
Example 6 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project j2objc by google.

the class ReverseState method updateState.

/**
 * Advances this state past {@code cert}, the next certificate added to the path.
 *
 * <p>The subject DN and the subject public key are refreshed for every certificate.
 * While {@code init} is still {@code true} the certificate is the trusted one and no other
 * field is touched; for every later certificate the subject key identifier, the CRL-signing
 * flag, the accumulated name constraints, the policy state, the certificate index and the
 * remaining-CA-certificates count are folded in as well.
 *
 * @param cert the certificate which is used to update the state; {@code null} is ignored
 * @throws CertificateException if {@code cert} cannot be converted to an {@code X509CertImpl}
 * @throws IOException if the certificate's name constraints cannot be merged into the
 *         constraints gathered so far
 * @throws CertPathValidatorException if inheriting DSA key parameters, merging policy state
 *         or merging basic constraints rejects the certificate
 */
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
    if (cert == null) {
        return;
    }

    subjectDN = cert.getSubjectX500Principal();
    X509CertImpl certImpl = X509CertImpl.toImpl(cert);

    // A DSA key carrying no parameters inherits them from the previous key in the path,
    // which is still held in pubKey at this point.
    PublicKey candidateKey = cert.getPublicKey();
    if (PKIX.isDSAPublicKeyWithoutParams(candidateKey)) {
        candidateKey = BasicChecker.makeInheritedParamsKey(candidateKey, pubKey);
    }
    pubKey = candidateKey;

    // The trusted certificate only seeds subject and key; everything else starts
    // from the first non-trusted certificate.
    if (init) {
        init = false;
        return;
    }

    subjKeyId = certImpl.getSubjectKeyIdentifierExtension();
    crlSign = RevocationChecker.certCanSignCrl(cert);
    mergeNameConstraintsFrom(certImpl);

    explicitPolicy = PolicyChecker.mergeExplicitPolicy(explicitPolicy, certImpl, false);
    policyMapping = PolicyChecker.mergePolicyMapping(policyMapping, certImpl);
    inhibitAnyPolicy = PolicyChecker.mergeInhibitAnyPolicy(inhibitAnyPolicy, certImpl);
    certIndex++;

    remainingCACerts = ConstraintsChecker.mergeBasicConstraints(cert, remainingCACerts);
}

/**
 * Folds the name constraints extension of {@code certImpl} (possibly absent) into {@code nc}.
 *
 * <p>When no constraints have been gathered yet, the certificate's extension is cloned before
 * it becomes {@code nc}: later merges mutate {@code nc} in place and must never alter the
 * extension instance owned by the certificate.
 *
 * @param certImpl the certificate whose name constraints are merged
 * @throws IOException if {@code NameConstraintsExtension.merge} fails
 */
private void mergeNameConstraintsFrom(X509CertImpl certImpl) throws IOException {
    NameConstraintsExtension certNC = certImpl.getNameConstraintsExtension();
    if (nc != null) {
        nc.merge(certNC);
    } else if (certNC != null) {
        nc = (NameConstraintsExtension) certNC.clone();
    }
}

Example 7 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project j2objc by google.

the class ConstraintsChecker method mergeNameConstraints.

/**
 * Folds the name constraints of {@code currCert} into the constraints gathered so far.
 *
 * <p>If nothing has been gathered yet ({@code prevNC == null}) the certificate's own
 * extension is returned, cloned so that later merges never mutate the instance owned by
 * the certificate. Otherwise {@code prevNC.merge} is applied in place and {@code prevNC}
 * itself is the result.
 *
 * @param currCert the certificate whose name constraints are merged
 * @param prevNC the constraints accumulated from earlier certificates, or {@code null}
 * @return the merged constraints, or {@code null} if neither side carries any
 * @throws CertPathValidatorException if {@code currCert} cannot be converted to an
 *         {@code X509CertImpl} or if the merge fails
 */
static NameConstraintsExtension mergeNameConstraints(X509Certificate currCert, NameConstraintsExtension prevNC) throws CertPathValidatorException {
    final X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(currCert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
    final NameConstraintsExtension certNC = certImpl.getNameConstraintsExtension();
    if (debug != null) {
        debug.println("prevNC = " + prevNC + ", newNC = " + String.valueOf(certNC));
    }

    if (prevNC == null) {
        // Nothing accumulated yet: the certificate's extension (if any) becomes the working set.
        if (debug != null) {
            debug.println("mergedNC = " + String.valueOf(certNC));
        }
        return certNC == null ? null : (NameConstraintsExtension) certNC.clone();
    }

    // merge() mutates prevNC in place; afterwards it holds the merged constraints.
    try {
        prevNC.merge(certNC);
    } catch (IOException ioe) {
        throw new CertPathValidatorException(ioe);
    }
    if (debug != null) {
        debug.println("mergedNC = " + prevNC);
    }
    return prevNC;
}

Example 8 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testPathToName.

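/**
 * Tests matching on the name constraints extension contained in the certificate.
 *
 * <p>For every directory-name subtree under excludedSubtrees, a selector whose pathToName is
 * the subtree base DN, and one whose pathToName is a DN beneath it, must both fail to match;
 * for every directory-name subtree under permittedSubtrees both must match. Subtrees of any
 * other name type are not exercised.
 *
 * @throws IOException if the extension value or a DN cannot be DER-decoded or encoded
 */
private void testPathToName() throws IOException {
    System.out.println("X.509 Certificate Match on pathToName");
    // 2.5.29.30 is the nameConstraints extension; its value is an OCTET STRING that wraps
    // the DER-encoded NameConstraints structure.
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.30"));
    byte[] encoded = in.getOctetString();
    NameConstraintsExtension ext = new NameConstraintsExtension(false, encoded);
    GeneralSubtrees permitted = (GeneralSubtrees) ext.get(PERMITTED_SUBTREES);
    GeneralSubtrees excluded = (GeneralSubtrees) ext.get(EXCLUDED_SUBTREES);
    // bad matches on pathToName within excluded subtrees
    checkDirectoryNameMatches(excluded, "CN=Bogus, ", false);
    // good matches on pathToName within permitted subtrees
    checkDirectoryNameMatches(permitted, "CN=good, ", true);
}

/**
 * Checks every directory-name subtree in {@code subtrees} against the certificate, once with
 * the subtree base DN and once with {@code rdnPrefix} prepended to it, expecting
 * {@code expectMatch} both times.
 *
 * @param subtrees the permitted or excluded subtrees; {@code null} (field absent) is a no-op
 * @param rdnPrefix RDN text prepended to the base DN to form a name beneath the subtree
 * @param expectMatch whether the selector is expected to match the certificate
 * @throws IOException if a DN cannot be parsed or DER-encoded
 */
private void checkDirectoryNameMatches(GeneralSubtrees subtrees, String rdnPrefix, boolean expectMatch) throws IOException {
    if (subtrees == null) {
        return;
    }
    Iterator<GeneralSubtree> it = subtrees.iterator();
    while (it.hasNext()) {
        GeneralSubtree tree = it.next();
        if (tree.getName().getType() != NAME_DIRECTORY) {
            continue;
        }
        String baseDN = tree.getName().toString();
        checkPathToName(new X500Name(baseDN), expectMatch);
        checkPathToName(new X500Name(rdnPrefix + baseDN), expectMatch);
    }
}

/**
 * Builds a fresh selector whose only pathToName is the DER encoding of {@code dn} and checks
 * it against the certificate.
 *
 * @param dn the directory name to match on
 * @param expectMatch whether the selector is expected to match the certificate
 * @throws IOException if {@code dn} cannot be DER-encoded
 */
private void checkPathToName(X500Name dn, boolean expectMatch) throws IOException {
    DerOutputStream der = new DerOutputStream();
    dn.encode(der);
    X509CertSelector selector = new X509CertSelector();
    selector.addPathToName(NAME_DIRECTORY, der.toByteArray());
    checkMatch(selector, cert, expectMatch);
}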

Example 9 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project Bytecoder by mirkosertic.

the class TrustAnchor method setNameConstraints.

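/**
 * Decodes {@code bytes} as a DER-encoded name constraints extension value and stores both a
 * private copy of the bytes and the decoded extension.
 *
 * <p>The encoding is validated before either field is assigned, so a rejected value leaves
 * {@code ncBytes} and {@code nc} as they were. The array is cloned first and the extension is
 * built from that clone, so neither stored field aliases the caller's array.
 *
 * @param bytes DER encoding of the name constraints, or {@code null} to clear them
 * @throws IllegalArgumentException if {@code bytes} is not a valid encoding; the underlying
 *         {@link IOException} is attached as the cause
 */
private void setNameConstraints(byte[] bytes) {
    if (bytes == null) {
        ncBytes = null;
        nc = null;
        return;
    }
    byte[] copy = bytes.clone();
    NameConstraintsExtension decoded;
    // validate DER encoding (from the private copy, so the validated bytes are the stored ones)
    try {
        decoded = new NameConstraintsExtension(Boolean.FALSE, copy);
    } catch (IOException ioe) {
        throw new IllegalArgumentException(ioe.getMessage(), ioe);
    }
    ncBytes = copy;
    nc = decoded;
}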

Example 10 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project Bytecoder by mirkosertic.

the class ConstraintsChecker method mergeNameConstraints.

/**
 * Folds the name constraints of {@code currCert} into the constraints gathered so far.
 *
 * <p>With no previous constraints the certificate's own extension is returned as a clone,
 * so that later in-place merges never touch the instance owned by the certificate. With
 * previous constraints, {@code prevNC.merge} is applied and {@code prevNC} is returned.
 *
 * @param currCert the certificate whose name constraints are merged
 * @param prevNC the constraints accumulated from earlier certificates, or {@code null}
 * @return the merged constraints, or {@code null} if neither side carries any
 * @throws CertPathValidatorException if {@code currCert} cannot be converted to an
 *         {@code X509CertImpl} or if the merge fails
 */
static NameConstraintsExtension mergeNameConstraints(X509Certificate currCert, NameConstraintsExtension prevNC) throws CertPathValidatorException {
    X509CertImpl certImpl = toImplOrFail(currCert);
    NameConstraintsExtension certNC = certImpl.getNameConstraintsExtension();
    if (debug != null) {
        debug.println("prevNC = " + prevNC + ", newNC = " + String.valueOf(certNC));
    }

    if (prevNC != null) {
        // merge() mutates prevNC in place; afterwards it holds the merged constraints.
        try {
            prevNC.merge(certNC);
        } catch (IOException ioe) {
            throw new CertPathValidatorException(ioe);
        }
        if (debug != null) {
            debug.println("mergedNC = " + prevNC);
        }
        return prevNC;
    }

    if (debug != null) {
        debug.println("mergedNC = " + String.valueOf(certNC));
    }
    if (certNC == null) {
        return null;
    }
    // Clone: the result is mutated by later merges and must not alias the certificate's copy.
    return (NameConstraintsExtension) certNC.clone();
}

/**
 * Converts {@code cert} to an {@code X509CertImpl}, wrapping a conversion failure in the
 * exception type this checker reports.
 *
 * @param cert the certificate to convert
 * @return the implementation view of {@code cert}
 * @throws CertPathValidatorException if the conversion fails
 */
private static X509CertImpl toImplOrFail(X509Certificate cert) throws CertPathValidatorException {
    try {
        return X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
}
