Examples with NameConstraintsExtension sun.security.x509.NameConstraintsExtension used on opensource projects

Example 11 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project j2objc by google.

the class TrustAnchor method setNameConstraints.

/**
 * Decode the name constraints and clone them if not null.
 */
private void setNameConstraints(byte[] bytes) {
    if (bytes == null) {
        ncBytes = null;
        nc = null;
    } else {
        ncBytes = bytes.clone();
        // validate DER encoding
        try {
            nc = new NameConstraintsExtension(Boolean.FALSE, bytes);
        } catch (IOException ioe) {
            IllegalArgumentException iae = new IllegalArgumentException(ioe.getMessage());
            iae.initCause(ioe);
            throw iae;
        }
    }
}

Example 12 with NameConstraintsExtension

use of sun.security.x509.NameConstraintsExtension in project j2objc by google.

the class Builder method targetDistance.

/**
 * Determine how close a given certificate gets you toward
 * a given target.
 *
 * @param constraints Current NameConstraints; if null,
 *        then caller must verify NameConstraints
 *        independently, realizing that this certificate
 *        may not actually lead to the target at all.
 * @param cert Candidate certificate for chain
 * @param target GeneralNameInterface name of target
 * @return distance from this certificate to target:
 * <ul>
 * <li>-1 means certificate could be CA for target, but
 *     there are no NameConstraints limiting how close
 * <li> 0 means certificate subject or subjectAltName
 *      matches target
 * <li> 1 means certificate is permitted to be CA for
 *      target.
 * <li> 2 means certificate is permitted to be CA for
 *      parent of target.
 * <li>&gt;0 in general, means certificate is permitted
 *     to be a CA for this distance higher in the naming
 *     hierarchy than the target, plus 1.
 * </ul>
 * <p>Note that the subject and/or subjectAltName of the
 * candidate cert does not have to be an ancestor of the
 * target in order to be a CA that can issue a certificate to
 * the target. In these cases, the target distance is calculated
 * by inspecting the NameConstraints extension in the candidate
 * certificate. For example, suppose the target is an X.500 DN with
 * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
 * NameConstraints extension in the candidate certificate
 * includes a permitted component of "O=sun,C=us", which implies
 * that the candidate certificate is allowed to issue certs in
 * the "O=sun,C=us" namespace. The target distance is 3
 * ((distance of permitted NC from target) + 1).
 * The (+1) is added to distinguish the result from the case
 * which returns (0).
 * @throws IOException if certificate does not get closer
 */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}