/* */ private boolean isWorthTrying(
X509Certificate paramX509Certificate1, X509Certificate paramX509Certificate2)
/* */ {
/* 220 */ boolean bool = false;
/* */
/* 222 */ if (debug != null) {
/* 223 */ debug.println(
"PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...");
/* */ }
/* */
/* 227 */ if (paramX509Certificate2 == null) {
/* 228 */ return true;
/* */ }
/* */
/* 231 */ AdaptableX509CertSelector localAdaptableX509CertSelector =
new AdaptableX509CertSelector();
/* */
/* 235 */ localAdaptableX509CertSelector.setSubject(
paramX509Certificate2.getIssuerX500Principal());
/* */
/* 238 */ localAdaptableX509CertSelector.setValidityPeriod(
paramX509Certificate2.getNotBefore(), paramX509Certificate2.getNotAfter());
/* */ try
/* */ {
/* 246 */ X509CertImpl localX509CertImpl = X509CertImpl.toImpl(paramX509Certificate2);
/* 247 */ localAdaptableX509CertSelector.parseAuthorityKeyIdentifierExtension(
localX509CertImpl.getAuthorityKeyIdentifierExtension());
/* */
/* 250 */ bool = localAdaptableX509CertSelector.match(paramX509Certificate1);
/* */ }
/* */ catch (Exception localException)
/* */ {
/* */ }
/* 255 */ if (debug != null) {
/* 256 */ if (bool) /* 257 */ debug.println("YES - try this trustedCert");
/* */ else {
/* 259 */ debug.println("NO - don't try this trustedCert");
/* */ }
/* */ }
/* */
/* 263 */ return bool;
/* */ }
/**
* Verifies a matching certificate.
*
* <p>This method executes any of the validation steps in the PKIX path validation algorithm which
* were not satisfied via filtering out non-compliant certificates with certificate matching
* rules.
*
* <p>If the last certificate is being verified (the one whose subject matches the target subject,
* then the steps in Section 6.1.4 of the Certification Path Validation algorithm are NOT
* executed, regardless of whether or not the last cert is an end-entity cert or not. This allows
* callers to certify CA certs as well as EE certs.
*
* @param cert the certificate to be verified
* @param currentState the current state against which the cert is verified
* @param certPathList the certPathList generated thus far
*/
void verifyCert(X509Certificate cert, State currState, List certPathList)
throws GeneralSecurityException {
if (debug != null)
debug.println(
"ReverseBuilder.verifyCert(SN: "
+ Debug.toHexString(cert.getSerialNumber())
+ "\n Subject: "
+ cert.getSubjectX500Principal()
+ ")");
ReverseState currentState = (ReverseState) currState;
/* we don't perform any validation of the trusted cert */
if (currentState.isInitial()) {
return;
}
/*
* check for looping - abort a loop if
* ((we encounter the same certificate twice) AND
* ((policyMappingInhibited = true) OR (no policy mapping
* extensions can be found between the occurences of the same
* certificate)))
* in order to facilitate the check to see if there are
* any policy mapping extensions found between the occurences
* of the same certificate, we reverse the certpathlist first
*/
if ((certPathList != null) && (!certPathList.isEmpty())) {
List reverseCertList = new ArrayList();
Iterator iter = certPathList.iterator();
while (iter.hasNext()) {
reverseCertList.add(0, iter.next());
}
Iterator cpListIter = reverseCertList.iterator();
boolean policyMappingFound = false;
while (cpListIter.hasNext()) {
X509Certificate cpListCert = (X509Certificate) cpListIter.next();
X509CertImpl cpListCertImpl = X509CertImpl.toImpl(cpListCert);
PolicyMappingsExtension policyMappingsExt = cpListCertImpl.getPolicyMappingsExtension();
if (policyMappingsExt != null) {
policyMappingFound = true;
}
if (debug != null) debug.println("policyMappingFound = " + policyMappingFound);
if (cert.equals(cpListCert)) {
if ((buildParams.isPolicyMappingInhibited()) || (!policyMappingFound)) {
if (debug != null) debug.println("loop detected!!");
throw new CertPathValidatorException("loop detected");
}
}
}
}
/* check if target cert */
boolean finalCert = cert.getSubjectX500Principal().equals(targetSubjectDN);
/* check if CA cert */
boolean caCert = (cert.getBasicConstraints() != -1 ? true : false);
/* if there are more certs to follow, verify certain constraints */
if (!finalCert) {
/* check if CA cert */
if (!caCert) throw new CertPathValidatorException("cert is NOT a CA cert");
/* If the certificate was not self-issued, verify that
* remainingCerts is greater than zero
*/
if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
throw new CertPathValidatorException("pathLenConstraint violated, path too long");
}
/*
* Check keyUsage extension (only if CA cert and not final cert)
*/
KeyChecker.verifyCAKeyUsage(cert);
} else {
/*
* If final cert, check that it satisfies specified target
* constraints
*/
if (targetCertSelector.match(cert) == false) {
throw new CertPathValidatorException("target certificate " + "constraints check failed");
}
}
/*
* Check revocation.
*/
if (buildParams.isRevocationEnabled()) {
boolean crlSign = currentState.crlChecker.check(cert, currentState.pubKey, true);
// if this cert can't vouch for the CRL on the next cert, and
// if this wasn't the last cert in the chain, then we can't
// keep going from here!
// NOTE: if we ever add indirect/idp support, this will have
// to change...
if ((!crlSign) && (!finalCert))
throw new CertPathValidatorException("cert can't vouch for crl");
}
/* Check name constraints if this is not a self-issued cert */
if (finalCert || !X509CertImpl.isSelfIssued(cert)) {
if (currentState.nc != null) {
try {
if (!currentState.nc.verify(cert)) {
throw new CertPathValidatorException("name constraints check failed");
}
} catch (IOException ioe) {
throw new CertPathValidatorException(ioe);
}
}
}
/*
* Check policy
*/
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
currentState.rootNode =
PolicyChecker.processPolicies(
currentState.certIndex,
initPolicies,
currentState.explicitPolicy,
currentState.policyMapping,
currentState.inhibitAnyPolicy,
buildParams.getPolicyQualifiersRejected(),
currentState.rootNode,
certImpl,
finalCert);
/*
* Check CRITICAL private extensions
*/
Set unresolvedCritExts = cert.getCriticalExtensionOIDs();
if (unresolvedCritExts == null) {
unresolvedCritExts = Collections.EMPTY_SET;
}
Iterator i = currentState.userCheckers.iterator();
while (i.hasNext()) {
PKIXCertPathChecker checker = (PKIXCertPathChecker) i.next();
checker.check(cert, unresolvedCritExts);
}
/*
* Look at the remaining extensions and remove any ones we have
* already checked. If there are any left, throw an exception!
*/
if (!unresolvedCritExts.isEmpty()) {
unresolvedCritExts.remove(PKIXExtensions.BasicConstraints_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.NameConstraints_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.CertificatePolicies_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.PolicyMappings_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.PolicyConstraints_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.KeyUsage_Id.toString());
unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresolvedCritExts.isEmpty())
throw new CertificateException("Unrecognized critical extension(s)");
}
/*
* Check signature.
*/
if (buildParams.getSigProvider() != null) {
cert.verify(currentState.pubKey, buildParams.getSigProvider());
} else {
cert.verify(currentState.pubKey);
}
}
