src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
*** 1,7 ****
/*
! * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
/*
! * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
*** 130,159 ****
static EndEntityChecker getInstance(String type, String variant) {
return new EndEntityChecker(type, variant);
}
! void check(X509Certificate cert, Object parameter)
! throws CertificateException {
if (variant.equals(Validator.VAR_GENERIC)) {
! // no checks
! return;
! } else if (variant.equals(Validator.VAR_TLS_SERVER)) {
! checkTLSServer(cert, (String)parameter);
} else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
! checkTLSClient(cert);
} else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
! checkCodeSigning(cert);
} else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
! checkCodeSigning(cert);
} else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
! checkCodeSigning(cert);
} else if (variant.equals(Validator.VAR_TSA_SERVER)) {
! checkTSAServer(cert);
} else {
throw new CertificateException("Unknown variant: " + variant);
}
}
/**
* Utility method returning the Set of critical extensions for
* certificate cert (never null).
--- 130,166 ----
static EndEntityChecker getInstance(String type, String variant) {
return new EndEntityChecker(type, variant);
}
! void check(X509Certificate cert, Object parameter,
! boolean checkUnresolvedCritExts) throws CertificateException {
if (variant.equals(Validator.VAR_GENERIC)) {
! return; // no checks
! }
!
! Set<String> exts = getCriticalExtensions(cert);
! if (variant.equals(Validator.VAR_TLS_SERVER)) {
! checkTLSServer(cert, (String)parameter, exts);
} else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
! checkTLSClient(cert, exts);
} else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
! checkCodeSigning(cert, exts);
} else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
! checkCodeSigning(cert, exts);
} else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
! checkCodeSigning(cert, exts);
} else if (variant.equals(Validator.VAR_TSA_SERVER)) {
! checkTSAServer(cert, exts);
} else {
throw new CertificateException("Unknown variant: " + variant);
}
+
+ // if neither VAR_GENERIC variant nor unknown variant
+ if (checkUnresolvedCritExts) {
+ checkRemainingExtensions(exts);
+ }
}
/**
* Utility method returning the Set of critical extensions for
* certificate cert (never null).
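Review bot: The new `checkUnresolvedCritExts` parameter weakens a security check without documenting when that is acceptable: when it is false the `checkRemainingExtensions(exts)` call at the end of check() is skipped, so an end-entity certificate carrying a critical extension this checker does not recognise is accepted, whereas before this change every non-generic variant rejected it (RFC 5280 §4.2 requires rejecting such certificates). Any Javadoc for check() sits above the hunk and is not visible; it should gain a `@param checkUnresolvedCritExts` entry stating that false is only correct when the caller has already enforced the unrecognised-critical-extension rule elsewhere (presumably the path validator — confirm against the callers), and a `@param parameter` note that it is cast to String for the TLS-server variant, which is pre-existing but undocumented. The line comment `// if neither VAR_GENERIC variant nor unknown variant` would be clearer as `// every variant above has pruned the OIDs it verified from exts; unless the caller handles it, fail on any critical extension nobody recognised`, since `exts` is a mutable working set the helpers depend on being pruned in place.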
*** 217,230 ****
/**
* Check whether this certificate can be used for TLS client
* authentication.
* @throws CertificateException if not.
*/
! private void checkTLSClient(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
--- 224,235 ----
/**
* Check whether this certificate can be used for TLS client
* authentication.
* @throws CertificateException if not.
*/
! private void checkTLSClient(X509Certificate cert, Set<String> exts)
throws CertificateException {
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
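Review bot: The Javadoc of checkTLSClient is unchanged although the signature gained a `Set<String> exts` parameter that the method mutates (the `exts.remove(...)` calls later in the body); the same applies to checkTLSServer, checkCodeSigning and checkTSAServer in the following hunks. Suggest adding to each `@param exts the certificate's critical extension OIDs; the OIDs this method has verified are removed from it so the caller can detect unrecognised critical extensions`, which also makes clear that an unmodifiable set must not be passed (getCriticalExtensions' body is not visible here, so whether it always returns a mutable set cannot be confirmed from this page). The body of checkTLSClient continues past the end of the hunk.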
*** 243,266 ****
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used for TLS server authentication
* using the specified authentication type parameter. See X509TrustManager
* specification for details.
* @throws CertificateException if not.
*/
! private void checkTLSServer(X509Certificate cert, String parameter)
! throws CertificateException {
! Set<String> exts = getCriticalExtensions(cert);
!
if (KU_SERVER_ENCRYPTION.contains(parameter)) {
if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
throw new ValidatorException
("KeyUsage does not allow key encipherment",
ValidatorException.T_EE_EXTENSIONS, cert);
--- 248,267 ----
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
}
/**
* Check whether this certificate can be used for TLS server authentication
* using the specified authentication type parameter. See X509TrustManager
* specification for details.
* @throws CertificateException if not.
*/
! private void checkTLSServer(X509Certificate cert, String parameter,
! Set<String> exts) throws CertificateException {
if (KU_SERVER_ENCRYPTION.contains(parameter)) {
if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
throw new ValidatorException
("KeyUsage does not allow key encipherment",
ValidatorException.T_EE_EXTENSIONS, cert);
*** 301,322 ****
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used for code signing.
* @throws CertificateException if not.
*/
! private void checkCodeSigning(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
--- 302,319 ----
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
}
/**
* Check whether this certificate can be used for code signing.
* @throws CertificateException if not.
*/
! private void checkCodeSigning(X509Certificate cert, Set<String> exts)
throws CertificateException {
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
*** 339,361 ****
}
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
- checkRemainingExtensions(exts);
}
/**
* Check whether this certificate can be used by a time stamping authority
* server (see RFC 3161, section 2.3).
* @throws CertificateException if not.
*/
! private void checkTSAServer(X509Certificate cert)
throws CertificateException {
- Set<String> exts = getCriticalExtensions(cert);
-
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
--- 336,354 ----
}
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
}
/**
* Check whether this certificate can be used by a time stamping authority
* server (see RFC 3161, section 2.3).
* @throws CertificateException if not.
*/
! private void checkTSAServer(X509Certificate cert, Set<String> exts)
throws CertificateException {
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
ValidatorException.T_EE_EXTENSIONS, cert);
}
*** 374,382 ****
}
// remove extensions we checked
exts.remove(SimpleValidator.OID_KEY_USAGE);
exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
- checkRemainingExtensions(exts);
}
}
--- 367,373 ----