/**
 * Validates the extensions of one certificate in a code-signing chain.
 * <p>
 * {@code paramInt} is the certificate's position in the chain: {@code 0} selects the
 * end-entity rules ({@code checkLeafKeyUsageForCodeSigning}), any other value the
 * signer/CA rules ({@code checkSignerKeyUsage}). The checks remove every critical
 * extension OID they understand from the working set as they consume it; a critical
 * extension that is still left afterwards is unknown to this code and makes the
 * certificate unacceptable, so unrecognised critical extensions are never ignored.
 *
 * @param paramX509Certificate the certificate to check
 * @param paramInt             the certificate's index in the chain, 0 for the end-entity certificate
 * @param paramBoolean         forwarded to the leaf key-usage check, where it selects the
 *                             timestamping EKU rule instead of the code-signing one
 * @throws CertificateException if any check fails; the message is the localized resource
 *                              text for the failed check
 * @throws IOException          if an extension cannot be parsed
 */
public static void checkUsageForCodeSigning(X509Certificate paramX509Certificate, int paramInt, boolean paramBoolean)
        throws CertificateException, IOException {
    Set<String> criticalOids = paramX509Certificate.getCriticalExtensionOIDs();
    if (criticalOids == null) {
        criticalOids = Collections.emptySet();
    }

    if (!checkBasicConstraintsForCodeSigning(paramX509Certificate, criticalOids, paramInt)) {
        throw checkFailure("trustdecider.check.basicconstraints");
    }

    boolean isEndEntity = (paramInt == 0);
    boolean keyUsageOk = isEndEntity
            ? checkLeafKeyUsageForCodeSigning(paramX509Certificate, criticalOids, paramBoolean)
            : checkSignerKeyUsage(paramX509Certificate, criticalOids);
    if (!keyUsageOk) {
        throw checkFailure(isEndEntity ? "trustdecider.check.leafkeyusage" : "trustdecider.check.signerkeyusage");
    }

    // Whatever is still critical was not handled by any check above: reject rather than ignore it.
    if (!criticalOids.isEmpty()) {
        throw checkFailure("trustdecider.check.extensions");
    }
}

/**
 * Logs the failed check under {@code key} and builds the exception carrying its localized message.
 *
 * @param key the trace / resource key of the check that failed
 * @return the exception for the caller to throw
 */
private static CertificateException checkFailure(String key) {
    Trace.msgSecurityPrintln(key);
    return new CertificateException(ResourceManager.getMessage(key));
}
/**
 * Reports whether the certificate carries an Authority Information Access extension
 * (OID 1.3.6.1.5.5.7.1.1) with at least one access description whose access method is OCSP.
 * <p>
 * For {@code X509CertImpl} instances the already-parsed extension is used. For any other
 * implementation the raw extension value is fetched, unwrapped from its OCTET STRING envelope
 * when present, and parsed as a non-critical AIA extension; the subject alias name and the
 * parsed extension are written to the security trace along the way.
 *
 * @param paramX509Certificate the certificate to inspect
 * @return {@code true} if an OCSP access method is listed, {@code false} if the extension is
 *         absent or names no OCSP responder
 * @throws IOException if the extension value cannot be DER-decoded
 */
static boolean hasAIAExtensionWithOCSPAccessMethod(X509Certificate paramX509Certificate) throws IOException {
    AuthorityInfoAccessExtension aia;
    if (paramX509Certificate instanceof X509CertImpl) {
        aia = ((X509CertImpl) paramX509Certificate).getAuthorityInfoAccessExtension();
    } else {
        byte[] encoded = paramX509Certificate.getExtensionValue("1.3.6.1.5.5.7.1.1");
        if (encoded == null) {
            Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.notfound");
            return false;
        }
        // getExtensionValue() hands back the extnValue OCTET STRING (DER tag 4); unwrap it before parsing.
        if (encoded[0] == 4) {
            encoded = new DerValue(encoded).getOctetString();
        }
        Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
        aia = new AuthorityInfoAccessExtension(Boolean.FALSE, encoded);
    }

    if (aia == null) {
        return false;
    }
    Trace.msgSecurityPrintln(aia.toString());
    for (Object element : aia.getAccessDescriptions()) {
        AccessDescription description = (AccessDescription) element;
        if (description.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
            return true;
        }
    }
    return false;
}
/**
 * Checks that a certificate is usable for TLS client authentication.
 * <p>
 * Two conditions are required: {@code checkKeyUsage(cert, 0)} must pass, and
 * {@code checkEKU} must accept id-kp-clientAuth (1.3.6.1.5.5.7.3.2). The first
 * failing condition is written to the security trace.
 *
 * @param paramX509Certificate the client certificate
 * @return {@code true} if both checks pass, {@code false} otherwise
 * @throws CertificateException propagated from the underlying checks
 */
static boolean checkTLSClient(X509Certificate paramX509Certificate) throws CertificateException {
    String failedCheck = null;
    if (!checkKeyUsage(paramX509Certificate, 0)) {
        failedCheck = "clientauth.checkTLSClient.checkKeyUsage";
    } else if (!checkEKU(paramX509Certificate, "1.3.6.1.5.5.7.3.2")) {
        failedCheck = "clientauth.checkTLSClient.checkEKU";
    }

    if (failedCheck != null) {
        Trace.msgSecurityPrintln(failedCheck);
        return false;
    }
    return true;
}
/**
 * Parses and traces the certificate's CRL Distribution Points extension (OID 2.5.29.31).
 * <p>
 * The raw value is unwrapped from its OCTET STRING envelope when present and parsed as a
 * non-critical {@code CRLDistributionPointsExtension}; the subject alias name and the parsed
 * extension are written to the security trace. This only establishes that a well-formed
 * extension exists — no CRL is fetched or evaluated here.
 *
 * @param paramX509Certificate the certificate to inspect
 * @return {@code true} if the extension is present and parses, {@code false} if it is absent
 * @throws IOException if the extension value cannot be DER-decoded
 */
static boolean getCertCRLExtension(X509Certificate paramX509Certificate) throws IOException {
    byte[] encoded = paramX509Certificate.getExtensionValue("2.5.29.31");
    if (encoded == null) {
        Trace.msgSecurityPrintln("trustdecider.check.validation.crl.notfound");
        return false;
    }

    // Strip the extnValue OCTET STRING envelope (DER tag 4) if getExtensionValue() left it on.
    byte[] inner = (encoded[0] == 4) ? new DerValue(encoded).getOctetString() : encoded;
    Trace.msgSecurityPrintln(extractSubjectAliasName(paramX509Certificate));
    CRLDistributionPointsExtension crlDistributionPoints = new CRLDistributionPointsExtension(Boolean.FALSE, inner);
    Trace.msgSecurityPrintln(crlDistributionPoints.toString());
    return true;
}
/**
 * Key-usage check for a signer/CA certificate in a code-signing chain.
 * <p>
 * Consumes the KeyUsage (2.5.29.15) and, when present, ExtendedKeyUsage (2.5.29.37) OIDs
 * from {@code paramSet}, the caller's set of still-unhandled critical extensions. Rules:
 * <ul>
 *   <li>If a KeyUsage extension exists, bit 5 (keyCertSign) must be set. A certificate
 *       without any KeyUsage extension passes this part.</li>
 *   <li>If an ExtendedKeyUsage extension exists (critical or not), it must contain
 *       anyExtendedKeyUsage (2.5.29.37.0) or id-kp-codeSigning (1.3.6.1.5.5.7.3.3).</li>
 * </ul>
 *
 * @param paramX509Certificate the signer certificate
 * @param paramSet             mutable set of critical extension OIDs; handled OIDs are removed from it
 * @return {@code true} if the certificate is acceptable as a code-signing signer, {@code false} otherwise
 * @throws CertificateException propagated from the EKU lookup
 * @throws IOException          propagated from the EKU lookup
 */
private static boolean checkSignerKeyUsage(X509Certificate paramX509Certificate, Set paramSet)
        throws CertificateException, IOException {
    paramSet.remove("2.5.29.15");

    boolean[] keyUsage = paramX509Certificate.getKeyUsage();
    // Bit 5 of the KeyUsage BIT STRING is keyCertSign; a shorter array or a clear bit fails.
    boolean keyCertSignMissing = keyUsage != null && (keyUsage.length < 6 || !keyUsage[5]);
    if (keyCertSignMissing) {
        Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.lengthandbit");
        return false;
    }

    List extendedKeyUsage = X509Util.getExtendedKeyUsage(paramX509Certificate);
    Set nonCriticalOids = paramX509Certificate.getNonCriticalExtensionOIDs();
    boolean ekuPresent = extendedKeyUsage != null
            && (paramSet.contains("2.5.29.37") || nonCriticalOids.contains("2.5.29.37"));
    if (!ekuPresent) {
        return true;
    }

    paramSet.remove("2.5.29.37");
    boolean permitsCodeSigning = extendedKeyUsage.contains("2.5.29.37.0")
            || extendedKeyUsage.contains("1.3.6.1.5.5.7.3.3");
    if (!permitsCodeSigning) {
        Trace.msgSecurityPrintln("trustdecider.check.signerkeyusage.keyusage");
        return false;
    }
    return true;
}
/**
 * Key-usage check for the end-entity certificate of a code-signing (or timestamping) chain.
 * <p>
 * Consumes the KeyUsage (2.5.29.15) and, when present, ExtendedKeyUsage (2.5.29.37) OIDs
 * from {@code paramSet}, the caller's set of still-unhandled critical extensions. Rules:
 * <ul>
 *   <li>If a KeyUsage extension exists it must be non-empty and bit 0 (digitalSignature)
 *       must be set. A certificate without any KeyUsage extension passes this part.</li>
 *   <li>If an ExtendedKeyUsage extension exists (critical or not), it must contain
 *       anyExtendedKeyUsage (2.5.29.37.0) or the purpose selected by {@code paramBoolean}:
 *       id-kp-timeStamping (1.3.6.1.5.5.7.3.8) when {@code true}, id-kp-codeSigning
 *       (1.3.6.1.5.5.7.3.3) when {@code false}.</li>
 *   <li>If a Netscape cert-type extension (2.16.840.1.113730.1.1) exists, its
 *       {@code object_signing} bit must be set.</li>
 * </ul>
 *
 * @param paramX509Certificate the end-entity certificate
 * @param paramSet             mutable set of critical extension OIDs; handled OIDs are removed from it
 * @param paramBoolean         {@code true} to apply the timestamping EKU rule, {@code false} for code signing
 * @return {@code true} if every rule passes, {@code false} otherwise (the failed rule is traced)
 * @throws CertificateException propagated from the EKU / cert-type lookups
 * @throws IOException          propagated from the EKU / cert-type lookups
 */
private static boolean checkLeafKeyUsageForCodeSigning(X509Certificate paramX509Certificate, Set paramSet, boolean paramBoolean)
        throws CertificateException, IOException {
    paramSet.remove("2.5.29.15");

    boolean[] keyUsage = paramX509Certificate.getKeyUsage();
    if (keyUsage != null) {
        if (keyUsage.length == 0) {
            Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.length");
            return false;
        }
        // Bit 0 of KeyUsage is digitalSignature, which a code-signing end-entity must carry.
        if (!keyUsage[0]) {
            Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.digitalsignature");
            return false;
        }
    }

    List extendedKeyUsage = X509Util.getExtendedKeyUsage(paramX509Certificate);
    Set nonCriticalOids = paramX509Certificate.getNonCriticalExtensionOIDs();
    boolean ekuPresent = extendedKeyUsage != null
            && (paramSet.contains("2.5.29.37") || nonCriticalOids.contains("2.5.29.37"));
    if (ekuPresent) {
        paramSet.remove("2.5.29.37");
        String requiredPurpose = paramBoolean ? "1.3.6.1.5.5.7.3.8" : "1.3.6.1.5.5.7.3.3";
        String failureKey = paramBoolean
                ? "trustdecider.check.leafkeyusage.tsaextkeyusageinfo"
                : "trustdecider.check.leafkeyusage.extkeyusageinfo";
        boolean purposeAllowed = extendedKeyUsage.contains("2.5.29.37.0")
                || extendedKeyUsage.contains(requiredPurpose);
        if (!purposeAllowed) {
            Trace.msgSecurityPrintln(failureKey);
            return false;
        }
    }

    boolean hasNetscapeCertType = paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null;
    if (hasNetscapeCertType && !getNetscapeCertTypeBit(paramX509Certificate, "object_signing")) {
        Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.certtypebit");
        return false;
    }
    return true;
}
/**
 * Basic-constraints check for one certificate of a code-signing chain.
 * <p>
 * Consumes the BasicConstraints (2.5.29.19) and Netscape cert-type (2.16.840.1.113730.1.1)
 * OIDs from {@code paramSet}, the caller's set of still-unhandled critical extensions.
 * An end-entity certificate ({@code paramInt == 0}) is accepted without further checks.
 * For any other position:
 * <ul>
 *   <li>Without a BasicConstraints extension, a Netscape cert-type extension with the
 *       {@code object_signing_ca} bit set is required instead.</li>
 *   <li>With a BasicConstraints extension, a Netscape cert-type extension that sets any
 *       of {@code ssl_ca}, {@code s_mime_ca} or {@code object_signing_ca} must also set
 *       {@code object_signing_ca}; the certificate must be a CA (path length &gt;= 0); and
 *       the path length constraint must allow the number of CA certificates that sit
 *       between this one and the end-entity, which is {@code paramInt - 1} when
 *       {@code paramInt} is the chain index with 0 being the end-entity.</li>
 * </ul>
 *
 * @param paramX509Certificate the certificate to check
 * @param paramSet             mutable set of critical extension OIDs; handled OIDs are removed from it
 * @param paramInt             the certificate's index in the chain, 0 for the end-entity certificate
 * @return {@code true} if the certificate is acceptable at that position, {@code false} otherwise
 * @throws CertificateException propagated from the cert-type bit lookup
 * @throws IOException          propagated from the cert-type bit lookup
 */
private static boolean checkBasicConstraintsForCodeSigning(X509Certificate paramX509Certificate, Set paramSet, int paramInt)
        throws CertificateException, IOException {
    paramSet.remove("2.5.29.19");
    paramSet.remove("2.16.840.1.113730.1.1");
    if (paramInt == 0) {
        return true;
    }

    boolean hasBasicConstraints = paramX509Certificate.getExtensionValue("2.5.29.19") != null;
    boolean hasNetscapeCertType = paramX509Certificate.getExtensionValue("2.16.840.1.113730.1.1") != null;

    if (!hasBasicConstraints) {
        if (!hasNetscapeCertType) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.extensionvalue");
            return false;
        }
        if (!getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.certtypebit");
            return false;
        }
        return true;
    }

    if (hasNetscapeCertType) {
        boolean anyCaBitSet = getNetscapeCertTypeBit(paramX509Certificate, "ssl_ca")
                || getNetscapeCertTypeBit(paramX509Certificate, "s_mime_ca")
                || getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca");
        if (anyCaBitSet && !getNetscapeCertTypeBit(paramX509Certificate, "object_signing_ca")) {
            Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
            return false;
        }
    }

    // getBasicConstraints() is negative for a non-CA certificate, otherwise the path length constraint.
    int pathLengthConstraint = paramX509Certificate.getBasicConstraints();
    if (pathLengthConstraint < 0) {
        Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.enduser");
        return false;
    }
    if (paramInt - 1 > pathLengthConstraint) {
        Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.pathlength");
        return false;
    }
    return true;
}
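/**
 * Decides whether a client certificate chain presented during a TLS handshake is trusted.
 * <p>
 * Decision order, as implemented below:
 * <ol>
 *   <li>If the socket is configured with an endpoint identification algorithm that
 *       {@code isSupportedAlgorithm} rejects, the method returns at once — i.e. the chain
 *       is accepted without any of the checks below being applied.</li>
 *   <li>The certificate stores are loaded; a chain whose end-entity certificate is in the
 *       denied store is rejected.</li>
 *   <li>Unless {@code alwaysShow} is set, the wrapped platform trust manager decides. Its
 *       rejection is deliberately swallowed so that the user-facing stores and the dialog
 *       get a chance to accept the chain.</li>
 *   <li>A chain whose end-entity certificate is already in the session or permanent store
 *       is accepted.</li>
 *   <li>Otherwise the last certificate is verified against the root stores and every
 *       certificate's validity period is checked. With automation enabled the chain is
 *       accepted outright; otherwise the user is asked via {@code TrustDeciderDialog} when
 *       the root is unknown, a certificate is expired or not yet valid, {@code alwaysShow}
 *       is set, or {@code mismatchShow} is set and the peer host does not match the
 *       certificate's server name. Chains that need no prompt are accepted.</li>
 * </ol>
 * The decision is persisted: 0 = accept for this session, 2 = accept permanently (user
 * certificate store), anything else = deny. Any decision other than 0 or 2 ends in a
 * {@link CertificateException}. An unexpected failure inside the try block is logged and
 * falls through to that final check, so an error that occurs before a decision was reached
 * rejects the chain.
 *
 * @param paramArrayOfX509Certificate the client chain, end-entity first
 * @param paramString                 the authentication type (forwarded to the wrapped trust manager)
 * @param paramSocket                 the socket of the handshake; must be an {@link SSLSocket} with a handshake session
 * @throws CertificateException  if the chain is empty, denied, rejected by the user, or the socket is unusable
 * @throws IllegalStateException if no wrapped trust manager has been configured
 */
public synchronized void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, Socket paramSocket)
        throws CertificateException {
    // Fail closed instead of with a ClassCastException / NullPointerException for an unusable socket.
    if (!(paramSocket instanceof SSLSocket)) {
        throw new CertificateException("Client trust check requires an SSLSocket");
    }
    SSLSocket sslSocket = (SSLSocket) paramSocket;
    SSLSession handshakeSession = sslSocket.getHandshakeSession();
    if (handshakeSession == null) {
        throw new CertificateException("No handshake session available for client trust check");
    }

    String endpointIdAlgorithm = sslSocket.getSSLParameters().getEndpointIdentificationAlgorithm();
    String peerHost = handshakeSession.getPeerHost();
    // NOTE(review): an unsupported endpoint-identification algorithm skips every check and accepts the chain.
    if (endpointIdAlgorithm != null && !isSupportedAlgorithm(endpointIdAlgorithm)) {
        return;
    }

    if (this.trustManager == null) {
        throw new IllegalStateException("TrustManager should not be null");
    }

    X509Certificate[] chain = paramArrayOfX509Certificate;
    boolean rootUntrusted = false;
    int validityState = 0;   // 0 = all valid, -1 = a certificate expired, 1 = a certificate not yet valid
    int decision = -1;       // dialog result; -1 until a decision is reached (treated as deny)
    try {
        rootStore.load();
        sslRootStore.load();
        permanentStore.load();
        sessionStore.load();
        deniedStore.load();
        if (browserSSLRootStore != null && !isBrowserSSLRootStoreLoaded) {
            browserSSLRootStore.load();
            isBrowserSSLRootStoreLoaded = true;
        }

        // Validate the chain before any element is dereferenced.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Client certificate chain is empty");
        }
        X509Certificate endEntity = chain[0];

        if (deniedStore.contains(endEntity)) {
            throw new CertificateException("Certificate has been denied");
        }

        if (!alwaysShow) {
            try {
                this.trustManager.checkClientTrusted(chain, paramString, sslSocket);
                return;
            } catch (CertificateException ignored) {
                // Deliberate: the platform rejection is not final; stores and the dialog decide below.
            }
        }

        if (sessionStore.contains(endEntity) || permanentStore.contains(endEntity)) {
            return;
        }

        X509Certificate root = chain[chain.length - 1];
        rootUntrusted = !rootStore.verify(root)
                && !sslRootStore.verify(root)
                && (browserSSLRootStore == null || !browserSSLRootStore.verify(root));

        for (X509Certificate certificate : chain) {
            try {
                certificate.checkValidity();
            } catch (CertificateExpiredException e) {
                validityState = -1;
            } catch (CertificateNotYetValidException e) {
                validityState = 1;
            }
        }

        if (!Trace.isAutomationEnabled()) {
            boolean needsPrompt = alwaysShow
                    || rootUntrusted
                    || validityState != 0
                    || (mismatchShow && !CertUtils.checkWildcardDomainList(peerHost, CertUtils.getServername(endEntity)));
            if (needsPrompt) {
                Trace.msgSecurityPrintln("x509trustmgr.check.invalidcert");
                URL peerUrl = null;
                try {
                    peerUrl = new URL("https", handshakeSession.getPeerHost(), handshakeSession.getPeerPort(), "");
                } catch (Exception ignored) {
                    // The URL is only shown in the dialog; a malformed one is simply omitted.
                }
                decision = TrustDeciderDialog.showDialog(chain, peerUrl, 0, chain.length, rootUntrusted,
                        validityState, null, new AppInfo(), true, peerHost);
            } else {
                decision = 0;
            }
        } else {
            // Automation mode: no dialog, the chain is accepted for the session.
            Trace.msgSecurityPrintln("x509trustmgr.automation.ignoreclientcert");
            decision = 0;
        }

        if (decision == 0) {
            sessionStore.add(endEntity);
            sessionStore.save();
        } else if (decision == 2) {
            CertStore userStore = DeploySSLCertStore.getUserCertStore();
            userStore.load(true);
            if (userStore.add(endEntity)) {
                userStore.save();
            }
        } else {
            deniedStore.add(endEntity);
            deniedStore.save();
        }
    } catch (CertificateException e) {
        throw e;
    } catch (Throwable t) {
        // Logged only; 'decision' keeps whatever value was reached, so an early failure is a deny below.
        t.printStackTrace();
    }

    if (decision != 0 && decision != 2) {
        throw new CertificateException("Java couldn't trust Client");
    }
}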