/**
 * Fetches certificates from every reachable CertStore named in the given
 * AuthorityInfoAccess extension and adds them to {@code certs}.
 *
 * The download is gated by {@code Builder.USE_AIA}; when that flag is off
 * nothing is fetched.  A store that cannot be opened or that fails with a
 * {@link CertStoreException} is skipped (logged only in debug mode), so a
 * broken AIA location never aborts path building.
 *
 * @param aiaExt the AuthorityInfoAccess extension of the current certificate
 * @param certs  the collection that receives the downloaded certificates
 * @return {@code true} if at least one certificate was added; {@code false}
 *         if AIA use is disabled, the extension lists no access
 *         descriptions, or no store yielded a new certificate
 */
// The selector handed to cs.getCertificates(caSelector) only admits
// X509Certificates, so the unchecked cast below cannot fail at runtime.
@SuppressWarnings("unchecked")
private boolean getCerts(AuthorityInfoAccessExtension aiaExt, Collection<X509Certificate> certs) {
    if (!Builder.USE_AIA) {
        return false;
    }
    List<AccessDescription> descriptions = aiaExt.getAccessDescriptions();
    if (descriptions == null || descriptions.isEmpty()) {
        return false;
    }
    boolean added = false;
    for (AccessDescription description : descriptions) {
        CertStore store = URICertStore.getInstance(description);
        if (store == null) {
            continue;
        }
        try {
            Collection<X509Certificate> fetched = (Collection<X509Certificate>) store.getCertificates(caSelector);
            if (!certs.addAll(fetched)) {
                continue;
            }
            added = true;
            if (!searchAllCertStores) {
                // One successful store is enough unless every store must be searched.
                return true;
            }
        } catch (CertStoreException cse) {
            // Best effort: report the failing store in debug mode and move on.
            if (debug != null) {
                debug.println("exception getting certs from CertStore:");
                cse.printStackTrace();
            }
        }
    }
    return added;
}
/**
 * Collects every CA certificate that can extend the path currently being
 * built and adds it to {@code caCerts}.
 *
 * Candidates are taken, in order, from the trust anchors, from the
 * configured CertStores, and — for a non-initial state, and only when
 * {@code Builder.USE_AIA} is set — from the CertStores named in the current
 * certificate's AuthorityInfoAccess extension.  Unless
 * {@code searchAllCertStores} is set, the search stops as soon as one
 * certificate has been added.
 *
 * @param currentState the forward-building state the next CA must certify
 * @param certStores   the CertStores to search for candidates
 * @param caCerts      the collection that receives the matching certificates
 * @throws IOException if the policy criterion cannot be applied to the selector
 */
private void getMatchingCACerts(ForwardState currentState, List<CertStore> certStores, Collection<X509Certificate> caCerts) throws IOException {
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCACerts()...");
    }
    int sizeBefore = caCerts.size();

    X509CertSelector selector = composeCaSelector(currentState);
    if (selector == null) {
        // A target whose basicConstraints criterion is -2 can never be a CA cert.
        return;
    }

    // For compatibility the path length constraint of a trust anchor is not
    // checked, so anchors are matched with no basic-constraints criterion;
    // that criterion is only set once anchor matching is complete.
    selector.setBasicConstraints(-1);
    for (X509Certificate anchor : trustedCerts) {
        if (!selector.match(anchor)) {
            continue;
        }
        if (debug != null) {
            debug.println("ForwardBuilder.getMatchingCACerts: " + "found matching trust anchor." + "\n SN: " + Debug.toHexString(anchor.getSerialNumber()) + "\n Subject: " + anchor.getSubjectX500Principal() + "\n Issuer: " + anchor.getIssuerX500Principal());
        }
        if (caCerts.add(anchor) && !searchAllCertStores) {
            return;
        }
    }

    // Anchor matching is done: now require validity at the build date and a
    // pathLenConstraint that still admits the CA certs already traversed.
    selector.setCertificateValid(buildParams.date());
    selector.setBasicConstraints(currentState.traversedCACerts);

    // The CertStores are skipped once maxPathLength CA certs have been
    // traversed; -1 means unconstrained and the initial state is always searched.
    boolean withinPathLength = currentState.isInitial() || (buildParams.maxPathLength() == -1) || (buildParams.maxPathLength() > currentState.traversedCACerts);
    if (withinPathLength && addMatchingCerts(selector, certStores, caCerts, searchAllCertStores) && !searchAllCertStores) {
        return;
    }

    if (!currentState.isInitial() && Builder.USE_AIA) {
        // Last resort: follow the current cert's AuthorityInformationAccess extension.
        AuthorityInfoAccessExtension aiaExt = currentState.cert.getAuthorityInfoAccessExtension();
        if (aiaExt != null) {
            getCerts(aiaExt, caCerts);
        }
    }

    if (debug != null) {
        int numCerts = caCerts.size() - sizeBefore;
        debug.println("ForwardBuilder.getMatchingCACerts: found " + numCerts + " CA certs");
    }
}

/**
 * Returns the cached selector that filters CA candidates for the given
 * state, creating it on first use.
 *
 * In the initial state the target itself is a CA, so the target constraints
 * are cloned into {@code caTargetSelector}; otherwise {@code caSelector} is
 * reused and re-keyed to the previous cert's issuer, the names traversed so
 * far, and the previous cert's validity period.  The explicit-policy
 * criterion is applied once, when the selector is created.
 *
 * @param currentState the forward-building state to filter for
 * @return the selector to use, or {@code null} when the target's
 *         basicConstraints criterion is -2 (a CA can never match)
 * @throws IOException if the policy criterion cannot be applied
 */
private X509CertSelector composeCaSelector(ForwardState currentState) throws IOException {
    if (currentState.isInitial()) {
        if (targetCertConstraints.getBasicConstraints() == -2) {
            return null;
        }
        if (debug != null) {
            debug.println("ForwardBuilder.getMatchingCACerts(): " + "the target is a CA");
        }
        if (caTargetSelector == null) {
            caTargetSelector = (X509CertSelector) targetCertConstraints.clone();
            if (buildParams.explicitPolicyRequired()) {
                caTargetSelector.setPolicy(getMatchingPolicies());
            }
        }
        return caTargetSelector;
    }
    if (caSelector == null) {
        caSelector = new AdaptableX509CertSelector();
        if (buildParams.explicitPolicyRequired()) {
            caSelector.setPolicy(getMatchingPolicies());
        }
    }
    // Subject must equal the issuer of the previous cert, and the name
    // constraints must permit every DN and AltName traversed so far.
    caSelector.setSubject(currentState.issuerDN);
    CertPathHelper.setPathToNames(caSelector, currentState.subjectNamesTraversed);
    caSelector.setValidityPeriod(currentState.cert.getNotBefore(), currentState.cert.getNotAfter());
    return caSelector;
}
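/**
 * Returns the OCSP responder URI named in the certificate's
 * AuthorityInfoAccess extension, or {@code null} if there is none.
 *
 * Only the first access description whose method is id-ad-ocsp and whose
 * location is a URI general name is used; other access methods and name
 * types are skipped.
 *
 * @param certImpl the certificate whose AIA extension is examined
 * @return the responder URI, or {@code null} when the certificate has no
 *         AIA extension, the extension lists no access descriptions, or
 *         none of them carries an OCSP URI
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aia = certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }
    List<AccessDescription> descriptions = aia.getAccessDescriptions();
    // A missing or empty description list means "no responder" rather than
    // an NPE; the same list is treated as possibly null elsewhere in the
    // PKIX code, so be consistent here.
    if (descriptions == null || descriptions.isEmpty()) {
        return null;
    }
    for (AccessDescription description : descriptions) {
        if (!AccessDescription.Ad_OCSP_Id.equals(description.getAccessMethod())) {
            continue;
        }
        GeneralName location = description.getAccessLocation();
        // Only a uniformResourceIdentifier GeneralName can be turned into a URI.
        if (location != null && location.getType() == GeneralNameInterface.NAME_URI) {
            return ((URIName) location.getName()).getURI();
        }
    }
    return null;
}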