 /**
  * Rejects {@code paramX509Certificate} for code signing unless its basic-constraints
  * and key-usage extensions are acceptable for its position in the chain and no
  * critical extension is left unrecognised.
  *
  * <p>Each helper removes the critical-extension OIDs it understands from the
  * working set of critical OIDs. Anything that survives all checks is an unknown
  * critical extension, which makes the certificate unusable and is rejected under
  * the {@code trustdecider.check.extensions} key.
  *
  * @param paramX509Certificate certificate to check
  * @param paramInt position of the certificate in the chain, 0 for the end-entity
  *     (leaf) certificate, higher values for the CA certificates above it
  * @param paramBoolean for the leaf only: whether the certificate is expected to be a
  *     time-stamping (TSA) certificate rather than a code-signing one
  * @throws CertificateException if any check fails; the message is the localised text
  *     for the failed check, which is also logged through {@code Trace}
  * @throws IOException if an extension cannot be parsed
  */
 public static void checkUsageForCodeSigning(
     X509Certificate paramX509Certificate, int paramInt, boolean paramBoolean)
     throws CertificateException, IOException {
   Set<String> criticalOids = paramX509Certificate.getCriticalExtensionOIDs();
   if (criticalOids == null) {
     criticalOids = Collections.emptySet();
   }
   String failureKey = null;
   if (!checkBasicConstraintsForCodeSigning(paramX509Certificate, criticalOids, paramInt)) {
     failureKey = "trustdecider.check.basicconstraints";
   } else if (paramInt == 0) {
     if (!checkLeafKeyUsageForCodeSigning(paramX509Certificate, criticalOids, paramBoolean)) {
       failureKey = "trustdecider.check.leafkeyusage";
     }
   } else if (!checkSignerKeyUsage(paramX509Certificate, criticalOids)) {
     failureKey = "trustdecider.check.signerkeyusage";
   }
   // Only reached when the helpers passed: whatever they left behind is unrecognised.
   if (failureKey == null && !criticalOids.isEmpty()) {
     failureKey = "trustdecider.check.extensions";
   }
   if (failureKey != null) {
     Trace.msgSecurityPrintln(failureKey);
     throw new CertificateException(ResourceManager.getMessage(failureKey));
   }
 }
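 /**
  * Reports whether {@code paramX509Certificate} carries an Authority Information Access
  * extension (OID 1.3.6.1.5.5.7.1.1) that lists an OCSP access method.
  *
  * <p>An {@link X509CertImpl} exposes the parsed extension directly; any other
  * implementation is handled by decoding the raw extension bytes.
  * {@link X509Certificate#getExtensionValue} returns the DER-encoded OCTET STRING that
  * wraps the extension value, so a leading OCTET STRING tag (0x04) is unwrapped before
  * the extension is parsed. The decompiled listing typed the raw bytes as
  * {@code Object}, which cannot be indexed; the byte array type is restored here.
  *
  * @param paramX509Certificate certificate to inspect
  * @return {@code true} if at least one access description uses the OCSP access method;
  *     {@code false} if the extension is absent (logged under
  *     {@code trustdecider.check.validation.ocsp.notfound}) or lists no OCSP method
  * @throws IOException if the extension bytes cannot be decoded
  */
 static boolean hasAIAExtensionWithOCSPAccessMethod(X509Certificate paramX509Certificate)
     throws IOException {
   AuthorityInfoAccessExtension aia;
   if (paramX509Certificate instanceof X509CertImpl) {
     aia = ((X509CertImpl) paramX509Certificate).getAuthorityInfoAccessExtension();
   } else {
     byte[] encoded = paramX509Certificate.getExtensionValue("1.3.6.1.5.5.7.1.1");
     if (encoded == null) {
       Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.notfound");
       return false;
     }
     // Unwrap the outer OCTET STRING; the length guard avoids indexing an empty value.
     if (encoded.length > 0 && encoded[0] == 4) {
       encoded = new DerValue(encoded).getOctetString();
     }
     Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
     // First argument is the extension's critical flag; Boolean.FALSE replaces the
     // deprecated new Boolean(false).
     aia = new AuthorityInfoAccessExtension(Boolean.FALSE, encoded);
   }
   if (aia == null) {
     return false;
   }
   Trace.msgSecurityPrintln(aia.toString());
   // Iterated as Object to stay compatible with a raw List return type.
   for (Object element : aia.getAccessDescriptions()) {
     AccessDescription description = (AccessDescription) element;
     if (AccessDescription.Ad_OCSP_Id.equals(description.getAccessMethod())) {
       return true;
     }
   }
   return false;
 }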
 /**
  * Checks that {@code paramX509Certificate} is usable for TLS client authentication.
  *
  * <p>Two checks run in order, and the second only when the first passes: the key-usage
  * check via {@code checkKeyUsage} with flag {@code 0} (the meaning of the flag is
  * defined by that helper), then an extended-key-usage check for id-kp-clientAuth
  * (OID 1.3.6.1.5.5.7.3.2). The failing check is logged under a
  * {@code clientauth.checkTLSClient.*} key.
  *
  * @param paramX509Certificate certificate to check
  * @return {@code true} if both checks pass
  * @throws CertificateException propagated from the helpers
  */
 static boolean checkTLSClient(X509Certificate paramX509Certificate) throws CertificateException {
   if (checkKeyUsage(paramX509Certificate, 0)) {
     if (checkEKU(paramX509Certificate, "1.3.6.1.5.5.7.3.2")) {
       return true;
     }
     Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkEKU");
     return false;
   }
   Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkKeyUsage");
   return false;
 }
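 /**
  * Reports whether {@code paramX509Certificate} carries a parseable CRL Distribution
  * Points extension (OID 2.5.29.31).
  *
  * <p>{@link X509Certificate#getExtensionValue} returns the DER-encoded OCTET STRING
  * that wraps the extension value, so a leading OCTET STRING tag (0x04) is unwrapped
  * before the extension is parsed. The parsed extension is only logged; the
  * distribution points themselves are not returned to the caller.
  *
  * @param paramX509Certificate certificate to inspect
  * @return {@code true} if the extension is present and decodes; {@code false} if it is
  *     absent (logged under {@code trustdecider.check.validation.crl.notfound})
  * @throws IOException if the extension bytes cannot be decoded
  */
 static boolean getCertCRLExtension(X509Certificate paramX509Certificate) throws IOException {
   byte[] encoded = paramX509Certificate.getExtensionValue("2.5.29.31");
   if (encoded == null) {
     Trace.msgSecurityPrintln("trustdecider.check.validation.crl.notfound");
     return false;
   }
   // Unwrap the outer OCTET STRING; the length guard avoids indexing an empty value.
   if (encoded.length > 0 && encoded[0] == 4) {
     encoded = new DerValue(encoded).getOctetString();
   }
   Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
   // First argument is the extension's critical flag; Boolean.FALSE replaces the
   // deprecated new Boolean(false).
   CRLDistributionPointsExtension crlDistributionPoints =
       new CRLDistributionPointsExtension(Boolean.FALSE, encoded);
   Trace.msgSecurityPrintln(crlDistributionPoints.toString());
   return true;
 }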
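 /**
  * Validates the key-usage related extensions of a CA (signer) certificate in a
  * code-signing chain and consumes the OIDs it understands from {@code paramSet}.
  *
  * <p>Checks performed, each logged under a {@code trustdecider.check.signerkeyusage.*}
  * key on failure:
  * <ul>
  *   <li>If a KeyUsage extension (OID 2.5.29.15) is present it must have at least six
  *       bits and the keyCertSign bit (index 5 of
  *       {@link X509Certificate#getKeyUsage()}) must be set. A certificate with no
  *       KeyUsage extension passes this check as written.</li>
  *   <li>If an ExtendedKeyUsage extension (OID 2.5.29.37) is present, critical or not,
  *       it must contain anyExtendedKeyUsage (2.5.29.37.0) or id-kp-codeSigning
  *       (1.3.6.1.5.5.7.3.3).</li>
  * </ul>
  * The decompiled listing compared the keyCertSign boolean to {@code 0}, which does not
  * compile; the intended "bit not set" test is restored here.
  *
  * @param paramX509Certificate CA certificate to check
  * @param paramSet working set of critical-extension OIDs still to be recognised; the
  *     KeyUsage OID is always removed, the ExtendedKeyUsage OID only when that extension
  *     is present and evaluated
  * @return {@code true} if the certificate passes both checks
  * @throws CertificateException propagated from {@code X509Util.getExtendedKeyUsage}
  * @throws IOException propagated from {@code X509Util.getExtendedKeyUsage}
  */
 private static boolean checkSignerKeyUsage(X509Certificate paramX509Certificate, Set paramSet)
     throws CertificateException, IOException {
   paramSet.remove("2.5.29.15");
   boolean[] keyUsage = paramX509Certificate.getKeyUsage();
   if (keyUsage != null && (keyUsage.length < 6 || !keyUsage[5])) {
     Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.lengthandbit");
     return false;
   }
   List extendedKeyUsage = X509Util.getExtendedKeyUsage(paramX509Certificate);
   Set<String> nonCriticalOids = paramX509Certificate.getNonCriticalExtensionOIDs();
   // getNonCriticalExtensionOIDs() may return null for a certificate without extensions.
   boolean ekuPresent =
       paramSet.contains("2.5.29.37")
           || (nonCriticalOids != null && nonCriticalOids.contains("2.5.29.37"));
   if (extendedKeyUsage != null && ekuPresent) {
     paramSet.remove("2.5.29.37");
     if (!extendedKeyUsage.contains("2.5.29.37.0")
         && !extendedKeyUsage.contains("1.3.6.1.5.5.7.3.3")) {
       Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.keyusage");
       return false;
     }
   }
   return true;
 }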
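 /**
  * Validates the key-usage related extensions of the end-entity certificate of a
  * code-signing chain and consumes the OIDs it understands from {@code paramSet}.
  *
  * <p>Checks performed, each logged under a {@code trustdecider.check.leafkeyusage.*}
  * key on failure:
  * <ul>
  *   <li>If a KeyUsage extension (OID 2.5.29.15) is present it must be non-empty and
  *       its digitalSignature bit (index 0 of {@link X509Certificate#getKeyUsage()})
  *       must be set. A certificate with no KeyUsage extension passes as written.</li>
  *   <li>If an ExtendedKeyUsage extension (OID 2.5.29.37) is present, critical or not,
  *       it must contain anyExtendedKeyUsage (2.5.29.37.0) or the purpose selected by
  *       {@code paramBoolean}: id-kp-timeStamping (1.3.6.1.5.5.7.3.8) for a TSA
  *       certificate, id-kp-codeSigning (1.3.6.1.5.5.7.3.3) otherwise.</li>
  *   <li>If a Netscape cert-type extension (2.16.840.1.113730.1.1) is present its
  *       {@code object_signing} bit must be set.</li>
  * </ul>
  * The decompiled listing copied the digitalSignature boolean into an {@code int},
  * which does not compile; the intended "bit not set" test is restored here.
  *
  * @param paramX509Certificate end-entity certificate to check
  * @param paramSet working set of critical-extension OIDs still to be recognised; the
  *     KeyUsage OID is always removed, the ExtendedKeyUsage OID only when that extension
  *     is present and evaluated
  * @param paramBoolean {@code true} if the certificate is expected to be a time-stamping
  *     (TSA) certificate, {@code false} for a code-signing certificate
  * @return {@code true} if the certificate passes all checks
  * @throws CertificateException propagated from the extension helpers
  * @throws IOException propagated from the extension helpers
  */
 private static boolean checkLeafKeyUsageForCodeSigning(
     X509Certificate paramX509Certificate, Set paramSet, boolean paramBoolean)
     throws CertificateException, IOException {
   paramSet.remove("2.5.29.15");
   boolean[] keyUsage = paramX509Certificate.getKeyUsage();
   if (keyUsage != null) {
     if (keyUsage.length == 0) {
       Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.length");
       return false;
     }
     if (!keyUsage[0]) {
       Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.digitalsignature");
       return false;
     }
   }
   List extendedKeyUsage = X509Util.getExtendedKeyUsage(paramX509Certificate);
   Set<String> nonCriticalOids = paramX509Certificate.getNonCriticalExtensionOIDs();
   // getNonCriticalExtensionOIDs() may return null for a certificate without extensions.
   boolean ekuPresent =
       paramSet.contains("2.5.29.37")
           || (nonCriticalOids != null && nonCriticalOids.contains("2.5.29.37"));
   if (extendedKeyUsage != null && ekuPresent) {
     paramSet.remove("2.5.29.37");
     // anyExtendedKeyUsage satisfies either profile; otherwise the purpose-specific OID
     // is required.
     String requiredPurpose = paramBoolean ? "1.3.6.1.5.5.7.3.8" : "1.3.6.1.5.5.7.3.3";
     String failureKey =
         paramBoolean
             ? "trustdecider.check.leafkeyusage.tsaextkeyusageinfo"
             : "trustdecider.check.leafkeyusage.extkeyusageinfo";
     if (!extendedKeyUsage.contains("2.5.29.37.0")
         && !extendedKeyUsage.contains(requiredPurpose)) {
       Trace.msgSecurityPrintln(failureKey);
       return false;
     }
   }
   if (paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null
       && !getNetscapeCertTypeBit(paramX509Certificate, "object_signing")) {
     Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.certtypebit");
     return false;
   }
   return true;
 }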
 /**
  * Validates the CA-related constraints of the certificate at position {@code paramInt}
  * of a code-signing chain and consumes the BasicConstraints (2.5.29.19) and Netscape
  * cert-type (2.16.840.1.113730.1.1) OIDs from {@code paramSet}.
  *
  * <p>The end-entity certificate (position 0) has nothing to satisfy here. For a CA
  * certificate, each failure logged under a {@code trustdecider.check.basicconstraints.*}
  * key:
  * <ul>
  *   <li>without BasicConstraints, the Netscape cert-type extension must be present with
  *       its {@code object_signing_ca} bit set;</li>
  *   <li>with BasicConstraints, a present Netscape cert-type extension that asserts any
  *       CA bit must include {@code object_signing_ca}; the certificate must be a CA
  *       ({@link X509Certificate#getBasicConstraints()} not negative); and its path
  *       length constraint must admit the {@code paramInt - 1} certificates below it.</li>
  * </ul>
  * NOTE(review): a CA without BasicConstraints is accepted on the Netscape cert-type bit
  * alone; this is legacy behaviour worth confirming is still wanted.
  *
  * @param paramX509Certificate certificate to check
  * @param paramSet working set of critical-extension OIDs still to be recognised
  * @param paramInt position in the chain, 0 for the end-entity certificate
  * @return {@code true} if the constraints are satisfied
  * @throws CertificateException propagated from {@code getNetscapeCertTypeBit}
  * @throws IOException propagated from {@code getNetscapeCertTypeBit}
  */
 private static boolean checkBasicConstraintsForCodeSigning(
     X509Certificate paramX509Certificate, Set paramSet, int paramInt)
     throws CertificateException, IOException {
   final String basicConstraintsOid = "2.5.29.19";
   final String netscapeCertTypeOid = "2.16.840.1.113730.1.1";
   paramSet.remove(basicConstraintsOid);
   paramSet.remove(netscapeCertTypeOid);
   if (paramInt == 0) {
     return true;
   }
   if (paramX509Certificate.getExtensionValue(basicConstraintsOid) == null) {
     if (paramX509Certificate.getExtensionValue(netscapeCertTypeOid) == null) {
       Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.extensionvalue");
       return false;
     }
     if (!getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")) {
       Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.certtypebit");
       return false;
     }
     return true;
   }
   boolean hasNetscapeCertType =
       paramX509Certificate.getExtensionValue(netscapeCertTypeOid) != null;
   if (hasNetscapeCertType
       && (getNetscapeCertTypeBit(paramX509Certificate, "ssl_ca")
           || getNetscapeCertTypeBit(paramX509Certificate, "s_mime_ca")
           || getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca"))
       && !getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")) {
     Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
     return false;
   }
   int pathLengthConstraint = paramX509Certificate.getBasicConstraints();
   if (pathLengthConstraint < 0) {
     Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.enduser");
     return false;
   }
   if (paramInt - 1 > pathLengthConstraint) {
     Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.pathlength");
     return false;
   }
   return true;
 }
 /**
  * Decides whether a TLS client certificate chain is trusted: consults the wrapped
  * platform trust manager first, then the deployment certificate stores, and otherwise
  * prompts the user through {@code TrustDeciderDialog} unless automation is enabled.
  *
  * <p>Returning normally means the chain is trusted (the {@code X509TrustManager}
  * contract); a {@link CertificateException} means it is not. The end-entity certificate
  * ({@code paramArrayOfX509Certificate[0]}) is recorded in the session, user or denied
  * store according to the decision.
  *
  * <p>NOTE(review): this decompiled listing assigns {@code k} before the {@code for}
  * loop declares it, and dereferences element 0 of the chain before the null/length
  * check; both look like decompiler artefacts of the original control flow — confirm
  * against the real source.
  *
  * @param paramArrayOfX509Certificate peer certificate chain, end-entity first
  * @param paramString authentication type, forwarded only to the wrapped trust manager
  * @param paramSocket the connection socket; cast to {@link SSLSocket} without a check
  * @throws CertificateException if the certificate was previously denied, the user
  *     denies it, or the decision could not be completed
  */
 public synchronized void checkClientTrusted(
     X509Certificate[] paramArrayOfX509Certificate, String paramString, Socket paramSocket)
     throws CertificateException {
   SSLSocket localSSLSocket = (SSLSocket) paramSocket;
   SSLSession localSSLSession = localSSLSocket.getHandshakeSession();
   String str1 = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm();
   String str2 = localSSLSession.getPeerHost();
   // NOTE(review): an endpoint-identification algorithm this class does not support
   // makes the method return — i.e. trust the chain — without any store, validity or
   // dialog check. Confirm this is intended.
   if ((str1 != null) && (!isSupportedAlgorithm(str1))) return;
   // bool: the chain's last certificate is not anchored in any known root store.
   boolean bool = false;
   // i: validity state of the chain, -1 expired, 1 not yet valid, 0 valid (see loop below).
   int i = 0;
   if (this.trustManager == null)
     throw new IllegalStateException("TrustManager should not be null");
   // j: decision; -1 until set. 0 and 2 are the accepting outcomes (session / user store),
   // anything else is a denial — see the final check at the end of the method.
   int j = -1;
   try {
     rootStore.load();
     sslRootStore.load();
     permanentStore.load();
     sessionStore.load();
     deniedStore.load();
     if ((browserSSLRootStore != null) && (!isBrowserSSLRootStoreLoaded)) {
       browserSSLRootStore.load();
       isBrowserSSLRootStoreLoaded = true;
     }
     // A previous explicit denial is final for this certificate.
     if (deniedStore.contains(paramArrayOfX509Certificate[0]))
       throw new CertificateException("Certificate has been denied");
     // Let the platform trust manager decide first; its rejection is deliberately
     // swallowed so the store lookups and the user prompt below get their turn.
     if (!alwaysShow)
       try {
         this.trustManager.checkClientTrusted(
             paramArrayOfX509Certificate, paramString, localSSLSocket);
         return;
       } catch (CertificateException localCertificateException1) {
       }
     if (sessionStore.contains(paramArrayOfX509Certificate[0])) return;
     if (permanentStore.contains(paramArrayOfX509Certificate[0])) return;
     if ((paramArrayOfX509Certificate != null) && (paramArrayOfX509Certificate.length > 0)) {
       // Decompiler artefact: k is declared by the for loop further down.
       k = paramArrayOfX509Certificate.length - 1;
       if ((!rootStore.verify(paramArrayOfX509Certificate[k]))
           && (!sslRootStore.verify(paramArrayOfX509Certificate[k]))
           && ((browserSSLRootStore == null)
               || (!browserSSLRootStore.verify(paramArrayOfX509Certificate[k])))) bool = true;
     }
     // Every certificate is checked; a later certificate's state overwrites an earlier one's.
     for (int k = 0; k < paramArrayOfX509Certificate.length; k++)
       try {
         paramArrayOfX509Certificate[k].checkValidity();
       } catch (CertificateExpiredException localCertificateExpiredException) {
         i = -1;
       } catch (CertificateNotYetValidException localCertificateNotYetValidException) {
         i = 1;
       }
     if (!Trace.isAutomationEnabled()) {
       // Prompt when forced, when the root is unknown, when validity failed, or when
       // host-name mismatch prompting is on and the peer host does not match the
       // certificate's server name (wildcards honoured).
       k =
           (alwaysShow)
                   || (bool)
                   || (i != 0)
                   || ((mismatchShow)
                       && (!CertUtils.checkWildcardDomainList(
                           str2, CertUtils.getServername(paramArrayOfX509Certificate[0]))))
               ? 1
               : 0;
       if (k != 0) {
         Trace.msgSecurityPrintln("x509trustmgr.check.invalidcert");
         // The URL is informational for the dialog only; a malformed one leaves it null.
         URL localURL = null;
         try {
           localURL =
               new URL("https", localSSLSession.getPeerHost(), localSSLSession.getPeerPort(), "");
         } catch (Exception localException) {
         }
         j =
             TrustDeciderDialog.showDialog(
                 paramArrayOfX509Certificate,
                 localURL,
                 0,
                 paramArrayOfX509Certificate.length,
                 bool,
                 i,
                 null,
                 new AppInfo(),
                 true,
                 str2);
       } else {
         j = 0;
       }
     } else {
       // Under automation nothing is prompted and the certificate is accepted for the session.
       Trace.msgSecurityPrintln("x509trustmgr.automation.ignoreclientcert");
       j = 0;
     }
     if (j == 0) {
       sessionStore.add(paramArrayOfX509Certificate[0]);
       sessionStore.save();
     } else if (j == 2) {
       CertStore localCertStore = DeploySSLCertStore.getUserCertStore();
       localCertStore.load(true);
       if (localCertStore.add(paramArrayOfX509Certificate[0])) localCertStore.save();
     } else {
       deniedStore.add(paramArrayOfX509Certificate[0]);
       deniedStore.save();
     }
   } catch (CertificateException localCertificateException2) {
     throw localCertificateException2;
   } catch (Throwable localThrowable) {
     // Any other failure is only printed; j keeps whatever value it had. Before a
     // decision (j == -1) this ends in the rejection below, but a failure while saving
     // a store after j was set to 0 or 2 still leaves the chain trusted — worth confirming.
     localThrowable.printStackTrace();
   }
   if ((j != 0) && (j != 2)) throw new CertificateException("Java couldn't trust Client");
 }