use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.
the class OCSP method check.
/**
* Checks the revocation status of a list of certificates using OCSP.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param issuerInfo the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
static OCSPResponse check(List<CertId> certIds, URI responderURI, OCSPResponse.IssuerInfo issuerInfo, X509Certificate responderCert, Date date, List<Extension> extensions, String variant) throws IOException, CertPathValidatorException {
byte[] nonce = null;
for (Extension ext : extensions) {
if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
OCSPResponse ocspResponse = null;
try {
byte[] response = getOCSPBytes(certIds, responderURI, extensions);
ocspResponse = new OCSPResponse(response);
// verify the response
ocspResponse.verify(certIds, issuerInfo, responderCert, date, nonce, variant);
} catch (IOException ioe) {
throw new CertPathValidatorException("Unable to determine revocation status due to network error", ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
return ocspResponse;
}
use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.
the class GetMessage method main.
public static void main(String[] args) throws Exception {
Throwable[] causes = { new Throwable(), new Throwable("message"), new Throwable("message", new Throwable()) };
for (Throwable cause : causes) {
CertPathValidatorException cpve = new CertPathValidatorException(cause);
// from CertPathValidatorException(Throwable cause) spec:
// The detail message is set to (cause==null ? null : cause.toString() )
// (which typically contains the class and detail message of cause).
String expMsg = (cause == null ? null : cause.toString());
String actualMsg = cpve.getMessage();
boolean msgsEqual = (expMsg == null ? actualMsg == null : expMsg.equals(actualMsg));
if (!msgsEqual) {
System.out.println("expected message:" + expMsg);
System.out.println("getMessage():" + actualMsg);
failed = true;
}
}
if (failed) {
throw new Exception("Some tests FAILED");
}
}
use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.
the class PKIXMasterCertPathValidator method validate.
/**
* Validates a certification path consisting exclusively of
* <code>X509Certificate</code>s using the specified
* <code>PKIXCertPathChecker</code>s. It is assumed that the
* <code>PKIXCertPathChecker</code>s
* have been initialized with any input parameters they may need.
*
* @param cpOriginal the original X509 CertPath passed in by the user
* @param reversedCertList the reversed X509 CertPath (as a List)
* @param certPathCheckers the PKIXCertPathCheckers
* @throws CertPathValidatorException if cert path does not validate
*/
static void validate(CertPath cpOriginal, List<X509Certificate> reversedCertList, List<PKIXCertPathChecker> certPathCheckers) throws CertPathValidatorException {
// we actually process reversedCertList, but we keep cpOriginal because
// we need to return the original certPath when we throw an exception.
// we will also need to modify the index appropriately when we
// throw an exception.
int cpSize = reversedCertList.size();
if (debug != null) {
debug.println("--------------------------------------------------" + "------------");
debug.println("Executing PKIX certification path validation " + "algorithm.");
}
for (int i = 0; i < cpSize; i++) {
/* The basic loop algorithm is that we get the
* current certificate, we verify the current certificate using
* information from the previous certificate and from the state,
* and we modify the state for the next loop by setting the
* current certificate of this loop to be the previous certificate
* of the next loop. The state is initialized during first loop.
*/
X509Certificate currCert = reversedCertList.get(i);
if (debug != null) {
debug.println("Checking cert" + (i + 1) + " - Subject: " + currCert.getSubjectX500Principal());
}
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
}
if (debug != null && !unresCritExts.isEmpty()) {
StringJoiner joiner = new StringJoiner(", ", "{", "}");
for (String oid : unresCritExts) {
joiner.add(oid);
}
debug.println("Set of critical extensions: " + joiner.toString());
}
for (int j = 0; j < certPathCheckers.size(); j++) {
PKIXCertPathChecker currChecker = certPathCheckers.get(j);
if (debug != null) {
debug.println("-Using checker" + (j + 1) + " ... [" + currChecker.getClass().getName() + "]");
}
if (i == 0)
currChecker.init(false);
try {
currChecker.check(currCert, unresCritExts);
if (debug != null) {
debug.println("-checker" + (j + 1) + " validation succeeded");
}
} catch (CertPathValidatorException cpve) {
throw new CertPathValidatorException(cpve.getMessage(), (cpve.getCause() != null) ? cpve.getCause() : cpve, cpOriginal, cpSize - (i + 1), cpve.getReason());
}
}
if (!unresCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " + "critical extension(s)", null, cpOriginal, cpSize - (i + 1), PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
if (debug != null)
debug.println("\ncert" + (i + 1) + " validation succeeded.\n");
}
if (debug != null) {
debug.println("Cert path validation succeeded. (PKIX validation " + "algorithm)");
debug.println("-------------------------------------------------" + "-------------");
}
}
use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.
the class PolicyChecker method mergePolicyMapping.
/**
* Merges the specified policyMapping value with the
* inhibitPolicyMapping field of the <code>PolicyConstraints</code>
* extension obtained from the certificate. A policyMapping
* value of -1 implies no constraint.
*
* @param policyMapping an integer which indicates if policy mapping
* is inhibited
* @param currCert the Certificate to be processed
* @return returns the new policyMapping value
* @exception CertPathValidatorException Exception thrown if an error
* occurs
*/
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert) throws CertPathValidatorException {
if ((policyMapping > 0) && !X509CertImpl.isSelfIssued(currCert)) {
policyMapping--;
}
try {
PolicyConstraintsExtension polConstExt = currCert.getPolicyConstraintsExtension();
if (polConstExt == null)
return policyMapping;
int inhibit = polConstExt.get(PolicyConstraintsExtension.INHIBIT).intValue();
if (debug != null)
debug.println("PolicyChecker.mergePolicyMapping() " + "inhibit Index from cert = " + inhibit);
if (inhibit != -1) {
if ((policyMapping == -1) || (inhibit < policyMapping)) {
policyMapping = inhibit;
}
}
} catch (IOException e) {
if (debug != null) {
debug.println("PolicyChecker.mergePolicyMapping " + "unexpected exception");
e.printStackTrace();
}
throw new CertPathValidatorException(e);
}
return policyMapping;
}
use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.
the class PolicyChecker method processPolicies.
/**
* Processes certificate policies in the certificate.
*
* @param certIndex the index of the certificate
* @param initPolicies the initial policies required by the user
* @param explicitPolicy an integer which indicates if a non-null
* valid policy tree is required
* @param policyMapping an integer which indicates if policy
* mapping is inhibited
* @param inhibitAnyPolicy an integer which indicates whether
* "any-policy" is considered a match
* @param rejectPolicyQualifiers a boolean indicating whether the
* user wants to reject policies that have qualifiers
* @param origRootNode the root node of the valid policy tree
* @param currCert the Certificate to be processed
* @param finalCert a boolean indicating whether currCert is the final
* cert in the cert path
* @return the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if an
* error occurs while processing policies.
*/
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
boolean policiesCritical = false;
List<PolicyInformation> policyInfo;
PolicyNodeImpl rootNode = null;
Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
if (origRootNode == null)
rootNode = null;
else
rootNode = origRootNode.copyTree();
// retrieve policyOIDs from currCert
CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
// PKIX: Section 6.1.3: Step (d)
if ((currCertPolicies != null) && (rootNode != null)) {
policiesCritical = currCertPolicies.isCritical();
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
}
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
boolean foundAnyPolicy = false;
// process each policy in cert
for (PolicyInformation curPolInfo : policyInfo) {
String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
if (curPolicy.equals(ANY_POLICY)) {
foundAnyPolicy = true;
anyQuals = curPolInfo.getPolicyQualifiers();
} else {
// PKIX: Section 6.1.3: Step (d)(1)
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
}
// PKIX: Section 6.1.3: Step (d)(1)(i)
boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
if (!foundMatch) {
// PKIX: Section 6.1.3: Step (d)(1)(ii)
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
}
}
}
// PKIX: Section 6.1.3: Step (d)(2)
if (foundAnyPolicy) {
if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
if (debug != null) {
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
}
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
}
}
// PKIX: Section 6.1.3: Step (d)(3)
rootNode.prune(certIndex);
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
} else if (currCertPolicies == null) {
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
// PKIX: Section 6.1.3: Step (e)
rootNode = null;
}
// resulting in a null tree
if (rootNode != null) {
if (!finalCert) {
// PKIX: Section 6.1.4: Steps (a)-(b)
rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
}
}
if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
// PKIX: Section 6.1.5: Step (g)(iii)
if ((rootNode != null) && finalCert) {
// rewrite anyPolicy leaf nodes (see method comments)
rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
}
}
if (finalCert) {
// PKIX: Section 6.1.5: Steps (a) and (b)
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
}
if ((explicitPolicy == 0) && (rootNode == null)) {
throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
}
return rootNode;
}
Aggregations