170 lines
6.0 KiB
Java
170 lines
6.0 KiB
Java
/*
|
|
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation. Oracle designates this
|
|
* particular file as subject to the "Classpath" exception as provided
|
|
* by Oracle in the LICENSE file that accompanied this code.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
package sun.security.provider.certpath;
|
|
|
|
import java.util.*;
|
|
import java.security.cert.*;
|
|
import java.security.cert.PKIXReason;
|
|
|
|
import sun.security.util.Debug;
|
|
import static sun.security.x509.PKIXExtensions.*;
|
|
|
|
/**
|
|
* KeyChecker is a <code>PKIXCertPathChecker</code> that checks that the
|
|
* keyCertSign bit is set in the keyUsage extension in an intermediate CA
|
|
* certificate. It also checks whether the final certificate in a
|
|
* certification path meets the specified target constraints specified as
|
|
* a CertSelector in the PKIXParameters passed to the CertPathValidator.
|
|
*
|
|
* @since 1.4
|
|
* @author Yassir Elley
|
|
*/
|
|
class KeyChecker extends PKIXCertPathChecker {
|
|
|
|
private static final Debug debug = Debug.getInstance("certpath");
|
|
private final int certPathLen;
|
|
private final CertSelector targetConstraints;
|
|
private int remainingCerts;
|
|
|
|
private Set<String> supportedExts;
|
|
|
|
/**
|
|
* Creates a KeyChecker.
|
|
*
|
|
* @param certPathLen allowable cert path length
|
|
* @param targetCertSel a CertSelector object specifying the constraints
|
|
* on the target certificate
|
|
*/
|
|
KeyChecker(int certPathLen, CertSelector targetCertSel) {
|
|
this.certPathLen = certPathLen;
|
|
this.targetConstraints = targetCertSel;
|
|
}
|
|
|
|
/**
|
|
* Initializes the internal state of the checker from parameters
|
|
* specified in the constructor
|
|
*/
|
|
@Override
|
|
public void init(boolean forward) throws CertPathValidatorException {
|
|
if (!forward) {
|
|
remainingCerts = certPathLen;
|
|
} else {
|
|
throw new CertPathValidatorException
|
|
("forward checking not supported");
|
|
}
|
|
}
|
|
|
|
@Override
|
|
public boolean isForwardCheckingSupported() {
|
|
return false;
|
|
}
|
|
|
|
@Override
|
|
public Set<String> getSupportedExtensions() {
|
|
if (supportedExts == null) {
|
|
supportedExts = new HashSet<String>(3);
|
|
supportedExts.add(KeyUsage_Id.toString());
|
|
supportedExts.add(ExtendedKeyUsage_Id.toString());
|
|
supportedExts.add(SubjectAlternativeName_Id.toString());
|
|
supportedExts = Collections.unmodifiableSet(supportedExts);
|
|
}
|
|
return supportedExts;
|
|
}
|
|
|
|
/**
|
|
* Checks that keyUsage and target constraints are satisfied by
|
|
* the specified certificate.
|
|
*
|
|
* @param cert the Certificate
|
|
* @param unresolvedCritExts the unresolved critical extensions
|
|
* @throws CertPathValidatorException if certificate does not verify
|
|
*/
|
|
@Override
|
|
public void check(Certificate cert, Collection<String> unresCritExts)
|
|
throws CertPathValidatorException
|
|
{
|
|
X509Certificate currCert = (X509Certificate)cert;
|
|
|
|
remainingCerts--;
|
|
|
|
// if final certificate, check that target constraints are satisfied
|
|
if (remainingCerts == 0) {
|
|
if (targetConstraints != null &&
|
|
targetConstraints.match(currCert) == false) {
|
|
throw new CertPathValidatorException("target certificate " +
|
|
"constraints check failed");
|
|
}
|
|
} else {
|
|
// otherwise, verify that keyCertSign bit is set in CA certificate
|
|
verifyCAKeyUsage(currCert);
|
|
}
|
|
|
|
// remove the extensions that we have checked
|
|
if (unresCritExts != null && !unresCritExts.isEmpty()) {
|
|
unresCritExts.remove(KeyUsage_Id.toString());
|
|
unresCritExts.remove(ExtendedKeyUsage_Id.toString());
|
|
unresCritExts.remove(SubjectAlternativeName_Id.toString());
|
|
}
|
|
}
|
|
|
|
// the index of keyCertSign in the boolean KeyUsage array
|
|
private static final int KEY_CERT_SIGN = 5;
|
|
/**
|
|
* Verifies the key usage extension in a CA cert.
|
|
* The key usage extension, if present, must assert the keyCertSign bit.
|
|
* The extended key usage extension is not checked (see CR 4776794 for
|
|
* more information).
|
|
*/
|
|
static void verifyCAKeyUsage(X509Certificate cert)
|
|
throws CertPathValidatorException {
|
|
String msg = "CA key usage";
|
|
if (debug != null) {
|
|
debug.println("KeyChecker.verifyCAKeyUsage() ---checking " + msg
|
|
+ "...");
|
|
}
|
|
|
|
boolean[] keyUsageBits = cert.getKeyUsage();
|
|
|
|
// getKeyUsage returns null if the KeyUsage extension is not present
|
|
// in the certificate - in which case there is nothing to check
|
|
if (keyUsageBits == null) {
|
|
return;
|
|
}
|
|
|
|
// throw an exception if the keyCertSign bit is not set
|
|
if (!keyUsageBits[KEY_CERT_SIGN]) {
|
|
throw new CertPathValidatorException
|
|
(msg + " check failed: keyCertSign bit is not set", null,
|
|
null, -1, PKIXReason.INVALID_KEY_USAGE);
|
|
}
|
|
|
|
if (debug != null) {
|
|
debug.println("KeyChecker.verifyCAKeyUsage() " + msg
|
|
+ " verified.");
|
|
}
|
|
}
|
|
}
|