FileDocCategorySizeDatePackage
CertPathValidatorUtilities.javaAPI DocAndroid 1.5 API25483Wed May 06 22:41:06 BST 2009org.bouncycastle.jce.provider

CertPathValidatorUtilities

public class CertPathValidatorUtilities extends Object

Fields Summary
protected static final String
CERTIFICATE_POLICIES
protected static final String
BASIC_CONSTRAINTS
protected static final String
POLICY_MAPPINGS
protected static final String
SUBJECT_ALTERNATIVE_NAME
protected static final String
NAME_CONSTRAINTS
protected static final String
KEY_USAGE
protected static final String
INHIBIT_ANY_POLICY
protected static final String
ISSUING_DISTRIBUTION_POINT
protected static final String
DELTA_CRL_INDICATOR
protected static final String
POLICY_CONSTRAINTS
protected static final String
ANY_POLICY
protected static final String
CRL_NUMBER
protected static final int
KEY_CERT_SIGN
protected static final int
CRL_SIGN
protected static final String[]
crlReasons
Constructors Summary
Methods Summary
protected static voidcheckExcludedDN(java.util.Set excluded, org.bouncycastle.asn1.ASN1Sequence dns)

        if (excluded.isEmpty())
        {
            return;
        }

        Iterator it = excluded.iterator();

        while (it.hasNext())
        {
            ASN1Sequence subtree = (ASN1Sequence) it.next();

            if (withinDNSubtree(dns, subtree))
            {
                throw new CertPathValidatorException(
                        "Subject distinguished name is from an excluded subtree");
            }
        }
    
protected static voidcheckExcludedEmail(java.util.Set excluded, java.lang.String email)

        if (excluded.isEmpty())
        {
            return;
        }

        String sub = email.substring(email.indexOf('@") + 1);
        Iterator it = excluded.iterator();

        while (it.hasNext())
        {
            String str = (String) it.next();
            if (sub.endsWith(str))
            {
                throw new CertPathValidatorException(
                        "Subject email address is from an excluded subtree");
            }
        }
    
protected static voidcheckExcludedIP(java.util.Set excluded, byte[] ip)

        if (excluded.isEmpty())
        {
            return;
        }

        // TODO, check RFC791 and RFC1883 for IP bytes definition.
    
protected static voidcheckPermittedDN(java.util.Set permitted, org.bouncycastle.asn1.ASN1Sequence dns)

        if (permitted.isEmpty())
        {
            return;
        }

        Iterator it = permitted.iterator();

        while (it.hasNext())
        {
            ASN1Sequence subtree = (ASN1Sequence) it.next();

            if (withinDNSubtree(dns, subtree))
            {
                return;
            }
        }

        throw new CertPathValidatorException(
                "Subject distinguished name is not from a permitted subtree");
    
protected static voidcheckPermittedEmail(java.util.Set permitted, java.lang.String email)

        if (permitted.isEmpty())
        {
            return;
        }

        String sub = email.substring(email.indexOf('@") + 1);
        Iterator it = permitted.iterator();

        while (it.hasNext())
        {
            String str = (String) it.next();

            if (sub.endsWith(str))
            {
                return;
            }
        }

        throw new CertPathValidatorException(
                "Subject email address is not from a permitted subtree");
    
protected static voidcheckPermittedIP(java.util.Set permitted, byte[] ip)

        if (permitted.isEmpty())
        {
            return;
        }

        // TODO: ??? Something here
    
protected static final java.util.CollectionfindCRLs(java.security.cert.X509CRLSelector crlSelect, java.util.List crlStores)
Return a Collection of all CRLs found in the CertStore's that are matching the crlSelect criteriums.

param
crlSelect a {@link CertSelector CertSelector} object that will be used to select the CRLs
param
crlStores a List containing only {@link CertStore CertStore} objects. These are used to search for CRLs
return
a Collection of all found {@link CRL CRL} objects. May be empty but never null.

        Set crls = new HashSet();
        Iterator iter = crlStores.iterator();
    
        while (iter.hasNext())
        {
            CertStore   certStore = (CertStore)iter.next();
    
            try
            {
                crls.addAll(certStore.getCRLs(crlSelect));
            }
            catch (CertStoreException e)
            {
                throw new AnnotatedException("cannot extract crl: " + e, e);
            }
        }
    
        return crls;
    
protected static final java.security.cert.TrustAnchorfindTrustAnchor(java.security.cert.X509Certificate cert, java.security.cert.CertPath certPath, int index, java.util.Set trustAnchors)
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.

param
cert the X509 certificate
param
trustAnchors a Set of TrustAnchor's
return
the TrustAnchor object if found or null if not.
exception
CertPathValidatorException if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception. This Exception can be obtainted with getCause() method.

    
                                                                           
        
         
                
                     
                      
         
    
        Iterator iter = trustAnchors.iterator();
        TrustAnchor trust = null;
        PublicKey trustPublicKey = null;
        Exception invalidKeyEx = null;

        X509CertSelector certSelectX509 = new X509CertSelector();

        try
        {
            certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded());
        }
        catch (IOException ex)
        {
            throw new CertPathValidatorException(ex);
        }

        while (iter.hasNext() && trust == null)
        {
            trust = (TrustAnchor) iter.next();
            if (trust.getTrustedCert() != null)
            {
                if (certSelectX509.match(trust.getTrustedCert()))
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trust = null;
                }
            }
            else if (trust.getCAName() != null
                    && trust.getCAPublicKey() != null)
            {
                try
                {
                    X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
                    X500Principal caName = new X500Principal(trust.getCAName());
                    if (certIssuer.equals(caName))
                    {
                        trustPublicKey = trust.getCAPublicKey();
                    }
                    else
                    {
                        trust = null;
                    }
                }
                catch (IllegalArgumentException ex)
                {
                    trust = null;
                }
            }
            else
            {
                trust = null;
            }

            if (trustPublicKey != null)
            {
                try
                {
                    cert.verify(trustPublicKey);
                }
                catch (Exception ex)
                {
                    invalidKeyEx = ex;
                    trust = null;
                }
            }
        }

        if (trust == null && invalidKeyEx != null)
        {
            throw new CertPathValidatorException("TrustAnchor found but certificate validation failed.", invalidKeyEx, certPath, index);
        }

        return trust;
    
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifiergetAlgorithmIdentifier(java.security.PublicKey key)

        try
        {
            ASN1InputStream      aIn = new ASN1InputStream(key.getEncoded());

            SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());

            return info.getAlgorithmId();
        }
        catch (IOException e)
        {
            throw new CertPathValidatorException("exception processing public key");
        }
    
protected static javax.security.auth.x500.X500PrincipalgetEncodedIssuerPrincipal(java.security.cert.X509Certificate cert)

        return cert.getIssuerX500Principal();
    
protected static org.bouncycastle.asn1.DERObjectgetExtensionValue(java.security.cert.X509Extension ext, java.lang.String oid)
extract the value of the given extension, if it exists.

        byte[]  bytes = ext.getExtensionValue(oid);
        if (bytes == null)
        {
            return null;
        }

        return getObject(oid, bytes);
    
protected static javax.security.auth.x500.X500PrincipalgetIssuerPrincipal(java.security.cert.X509CRL crl)

        return crl.getIssuerX500Principal();
    
private static org.bouncycastle.asn1.DERObjectgetObject(java.lang.String oid, byte[] ext)

        try
        {
            ASN1InputStream aIn = new ASN1InputStream(ext);
            ASN1OctetString octs = (ASN1OctetString)aIn.readObject();

            aIn = new ASN1InputStream(octs.getOctets());
            return aIn.readObject();
        }
        catch (IOException e)
        {
            throw new AnnotatedException("exception processing extension " + oid, e);
        }
    
protected static final java.util.SetgetQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)

        Set             pq   = new HashSet();
        
        if (qualifiers == null)
        {
            return pq;
        }
        
        ByteArrayOutputStream   bOut = new ByteArrayOutputStream();
        ASN1OutputStream        aOut = new ASN1OutputStream(bOut);
    
        Enumeration e = qualifiers.getObjects();
    
        while (e.hasMoreElements())
        {
            try
            {
                aOut.writeObject(e.nextElement());
    
                pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
            }
            catch (IOException ex)
            {
                throw new CertPathValidatorException("exception building qualifier set: " + ex);
            }
    
            bOut.reset();
        }
        
        return pq;
    
protected static javax.security.auth.x500.X500PrincipalgetSubjectPrincipal(java.security.cert.X509Certificate cert)

        return cert.getSubjectX500Principal();
    
protected static java.util.DategetValidDate(java.security.cert.PKIXParameters paramsPKIX)

        Date validDate = paramsPKIX.getDate();

        if (validDate == null)
        {
            validDate = new Date();
        }

        return validDate;
    
protected static java.util.SetintersectDN(java.util.Set permitted, org.bouncycastle.asn1.ASN1Sequence dn)

        if (permitted.isEmpty())
        {
            permitted.add(dn);

            return permitted;
        }
        else
        {
            Set intersect = new HashSet();

            Iterator _iter = permitted.iterator();
            while (_iter.hasNext())
            {
                ASN1Sequence subtree = (ASN1Sequence) _iter.next();

                if (withinDNSubtree(dn, subtree))
                {
                    intersect.add(dn);
                }
                else if (withinDNSubtree(subtree, dn))
                {
                    intersect.add(subtree);
                }
            }

            return intersect;
        }
    
protected static java.util.SetintersectEmail(java.util.Set permitted, java.lang.String email)

        String _sub = email.substring(email.indexOf('@") + 1);

        if (permitted.isEmpty())
        {
            permitted.add(_sub);

            return permitted;
        }
        else
        {
            Set intersect = new HashSet();

            Iterator _iter = permitted.iterator();
            while (_iter.hasNext())
            {
                String _permitted = (String) _iter.next();

                if (_sub.endsWith(_permitted))
                {
                    intersect.add(_sub);
                }
                else if (_permitted.endsWith(_sub))
                {
                    intersect.add(_permitted);
                }
            }

            return intersect;
        }
    
protected static java.util.SetintersectIP(java.util.Set permitted, byte[] ip)

        // TBD
        return permitted;
    
protected static booleanisAnyPolicy(java.util.Set policySet)

        return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty();
    
protected static booleanisSelfIssued(java.security.cert.X509Certificate cert)

        return cert.getSubjectDN().equals(cert.getIssuerDN());
    
protected static voidprepareNextCertB1(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert)

        boolean idp_found = false;
        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                idp_found = true;
                node.expectedPolicies = (Set)m_idp.get(id_p);
                break;
            }
        }

        if (!idp_found)
        {
            nodes_i = policyNodes[i].iterator();
            while (nodes_i.hasNext())
            {
                PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                if (ANY_POLICY.equals(node.getValidPolicy()))
                {
                    Set pq = null;
                    ASN1Sequence policies = (ASN1Sequence)getExtensionValue(cert, CERTIFICATE_POLICIES);
                    Enumeration e = policies.getObjects();
                    while (e.hasMoreElements())
                    {
                        PolicyInformation pinfo = PolicyInformation.getInstance(e.nextElement());
                        if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                        {
                            pq = getQualifierSet(pinfo.getPolicyQualifiers());
                            break;
                        }
                    }
                    boolean ci = false;
                    if (cert.getCriticalExtensionOIDs() != null)
                    {
                        ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
                    }

                    PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                    if (ANY_POLICY.equals(p_node.getValidPolicy()))
                    {
                        PKIXPolicyNode c_node = new PKIXPolicyNode(
                                new ArrayList(), i,
                                (Set)m_idp.get(id_p),
                                p_node, pq, id_p, ci);
                        p_node.addChild(c_node);
                        policyNodes[i].add(c_node);
                    }
                    break;
                }
            }
        }
    
protected static PKIXPolicyNodeprepareNextCertB2(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)

        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                p_node.removeChild(node);
                nodes_i.remove();
                for (int k = (i - 1); k >= 0; k--)
                {
                    List nodes = policyNodes[k];
                    for (int l = 0; l < nodes.size(); l++)
                    {
                        PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                        if (!node2.hasChildren())
                        {
                            validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2);
                            if (validPolicyTree == null)
                            {
                                break;
                            }
                        }
                    }
                }
            }
        }
        return validPolicyTree;
    
protected static booleanprocessCertD1i(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.DERObjectIdentifier pOid, java.util.Set pq)

        List       policyNodeVec = policyNodes[index - 1];

        for (int j = 0; j < policyNodeVec.size(); j++)
        {
            PKIXPolicyNode node = (PKIXPolicyNode)policyNodeVec.get(j);
            Set            expectedPolicies = node.getExpectedPolicies();
            
            if (expectedPolicies.contains(pOid.getId()))
            {
                Set childExpectedPolicies = new HashSet();
                childExpectedPolicies.add(pOid.getId());
                
                PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(),
                                                           index,
                                                           childExpectedPolicies,
                                                           node,
                                                           pq,
                                                           pOid.getId(),
                                                           false);
                node.addChild(child);
                policyNodes[index].add(child);
                
                return true;
            }
        }
        
        return false;
    
protected static voidprocessCertD1ii(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.DERObjectIdentifier _poid, java.util.Set _pq)

        List       policyNodeVec = policyNodes[index - 1];

        for (int j = 0; j < policyNodeVec.size(); j++)
        {
            PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j);
            Set            _expectedPolicies = _node.getExpectedPolicies();
            
            if (ANY_POLICY.equals(_node.getValidPolicy()))
            {
                Set _childExpectedPolicies = new HashSet();
                _childExpectedPolicies.add(_poid.getId());
                
                PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(),
                                                           index,
                                                           _childExpectedPolicies,
                                                           _node,
                                                           _pq,
                                                           _poid.getId(),
                                                           false);
                _node.addChild(_child);
                policyNodes[index].add(_child);
                return;
            }
        }
    
protected static PKIXPolicyNoderemovePolicyNode(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)

        PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent();
        
        if (validPolicyTree == null)
        {
            return null;
        }

        if (_parent == null)
        {
            for (int j = 0; j < policyNodes.length; j++)
            {
                policyNodes[j] = new ArrayList();
            }

            return null;
        }
        else
        {
            _parent.removeChild(_node);
            removePolicyNodeRecurse(policyNodes, _node);

            return validPolicyTree;
        }
    
private static voidremovePolicyNodeRecurse(java.util.List[] policyNodes, PKIXPolicyNode _node)

        policyNodes[_node.getDepth()].remove(_node);

        if (_node.hasChildren())
        {
            Iterator _iter = _node.getChildren();
            while (_iter.hasNext())
            {
                PKIXPolicyNode _child = (PKIXPolicyNode)_iter.next();
                removePolicyNodeRecurse(policyNodes, _child);
            }
        }
    
protected static java.util.SetunionDN(java.util.Set excluded, org.bouncycastle.asn1.ASN1Sequence dn)

        if (excluded.isEmpty())
        {
            excluded.add(dn);

            return excluded;
        }
        else
        {
            Set intersect = new HashSet();

            Iterator _iter = excluded.iterator();
            while (_iter.hasNext())
            {
                ASN1Sequence subtree = (ASN1Sequence) _iter.next();

                if (withinDNSubtree(dn, subtree))
                {
                    intersect.add(subtree);
                }
                else if (withinDNSubtree(subtree, dn))
                {
                    intersect.add(dn);
                }
                else
                {
                    intersect.add(subtree);
                    intersect.add(dn);
                }
            }

            return intersect;
        }
    
protected static java.util.SetunionEmail(java.util.Set excluded, java.lang.String email)

        String _sub = email.substring(email.indexOf('@") + 1);

        if (excluded.isEmpty())
        {
            excluded.add(_sub);
            return excluded;
        }
        else
        {
            Set intersect = new HashSet();

            Iterator _iter = excluded.iterator();
            while (_iter.hasNext())
            {
                String _excluded = (String) _iter.next();

                if (_sub.endsWith(_excluded))
                {
                    intersect.add(_excluded);
                }
                else if (_excluded.endsWith(_sub))
                {
                    intersect.add(_sub);
                }
                else
                {
                    intersect.add(_excluded);
                    intersect.add(_sub);
                }
            }

            return intersect;
        }
    
protected static java.util.SetunionIP(java.util.Set excluded, byte[] ip)

        // TBD
        return excluded;
    
private static booleanwithinDNSubtree(org.bouncycastle.asn1.ASN1Sequence dns, org.bouncycastle.asn1.ASN1Sequence subtree)

        if (subtree.size() < 1)
        {
            return false;
        }

        if (subtree.size() > dns.size())
        {
            return false;
        }

        for (int j = subtree.size() - 1; j >= 0; j--)
        {
            if (!subtree.getObjectAt(j).equals(dns.getObjectAt(j)))
            {
                return false;
            }
        }

        return true;