1 /* 2 * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider.certpath; 27 28 import jdk.internal.event.CertificateChainEvent; 29 import jdk.internal.event.EventHelper; 30 import sun.security.util.Debug; 31 32 import java.util.Collections; 33 import java.util.List; 34 import java.util.Set; 35 import java.util.StringJoiner; 36 import java.security.cert.CertPath; 37 import java.security.cert.CertPathValidatorException; 38 import java.security.cert.PKIXCertPathChecker; 39 import java.security.cert.PKIXReason; 40 import java.security.cert.X509Certificate; 41 import java.util.stream.Collectors; 42 43 /** 44 * This class is initialized with a list of <code>PKIXCertPathChecker</code>s 45 * and is used to verify the certificates in a <code>CertPath</code> by 46 * feeding each certificate to each <code>PKIXCertPathChecker</code>. 47 * 48 * @since 1.4 49 * @author Yassir Elley 50 */ 51 class PKIXMasterCertPathValidator { 52 53 private static final Debug debug = Debug.getInstance("certpath"); 54 55 /** 56 * Validates a certification path consisting exclusively of 57 * <code>X509Certificate</code>s using the specified 58 * <code>PKIXCertPathChecker</code>s. It is assumed that the 59 * <code>PKIXCertPathChecker</code>s 60 * have been initialized with any input parameters they may need. 61 * 62 * @param cpOriginal the original X509 CertPath passed in by the user 63 * @param reversedCertList the reversed X509 CertPath (as a List) 64 * @param certPathCheckers the PKIXCertPathCheckers 65 * @throws CertPathValidatorException if cert path does not validate 66 */ 67 static void validate(CertPath cpOriginal, 68 List<X509Certificate> reversedCertList, 69 List<PKIXCertPathChecker> certPathCheckers) 70 throws CertPathValidatorException 71 { 72 // we actually process reversedCertList, but we keep cpOriginal because 73 // we need to return the original certPath when we throw an exception. 74 // we will also need to modify the index appropriately when we 75 // throw an exception. 76 77 int cpSize = reversedCertList.size(); 78 79 if (debug != null) { 80 debug.println("--------------------------------------------------" 81 + "------------"); 82 debug.println("Executing PKIX certification path validation " 83 + "algorithm."); 84 } 85 86 for (int i = 0; i < cpSize; i++) { 87 88 /* The basic loop algorithm is that we get the 89 * current certificate, we verify the current certificate using 90 * information from the previous certificate and from the state, 91 * and we modify the state for the next loop by setting the 92 * current certificate of this loop to be the previous certificate 93 * of the next loop. The state is initialized during first loop. 94 */ 95 X509Certificate currCert = reversedCertList.get(i); 96 97 if (debug != null) { 98 debug.println("Checking cert" + (i+1) + " - Subject: " + 99 currCert.getSubjectX500Principal()); 100 } 101 102 Set<String> unresCritExts = currCert.getCriticalExtensionOIDs(); 103 if (unresCritExts == null) { 104 unresCritExts = Collections.<String>emptySet(); 105 } 106 107 if (debug != null && !unresCritExts.isEmpty()) { 108 StringJoiner joiner = new StringJoiner(", ", "{", "}"); 109 for (String oid : unresCritExts) { 110 joiner.add(oid); 111 } 112 debug.println("Set of critical extensions: " + 113 joiner.toString()); 114 } 115 116 for (int j = 0; j < certPathCheckers.size(); j++) { 117 118 PKIXCertPathChecker currChecker = certPathCheckers.get(j); 119 if (debug != null) { 120 debug.println("-Using checker" + (j + 1) + " ... [" + 121 currChecker.getClass().getName() + "]"); 122 } 123 124 if (i == 0) 125 currChecker.init(false); 126 127 try { 128 currChecker.check(currCert, unresCritExts); 129 130 if (debug != null) { 131 debug.println("-checker" + (j + 1) + 132 " validation succeeded"); 133 } 134 135 } catch (CertPathValidatorException cpve) { 136 throw new CertPathValidatorException(cpve.getMessage(), 137 (cpve.getCause() != null) ? cpve.getCause() : cpve, 138 cpOriginal, cpSize - (i + 1), cpve.getReason()); 139 } 140 } 141 142 if (!unresCritExts.isEmpty()) { 143 throw new CertPathValidatorException("unrecognized " + 144 "critical extension(s)", null, cpOriginal, cpSize-(i+1), 145 PKIXReason.UNRECOGNIZED_CRIT_EXT); 146 } 147 148 if (debug != null) 149 debug.println("\ncert" + (i+1) + " validation succeeded.\n"); 150 151 CertificateChainEvent cce = new CertificateChainEvent(); 152 if(cce.isEnabled() || EventHelper.isLoggingSecurity()) { 153 String c = reversedCertList.stream() 154 .map(x -> x.getSerialNumber().toString(16)) 155 .collect(Collectors.joining(", ")); 156 EventHelper.commitCertChainEvent(cce, c); 157 } 158 } 159 160 if (debug != null) { 161 debug.println("Cert path validation succeeded. (PKIX validation " 162 + "algorithm)"); 163 debug.println("-------------------------------------------------" 164 + "-------------"); 165 } 166 } 167 }