12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider.certpath; 27 28 import java.io.IOException; 29 import java.security.InvalidAlgorithmParameterException; 30 import java.security.cert.*; 31 import java.util.*; 32 33 import sun.security.provider.certpath.PKIX.ValidatorParams; 34 import sun.security.validator.Validator; 35 import sun.security.x509.X509CertImpl; 36 import sun.security.util.Debug; 37 38 /** 39 * This class implements the PKIX validation algorithm for certification 40 * paths consisting exclusively of <code>X509Certificates</code>. It uses 41 * the specified input parameter set (which must be a 42 * <code>PKIXParameters</code> object). 43 * 44 * @since 1.4 45 * @author Yassir Elley 46 */ 47 public final class PKIXCertPathValidator extends CertPathValidatorSpi { 48 49 private static final Debug debug = Debug.getInstance("certpath"); 50 51 /** 52 * Default constructor. 53 */ 54 public PKIXCertPathValidator() {} 55 56 @Override 57 public CertPathChecker engineGetRevocationChecker() { 58 return new RevocationChecker(); 59 } 60 61 /** 62 * Validates a certification path consisting exclusively of 63 * <code>X509Certificate</code>s using the PKIX validation algorithm, 64 * which uses the specified input parameter set. 65 * The input parameter set must be a <code>PKIXParameters</code> object. 66 * 67 * @param cp the X509 certification path 68 * @param params the input PKIX parameter set 69 * @return the result 217 } 218 revCheckerAdded = true; 219 // if it's our own, initialize it 220 if (checker instanceof RevocationChecker) { 221 ((RevocationChecker)checker).init(anchor, params); 222 } 223 } 224 } 225 // only add a RevocationChecker if revocation is enabled and 226 // a PKIXRevocationChecker has not already been added 227 if (params.revocationEnabled() && !revCheckerAdded) { 228 certPathCheckers.add(new RevocationChecker(anchor, params)); 229 } 230 // add user-specified checkers 231 certPathCheckers.addAll(checkers); 232 233 PKIXMasterCertPathValidator.validate(params.certPath(), 234 params.certificates(), 235 certPathCheckers); 236 237 return new PKIXCertPathValidatorResult(anchor, pc.getPolicyTree(), 238 bc.getPublicKey()); 239 } 240 } | 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.provider.certpath; 27 28 import java.io.IOException; 29 import java.security.InvalidAlgorithmParameterException; 30 import java.security.cert.*; 31 import java.util.*; 32 import java.util.concurrent.atomic.AtomicLong; 33 import java.util.stream.Collectors; 34 import java.util.stream.IntStream; 35 import java.util.stream.Stream; 36 37 import jdk.internal.event.X509ValidationEvent; 38 import jdk.internal.event.EventHelper; 39 import sun.security.provider.certpath.PKIX.ValidatorParams; 40 import sun.security.validator.Validator; 41 import sun.security.x509.X509CertImpl; 42 import sun.security.util.Debug; 43 44 /** 45 * This class implements the PKIX validation algorithm for certification 46 * paths consisting exclusively of <code>X509Certificates</code>. It uses 47 * the specified input parameter set (which must be a 48 * <code>PKIXParameters</code> object). 49 * 50 * @since 1.4 51 * @author Yassir Elley 52 */ 53 public final class PKIXCertPathValidator extends CertPathValidatorSpi { 54 55 private static final Debug debug = Debug.getInstance("certpath"); 56 private static final AtomicLong validationEventNumber = new AtomicLong(); 57 58 /** 59 * Default constructor. 60 */ 61 public PKIXCertPathValidator() {} 62 63 @Override 64 public CertPathChecker engineGetRevocationChecker() { 65 return new RevocationChecker(); 66 } 67 68 /** 69 * Validates a certification path consisting exclusively of 70 * <code>X509Certificate</code>s using the PKIX validation algorithm, 71 * which uses the specified input parameter set. 72 * The input parameter set must be a <code>PKIXParameters</code> object. 73 * 74 * @param cp the X509 certification path 75 * @param params the input PKIX parameter set 76 * @return the result 224 } 225 revCheckerAdded = true; 226 // if it's our own, initialize it 227 if (checker instanceof RevocationChecker) { 228 ((RevocationChecker)checker).init(anchor, params); 229 } 230 } 231 } 232 // only add a RevocationChecker if revocation is enabled and 233 // a PKIXRevocationChecker has not already been added 234 if (params.revocationEnabled() && !revCheckerAdded) { 235 certPathCheckers.add(new RevocationChecker(anchor, params)); 236 } 237 // add user-specified checkers 238 certPathCheckers.addAll(checkers); 239 240 PKIXMasterCertPathValidator.validate(params.certPath(), 241 params.certificates(), 242 certPathCheckers); 243 244 X509ValidationEvent xve = new X509ValidationEvent(); 245 if(xve.shouldCommit() || EventHelper.isLoggingSecurity()) { 246 int[] hashCodes = params.certificates().stream() 247 .mapToInt(x -> x.hashCode()) 248 .toArray(); 249 int anchorHashId = 250 anchor.getTrustedCert().hashCode(); 251 if (xve.shouldCommit()) { 252 xve.hashCode = anchorHashId; 253 int certificatePos = 1; //anchor cert 254 xve.certificatePosition = certificatePos; 255 xve.validationId = validationEventNumber.incrementAndGet(); 256 xve.commit(); 257 // now, iterate through remaining 258 for (int hashCode : hashCodes) { 259 xve.hashCode = hashCode; 260 xve.certificatePosition = ++certificatePos; 261 xve.commit(); 262 263 } 264 } 265 if (EventHelper.isLoggingSecurity()) { 266 EventHelper.logX509ValidationEvent(anchorHashId, hashCodes); 267 } 268 } 269 return new PKIXCertPathValidatorResult(anchor, pc.getPolicyTree(), 270 bc.getPublicKey()); 271 } 272 273 } |