package org.bouncycastle.jce.provider;
import java.security.InvalidAlgorithmParameterException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.bouncycastle.jcajce.PKIXExtendedParameters;
import org.bouncycastle.jcajce.util.BCJcaJceHelper;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.util.Selector;
import org.bouncycastle.x509.ExtendedPKIXParameters;
import org.bouncycastle.x509.X509AttributeCertStoreSelector;
import org.bouncycastle.x509.X509AttributeCertificate;
/**
* CertPathValidatorSpi implementation for X.509 Attribute Certificates à la RFC 3281.
*
* @see org.bouncycastle.x509.ExtendedPKIXParameters
*/
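public class PKIXAttrCertPathValidatorSpi
    extends CertPathValidatorSpi
{
    // JCA/JCE helper bound to the BC provider; handed to the CRL check so that
    // the factories it needs resolve against BC rather than an arbitrary provider.
    private final JcaJceHelper helper = new BCJcaJceHelper();

    public PKIXAttrCertPathValidatorSpi()
    {
    }

    /**
     * Validates an attribute certificate with the given certificate path.
     *
     * <p>
     * <code>params</code> must be an instance of
     * <code>ExtendedPKIXParameters</code> (or of
     * <code>PKIXExtendedParameters</code>, which is accepted as-is).
     * <p>
     * The target constraints in the <code>params</code> must be an
     * <code>X509AttributeCertStoreSelector</code> with at least the attribute
     * certificate criterion set. Note that target information may also be
     * necessary to correctly validate this attribute certificate.
     * <p>
     * The attribute certificate issuer must be added to the trusted attribute
     * issuers with {@link org.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)};
     * that set is what the AC issuer is checked against in step 4 of the
     * RFC 3281 processing. When <code>PKIXExtendedParameters</code> are passed
     * directly no such set is available and an empty set is used.
     * <p>
     * Processing order follows RFC 3281 section 5: holder path (1), AC issuer
     * path (2), issuer checks (3, 4), AC validity (5), target/selector (6,
     * already applied by the selector), extensions and custom checkers (7),
     * prohibited/necessary attributes, then CRL checks against the AC issuer.
     *
     * @param certPath The certificate path which belongs to the attribute
     *                 certificate issuer public key certificate.
     * @param params   The PKIX parameters.
     * @return A <code>PKIXCertPathValidatorResult</code> of the result of
     *         validating the <code>certPath</code>.
     * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
     *                                                          inappropriate for this validator.
     * @throws java.security.cert.CertPathValidatorException    if the verification fails,
     *                                                          including when <code>certPath</code> holds no certificates.
     */
    public CertPathValidatorResult engineValidate(CertPath certPath,
        CertPathParameters params)
        throws CertPathValidatorException, InvalidAlgorithmParameterException
    {
        if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
        {
            throw new InvalidAlgorithmParameterException(
                "Parameters must be a "
                    + ExtendedPKIXParameters.class.getName() + " instance.");
        }

        // Raw Sets mirror the raw accessors on ExtendedPKIXParameters they are filled from.
        Set attrCertCheckers = new HashSet();
        Set prohibitedACAttributes = new HashSet();
        Set necessaryACAttributes = new HashSet();
        Set trustedACIssuers = new HashSet();

        PKIXExtendedParameters paramsPKIX;
        if (params instanceof PKIXParameters)
        {
            PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);

            if (params instanceof ExtendedPKIXParameters)
            {
                ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;

                paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
                paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
                attrCertCheckers = extPKIX.getAttrCertCheckers();
                prohibitedACAttributes = extPKIX.getProhibitedACAttributes();
                necessaryACAttributes = extPKIX.getNecessaryACAttributes();
                // The caller's trusted AC issuers are what step 4 checks the AC issuer
                // against. Previously this set was left empty, so the configuration made
                // via setTrustedACIssuers(Set) was never consulted by this validator.
                trustedACIssuers = extPKIX.getTrustedACIssuers();
            }

            paramsPKIX = paramsPKIXBldr.build();
        }
        else
        {
            // PKIXExtendedParameters carries no trusted-AC-issuer set of its own;
            // trustedACIssuers stays empty on this path, as it did before.
            paramsPKIX = (PKIXExtendedParameters)params;
        }

        Selector certSelect = paramsPKIX.getTargetConstraints();
        if (!(certSelect instanceof X509AttributeCertStoreSelector))
        {
            throw new InvalidAlgorithmParameterException(
                "TargetConstraints must be an instance of "
                    + X509AttributeCertStoreSelector.class.getName() + " for "
                    + this.getClass().getName() + " class.");
        }

        X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector)certSelect)
            .getAttributeCert();

        // Step 1: build/validate the holder's public key certificate path.
        CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
        // Step 2: validate the AC issuer's public key certificate path.
        CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);

        // The AC issuer certificate is the first element of certPath; an empty path
        // would otherwise surface as an IndexOutOfBoundsException rather than a
        // validation failure.
        if (certPath.getCertificates().isEmpty())
        {
            throw new CertPathValidatorException(
                "Certificate path of the attribute certificate issuer is empty.");
        }
        X509Certificate issuerCert = (X509Certificate)certPath
            .getCertificates().get(0);

        // Steps 3 and 4: AC issuer certificate checks, including the trusted AC issuer check.
        RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
        RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
        // Step 5: attribute certificate validity period.
        RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
        // 6 already done in X509AttributeCertStoreSelector
        // Step 7: extensions plus any caller-supplied attribute certificate checkers.
        RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
        RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttributes, necessaryACAttributes);

        Date date;
        try
        {
            date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
        }
        catch (AnnotatedException e)
        {
            throw new ExtCertPathValidatorException(
                "Could not get validity date from attribute certificate.", e);
        }

        // Revocation: CRL check of the attribute certificate against its issuer.
        RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);

        return result;
    }
}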