/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AMCertPath.java,v 1.5 2009/07/16 00:02:24 beomsuk Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* Class AMCertPath is special cased Certpath validation class.
* It does cert path validation together with CRL check and ocsp checking
* if they are properly configured.
*/
public class AMCertPath {
static {
try {
} catch (Exception e) {
}
}
/**
* Class constructor
* param Vector crls
*/
if (debug.messageEnabled()) {
}
synchronized(AMCertPath.class) {
}
} else {
if (debug.messageEnabled()) {
}
}
}
/**
* It does cert path validation together with CRL check and ocsp checking
* if they are properly configured.
* @param certs
**/
boolean ocspEnabled) {
/*
The entire contents of this method must be synchronized for the following reasons:
1. The CertPathValidator#validate method is not thread-safe
2. even if a non-static CertPathValidator instance were obtained in this method, each instance references
the ocsp-related properties in the Security class. Thus the state set in Security.setProperty("ocsp.enable", true/false)
will affect all CertPathValidator instances.
Note that despite the synchronized block, the fact that static Security properties are being set and referenced
exposes the code below to data races in the context of these Security properties. Currently, Security.setProperties
is not being called from anywhere in the OpenAM code base. If this were to change, and the "ocsp.enable" property
were manipulated, the OCSP-based checking below would be susceptible to data races. There does not seem to
be an alternative however: the section on PKIXParameters here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#Introduction
mentions setting PKIXCertPathChecker implementations to do CRL or OCSP based checking, but there is no remove
method, and the state returned from getCertPathCheckers is immutable.
*/
synchronized(AMCertPath.class) {
if (debug.messageEnabled()) {
}
try {
// init PKIXParameters
"com.sun.identity.security.keystore.AMX509TrustManager");
if (debug.messageEnabled()) {
}
if (ocspEnabled) {
if (debug.messageEnabled()) {
+ "set to true, and ocsp.enabled set to true with a OCSP responder url of " + responderURLString);
}
} else {
//OCSP revocation checking not configured properly. Disable the check if crl-based checking not enabled
"com.sun.identity.authentication.ocsp.responder.url property does not specify a OCSP " +
"responder. OCSP checking will NOT be performed.");
}
} else {
//the Security properties are static - if we are doing crl validation, insure that the property
//is not present which will toggle OCSP checking.
if (debug.messageEnabled()) {
}
}
}
if (debug.messageEnabled()) {
StringBuilder sb = new StringBuilder("The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator: \n");
sb.append("\tisExplicitPolicyRequired: ").append(pkixparams.isExplicitPolicyRequired()).append('\n');
sb.append("\tisPolicyMappingInhibited: ").append(pkixparams.isPolicyMappingInhibited()).append('\n');
}
// validate
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
return false;
} catch (Throwable t) {
return false;
}
return true;
}
}
/*
* returns <code>null</code> if no or invalid value is specified for
* <code>com.sun.identity.authentication.ocsp.responder.url</code>
*/
"com.sun.identity.authentication.ocsp.responder.url");
if (responderURLString != null) {
try {
} catch (MalformedURLException urlEx) {
} finally {
return responderURLString;
}
} else {
if (debug.warningEnabled()) {
}
}
return responderURLString;
}
}