684 * If we are passed a certificate, extract the public key and use it.
685 *
686 * Check if each constraint fails and check if there is a linked
687 * constraint Any permitted constraint will exit the linked list
688 * to allow the operation.
689 */
690 public void permits(CertConstraintParameters cp)
691 throws CertPathValidatorException {
692 if (!permitsImpl(cp.getCertificate().getPublicKey())) {
693 if (nextConstraint != null) {
694 nextConstraint.permits(cp);
695 return;
696 }
697 throw new CertPathValidatorException(
698 "Algorithm constraints check failed on keysize limits",
699 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
700 }
701 }
702
703
704 // Check if key constraint disable the specified key
705 // Uses old style permit()
706 public boolean permits(Key key) {
707 // If we recursively find a constraint that permits us to use
708 // this key, return true and skip any other constraint checks.
709 if (nextConstraint != null && nextConstraint.permits(key)) {
710 return true;
711 }
712 if (debug != null) {
713 debug.println("KeySizeConstraints.permits(): " + algorithm);
714 }
715
716 return permitsImpl(key);
717 }
718
719 private boolean permitsImpl(Key key) {
720 // Verify this constraint is for this public key algorithm
721 if (algorithm.compareToIgnoreCase(key.getAlgorithm()) != 0) {
722 return true;
723 }
724
725 int size = KeyUtil.getKeySize(key);
726 if (size == 0) {
727 return false; // we don't allow any key of size 0.
728 } else if (size > 0) {
729 return !((size < minSize) || (size > maxSize) ||
730 (prohibitedSize == size));
731 } // Otherwise, the key size is not accessible. Conservatively,
732 // please don't disable such keys.
733
734 return true;
735 }
736 }
737 }
738
|
513 }
514
515 /*
516 * Check if CertConstraintParameters has a trusted match, if it does
517 * call next() for any following constraints. If it does not, exit
518 * as this constraint(s) does not restrict the operation.
519 */
520 public void permits(CertConstraintParameters cp)
521 throws CertPathValidatorException {
522 if (debug != null) {
523 debug.println("jdkCAConstraints.permits(): " + algorithm);
524 }
525
526 // Check chain has a trust anchor in cacerts
527 if (cp.isTrustedMatch()) {
528 if (next(cp)) {
529 return;
530 }
531 throw new CertPathValidatorException(
532 "Algorithm constraints check failed on certificate " +
533 "anchor limits. " + algorithm + " used with " +
534 cp.getCertificate().getSubjectX500Principal(),
535 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
536 }
537 }
538 }
539
540 /*
541 * This class handles the denyAfter constraint. The date is in the UTC/GMT
542 * timezone.
543 */
544 private static class DenyAfterConstraint extends Constraint {
545 private Date denyAfterDate;
546 private static final SimpleDateFormat dateFormat =
547 new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy");
548
549 DenyAfterConstraint(String algo, int year, int month, int day) {
550 Calendar c;
551
552 algorithm = algo;
553
554 if (debug != null) {
595 throws CertPathValidatorException {
596 Date currentDate;
597 String errmsg;
598
599 if (cp.getJARTimestamp() != null) {
600 currentDate = cp.getJARTimestamp().getTimestamp();
601 errmsg = "JAR Timestamp date: ";
602 } else if (cp.getPKIXParamDate() != null) {
603 currentDate = cp.getPKIXParamDate();
604 errmsg = "PKIXParameter date: ";
605 } else {
606 currentDate = new Date();
607 errmsg = "Certificate date: ";
608 }
609
610 if (!denyAfterDate.after(currentDate)) {
611 if (next(cp)) {
612 return;
613 }
614 throw new CertPathValidatorException(
615 "denyAfter constraint check failed: " + algorithm +
616 " used with Constraint date: " +
617 dateFormat.format(denyAfterDate) + "; "
618 + errmsg + dateFormat.format(currentDate),
619 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
620 }
621 }
622
623 /*
624 * Return result if the constraint's date is beyond the current date
625 * in UTC timezone.
626 */
627 public boolean permits(Key key) {
628 if (next(key)) {
629 return true;
630 }
631 if (debug != null) {
632 debug.println("DenyAfterConstraints.permits(): " + algorithm);
633 }
634
635 return denyAfterDate.after(new Date());
636 }
637 }
638
639 /*
640 * This class contains constraints dealing with the key size
641 * support limits per algorithm. e.g. "keySize <= 1024"
642 */
643 private static class KeySizeConstraint extends Constraint {
644
645 private int minSize; // the minimal available key size
646 private int maxSize; // the maximal available key size
647 private int prohibitedSize = -1; // unavailable key sizes
648 private int size;
649
650 public KeySizeConstraint(String algo, Operator operator, int length) {
651 algorithm = algo;
652 switch (operator) {
653 case EQ: // an unavailable key size
654 this.minSize = 0;
655 this.maxSize = Integer.MAX_VALUE;
656 prohibitedSize = length;
657 break;
658 case NE:
659 this.minSize = length;
660 this.maxSize = length;
661 break;
662 case LT:
663 this.minSize = length;
664 this.maxSize = Integer.MAX_VALUE;
665 break;
666 case LE:
667 this.minSize = length + 1;
668 this.maxSize = Integer.MAX_VALUE;
680 this.minSize = Integer.MAX_VALUE;
681 this.maxSize = -1;
682 }
683 }
684
685 /*
686 * If we are passed a certificate, extract the public key and use it.
687 *
688 * Check if each constraint fails and check if there is a linked
689 * constraint Any permitted constraint will exit the linked list
690 * to allow the operation.
691 */
692 public void permits(CertConstraintParameters cp)
693 throws CertPathValidatorException {
694 if (!permitsImpl(cp.getCertificate().getPublicKey())) {
695 if (nextConstraint != null) {
696 nextConstraint.permits(cp);
697 return;
698 }
699 throw new CertPathValidatorException(
700 "Algorithm constraints check failed on keysize limits. "
701 + algorithm + " " + size + "bit key used with "
702 + cp.getCertificate().getSubjectX500Principal(),
703 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
704 }
705 }
706
707
708 // Check if key constraint disable the specified key
709 // Uses old style permit()
710 public boolean permits(Key key) {
711 // If we recursively find a constraint that permits us to use
712 // this key, return true and skip any other constraint checks.
713 if (nextConstraint != null && nextConstraint.permits(key)) {
714 return true;
715 }
716 if (debug != null) {
717 debug.println("KeySizeConstraints.permits(): " + algorithm);
718 }
719
720 return permitsImpl(key);
721 }
722
723 private boolean permitsImpl(Key key) {
724 // Verify this constraint is for this public key algorithm
725 if (algorithm.compareToIgnoreCase(key.getAlgorithm()) != 0) {
726 return true;
727 }
728
729 size = KeyUtil.getKeySize(key);
730 if (size == 0) {
731 return false; // we don't allow any key of size 0.
732 } else if (size > 0) {
733 return !((size < minSize) || (size > maxSize) ||
734 (prohibitedSize == size));
735 } // Otherwise, the key size is not accessible. Conservatively,
736 // please don't disable such keys.
737
738 return true;
739 }
740 }
741 }
742
|