12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.provider.certpath;
27
28 import java.io.IOException;
29 import java.security.InvalidAlgorithmParameterException;
30 import java.security.cert.*;
31 import java.util.*;
32
33 import sun.security.provider.certpath.PKIX.ValidatorParams;
34 import sun.security.validator.Validator;
35 import sun.security.x509.X509CertImpl;
36 import sun.security.util.Debug;
37
38 /**
39 * This class implements the PKIX validation algorithm for certification
40 * paths consisting exclusively of <code>X509Certificates</code>. It uses
41 * the specified input parameter set (which must be a
42 * <code>PKIXParameters</code> object).
43 *
44 * @since 1.4
45 * @author Yassir Elley
46 */
47 public final class PKIXCertPathValidator extends CertPathValidatorSpi {
48
49 private static final Debug debug = Debug.getInstance("certpath");
50
51 /**
52 * Default constructor.
53 */
54 public PKIXCertPathValidator() {}
55
56 @Override
57 public CertPathChecker engineGetRevocationChecker() {
58 return new RevocationChecker();
59 }
60
61 /**
62 * Validates a certification path consisting exclusively of
63 * <code>X509Certificate</code>s using the PKIX validation algorithm,
64 * which uses the specified input parameter set.
65 * The input parameter set must be a <code>PKIXParameters</code> object.
66 *
67 * @param cp the X509 certification path
68 * @param params the input PKIX parameter set
69 * @return the result
217 }
218 revCheckerAdded = true;
219 // if it's our own, initialize it
220 if (checker instanceof RevocationChecker) {
221 ((RevocationChecker)checker).init(anchor, params);
222 }
223 }
224 }
225 // only add a RevocationChecker if revocation is enabled and
226 // a PKIXRevocationChecker has not already been added
227 if (params.revocationEnabled() && !revCheckerAdded) {
228 certPathCheckers.add(new RevocationChecker(anchor, params));
229 }
230 // add user-specified checkers
231 certPathCheckers.addAll(checkers);
232
233 PKIXMasterCertPathValidator.validate(params.certPath(),
234 params.certificates(),
235 certPathCheckers);
236
237 return new PKIXCertPathValidatorResult(anchor, pc.getPolicyTree(),
238 bc.getPublicKey());
239 }
240 }
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.provider.certpath;
27
28 import java.io.IOException;
29 import java.security.InvalidAlgorithmParameterException;
30 import java.security.cert.*;
31 import java.util.*;
32 import java.util.concurrent.atomic.AtomicLong;
33 import java.util.stream.Collectors;
34 import java.util.stream.IntStream;
35 import java.util.stream.Stream;
36
37 import jdk.internal.event.X509ValidationEvent;
38 import jdk.internal.event.EventHelper;
39 import sun.security.provider.certpath.PKIX.ValidatorParams;
40 import sun.security.validator.Validator;
41 import sun.security.x509.X509CertImpl;
42 import sun.security.util.Debug;
43
44 /**
45 * This class implements the PKIX validation algorithm for certification
46 * paths consisting exclusively of <code>X509Certificates</code>. It uses
47 * the specified input parameter set (which must be a
48 * <code>PKIXParameters</code> object).
49 *
50 * @since 1.4
51 * @author Yassir Elley
52 */
53 public final class PKIXCertPathValidator extends CertPathValidatorSpi {
54
55 private static final Debug debug = Debug.getInstance("certpath");
56 private static final AtomicLong validationEventNumber = new AtomicLong();
57
58 /**
59 * Default constructor.
60 */
61 public PKIXCertPathValidator() {}
62
63 @Override
64 public CertPathChecker engineGetRevocationChecker() {
65 return new RevocationChecker();
66 }
67
68 /**
69 * Validates a certification path consisting exclusively of
70 * <code>X509Certificate</code>s using the PKIX validation algorithm,
71 * which uses the specified input parameter set.
72 * The input parameter set must be a <code>PKIXParameters</code> object.
73 *
74 * @param cp the X509 certification path
75 * @param params the input PKIX parameter set
76 * @return the result
224 }
225 revCheckerAdded = true;
226 // if it's our own, initialize it
227 if (checker instanceof RevocationChecker) {
228 ((RevocationChecker)checker).init(anchor, params);
229 }
230 }
231 }
232 // only add a RevocationChecker if revocation is enabled and
233 // a PKIXRevocationChecker has not already been added
234 if (params.revocationEnabled() && !revCheckerAdded) {
235 certPathCheckers.add(new RevocationChecker(anchor, params));
236 }
237 // add user-specified checkers
238 certPathCheckers.addAll(checkers);
239
240 PKIXMasterCertPathValidator.validate(params.certPath(),
241 params.certificates(),
242 certPathCheckers);
243
244 X509ValidationEvent xve = new X509ValidationEvent();
245 if(xve.shouldCommit() || EventHelper.isLoggingSecurity()) {
246 int[] hashCodes = params.certificates().stream()
247 .mapToInt(x -> x.hashCode())
248 .toArray();
249 int anchorHashId =
250 anchor.getTrustedCert().hashCode();
251 if (xve.shouldCommit()) {
252 xve.hashCode = anchorHashId;
253 int certificatePos = 1; //anchor cert
254 xve.certificatePosition = certificatePos;
255 xve.validationId = validationEventNumber.incrementAndGet();
256 xve.commit();
257 // now, iterate through remaining
258 for (int hashCode : hashCodes) {
259 xve.hashCode = hashCode;
260 xve.certificatePosition = ++certificatePos;
261 xve.commit();
262
263 }
264 }
265 if (EventHelper.isLoggingSecurity()) {
266 EventHelper.logX509ValidationEvent(anchorHashId, hashCodes);
267 }
268 }
269 return new PKIXCertPathValidatorResult(anchor, pc.getPolicyTree(),
270 bc.getPublicKey());
271 }
272
273 }
|