コード例 #1
0
  /*
   * Retrieves all CA certificates which satisfy constraints
   * and requirements specified in the parameters and PKIX state.
   */
  private Collection getMatchingCACerts(ReverseState currentState)
      throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    CertPathHelper.setIssuer(sel, currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(date);

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    sel.addPathToName(4, targetCertSelector.getSubjectAsBytes());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
    AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
    	(KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
    			null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
         }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList reverseCerts = new ArrayList();
    addMatchingCerts(sel, buildParams.getCertStores(), reverseCerts);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
      debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs.");
    return reverseCerts;
  }
コード例 #2
0
  /*
   * Retrieves all end-entity certificates which satisfy constraints
   * and requirements specified in the parameters and PKIX state.
   */
  private Collection getMatchingEECerts(ReverseState currentState)
      throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints,
     * and then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) buildParams.getTargetCertConstraints();

    /*
     * Match on issuer (subject of previous cert)
     */
    CertPathHelper.setIssuer(sel, currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(date);

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
    AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
    	(KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
    	null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
         }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet eeCerts = new HashSet();
    addMatchingCerts(sel, buildParams.getCertStores(), eeCerts);

    if (debug != null) {
      debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs.");
    }
    return eeCerts;
  }