PKIXValidator(String variant, PKIXBuilderParameters params) {
super(TYPE_PKIX, variant);
trustedCerts = new HashSet();
for (Iterator t = params.getTrustAnchors().iterator(); t.hasNext(); ) {
TrustAnchor anchor = (TrustAnchor) t.next();
X509Certificate cert = anchor.getTrustedCert();
if (cert != null) {
trustedCerts.add(cert);
}
}
parameterTemplate = params;
initCommon();
}
protected static void processAttrCert4(
X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams)
throws CertPathValidatorException {
Set set = pkixParams.getTrustedACIssuers();
boolean trusted = false;
for (Iterator it = set.iterator(); it.hasNext(); ) {
TrustAnchor anchor = (TrustAnchor) it.next();
if (acIssuerCert.getSubjectX500Principal().getName("RFC2253").equals(anchor.getCAName())
|| acIssuerCert.equals(anchor.getTrustedCert())) {
trusted = true;
}
}
if (!trusted) {
throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
}
}
/** Returns true if trust anchor certificate matches specified certificate constraints. */
private static boolean anchorIsTarget(TrustAnchor anchor, CertSelector sel) {
X509Certificate anchorCert = anchor.getTrustedCert();
if (anchorCert != null) {
return sel.match(anchorCert);
}
return false;
}
/**
* Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
* Uses the specified provider for signature verification, or the default provider if null.
*
* @param cert the X509 certificate
* @param trustAnchors a Set of TrustAnchor's
* @param sigProvider the provider to use for signature verification
* @return the <code>TrustAnchor</code> object if found or <code>null</code> if not.
* @throws AnnotatedException if a TrustAnchor was found but the signature verification on the
* given certificate has thrown an exception.
*/
protected static TrustAnchor findTrustAnchor(
X509Certificate cert, Set trustAnchors, String sigProvider) throws AnnotatedException {
TrustAnchor trust = null;
PublicKey trustPublicKey = null;
Exception invalidKeyEx = null;
X509CertSelector certSelectX509 = new X509CertSelector();
X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
try {
certSelectX509.setSubject(certIssuer.getEncoded());
} catch (IOException ex) {
throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
}
Iterator iter = trustAnchors.iterator();
while (iter.hasNext() && trust == null) {
trust = (TrustAnchor) iter.next();
if (trust.getTrustedCert() != null) {
if (certSelectX509.match(trust.getTrustedCert())) {
trustPublicKey = trust.getTrustedCert().getPublicKey();
} else {
trust = null;
}
} else if (trust.getCAName() != null && trust.getCAPublicKey() != null) {
try {
X500Principal caName = new X500Principal(trust.getCAName());
if (certIssuer.equals(caName)) {
trustPublicKey = trust.getCAPublicKey();
} else {
trust = null;
}
} catch (IllegalArgumentException ex) {
trust = null;
}
} else {
trust = null;
}
if (trustPublicKey != null) {
try {
verifyX509Certificate(cert, trustPublicKey, sigProvider);
} catch (Exception ex) {
invalidKeyEx = ex;
trust = null;
trustPublicKey = null;
}
}
}
if (trust == null && invalidKeyEx != null) {
throw new AnnotatedException(
"TrustAnchor found but certificate validation failed.", invalidKeyEx);
}
return trust;
}
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
throws CertificateException {
List list = path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert == null) {
throw new ValidatorException("TrustAnchor must be specified as certificate");
}
chain[chain.length - 1] = trustedCert;
return chain;
}
private PkiVerificationData(
@Nullable String displayName, PublicKey merchantSigningKey, TrustAnchor rootAuthority)
throws PaymentProtocolException.PkiVerificationException {
try {
this.displayName = displayName;
this.merchantSigningKey = merchantSigningKey;
this.rootAuthority = rootAuthority;
this.rootAuthorityName =
X509Utils.getDisplayNameFromCertificate(rootAuthority.getTrustedCert(), true);
} catch (CertificateParsingException x) {
throw new PaymentProtocolException.PkiVerificationException(x);
}
}
private @Nullable String getNameFromCert(TrustAnchor rootAuthority)
throws PaymentRequestException.PkiVerificationException {
org.spongycastle.asn1.x500.X500Name name =
new X500Name(rootAuthority.getTrustedCert().getSubjectX500Principal().getName());
String commonName = null, org = null, location = null, country = null;
for (RDN rdn : name.getRDNs()) {
AttributeTypeAndValue pair = rdn.getFirst();
String val = ((ASN1String) pair.getValue()).getString();
if (pair.getType().equals(RFC4519Style.cn)) commonName = val;
else if (pair.getType().equals(RFC4519Style.o)) org = val;
else if (pair.getType().equals(RFC4519Style.l)) location = val;
else if (pair.getType().equals(RFC4519Style.c)) country = val;
}
if (org != null) {
return Joiner.on(", ").skipNulls().join(org, location, country);
} else {
return commonName;
}
}
private String getNameFromCert(TrustAnchor rootAuthority)
throws PaymentRequestException.PkiVerificationException {
org.spongycastle.asn1.x500.X500Name name =
new X500Name(rootAuthority.getTrustedCert().getSubjectX500Principal().getName());
String commonName = null, org = null, location = null, country = null;
for (RDN rdn : name.getRDNs()) {
AttributeTypeAndValue pair = rdn.getFirst();
String val = ((ASN1String) pair.getValue()).getString();
if (pair.getType().equals(RFC4519Style.cn)) commonName = val;
else if (pair.getType().equals(RFC4519Style.o)) org = val;
else if (pair.getType().equals(RFC4519Style.l)) location = val;
else if (pair.getType().equals(RFC4519Style.c)) country = val;
}
if (org != null && location != null && country != null) {
return org + ", " + location + ", " + country;
} else {
if (commonName == null)
throw new PaymentRequestException.PkiVerificationException(
"Could not find any identity info for root CA");
return commonName;
}
}
/**
* Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
*
* @param cert the X509 certificate
* @param params with trust anchors
* @return the <code>TrustAnchor</code> object if found or <code>null</code> if not.
* @exception CertPathValidatorException if a TrustAnchor was found but the signature verification
* on the given certificate has thrown an exception. This Exception can be obtainted with
* <code>getCause()</code> method.
*/
static final TrustAnchor findTrustAnchor(
X509Certificate cert, CertPath certPath, int index, PKIXParameters params)
throws CertPathValidatorException {
// If we have a trust anchor index, use it.
if (params instanceof IndexedPKIXParameters) {
IndexedPKIXParameters indexed = (IndexedPKIXParameters) params;
return indexed.findTrustAnchor(cert, certPath, index);
}
Iterator iter = params.getTrustAnchors().iterator();
TrustAnchor found = null;
PublicKey trustPublicKey = null;
Exception invalidKeyEx = null;
X509CertSelector certSelectX509 = new X509CertSelector();
try {
certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded());
} catch (IOException ex) {
throw new CertPathValidatorException(ex);
}
byte[] certBytes = null;
try {
certBytes = cert.getEncoded();
} catch (Exception e) {
// ignore, just continue
}
while (iter.hasNext() && found == null) {
found = (TrustAnchor) iter.next();
X509Certificate foundCert = found.getTrustedCert();
if (foundCert != null) {
// If the trust anchor is identical to the certificate we're
// done. Just return the anchor.
// There is similar code in PKIXCertPathValidatorSpi.
try {
byte[] foundBytes = foundCert.getEncoded();
if (certBytes != null && Arrays.equals(foundBytes, certBytes)) {
return found;
}
} catch (Exception e) {
// ignore, continue and verify the certificate
}
if (certSelectX509.match(foundCert)) {
trustPublicKey = foundCert.getPublicKey();
} else {
found = null;
}
} else if (found.getCAName() != null && found.getCAPublicKey() != null) {
try {
X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
X500Principal caName = new X500Principal(found.getCAName());
if (certIssuer.equals(caName)) {
trustPublicKey = found.getCAPublicKey();
} else {
found = null;
}
} catch (IllegalArgumentException ex) {
found = null;
}
} else {
found = null;
}
if (trustPublicKey != null) {
try {
cert.verify(trustPublicKey);
} catch (Exception ex) {
invalidKeyEx = ex;
found = null;
}
}
}
if (found == null && invalidKeyEx != null) {
throw new CertPathValidatorException(
"TrustAnchor found but certificate validation failed.", invalidKeyEx, certPath, index);
}
return found;
}
/* */ public CertPathValidatorResult engineValidate(
CertPath paramCertPath, CertPathParameters paramCertPathParameters)
/* */ throws CertPathValidatorException, InvalidAlgorithmParameterException
/* */ {
/* 98 */ if (debug != null) {
/* 99 */ debug.println("PKIXCertPathValidator.engineValidate()...");
/* */ }
/* 101 */ if (!(paramCertPathParameters instanceof PKIXParameters)) {
/* 102 */ throw new InvalidAlgorithmParameterException(
"inappropriate parameters, must be an instance of PKIXParameters");
/* */ }
/* */
/* 106 */ if ((!paramCertPath.getType().equals("X.509"))
&& (!paramCertPath.getType().equals("X509"))) {
/* 107 */ throw new InvalidAlgorithmParameterException(
"inappropriate certification path type specified, must be X.509 or X509");
/* */ }
/* */
/* 111 */ PKIXParameters localPKIXParameters = (PKIXParameters) paramCertPathParameters;
/* */
/* 115 */ Set localSet = localPKIXParameters.getTrustAnchors();
/* 116 */ for (Object localObject1 = localSet.iterator();
((Iterator) localObject1).hasNext(); ) {
localObject2 = (TrustAnchor) ((Iterator) localObject1).next();
/* 117 */ if (((TrustAnchor) localObject2).getNameConstraints() != null) {
/* 118 */ throw new InvalidAlgorithmParameterException(
"name constraints in trust anchor not supported");
/* */ }
/* */
/* */ }
/* */
/* 133 */ localObject1 = new ArrayList(paramCertPath.getCertificates());
/* */
/* 135 */ if (debug != null) {
/* 136 */ if (((ArrayList) localObject1).isEmpty()) {
/* 137 */ debug.println("PKIXCertPathValidator.engineValidate() certList is empty");
/* */ }
/* */
/* 140 */ debug.println("PKIXCertPathValidator.engineValidate() reversing certpath...");
/* */ }
/* */
/* 143 */ Collections.reverse((List) localObject1);
/* */
/* 148 */ populateVariables(localPKIXParameters);
/* */
/* 152 */ Object localObject2 = null;
/* 153 */ if (!((ArrayList) localObject1).isEmpty()) {
/* 154 */ localObject2 = (X509Certificate) ((ArrayList) localObject1).get(0);
/* */ }
/* */
/* 157 */ Object localObject3 = null;
/* */
/* 161 */ for (TrustAnchor localTrustAnchor : localSet) {
/* 162 */ X509Certificate localX509Certificate = localTrustAnchor.getTrustedCert();
/* 163 */ if (localX509Certificate != null) {
/* 164 */ if (debug != null) {
/* 165 */ debug.println(
"PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null");
/* */ }
/* */
/* 171 */ if (isWorthTrying(localX509Certificate, (X509Certificate) localObject2))
/* */ {
/* 175 */ if (debug != null)
/* 176 */ debug.println(
"anchor.getTrustedCert().getSubjectX500Principal() = "
+ localX509Certificate.getSubjectX500Principal());
/* */ }
/* */ }
/* */ else
/* */ {
/* 181 */ if (debug != null) {
/* 182 */ debug.println(
"PKIXCertPathValidator.engineValidate(): anchor.getTrustedCert() == null");
/* */ }
/* */
/* */ try
/* */ {
/* 188 */ PolicyNodeImpl localPolicyNodeImpl =
new PolicyNodeImpl(
null, "2.5.29.32.0", null, false, Collections.singleton("2.5.29.32.0"), false);
/* */
/* 191 */ PolicyNode localPolicyNode =
doValidate(
localTrustAnchor,
paramCertPath,
(ArrayList) localObject1,
localPKIXParameters,
localPolicyNodeImpl);
/* */
/* 194 */ return new PKIXCertPathValidatorResult(
localTrustAnchor, localPolicyNode, this.basicChecker.getPublicKey());
/* */ }
/* */ catch (CertPathValidatorException localCertPathValidatorException)
/* */ {
/* 198 */ localObject3 = localCertPathValidatorException;
/* */ }
/* */ }
/* */
/* */ }
/* */
/* 204 */ if (localObject3 != null) {
/* 205 */ throw localObject3;
/* */ }
/* */
/* 208 */ throw new CertPathValidatorException(
"Path does not chain with any of the trust anchors",
null,
null,
-1,
PKIXReason.NO_TRUST_ANCHOR);
/* */ }