public static void checkUsageForCodeSigning(
X509Certificate paramX509Certificate, int paramInt, boolean paramBoolean)
throws CertificateException, IOException {
String str = null;
Set localSet = paramX509Certificate.getCriticalExtensionOIDs();
if (localSet == null) localSet = Collections.EMPTY_SET;
if (!checkBasicConstraintsForCodeSigning(paramX509Certificate, localSet, paramInt)) {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints");
str = ResourceManager.getMessage("trustdecider.check.basicconstraints");
throw new CertificateException(str);
}
if (paramInt == 0) {
if (!checkLeafKeyUsageForCodeSigning(paramX509Certificate, localSet, paramBoolean)) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage");
str = ResourceManager.getMessage("trustdecider.check.leafkeyusage");
throw new CertificateException(str);
}
} else if (!checkSignerKeyUsage(paramX509Certificate, localSet)) {
Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage");
str = ResourceManager.getMessage("trustdecider.check.signerkeyusage");
throw new CertificateException(str);
}
if (!localSet.isEmpty()) {
Trace.msgSecurityPrintln("trustdecider.check.extensions");
str = ResourceManager.getMessage("trustdecider.check.extensions");
throw new CertificateException(str);
}
}
static boolean hasAIAExtensionWithOCSPAccessMethod(X509Certificate paramX509Certificate)
throws IOException {
AuthorityInfoAccessExtension localAuthorityInfoAccessExtension = null;
Object localObject;
if ((paramX509Certificate instanceof X509CertImpl)) {
localAuthorityInfoAccessExtension =
((X509CertImpl) paramX509Certificate).getAuthorityInfoAccessExtension();
} else {
localObject = paramX509Certificate.getExtensionValue("1.3.6.1.5.5.7.1.1");
if (localObject == null) {
Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.notfound");
return false;
}
if (localObject[0] == 4) localObject = new DerValue(localObject).getOctetString();
Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
localAuthorityInfoAccessExtension =
new AuthorityInfoAccessExtension(new Boolean(false), localObject);
}
if (localAuthorityInfoAccessExtension != null) {
Trace.msgSecurityPrintln(localAuthorityInfoAccessExtension.toString());
localObject = localAuthorityInfoAccessExtension.getAccessDescriptions();
Iterator localIterator = ((List) localObject).iterator();
while (localIterator.hasNext()) {
AccessDescription localAccessDescription = (AccessDescription) localIterator.next();
if (localAccessDescription.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id))
return true;
}
}
return false;
}
static boolean checkTLSClient(X509Certificate paramX509Certificate) throws CertificateException {
if (!checkKeyUsage(paramX509Certificate, 0)) {
Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkKeyUsage");
return false;
}
if (!checkEKU(paramX509Certificate, "1.3.6.1.5.5.7.3.2")) {
Trace.msgSecurityPrintln("clientauth.checkTLSClient.checkEKU");
return false;
}
return true;
}
static boolean getCertCRLExtension(X509Certificate paramX509Certificate) throws IOException {
byte[] arrayOfByte = paramX509Certificate.getExtensionValue("2.5.29.31");
if (arrayOfByte == null) {
Trace.msgSecurityPrintln("trustdecider.check.validation.crl.notfound");
return false;
}
if (arrayOfByte[0] == 4) arrayOfByte = new DerValue(arrayOfByte).getOctetString();
Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
CRLDistributionPointsExtension localCRLDistributionPointsExtension =
new CRLDistributionPointsExtension(new Boolean(false), arrayOfByte);
Trace.msgSecurityPrintln(localCRLDistributionPointsExtension.toString());
return true;
}
private static boolean checkSignerKeyUsage(X509Certificate paramX509Certificate, Set paramSet)
throws CertificateException, IOException {
paramSet.remove("2.5.29.15");
boolean[] arrayOfBoolean = paramX509Certificate.getKeyUsage();
if ((arrayOfBoolean != null) && ((arrayOfBoolean.length < 6) || (arrayOfBoolean[5] == 0))) {
Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.lengthandbit");
return false;
}
List localList = X509Util.getExtendedKeyUsage(paramX509Certificate);
Set localSet = paramX509Certificate.getNonCriticalExtensionOIDs();
if ((localList != null)
&& ((paramSet.contains("2.5.29.37")) || (localSet.contains("2.5.29.37")))) {
paramSet.remove("2.5.29.37");
if ((!localList.contains("2.5.29.37.0")) && (!localList.contains("1.3.6.1.5.5.7.3.3"))) {
Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.keyusage");
return false;
}
}
return true;
}
private static boolean checkLeafKeyUsageForCodeSigning(
X509Certificate paramX509Certificate, Set paramSet, boolean paramBoolean)
throws CertificateException, IOException {
paramSet.remove("2.5.29.15");
boolean[] arrayOfBoolean = paramX509Certificate.getKeyUsage();
if (arrayOfBoolean != null) {
if (arrayOfBoolean.length == 0) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.length");
return false;
}
int i = arrayOfBoolean[0];
if (i == 0) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.digitalsignature");
return false;
}
}
List localList = X509Util.getExtendedKeyUsage(paramX509Certificate);
Set localSet = paramX509Certificate.getNonCriticalExtensionOIDs();
if ((localList != null)
&& ((paramSet.contains("2.5.29.37")) || (localSet.contains("2.5.29.37")))) {
paramSet.remove("2.5.29.37");
if (paramBoolean) {
if ((!localList.contains("2.5.29.37.0")) && (!localList.contains("1.3.6.1.5.5.7.3.8"))) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.tsaextkeyusageinfo");
return false;
}
} else if ((!localList.contains("2.5.29.37.0"))
&& (!localList.contains("1.3.6.1.5.5.7.3.3"))) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.extkeyusageinfo");
return false;
}
}
if ((paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null)
&& (!getNetscapeCertTypeBit(paramX509Certificate, "object_signing"))) {
Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.certtypebit");
return false;
}
return true;
}
private static boolean checkBasicConstraintsForCodeSigning(
X509Certificate paramX509Certificate, Set paramSet, int paramInt)
throws CertificateException, IOException {
paramSet.remove("2.5.29.19");
paramSet.remove("2.16.840.1.113730.1.1");
if (paramInt == 0) return true;
if (paramX509Certificate.getExtensionValue("2.5.29.19") == null) {
if (paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null) {
if (!getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")) {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.certtypebit");
return false;
}
} else {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.extensionvalue");
return false;
}
} else {
if ((paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null)
&& ((getNetscapeCertTypeBit(paramX509Certificate, "ssl_ca"))
|| (getNetscapeCertTypeBit(paramX509Certificate, "s_mime_ca"))
|| (getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")))
&& (!getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca"))) {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
return false;
}
int i = paramX509Certificate.getBasicConstraints();
if (i < 0) {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.enduser");
return false;
}
if (paramInt - 1 > i) {
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.pathlength");
return false;
}
}
return true;
}
public synchronized void checkClientTrusted(
X509Certificate[] paramArrayOfX509Certificate, String paramString, Socket paramSocket)
throws CertificateException {
SSLSocket localSSLSocket = (SSLSocket) paramSocket;
SSLSession localSSLSession = localSSLSocket.getHandshakeSession();
String str1 = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm();
String str2 = localSSLSession.getPeerHost();
if ((str1 != null) && (!isSupportedAlgorithm(str1))) return;
boolean bool = false;
int i = 0;
if (this.trustManager == null)
throw new IllegalStateException("TrustManager should not be null");
int j = -1;
try {
rootStore.load();
sslRootStore.load();
permanentStore.load();
sessionStore.load();
deniedStore.load();
if ((browserSSLRootStore != null) && (!isBrowserSSLRootStoreLoaded)) {
browserSSLRootStore.load();
isBrowserSSLRootStoreLoaded = true;
}
if (deniedStore.contains(paramArrayOfX509Certificate[0]))
throw new CertificateException("Certificate has been denied");
if (!alwaysShow)
try {
this.trustManager.checkClientTrusted(
paramArrayOfX509Certificate, paramString, localSSLSocket);
return;
} catch (CertificateException localCertificateException1) {
}
if (sessionStore.contains(paramArrayOfX509Certificate[0])) return;
if (permanentStore.contains(paramArrayOfX509Certificate[0])) return;
if ((paramArrayOfX509Certificate != null) && (paramArrayOfX509Certificate.length > 0)) {
k = paramArrayOfX509Certificate.length - 1;
if ((!rootStore.verify(paramArrayOfX509Certificate[k]))
&& (!sslRootStore.verify(paramArrayOfX509Certificate[k]))
&& ((browserSSLRootStore == null)
|| (!browserSSLRootStore.verify(paramArrayOfX509Certificate[k])))) bool = true;
}
for (int k = 0; k < paramArrayOfX509Certificate.length; k++)
try {
paramArrayOfX509Certificate[k].checkValidity();
} catch (CertificateExpiredException localCertificateExpiredException) {
i = -1;
} catch (CertificateNotYetValidException localCertificateNotYetValidException) {
i = 1;
}
if (!Trace.isAutomationEnabled()) {
k =
(alwaysShow)
|| (bool)
|| (i != 0)
|| ((mismatchShow)
&& (!CertUtils.checkWildcardDomainList(
str2, CertUtils.getServername(paramArrayOfX509Certificate[0]))))
? 1
: 0;
if (k != 0) {
Trace.msgSecurityPrintln("x509trustmgr.check.invalidcert");
URL localURL = null;
try {
localURL =
new URL("https", localSSLSession.getPeerHost(), localSSLSession.getPeerPort(), "");
} catch (Exception localException) {
}
j =
TrustDeciderDialog.showDialog(
paramArrayOfX509Certificate,
localURL,
0,
paramArrayOfX509Certificate.length,
bool,
i,
null,
new AppInfo(),
true,
str2);
} else {
j = 0;
}
} else {
Trace.msgSecurityPrintln("x509trustmgr.automation.ignoreclientcert");
j = 0;
}
if (j == 0) {
sessionStore.add(paramArrayOfX509Certificate[0]);
sessionStore.save();
} else if (j == 2) {
CertStore localCertStore = DeploySSLCertStore.getUserCertStore();
localCertStore.load(true);
if (localCertStore.add(paramArrayOfX509Certificate[0])) localCertStore.save();
} else {
deniedStore.add(paramArrayOfX509Certificate[0]);
deniedStore.save();
}
} catch (CertificateException localCertificateException2) {
throw localCertificateException2;
} catch (Throwable localThrowable) {
localThrowable.printStackTrace();
}
if ((j != 0) && (j != 2)) throw new CertificateException("Java couldn't trust Client");
}
