/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* A <code>PKIXCertPathChecker</code> implementation to check whether a
* specified certificate contains the required algorithm constraints.
* <p>
* Certificate fields such as the subject public key, the signature
* algorithm, key usage, extended key usage, etc. need to conform to
* the specified algorithm constraints.
*
* @see PKIXCertPathChecker
* @see PKIXParameters
*/
private final static DisabledAlgorithmConstraints
/**
* Create a new <code>AlgorithmChecker</code> with the algorithm
* constraints specified in security property
* "jdk.certpath.disabledAlgorithms".
*
* @param anchor the trust anchor selected to validate the target
* certificate
*/
this(anchor, certPathDefaultConstraints);
}
/**
* Create a new <code>AlgorithmChecker</code> with the
* given {@code AlgorithmConstraints}.
* <p>
* Note that this constructor will be used to check a certification
* path where the trust anchor is unknown, or a certificate list which may
* contain the trust anchor. This constructor is used by SunJSSE.
*
* @param constraints the algorithm constraints (or null)
*/
this.prevPubKey = null;
this.trustedPubKey = null;
this.constraints = constraints;
}
/**
* Create a new <code>AlgorithmChecker</code> with the
* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param constraints the algorithm constraints (or null)
*
* @throws IllegalArgumentException if the <code>anchor</code> is null
*/
throw new IllegalArgumentException(
"The trust anchor cannot be null");
}
} else {
}
this.prevPubKey = trustedPubKey;
this.constraints = constraints;
}
// Note that this class does not support forward mode.
if (!forward) {
if (trustedPubKey != null) {
} else {
prevPubKey = null;
}
} else {
throw new
CertPathValidatorException("forward checking not supported");
}
}
public boolean isForwardCheckingSupported() {
// Note that as this class does not support forward mode, the method
// will always returns false.
return false;
}
return null;
}
throws CertPathValidatorException {
// ignore the check for non-x.509 certificate or null constraints
return;
}
try {
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
try {
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
// Check the current signature algorithm
if (!constraints.permits(
throw new CertPathValidatorException(
"Algorithm constraints check failed: " + currSigAlg,
}
// check the key usage and key size
throw new CertPathValidatorException(
"incorrect KeyUsage extension",
}
// keyUsage[0]: KeyUsage.digitalSignature
// keyUsage[1]: KeyUsage.nonRepudiation
// keyUsage[5]: KeyUsage.keyCertSign
// keyUsage[6]: KeyUsage.cRLSign
}
}
}
}
// KeyUsage.encipherOnly and KeyUsage.decipherOnly are
// undefined in the absence of the keyAgreement bit.
if (!primitives.isEmpty()) {
throw new CertPathValidatorException(
"algorithm constraints check failed",
}
}
}
// Check with previous cert for signature algorithm and public key
if (prevPubKey != null) {
if (currSigAlg != null) {
if (!constraints.permits(
throw new CertPathValidatorException(
"Algorithm constraints check failed: " + currSigAlg,
}
}
// Inherit key parameters from previous key
if (currPubKey instanceof DSAPublicKey &&
// Inherit DSA parameters from previous key
if (!(prevPubKey instanceof DSAPublicKey)) {
throw new CertPathValidatorException("Input key is not " +
"of a appropriate type for inheriting parameters");
}
throw new CertPathValidatorException(
"Key parameters missing");
}
try {
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate " +
"key with inherited parameters: " + e.getMessage(), e);
}
}
}
// reset the previous public key
// check the extended key usage, ignore the check now
// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
// DO NOT remove any unresolved critical extensions
}
/**
* Try to set the trust anchor of the checker.
* <p>
* If there is no trust anchor specified and the checker has not started,
* set the trust anchor.
*
* @param anchor the trust anchor selected to validate the target
* certificate
*/
// Don't bother if the check has started or trust anchor has already
// specified.
if (prevPubKey == null) {
throw new IllegalArgumentException(
"The trust anchor cannot be null");
}
// Don't bother to change the trustedPubKey.
} else {
}
}
}
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
throws CertPathValidatorException {
try {
} catch (CRLException ce) {
throw new CertPathValidatorException(ce);
}
}
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
throws CertPathValidatorException {
throw new CertPathValidatorException(
}
}
}