use of com.github.zhenwei.provider.jce.provider.PKIXPolicyNode in project LinLong-Java by zhenwei1108.
the class PKIXCertPathReviewer method checkPolicy.
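/**
 * Certificate-policy processing for the reviewed path (the RFC 3280 section
 * 6.1 policy steps; the section/step labels are kept in the comments below).
 *
 * <p>{@code certs} is walked from index {@code certs.size() - 1} down to 0, so
 * {@code i = n - index} numbers the certificates from the trust anchor side as
 * in the RFC. The valid policy tree is built in the local {@code policyNodes}
 * array (one list of {@link PKIXPolicyNode}s per depth) and is neither
 * returned nor stored: the only visible outcome of this method is the error
 * recorded through {@link #addError} when a {@link CertPathReviewerException}
 * is raised while processing. Extension decoding problems and policy
 * violations are converted into such an exception (carrying the certificate
 * index where one is known), and processing stops at the first one.
 *
 * <p>Reads {@code pkixParams}, {@code certs}, {@code certPath} and {@code n}
 * from the enclosing reviewer. {@code n} is assumed to equal
 * {@code certs.size()} (the {@code i != n} test below relies on it) and
 * {@code certs} is assumed to be non-empty — TODO confirm both are guaranteed
 * by the caller.
 */
private void checkPolicy() {
  //
  // 6.1.1 Inputs
  //
  // c) Initial Policy Set
  Set userInitialPolicySet = pkixParams.getInitialPolicies();
  // e) f) g) are part of pkixParams
  //
  // 6.1.2 Initialization
  //
  // a) valid policy tree: one node list per depth 0..n, depth 0 holds the
  // anyPolicy root node
  List[] policyNodes = new ArrayList[n + 1];
  for (int j = 0; j < policyNodes.length; j++) {
    policyNodes[j] = new ArrayList();
  }
  Set policySet = new HashSet();
  policySet.add(ANY_POLICY);
  PKIXPolicyNode validPolicyTree =
      new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), ANY_POLICY, false);
  policyNodes[0].add(validPolicyTree);
  // d) explicit policy: 0 = required from the first certificate on, n + 1 =
  // never reached by the per-certificate decrements unless a policy
  // constraint lowers it
  int explicitPolicy;
  if (pkixParams.isExplicitPolicyRequired()) {
    explicitPolicy = 0;
  } else {
    explicitPolicy = n + 1;
  }
  // e) inhibit any policy (same 0 / n + 1 convention)
  int inhibitAnyPolicy;
  if (pkixParams.isAnyPolicyInhibited()) {
    inhibitAnyPolicy = 0;
  } else {
    inhibitAnyPolicy = n + 1;
  }
  // f) policy mapping (same 0 / n + 1 convention)
  int policyMapping;
  if (pkixParams.isPolicyMappingInhibited()) {
    policyMapping = 0;
  } else {
    policyMapping = n + 1;
  }
  // running intersection of the policy ids asserted by the certificates seen
  // so far; stays null until a certificate with a policies extension is met
  Set acceptablePolicies = null;
  //
  // 6.1.3 Basic Certificate processing
  //
  X509Certificate cert = null;
  int index;
  int i;
  try {
    for (index = certs.size() - 1; index >= 0; index--) {
      // i as defined in the algorithm description
      i = n - index;
      // set certificate to be checked in this round
      cert = (X509Certificate) certs.get(index);
      // d) process policy information
      ASN1Sequence certPolicies;
      try {
        certPolicies = (ASN1Sequence) getExtensionValue(cert, CERTIFICATE_POLICIES);
      } catch (AnnotatedException ae) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyExtError");
        throw new CertPathReviewerException(msg, ae, certPath, index);
      }
      if (certPolicies != null && validPolicyTree != null) {
        // d) 1) every policy of the certificate other than anyPolicy gets a
        // child node under the first depth i - 1 node expecting it
        // (processCertD1i); processCertD1ii handles the no-match case
        Enumeration e = certPolicies.getObjects();
        Set pols = new HashSet();
        while (e.hasMoreElements()) {
          PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
          ASN1ObjectIdentifier pOid = pInfo.getPolicyIdentifier();
          pols.add(pOid.getId());
          if (!ANY_POLICY.equals(pOid.getId())) {
            Set pq;
            try {
              pq = getQualifierSet(pInfo.getPolicyQualifiers());
            } catch (CertPathValidatorException cpve) {
              ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyQualifierError");
              throw new CertPathReviewerException(msg, cpve, certPath, index);
            }
            boolean match = processCertD1i(i, policyNodes, pOid, pq);
            if (!match) {
              processCertD1ii(i, policyNodes, pOid, pq);
            }
          }
        }
        // narrow the acceptable set to what this certificate asserts; a set
        // that still holds anyPolicy is simply replaced
        if (acceptablePolicies == null || acceptablePolicies.contains(ANY_POLICY)) {
          acceptablePolicies = pols;
        } else {
          Iterator it = acceptablePolicies.iterator();
          Set t1 = new HashSet();
          while (it.hasNext()) {
            Object o = it.next();
            if (pols.contains(o)) {
              t1.add(o);
            }
          }
          acceptablePolicies = t1;
        }
        // d) 2) anyPolicy asserted by this certificate is honoured only while
        // inhibitAnyPolicy > 0, or for a self-issued non-final certificate
        if ((inhibitAnyPolicy > 0) || ((i < n) && isSelfIssued(cert))) {
          e = certPolicies.getObjects();
          while (e.hasMoreElements()) {
            PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
            if (ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) {
              Set _apq;
              try {
                _apq = getQualifierSet(pInfo.getPolicyQualifiers());
              } catch (CertPathValidatorException cpve) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyQualifierError");
                throw new CertPathReviewerException(msg, cpve, certPath, index);
              }
              // every expected policy of a depth i - 1 node that has no child
              // of that name yet gets one, carrying the anyPolicy qualifiers
              List _nodes = policyNodes[i - 1];
              for (int k = 0; k < _nodes.size(); k++) {
                PKIXPolicyNode _node = (PKIXPolicyNode) _nodes.get(k);
                Iterator _policySetIter = _node.getExpectedPolicies().iterator();
                while (_policySetIter.hasNext()) {
                  Object _tmp = _policySetIter.next();
                  String _policy;
                  if (_tmp instanceof String) {
                    _policy = (String) _tmp;
                  } else if (_tmp instanceof ASN1ObjectIdentifier) {
                    _policy = ((ASN1ObjectIdentifier) _tmp).getId();
                  } else {
                    continue;
                  }
                  boolean _found = false;
                  Iterator _childrenIter = _node.getChildren();
                  while (_childrenIter.hasNext()) {
                    PKIXPolicyNode _child = (PKIXPolicyNode) _childrenIter.next();
                    if (_policy.equals(_child.getValidPolicy())) {
                      _found = true;
                    }
                  }
                  if (!_found) {
                    Set _newChildExpectedPolicies = new HashSet();
                    _newChildExpectedPolicies.add(_policy);
                    PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false);
                    _node.addChild(_newChild);
                    policyNodes[i].add(_newChild);
                  }
                }
              }
              // only the first anyPolicy entry of the extension is used
              break;
            }
          }
        }
        // d) 3) prune childless nodes of the depths above i
        // NOTE(review): if removePolicyNode shrinks `nodes`, the element that
        // follows the removed one is skipped on this pass because k keeps
        // advancing — confirm that is intended
        for (int j = (i - 1); j >= 0; j--) {
          List nodes = policyNodes[j];
          for (int k = 0; k < nodes.size(); k++) {
            PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
            if (!node.hasChildren()) {
              validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
              if (validPolicyTree == null) {
                break;
              }
            }
          }
        }
        //
        // d (4) the nodes of this depth inherit the criticality of the
        // certificate-policies extension
        //
        Set criticalExtensionOids = cert.getCriticalExtensionOIDs();
        if (criticalExtensionOids != null) {
          boolean critical = criticalExtensionOids.contains(CERTIFICATE_POLICIES);
          List nodes = policyNodes[i];
          for (int j = 0; j < nodes.size(); j++) {
            PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(j);
            node.setCritical(critical);
          }
        }
      }
      // e) a certificate without a policies extension empties the tree
      if (certPolicies == null) {
        validPolicyTree = null;
      }
      // f) explicit policy already required but no tree left; no certificate
      // index is attached to this error
      if (explicitPolicy <= 0 && validPolicyTree == null) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noValidPolicyTree");
        throw new CertPathReviewerException(msg);
      }
      // 6.1.4 preparation for the next certificate (not for the last one)
      if (i != n) {
        // a) policy mappings: anyPolicy is not allowed on either side
        ASN1Primitive pm;
        try {
          pm = getExtensionValue(cert, POLICY_MAPPINGS);
        } catch (AnnotatedException ae) {
          ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyMapExtError");
          throw new CertPathReviewerException(msg, ae, certPath, index);
        }
        if (pm != null) {
          ASN1Sequence mappings = (ASN1Sequence) pm;
          for (int j = 0; j < mappings.size(); j++) {
            ASN1Sequence mapping = (ASN1Sequence) mappings.getObjectAt(j);
            ASN1ObjectIdentifier ip_id = (ASN1ObjectIdentifier) mapping.getObjectAt(0);
            ASN1ObjectIdentifier sp_id = (ASN1ObjectIdentifier) mapping.getObjectAt(1);
            if (ANY_POLICY.equals(ip_id.getId())) {
              ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.invalidPolicyMapping");
              throw new CertPathReviewerException(msg, certPath, index);
            }
            if (ANY_POLICY.equals(sp_id.getId())) {
              ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.invalidPolicyMapping");
              throw new CertPathReviewerException(msg, certPath, index);
            }
          }
        }
        // b) group the mappings by issuer-domain policy (m_idp: id_p -> set of
        // subject-domain ids, s_idp: the id_p values in first-seen order of
        // insertion into the map) and apply them to the depth i nodes
        if (pm != null) {
          ASN1Sequence mappings = (ASN1Sequence) pm;
          Map m_idp = new HashMap();
          Set s_idp = new HashSet();
          for (int j = 0; j < mappings.size(); j++) {
            ASN1Sequence mapping = (ASN1Sequence) mappings.getObjectAt(j);
            String id_p = ((ASN1ObjectIdentifier) mapping.getObjectAt(0)).getId();
            String sd_p = ((ASN1ObjectIdentifier) mapping.getObjectAt(1)).getId();
            Set tmp;
            if (!m_idp.containsKey(id_p)) {
              tmp = new HashSet();
              tmp.add(sd_p);
              m_idp.put(id_p, tmp);
              s_idp.add(id_p);
            } else {
              tmp = (Set) m_idp.get(id_p);
              tmp.add(sd_p);
            }
          }
          Iterator it_idp = s_idp.iterator();
          while (it_idp.hasNext()) {
            String id_p = (String) it_idp.next();
            //
            // (1) mapping still allowed: rewrite / create the mapped node
            if (policyMapping > 0) {
              try {
                prepareNextCertB1(i, policyNodes, id_p, m_idp, cert);
              } catch (AnnotatedException ae) {
                // error processing certificate policies extension
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyExtError");
                throw new CertPathReviewerException(msg, ae, certPath, index);
              } catch (CertPathValidatorException cpve) {
                // error building qualifier set
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyQualifierError");
                throw new CertPathReviewerException(msg, cpve, certPath, index);
              }
              //
              // (2) mapping inhibited: drop the mapped node and prune
              //
            } else if (policyMapping <= 0) {
              validPolicyTree = prepareNextCertB2(i, policyNodes, id_p, validPolicyTree);
            }
          }
        }
        // h) the three counters only advance on non-self-issued certificates
        if (!isSelfIssued(cert)) {
          // (1)
          if (explicitPolicy != 0) {
            explicitPolicy--;
          }
          // (2)
          if (policyMapping != 0) {
            policyMapping--;
          }
          // (3)
          if (inhibitAnyPolicy != 0) {
            inhibitAnyPolicy--;
          }
        }
        // i) policy constraints: tag 0 lowers explicitPolicy, tag 1 lowers
        // policyMapping; a value can only tighten the current counter
        try {
          ASN1Sequence pc = (ASN1Sequence) getExtensionValue(cert, POLICY_CONSTRAINTS);
          if (pc != null) {
            Enumeration policyConstraints = pc.getObjects();
            while (policyConstraints.hasMoreElements()) {
              ASN1TaggedObject constraint = (ASN1TaggedObject) policyConstraints.nextElement();
              int tmpInt;
              switch (constraint.getTagNo()) {
                case 0:
                  tmpInt = ASN1Integer.getInstance(constraint, false).intValueExact();
                  if (tmpInt < explicitPolicy) {
                    explicitPolicy = tmpInt;
                  }
                  break;
                case 1:
                  tmpInt = ASN1Integer.getInstance(constraint, false).intValueExact();
                  if (tmpInt < policyMapping) {
                    policyMapping = tmpInt;
                  }
                  break;
              }
            }
          }
        } catch (AnnotatedException ae) {
          // keep the decoding failure as the cause, as the other extension
          // errors above do
          ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyConstExtError");
          throw new CertPathReviewerException(msg, ae, certPath, index);
        }
        // j) inhibit any policy: again only tightening is possible
        try {
          ASN1Integer iap = (ASN1Integer) getExtensionValue(cert, INHIBIT_ANY_POLICY);
          if (iap != null) {
            int _inhibitAnyPolicy = iap.intValueExact();
            if (_inhibitAnyPolicy < inhibitAnyPolicy) {
              inhibitAnyPolicy = _inhibitAnyPolicy;
            }
          }
        } catch (AnnotatedException ae) {
          ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyInhibitExtError");
          throw new CertPathReviewerException(msg, ae, certPath, index);
        }
      }
    }
    //
    // 6.1.5 wrap-up for the last certificate
    //
    // a)
    if (!isSelfIssued(cert) && explicitPolicy > 0) {
      explicitPolicy--;
    }
    // b) a requireExplicitPolicy of 0 in the last certificate forces it
    try {
      ASN1Sequence pc = (ASN1Sequence) getExtensionValue(cert, POLICY_CONSTRAINTS);
      if (pc != null) {
        Enumeration policyConstraints = pc.getObjects();
        while (policyConstraints.hasMoreElements()) {
          ASN1TaggedObject constraint = (ASN1TaggedObject) policyConstraints.nextElement();
          switch (constraint.getTagNo()) {
            case 0:
              int tmpInt = ASN1Integer.getInstance(constraint, false).intValueExact();
              if (tmpInt == 0) {
                explicitPolicy = 0;
              }
              break;
          }
        }
      }
    } catch (AnnotatedException e) {
      ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.policyConstExtError");
      throw new CertPathReviewerException(msg, e, certPath, index);
    }
    //
    // (g) intersection of the valid policy tree with the initial policy set
    //
    PKIXPolicyNode intersection;
    //
    if (validPolicyTree == null) {
      // (g) (i)
      if (pkixParams.isExplicitPolicyRequired()) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.explicitPolicy");
        throw new CertPathReviewerException(msg, certPath, index);
      }
      intersection = null;
    } else if (isAnyPolicy(userInitialPolicySet)) {
      // (g) (ii)
      if (pkixParams.isExplicitPolicyRequired()) {
        if (acceptablePolicies.isEmpty()) {
          ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.explicitPolicy");
          throw new CertPathReviewerException(msg, certPath, index);
        } else {
          // collect the children of every anyPolicy node
          Set _validPolicyNodeSet = new HashSet();
          for (int j = 0; j < policyNodes.length; j++) {
            List _nodeDepth = policyNodes[j];
            for (int k = 0; k < _nodeDepth.size(); k++) {
              PKIXPolicyNode _node = (PKIXPolicyNode) _nodeDepth.get(k);
              if (ANY_POLICY.equals(_node.getValidPolicy())) {
                Iterator _iter = _node.getChildren();
                while (_iter.hasNext()) {
                  _validPolicyNodeSet.add(_iter.next());
                }
              }
            }
          }
          // NOTE(review): the removal of nodes outside acceptablePolicies is
          // disabled, so this loop currently has no effect — confirm intent
          Iterator _vpnsIter = _validPolicyNodeSet.iterator();
          while (_vpnsIter.hasNext()) {
            PKIXPolicyNode _node = (PKIXPolicyNode) _vpnsIter.next();
            String _validPolicy = _node.getValidPolicy();
            if (!acceptablePolicies.contains(_validPolicy)) {
              // validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node);
            }
          }
          // prune childless nodes of depths n - 1 .. 0
          if (validPolicyTree != null) {
            for (int j = (n - 1); j >= 0; j--) {
              List nodes = policyNodes[j];
              for (int k = 0; k < nodes.size(); k++) {
                PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
                if (!node.hasChildren()) {
                  validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
                }
              }
            }
          }
        }
      }
      intersection = validPolicyTree;
    } else {
      //
      // (g) (iii)
      //
      // This implementation is not exactly same as the one described in RFC3280.
      // However, as far as the validation result is concerned, both produce
      // adequate result. The only difference is whether AnyPolicy is remain
      // in the policy tree or not.
      //
      // (g) (iii) 1: the non-anyPolicy children of every anyPolicy node
      //
      Set _validPolicyNodeSet = new HashSet();
      for (int j = 0; j < policyNodes.length; j++) {
        List _nodeDepth = policyNodes[j];
        for (int k = 0; k < _nodeDepth.size(); k++) {
          PKIXPolicyNode _node = (PKIXPolicyNode) _nodeDepth.get(k);
          if (ANY_POLICY.equals(_node.getValidPolicy())) {
            Iterator _iter = _node.getChildren();
            while (_iter.hasNext()) {
              PKIXPolicyNode _c_node = (PKIXPolicyNode) _iter.next();
              if (!ANY_POLICY.equals(_c_node.getValidPolicy())) {
                _validPolicyNodeSet.add(_c_node);
              }
            }
          }
        }
      }
      //
      // (g) (iii) 2: drop those not in the user's initial policy set
      //
      Iterator _vpnsIter = _validPolicyNodeSet.iterator();
      while (_vpnsIter.hasNext()) {
        PKIXPolicyNode _node = (PKIXPolicyNode) _vpnsIter.next();
        String _validPolicy = _node.getValidPolicy();
        if (!userInitialPolicySet.contains(_validPolicy)) {
          validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node);
        }
      }
      //
      // (g) (iii) 3: prune childless nodes of depths n - 1 .. 0
      if (validPolicyTree != null) {
        for (int j = (n - 1); j >= 0; j--) {
          List nodes = policyNodes[j];
          for (int k = 0; k < nodes.size(); k++) {
            PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
            if (!node.hasChildren()) {
              validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
            }
          }
        }
      }
      intersection = validPolicyTree;
    }
    // an explicit-policy requirement with an empty intersection is an error;
    // no certificate index is attached to it
    if ((explicitPolicy <= 0) && (intersection == null)) {
      ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.invalidPolicy");
      throw new CertPathReviewerException(msg);
    }
    // the final tree is a local and is not published by this method
    validPolicyTree = intersection;
  } catch (CertPathReviewerException cpre) {
    // every policy problem ends here: record it (with the certificate index
    // it carries) and treat the tree as gone
    addError(cpre.getErrorMessage(), cpre.getIndex());
    validPolicyTree = null;
  }
}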
use of com.github.zhenwei.provider.jce.provider.PKIXPolicyNode in project LinLong-Java by zhenwei1108.
the class CertPathValidatorUtilities method prepareNextCertB1.
/**
 * Policy-mapping step (b)(1) for the node list of depth {@code i}: when a
 * node of that depth already has {@code id_p} as its valid policy, its
 * expected policies are replaced by the mapped subject-domain ids from
 * {@code m_idp}. Otherwise the first anyPolicy node of depth {@code i} is
 * located and, if its parent is an anyPolicy node too, a new node for
 * {@code id_p} is added under that parent carrying the certificate's
 * anyPolicy qualifiers and the criticality of the certificate-policies
 * extension.
 *
 * @param i depth being prepared
 * @param policyNodes one list of {@link PKIXPolicyNode}s per depth
 * @param id_p issuer-domain policy id being mapped
 * @param m_idp map from issuer-domain policy id to the {@link Set} of subject-domain ids
 * @param cert certificate whose policies extension supplies the anyPolicy qualifiers
 * @throws AnnotatedException when the certificate-policies extension or an entry of it cannot be decoded
 * @throws CertPathValidatorException when the anyPolicy qualifier set cannot be built
 */
protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws AnnotatedException, CertPathValidatorException {
  // (1) a node of depth i already carries id_p: only its expectations change
  PKIXPolicyNode matched = null;
  for (Iterator it = policyNodes[i].iterator(); it.hasNext() && matched == null; ) {
    PKIXPolicyNode candidate = (PKIXPolicyNode) it.next();
    if (candidate.getValidPolicy().equals(id_p)) {
      matched = candidate;
    }
  }
  if (matched != null) {
    matched.setExpectedPolicies((Set) m_idp.get(id_p));
    return;
  }
  // (2) otherwise the first anyPolicy node of depth i decides
  for (Iterator it = policyNodes[i].iterator(); it.hasNext(); ) {
    PKIXPolicyNode anyNode = (PKIXPolicyNode) it.next();
    if (!ANY_POLICY.equals(anyNode.getValidPolicy())) {
      continue;
    }
    ASN1Sequence policies;
    try {
      policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
    } catch (Exception e) {
      throw new AnnotatedException("Certificate policies cannot be decoded.", e);
    }
    Set pq = anyPolicyQualifiers(policies);
    Set criticalOids = cert.getCriticalExtensionOIDs();
    boolean ci = criticalOids != null && criticalOids.contains(CERTIFICATE_POLICIES);
    PKIXPolicyNode parent = (PKIXPolicyNode) anyNode.getParent();
    if (ANY_POLICY.equals(parent.getValidPolicy())) {
      PKIXPolicyNode mapped =
          new PKIXPolicyNode(new ArrayList(), i, (Set) m_idp.get(id_p), parent, pq, id_p, ci);
      parent.addChild(mapped);
      policyNodes[i].add(mapped);
    }
    // only the first anyPolicy node is considered
    break;
  }
}

/**
 * Qualifier set of the first anyPolicy entry of {@code policies}, or
 * {@code null} when the sequence holds no anyPolicy entry.
 *
 * @throws AnnotatedException when an entry cannot be decoded as PolicyInformation
 * @throws CertPathValidatorException when the qualifier set cannot be built
 */
private static Set anyPolicyQualifiers(ASN1Sequence policies) throws AnnotatedException, CertPathValidatorException {
  Enumeration entries = policies.getObjects();
  while (entries.hasMoreElements()) {
    PolicyInformation pinfo;
    try {
      pinfo = PolicyInformation.getInstance(entries.nextElement());
    } catch (Exception ex) {
      throw new AnnotatedException("Policy information cannot be decoded.", ex);
    }
    if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) {
      try {
        return getQualifierSet(pinfo.getPolicyQualifiers());
      } catch (CertPathValidatorException ex) {
        throw new ExtCertPathValidatorException("Policy qualifier info set could not be built.", ex);
      }
    }
  }
  return null;
}
use of com.github.zhenwei.provider.jce.provider.PKIXPolicyNode in project LinLong-Java by zhenwei1108.
the class CertPathValidatorUtilities method processCertD1i.
/**
 * Step d)(1)(i): adds a node for {@code pOid} at depth {@code index} under the
 * first node of depth {@code index - 1} whose expected-policy set contains the
 * policy id. The new node expects only that policy, carries {@code pq} as its
 * qualifiers and starts out non-critical.
 *
 * @param index depth of the node to add
 * @param policyNodes one list of {@link PKIXPolicyNode}s per depth
 * @param pOid policy identifier asserted by the certificate
 * @param pq qualifier set for that policy
 * @return {@code true} when a node was added, {@code false} when no node of
 *     depth {@code index - 1} expects the policy
 */
protected static boolean processCertD1i(int index, List[] policyNodes, ASN1ObjectIdentifier pOid, Set pq) {
  for (Iterator parents = policyNodes[index - 1].iterator(); parents.hasNext(); ) {
    PKIXPolicyNode parent = (PKIXPolicyNode) parents.next();
    if (!parent.getExpectedPolicies().contains(pOid.getId())) {
      continue;
    }
    Set expected = new HashSet();
    expected.add(pOid.getId());
    PKIXPolicyNode child =
        new PKIXPolicyNode(new ArrayList(), index, expected, parent, pq, pOid.getId(), false);
    parent.addChild(child);
    policyNodes[index].add(child);
    return true;
  }
  return false;
}
use of com.github.zhenwei.provider.jce.provider.PKIXPolicyNode in project LinLong-Java by zhenwei1108.
the class CertPathValidatorUtilities method removePolicyNodeRecurse.
/**
 * Removes {@code _node} from the list of its depth and then, recursively,
 * every node below it. The parent's child list is left as it is; callers
 * that need the node detached from its parent must do that themselves.
 *
 * @param policyNodes one list of {@link PKIXPolicyNode}s per depth
 * @param _node root of the subtree to remove
 */
private static void removePolicyNodeRecurse(List[] policyNodes, PKIXPolicyNode _node) {
  policyNodes[_node.getDepth()].remove(_node);
  if (!_node.hasChildren()) {
    return;
  }
  for (Iterator children = _node.getChildren(); children.hasNext(); ) {
    removePolicyNodeRecurse(policyNodes, (PKIXPolicyNode) children.next());
  }
}
use of com.github.zhenwei.provider.jce.provider.PKIXPolicyNode in project LinLong-Java by zhenwei1108.
the class CertPathValidatorUtilities method prepareNextCertB2.
/**
 * Policy-mapping step (b)(2), used when mapping is inhibited: every node of
 * depth {@code i} whose valid policy is {@code id_p} is detached from its
 * parent and from its depth list, after which the childless nodes of depths
 * {@code i - 1} down to 0 are removed through {@code removePolicyNode}.
 *
 * @param i depth of the mapped nodes
 * @param policyNodes one list of {@link PKIXPolicyNode}s per depth
 * @param id_p issuer-domain policy id whose nodes are dropped
 * @param validPolicyTree current tree root
 * @return the tree root after the removals, {@code null} when
 *     {@code removePolicyNode} reported the tree as gone
 */
protected static PKIXPolicyNode prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree) {
  Iterator depthNodes = policyNodes[i].iterator();
  while (depthNodes.hasNext()) {
    PKIXPolicyNode mapped = (PKIXPolicyNode) depthNodes.next();
    if (!mapped.getValidPolicy().equals(id_p)) {
      continue;
    }
    ((PKIXPolicyNode) mapped.getParent()).removeChild(mapped);
    depthNodes.remove();
    // NOTE(review): if removePolicyNode shrinks `nodes`, the element after
    // the removed one is skipped on this pass because k keeps advancing —
    // confirm that is intended
    for (int depth = i - 1; depth >= 0; depth--) {
      List nodes = policyNodes[depth];
      for (int k = 0; k < nodes.size(); k++) {
        PKIXPolicyNode candidate = (PKIXPolicyNode) nodes.get(k);
        if (candidate.hasChildren()) {
          continue;
        }
        validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, candidate);
        if (validPolicyTree == null) {
          break;
        }
      }
    }
  }
  return validPolicyTree;
}