2362N/A * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * PolicyChecker is a <code>PKIXCertPathChecker</code> that checks policy 0N/A * information on a PKIX certificate, namely certificate policies, policy 0N/A * mappings, policy constraints and policy qualifiers. 0N/A * @author Yassir Elley 0N/A * Constructs a Policy Checker. 0N/A * @param initialPolicies Set of initial policies 0N/A * @param certPathLen length of the certification path to be checked 0N/A * @param expPolicyRequired true if explicit policy is required 0N/A * @param polMappingInhibited true if policy mapping is inhibited 0N/A * @param anyPolicyInhibited true if the ANY_POLICY OID should be inhibited 0N/A * @param rejectPolicyQualifiers true if pol qualifiers are to be rejected 0N/A * @param rootNode the initial root node of the valid policy tree 0N/A // if no initialPolicies are specified by user, set 0N/A // initPolicies to be anyPolicy by default 0N/A * Initializes the internal state of the checker from parameters 0N/A * specified in the constructor 0N/A * @param forward a boolean indicating whether this checker should 0N/A * be initialized capable of building in the forward direction 0N/A * @exception CertPathValidatorException Exception thrown if user 0N/A * wants to enable forward checking and forward checking is not supported. 0N/A (
"forward checking not supported");
0N/A * Checks if forward checking is supported. Forward checking refers 0N/A * to the ability of the PKIXCertPathChecker to perform its checks 0N/A * when presented with certificates in the forward direction (from 0N/A * target to anchor). 0N/A * @return true if forward checking is supported, false otherwise 0N/A * Gets an immutable Set of the OID strings for the extensions that 0N/A * the PKIXCertPathChecker supports (i.e. recognizes, is able to 0N/A * process), or null if no extensions are 0N/A * supported. All OID strings that a PKIXCertPathChecker might 0N/A * possibly be able to process should be included. 0N/A * @return the Set of extensions supported by this PKIXCertPathChecker, 0N/A * or null if no extensions are supported 0N/A * Performs the policy processing checks on the certificate using its 0N/A * @param cert the Certificate to be processed 0N/A * @param unresCritExts the unresolved critical extensions 0N/A * @exception CertPathValidatorException Exception thrown if 0N/A * the certificate does not verify. 0N/A // now do the policy checks 0N/A * Internal method to run through all the checks. 0N/A * @param currCert the certificate to be processed 0N/A * @exception CertPathValidatorException Exception thrown if 0N/A * the certificate does not verify 0N/A * Merges the specified explicitPolicy value with the 0N/A * requireExplicitPolicy field of the <code>PolicyConstraints</code> 0N/A * extension obtained from the certificate. An explicitPolicy 0N/A * value of -1 implies no constraint. 0N/A * @param explicitPolicy an integer which indicates if a non-null 0N/A * valid policy tree is required 0N/A * @param currCert the Certificate to be processed 0N/A * @param finalCert a boolean indicating whether currCert is 0N/A * the final cert in the cert path 0N/A * @return returns the new explicitPolicy value 0N/A * @exception CertPathValidatorException Exception thrown if an error 0N/A +
"unexpected exception");
0N/A * Merges the specified policyMapping value with the 0N/A * inhibitPolicyMapping field of the <code>PolicyConstraints</code> 0N/A * extension obtained from the certificate. A policyMapping 0N/A * value of -1 implies no constraint. 0N/A * @param policyMapping an integer which indicates if policy mapping 0N/A * @param currCert the Certificate to be processed 0N/A * @return returns the new policyMapping value 0N/A * @exception CertPathValidatorException Exception thrown if an error 0N/A +
"unexpected exception");
0N/A * Merges the specified inhibitAnyPolicy value with the 0N/A * SkipCerts value of the InhibitAnyPolicy 0N/A * extension obtained from the certificate. 0N/A * @param inhibitAnyPolicy an integer which indicates whether 0N/A * "any-policy" is considered a match 0N/A * @param currCert the Certificate to be processed 0N/A * @return returns the new inhibitAnyPolicy value 0N/A * @exception CertPathValidatorException Exception thrown if an error 0N/A +
"unexpected exception");
0N/A * Processes certificate policies in the certificate. 0N/A * @param certIndex the index of the certificate 0N/A * @param initPolicies the initial policies required by the user 0N/A * @param explicitPolicy an integer which indicates if a non-null 0N/A * valid policy tree is required 0N/A * @param policyMapping an integer which indicates if policy 0N/A * mapping is inhibited 0N/A * @param inhibitAnyPolicy an integer which indicates whether 0N/A * "any-policy" is considered a match 0N/A * @param rejectPolicyQualifiers a boolean indicating whether the 0N/A * user wants to reject policies that have qualifiers 0N/A * @param origRootNode the root node of the valid policy tree 0N/A * @param currCert the Certificate to be processed 0N/A * @param finalCert a boolean indicating whether currCert is the final 0N/A * cert in the cert path 0N/A * @return the root node of the valid policy tree after modification 0N/A * @exception CertPathValidatorException Exception thrown if an 0N/A * error occurs while processing policies. 0N/A // retrieve policyOIDs from currCert 0N/A // PKIX: Section 6.1.3: Step (d) 0N/A +
"retrieving policyOIDs",
ioe);
0N/A // process each policy in cert 0N/A // PKIX: Section 6.1.3: Step (d)(1) 0N/A // retrieve policy qualifiers from cert 0N/A // reject cert if we find critical policy qualifiers and 0N/A // the policyQualifiersRejected flag is set in the params 585N/A "critical policy qualifiers present in certificate",
0N/A // PKIX: Section 6.1.3: Step (d)(1)(i) 0N/A // PKIX: Section 6.1.3: Step (d)(1)(ii) 0N/A // PKIX: Section 6.1.3: Step (d)(2) 0N/A // PKIX: Section 6.1.3: Step (d)(3) 0N/A +
"no policies present in cert");
0N/A // PKIX: Section 6.1.3: Step (e) 0N/A // We delay PKIX: Section 6.1.3: Step (f) to the end 0N/A // because the code that follows may delete some nodes 0N/A // resulting in a null tree 0N/A // PKIX: Section 6.1.4: Steps (a)-(b) 0N/A // At this point, we optimize the PKIX algorithm by 0N/A // removing those nodes which would later have 0N/A // been removed by PKIX: Section 6.1.5: Step (g)(iii) 0N/A // PKIX: Section 6.1.5: Step (g)(iii) 0N/A // rewrite anyPolicy leaf nodes (see method comments) 0N/A // PKIX: Section 6.1.5: Steps (a) and (b) 0N/A // PKIX: Section 6.1.3: Step (f) 0N/A // verify that either explicit policy is greater than 0 or 0N/A // the valid_policy_tree is not equal to NULL 585N/A (
"non-null policy tree required and policy tree is null",
0N/A * Rewrite leaf nodes at the end of validation as described in RFC 3280 0N/A * section 6.1.5: Step (g)(iii). Leaf nodes with anyPolicy are replaced 0N/A * by nodes explicitly representing initial policies not already 0N/A * represented by leaf nodes. 0N/A * This method should only be called when processing the final cert 0N/A * and if the policy tree is not null and initial policies is not 0N/A * @param certIndex the depth of the tree 0N/A * @param initPolicies Set of user specified initial policies 0N/A * @param rootNode the root of the policy tree 0N/A // see if there are any initialPolicies not represented by leaf nodes 0N/A // we deleted the anyPolicy node and have nothing to re-add, 0N/A // so we need to prune the tree 0N/A * Finds the policy nodes of depth (certIndex-1) where curPolicy 0N/A * is in the expected policy set and creates a new child node 0N/A * appropriately. If matchAny is true, then a value of ANY_POLICY 0N/A * in the expected policy set will match any curPolicy. If matchAny 0N/A * is false, then the expected policy set must exactly contain the 0N/A * curPolicy to be considered a match. This method returns a boolean 0N/A * value indicating whether a match was found. 0N/A * @param certIndex the index of the certificate whose policy is 0N/A * @param policiesCritical a boolean indicating whether the certificate 0N/A * policies extension is critical 0N/A * @param rejectPolicyQualifiers a boolean indicating whether the 0N/A * user wants to reject policies that have qualifiers 0N/A * @param rootNode the root node of the valid policy tree 0N/A * @param curPolicy a String representing the policy being processed 0N/A * @param pQuals the policy qualifiers of the policy being processed or an 0N/A * empty Set if there are no qualifiers 0N/A * @param matchAny a boolean indicating whether a value of ANY_POLICY 0N/A * in the expected policy set will be considered a match 0N/A * @return a boolean indicating whether a match was found 0N/A * @exception CertPathValidatorException Exception thrown if error occurs. 0N/A // find matching parents 0N/A // for each matching parent, extend policy tree 0N/A +
"expected policy set already appears in " 0N/A * Processes policy mappings in the certificate. 0N/A * @param currCert the Certificate to be processed 0N/A * @param certIndex the index of the current certificate 0N/A * @param policyMapping an integer which indicates if policy 0N/A * mapping is inhibited 0N/A * @param rootNode the root node of the valid policy tree 0N/A * @param policiesCritical a boolean indicating if the certificate policies 0N/A * extension is critical 0N/A * @param anyQuals the qualifiers associated with ANY-POLICY, or an empty 0N/A * Set if there are no qualifiers associated with ANY-POLICY 0N/A * @return the root node of the valid policy tree after modification 0N/A * @exception CertPathValidatorException exception thrown if an error 0N/A * occurs while processing policy mappings 0N/A +
"inside policyMapping check");
0N/A +
"mapping exception");
585N/A (
"encountered an issuerDomainPolicy of ANY_POLICY",
585N/A (
"encountered a subjectDomainPolicy of ANY_POLICY",
0N/A +
"() before deleting: policy tree = " 0N/A +
"() after deleting: policy tree = " 0N/A }
else {
// no node of depth i has a valid policy 0N/A * Removes those nodes which do not intersect with the initial policies 0N/A * specified by the user. 0N/A * @param rootNode the root node of the valid policy tree 0N/A * @param certIndex the index of the certificate being processed 0N/A * @param initPolicies the Set of policies required by the user 0N/A * @param currCertPolicies the CertificatePoliciesExtension of the 0N/A * certificate being processed 0N/A * @returns the root node of the valid policy tree after modification 0N/A * @exception CertPathValidatorException Exception thrown if error occurs. 0N/A +
"retrieving policyOIDs",
ioe);
0N/A * Gets the root node of the valid policy tree, or null if the 0N/A * valid policy tree is null. Marks each node of the returned tree 0N/A * immutable and thread-safe. 0N/A * @returns the root node of the valid policy tree, or null if 0N/A * the valid policy tree is null