/*
 * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.provider.certpath;

import sun.security.util.Debug;

import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.Iterator;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;

This class is initialized with a list of PKIXCertPathCheckers and is used to verify the certificates in a CertPath by feeding each certificate to each PKIXCertPathChecker.
Author: Yassir Elley
Since: 1.4
/** * This class is initialized with a list of <code>PKIXCertPathChecker</code>s * and is used to verify the certificates in a <code>CertPath</code> by * feeding each certificate to each <code>PKIXCertPathChecker</code>. * * @since 1.4 * @author Yassir Elley */
class PKIXMasterCertPathValidator { private static final Debug debug = Debug.getInstance("certpath"); private List<PKIXCertPathChecker> certPathCheckers;
Initializes the list of PKIXCertPathCheckers whose checks will be performed on each certificate in the certpath.
Params:
  • certPathCheckers – a List of checkers to use
/** * Initializes the list of PKIXCertPathCheckers whose checks * will be performed on each certificate in the certpath. * * @param certPathCheckers a List of checkers to use */
PKIXMasterCertPathValidator(List<PKIXCertPathChecker> certPathCheckers) { this.certPathCheckers = certPathCheckers; }
Validates a certification path consisting exclusively of X509Certificates using the PKIXCertPathCheckers specified in the constructor. It is assumed that the PKIXCertPathCheckers have been initialized with any input parameters they may need.
Params:
  • cpOriginal – the original X509 CertPath passed in by the user
  • reversedCertList – the reversed X509 CertPath (as a List)
Throws:
/** * Validates a certification path consisting exclusively of * <code>X509Certificate</code>s using the * <code>PKIXCertPathChecker</code>s specified * in the constructor. It is assumed that the * <code>PKIXCertPathChecker</code>s * have been initialized with any input parameters they may need. * * @param cpOriginal the original X509 CertPath passed in by the user * @param reversedCertList the reversed X509 CertPath (as a List) * @exception CertPathValidatorException Exception thrown if cert * path does not validate. */
void validate(CertPath cpOriginal, List<X509Certificate> reversedCertList) throws CertPathValidatorException { // we actually process reversedCertList, but we keep cpOriginal because // we need to return the original certPath when we throw an exception. // we will also need to modify the index appropriately when we // throw an exception. int cpSize = reversedCertList.size(); if (debug != null) { debug.println("--------------------------------------------------" + "------------"); debug.println("Executing PKIX certification path validation " + "algorithm."); } for (int i = 0; i < cpSize; i++) { /* The basic loop algorithm is that we get the * current certificate, we verify the current certificate using * information from the previous certificate and from the state, * and we modify the state for the next loop by setting the * current certificate of this loop to be the previous certificate * of the next loop. The state is initialized during first loop. */ if (debug != null) debug.println("Checking cert" + (i+1) + " ..."); X509Certificate currCert = reversedCertList.get(i); Set<String> unresolvedCritExts = currCert.getCriticalExtensionOIDs(); if (unresolvedCritExts == null) { unresolvedCritExts = Collections.<String>emptySet(); } if (debug != null && !unresolvedCritExts.isEmpty()) { debug.println("Set of critical extensions:"); for (String oid : unresolvedCritExts) { debug.println(oid); } } CertPathValidatorException ocspCause = null; for (int j = 0; j < certPathCheckers.size(); j++) { PKIXCertPathChecker currChecker = certPathCheckers.get(j); if (debug != null) { debug.println("-Using checker" + (j + 1) + " ... [" + currChecker.getClass().getName() + "]"); } if (i == 0) currChecker.init(false); try { currChecker.check(currCert, unresolvedCritExts); // OCSP has validated the cert so skip the CRL check if (isRevocationCheck(currChecker, j, certPathCheckers)) { if (debug != null) { debug.println("-checker" + (j + 1) + " validation succeeded"); } j++; continue; // skip } } catch (CertPathValidatorException cpve) { // Throw the saved OCSP exception // (when the CRL check has also failed) if (ocspCause != null && currChecker instanceof CrlRevocationChecker) { throw ocspCause; } /* * Handle failover from OCSP to CRLs */ CertPathValidatorException currentCause = new CertPathValidatorException(cpve.getMessage(), (cpve.getCause() != null) ? cpve.getCause() : cpve, cpOriginal, cpSize - (i + 1)); // Check if OCSP has confirmed that the cert was revoked if (cpve instanceof CertificateRevokedException) { throw currentCause; } // Check if it is appropriate to failover if (! isRevocationCheck(currChecker, j, certPathCheckers)) { // no failover throw currentCause; } // Save the current exception // (in case the CRL check also fails) ocspCause = currentCause; // Otherwise, failover to CRLs if (debug != null) { debug.println(cpve.getMessage()); debug.println( "preparing to failover (from OCSP to CRLs)"); } } if (debug != null) debug.println("-checker" + (j+1) + " validation succeeded"); } if (debug != null) debug.println("checking for unresolvedCritExts"); if (!unresolvedCritExts.isEmpty()) { throw new CertPathValidatorException("unrecognized " + "critical extension(s)", null, cpOriginal, cpSize-(i+1)); } if (debug != null) debug.println("\ncert" + (i+1) + " validation succeeded.\n"); } if (debug != null) { debug.println("Cert path validation succeeded. (PKIX validation " + "algorithm)"); debug.println("-------------------------------------------------" + "-------------"); } } /* * Examines the list of PKIX cert path checkers to determine whether * both the current checker and the next checker are revocation checkers. * OCSPChecker and CrlRevocationChecker are both revocation checkers. */ private static boolean isRevocationCheck(PKIXCertPathChecker checker, int index, List<PKIXCertPathChecker> checkers) { if (checker instanceof OCSPChecker && index + 1 < checkers.size()) { PKIXCertPathChecker nextChecker = checkers.get(index + 1); if (nextChecker instanceof CrlRevocationChecker) { return true; } } return false; } }