src/java.base/share/classes/sun/security/validator/EndEntityChecker.java


        

*** 1,7 **** /* ! * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 121,145 **** private final String variant; // type of the validator this checker belongs to private final String type; private EndEntityChecker(String type, String variant) { this.type = type; this.variant = variant; } static EndEntityChecker getInstance(String type, String variant) { return new EndEntityChecker(type, variant); } ! void check(X509Certificate cert, Object parameter) ! throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { ! // no checks ! return; ! } else if (variant.equals(Validator.VAR_TLS_SERVER)) { checkTLSServer(cert, (String)parameter); } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { checkTLSClient(cert); } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { checkCodeSigning(cert); --- 121,150 ---- private final String variant; // type of the validator this checker belongs to private final String type; + // the end entity certificate's extensions + private Set<String> exts; + private EndEntityChecker(String type, String variant) { this.type = type; this.variant = variant; } static EndEntityChecker getInstance(String type, String variant) { return new EndEntityChecker(type, variant); } ! void check(X509Certificate cert, Object parameter, ! boolean checkExtraExtensions) throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { ! return; // no checks ! } ! ! exts = getCriticalExtensions(cert); ! if (variant.equals(Validator.VAR_TLS_SERVER)) { checkTLSServer(cert, (String)parameter); } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { checkTLSClient(cert); } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { checkCodeSigning(cert);
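Review bot: Promoting `exts` from a per-call local to the instance field added at `private Set<String> exts;` makes `check` non-reentrant: two threads calling `check` on the same EndEntityChecker would race on the field, and the `exts.remove(...)` calls in the checkTLSClient, checkTLSServer, checkCodeSigning and checkTSAServer hunks below would then operate on the other call's set, so a critical extension could be silently dropped or a spurious ValidatorException raised. Whether a checker instance is shared across threads depends on how Validator holds the object returned by `getInstance`, which is outside this view; if it can be, the set should stay local to `check` and be passed to the helpers as an argument (their private signatures change accordingly outside this hunk). If sharing is ruled out, the field still deserves a comment such as `// per-call scratch state filled by check(); this class is not thread-safe`. The body of `check` continues past the end of this hunk.
```java
void check(X509Certificate cert, Object parameter,
        boolean checkExtraExtensions) throws CertificateException {
    if (variant.equals(Validator.VAR_GENERIC)) {
        return; // no checks
    }

    // Kept local on purpose: concurrent check() calls on a shared
    // checker must not clobber each other's extension set.
    Set<String> exts = getCriticalExtensions(cert);

    if (variant.equals(Validator.VAR_TLS_SERVER)) {
        checkTLSServer(cert, (String)parameter, exts);
    } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
        checkTLSClient(cert, exts);
    } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
        checkCodeSigning(cert, exts);
    // … unchanged: remaining variant dispatch, then checkRemainingExtensions(exts) when requested …
```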
*** 150,159 **** --- 155,169 ---- } else if (variant.equals(Validator.VAR_TSA_SERVER)) { checkTSAServer(cert); } else { throw new CertificateException("Unknown variant: " + variant); } + + // if neither VAR_GENERIC variant nor unknown variant + if (checkExtraExtensions) { + checkRemainingExtensions(exts); + } } /** * Utility method returning the Set of critical extensions for * certificate cert (never null).
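Review bot: The new `if (checkExtraExtensions)` guard changes what this class guarantees — before the change every non-generic variant rejected unrecognized critical extensions via `checkRemainingExtensions`, and now a caller passing `false` gets no such rejection from this checker at all — but neither the guard's comment nor `check`'s Javadoc says who is then responsible. The comment `// if neither VAR_GENERIC variant nor unknown variant` only restates the control flow (an unknown variant has already thrown on the line above); replacing it with `// Unrecognized critical extensions are rejected here only on request; a caller passing false must have rejected them in its own validation path.` records the actual contract. `check` should also get a `@param checkExtraExtensions true to fail on critical extensions this checker did not consume, false if the caller has already validated them` so the third argument is not guessed at by future callers. The `check` method starts outside this hunk.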
*** 219,230 **** * authentication. * @throws CertificateException if not. */ private void checkTLSClient(X509Certificate cert) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert); } --- 229,238 ----
*** 243,266 **** // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE); - - checkRemainingExtensions(exts); } /** * Check whether this certificate can be used for TLS server authentication * using the specified authentication type parameter. See X509TrustManager * specification for details. * @throws CertificateException if not. */ private void checkTLSServer(X509Certificate cert, String parameter) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (KU_SERVER_ENCRYPTION.contains(parameter)) { if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) { throw new ValidatorException ("KeyUsage does not allow key encipherment", ValidatorException.T_EE_EXTENSIONS, cert); --- 251,270 ----
*** 301,322 **** // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE); - - checkRemainingExtensions(exts); } /** * Check whether this certificate can be used for code signing. * @throws CertificateException if not. */ private void checkCodeSigning(X509Certificate cert) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert); } --- 305,322 ----
*** 339,361 **** } // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); - - checkRemainingExtensions(exts); } /** * Check whether this certificate can be used by a time stamping authority * server (see RFC 3161, section 2.3). * @throws CertificateException if not. */ private void checkTSAServer(X509Certificate cert) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", ValidatorException.T_EE_EXTENSIONS, cert); } --- 339,357 ----
*** 374,382 **** } // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); - - checkRemainingExtensions(exts); } } --- 370,376 ----