Search in sources :

Example 1 with PKIXNameConstraintValidator

use of com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidator in project LinLong-Java by zhenwei1108.

the class PKIXCertPathReviewer method checkNameConstraints.

private void checkNameConstraints() {
    X509Certificate cert = null;
    // 
    // Setup
    // 
    // (b)  and (c)
    PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
    // 
    // process each certificate except the last in the path
    // 
    int index;
    int i;
    try {
        for (index = certs.size() - 1; index > 0; index--) {
            i = n - index;
            // 
            // certificate processing
            // 
            cert = (X509Certificate) certs.get(index);
            if (!isSelfIssued(cert)) {
                X500Principal principal = getSubjectPrincipal(cert);
                ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
                ASN1Sequence dns;
                try {
                    dns = (ASN1Sequence) aIn.readObject();
                } catch (IOException e) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncSubjectNameError", new Object[] { new UntrustedInput(principal) });
                    throw new CertPathReviewerException(msg, e, certPath, index);
                }
                try {
                    nameConstraintValidator.checkPermittedDN(dns);
                } catch (PKIXNameConstraintValidatorException cpve) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedDN", new Object[] { new UntrustedInput(principal.getName()) });
                    throw new CertPathReviewerException(msg, cpve, certPath, index);
                }
                try {
                    nameConstraintValidator.checkExcludedDN(dns);
                } catch (PKIXNameConstraintValidatorException cpve) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.excludedDN", new Object[] { new UntrustedInput(principal.getName()) });
                    throw new CertPathReviewerException(msg, cpve, certPath, index);
                }
                ASN1Sequence altName;
                try {
                    altName = (ASN1Sequence) getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.subjAltNameExtError");
                    throw new CertPathReviewerException(msg, ae, certPath, index);
                }
                if (altName != null) {
                    for (int j = 0; j < altName.size(); j++) {
                        GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
                        try {
                            nameConstraintValidator.checkPermitted(name);
                            nameConstraintValidator.checkExcluded(name);
                        } catch (PKIXNameConstraintValidatorException cpve) {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notPermittedEmail", new Object[] { new UntrustedInput(name) });
                            throw new CertPathReviewerException(msg, cpve, certPath, index);
                        }
                    // switch(o.getTagNo())            TODO - move resources to PKIXNameConstraints
                    // {
                    // case 1:
                    // String email = DERIA5String.getInstance(o, true).getString();
                    // 
                    // try
                    // {
                    // checkPermittedEmail(permittedSubtreesEmail, email);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedEmail",
                    // new Object[] {new UntrustedInput(email)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // 
                    // try
                    // {
                    // checkExcludedEmail(excludedSubtreesEmail, email);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedEmail",
                    // new Object[] {new UntrustedInput(email)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // 
                    // break;
                    // case 4:
                    // ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);
                    // 
                    // try
                    // {
                    // checkPermittedDN(permittedSubtreesDN, altDN);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // X509Name altDNName = new X509Name(altDN);
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedDN",
                    // new Object[] {new UntrustedInput(altDNName)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // 
                    // try
                    // {
                    // checkExcludedDN(excludedSubtreesDN, altDN);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // X509Name altDNName = new X509Name(altDN);
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedDN",
                    // new Object[] {new UntrustedInput(altDNName)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // 
                    // break;
                    // case 7:
                    // byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();
                    // 
                    // try
                    // {
                    // checkPermittedIP(permittedSubtreesIP, ip);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedIP",
                    // new Object[] {IPtoString(ip)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // 
                    // try
                    // {
                    // checkExcludedIP(excludedSubtreesIP, ip);
                    // }
                    // catch (CertPathValidatorException cpve)
                    // {
                    // ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedIP",
                    // new Object[] {IPtoString(ip)});
                    // throw new CertPathReviewerException(msg,cpve,certPath,index);
                    // }
                    // }
                    }
                }
            }
            // 
            // prepare for next certificate
            // 
            // 
            // (g) handle the name constraints extension
            // 
            ASN1Sequence ncSeq;
            try {
                ncSeq = (ASN1Sequence) getExtensionValue(cert, NAME_CONSTRAINTS);
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.ncExtError");
                throw new CertPathReviewerException(msg, ae, certPath, index);
            }
            if (ncSeq != null) {
                NameConstraints nc = NameConstraints.getInstance(ncSeq);
                // 
                // (g) (1) permitted subtrees
                // 
                GeneralSubtree[] permitted = nc.getPermittedSubtrees();
                if (permitted != null) {
                    nameConstraintValidator.intersectPermittedSubtree(permitted);
                }
                // 
                // (g) (2) excluded subtrees
                // 
                GeneralSubtree[] excluded = nc.getExcludedSubtrees();
                if (excluded != null) {
                    for (int c = 0; c != excluded.length; c++) {
                        nameConstraintValidator.addExcludedSubtree(excluded[c]);
                    }
                }
            }
        }
    // for
    } catch (CertPathReviewerException cpre) {
        addError(cpre.getErrorMessage(), cpre.getIndex());
    }
}
Also used : ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream) NameConstraints(com.github.zhenwei.core.asn1.x509.NameConstraints) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) ASN1Sequence(com.github.zhenwei.core.asn1.ASN1Sequence) ErrorBundle(com.github.zhenwei.core.i18n.ErrorBundle) ByteArrayInputStream(java.io.ByteArrayInputStream) PKIXNameConstraintValidatorException(com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidatorException) PKIXNameConstraintValidator(com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidator) X500Principal(javax.security.auth.x500.X500Principal) ASN1TaggedObject(com.github.zhenwei.core.asn1.ASN1TaggedObject) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) GeneralSubtree(com.github.zhenwei.core.asn1.x509.GeneralSubtree) UntrustedInput(com.github.zhenwei.core.i18n.filter.UntrustedInput) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException)

Aggregations

ASN1InputStream (com.github.zhenwei.core.asn1.ASN1InputStream)1 ASN1Sequence (com.github.zhenwei.core.asn1.ASN1Sequence)1 ASN1TaggedObject (com.github.zhenwei.core.asn1.ASN1TaggedObject)1 CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)1 DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)1 GeneralName (com.github.zhenwei.core.asn1.x509.GeneralName)1 GeneralSubtree (com.github.zhenwei.core.asn1.x509.GeneralSubtree)1 IssuingDistributionPoint (com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)1 NameConstraints (com.github.zhenwei.core.asn1.x509.NameConstraints)1 ErrorBundle (com.github.zhenwei.core.i18n.ErrorBundle)1 UntrustedInput (com.github.zhenwei.core.i18n.filter.UntrustedInput)1 AnnotatedException (com.github.zhenwei.provider.jce.provider.AnnotatedException)1 PKIXNameConstraintValidator (com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidator)1 PKIXNameConstraintValidatorException (com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidatorException)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1 IOException (java.io.IOException)1 X509Certificate (java.security.cert.X509Certificate)1 X500Principal (javax.security.auth.x500.X500Principal)1