PKIXCertPathValidatorSpi.java revision e6bf3e8dfa2804891a82075cb469b736321b4827
13b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerpackage org.bouncycastle.jce.provider; 2edf128a7fa90f2b0b7ee24741a04a7ae1ecd6f7eMisha Brukman 33b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner// BEGIN android-added 43b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.math.BigInteger; 54ee451de366474b9c228b4e5fa573795a715216dChris Lattner// END android-added 64ee451de366474b9c228b4e5fa573795a715216dChris Lattnerimport java.security.InvalidAlgorithmParameterException; 7edf128a7fa90f2b0b7ee24741a04a7ae1ecd6f7eMisha Brukmanimport java.security.PublicKey; 83b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.security.cert.CertPath; 93b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.security.cert.CertPathParameters; 10b71fd7897f6b4500cdbe602c5a9907316750cf5aChris Lattnerimport java.security.cert.CertPathValidatorException; 113b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.security.cert.CertPathValidatorResult; 123b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.security.cert.CertPathValidatorSpi; 133b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport java.security.cert.PKIXCertPathChecker; 1406cb8ed00696eb14d1b831921452e50ec0568ea2Chandler Carruthimport java.security.cert.PKIXCertPathValidatorResult; 15d04a8d4b33ff316ca4cf961e06c9e312eff8e64fChandler Carruthimport java.security.cert.PKIXParameters; 1636b56886974eae4f9c5ebc96befd3e7bfe5de338Stephen Hinesimport java.security.cert.TrustAnchor; 170b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport java.security.cert.X509Certificate; 180b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport java.util.ArrayList; 190b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport java.util.HashSet; 200b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport java.util.Iterator; 210b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport java.util.List; 220b8c9a80f20772c3793201ab5b251d3520b9cea3Chandler Carruthimport 
java.util.Set; 237d696d80409aad20bb5da0fc4eccab941dd371d4Torok Edwin 2445cfe545ec8177262dabc70580ce05feaa1c3880Chris Lattnerimport javax.security.auth.x500.X500Principal; 253b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 263b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattnerimport org.bouncycastle.asn1.ASN1Encodable; 270979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattnerimport org.bouncycastle.asn1.DERObjectIdentifier; 28b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattnerimport org.bouncycastle.asn1.x509.AlgorithmIdentifier; 29b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattnerimport org.bouncycastle.jce.exception.ExtCertPathValidatorException; 30db125cfaf57cc83e7dd7453de2d509bc8efd0e5eChris Lattnerimport org.bouncycastle.x509.ExtendedPKIXParameters; 31b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattner 325fdd6c8793462549e3593890ec61573da06e3346Jay Foad/** 330979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner * CertPathValidatorSpi implementation for X.509 Certificate validation à la RFC 340979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner * 3280. 
35b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattner */ 360979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattnerpublic class PKIXCertPathValidatorSpi 370979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner extends CertPathValidatorSpi 38556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner{ 39556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner // BEGIN android-added 40556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner private final static CertBlacklist blacklist = new CertBlacklist(); 41c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen // END android-added 42556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner 43c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen public CertPathValidatorResult engineValidate( 44556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner CertPath certPath, 451d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson CertPathParameters params) 46556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner throws CertPathValidatorException, 47c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen InvalidAlgorithmParameterException 48556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner { 491d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson if (!(params instanceof PKIXParameters)) 50556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner { 51c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() 52c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen + " instance."); 53c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen } 54556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner 55556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner ExtendedPKIXParameters paramsPKIX; 56556b4a6385d34b77e58ff5a3ce51ddae5ae6112cChris Lattner if (params instanceof ExtendedPKIXParameters) 57c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen { 58c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen paramsPKIX = (ExtendedPKIXParameters)params; 
59c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen } 60588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner else 61588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner { 62588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters)params); 63588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner } 64588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner if (paramsPKIX.getTrustAnchors() == null) 65588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner { 66b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattner throw new InvalidAlgorithmParameterException( 67db125cfaf57cc83e7dd7453de2d509bc8efd0e5eChris Lattner "trustAnchors is null, this is not allowed for certification path validation."); 68b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson } 69b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson 70b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 71b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 6.1.1 - inputs 725fdd6c8793462549e3593890ec61573da06e3346Jay Foad // 73b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson 74b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 75b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // (a) 76b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 77588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner List certs = certPath.getCertificates(); 78e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad int n = certs.size(); 7952eec548206d0b135b55ba52dd0e82e978f15ae5David Greene 80a3efbb15ddd5aa9006564cd79086723640084878Jay Foad if (certs.isEmpty()) 81e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 82b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattner throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0); 83b76efb71d41dc1ae33e47d5d9ef79df25cde0b5dChris Lattner } 8402348caffc6a0ca6e00960767152b6b7422ab450Chris Lattner // BEGIN android-added 85588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner { 
86588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner X509Certificate cert = (X509Certificate) certs.get(0); 877d9663c70b3300070298d716dba6e6f6ce2d1e3eDouglas Gregor 881f4096054367cab3acab3a74c719ef6d3090606aMichael J. Spencer if (cert != null) { 891f4096054367cab3acab3a74c719ef6d3090606aMichael J. Spencer BigInteger serial = cert.getSerialNumber(); 901f4096054367cab3acab3a74c719ef6d3090606aMichael J. Spencer if (blacklist.isSerialNumberBlackListed(serial)) { 911f4096054367cab3acab3a74c719ef6d3090606aMichael J. Spencer // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs 921f4096054367cab3acab3a74c719ef6d3090606aMichael J. Spencer String message = "Certificate revocation of serial 0x" + serial.toString(16); 937d9663c70b3300070298d716dba6e6f6ce2d1e3eDouglas Gregor System.out.println(message); 947d9663c70b3300070298d716dba6e6f6ce2d1e3eDouglas Gregor AnnotatedException e = new AnnotatedException(message); 95b71fd7897f6b4500cdbe602c5a9907316750cf5aChris Lattner throw new CertPathValidatorException(e.getMessage(), e, certPath, 0); 961d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson } 970979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner } 985cbf985dcbc89fba3208e7baf8b6f488b06d3ec9Reid Spencer } 990979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // END android-added 1000979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner 1010979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // 1021f243e9f43e3552c28331c2e17b7c19bdfc889f6Chris Lattner // (b) 1031d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson // 1040979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX); 1050979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner 1061f243e9f43e3552c28331c2e17b7c19bdfc889f6Chris Lattner // 1071d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson // (c) 1080979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // 1090979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner Set 
userInitialPolicySet = paramsPKIX.getInitialPolicies(); 1101f243e9f43e3552c28331c2e17b7c19bdfc889f6Chris Lattner 1111d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson // 1120979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // (d) 113824b958e6fb1236e92e4d07f3acf18fca107cdc0Chris Lattner // 1141d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson TrustAnchor trust; 115ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands try 116ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands { 117ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), 118dce4a407a24b04eebc6a376f8e62b41aaa7b071fStephen Hines paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider()); 1190979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner } 120824b958e6fb1236e92e4d07f3acf18fca107cdc0Chris Lattner catch (AnnotatedException e) 1211d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson { 122ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1); 123ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands } 124ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands 125dce4a407a24b04eebc6a376f8e62b41aaa7b071fStephen Hines if (trust == null) 1260979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner { 127824b958e6fb1236e92e4d07f3acf18fca107cdc0Chris Lattner throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1); 1281d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson } 129ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands 130ac53a0b272452013124bfc70480aea5e41b60f40Duncan Sands // 1311d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson // (e), (f), (g) are part of the paramsPKIX object. 
132dce4a407a24b04eebc6a376f8e62b41aaa7b071fStephen Hines // 1330979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner Iterator certIter; 1349ab7fb3ba47442d521a5bed09a27a5e8e7a786edDale Johannesen int index = 0; 135c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen int i; 136b42a9ffbe9f5dc7dc0e54c6425dff10e926e1f3dChris Lattner // Certificate for each interation of the validation loop 137c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman // Signature information for each iteration of the validation loop 138c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen // 139c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman // 6.1.2 - setup 140c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman // 141c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen 142c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman // 143c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman // (a) 144c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen // 145c4c966012901691fff21eed02d72a3de44dd47f1Dan Gohman List[] policyNodes = new ArrayList[n + 1]; 1467794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen for (int j = 0; j < policyNodes.length; j++) 147c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen { 1487794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen policyNodes[j] = new ArrayList(); 1497794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen } 150c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen 1517794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen Set policySet = new HashSet(); 1527794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen 153c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen policySet.add(RFC3280CertPathUtilities.ANY_POLICY); 1547794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen 1557794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), 156c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen RFC3280CertPathUtilities.ANY_POLICY, 
false); 1577794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen 1587794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen policyNodes[0].add(validPolicyTree); 159c4342eab9bb999050dd94be929093c6e36a49c67Dale Johannesen 1607794f2a3a7778bdbc9bdd861db1fe914450e0470Dale Johannesen // 1610979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // (b) and (c) 1620979ca7e3e8ff1bb3f38f7b93a02db2e1704333cChris Lattner // 163588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator(); 164e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 165e598181889d8ab43c3924799fd310e68571186f1Nate Begeman // (d) 1669adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson // 167b0bc6c361da9009e8414efde317d9bbff755f6c0Duncan Sands int explicitPolicy; 168e598181889d8ab43c3924799fd310e68571186f1Nate Begeman Set acceptablePolicies = new HashSet(); 169e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 170e598181889d8ab43c3924799fd310e68571186f1Nate Begeman if (paramsPKIX.isExplicitPolicyRequired()) 171e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 172e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad explicitPolicy = 0; 173e598181889d8ab43c3924799fd310e68571186f1Nate Begeman } 174c23197a26f34f559ea9797de51e187087c039c42Torok Edwin else 175e598181889d8ab43c3924799fd310e68571186f1Nate Begeman { 176eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson explicitPolicy = n + 1; 177e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 178eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson 179e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 180e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // (e) 181e598181889d8ab43c3924799fd310e68571186f1Nate Begeman // 182e598181889d8ab43c3924799fd310e68571186f1Nate Begeman int inhibitAnyPolicy; 183e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 184eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson if (paramsPKIX.isAnyPolicyInhibited()) 
185e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 186eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson inhibitAnyPolicy = 0; 187e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 188eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson else 189e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 190eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson inhibitAnyPolicy = n + 1; 191e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 1929adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson 1931d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson // 194e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // (f) 1959adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson // 1961d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson int policyMapping; 197e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad 198e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad if (paramsPKIX.isPolicyMappingInhibited()) 199e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 200e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad policyMapping = 0; 201e598181889d8ab43c3924799fd310e68571186f1Nate Begeman } 202e598181889d8ab43c3924799fd310e68571186f1Nate Begeman else 203e598181889d8ab43c3924799fd310e68571186f1Nate Begeman { 204eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson policyMapping = n + 1; 205e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 206eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson 207e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 208eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson // (g), (h), (i), (j) 209e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 210eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson PublicKey workingPublicKey; 211e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad X500Principal workingIssuerName; 212eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson 213e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad X509Certificate sign = trust.getTrustedCert(); 2149adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson try 
215eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson { 216e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad if (sign != null) 2179adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson { 218eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign); 219e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad workingPublicKey = sign.getPublicKey(); 2209adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson } 221eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson else 222e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 223e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad workingIssuerName = new X500Principal(trust.getCAName()); 2241d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson workingPublicKey = trust.getCAPublicKey(); 225e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 226e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 227e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad catch (IllegalArgumentException ex) 2281d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson { 229e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, 230e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad -1); 231e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 2321d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson 2331d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson AlgorithmIdentifier workingAlgId = null; 234e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad try 235e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 2361d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey); 2371d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson } 238e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad catch (CertPathValidatorException e) 239e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad { 2401d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson throw new 
ExtCertPathValidatorException( 2411d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1); 242e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 243e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId(); 2441d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson ASN1Encodable workingPublicKeyParameters = workingAlgId.getParameters(); 2451d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson 246e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 247e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // (k) 248e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 249e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad int maxPathLength = n; 250e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad 251e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 252e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 6.1.3 253e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 254e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 255e598181889d8ab43c3924799fd310e68571186f1Nate Begeman if (paramsPKIX.getTargetConstraints() != null 256e598181889d8ab43c3924799fd310e68571186f1Nate Begeman && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) 257e598181889d8ab43c3924799fd310e68571186f1Nate Begeman { 258e598181889d8ab43c3924799fd310e68571186f1Nate Begeman throw new ExtCertPathValidatorException( 259e598181889d8ab43c3924799fd310e68571186f1Nate Begeman "Target certificate in certification path does not match targetConstraints.", null, certPath, 0); 26086f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner } 261e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 2629adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson // 263b0bc6c361da9009e8414efde317d9bbff755f6c0Duncan Sands // initialize CertPathChecker's 26486f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner // 26586f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner List 
pathCheckers = paramsPKIX.getCertPathCheckers(); 26686f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner certIter = pathCheckers.iterator(); 26786f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner while (certIter.hasNext()) 26886f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner { 26986f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner ((PKIXCertPathChecker) certIter.next()).init(false); 27086f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner } 271e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad 272e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad X509Certificate cert = null; 27398cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner 27402031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng for (index = certs.size() - 1; index >= 0; index--) 275eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson { 2763822ff5c71478c7c90a50ca57045fb676fcb5005Reid Spencer // BEGIN android-added 27702031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng if (blacklist.isPublicKeyBlackListed(workingPublicKey)) { 27802031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs 27902031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng String message = "Certificate revocation of public key " + workingPublicKey; 28002031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng System.out.println(message); 281eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson AnnotatedException e = new AnnotatedException(message); 282e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad throw new CertPathValidatorException(e.getMessage(), e, certPath, index); 283e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 284eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson // END android-added 285e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // try 286e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // { 287e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 28802031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng // i as defined in the algorithm description 
289e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 29002031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng i = n - index; 291eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson 292e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 29302031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng // set certificate to be checked in this round 29402031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng // sign and workingPublicKey and workingIssuerName are set 29586f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner // at the end of the for loop and initialized the 29686f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner // first time from the TrustAnchor 297914ce4508d46bdc5db0eec1aff8051ccd94c3d5fChris Lattner // 29886f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner cert = (X509Certificate) certs.get(index); 29986f3e0c24e8834e6ad5ac61f2459fb335549bc24Chris Lattner boolean verificationAlreadyPerformed = (index == certs.size() - 1); 30098cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner 301e598181889d8ab43c3924799fd310e68571186f1Nate Begeman // 3029adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson // 6.1.3 30398cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner // 304e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad 305e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, 30698cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner verificationAlreadyPerformed, workingIssuerName, sign); 30702031c0ff8ad48acdb8c4a4058c4fafe600423e1Zhou Sheng 308eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator); 309e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad 310e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, 31198cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner validPolicyTree, policyNodes, inhibitAnyPolicy); 
31298cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner 313e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree); 3149adc0abad3c3ed40a268ccbcee0c74cb9e1359feOwen Anderson 31598cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy); 31698cf45bbf6b6efc1b90d4744082149e9b5f3e17aChris Lattner 317b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 318b41b5e0b2d865f9dcb8cc868b28929daf3a11207Owen Anderson // 6.1.4 319f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen // 3209e38531d9561630520732146c32977443c73c243Gabor Greif 3219e38531d9561630520732146c32977443c73c243Gabor Greif if (i != n) 322c23197a26f34f559ea9797de51e187087c039c42Torok Edwin { 323f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen if (cert != null && cert.getVersion() == 1) 3249e38531d9561630520732146c32977443c73c243Gabor Greif { 3251d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, 326f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen certPath, index); 327f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen } 3289e38531d9561630520732146c32977443c73c243Gabor Greif 3291d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson RFC3280CertPathUtilities.prepareNextCertA(certPath, index); 330f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen 331f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, 332f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen policyMapping); 333f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen 3349e38531d9561630520732146c32977443c73c243Gabor Greif RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator); 3359e38531d9561630520732146c32977443c73c243Gabor Greif 
336f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen // (h) 337f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy); 338f74185b80e07d58208b24f0314d94853d48ec9bdDale Johannesen policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping); 339addd11d98ee3a3013c66d3fd25ee2cfb09b3c7bdReid Spencer inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy); 340b71fd7897f6b4500cdbe602c5a9907316750cf5aChris Lattner 341e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 342e922c0201916e0b980ab3cfe91e1413e68d55647Owen Anderson // (i) 343e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // 34446510a73e977273ec67747eb34cbdb43f815e451Dan Gohman explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy); 3453b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping); 346edf128a7fa90f2b0b7ee24741a04a7ae1ecd6f7eMisha Brukman 3479e38531d9561630520732146c32977443c73c243Gabor Greif // (j) 3483b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy); 3493b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 35075361b69f3f327842b9dad69fa7f28ae3b688412Chris Lattner // (k) 3517d696d80409aad20bb5da0fc4eccab941dd371d4Torok Edwin RFC3280CertPathUtilities.prepareNextCertK(certPath, index); 3523b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 35375361b69f3f327842b9dad69fa7f28ae3b688412Chris Lattner // (l) 3547d696d80409aad20bb5da0fc4eccab941dd371d4Torok Edwin maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength); 3553b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 3569da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak // (m) 3579da9934e27dfb48de77b80a3e20ed2d869b52024Jakub 
Staszak maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength); 3589da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak 3599da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak // (n) 3609da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak RFC3280CertPathUtilities.prepareNextCertN(certPath, index); 3619da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak 3629da9934e27dfb48de77b80a3e20ed2d869b52024Jakub Staszak Set criticalExtensions = cert.getCriticalExtensionOIDs(); 363588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner if (criticalExtensions != null) 364588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner { 365588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner criticalExtensions = new HashSet(criticalExtensions); 366588e72db75649e8f9f79d73c24156c9611aeacf3Chris Lattner 3679b700f7951b07cb7be885c7560066c73733ef101Chris Lattner // these extensions are handled by the algorithm 3689e38531d9561630520732146c32977443c73c243Gabor Greif criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE); 3691d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); 370f012705c7e4ca8cf90b6b734ce1d5355daca5ba5Benjamin Kramer criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS); 3719b700f7951b07cb7be885c7560066c73733ef101Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY); 3723b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); 3739b700f7951b07cb7be885c7560066c73733ef101Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); 374edf128a7fa90f2b0b7ee24741a04a7ae1ecd6f7eMisha Brukman criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS); 375f012705c7e4ca8cf90b6b734ce1d5355daca5ba5Benjamin Kramer criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS); 
376a7235ea7245028a0723e8ab7fd011386b3900777Owen Anderson criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME); 3779b700f7951b07cb7be885c7560066c73733ef101Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS); 3783b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner } 379f0a3e6c21cc24ebbec701bd8f6b1253b49498457Chris Lattner else 3809e38531d9561630520732146c32977443c73c243Gabor Greif { 3811d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson criticalExtensions = new HashSet(); 3829b700f7951b07cb7be885c7560066c73733ef101Chris Lattner } 383f0a3e6c21cc24ebbec701bd8f6b1253b49498457Chris Lattner 3849b700f7951b07cb7be885c7560066c73733ef101Chris Lattner // (o) 385f0a3e6c21cc24ebbec701bd8f6b1253b49498457Chris Lattner RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers); 3863b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 387d0fcab915441c0748667ef981ef85989abd28b11Gabor Greif // set signing certificate for next round 3881d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson sign = cert; 3893b66ecb05fedbfe0a70b39d73b1ea5998bc8c31bChris Lattner 390f0a3e6c21cc24ebbec701bd8f6b1253b49498457Chris Lattner // (c) 391e9391fd9b52e93717b365bdd05c471101323a4dfReid Spencer workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign); 3929e38531d9561630520732146c32977443c73c243Gabor Greif 3930b118206bf3411722707f2e5cab8fd2eedcd50d6Reid Spencer // (d) 3940b118206bf3411722707f2e5cab8fd2eedcd50d6Reid Spencer try 395e9391fd9b52e93717b365bdd05c471101323a4dfReid Spencer { 3969e38531d9561630520732146c32977443c73c243Gabor Greif workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index); 397e598181889d8ab43c3924799fd310e68571186f1Nate Begeman } 398e598181889d8ab43c3924799fd310e68571186f1Nate Begeman catch (CertPathValidatorException e) 399e9391fd9b52e93717b365bdd05c471101323a4dfReid Spencer { 4009e38531d9561630520732146c32977443c73c243Gabor Greif throw 
new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index); 401691ef2ba066dda14ae4ac0ad645054fbc967785aAndrew Lenharth } 402e598181889d8ab43c3924799fd310e68571186f1Nate Begeman 403e9391fd9b52e93717b365bdd05c471101323a4dfReid Spencer workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey); 404a801172e504b45b2266486ec68adb64f7fcf8e17Chris Lattner // (f) 4059e38531d9561630520732146c32977443c73c243Gabor Greif workingPublicKeyAlgorithm = workingAlgId.getObjectId(); 406e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad // (e) 407e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad workingPublicKeyParameters = workingAlgId.getParameters(); 408eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson } 409e1e201416ae8ab40d31d223c5d560ee0f635e05aJay Foad } 410e922c0201916e0b980ab3cfe91e1413e68d55647Owen Anderson 411691ef2ba066dda14ae4ac0ad645054fbc967785aAndrew Lenharth // 412691ef2ba066dda14ae4ac0ad645054fbc967785aAndrew Lenharth // 6.1.5 Wrap-up procedure 413691ef2ba066dda14ae4ac0ad645054fbc967785aAndrew Lenharth // 41477b1330ece6ea40b3b7700fe13e2ca64bd494203Chris Lattner 4150c067bc11d5274973c21f83b6c6403a9928265d8Chris Lattner explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert); 41658446916b71c4ff79962081ea7c4df078c388b0eBob Wilson 4170c067bc11d5274973c21f83b6c6403a9928265d8Chris Lattner explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy); 41858446916b71c4ff79962081ea7c4df078c388b0eBob Wilson 41958446916b71c4ff79962081ea7c4df078c388b0eBob Wilson // 42058446916b71c4ff79962081ea7c4df078c388b0eBob Wilson // (c) (d) and (e) are already done 4210c067bc11d5274973c21f83b6c6403a9928265d8Chris Lattner // 42258446916b71c4ff79962081ea7c4df078c388b0eBob Wilson 42358446916b71c4ff79962081ea7c4df078c388b0eBob Wilson // 4240c067bc11d5274973c21f83b6c6403a9928265d8Chris Lattner // (f) 42558446916b71c4ff79962081ea7c4df078c388b0eBob Wilson // 
4260c067bc11d5274973c21f83b6c6403a9928265d8Chris Lattner Set criticalExtensions = cert.getCriticalExtensionOIDs(); 427cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner 428cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner if (criticalExtensions != null) 42958446916b71c4ff79962081ea7c4df078c388b0eBob Wilson { 43058446916b71c4ff79962081ea7c4df078c388b0eBob Wilson criticalExtensions = new HashSet(criticalExtensions); 43158446916b71c4ff79962081ea7c4df078c388b0eBob Wilson // these extensions are handled by the algorithm 432cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE); 433cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES); 434cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS); 435cf8990838143fcfa91dd6276af523ac6c23517c2Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY); 4360942b7caf1b5fde959301042129d25f1e7b86b28Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT); 4370942b7caf1b5fde959301042129d25f1e7b86b28Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); 4380942b7caf1b5fde959301042129d25f1e7b86b28Chris Lattner criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS); 4397f4ec3b2e3157e6a0798f3e95a3961bfa6ef66b6Andrew Lenharth criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS); 4407f4ec3b2e3157e6a0798f3e95a3961bfa6ef66b6Andrew Lenharth criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME); 44158446916b71c4ff79962081ea7c4df078c388b0eBob Wilson criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS); 44258446916b71c4ff79962081ea7c4df078c388b0eBob Wilson criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS); 44358446916b71c4ff79962081ea7c4df078c388b0eBob 
Wilson } 4441d0be15f89cb5056e20e2d24faa8d6afb1573bcaOwen Anderson else 44551b8d54922350b7e1c2cd5a5183ef2c5f5d1b1d5Andrew Lenharth { 44658446916b71c4ff79962081ea7c4df078c388b0eBob Wilson criticalExtensions = new HashSet(); 4477f4ec3b2e3157e6a0798f3e95a3961bfa6ef66b6Andrew Lenharth } 44843970fec322d9e0153ca513de41d80af1c79bddeJim Laskey 449f664e41b201bad27ed3661bf50cd71f54242c114Duncan Sands RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions); 450f664e41b201bad27ed3661bf50cd71f54242c114Duncan Sands 451b01bbdcc1af27bd90b552bb1b62b48916e0d4be3Duncan Sands PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, 452f664e41b201bad27ed3661bf50cd71f54242c114Duncan Sands index + 1, policyNodes, validPolicyTree, acceptablePolicies); 453eed707b1e6097aac2bb6b3d47271f6300ace7f2eOwen Anderson 454f664e41b201bad27ed3661bf50cd71f54242c114Duncan Sands if ((explicitPolicy > 0) || (intersection != null)) 4555fe51cc2c46afca64638597cdef3bdafa6cd0a8cChris Lattner { 456c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey()); 457c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski } 458c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski 459c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index); 460c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski } 461c2b7f5fa511420b99dd8238ab4ba769a6a6015a5Justin Holewinski 46224e5aada7d112447c41c12008f7daf1fc15a24bcTanya Lattner} 46324e5aada7d112447c41c12008f7daf1fc15a24bcTanya Lattner