| /* |
| * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package sun.security.provider.certpath; |
| |
| import java.math.BigInteger; |
| import java.util.Collection; |
| import java.util.Date; |
| import java.util.Set; |
| import java.security.GeneralSecurityException; |
| import java.security.KeyFactory; |
| import java.security.PublicKey; |
| import java.security.SignatureException; |
| import java.security.cert.Certificate; |
| import java.security.cert.CertificateExpiredException; |
| import java.security.cert.CertificateNotYetValidException; |
| import java.security.cert.CertPathValidatorException; |
| import java.security.cert.CertPathValidatorException.BasicReason; |
| import java.security.cert.X509Certificate; |
| import java.security.cert.PKIXCertPathChecker; |
| import java.security.cert.PKIXReason; |
| import java.security.cert.TrustAnchor; |
| import java.security.interfaces.DSAParams; |
| import java.security.interfaces.DSAPublicKey; |
| import java.security.spec.DSAPublicKeySpec; |
| import javax.security.auth.x500.X500Principal; |
| import sun.security.x509.X500Name; |
| import sun.security.util.Debug; |
| |
| /** |
| * BasicChecker is a PKIXCertPathChecker that checks the basic information |
| * on a PKIX certificate, namely the signature, validity, and subject/issuer |
| * name chaining. |
| * |
| * @since 1.4 |
| * @author Yassir Elley |
| */ |
| class BasicChecker extends PKIXCertPathChecker { |
| |
| private static final Debug debug = Debug.getInstance("certpath"); |
| private final PublicKey trustedPubKey; |
| private final X500Principal caName; |
| private final Date date; |
| private final String sigProvider; |
| private final boolean sigOnly; |
| private X500Principal prevSubject; |
| private PublicKey prevPubKey; |
| |
| /** |
| * Constructor that initializes the input parameters. |
| * |
| * @param anchor the anchor selected to validate the target certificate |
| * @param testDate the time for which the validity of the certificate |
| * should be determined |
| * @param sigProvider the name of the signature provider |
| * @param sigOnly true if only signature checking is to be done; |
| * if false, all checks are done |
| */ |
| BasicChecker(TrustAnchor anchor, Date date, String sigProvider, |
| boolean sigOnly) { |
| if (anchor.getTrustedCert() != null) { |
| this.trustedPubKey = anchor.getTrustedCert().getPublicKey(); |
| this.caName = anchor.getTrustedCert().getSubjectX500Principal(); |
| } else { |
| this.trustedPubKey = anchor.getCAPublicKey(); |
| this.caName = anchor.getCA(); |
| } |
| this.date = date; |
| this.sigProvider = sigProvider; |
| this.sigOnly = sigOnly; |
| this.prevPubKey = trustedPubKey; |
| } |
| |
| /** |
| * Initializes the internal state of the checker from parameters |
| * specified in the constructor. |
| */ |
| @Override |
| public void init(boolean forward) throws CertPathValidatorException { |
| if (!forward) { |
| prevPubKey = trustedPubKey; |
| if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) { |
| // If TrustAnchor is a DSA public key and it has no params, it |
| // cannot be used to verify the signature of the first cert, |
| // so throw exception |
| throw new CertPathValidatorException("Key parameters missing"); |
| } |
| prevSubject = caName; |
| } else { |
| throw new |
| CertPathValidatorException("forward checking not supported"); |
| } |
| } |
| |
| @Override |
| public boolean isForwardCheckingSupported() { |
| return false; |
| } |
| |
| @Override |
| public Set<String> getSupportedExtensions() { |
| return null; |
| } |
| |
| /** |
| * Performs the signature, validity, and subject/issuer name chaining |
| * checks on the certificate using its internal state. This method does |
| * not remove any critical extensions from the Collection. |
| * |
| * @param cert the Certificate |
| * @param unresolvedCritExts a Collection of the unresolved critical |
| * extensions |
| * @throws CertPathValidatorException if certificate does not verify |
| */ |
| @Override |
| public void check(Certificate cert, Collection<String> unresolvedCritExts) |
| throws CertPathValidatorException |
| { |
| X509Certificate currCert = (X509Certificate)cert; |
| |
| if (!sigOnly) { |
| verifyValidity(currCert); |
| verifyNameChaining(currCert); |
| } |
| verifySignature(currCert); |
| |
| updateState(currCert); |
| } |
| |
| /** |
| * Verifies the signature on the certificate using the previous public key. |
| * |
| * @param cert the X509Certificate |
| * @throws CertPathValidatorException if certificate does not verify |
| */ |
| private void verifySignature(X509Certificate cert) |
| throws CertPathValidatorException |
| { |
| String msg = "signature"; |
| if (debug != null) |
| debug.println("---checking " + msg + "..."); |
| |
| try { |
| cert.verify(prevPubKey, sigProvider); |
| } catch (SignatureException e) { |
| throw new CertPathValidatorException |
| (msg + " check failed", e, null, -1, |
| BasicReason.INVALID_SIGNATURE); |
| } catch (GeneralSecurityException e) { |
| throw new CertPathValidatorException(msg + " check failed", e); |
| } |
| |
| if (debug != null) |
| debug.println(msg + " verified."); |
| } |
| |
| /** |
| * Internal method to verify the validity on a certificate |
| */ |
| private void verifyValidity(X509Certificate cert) |
| throws CertPathValidatorException |
| { |
| String msg = "validity"; |
| if (debug != null) |
| debug.println("---checking " + msg + ":" + date.toString() + "..."); |
| |
| try { |
| cert.checkValidity(date); |
| } catch (CertificateExpiredException e) { |
| throw new CertPathValidatorException |
| (msg + " check failed", e, null, -1, BasicReason.EXPIRED); |
| } catch (CertificateNotYetValidException e) { |
| throw new CertPathValidatorException |
| (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID); |
| } |
| |
| if (debug != null) |
| debug.println(msg + " verified."); |
| } |
| |
| /** |
| * Internal method to check that cert has a valid DN to be next in a chain |
| */ |
| private void verifyNameChaining(X509Certificate cert) |
| throws CertPathValidatorException |
| { |
| if (prevSubject != null) { |
| |
| String msg = "subject/issuer name chaining"; |
| if (debug != null) |
| debug.println("---checking " + msg + "..."); |
| |
| X500Principal currIssuer = cert.getIssuerX500Principal(); |
| |
| // reject null or empty issuer DNs |
| if (X500Name.asX500Name(currIssuer).isEmpty()) { |
| throw new CertPathValidatorException |
| (msg + " check failed: " + |
| "empty/null issuer DN in certificate is invalid", null, |
| null, -1, PKIXReason.NAME_CHAINING); |
| } |
| |
| if (!(currIssuer.equals(prevSubject))) { |
| throw new CertPathValidatorException |
| (msg + " check failed", null, null, -1, |
| PKIXReason.NAME_CHAINING); |
| } |
| |
| if (debug != null) |
| debug.println(msg + " verified."); |
| } |
| } |
| |
| /** |
| * Internal method to manage state information at each iteration |
| */ |
| private void updateState(X509Certificate currCert) |
| throws CertPathValidatorException |
| { |
| PublicKey cKey = currCert.getPublicKey(); |
| if (debug != null) { |
| debug.println("BasicChecker.updateState issuer: " + |
| currCert.getIssuerX500Principal().toString() + "; subject: " + |
| currCert.getSubjectX500Principal() + "; serial#: " + |
| currCert.getSerialNumber().toString()); |
| } |
| if (PKIX.isDSAPublicKeyWithoutParams(cKey)) { |
| // cKey needs to inherit DSA parameters from prev key |
| cKey = makeInheritedParamsKey(cKey, prevPubKey); |
| if (debug != null) debug.println("BasicChecker.updateState Made " + |
| "key with inherited params"); |
| } |
| prevPubKey = cKey; |
| prevSubject = currCert.getSubjectX500Principal(); |
| } |
| |
| /** |
| * Internal method to create a new key with inherited key parameters. |
| * |
| * @param keyValueKey key from which to obtain key value |
| * @param keyParamsKey key from which to obtain key parameters |
| * @return new public key having value and parameters |
| * @throws CertPathValidatorException if keys are not appropriate types |
| * for this operation |
| */ |
| static PublicKey makeInheritedParamsKey(PublicKey keyValueKey, |
| PublicKey keyParamsKey) throws CertPathValidatorException |
| { |
| if (!(keyValueKey instanceof DSAPublicKey) || |
| !(keyParamsKey instanceof DSAPublicKey)) |
| throw new CertPathValidatorException("Input key is not " + |
| "appropriate type for " + |
| "inheriting parameters"); |
| DSAParams params = ((DSAPublicKey)keyParamsKey).getParams(); |
| if (params == null) |
| throw new CertPathValidatorException("Key parameters missing"); |
| try { |
| BigInteger y = ((DSAPublicKey)keyValueKey).getY(); |
| KeyFactory kf = KeyFactory.getInstance("DSA"); |
| DSAPublicKeySpec ks = new DSAPublicKeySpec(y, |
| params.getP(), |
| params.getQ(), |
| params.getG()); |
| return kf.generatePublic(ks); |
| } catch (GeneralSecurityException e) { |
| throw new CertPathValidatorException("Unable to generate key with" + |
| " inherited parameters: " + |
| e.getMessage(), e); |
| } |
| } |
| |
| /** |
| * return the public key associated with the last certificate processed |
| * |
| * @return PublicKey the last public key processed |
| */ |
| PublicKey getPublicKey() { |
| return prevPubKey; |
| } |
| } |