/*
 * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.provider.certpath;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.ListIterator;
import javax.security.auth.x500.X500Principal;

import sun.security.util.Debug;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.GeneralNames;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;

A specification of a forward PKIX validation state which is initialized by each build and updated each time a certificate is added to the current path.
Author: Yassir Elley
Since: 1.4
/** * A specification of a forward PKIX validation state * which is initialized by each build and updated each time a * certificate is added to the current path. * @since 1.4 * @author Yassir Elley */
class ForwardState implements State { private static final Debug debug = Debug.getInstance("certpath"); /* The issuer DN of the last cert in the path */ X500Principal issuerDN; /* The last cert in the path */ X509CertImpl cert; /* The set of subjectDNs and subjectAltNames of all certs in the path */ HashSet<GeneralNameInterface> subjectNamesTraversed; /* * The number of intermediate CA certs which have been traversed so * far in the path */ int traversedCACerts; /* Flag indicating if state is initial (path is just starting) */ private boolean init = true; /* the untrusted certificates checker */ UntrustedChecker untrustedChecker; /* The list of user-defined checkers that support forward checking */ ArrayList<PKIXCertPathChecker> forwardCheckers; /* Flag indicating if key needing to inherit key parameters has been * encountered. */ boolean keyParamsNeededFlag = false;
Returns a boolean flag indicating if the state is initial (just starting)
Returns:boolean flag indicating if the state is initial (just starting)
/** * Returns a boolean flag indicating if the state is initial * (just starting) * * @return boolean flag indicating if the state is initial (just starting) */
@Override public boolean isInitial() { return init; }
Return boolean flag indicating whether a public key that needs to inherit key parameters has been encountered.
Returns:boolean true if key needing to inherit parameters has been encountered; false otherwise.
/** * Return boolean flag indicating whether a public key that needs to inherit * key parameters has been encountered. * * @return boolean true if key needing to inherit parameters has been * encountered; false otherwise. */
@Override public boolean keyParamsNeeded() { return keyParamsNeededFlag; }
Display state for debugging purposes
/** * Display state for debugging purposes */
@Override public String toString() { StringBuilder sb = new StringBuilder(); sb.append("State ["); sb.append("\n issuerDN of last cert: ").append(issuerDN); sb.append("\n traversedCACerts: ").append(traversedCACerts); sb.append("\n init: ").append(String.valueOf(init)); sb.append("\n keyParamsNeeded: ").append (String.valueOf(keyParamsNeededFlag)); sb.append("\n subjectNamesTraversed: \n").append (subjectNamesTraversed); sb.append("]\n"); return sb.toString(); }
Initialize the state.
Params:
  • certPathCheckers – the list of user-defined PKIXCertPathCheckers
/** * Initialize the state. * * @param certPathCheckers the list of user-defined PKIXCertPathCheckers */
public void initState(List<PKIXCertPathChecker> certPathCheckers) throws CertPathValidatorException { subjectNamesTraversed = new HashSet<GeneralNameInterface>(); traversedCACerts = 0; /* * Populate forwardCheckers with every user-defined checker * that supports forward checking and initialize the forwardCheckers */ forwardCheckers = new ArrayList<PKIXCertPathChecker>(); for (PKIXCertPathChecker checker : certPathCheckers) { if (checker.isForwardCheckingSupported()) { checker.init(true); forwardCheckers.add(checker); } } init = true; }
Update the state with the next certificate added to the path.
Params:
  • cert – the certificate which is used to update the state
/** * Update the state with the next certificate added to the path. * * @param cert the certificate which is used to update the state */
@Override public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException { if (cert == null) return; X509CertImpl icert = X509CertImpl.toImpl(cert); /* see if certificate key has null parameters */ if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) { keyParamsNeededFlag = true; } /* update certificate */ this.cert = icert; /* update issuer DN */ issuerDN = cert.getIssuerX500Principal(); if (!X509CertImpl.isSelfIssued(cert)) { /* * update traversedCACerts only if this is a non-self-issued * intermediate CA cert */ if (!init && cert.getBasicConstraints() != -1) { traversedCACerts++; } } /* update subjectNamesTraversed only if this is the EE cert or if this cert is not self-issued */ if (init || !X509CertImpl.isSelfIssued(cert)){ X500Principal subjName = cert.getSubjectX500Principal(); subjectNamesTraversed.add(X500Name.asX500Name(subjName)); try { SubjectAlternativeNameExtension subjAltNameExt = icert.getSubjectAlternativeNameExtension(); if (subjAltNameExt != null) { GeneralNames gNames = subjAltNameExt.get( SubjectAlternativeNameExtension.SUBJECT_NAME); for (GeneralName gName : gNames.names()) { subjectNamesTraversed.add(gName.getName()); } } } catch (IOException e) { if (debug != null) { debug.println("ForwardState.updateState() unexpected " + "exception"); e.printStackTrace(); } throw new CertPathValidatorException(e); } } init = false; } /* * Clone current state. The state is cloned as each cert is * added to the path. This is necessary if backtracking occurs, * and a prior state needs to be restored. * * Note that this is a SMART clone. Not all fields are fully copied, * because some of them will * not have their contents modified by subsequent calls to updateState. */ @Override @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly public Object clone() { try { ForwardState clonedState = (ForwardState) super.clone(); /* clone checkers, if cloneable */ clonedState.forwardCheckers = (ArrayList<PKIXCertPathChecker>) forwardCheckers.clone(); ListIterator<PKIXCertPathChecker> li = clonedState.forwardCheckers.listIterator(); while (li.hasNext()) { PKIXCertPathChecker checker = li.next(); if (checker instanceof Cloneable) { li.set((PKIXCertPathChecker)checker.clone()); } } /* * Shallow copy traversed names. There is no need to * deep copy contents, since the elements of the Set * are never modified by subsequent calls to updateState(). */ clonedState.subjectNamesTraversed = (HashSet<GeneralNameInterface>)subjectNamesTraversed.clone(); return clonedState; } catch (CloneNotSupportedException e) { throw new InternalError(e.toString(), e); } } }