sun.security.x509.X509CertImpl Java Examples

The following examples show how to use sun.security.x509.X509CertImpl. This class lives in a JDK-internal package (sun.*) that is not part of the supported Java API, so code that depends on it may fail to compile or run on other JDK versions or vendors. The source file and originating project are listed above each example.
Example #1
Source File: KeyFactory.java    From ariADDna with Apache License 2.0
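/**
 * Reads a certificate from {@code certFile}, adds it to the key store stored in
 * {@code keyStoreFile} under an alias taken from the certificate's subject name,
 * and writes the key store back to the same file.
 *
 * <p>The entry is written with {@link KeyStore#setCertificateEntry}, i.e. as a
 * trusted-certificate entry, and an existing certificate entry under the same
 * alias is replaced. Callers should only pass certificate files that were vetted
 * beforehand.
 *
 * @param certFile file holding the certificate to add
 * @param keyStoreFile existing key store file, read and then overwritten
 * @throws KeyStoreException wrapping any failure while reading the certificate,
 *         loading the key store, or storing it
 */
public void storeCertToKeyStore(File certFile, File keyStoreFile) throws KeyStoreException {
    try {
        X509CertImpl cert = (X509CertImpl) certFactory.getCertByFile(certFile);
        String alias = certFactory.getCertSubjectName(cert);
        LOGGER.info("Certificate with filename {} has Subject name {}",
                certFile.getAbsolutePath(), alias);

        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_FORMAT);
        // try-with-resources: the stream is closed even when load() throws,
        // which the earlier explicit close() call did not guarantee.
        try (FileInputStream fis = new FileInputStream(keyStoreFile)) {
            keyStore.load(fis, pass);
        }
        LOGGER.info("KeyStore load successful");

        keyStore.setCertificateEntry(alias, cert);
        // NOTE(review): opening the output stream truncates the key store file
        // before store() runs; a failure in store() leaves the file incomplete.
        // Consider writing to a temporary file and renaming it into place.
        try (FileOutputStream fos = new FileOutputStream(keyStoreFile)) {
            keyStore.store(fos, pass);
        }
        LOGGER.info("Certificate with filename {} stored in keyStore with filename {}",
                certFile.getAbsolutePath(), keyStoreFile.getAbsolutePath());
    } catch (Exception e) {
        LOGGER.error("Exception: ", e);
        throw new KeyStoreException("Caused by: ", e);
    }
}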
 
Example #2
Source File: UntrustedCertificates.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Reports whether the fingerprint of a certificate is listed as untrusted.
 *
 * <p>The check fails open in two cases visible here: when no fingerprint
 * algorithm is configured, and when the certificate cannot be re-parsed from
 * its encoding, the method answers {@code false}.
 *
 * @param cert the certificate to look up
 * @return {@code true} only if the certificate's fingerprint is a key in the
 *         untrusted list
 */
public static boolean isUntrusted(X509Certificate cert) {
    if (algorithm == null) {
        return false;
    }

    final X509CertImpl impl;
    if (cert instanceof X509CertImpl) {
        impl = (X509CertImpl) cert;
    } else {
        // Foreign implementation: rebuild it from its encoded form so the
        // fingerprint is computed by the same code path.
        try {
            impl = new X509CertImpl(cert.getEncoded());
        } catch (CertificateException cee) {
            return false;
        }
    }
    return props.containsKey(impl.getFingerprint(algorithm));
}
 
Example #3
Source File: OCSP.java    From openjdk-jdk8u with GNU General Public License v2.0
/**
 * Looks up the OCSP responder URI in a certificate's AuthorityInfoAccess
 * extension.
 *
 * <p>The URI is copied from the certificate as is; the method performs no
 * check on its scheme or host.
 *
 * @param certImpl the certificate to inspect
 * @return the first OCSP access location of URI type, or {@code null} when
 *         the extension is absent or holds no such entry
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aia =
        certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }

    for (AccessDescription entry : aia.getAccessDescriptions()) {
        // Only OCSP access methods are of interest.
        if (!entry.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
            continue;
        }
        GeneralName location = entry.getAccessLocation();
        if (location.getType() != GeneralNameInterface.NAME_URI) {
            continue;
        }
        return ((URIName) location.getName()).getURI();
    }
    return null;
}
 
Example #4
Source File: CheckCertId.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Test entry point: verifies that {@code CertId.getIssuerNameHash()} equals a
 * SHA1 digest of the encoded subject name of the certificate handed to the
 * {@code CertId} constructor.
 *
 * @param args unused
 * @throws Exception if the certificate cannot be loaded or the hashes differ
 */
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // Reference value, computed the way the CertId constructor is expected to.
    byte[] expectedHash = MessageDigest.getInstance("SHA1")
            .digest(cert.getSubjectX500Principal().getEncoded());

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    if (!Arrays.equals(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #5
Source File: CheckCertId.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Regression check for {@code CertId}: the issuer-name hash it exposes must
 * match a SHA1 digest taken over the loaded certificate's encoded subject.
 *
 * @param args unused
 * @throws Exception on load failure or when the two hashes do not match
 */
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    /* Independent computation of the value CertId should hold */
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    byte[] subjectDer = cert.getSubjectX500Principal().getEncoded();
    sha1.update(subjectDer);
    byte[] expectedHash = sha1.digest();

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    boolean same = Arrays.equals(expectedHash, receivedHash);
    if (!same) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #6
Source File: ForwardBuilder.java    From Bytecoder with Apache License 2.0
/**
 * Builds a selector that matches certificates whose subject key identifier
 * equals the authority key identifier of {@code previousCert}.
 *
 * @param previousCert certificate whose authority key identifier is read;
 *        may be {@code null}
 * @return the selector, or {@code null} when there is no certificate, no
 *         authority key identifier extension, or no key identifier in it
 * @throws IOException if the key identifier cannot be read from the extension
 */
private X509CertSelector getSelector(X509CertImpl previousCert)
    throws IOException {
    if (previousCert == null) {
        return null;
    }
    AuthorityKeyIdentifierExtension akidExt =
        previousCert.getAuthorityKeyIdentifierExtension();
    if (akidExt == null) {
        return null;
    }
    byte[] keyId = akidExt.getEncodedKeyIdentifier();
    if (keyId == null) {
        return null;
    }

    // The issuer's subject key identifier is expected to equal this value.
    X509CertSelector selector = new X509CertSelector();
    selector.setSubjectKeyIdentifier(keyId);
    return selector;
}
 
Example #7
Source File: Certificate.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Tests this certificate for equality with another object by comparing
 * encoded forms. Only a {@code Certificate} can be equal to this one.
 *
 * @param other the object to compare with this certificate
 * @return {@code true} if {@code other} is this object, or is a
 *         {@code Certificate} whose encoded bytes equal this certificate's;
 *         {@code false} otherwise, including when either encoding cannot
 *         be obtained
 */
public boolean equals(Object other) {
    if (this == other) {
        return true;
    }
    if (other instanceof Certificate) {
        try {
            return Arrays.equals(
                X509CertImpl.getEncodedInternal(this),
                X509CertImpl.getEncodedInternal((Certificate) other));
        } catch (CertificateException e) {
            // An unencodable certificate is treated as unequal.
            return false;
        }
    }
    return false;
}
 
Example #8
Source File: OCSP.java    From jdk8u-dev-jdk with GNU General Public License v2.0
/**
 * Returns the OCSP responder URI named in the certificate's
 * AuthorityInfoAccess extension.
 *
 * <p>The value is taken directly from certificate content and is not
 * validated here.
 *
 * @param certImpl the certificate to inspect
 * @return the URI of the first OCSP access description whose location is a
 *         URI, or {@code null} if there is none
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aia =
        certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }

    for (AccessDescription candidate : aia.getAccessDescriptions()) {
        // The (Object) cast keeps the call bound to equals(Object).
        boolean isOcsp = candidate.getAccessMethod().equals((Object)
            AccessDescription.Ad_OCSP_Id);
        if (isOcsp) {
            GeneralName where = candidate.getAccessLocation();
            if (where.getType() == GeneralNameInterface.NAME_URI) {
                URIName uriName = (URIName) where.getName();
                return uriName.getURI();
            }
        }
    }
    return null;
}
 
Example #9
Source File: CheckCertId.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Compares the issuer-name hash stored in a {@code CertId} with a SHA1 digest
 * computed directly from the certificate's encoded subject name, and fails if
 * they differ.
 *
 * @param args unused
 * @throws Exception if loading fails or the hash values are not equal
 */
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    /* Mirror the digest computation done by the CertId constructor */
    MessageDigest digest = MessageDigest.getInstance("SHA1");
    digest.update(cert.getSubjectX500Principal().getEncoded());
    byte[] expectedHash = digest.digest();

    CertId certId = new CertId(cert, null);
    byte[] receivedHash = certId.getIssuerNameHash();

    if (Arrays.equals(expectedHash, receivedHash)) {
        return;
    }
    throw new Exception("Bad hash value for issuer name in CertId object");
}
 
Example #10
Source File: CheckCertId.java    From hottub with GNU General Public License v2.0
/**
 * Test driver: loads a certificate, derives a SHA1 digest of its encoded
 * subject name, and requires {@code CertId.getIssuerNameHash()} to return the
 * same bytes.
 *
 * @param args unused
 * @throws Exception if the certificate cannot be loaded or the check fails
 */
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    /* Expected value, derived the same way as in the CertId constructor */
    byte[] encodedSubject = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(encodedSubject);

    CertId certId = new CertId(cert, null);
    byte[] receivedHash = certId.getIssuerNameHash();

    if (!Arrays.equals(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #11
Source File: SimpleValidator.java    From Bytecoder with Apache License 2.0
/**
 * Enforces the basic-constraints rules on a certificate used as a CA and
 * returns the path-length allowance that remains afterwards.
 *
 * @param cert the certificate being examined
 * @param critSet critical extension OIDs still to be handled; the
 *        basic-constraints OID is removed from it
 * @param maxPathLen path-length allowance in force before this certificate
 * @return the allowance after this certificate, capped by the certificate's
 *         own basic-constraints value
 * @throws CertificateException if the certificate is not a CA, or if it is
 *         not self-issued and no allowance is left
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int pathLenConstraint = cert.getBasicConstraints();
    // A negative value means the extension is missing or the subject is not a CA.
    if (pathLenConstraint < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int remaining = maxPathLen;
    // Self-issued certificates do not use up path length.
    if (!X509CertImpl.isSelfIssued(cert)) {
        if (remaining <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        remaining--;
    }

    return Math.min(remaining, pathLenConstraint);
}
 
Example #12
Source File: PolicyChecker.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Combines the running explicitPolicy counter with the requireExplicitPolicy
 * field of the certificate's <code>PolicyConstraints</code> extension.
 * A value of -1 means no constraint.
 *
 * @param explicitPolicy counter indicating whether a non-null valid policy
 *        tree is required
 * @param currCert the certificate being processed
 * @param finalCert whether currCert is the final certificate in the path
 * @return the updated explicitPolicy value
 * @throws CertPathValidatorException if the extension cannot be read
 */
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert,
    boolean finalCert) throws CertPathValidatorException
{
    int merged = explicitPolicy;
    // A positive counter is decremented for every certificate that is not self-issued.
    if ((merged > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        merged--;
    }

    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt == null) {
            return merged;
        }
        int require =
            polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy() "
               + "require Index from cert = " + require);
        }
        if (finalCert) {
            // On the final certificate only an immediate requirement applies.
            if (require == 0) {
                merged = 0;
            }
        } else if (require != -1
                && ((merged == -1) || (require < merged))) {
            merged = require;
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return merged;
}
 
Example #13
Source File: AnchorCertificates.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Checks whether a certificate's fingerprint is in the set of trust-anchor
 * fingerprints. This is a lookup only; the method does no signature or
 * validity checking of its own.
 *
 * @param cert the certificate to look up
 * @return {@code true} if the fingerprint is in the anchor set
 */
public static boolean contains(X509Certificate cert) {
    boolean isAnchor = certs.contains(X509CertImpl.getFingerprint(HASH, cert));
    if (debug != null && isAnchor) {
        debug.println("AnchorCertificate.contains: matched " +
                cert.getSubjectDN());
    }
    return isAnchor;
}
 
Example #14
Source File: PolicyChecker.java    From openjdk-jdk8u with GNU General Public License v2.0
/**
 * Combines the running inhibitAnyPolicy counter with the SkipCerts value of
 * the certificate's InhibitAnyPolicy extension.
 *
 * @param inhibitAnyPolicy counter indicating whether "any-policy" is
 *        considered a match
 * @param currCert the certificate being processed
 * @return the updated inhibitAnyPolicy value
 * @throws CertPathValidatorException if the extension cannot be read
 */
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy,
    X509CertImpl currCert) throws CertPathValidatorException
{
    int merged = inhibitAnyPolicy;
    // A positive counter is decremented for every certificate that is not self-issued.
    if ((merged > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        merged--;
    }

    try {
        InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension)
            currCert.getExtension(InhibitAnyPolicy_Id);
        if (inhAnyPolExt == null) {
            return merged;
        }

        int skipCerts =
            inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy() "
                + "skipCerts Index from cert = " + skipCerts);
        }

        // The certificate's value only ever lowers the counter.
        if ((skipCerts != -1) && (skipCerts < merged)) {
            merged = skipCerts;
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return merged;
}
 
Example #15
Source File: PolicyChecker.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Updates the explicitPolicy counter from the requireExplicitPolicy field of
 * the <code>PolicyConstraints</code> extension in the given certificate.
 * An explicitPolicy value of -1 implies no constraint.
 *
 * @param explicitPolicy an integer which indicates if a non-null valid
 *        policy tree is required
 * @param currCert the certificate to be processed
 * @param finalCert true if currCert is the final certificate in the path
 * @return the new explicitPolicy value
 * @throws CertPathValidatorException if reading the extension fails
 */
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert,
    boolean finalCert) throws CertPathValidatorException
{
    if ((explicitPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        explicitPolicy--;
    }

    final int require;
    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt == null) {
            return explicitPolicy;
        }
        require =
            polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy() "
               + "require Index from cert = " + require);
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    if (finalCert) {
        // Final certificate: only a requirement of zero is taken over.
        return (require == 0) ? require : explicitPolicy;
    }
    // Intermediate certificate: adopt the stricter (smaller) value.
    boolean stricter = (explicitPolicy == -1) || (require < explicitPolicy);
    return ((require != -1) && stricter) ? require : explicitPolicy;
}
 
Example #16
Source File: PolicyChecker.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Merges the given explicitPolicy value with the requireExplicitPolicy field
 * of the certificate's <code>PolicyConstraints</code> extension. The value
 * -1 stands for "no constraint".
 *
 * @param explicitPolicy current counter; indicates if a non-null valid
 *        policy tree is required
 * @param currCert the certificate to be processed
 * @param finalCert whether currCert is the last certificate of the path
 * @return the explicitPolicy value after merging
 * @throws CertPathValidatorException if the extension cannot be read
 */
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert,
    boolean finalCert) throws CertPathValidatorException
{
    int result = explicitPolicy;
    if ((result > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        result--;
    }

    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt != null) {
            int require =
                polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue();
            if (debug != null) {
                debug.println("PolicyChecker.mergeExplicitPolicy() "
                   + "require Index from cert = " + require);
            }
            if (!finalCert) {
                // -1 in the extension means the field is not set.
                boolean fieldSet = (require != -1);
                if (fieldSet && ((result == -1) || (require < result))) {
                    result = require;
                }
            } else if (require == 0) {
                result = require;
            }
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return result;
}
 
Example #17
Source File: SimpleValidator.java    From hottub with GNU General Public License v2.0
/**
 * Checks that a certificate may act as a CA and that the path-length
 * allowance is respected, then returns the allowance for the rest of the
 * chain.
 *
 * @param cert the certificate to check
 * @param critSet unprocessed critical extension OIDs; the basic-constraints
 *        OID is removed
 * @param maxPathLen allowance in force before this certificate
 * @return the new allowance, never above the certificate's own
 *         basic-constraints value
 * @throws CertificateException if the certificate is not a CA or the
 *         allowance is exhausted for a certificate that is not self-issued
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int certLimit = cert.getBasicConstraints();
    // reject when the extension is missing or the subject is not a CA
    if (certLimit < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    // only certificates that are not self-issued count against the allowance
    final boolean consumesPathLen = !X509CertImpl.isSelfIssued(cert);
    if (consumesPathLen && maxPathLen <= 0) {
        throw new ValidatorException("Violated path length constraints",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    final int allowance = consumesPathLen ? maxPathLen - 1 : maxPathLen;
    return (allowance > certLimit) ? certLimit : allowance;
}
 
Example #18
Source File: PolicyChecker.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Combines the running policyMapping counter with the inhibitPolicyMapping
 * field of the certificate's <code>PolicyConstraints</code> extension.
 * A policyMapping value of -1 implies no constraint.
 *
 * @param policyMapping counter indicating if policy mapping is inhibited
 * @param currCert the certificate being processed
 * @return the updated policyMapping value
 * @throws CertPathValidatorException if the extension cannot be read
 */
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert)
    throws CertPathValidatorException
{
    int merged = policyMapping;
    // A positive counter is decremented for every certificate that is not self-issued.
    if ((merged > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        merged--;
    }

    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt == null) {
            return merged;
        }

        int inhibit =
            polConstExt.get(PolicyConstraintsExtension.INHIBIT).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping() "
                + "inhibit Index from cert = " + inhibit);
        }

        // Take the certificate's value when it is set and stricter.
        if ((inhibit != -1)
                && ((merged == -1) || (inhibit < merged))) {
            merged = inhibit;
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return merged;
}
 
Example #19
Source File: PolicyChecker.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Merges the given inhibitAnyPolicy value with the SkipCerts value found in
 * the InhibitAnyPolicy extension of the certificate.
 *
 * @param inhibitAnyPolicy an integer which indicates whether "any-policy"
 *        is considered a match
 * @param currCert the certificate to be processed
 * @return the inhibitAnyPolicy value after merging
 * @throws CertPathValidatorException if reading the extension fails
 */
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy,
    X509CertImpl currCert) throws CertPathValidatorException
{
    if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        inhibitAnyPolicy--;
    }

    final int skipCerts;
    try {
        InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension)
            currCert.getExtension(InhibitAnyPolicy_Id);
        if (inhAnyPolExt == null) {
            return inhibitAnyPolicy;
        }

        skipCerts =
            inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy() "
                + "skipCerts Index from cert = " + skipCerts);
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    // A set value (not -1) replaces the counter only when it is smaller.
    boolean lowers = (skipCerts != -1) && (skipCerts < inhibitAnyPolicy);
    return lowers ? skipCerts : inhibitAnyPolicy;
}
 
Example #20
Source File: SimpleValidator.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Validates the basic constraints of a CA certificate and computes the
 * path-length allowance that applies after it.
 *
 * @param cert the certificate under examination
 * @param critSet critical extension OIDs not yet handled; the
 *        basic-constraints OID is removed from this set
 * @param maxPathLen allowance in force before this certificate
 * @return the smaller of the updated allowance and the certificate's own
 *         basic-constraints value
 * @throws CertificateException if the certificate is not a CA, or it is not
 *         self-issued and the allowance is already zero or less
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    int caPathLen = cert.getBasicConstraints();
    // a negative value: extension missing or certificate is not a CA
    if (caPathLen < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    // self-issued certificates skip the pathLenConstraint accounting
    if (X509CertImpl.isSelfIssued(cert)) {
        return Math.min(maxPathLen, caPathLen);
    }

    if (maxPathLen <= 0) {
        throw new ValidatorException("Violated path length constraints",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }
    return Math.min(maxPathLen - 1, caPathLen);
}
 
Example #21
Source File: SimpleValidator.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Applies the basic-constraints check to one certificate of the chain.
 * The certificate must be a CA; unless it is self-issued it uses up one unit
 * of the path-length allowance.
 *
 * @param cert the certificate to check
 * @param critSet critical extension OIDs still unhandled; the
 *        basic-constraints OID is removed
 * @param maxPathLen allowance before this certificate
 * @return allowance after this certificate, limited by the certificate's
 *         basic-constraints value
 * @throws CertificateException if either rule is violated
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int constraints = cert.getBasicConstraints();
    final boolean isCa = constraints >= 0;
    if (!isCa) {
        // extension missing or not a CA (constraints == -1)
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int budget = maxPathLen;
    if (!X509CertImpl.isSelfIssued(cert)) {
        if (budget <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        budget -= 1;
    }

    // The certificate's own limit can only tighten the budget.
    return (budget > constraints) ? constraints : budget;
}
 
Example #22
Source File: PolicyChecker.java    From j2objc with Apache License 2.0
/**
 * Merges the given policyMapping value with the inhibitPolicyMapping field
 * of the <code>PolicyConstraints</code> extension in the certificate.
 * The value -1 stands for "no constraint".
 *
 * @param policyMapping an integer which indicates if policy mapping is
 *        inhibited
 * @param currCert the certificate to be processed
 * @return the policyMapping value after merging
 * @throws CertPathValidatorException if reading the extension fails
 */
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert)
    throws CertPathValidatorException
{
    if ((policyMapping > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        policyMapping--;
    }

    final int inhibit;
    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt == null) {
            return policyMapping;
        }

        inhibit =
            polConstExt.get(PolicyConstraintsExtension.INHIBIT).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping() "
                + "inhibit Index from cert = " + inhibit);
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    if (inhibit == -1) {
        // field not set in the extension: keep the running value
        return policyMapping;
    }
    boolean stricter = (policyMapping == -1) || (inhibit < policyMapping);
    return stricter ? inhibit : policyMapping;
}
 
Example #23
Source File: AnchorCertificates.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Loads {@code lib/security/cacerts} from the Java home directory and records
 * the fingerprint of every entry whose alias contains {@code " [jdk"}.
 *
 * <p>The key store is loaded with a {@code null} password, so
 * {@code KeyStore.load} performs no integrity check on the file. Any failure
 * is only reported through the debug channel; in that case the fingerprint
 * set is left in whatever state it had reached.
 *
 * @return always {@code null}
 */
@Override
public Void run() {
    File cacertsFile = new File(System.getProperty("java.home"),
            "lib/security/cacerts");
    try {
        KeyStore cacerts = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(cacertsFile)) {
            cacerts.load(fis, null);
            certs = new HashSet<>();
            for (Enumeration<String> aliases = cacerts.aliases();
                    aliases.hasMoreElements(); ) {
                String alias = aliases.nextElement();
                // Only entries labeled as trust anchors are recorded.
                if (!alias.contains(" [jdk")) {
                    continue;
                }
                X509Certificate cert = (X509Certificate) cacerts
                        .getCertificate(alias);
                certs.add(X509CertImpl.getFingerprint(HASH, cert));
            }
        }
    } catch (Exception e) {
        if (debug != null) {
            debug.println("Error parsing cacerts");
            e.printStackTrace();
        }
    }
    return null;
}
 
Example #24
Source File: OCSP.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Returns the OCSP responder URI given in the certificate's Authority
 * Information Access extension.
 *
 * <p>A certificate that cannot be converted to the internal implementation
 * is handled like one without the extension.
 *
 * @param cert the certificate
 * @return the URI of the OCSP responder, or {@code null} if not specified
 */
// Called by com.sun.deploy.security.TrustDecider
public static URI getResponderURI(X509Certificate cert) {
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        return getResponderURI(impl);
    } catch (CertificateException ce) {
        // conversion failed: answer as if the extension were absent
        return null;
    }
}
 
Example #25
Source File: DigSigUtil.java    From juddi with Apache License 2.0
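/**
 * Requests the OCSP revocation status of {@code cert}, using the responder
 * URI read from the certificate itself. Wrapper to overcome JDK differences
 * between Oracle and OpenJDK.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the certificate of the issuer of {@code cert}
 * @return the status returned by {@code OCSP.check}
 * @throws IOException declared for the underlying OCSP call
 * @throws CertPathValidatorException if the certificate names no OCSP
 *         responder URI, or as thrown by the underlying OCSP call
 * @throws CertificateException if {@code cert} cannot be converted to the
 *         internal certificate implementation
 */
public static RevocationStatus check(X509Certificate cert,
    X509Certificate issuerCert)
    throws IOException, CertPathValidatorException, CertificateException {
    // The unused CertId local and the redundant null initialization were dropped.
    X509CertImpl certImpl = X509CertImpl.toImpl(cert);
    URI responderURI = getResponderURI(certImpl);
    if (responderURI == null) {
        throw new CertPathValidatorException
            ("No OCSP Responder URI in certificate");
    }
    // NOTE(review): the fourth argument is the certificate being checked. If
    // that parameter of OCSP.check denotes the responder certificate to trust,
    // a response signed with the checked certificate's own key would be
    // accepted. Confirm against the OCSP.check signature of the targeted JDK.
    return OCSP.check(cert, issuerCert, responderURI, cert, null);
}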
 
Example #26
Source File: AnchorCertificates.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Tells whether a certificate matches one of the recorded trust anchors.
 * The match is made on the certificate's fingerprint alone.
 *
 * @param cert the certificate to check
 * @return {@code true} if the fingerprint is among the anchor fingerprints
 */
public static boolean contains(X509Certificate cert) {
    String fingerprint = X509CertImpl.getFingerprint(HASH, cert);
    if (!certs.contains(fingerprint)) {
        return false;
    }
    if (debug != null) {
        debug.println("AnchorCertificate.contains: matched " +
                cert.getSubjectDN());
    }
    return true;
}
 
Example #27
Source File: SimpleValidator.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Checks the basic constraints of a certificate that issues other
 * certificates and returns the updated path-length allowance.
 *
 * @param cert the certificate to check
 * @param critSet critical extension OIDs awaiting processing; the
 *        basic-constraints OID is removed
 * @param maxPathLen allowance in force before this certificate
 * @return the allowance that applies after this certificate
 * @throws CertificateException if the certificate is not a CA, or if it is
 *         not self-issued while the allowance is zero or less
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int limitFromCert = cert.getBasicConstraints();
    // below zero: the extension is missing or the subject is not a CA
    if (limitFromCert < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int left = maxPathLen;
    final boolean selfIssued = X509CertImpl.isSelfIssued(cert);
    if (!selfIssued) {
        // a certificate that is not self-issued needs one unit of allowance
        if (left <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        left--;
    }

    return Math.min(left, limitFromCert);
}
 
Example #28
Source File: ConstraintsChecker.java    From j2objc with Apache License 2.0
/**
 * Checks a certificate against the name constraints accumulated so far and
 * then merges the certificate's own name constraints into them.
 *
 * <p>The check is skipped for a self-issued certificate unless it is the
 * final certificate of the path; the merge always happens.
 *
 * @param currCert the certificate being processed
 * @throws CertPathValidatorException if the certificate violates the
 *         accumulated constraints or the check fails with an I/O error
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String msg = "name constraints";
    if (debug != null) {
        debug.println("---checking " + msg + "...");
    }

    // A check needs earlier constraints, and applies to the final
    // certificate or to any certificate that is not self-issued.
    final boolean mustCheck = prevNC != null
        && ((i == certPathLength) || !X509CertImpl.isSelfIssued(currCert));
    if (mustCheck) {
        if (debug != null) {
            debug.println("prevNC = " + prevNC +
                ", currDN = " + currCert.getSubjectX500Principal());
        }

        final boolean permitted;
        try {
            permitted = prevNC.verify(currCert);
        } catch (IOException ioe) {
            throw new CertPathValidatorException(ioe);
        }
        if (!permitted) {
            throw new CertPathValidatorException(msg + " check failed",
                null, null, -1, PKIXReason.INVALID_NAME);
        }
    }

    // merge name constraints regardless of whether cert is self-issued
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(msg + " verified.");
    }
}
 
Example #29
Source File: PolicyChecker.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Folds the requireExplicitPolicy field of the certificate's
 * <code>PolicyConstraints</code> extension into the running explicitPolicy
 * value. An explicitPolicy value of -1 implies no constraint.
 *
 * @param explicitPolicy running value; indicates if a non-null valid policy
 *        tree is required
 * @param currCert the certificate to be processed
 * @param finalCert whether currCert is the final cert in the cert path
 * @return the new explicitPolicy value
 * @throws CertPathValidatorException if the extension cannot be read
 */
static int mergeExplicitPolicy(int explicitPolicy, X509CertImpl currCert,
    boolean finalCert) throws CertPathValidatorException
{
    int current = explicitPolicy;
    if ((current > 0) && !X509CertImpl.isSelfIssued(currCert)) {
        current -= 1;
    }

    try {
        PolicyConstraintsExtension polConstExt
            = currCert.getPolicyConstraintsExtension();
        if (polConstExt == null) {
            return current;
        }
        int require =
            polConstExt.get(PolicyConstraintsExtension.REQUIRE).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy() "
               + "require Index from cert = " + require);
        }

        boolean adopt;
        if (finalCert) {
            // final certificate: only a requirement of zero is adopted
            adopt = (require == 0);
        } else {
            // otherwise a set value is adopted when it is stricter
            adopt = (require != -1)
                && ((current == -1) || (require < current));
        }
        if (adopt) {
            current = require;
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeExplicitPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }

    return current;
}
 
Example #30
Source File: SimpleValidator.java    From jdk8u_jdk with GNU General Public License v2.0
/**
 * Verifies that a certificate is allowed to act as a CA within the current
 * path-length allowance and returns the allowance left afterwards.
 *
 * @param cert the certificate to verify
 * @param critSet critical extension OIDs not yet processed; the
 *        basic-constraints OID is removed
 * @param maxPathLen allowance in force before this certificate
 * @return the remaining allowance, capped by the certificate's
 *         basic-constraints value
 * @throws CertificateException if the certificate is not a CA, or the
 *         allowance is used up and the certificate is not self-issued
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {

    critSet.remove(OID_BASIC_CONSTRAINTS);

    final int cap = cert.getBasicConstraints();
    // reject: extension missing or not a CA
    if (cap < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    // a self-issued certificate leaves the allowance untouched
    final int afterCert;
    if (X509CertImpl.isSelfIssued(cert)) {
        afterCert = maxPathLen;
    } else {
        if (maxPathLen <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        afterCert = maxPathLen - 1;
    }

    return (afterCert > cap) ? cap : afterCert;
}