Search in sources :

Example 1 with DERObjectIdentifier

use of org.bouncycastle.asn1.DERObjectIdentifier in project robovm by robovm.

the class PKIXCertPathValidatorSpi method engineValidate.

// END android-added
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + " instance.");
    }
    ExtendedPKIXParameters paramsPKIX;
    if (params instanceof ExtendedPKIXParameters) {
        paramsPKIX = (ExtendedPKIXParameters) params;
    } else {
        paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters) params);
    }
    if (paramsPKIX.getTrustAnchors() == null) {
        throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
    }
    //
    // 6.1.1 - inputs
    //
    //
    // (a)
    //
    List certs = certPath.getCertificates();
    int n = certs.size();
    if (certs.isEmpty()) {
        throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
    }
    // BEGIN android-added
    {
        X509Certificate cert = (X509Certificate) certs.get(0);
        if (cert != null) {
            BigInteger serial = cert.getSerialNumber();
            if (blacklist.isSerialNumberBlackListed(serial)) {
                // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                String message = "Certificate revocation of serial 0x" + serial.toString(16);
                System.out.println(message);
                AnnotatedException e = new AnnotatedException(message);
                throw new CertPathValidatorException(e.getMessage(), e, certPath, 0);
            }
        }
    }
    // END android-added
    //
    // (b)
    //
    // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
    //
    // (c)
    //
    Set userInitialPolicySet = paramsPKIX.getInitialPolicies();
    //
    // (d)
    // 
    TrustAnchor trust;
    try {
        trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider());
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1);
    }
    if (trust == null) {
        throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
    }
    //
    // (e), (f), (g) are part of the paramsPKIX object.
    //
    Iterator certIter;
    int index = 0;
    int i;
    // Certificate for each interation of the validation loop
    // Signature information for each iteration of the validation loop
    //
    // 6.1.2 - setup
    //
    //
    // (a)
    //
    List[] policyNodes = new ArrayList[n + 1];
    for (int j = 0; j < policyNodes.length; j++) {
        policyNodes[j] = new ArrayList();
    }
    Set policySet = new HashSet();
    policySet.add(RFC3280CertPathUtilities.ANY_POLICY);
    PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), RFC3280CertPathUtilities.ANY_POLICY, false);
    policyNodes[0].add(validPolicyTree);
    //
    // (b) and (c)
    //
    PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
    // (d)
    //
    int explicitPolicy;
    Set acceptablePolicies = new HashSet();
    if (paramsPKIX.isExplicitPolicyRequired()) {
        explicitPolicy = 0;
    } else {
        explicitPolicy = n + 1;
    }
    //
    // (e)
    //
    int inhibitAnyPolicy;
    if (paramsPKIX.isAnyPolicyInhibited()) {
        inhibitAnyPolicy = 0;
    } else {
        inhibitAnyPolicy = n + 1;
    }
    //
    // (f)
    //
    int policyMapping;
    if (paramsPKIX.isPolicyMappingInhibited()) {
        policyMapping = 0;
    } else {
        policyMapping = n + 1;
    }
    //
    // (g), (h), (i), (j)
    //
    PublicKey workingPublicKey;
    X500Principal workingIssuerName;
    X509Certificate sign = trust.getTrustedCert();
    try {
        if (sign != null) {
            workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
            workingPublicKey = sign.getPublicKey();
        } else {
            workingIssuerName = new X500Principal(trust.getCAName());
            workingPublicKey = trust.getCAPublicKey();
        }
    } catch (IllegalArgumentException ex) {
        throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
    }
    AlgorithmIdentifier workingAlgId = null;
    try {
        workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
    } catch (CertPathValidatorException e) {
        throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
    }
    DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId();
    ASN1Encodable workingPublicKeyParameters = workingAlgId.getParameters();
    //
    // (k)
    //
    int maxPathLength = n;
    if (paramsPKIX.getTargetConstraints() != null && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) {
        throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }
    // 
    // initialize CertPathChecker's
    //
    List pathCheckers = paramsPKIX.getCertPathCheckers();
    certIter = pathCheckers.iterator();
    while (certIter.hasNext()) {
        ((PKIXCertPathChecker) certIter.next()).init(false);
    }
    X509Certificate cert = null;
    for (index = certs.size() - 1; index >= 0; index--) {
        // BEGIN android-added
        if (blacklist.isPublicKeyBlackListed(workingPublicKey)) {
            // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
            String message = "Certificate revocation of public key " + workingPublicKey;
            System.out.println(message);
            AnnotatedException e = new AnnotatedException(message);
            throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
        }
        // END android-added
        // try
        // {
        //
        // i as defined in the algorithm description
        //
        i = n - index;
        //
        // set certificate to be checked in this round
        // sign and workingPublicKey and workingIssuerName are set
        // at the end of the for loop and initialized the
        // first time from the TrustAnchor
        //
        cert = (X509Certificate) certs.get(index);
        boolean verificationAlreadyPerformed = (index == certs.size() - 1);
        //
        // 6.1.3
        //
        RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
        RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator);
        validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
        validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree);
        RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy);
        if (i != n) {
            if (cert != null && cert.getVersion() == 1) {
                throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, index);
            }
            RFC3280CertPathUtilities.prepareNextCertA(certPath, index);
            validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);
            RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator);
            // (h)
            explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy);
            policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping);
            inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy);
            //
            // (i)
            //
            explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy);
            policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping);
            // (j)
            inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy);
            // (k)
            RFC3280CertPathUtilities.prepareNextCertK(certPath, index);
            // (l)
            maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength);
            // (m)
            maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength);
            // (n)
            RFC3280CertPathUtilities.prepareNextCertN(certPath, index);
            Set criticalExtensions = cert.getCriticalExtensionOIDs();
            if (criticalExtensions != null) {
                criticalExtensions = new HashSet(criticalExtensions);
                // these extensions are handled by the algorithm
                criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
                criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
                criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
                criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
                criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
                criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
                criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
                criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
                criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
            } else {
                criticalExtensions = new HashSet();
            }
            // (o)
            RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers);
            // set signing certificate for next round
            sign = cert;
            // (c)
            workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
            // (d)
            try {
                workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index);
            } catch (CertPathValidatorException e) {
                throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
            }
            workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
            // (f)
            workingPublicKeyAlgorithm = workingAlgId.getObjectId();
            // (e)
            workingPublicKeyParameters = workingAlgId.getParameters();
        }
    }
    //
    // 6.1.5 Wrap-up procedure
    //
    explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert);
    explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy);
    //
    // (c) (d) and (e) are already done
    //
    //
    // (f)
    //
    Set criticalExtensions = cert.getCriticalExtensionOIDs();
    if (criticalExtensions != null) {
        criticalExtensions = new HashSet(criticalExtensions);
        // these extensions are handled by the algorithm
        criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
        criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
        criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
        criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
        criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
        criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
        criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
        criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS);
    } else {
        criticalExtensions = new HashSet();
    }
    RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
    PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies);
    if ((explicitPolicy > 0) || (intersection != null)) {
        return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey());
    }
    throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) ArrayList(java.util.ArrayList) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) PKIXParameters(java.security.cert.PKIXParameters) PKIXCertPathChecker(java.security.cert.PKIXCertPathChecker) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) HashSet(java.util.HashSet) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PublicKey(java.security.PublicKey) TrustAnchor(java.security.cert.TrustAnchor) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) BigInteger(java.math.BigInteger) X500Principal(javax.security.auth.x500.X500Principal)

Example 2 with DERObjectIdentifier

use of org.bouncycastle.asn1.DERObjectIdentifier in project robovm by robovm.

the class CertPathValidatorUtilities method processCertD1i.

protected static boolean processCertD1i(int index, List[] policyNodes, DERObjectIdentifier pOid, Set pq) {
    List policyNodeVec = policyNodes[index - 1];
    for (int j = 0; j < policyNodeVec.size(); j++) {
        PKIXPolicyNode node = (PKIXPolicyNode) policyNodeVec.get(j);
        Set expectedPolicies = node.getExpectedPolicies();
        if (expectedPolicies.contains(pOid.getId())) {
            Set childExpectedPolicies = new HashSet();
            childExpectedPolicies.add(pOid.getId());
            PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), index, childExpectedPolicies, node, pq, pOid.getId(), false);
            node.addChild(child);
            policyNodes[index].add(child);
            return true;
        }
    }
    return false;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) ArrayList(java.util.ArrayList) List(java.util.List) ArrayList(java.util.ArrayList) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) HashSet(java.util.HashSet)

Example 3 with DERObjectIdentifier

use of org.bouncycastle.asn1.DERObjectIdentifier in project robovm by robovm.

the class RFC3280CertPathUtilities method prepareCertB.

protected static PKIXPolicyNode prepareCertB(CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description
    int i = n - index;
    // (b)
    //
    ASN1Sequence pm = null;
    try {
        pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.POLICY_MAPPINGS));
    } catch (AnnotatedException ex) {
        throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath, index);
    }
    PKIXPolicyNode _validPolicyTree = validPolicyTree;
    if (pm != null) {
        ASN1Sequence mappings = (ASN1Sequence) pm;
        Map m_idp = new HashMap();
        Set s_idp = new HashSet();
        for (int j = 0; j < mappings.size(); j++) {
            ASN1Sequence mapping = (ASN1Sequence) mappings.getObjectAt(j);
            String id_p = ((DERObjectIdentifier) mapping.getObjectAt(0)).getId();
            String sd_p = ((DERObjectIdentifier) mapping.getObjectAt(1)).getId();
            Set tmp;
            if (!m_idp.containsKey(id_p)) {
                tmp = new HashSet();
                tmp.add(sd_p);
                m_idp.put(id_p, tmp);
                s_idp.add(id_p);
            } else {
                tmp = (Set) m_idp.get(id_p);
                tmp.add(sd_p);
            }
        }
        Iterator it_idp = s_idp.iterator();
        while (it_idp.hasNext()) {
            String id_p = (String) it_idp.next();
            //
            if (policyMapping > 0) {
                boolean idp_found = false;
                Iterator nodes_i = policyNodes[i].iterator();
                while (nodes_i.hasNext()) {
                    PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                    if (node.getValidPolicy().equals(id_p)) {
                        idp_found = true;
                        node.expectedPolicies = (Set) m_idp.get(id_p);
                        break;
                    }
                }
                if (!idp_found) {
                    nodes_i = policyNodes[i].iterator();
                    while (nodes_i.hasNext()) {
                        PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                        if (RFC3280CertPathUtilities.ANY_POLICY.equals(node.getValidPolicy())) {
                            Set pq = null;
                            ASN1Sequence policies = null;
                            try {
                                policies = (ASN1Sequence) CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                            } catch (AnnotatedException e) {
                                throw new ExtCertPathValidatorException("Certificate policies extension could not be decoded.", e, certPath, index);
                            }
                            Enumeration e = policies.getObjects();
                            while (e.hasMoreElements()) {
                                PolicyInformation pinfo = null;
                                try {
                                    pinfo = PolicyInformation.getInstance(e.nextElement());
                                } catch (Exception ex) {
                                    throw new CertPathValidatorException("Policy information could not be decoded.", ex, certPath, index);
                                }
                                if (RFC3280CertPathUtilities.ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) {
                                    try {
                                        pq = CertPathValidatorUtilities.getQualifierSet(pinfo.getPolicyQualifiers());
                                    } catch (CertPathValidatorException ex) {
                                        throw new ExtCertPathValidatorException("Policy qualifier info set could not be decoded.", ex, certPath, index);
                                    }
                                    break;
                                }
                            }
                            boolean ci = false;
                            if (cert.getCriticalExtensionOIDs() != null) {
                                ci = cert.getCriticalExtensionOIDs().contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                            }
                            PKIXPolicyNode p_node = (PKIXPolicyNode) node.getParent();
                            if (RFC3280CertPathUtilities.ANY_POLICY.equals(p_node.getValidPolicy())) {
                                PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set) m_idp.get(id_p), p_node, pq, id_p, ci);
                                p_node.addChild(c_node);
                                policyNodes[i].add(c_node);
                            }
                            break;
                        }
                    }
                }
            //
            // (2)
            //
            } else if (policyMapping <= 0) {
                Iterator nodes_i = policyNodes[i].iterator();
                while (nodes_i.hasNext()) {
                    PKIXPolicyNode node = (PKIXPolicyNode) nodes_i.next();
                    if (node.getValidPolicy().equals(id_p)) {
                        PKIXPolicyNode p_node = (PKIXPolicyNode) node.getParent();
                        p_node.removeChild(node);
                        nodes_i.remove();
                        for (int k = (i - 1); k >= 0; k--) {
                            List nodes = policyNodes[k];
                            for (int l = 0; l < nodes.size(); l++) {
                                PKIXPolicyNode node2 = (PKIXPolicyNode) nodes.get(l);
                                if (!node2.hasChildren()) {
                                    _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, node2);
                                    if (_validPolicyTree == null) {
                                        break;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    return _validPolicyTree;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) Enumeration(java.util.Enumeration) HashMap(java.util.HashMap) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) ArrayList(java.util.ArrayList) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) Map(java.util.Map) HashMap(java.util.HashMap) HashSet(java.util.HashSet)

Example 4 with DERObjectIdentifier

use of org.bouncycastle.asn1.DERObjectIdentifier in project robovm by robovm.

the class RFC3280CertPathUtilities method processCertD.

protected static PKIXPolicyNode processCertD(CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    int n = certs.size();
    // i as defined in the algorithm description
    int i = n - index;
    //
    // (d) policy Information checking against initial policy and
    // policy mapping
    //
    ASN1Sequence certPolicies = null;
    try {
        certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES));
    } catch (AnnotatedException e) {
        throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index);
    }
    if (certPolicies != null && validPolicyTree != null) {
        //
        // (d) (1)
        //
        Enumeration e = certPolicies.getObjects();
        Set pols = new HashSet();
        while (e.hasMoreElements()) {
            PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
            DERObjectIdentifier pOid = pInfo.getPolicyIdentifier();
            pols.add(pOid.getId());
            if (!RFC3280CertPathUtilities.ANY_POLICY.equals(pOid.getId())) {
                Set pq = null;
                try {
                    pq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers());
                } catch (CertPathValidatorException ex) {
                    throw new ExtCertPathValidatorException("Policy qualifier info set could not be build.", ex, certPath, index);
                }
                boolean match = CertPathValidatorUtilities.processCertD1i(i, policyNodes, pOid, pq);
                if (!match) {
                    CertPathValidatorUtilities.processCertD1ii(i, policyNodes, pOid, pq);
                }
            }
        }
        if (acceptablePolicies.isEmpty() || acceptablePolicies.contains(RFC3280CertPathUtilities.ANY_POLICY)) {
            acceptablePolicies.clear();
            acceptablePolicies.addAll(pols);
        } else {
            Iterator it = acceptablePolicies.iterator();
            Set t1 = new HashSet();
            while (it.hasNext()) {
                Object o = it.next();
                if (pols.contains(o)) {
                    t1.add(o);
                }
            }
            acceptablePolicies.clear();
            acceptablePolicies.addAll(t1);
        }
        //
        if ((inhibitAnyPolicy > 0) || ((i < n) && CertPathValidatorUtilities.isSelfIssued(cert))) {
            e = certPolicies.getObjects();
            while (e.hasMoreElements()) {
                PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
                if (RFC3280CertPathUtilities.ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId())) {
                    Set _apq = CertPathValidatorUtilities.getQualifierSet(pInfo.getPolicyQualifiers());
                    List _nodes = policyNodes[i - 1];
                    for (int k = 0; k < _nodes.size(); k++) {
                        PKIXPolicyNode _node = (PKIXPolicyNode) _nodes.get(k);
                        Iterator _policySetIter = _node.getExpectedPolicies().iterator();
                        while (_policySetIter.hasNext()) {
                            Object _tmp = _policySetIter.next();
                            String _policy;
                            if (_tmp instanceof String) {
                                _policy = (String) _tmp;
                            } else if (_tmp instanceof DERObjectIdentifier) {
                                _policy = ((DERObjectIdentifier) _tmp).getId();
                            } else {
                                continue;
                            }
                            boolean _found = false;
                            Iterator _childrenIter = _node.getChildren();
                            while (_childrenIter.hasNext()) {
                                PKIXPolicyNode _child = (PKIXPolicyNode) _childrenIter.next();
                                if (_policy.equals(_child.getValidPolicy())) {
                                    _found = true;
                                }
                            }
                            if (!_found) {
                                Set _newChildExpectedPolicies = new HashSet();
                                _newChildExpectedPolicies.add(_policy);
                                PKIXPolicyNode _newChild = new PKIXPolicyNode(new ArrayList(), i, _newChildExpectedPolicies, _node, _apq, _policy, false);
                                _node.addChild(_newChild);
                                policyNodes[i].add(_newChild);
                            }
                        }
                    }
                    break;
                }
            }
        }
        PKIXPolicyNode _validPolicyTree = validPolicyTree;
        //
        for (int j = (i - 1); j >= 0; j--) {
            List nodes = policyNodes[j];
            for (int k = 0; k < nodes.size(); k++) {
                PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
                if (!node.hasChildren()) {
                    _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(_validPolicyTree, policyNodes, node);
                    if (_validPolicyTree == null) {
                        break;
                    }
                }
            }
        }
        //
        // d (4)
        //
        Set criticalExtensionOids = cert.getCriticalExtensionOIDs();
        if (criticalExtensionOids != null) {
            boolean critical = criticalExtensionOids.contains(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
            List nodes = policyNodes[i];
            for (int j = 0; j < nodes.size(); j++) {
                PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(j);
                node.setCritical(critical);
            }
        }
        return _validPolicyTree;
    }
    return null;
}
Also used : Enumeration(java.util.Enumeration) Set(java.util.Set) HashSet(java.util.HashSet) PolicyInformation(org.bouncycastle.asn1.x509.PolicyInformation) ArrayList(java.util.ArrayList) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) HashSet(java.util.HashSet)

Example 5 with DERObjectIdentifier

use of org.bouncycastle.asn1.DERObjectIdentifier in project robovm by robovm.

the class PKCS12BagAttributeCarrierImpl method writeObject.

public void writeObject(ObjectOutputStream out) throws IOException {
    if (pkcs12Ordering.size() == 0) {
        out.writeObject(new Hashtable());
        out.writeObject(new Vector());
    } else {
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        ASN1OutputStream aOut = new ASN1OutputStream(bOut);
        Enumeration e = this.getBagAttributeKeys();
        while (e.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
            aOut.writeObject(oid);
            aOut.writeObject((ASN1Encodable) pkcs12Attributes.get(oid));
        }
        out.writeObject(bOut.toByteArray());
    }
}
Also used : Enumeration(java.util.Enumeration) Hashtable(java.util.Hashtable) ByteArrayOutputStream(java.io.ByteArrayOutputStream) ASN1OutputStream(org.bouncycastle.asn1.ASN1OutputStream) Vector(java.util.Vector) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier)

Aggregations

DERObjectIdentifier (org.bouncycastle.asn1.DERObjectIdentifier)43 IOException (java.io.IOException)22 ArrayList (java.util.ArrayList)22 HashSet (java.util.HashSet)21 List (java.util.List)21 Set (java.util.Set)21 Enumeration (java.util.Enumeration)18 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)16 X509Certificate (java.security.cert.X509Certificate)13 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)11 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)11 DEREncodable (org.bouncycastle.asn1.DEREncodable)10 DERObject (org.bouncycastle.asn1.DERObject)10 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)9 Iterator (java.util.Iterator)8 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)8 X962Parameters (org.bouncycastle.asn1.x9.X962Parameters)8 X9ECParameters (org.bouncycastle.asn1.x9.X9ECParameters)8 HashMap (java.util.HashMap)7 Map (java.util.Map)7