src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
@@ -121,25 +121,30 @@
private final String variant;
// type of the validator this checker belongs to
private final String type;
+ // the end entity certificate's extensions
+ private Set<String> exts;
+
private EndEntityChecker(String type, String variant) {
this.type = type;
this.variant = variant;
}
static EndEntityChecker getInstance(String type, String variant) {
return new EndEntityChecker(type, variant);
}
- void check(X509Certificate cert, Object parameter)
- throws CertificateException {
+ void check(X509Certificate cert, Object parameter,
+ boolean checkExtraExtensions) throws CertificateException {
if (variant.equals(Validator.VAR_GENERIC)) {
- // no checks
- return;
- } else if (variant.equals(Validator.VAR_TLS_SERVER)) {
+ return; // no checks
+ }
+
+ exts = getCriticalExtensions(cert);
+ if (variant.equals(Validator.VAR_TLS_SERVER)) {
checkTLSServer(cert, (String)parameter);
} else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
checkTLSClient(cert);
} else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
checkCodeSigning(cert);
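Review bot: Moving the critical-extension set from a local into the instance field `exts` (added at the top of this hunk and assigned in check()) makes EndEntityChecker stateful and unsafe for concurrent use; two check() calls on the same instance overwrite each other's set, so a thread can end up removing OIDs from, and running checkRemainingExtensions on, the set built for a different certificate, which can either spuriously reject a cert or let an unrecognized critical extension pass unrejected. Whether instances are actually shared depends on how the owning Validator is used, which is outside this hunk; I believe validators are long-lived and reused by trust managers, so this is worth confirming before relying on it. The same field is read by `checkRemainingExtensions(exts)` in the next hunk and by every `exts.remove(...)` in the checkTLSClient, checkTLSServer, checkCodeSigning and checkTSAServer hunks below. The fix is to keep `exts` local in check() and hand it to the private checkers as a parameter, dropping the field; check() itself continues past the end of this hunk.
```java
    void check(X509Certificate cert, Object parameter,
            boolean checkExtraExtensions) throws CertificateException {
        if (variant.equals(Validator.VAR_GENERIC)) {
            return; // no checks
        }

        // kept local: concurrent check() calls on a shared checker must not
        // observe each other's extension set
        Set<String> exts = getCriticalExtensions(cert);
        if (variant.equals(Validator.VAR_TLS_SERVER)) {
            checkTLSServer(cert, (String)parameter, exts);
        } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
            checkTLSClient(cert, exts);
        } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
            checkCodeSigning(cert, exts);
        // … unchanged: remaining variant dispatch, then checkRemainingExtensions(exts) …
```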
@@ -150,10 +155,15 @@
} else if (variant.equals(Validator.VAR_TSA_SERVER)) {
checkTSAServer(cert);
} else {
throw new CertificateException("Unknown variant: " + variant);
}
+
+ // if neither VAR_GENERIC variant nor unknown variant
+ if (checkExtraExtensions) {
+ checkRemainingExtensions(exts);
+ }
}
/**
* Utility method returning the Set of critical extensions for
* certificate cert (never null).
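Review bot: The new `checkExtraExtensions` flag that gates `checkRemainingExtensions(exts)` here is undocumented, and what it switches off is security-relevant: with `false`, an end-entity certificate carrying a critical extension that none of the variant-specific checks consumed is no longer rejected by this class, so the caller becomes responsible for that rejection. Presumably the intent is that another validation stage performs it, but nothing on the page states that contract. I would add to check()'s Javadoc a parameter line such as `@param checkExtraExtensions if false, critical extensions not consumed by the variant-specific checks are left for the caller to reject` so that a future caller passing `false` knows what it is taking on. check() begins in the previous hunk.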
@@ -219,12 +229,10 @@
* authentication.
* @throws CertificateException if not.
*/
private void checkTLSClient(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
@@ -243,24 +251,20 @@
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used for TLS server authentication
* using the specified authentication type parameter. See X509TrustManager
* specification for details.
* @throws CertificateException if not.
*/
private void checkTLSServer(X509Certificate cert, String parameter)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (KU_SERVER_ENCRYPTION.contains(parameter)) {
if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
throw new ValidatorException
("KeyUsage does not allow key encipherment",
ValidatorException.T_EE_EXTENSIONS, cert);
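Review bot: The Javadoc for checkTLSServer in this hunk still describes it as a self-contained check, but after removing the local `Set<String> exts` the method now depends on the instance field `exts` having been populated by check() immediately before the call, and it mutates that field by removing the OIDs it verifies. That precondition and side effect are invisible from the signature and should be stated, e.g. `Requires {@code exts} to hold the certificate's critical extensions (set by {@link #check}); removes the OIDs it verifies from that set.` The same omission applies to the Javadoc of checkTLSClient, checkCodeSigning and checkTSAServer in the surrounding hunks. checkTLSServer's body continues past the end of this hunk.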
@@ -301,22 +305,18 @@
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used for code signing.
* @throws CertificateException if not.
*/
private void checkCodeSigning(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
@@ -339,23 +339,19 @@
}
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used by a time stamping authority
* server (see RFC 3161, section 2.3).
* @throws CertificateException if not.
*/
private void checkTSAServer(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
@@ -374,9 +370,7 @@
}
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
- checkRemainingExtensions(exts);
}
}