public class BCCertPathValidator
extends java.lang.Object

PKIXCertPathReviewer with additional support for proxy certificates.

| Modifier and Type | Field and Description |
|---|---|
| static long | PROXY_VALIDATION_GRACE_PERIOD |

| Constructor and Description |
|---|
| BCCertPathValidator() |
| Modifier and Type | Method and Description |
|---|---|
| protected void | checkLastCNNameRule(javax.security.auth.x500.X500Principal srcP, javax.security.auth.x500.X500Principal issuerP, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain) |
| protected java.util.List<java.security.cert.X509Certificate> | checkNonProxyChain(java.security.cert.X509Certificate[] baseChain, ExtPKIXParameters2 params, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, int posDelta, java.security.cert.X509Certificate[] cc) Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer. |
| protected void | checkPairWithProxy(java.security.cert.X509Certificate issuerCert, java.security.cert.X509Certificate proxyCert, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain, java.util.Date validationTime) Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. |
| protected void | checkProxyChainMain(java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, java.util.Date validDate) Performs a validation loop of the proxy chain, checking each pair in the chain for the rules not otherwise verified by the base check. |
| protected void | checkProxyChainWithBC(java.security.cert.X509Certificate[] proxyChain, java.util.Set<java.security.cert.TrustAnchor> trustAnchor, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions) Checks a chain with proxies, starting with the EEC, using X.509 path validation. |
| protected void | checkProxyTime(java.security.cert.X509Certificate proxyCert, java.util.Date validationTime, java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, int position) |
| protected java.util.List<ValidationError> | convertErrors(java.util.List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, java.security.cert.X509Certificate[] cc) |
| protected ExtPKIXParameters2 | createPKIXParameters(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler) |
| protected int | getFirstProxy(java.security.cert.X509Certificate[] toCheck) |
| protected java.util.Set<java.lang.String> | getUnresolvedExtensionons(java.util.List<?>[] bcErrorsA) |
| ValidationResult | validate(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler) Performs validation. |
public static final long PROXY_VALIDATION_GRACE_PERIOD
public ValidationResult validate(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler) throws java.security.cert.CertificateException

If the proxy support is turned off or the chain has no proxy certificate, then normal X.509 path validation is performed (see below).
If the proxy support is turned on and the chain has at least one proxy, then the following checks are performed:
The normal path validation is performed as follows:

Parameters:
- toCheck - chain to check
- proxySupport - proxy support
- trustAnchors - trust anchors
- crlStore - CRL store
- revocationParams - revocation params
- observersHandler - observers handler

Throws:
- java.security.cert.CertificateException - if some of the certificates in the chain cannot be parsed

protected ExtPKIXParameters2 createPKIXParameters(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)
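A caller-side example of driving validate() for a chain that ends in a proxy certificate, added here and not part of the library's own documentation. It assumes canl-java's package names, the RevocationParameters, OCSPParametes and ObserversHandler constructors and the ValidationResult/ValidationError accessors marked in the comments, and constructed file names for the certificates.

```java
import java.io.FileInputStream;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

import eu.emi.security.authn.x509.CrlCheckingMode;      // assumed canl-java package
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.helpers.ObserversHandler;
import eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator;

public class ProxyChainCheck {
    // Loads one X.509 certificate from a PEM or DER file (constructed paths below).
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // toCheck is ordered leaf first: the proxy, its EEC, then the issuing CA(s).
        X509Certificate[] chain = {
            load(cf, "proxy.pem"), load(cf, "user.pem"), load(cf, "intermediate-ca.pem") };
        Set<TrustAnchor> anchors =
            Collections.singleton(new TrustAnchor(load(cf, "root-ca.pem"), null));
        // Empty CRL store; with IF_VALID (assumed enum value) CRLs are used only when present.
        CertStore crlStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.emptyList()));
        RevocationParameters revocation =
            new RevocationParameters(CrlCheckingMode.IF_VALID, new OCSPParametes()); // assumed ctor
        ObserversHandler observers = new ObserversHandler();                         // assumed ctor

        // With proxySupport=false the proxy is treated as an ordinary EEC, so plain X.509
        // path validation rejects it (the EEC is not a CA); pass --no-proxy to see that.
        boolean proxySupport = !(args.length > 0 && args[0].equals("--no-proxy"));
        ValidationResult result = new BCCertPathValidator().validate(
            chain, proxySupport, anchors, crlStore, revocation, observers);

        if (result.isValid()) { System.out.println("chain valid"); return; }   // assumed accessor
        for (ValidationError e : result.getErrors()) {                          // assumed accessors
            // getPosition() is the index into the original chain used in error reporting.
            System.out.printf("cert #%d: %s%n", e.getPosition(), e.getMessage());
        }
        System.exit(1);
    }
}
```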
protected int getFirstProxy(java.security.cert.X509Certificate[] toCheck)
protected java.util.List<java.security.cert.X509Certificate> checkNonProxyChain(java.security.cert.X509Certificate[] baseChain, ExtPKIXParameters2 params, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, int posDelta, java.security.cert.X509Certificate[] cc) throws java.security.cert.CertificateException

Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer. In future, when the BC implementation is fixed, it should use PKIXCertPathReviewer instead.

Parameters:
- baseChain - base chain
- params - parameters
- errors - errors
- unresolvedExtensions - unresolved extensions
- posDelta - position delta
- cc - certificate chain

Throws:
- java.security.cert.CertificateException - certificate exception

protected void checkProxyChainWithBC(java.security.cert.X509Certificate[] proxyChain, java.util.Set<java.security.cert.TrustAnchor> trustAnchor, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions) throws java.security.cert.CertificateException
Parameters:
- proxyChain - proxy chain
- trustAnchor - trust anchor
- errors - errors
- unresolvedExtensions - unresolved extensions

Throws:
- java.security.cert.CertificateException - certificate exception

protected void checkProxyChainMain(java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, java.util.Date validDate) throws java.security.cert.CertificateException
Parameters:
- proxyChain - proxy chain
- errors - errors
- unresolvedExtensions - unresolved extensions
- validDate - valid date

Throws:
- java.security.cert.CertificateException - certificate exception

protected void checkPairWithProxy(java.security.cert.X509Certificate issuerCert, java.security.cert.X509Certificate proxyCert, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain, java.util.Date validationTime) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateParsingException
Parameters:
- issuerCert - certificate of the issuer
- proxyCert - certificate to be checked
- errors - out arg - list of errors found
- position - position in original chain to be used in error reporting
- proxyChain - proxy chain
- validationTime - validation time

Throws:
- java.security.cert.CertPathValidatorException - certificate path validator exception
- java.security.cert.CertificateParsingException - certificate parsing exception

protected void checkProxyTime(java.security.cert.X509Certificate proxyCert, java.util.Date validationTime, java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, int position)
protected void checkLastCNNameRule(javax.security.auth.x500.X500Principal srcP, javax.security.auth.x500.X500Principal issuerP, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain) throws java.security.cert.CertPathValidatorException

Throws:
- java.security.cert.CertPathValidatorException
protected java.util.List<ValidationError> convertErrors(java.util.List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, java.security.cert.X509Certificate[] cc)
protected java.util.Set<java.lang.String> getUnresolvedExtensionons(java.util.List<?>[] bcErrorsA)