1 /*
2 * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.validator;
27
28 import java.io.IOException;
29 import java.util.*;
30
31 import java.security.*;
32 import java.security.cert.*;
33
34 import javax.security.auth.x500.X500Principal;
35
36 import sun.security.x509.X509CertImpl;
37 import sun.security.x509.NetscapeCertTypeExtension;
38 import sun.security.util.DerValue;
39 import sun.security.util.DerInputStream;
40 import sun.security.util.ObjectIdentifier;
41
42 import sun.security.provider.certpath.AlgorithmChecker;
43 import sun.security.provider.certpath.UntrustedChecker;
44
45 /**
46 * A simple validator implementation. It is based on code from the JSSE
47 * X509TrustManagerImpl. This implementation is designed for compatibility with
48 * deployed certificates and previous J2SE versions. It will never support
49 * more advanced features and will be deemphasized in favor of the PKIX
50 * validator going forward.
51 * <p>
52 * {@code SimpleValidator} objects are immutable once they have been created.
53 * Please DO NOT add methods that can change the state of an instance once
54 * it has been created.
55 *
56 * @author Andreas Sterbenz
136 Date date = validationDate;
137 if (date == null) {
138 date = new Date();
139 }
140
141 // create distrusted certificates checker
142 UntrustedChecker untrustedChecker = new UntrustedChecker();
143
144 // check if anchor is untrusted
145 X509Certificate anchorCert = chain[chain.length - 1];
146 try {
147 untrustedChecker.check(anchorCert);
148 } catch (CertPathValidatorException cpve) {
149 throw new ValidatorException(
150 "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
151 ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
152 }
153
154 // create default algorithm constraints checker
155 TrustAnchor anchor = new TrustAnchor(anchorCert, null);
156 AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
157
158 // create application level algorithm constraints checker
159 AlgorithmChecker appAlgChecker = null;
160 if (constraints != null) {
161 appAlgChecker = new AlgorithmChecker(anchor, constraints);
162 }
163
164 // verify top down, starting at the certificate issued by
165 // the trust anchor
166 int maxPathLength = chain.length - 1;
167 for (int i = chain.length - 2; i >= 0; i--) {
168 X509Certificate issuerCert = chain[i + 1];
169 X509Certificate cert = chain[i];
170
171 // check untrusted certificate
172 try {
173 // Untrusted checker does not care about the unresolved
174 // critical extensions.
175 untrustedChecker.check(cert, Collections.<String>emptySet());
176 } catch (CertPathValidatorException cpve) {
177 throw new ValidatorException(
178 "Untrusted certificate: " + cert.getSubjectX500Principal(),
179 ValidatorException.T_UNTRUSTED_CERT, cert, cpve);
180 }
181
1 /*
2 * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.validator;
27
28 import java.io.IOException;
29 import java.util.*;
30
31 import java.security.*;
32 import java.security.cert.*;
33
34 import javax.security.auth.x500.X500Principal;
35
36 import sun.security.x509.X509CertImpl;
37 import sun.security.x509.KeyIdentifier;
38 import sun.security.x509.NetscapeCertTypeExtension;
39 import sun.security.util.DerValue;
40 import sun.security.util.DerInputStream;
41 import sun.security.util.ObjectIdentifier;
42
43 import sun.security.provider.certpath.AlgorithmChecker;
44 import sun.security.provider.certpath.UntrustedChecker;
45
46 /**
47 * A simple validator implementation. It is based on code from the JSSE
48 * X509TrustManagerImpl. This implementation is designed for compatibility with
49 * deployed certificates and previous J2SE versions. It will never support
50 * more advanced features and will be deemphasized in favor of the PKIX
51 * validator going forward.
52 * <p>
53 * {@code SimpleValidator} objects are immutable once they have been created.
54 * Please DO NOT add methods that can change the state of an instance once
55 * it has been created.
56 *
57 * @author Andreas Sterbenz
137 Date date = validationDate;
138 if (date == null) {
139 date = new Date();
140 }
141
142 // create distrusted certificates checker
143 UntrustedChecker untrustedChecker = new UntrustedChecker();
144
145 // check if anchor is untrusted
146 X509Certificate anchorCert = chain[chain.length - 1];
147 try {
148 untrustedChecker.check(anchorCert);
149 } catch (CertPathValidatorException cpve) {
150 throw new ValidatorException(
151 "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
152 ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
153 }
154
155 // create default algorithm constraints checker
156 TrustAnchor anchor = new TrustAnchor(anchorCert, null);
157 AlgorithmChecker defaultAlgChecker =
158 new AlgorithmChecker(anchor, variant);
159
160 // create application level algorithm constraints checker
161 AlgorithmChecker appAlgChecker = null;
162 if (constraints != null) {
163 appAlgChecker = new AlgorithmChecker(anchor, constraints, null,
164 null, variant);
165 }
166
167 // verify top down, starting at the certificate issued by
168 // the trust anchor
169 int maxPathLength = chain.length - 1;
170 for (int i = chain.length - 2; i >= 0; i--) {
171 X509Certificate issuerCert = chain[i + 1];
172 X509Certificate cert = chain[i];
173
174 // check untrusted certificate
175 try {
176 // Untrusted checker does not care about the unresolved
177 // critical extensions.
178 untrustedChecker.check(cert, Collections.<String>emptySet());
179 } catch (CertPathValidatorException cpve) {
180 throw new ValidatorException(
181 "Untrusted certificate: " + cert.getSubjectX500Principal(),
182 ValidatorException.T_UNTRUSTED_CERT, cert, cpve);
183 }
184
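Review bot: The effective validation date computed at the top of the section (`date`, falling back to `new Date()` when `validationDate` is null) is never handed to either AlgorithmChecker; the new `new AlgorithmChecker(anchor, variant)` and the five-argument call with two bare `null` positionals evaluate the algorithm constraints without it, so a caller who validates "as of" an explicit date still gets constraint decisions relative to the current time unless the checker re-derives it elsewhere. If the third positional parameter is the PKIX validation date, as its position alongside the constraints suggests, passing `date` there would keep the two checks consistent; if the omission is deliberate, a one-line comment on the `null, null` arguments saying what each slot is and why it is left unset (e.g. `// validation date and JAR timestamp intentionally unset: constraints are evaluated against "now"`) would stop the next reader from guessing. The two nulls are also hard to read as positionals; naming them via a local (`Date pkixDate = null;`) or the comment above is the cheaper fix. The enclosing method starts and ends outside this section, so whether `date` reaches a later `checkValidity` call cannot be confirmed from here.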