191 if ((chain == null) || (chain.length == 0)) {
192 throw new CertificateException
193 ("null or zero-length certificate chain");
194 }
195
196 // add new algorithm constraints checker
197 PKIXBuilderParameters pkixParameters =
198 (PKIXBuilderParameters) parameterTemplate.clone();
199 AlgorithmChecker algorithmChecker = null;
200 if (constraints != null) {
201 algorithmChecker = new AlgorithmChecker(constraints);
202 pkixParameters.addCertPathChecker(algorithmChecker);
203 }
204
205 // check that chain is in correct order and check if chain contains
206 // trust anchor
207 X500Principal prevIssuer = null;
208 for (int i = 0; i < chain.length; i++) {
209 X509Certificate cert = chain[i];
210 X500Principal dn = cert.getSubjectX500Principal();
211 if (i != 0 &&
212 !dn.equals(prevIssuer)) {
213 // chain is not ordered correctly, call builder instead
214 return doBuild(chain, otherCerts, pkixParameters);
215 }
216
217 // Check if chain[i] is already trusted. It may be inside
218 // trustedCerts, or has the same dn and public key as a cert
219 // inside trustedCerts. The latter happens when a CA has
220 // updated its cert with a stronger signature algorithm in JRE
221 // but the weak one is still in circulation.
222
223 if (trustedCerts.contains(cert) || // trusted cert
224 (trustedSubjects.containsKey(dn) && // replacing ...
225 trustedSubjects.get(dn).contains( // ... weak cert
226 cert.getPublicKey()))) {
227 if (i == 0) {
228 return new X509Certificate[] {chain[0]};
229 }
230 // Remove and call validator on partial chain [0 .. i-1]
231 X509Certificate[] newChain = new X509Certificate[i];
232 System.arraycopy(chain, 0, newChain, 0, i);
191 if ((chain == null) || (chain.length == 0)) {
192 throw new CertificateException
193 ("null or zero-length certificate chain");
194 }
195
196 // add new algorithm constraints checker
197 PKIXBuilderParameters pkixParameters =
198 (PKIXBuilderParameters) parameterTemplate.clone();
199 AlgorithmChecker algorithmChecker = null;
200 if (constraints != null) {
201 algorithmChecker = new AlgorithmChecker(constraints);
202 pkixParameters.addCertPathChecker(algorithmChecker);
203 }
204
205 // check that chain is in correct order and check if chain contains
206 // trust anchor
207 X500Principal prevIssuer = null;
208 for (int i = 0; i < chain.length; i++) {
209 X509Certificate cert = chain[i];
210 X500Principal dn = cert.getSubjectX500Principal();
211 if (i != 0 && !dn.equals(prevIssuer)) {
212 // chain is not ordered correctly, call builder instead
213 return doBuild(chain, otherCerts, pkixParameters);
214 }
215
216 // Check if chain[i] is already trusted. It may be inside
217 // trustedCerts, or has the same dn and public key as a cert
218 // inside trustedCerts. The latter happens when a CA has
219 // updated its cert with a stronger signature algorithm in JRE
220 // but the weak one is still in circulation.
221
222 if (trustedCerts.contains(cert) || // trusted cert
223 (trustedSubjects.containsKey(dn) && // replacing ...
224 trustedSubjects.get(dn).contains( // ... weak cert
225 cert.getPublicKey()))) {
226 if (i == 0) {
227 return new X509Certificate[] {chain[0]};
228 }
229 // Remove and call validator on partial chain [0 .. i-1]
230 X509Certificate[] newChain = new X509Certificate[i];
231 System.arraycopy(chain, 0, newChain, 0, i);