Example 21 with PolicyInformation
use of org.apache.harmony.security.x509.PolicyInformation in project jdk8u_jdk by JetBrains.
the class PolicyChecker method processPolicies.
/**
* Processes certificate policies in the certificate.
*
* @param certIndex the index of the certificate
* @param initPolicies the initial policies required by the user
* @param explicitPolicy an integer which indicates if a non-null
* valid policy tree is required
* @param policyMapping an integer which indicates if policy
* mapping is inhibited
* @param inhibitAnyPolicy an integer which indicates whether
* "any-policy" is considered a match
* @param rejectPolicyQualifiers a boolean indicating whether the
* user wants to reject policies that have qualifiers
* @param origRootNode the root node of the valid policy tree
* @param currCert the Certificate to be processed
* @param finalCert a boolean indicating whether currCert is the final
* cert in the cert path
* @return the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if an
* error occurs while processing policies.
*/
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
boolean policiesCritical = false;
List<PolicyInformation> policyInfo;
PolicyNodeImpl rootNode = null;
Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
if (origRootNode == null)
rootNode = null;
else
rootNode = origRootNode.copyTree();
// retrieve policyOIDs from currCert
CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
// PKIX: Section 6.1.3: Step (d)
if ((currCertPolicies != null) && (rootNode != null)) {
policiesCritical = currCertPolicies.isCritical();
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
}
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
boolean foundAnyPolicy = false;
// process each policy in cert
for (PolicyInformation curPolInfo : policyInfo) {
String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
if (curPolicy.equals(ANY_POLICY)) {
foundAnyPolicy = true;
anyQuals = curPolInfo.getPolicyQualifiers();
} else {
// PKIX: Section 6.1.3: Step (d)(1)
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
}
// PKIX: Section 6.1.3: Step (d)(1)(i)
boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
if (!foundMatch) {
// PKIX: Section 6.1.3: Step (d)(1)(ii)
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
}
}
}
// PKIX: Section 6.1.3: Step (d)(2)
if (foundAnyPolicy) {
if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
if (debug != null) {
debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
}
processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
}
}
// PKIX: Section 6.1.3: Step (d)(3)
rootNode.prune(certIndex);
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
} else if (currCertPolicies == null) {
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
// PKIX: Section 6.1.3: Step (e)
rootNode = null;
}
// resulting in a null tree
if (rootNode != null) {
if (!finalCert) {
// PKIX: Section 6.1.4: Steps (a)-(b)
rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
}
}
if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
// PKIX: Section 6.1.5: Step (g)(iii)
if ((rootNode != null) && finalCert) {
// rewrite anyPolicy leaf nodes (see method comments)
rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
}
}
if (finalCert) {
// PKIX: Section 6.1.5: Steps (a) and (b)
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
}
if ((explicitPolicy == 0) && (rootNode == null)) {
throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
}
return rootNode;
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
PolicyInformation(sun.security.x509.PolicyInformation)
PolicyQualifierInfo(java.security.cert.PolicyQualifierInfo)
CertificatePoliciesExtension(sun.security.x509.CertificatePoliciesExtension)
IOException(java.io.IOException)
Example 22 with PolicyInformation
use of org.apache.harmony.security.x509.PolicyInformation in project jdk8u_jdk by JetBrains.
the class PolicyChecker method removeInvalidNodes.
/**
* Removes those nodes which do not intersect with the initial policies
* specified by the user.
*
* @param rootNode the root node of the valid policy tree
* @param certIndex the index of the certificate being processed
* @param initPolicies the Set of policies required by the user
* @param currCertPolicies the CertificatePoliciesExtension of the
* certificate being processed
* @returns the root node of the valid policy tree after modification
* @exception CertPathValidatorException Exception thrown if error occurs.
*/
private static PolicyNodeImpl removeInvalidNodes(PolicyNodeImpl rootNode, int certIndex, Set<String> initPolicies, CertificatePoliciesExtension currCertPolicies) throws CertPathValidatorException {
List<PolicyInformation> policyInfo = null;
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
}
boolean childDeleted = false;
for (PolicyInformation curPolInfo : policyInfo) {
String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "processing policy second time: " + curPolicy);
Set<PolicyNodeImpl> validNodes = rootNode.getPolicyNodesValid(certIndex, curPolicy);
for (PolicyNodeImpl curNode : validNodes) {
PolicyNodeImpl parentNode = (PolicyNodeImpl) curNode.getParent();
if (parentNode.getValidPolicy().equals(ANY_POLICY)) {
if ((!initPolicies.contains(curPolicy)) && (!curPolicy.equals(ANY_POLICY))) {
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "before deleting: policy tree = " + rootNode);
parentNode.deleteChild(curNode);
childDeleted = true;
if (debug != null)
debug.println("PolicyChecker.processPolicies() " + "after deleting: policy tree = " + rootNode);
}
}
}
}
if (childDeleted) {
rootNode.prune(certIndex);
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
}
return rootNode;
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
PolicyInformation(sun.security.x509.PolicyInformation)
IOException(java.io.IOException)
Example 23 with PolicyInformation
use of org.apache.harmony.security.x509.PolicyInformation in project nhin-d by DirectProject.
the class CertificatePolicyCpsUriExtensionField method injectReferenceValue.
/**
* {@inheritDoc}
*/
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
this.certificate = value;
final DERObject exValue = getExtensionValue(value);
if (exValue == null) {
if (isRequired())
throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
else {
final Collection<String> emptyList = Collections.emptyList();
this.policyValue = PolicyValueFactory.getInstance(emptyList);
return;
}
}
final Collection<String> retVal = new ArrayList<String>();
final ASN1Sequence seq = (ASN1Sequence) exValue;
@SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
while (pols.hasMoreElements()) {
final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
if (pol.getPolicyQualifiers() != null) {
@SuppressWarnings("unchecked") final Enumeration<DEREncodable> polInfos = pol.getPolicyQualifiers().getObjects();
while (polInfos.hasMoreElements()) {
final PolicyQualifierInfo polInfo = PolicyQualifierInfo.getInstance(polInfos.nextElement());
if (polInfo.getPolicyQualifierId().equals(PolicyQualifierId.id_qt_cps)) {
retVal.add(polInfo.getQualifier().toString());
}
}
}
}
///CLOVER:OFF
if (retVal.isEmpty() && isRequired())
throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
///CLOVER:ON
this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used :
PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException)
DERObject(org.bouncycastle.asn1.DERObject)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
DEREncodable(org.bouncycastle.asn1.DEREncodable)
ArrayList(java.util.ArrayList)
PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo)
Example 24 with PolicyInformation
use of org.apache.harmony.security.x509.PolicyInformation in project nhin-d by DirectProject.
the class CertificatePolicyIndentifierExtensionField method injectReferenceValue.
/**
* {@inheritDoc}
*/
@Override
public void injectReferenceValue(X509Certificate value) throws PolicyProcessException {
this.certificate = value;
final DERObject exValue = getExtensionValue(value);
if (exValue == null) {
if (isRequired())
throw new PolicyRequiredException("Extention " + getExtentionIdentifier().getDisplay() + " is marked as required by is not present.");
else {
final Collection<String> emptyList = Collections.emptyList();
this.policyValue = PolicyValueFactory.getInstance(emptyList);
return;
}
}
final Collection<String> retVal = new ArrayList<String>();
final ASN1Sequence seq = (ASN1Sequence) exValue;
@SuppressWarnings("unchecked") final Enumeration<DEREncodable> pols = seq.getObjects();
while (pols.hasMoreElements()) {
final PolicyInformation pol = PolicyInformation.getInstance(pols.nextElement());
retVal.add(pol.getPolicyIdentifier().getId());
}
this.policyValue = PolicyValueFactory.getInstance(retVal);
}
Also used :
PolicyRequiredException(org.nhindirect.policy.PolicyRequiredException)
DERObject(org.bouncycastle.asn1.DERObject)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
DEREncodable(org.bouncycastle.asn1.DEREncodable)
ArrayList(java.util.ArrayList)
Example 25 with PolicyInformation
use of org.apache.harmony.security.x509.PolicyInformation in project xipki by xipki.
the class ExtensionsChecker method checkExtensionCertificatePolicies.
// method checkExtensionTlsFeature
private void checkExtensionCertificatePolicies(StringBuilder failureMsg, byte[] extensionValue, Extensions requestedExtensions, ExtensionControl extControl) {
QaCertificatePolicies conf = certificatePolicies;
if (conf == null) {
byte[] expected = getExpectedExtValue(Extension.certificatePolicies, requestedExtensions, extControl);
if (!Arrays.equals(expected, extensionValue)) {
addViolation(failureMsg, "extension values", hex(extensionValue), (expected == null) ? "not present" : hex(expected));
}
return;
}
org.bouncycastle.asn1.x509.CertificatePolicies asn1 = org.bouncycastle.asn1.x509.CertificatePolicies.getInstance(extensionValue);
PolicyInformation[] isPolicyInformations = asn1.getPolicyInformation();
for (PolicyInformation isPolicyInformation : isPolicyInformations) {
ASN1ObjectIdentifier isPolicyId = isPolicyInformation.getPolicyIdentifier();
QaCertificatePolicyInformation expCp = conf.getPolicyInformation(isPolicyId.getId());
if (expCp == null) {
failureMsg.append("certificate policy '").append(isPolicyId).append("' is not expected; ");
continue;
}
QaPolicyQualifiers expCpPq = expCp.getPolicyQualifiers();
if (expCpPq == null) {
continue;
}
ASN1Sequence isPolicyQualifiers = isPolicyInformation.getPolicyQualifiers();
List<String> isCpsUris = new LinkedList<>();
List<String> isUserNotices = new LinkedList<>();
int size = isPolicyQualifiers.size();
for (int i = 0; i < size; i++) {
PolicyQualifierInfo isPolicyQualifierInfo = (PolicyQualifierInfo) isPolicyQualifiers.getObjectAt(i);
ASN1ObjectIdentifier isPolicyQualifierId = isPolicyQualifierInfo.getPolicyQualifierId();
ASN1Encodable isQualifier = isPolicyQualifierInfo.getQualifier();
if (PolicyQualifierId.id_qt_cps.equals(isPolicyQualifierId)) {
String isCpsUri = ((DERIA5String) isQualifier).getString();
isCpsUris.add(isCpsUri);
} else if (PolicyQualifierId.id_qt_unotice.equals(isPolicyQualifierId)) {
UserNotice isUserNotice = UserNotice.getInstance(isQualifier);
if (isUserNotice.getExplicitText() != null) {
isUserNotices.add(isUserNotice.getExplicitText().getString());
}
}
}
List<QaPolicyQualifierInfo> qualifierInfos = expCpPq.getPolicyQualifiers();
for (QaPolicyQualifierInfo qualifierInfo : qualifierInfos) {
if (qualifierInfo instanceof QaCpsUriPolicyQualifier) {
String value = ((QaCpsUriPolicyQualifier) qualifierInfo).getCpsUri();
if (!isCpsUris.contains(value)) {
failureMsg.append("CPSUri '").append(value).append("' is absent but is required; ");
}
} else if (qualifierInfo instanceof QaUserNoticePolicyQualifierInfo) {
String value = ((QaUserNoticePolicyQualifierInfo) qualifierInfo).getUserNotice();
if (!isUserNotices.contains(value)) {
failureMsg.append("userNotice '").append(value).append("' is absent but is required; ");
}
} else {
throw new RuntimeException("should not reach here");
}
}
}
for (QaCertificatePolicyInformation cp : conf.getPolicyInformations()) {
boolean present = false;
for (PolicyInformation isPolicyInformation : isPolicyInformations) {
if (isPolicyInformation.getPolicyIdentifier().getId().equals(cp.getPolicyId())) {
present = true;
break;
}
}
if (present) {
continue;
}
failureMsg.append("certificate policy '").append(cp.getPolicyId()).append("' is absent but is required; ");
}
}
Also used :
PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation)
QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation)
UserNotice(org.bouncycastle.asn1.x509.UserNotice)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
DERBMPString(org.bouncycastle.asn1.DERBMPString)
DERPrintableString(org.bouncycastle.asn1.DERPrintableString)
DERUTF8String(org.bouncycastle.asn1.DERUTF8String)
ASN1String(org.bouncycastle.asn1.ASN1String)
DirectoryString(org.bouncycastle.asn1.x500.DirectoryString)
QaDirectoryString(org.xipki.ca.qa.internal.QaDirectoryString)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
DERT61String(org.bouncycastle.asn1.DERT61String)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
QaPolicyQualifiers(org.xipki.ca.qa.internal.QaPolicyQualifiers)
QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo)
QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo)
PolicyQualifierInfo(org.bouncycastle.asn1.x509.PolicyQualifierInfo)
QaCertificatePolicyInformation(org.xipki.ca.qa.internal.QaCertificatePolicies.QaCertificatePolicyInformation)
LinkedList(java.util.LinkedList)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
QaPolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
QaUserNoticePolicyQualifierInfo(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaUserNoticePolicyQualifierInfo)
QaCertificatePolicies(org.xipki.ca.qa.internal.QaCertificatePolicies)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
QaCpsUriPolicyQualifier(org.xipki.ca.qa.internal.QaPolicyQualifierInfo.QaCpsUriPolicyQualifier)
Aggregations
PolicyInformation (org.bouncycastle.asn1.x509.PolicyInformation)20
IOException (java.io.IOException)16
ArrayList (java.util.ArrayList)11
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)11
CertPathValidatorException (java.security.cert.CertPathValidatorException)10
HashSet (java.util.HashSet)7
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)7
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)7
Enumeration (java.util.Enumeration)6
Iterator (java.util.Iterator)6
List (java.util.List)6
Set (java.util.Set)6
ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)6
X509Certificate (java.security.cert.X509Certificate)5
PolicyInformation (sun.security.x509.PolicyInformation)5
GeneralSecurityException (java.security.GeneralSecurityException)4
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)4
IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)4
DError (org.kse.gui.error.DError)4
DERObjectIdentifier (org.bouncycastle.asn1.DERObjectIdentifier)3
