Пример #1
0
 PKIXValidator(String variant, PKIXBuilderParameters params) {
   super(TYPE_PKIX, variant);
   trustedCerts = new HashSet();
   for (Iterator t = params.getTrustAnchors().iterator(); t.hasNext(); ) {
     TrustAnchor anchor = (TrustAnchor) t.next();
     X509Certificate cert = anchor.getTrustedCert();
     if (cert != null) {
       trustedCerts.add(cert);
     }
   }
   parameterTemplate = params;
   initCommon();
 }
 protected static void processAttrCert4(
     X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams)
     throws CertPathValidatorException {
   Set set = pkixParams.getTrustedACIssuers();
   boolean trusted = false;
   for (Iterator it = set.iterator(); it.hasNext(); ) {
     TrustAnchor anchor = (TrustAnchor) it.next();
     if (acIssuerCert.getSubjectX500Principal().getName("RFC2253").equals(anchor.getCAName())
         || acIssuerCert.equals(anchor.getTrustedCert())) {
       trusted = true;
     }
   }
   if (!trusted) {
     throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
   }
 }
Пример #3
0
 /** Returns true if trust anchor certificate matches specified certificate constraints. */
 private static boolean anchorIsTarget(TrustAnchor anchor, CertSelector sel) {
   X509Certificate anchorCert = anchor.getTrustedCert();
   if (anchorCert != null) {
     return sel.match(anchorCert);
   }
   return false;
 }
  /**
   * Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
   * Uses the specified provider for signature verification, or the default provider if null.
   *
   * @param cert the X509 certificate
   * @param trustAnchors a Set of TrustAnchor's
   * @param sigProvider the provider to use for signature verification
   * @return the <code>TrustAnchor</code> object if found or <code>null</code> if not.
   * @throws AnnotatedException if a TrustAnchor was found but the signature verification on the
   *     given certificate has thrown an exception.
   */
  protected static TrustAnchor findTrustAnchor(
      X509Certificate cert, Set trustAnchors, String sigProvider) throws AnnotatedException {
    TrustAnchor trust = null;
    PublicKey trustPublicKey = null;
    Exception invalidKeyEx = null;

    X509CertSelector certSelectX509 = new X509CertSelector();
    X500Principal certIssuer = getEncodedIssuerPrincipal(cert);

    try {
      certSelectX509.setSubject(certIssuer.getEncoded());
    } catch (IOException ex) {
      throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
    }

    Iterator iter = trustAnchors.iterator();
    while (iter.hasNext() && trust == null) {
      trust = (TrustAnchor) iter.next();
      if (trust.getTrustedCert() != null) {
        if (certSelectX509.match(trust.getTrustedCert())) {
          trustPublicKey = trust.getTrustedCert().getPublicKey();
        } else {
          trust = null;
        }
      } else if (trust.getCAName() != null && trust.getCAPublicKey() != null) {
        try {
          X500Principal caName = new X500Principal(trust.getCAName());
          if (certIssuer.equals(caName)) {
            trustPublicKey = trust.getCAPublicKey();
          } else {
            trust = null;
          }
        } catch (IllegalArgumentException ex) {
          trust = null;
        }
      } else {
        trust = null;
      }

      if (trustPublicKey != null) {
        try {
          verifyX509Certificate(cert, trustPublicKey, sigProvider);
        } catch (Exception ex) {
          invalidKeyEx = ex;
          trust = null;
          trustPublicKey = null;
        }
      }
    }

    if (trust == null && invalidKeyEx != null) {
      throw new AnnotatedException(
          "TrustAnchor found but certificate validation failed.", invalidKeyEx);
    }

    return trust;
  }
Пример #5
0
 private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
     throws CertificateException {
   List list = path.getCertificates();
   X509Certificate[] chain = new X509Certificate[list.size() + 1];
   list.toArray(chain);
   X509Certificate trustedCert = anchor.getTrustedCert();
   if (trustedCert == null) {
     throw new ValidatorException("TrustAnchor must be specified as certificate");
   }
   chain[chain.length - 1] = trustedCert;
   return chain;
 }
Пример #6
0
 private PkiVerificationData(
     @Nullable String displayName, PublicKey merchantSigningKey, TrustAnchor rootAuthority)
     throws PaymentProtocolException.PkiVerificationException {
   try {
     this.displayName = displayName;
     this.merchantSigningKey = merchantSigningKey;
     this.rootAuthority = rootAuthority;
     this.rootAuthorityName =
         X509Utils.getDisplayNameFromCertificate(rootAuthority.getTrustedCert(), true);
   } catch (CertificateParsingException x) {
     throw new PaymentProtocolException.PkiVerificationException(x);
   }
 }
Пример #7
0
 private @Nullable String getNameFromCert(TrustAnchor rootAuthority)
     throws PaymentRequestException.PkiVerificationException {
   org.spongycastle.asn1.x500.X500Name name =
       new X500Name(rootAuthority.getTrustedCert().getSubjectX500Principal().getName());
   String commonName = null, org = null, location = null, country = null;
   for (RDN rdn : name.getRDNs()) {
     AttributeTypeAndValue pair = rdn.getFirst();
     String val = ((ASN1String) pair.getValue()).getString();
     if (pair.getType().equals(RFC4519Style.cn)) commonName = val;
     else if (pair.getType().equals(RFC4519Style.o)) org = val;
     else if (pair.getType().equals(RFC4519Style.l)) location = val;
     else if (pair.getType().equals(RFC4519Style.c)) country = val;
   }
   if (org != null) {
     return Joiner.on(", ").skipNulls().join(org, location, country);
   } else {
     return commonName;
   }
 }
Пример #8
0
 private String getNameFromCert(TrustAnchor rootAuthority)
     throws PaymentRequestException.PkiVerificationException {
   org.spongycastle.asn1.x500.X500Name name =
       new X500Name(rootAuthority.getTrustedCert().getSubjectX500Principal().getName());
   String commonName = null, org = null, location = null, country = null;
   for (RDN rdn : name.getRDNs()) {
     AttributeTypeAndValue pair = rdn.getFirst();
     String val = ((ASN1String) pair.getValue()).getString();
     if (pair.getType().equals(RFC4519Style.cn)) commonName = val;
     else if (pair.getType().equals(RFC4519Style.o)) org = val;
     else if (pair.getType().equals(RFC4519Style.l)) location = val;
     else if (pair.getType().equals(RFC4519Style.c)) country = val;
   }
   if (org != null && location != null && country != null) {
     return org + ", " + location + ", " + country;
   } else {
     if (commonName == null)
       throw new PaymentRequestException.PkiVerificationException(
           "Could not find any identity info for root CA");
     return commonName;
   }
 }
  /**
   * Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
   *
   * @param cert the X509 certificate
   * @param params with trust anchors
   * @return the <code>TrustAnchor</code> object if found or <code>null</code> if not.
   * @exception CertPathValidatorException if a TrustAnchor was found but the signature verification
   *     on the given certificate has thrown an exception. This Exception can be obtainted with
   *     <code>getCause()</code> method.
   */
  static final TrustAnchor findTrustAnchor(
      X509Certificate cert, CertPath certPath, int index, PKIXParameters params)
      throws CertPathValidatorException {
    // If we have a trust anchor index, use it.
    if (params instanceof IndexedPKIXParameters) {
      IndexedPKIXParameters indexed = (IndexedPKIXParameters) params;
      return indexed.findTrustAnchor(cert, certPath, index);
    }

    Iterator iter = params.getTrustAnchors().iterator();
    TrustAnchor found = null;
    PublicKey trustPublicKey = null;
    Exception invalidKeyEx = null;

    X509CertSelector certSelectX509 = new X509CertSelector();

    try {
      certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded());
    } catch (IOException ex) {
      throw new CertPathValidatorException(ex);
    }

    byte[] certBytes = null;
    try {
      certBytes = cert.getEncoded();
    } catch (Exception e) {
      // ignore, just continue
    }
    while (iter.hasNext() && found == null) {
      found = (TrustAnchor) iter.next();
      X509Certificate foundCert = found.getTrustedCert();
      if (foundCert != null) {
        // If the trust anchor is identical to the certificate we're
        // done. Just return the anchor.
        // There is similar code in PKIXCertPathValidatorSpi.
        try {
          byte[] foundBytes = foundCert.getEncoded();
          if (certBytes != null && Arrays.equals(foundBytes, certBytes)) {
            return found;
          }
        } catch (Exception e) {
          // ignore, continue and verify the certificate
        }
        if (certSelectX509.match(foundCert)) {
          trustPublicKey = foundCert.getPublicKey();
        } else {
          found = null;
        }
      } else if (found.getCAName() != null && found.getCAPublicKey() != null) {
        try {
          X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
          X500Principal caName = new X500Principal(found.getCAName());
          if (certIssuer.equals(caName)) {
            trustPublicKey = found.getCAPublicKey();
          } else {
            found = null;
          }
        } catch (IllegalArgumentException ex) {
          found = null;
        }
      } else {
        found = null;
      }

      if (trustPublicKey != null) {
        try {
          cert.verify(trustPublicKey);
        } catch (Exception ex) {
          invalidKeyEx = ex;
          found = null;
        }
      }
    }

    if (found == null && invalidKeyEx != null) {
      throw new CertPathValidatorException(
          "TrustAnchor found but certificate validation failed.", invalidKeyEx, certPath, index);
    }

    return found;
  }
 /*     */ public CertPathValidatorResult engineValidate(
     CertPath paramCertPath, CertPathParameters paramCertPathParameters)
     /*     */ throws CertPathValidatorException, InvalidAlgorithmParameterException
       /*     */ {
   /*  98 */ if (debug != null) {
     /*  99 */ debug.println("PKIXCertPathValidator.engineValidate()...");
     /*     */ }
   /* 101 */ if (!(paramCertPathParameters instanceof PKIXParameters)) {
     /* 102 */ throw new InvalidAlgorithmParameterException(
         "inappropriate parameters, must be an instance of PKIXParameters");
     /*     */ }
   /*     */
   /* 106 */ if ((!paramCertPath.getType().equals("X.509"))
       && (!paramCertPath.getType().equals("X509"))) {
     /* 107 */ throw new InvalidAlgorithmParameterException(
         "inappropriate certification path type specified, must be X.509 or X509");
     /*     */ }
   /*     */
   /* 111 */ PKIXParameters localPKIXParameters = (PKIXParameters) paramCertPathParameters;
   /*     */
   /* 115 */ Set localSet = localPKIXParameters.getTrustAnchors();
   /* 116 */ for (Object localObject1 = localSet.iterator();
       ((Iterator) localObject1).hasNext(); ) {
     localObject2 = (TrustAnchor) ((Iterator) localObject1).next();
     /* 117 */ if (((TrustAnchor) localObject2).getNameConstraints() != null) {
       /* 118 */ throw new InvalidAlgorithmParameterException(
           "name constraints in trust anchor not supported");
       /*     */ }
     /*     */
     /*     */ }
   /*     */
   /* 133 */ localObject1 = new ArrayList(paramCertPath.getCertificates());
   /*     */
   /* 135 */ if (debug != null) {
     /* 136 */ if (((ArrayList) localObject1).isEmpty()) {
       /* 137 */ debug.println("PKIXCertPathValidator.engineValidate() certList is empty");
       /*     */ }
     /*     */
     /* 140 */ debug.println("PKIXCertPathValidator.engineValidate() reversing certpath...");
     /*     */ }
   /*     */
   /* 143 */ Collections.reverse((List) localObject1);
   /*     */
   /* 148 */ populateVariables(localPKIXParameters);
   /*     */
   /* 152 */ Object localObject2 = null;
   /* 153 */ if (!((ArrayList) localObject1).isEmpty()) {
     /* 154 */ localObject2 = (X509Certificate) ((ArrayList) localObject1).get(0);
     /*     */ }
   /*     */
   /* 157 */ Object localObject3 = null;
   /*     */
   /* 161 */ for (TrustAnchor localTrustAnchor : localSet) {
     /* 162 */ X509Certificate localX509Certificate = localTrustAnchor.getTrustedCert();
     /* 163 */ if (localX509Certificate != null) {
       /* 164 */ if (debug != null) {
         /* 165 */ debug.println(
             "PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null");
         /*     */ }
       /*     */
       /* 171 */ if (isWorthTrying(localX509Certificate, (X509Certificate) localObject2))
       /*     */ {
         /* 175 */ if (debug != null)
           /* 176 */ debug.println(
               "anchor.getTrustedCert().getSubjectX500Principal() = "
                   + localX509Certificate.getSubjectX500Principal());
         /*     */ }
       /*     */ }
     /*     */ else
     /*     */ {
       /* 181 */ if (debug != null) {
         /* 182 */ debug.println(
             "PKIXCertPathValidator.engineValidate(): anchor.getTrustedCert() == null");
         /*     */ }
       /*     */
       /*     */ try
       /*     */ {
         /* 188 */ PolicyNodeImpl localPolicyNodeImpl =
             new PolicyNodeImpl(
                 null, "2.5.29.32.0", null, false, Collections.singleton("2.5.29.32.0"), false);
         /*     */
         /* 191 */ PolicyNode localPolicyNode =
             doValidate(
                 localTrustAnchor,
                 paramCertPath,
                 (ArrayList) localObject1,
                 localPKIXParameters,
                 localPolicyNodeImpl);
         /*     */
         /* 194 */ return new PKIXCertPathValidatorResult(
             localTrustAnchor, localPolicyNode, this.basicChecker.getPublicKey());
         /*     */ }
       /*     */ catch (CertPathValidatorException localCertPathValidatorException)
       /*     */ {
         /* 198 */ localObject3 = localCertPathValidatorException;
         /*     */ }
       /*     */ }
     /*     */
     /*     */ }
   /*     */
   /* 204 */ if (localObject3 != null) {
     /* 205 */ throw localObject3;
     /*     */ }
   /*     */
   /* 208 */ throw new CertPathValidatorException(
       "Path does not chain with any of the trust anchors",
       null,
       null,
       -1,
       PKIXReason.NO_TRUST_ANCHOR);
   /*     */ }