/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* Class to check if an end entity cert is suitable for use in some
* context.<p>
*
* This class is used internally by the validator. Currently, seven variants
* are supported defined as VAR_XXX constants in the Validator class:
* <ul>
* <li>Generic. No additional requirements, all certificates are ok.
*
* <li>TLS server. Requires that a String parameter is passed to
* validate that specifies the name of the TLS key exchange algorithm
* in use. See the JSSE X509TrustManager spec for details.
*
* <li>TLS client.
*
* <li>Code signing.
*
* <li>JCE code signing. Some early JCE code signing certs issued to
* providers had incorrect extensions. In this mode the checks
* are relaxed compared to standard code signing checks in order to
* allow these certificates to pass.
*
* <li>Plugin code signing. WebStart and Plugin require their own variant
* which is equivalent to VAR_CODE_SIGNING with additional checks for
* compatibility/special cases. See also PKIXValidator.
*
* <li>TSA Server (see RFC 3161, section 2.3).
*
* </ul>
*
* @author Andreas Sterbenz
*/
class EndEntityChecker {
// extended key usage OIDs for TLS server, TLS client, code signing
// and any usage
// the Netscape Server-Gated-Cryptography EKU extension OID
// the Microsoft Server-Gated-Cryptography EKU extension OID
// the recognized extension OIDs
// bit numbers in the key usage extension
// TLS key exchange algorithms requiring digitalSignature key usage
"RSA_EXPORT", "UNKNOWN");
// TLS key exchange algorithms requiring keyEncipherment key usage
// TLS key exchange algorithms requiring keyAgreement key usage
// variant of this end entity cert checker
// type of the validator this checker belongs to
}
}
throws CertificateException {
// no checks
return;
} else {
}
}
/**
* Utility method returning the Set of critical extensions for
* certificate cert (never null).
*/
}
return exts;
}
/**
* Utility method checking if there are any unresolved critical extensions.
* @throws CertificateException if so.
*/
throws CertificateException {
// basic constraints irrelevant in EE certs
// If the subject field contains an empty sequence, the subjectAltName
// extension MUST be marked critical.
// We do not check the validity of the critical extension, just mark
// it recognizable here.
throw new CertificateException("Certificate contains unsupported "
+ "critical extensions: " + exts);
}
}
/**
* Utility method checking if the extended key usage extension in
* certificate cert allows use for expectedEKU.
*/
return true;
}
}
/**
* Utility method checking if bit 'bit' is set in this certificates
* key usage extension.
* @throws CertificateException if not
*/
throws CertificateException {
return true;
}
}
/**
* Check whether this certificate can be used for TLS client
* authentication.
* @throws CertificateException if not.
*/
throws CertificateException {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
}
throw new ValidatorException("Extended key usage does not "
+ "permit use for TLS client authentication",
}
throw new ValidatorException
("Netscape cert type does not permit use for SSL client",
}
// remove extensions we checked
}
/**
* Check whether this certificate can be used for TLS server authentication
* using the specified authentication type parameter. See X509TrustManager
* specification for details.
* @throws CertificateException if not.
*/
throws CertificateException {
throw new ValidatorException
("KeyUsage does not allow key encipherment",
}
throw new ValidatorException
("KeyUsage does not allow digital signatures",
}
throw new ValidatorException
("KeyUsage does not allow key agreement",
}
} else {
}
// check for equivalent but now obsolete Server-Gated-Cryptography
// (aka Step-Up, 128 bit) EKU OIDs
throw new ValidatorException
("Extended key usage does not permit use for TLS "
+ "server authentication",
}
}
throw new ValidatorException
("Netscape cert type does not permit use for SSL server",
}
// remove extensions we checked
}
/**
* Check whether this certificate can be used for code signing.
* @throws CertificateException if not.
*/
throws CertificateException {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
}
throw new ValidatorException
("Extended key usage does not permit use for code signing",
}
// do not check Netscape cert type for JCE code signing checks
// (some certs were issued with incorrect extensions)
throw new ValidatorException
("Netscape cert type does not permit use for code signing",
}
}
// remove extensions we checked
}
/**
* Check whether this certificate can be used by a time stamping authority
* server (see RFC 3161, section 2.3).
* @throws CertificateException if not.
*/
throws CertificateException {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
}
throw new ValidatorException
("Certificate does not contain an extended key usage " +
"extension required for a TSA server",
}
throw new ValidatorException
("Extended key usage does not permit use for TSA server",
}
// remove extensions we checked
}
}