1 /*
2 * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.provider.certpath;
27
28 import jdk.internal.event.CertificateChainEvent;
29 import jdk.internal.event.EventHelper;
30 import sun.security.util.Debug;
31
32 import java.util.Collections;
33 import java.util.List;
34 import java.util.Set;
35 import java.util.StringJoiner;
36 import java.security.cert.CertPath;
37 import java.security.cert.CertPathValidatorException;
38 import java.security.cert.PKIXCertPathChecker;
39 import java.security.cert.PKIXReason;
40 import java.security.cert.X509Certificate;
41 import java.util.stream.Collectors;
42
43 /**
44 * This class is initialized with a list of <code>PKIXCertPathChecker</code>s
45 * and is used to verify the certificates in a <code>CertPath</code> by
46 * feeding each certificate to each <code>PKIXCertPathChecker</code>.
47 *
48 * @since 1.4
49 * @author Yassir Elley
50 */
51 class PKIXMasterCertPathValidator {
52
53 private static final Debug debug = Debug.getInstance("certpath");
54
55 /**
56 * Validates a certification path consisting exclusively of
57 * <code>X509Certificate</code>s using the specified
58 * <code>PKIXCertPathChecker</code>s. It is assumed that the
59 * <code>PKIXCertPathChecker</code>s
60 * have been initialized with any input parameters they may need.
61 *
62 * @param cpOriginal the original X509 CertPath passed in by the user
63 * @param reversedCertList the reversed X509 CertPath (as a List)
64 * @param certPathCheckers the PKIXCertPathCheckers
65 * @throws CertPathValidatorException if cert path does not validate
66 */
67 static void validate(CertPath cpOriginal,
68 List<X509Certificate> reversedCertList,
69 List<PKIXCertPathChecker> certPathCheckers)
70 throws CertPathValidatorException
71 {
72 // we actually process reversedCertList, but we keep cpOriginal because
73 // we need to return the original certPath when we throw an exception.
74 // we will also need to modify the index appropriately when we
75 // throw an exception.
76
77 int cpSize = reversedCertList.size();
78
79 if (debug != null) {
80 debug.println("--------------------------------------------------"
81 + "------------");
82 debug.println("Executing PKIX certification path validation "
83 + "algorithm.");
84 }
85
86 for (int i = 0; i < cpSize; i++) {
87
88 /* The basic loop algorithm is that we get the
89 * current certificate, we verify the current certificate using
90 * information from the previous certificate and from the state,
91 * and we modify the state for the next loop by setting the
92 * current certificate of this loop to be the previous certificate
93 * of the next loop. The state is initialized during first loop.
94 */
95 X509Certificate currCert = reversedCertList.get(i);
96
97 if (debug != null) {
98 debug.println("Checking cert" + (i+1) + " - Subject: " +
99 currCert.getSubjectX500Principal());
100 }
101
102 Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
103 if (unresCritExts == null) {
104 unresCritExts = Collections.<String>emptySet();
105 }
106
107 if (debug != null && !unresCritExts.isEmpty()) {
108 StringJoiner joiner = new StringJoiner(", ", "{", "}");
109 for (String oid : unresCritExts) {
110 joiner.add(oid);
111 }
112 debug.println("Set of critical extensions: " +
113 joiner.toString());
114 }
115
116 for (int j = 0; j < certPathCheckers.size(); j++) {
117
118 PKIXCertPathChecker currChecker = certPathCheckers.get(j);
119 if (debug != null) {
120 debug.println("-Using checker" + (j + 1) + " ... [" +
121 currChecker.getClass().getName() + "]");
122 }
123
124 if (i == 0)
125 currChecker.init(false);
126
127 try {
128 currChecker.check(currCert, unresCritExts);
129
130 if (debug != null) {
131 debug.println("-checker" + (j + 1) +
132 " validation succeeded");
133 }
134
135 } catch (CertPathValidatorException cpve) {
136 throw new CertPathValidatorException(cpve.getMessage(),
137 (cpve.getCause() != null) ? cpve.getCause() : cpve,
138 cpOriginal, cpSize - (i + 1), cpve.getReason());
139 }
140 }
141
142 if (!unresCritExts.isEmpty()) {
143 throw new CertPathValidatorException("unrecognized " +
144 "critical extension(s)", null, cpOriginal, cpSize-(i+1),
145 PKIXReason.UNRECOGNIZED_CRIT_EXT);
146 }
147
148 if (debug != null)
149 debug.println("\ncert" + (i+1) + " validation succeeded.\n");
150
151 CertificateChainEvent cce = new CertificateChainEvent();
152 if(cce.isEnabled() || EventHelper.isLoggingSecurity()) {
153 String c = reversedCertList.stream()
154 .map(x -> x.getSerialNumber().toString(16))
155 .collect(Collectors.joining(", "));
156 EventHelper.commitCertChainEvent(cce, c);
157 }
158 }
159
160 if (debug != null) {
161 debug.println("Cert path validation succeeded. (PKIX validation "
162 + "algorithm)");
163 debug.println("-------------------------------------------------"
164 + "-------------");
165 }
166 }
167 }