stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge

Browse Source
This commit is contained in:
Sean Mullan 2008-09-11 18:13:51 -04:00
commit 875eea0ac0
19 changed files with 525 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
jdk/src/share/classes/java/security/cert/CertPathValidatorException.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2005 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,9 @@
package java.security.cert;
import java.io.InvalidObjectException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.security.GeneralSecurityException;
/**
@ -36,10 +39,11 @@ import java.security.GeneralSecurityException;
* if any, that caused this exception to be thrown.
* <p>
* A <code>CertPathValidatorException</code> may also include the
* certification path that was being validated when the exception was thrown
* and the index of the certificate in the certification path that caused the
* exception to be thrown. Use the {@link #getCertPath getCertPath} and
* {@link #getIndex getIndex} methods to retrieve this information.
* certification path that was being validated when the exception was thrown,
* the index of the certificate in the certification path that caused the
* exception to be thrown, and the reason that caused the failure. Use the
* {@link #getCertPath getCertPath}, {@link #getIndex getIndex}, and
* {@link #getReason getReason} methods to retrieve this information.
*
* <p>
* <b>Concurrent Access</b>
@ -71,12 +75,17 @@ public class CertPathValidatorException extends GeneralSecurityException {
*/
private CertPath certPath;
/**
* @serial the reason the validation failed
*/
private Reason reason = BasicReason.UNSPECIFIED;
/**
* Creates a <code>CertPathValidatorException</code> with
* no detail message.
*/
public CertPathValidatorException() {
super();
this(null, null);
}
/**
@ -87,7 +96,7 @@ public class CertPathValidatorException extends GeneralSecurityException {
* @param msg the detail message
*/
public CertPathValidatorException(String msg) {
super(msg);
this(msg, null);
}
/**
@ -104,7 +113,7 @@ public class CertPathValidatorException extends GeneralSecurityException {
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(Throwable cause) {
super(cause);
this(null, cause);
}
/**
@ -117,7 +126,7 @@ public class CertPathValidatorException extends GeneralSecurityException {
* permitted, and indicates that the cause is nonexistent or unknown.)
*/
public CertPathValidatorException(String msg, Throwable cause) {
super(msg, cause);
this(msg, cause, null, -1);
}
/**
@ -139,6 +148,32 @@ public class CertPathValidatorException extends GeneralSecurityException {
*/
public CertPathValidatorException(String msg, Throwable cause,
CertPath certPath, int index) {
this(msg, cause, certPath, index, BasicReason.UNSPECIFIED);
}
/**
* Creates a <code>CertPathValidatorException</code> with the specified
* detail message, cause, certification path, index, and reason.
*
* @param msg the detail message (or <code>null</code> if none)
* @param cause the cause (or <code>null</code> if none)
* @param certPath the certification path that was in the process of
* being validated when the error was encountered
* @param index the index of the certificate in the certification path
* that caused the error (or -1 if not applicable). Note that
* the list of certificates in a <code>CertPath</code> is zero based.
* @param reason the reason the validation failed
* @throws IndexOutOfBoundsException if the index is out of range
* <code>(index < -1 || (certPath != null && index >=
* certPath.getCertificates().size())</code>
* @throws IllegalArgumentException if <code>certPath</code> is
* <code>null</code> and <code>index</code> is not -1
* @throws NullPointerException if <code>reason</code> is <code>null</code>
*
* @since 1.7
*/
public CertPathValidatorException(String msg, Throwable cause,
CertPath certPath, int index, Reason reason) {
super(msg, cause);
if (certPath == null && index != -1) {
throw new IllegalArgumentException();
@ -147,8 +182,12 @@ public class CertPathValidatorException extends GeneralSecurityException {
(certPath != null && index >= certPath.getCertificates().size())) {
throw new IndexOutOfBoundsException();
}
if (reason == null) {
throw new NullPointerException("reason can't be null");
}
this.certPath = certPath;
this.index = index;
this.reason = reason;
}
/**
@ -174,4 +213,79 @@ public class CertPathValidatorException extends GeneralSecurityException {
return this.index;
}
/**
* Returns the reason that the validation failed. The reason is
* associated with the index of the certificate returned by
* {@link getIndex}.
*
* @return the reason that the validation failed, or
* <code>BasicReason.UNSPECIFIED</code> if a reason has not been
* specified
*
* @since 1.7
*/
public Reason getReason() {
return this.reason;
}
private void readObject(ObjectInputStream stream)
throws ClassNotFoundException, IOException {
stream.defaultReadObject();
if (reason == null) {
reason = BasicReason.UNSPECIFIED;
}
if (certPath == null && index != -1) {
throw new InvalidObjectException("certpath is null and index != -1");
}
if (index < -1 ||
(certPath != null && index >= certPath.getCertificates().size())) {
throw new InvalidObjectException("index out of range");
}
}
/**
* The reason the validation algorithm failed.
*
* @since 1.7
*/
public static interface Reason extends java.io.Serializable { }
/**
* The BasicReason enumerates the potential reasons that a certification
* path of any type may be invalid.
*
* @since 1.7
*/
public static enum BasicReason implements Reason {
/**
* Unspecified reason.
*/
UNSPECIFIED,
/**
* The certificate is expired.
*/
EXPIRED,
/**
* The certificate is not yet valid.
*/
NOT_YET_VALID,
/**
* The certificate is revoked.
*/
REVOKED,
/**
* The revocation status of the certificate could not be determined.
*/
UNDETERMINED_REVOCATION_STATUS,
/**
* The signature is invalid.
*/
INVALID_SIGNATURE
}
}

77
jdk/src/share/classes/java/security/cert/PKIXReason.java Normal file
View File

@ -0,0 +1,77 @@
/*
* Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Sun designates this
* particular file as subject to the "Classpath" exception as provided
* by Sun in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
package java.security.cert;
/**
* The <code>PKIXReason</code> enumerates the potential PKIX-specific reasons
* that an X.509 certification path may be invalid according to the PKIX
* (RFC 3280) standard. These reasons are in addition to those of the
* <code>CertPathValidatorException.BasicReason</code> enumeration.
*
* @since 1.7
*/
public enum PKIXReason implements CertPathValidatorException.Reason {
/**
* The certificate does not chain correctly.
*/
NAME_CHAINING,
/**
* The certificate's key usage is invalid.
*/
INVALID_KEY_USAGE,
/**
* The policy constraints have been violated.
*/
INVALID_POLICY,
/**
* No acceptable trust anchor found.
*/
NO_TRUST_ANCHOR,
/**
* The certificate contains one or more unrecognized critical
* extensions.
*/
UNRECOGNIZED_CRIT_EXT,
/**
* The certificate is not a CA certificate.
*/
NOT_CA_CERT,
/**
* The path length constraint has been violated.
*/
PATH_TOO_LONG,
/**
* The name constraints have been violated.
*/
INVALID_NAME
}

44
jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -29,12 +29,18 @@ import java.math.BigInteger;
import java.util.Collection;
import java.util.Date;
import java.util.Set;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
@ -152,11 +158,11 @@ class BasicChecker extends PKIXCertPathChecker {
try {
cert.verify(prevPubKey, sigProvider);
} catch (Exception e) {
if (debug != null) {
debug.println(e.getMessage());
e.printStackTrace();
}
} catch (SignatureException e) {
throw new CertPathValidatorException
(msg + " check failed", e, null, -1,
BasicReason.INVALID_SIGNATURE);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException(msg + " check failed", e);
}
@ -176,12 +182,12 @@ class BasicChecker extends PKIXCertPathChecker {
try {
cert.checkValidity(date);
} catch (Exception e) {
if (debug != null) {
debug.println(e.getMessage());
e.printStackTrace();
}
throw new CertPathValidatorException(msg + " check failed", e);
} catch (CertificateExpiredException e) {
throw new CertPathValidatorException
(msg + " check failed", e, null, -1, BasicReason.EXPIRED);
} catch (CertificateNotYetValidException e) {
throw new CertPathValidatorException
(msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
}
if (debug != null)
@ -204,12 +210,16 @@ class BasicChecker extends PKIXCertPathChecker {
// reject null or empty issuer DNs
if (X500Name.asX500Name(currIssuer).isEmpty()) {
throw new CertPathValidatorException(msg + " check failed: " +
"empty/null issuer DN in certificate is invalid");
throw new CertPathValidatorException
(msg + " check failed: " +
"empty/null issuer DN in certificate is invalid", null,
null, -1, PKIXReason.NAME_CHAINING);
}
if (!(currIssuer.equals(prevSubject))) {
throw new CertPathValidatorException(msg + " check failed");
throw new CertPathValidatorException
(msg + " check failed", null, null, -1,
PKIXReason.NAME_CHAINING);
}
if (debug != null)
@ -270,7 +280,7 @@ class BasicChecker extends PKIXCertPathChecker {
params.getQ(),
params.getG());
usableKey = kf.generatePublic(ks);
} catch (Exception e) {
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate key with" +
" inherited parameters: " +
e.getMessage(), e);

16
jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -32,9 +32,10 @@ import java.util.HashSet;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXReason;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.NameConstraintsExtension;
@ -147,7 +148,8 @@ class ConstraintsChecker extends PKIXCertPathChecker {
try {
if (!prevNC.verify(currCert)) {
throw new CertPathValidatorException(msg + " check failed");
throw new CertPathValidatorException(msg + " check failed",
null, null, -1, PKIXReason.INVALID_NAME);
}
} catch (IOException ioe) {
throw new CertPathValidatorException(ioe);
@ -228,8 +230,9 @@ class ConstraintsChecker extends PKIXCertPathChecker {
if (i < certPathLength) {
int pathLenConstraint = currCert.getBasicConstraints();
if (pathLenConstraint == -1) {
throw new CertPathValidatorException(msg + " check failed: "
+ "this is not a CA certificate");
throw new CertPathValidatorException
(msg + " check failed: this is not a CA certificate", null,
null, -1, PKIXReason.NOT_CA_CERT);
}
if (!X509CertImpl.isSelfIssued(currCert)) {
@ -237,7 +240,8 @@ class ConstraintsChecker extends PKIXCertPathChecker {
throw new CertPathValidatorException
(msg + " check failed: pathLenConstraint violated - "
+ "this cert must be the last cert in the "
+ "certification path");
+ "certification path", null, null, -1,
PKIXReason.PATH_TOO_LONG);
}
maxPathLength--;
}

29
jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -39,6 +39,7 @@ import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.interfaces.DSAPublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
@ -268,7 +269,8 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status");
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// init the state for this run
@ -324,7 +326,8 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
return;
} else {
throw new CertPathValidatorException
("Could not determine revocation status");
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
@ -370,7 +373,8 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
+ unresCritExts);
}
throw new CertPathValidatorException
("Could not determine revocation status");
("Could not determine revocation status", null, null,
-1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
@ -378,10 +382,11 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
if (reasonCode == null) {
reasonCode = CRLReason.UNSPECIFIED;
}
throw new CertPathValidatorException(
new CertificateRevokedException
(entry.getRevocationDate(), reasonCode,
crl.getIssuerX500Principal(), entry.getExtensions()));
Throwable t = new CertificateRevokedException
(entry.getRevocationDate(), reasonCode,
crl.getIssuerX500Principal(), entry.getExtensions());
throw new CertPathValidatorException(t.getMessage(), t,
null, -1, BasicReason.REVOKED);
}
}
}
@ -428,7 +433,8 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status");
("Could not determine revocation status", null, null,
-1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// If prevKey wasn't trusted, maybe we just didn't have the right
@ -617,7 +623,7 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
return;
} catch (CertPathValidatorException cpve) {
// If it is revoked, rethrow exception
if (cpve.getCause() instanceof CertificateRevokedException) {
if (cpve.getReason() == BasicReason.REVOKED) {
throw cpve;
}
// Otherwise, ignore the exception and
@ -628,7 +634,8 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
throw new CertPathValidatorException(iape);
} catch (CertPathBuilderException cpbe) {
throw new CertPathValidatorException
("Could not determine revocation status", cpbe);
("Could not determine revocation status", null, null,
-1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
}

6
jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
View File

@ -32,6 +32,7 @@ import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXReason;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.PKIXBuilderParameters;
@ -732,8 +733,9 @@ class ForwardBuilder extends Builder {
PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresCritExts.isEmpty())
throw new CertificateException("Unrecognized critical "
+ "extension(s)");
throw new CertPathValidatorException
("Unrecognized critical extension(s)", null, null, -1,
PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
}

13
jdk/src/share/classes/sun/security/provider/certpath/KeyChecker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2003 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,7 @@ package sun.security.provider.certpath;
import java.util.*;
import java.security.cert.*;
import java.security.cert.PKIXReason;
import sun.security.util.Debug;
import sun.security.x509.PKIXExtensions;
@ -75,11 +76,12 @@ class KeyChecker extends PKIXCertPathChecker {
if (!forward) {
remainingCerts = certPathLen;
} else {
throw new CertPathValidatorException("forward checking not supported");
throw new CertPathValidatorException
("forward checking not supported");
}
}
public boolean isForwardCheckingSupported() {
public final boolean isForwardCheckingSupported() {
return false;
}
@ -155,8 +157,9 @@ class KeyChecker extends PKIXCertPathChecker {
// throw an exception if the keyCertSign bit is not set
if (!keyUsageBits[keyCertSign]) {
throw new CertPathValidatorException(msg + " check failed: "
+ "keyCertSign bit is not set");
throw new CertPathValidatorException
(msg + " check failed: keyCertSign bit is not set", null,
null, -1, PKIXReason.INVALID_KEY_USAGE);
}
if (debug != null) {

10
jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
View File

@ -33,6 +33,7 @@ import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.net.*;
import javax.security.auth.x500.X500Principal;
@ -381,17 +382,18 @@ class OCSPChecker extends PKIXCertPathChecker {
}
if (certOCSPStatus == OCSPResponse.CERT_STATUS_REVOKED) {
throw new CertPathValidatorException(
new CertificateRevokedException(
Throwable t = new CertificateRevokedException(
ocspResponse.getRevocationTime(),
ocspResponse.getRevocationReason(),
responderCert.getSubjectX500Principal(),
ocspResponse.getSingleExtensions()));
ocspResponse.getSingleExtensions());
throw new CertPathValidatorException(t.getMessage(), t,
null, -1, BasicReason.REVOKED);
} else if (certOCSPStatus == OCSPResponse.CERT_STATUS_UNKNOWN) {
throw new CertPathValidatorException(
"Certificate's revocation status is unknown", null, cp,
remainingCerts);
remainingCerts, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
} catch (Exception e) {
throw new CertPathValidatorException(e);

39
jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -38,6 +38,7 @@ import java.security.cert.CertPathValidatorResult;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXReason;
import java.security.cert.PolicyNode;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
@ -47,7 +48,6 @@ import java.util.List;
import java.util.ArrayList;
import java.util.Date;
import java.util.Set;
import java.util.HashSet;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
@ -67,6 +67,7 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
private List<PKIXCertPathChecker> userCheckers;
private String sigProvider;
private BasicChecker basicChecker;
private String ocspProperty;
/**
* Default constructor.
@ -126,7 +127,7 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
// Must copy elements of certList into a new modifiable List before
// calling Collections.reverse().
List<X509Certificate> certList = new ArrayList<X509Certificate>
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>
((List<X509Certificate>)cp.getCertificates());
if (debug != null) {
if (certList.isEmpty()) {
@ -201,7 +202,8 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
}
// (b) otherwise, generate new exception
throw new CertPathValidatorException
("Path does not chain with any of the trust anchors");
("Path does not chain with any of the trust anchors",
null, null, -1, PKIXReason.NO_TRUST_ANCHOR);
}
/**
@ -210,7 +212,6 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
*/
private boolean isWorthTrying(X509Certificate trustedCert,
X509Certificate firstCert)
throws CertPathValidatorException
{
if (debug != null) {
debug.println("PKIXCertPathValidator.isWorthTrying() checking "
@ -240,7 +241,6 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
* Internal method to setup the internal state
*/
private void populateVariables(PKIXParameters pkixParam)
throws CertPathValidatorException
{
// default value for testDate is current time
testDate = pkixParam.getDate();
@ -250,6 +250,17 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
userCheckers = pkixParam.getCertPathCheckers();
sigProvider = pkixParam.getSigProvider();
if (pkixParam.isRevocationEnabled()) {
// Examine OCSP security property
ocspProperty = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return
Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
}
});
}
}
/**
@ -259,12 +270,9 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
*/
private PolicyNode doValidate(
TrustAnchor anchor, CertPath cpOriginal,
List<X509Certificate> certList, PKIXParameters pkixParam,
ArrayList<X509Certificate> certList, PKIXParameters pkixParam,
PolicyNodeImpl rootNode) throws CertPathValidatorException
{
List<PKIXCertPathChecker> certPathCheckers =
new ArrayList<PKIXCertPathChecker>();
int certPathLen = certList.size();
basicChecker = new BasicChecker(anchor, testDate, sigProvider, false);
@ -281,6 +289,8 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
pkixParam.getPolicyQualifiersRejected(),
rootNode);
ArrayList<PKIXCertPathChecker> certPathCheckers =
new ArrayList<PKIXCertPathChecker>();
// add standard checkers that we will be using
certPathCheckers.add(keyChecker);
certPathCheckers.add(constraintsChecker);
@ -290,15 +300,6 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
// only add a revocationChecker if revocation is enabled
if (pkixParam.isRevocationEnabled()) {
// Examine OCSP security property
String ocspProperty = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return
Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
}
});
// Use OCSP if it has been enabled
if ("true".equalsIgnoreCase(ocspProperty)) {
OCSPChecker ocspChecker =

15
jdk/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,11 +30,12 @@ import sun.security.util.Debug;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.Iterator;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.X509Certificate;
/**
@ -153,10 +154,11 @@ class PKIXMasterCertPathValidator {
*/
CertPathValidatorException currentCause =
new CertPathValidatorException(cpve.getMessage(),
cpve.getCause(), cpOriginal, cpSize - (i + 1));
cpve.getCause(), cpOriginal, cpSize - (i + 1),
cpve.getReason());
// Check if OCSP has confirmed that the cert was revoked
if (cpve.getCause() instanceof CertificateRevokedException) {
if (cpve.getReason() == BasicReason.REVOKED) {
throw currentCause;
}
// Check if it is appropriate to failover
@ -184,7 +186,8 @@ class PKIXMasterCertPathValidator {
debug.println("checking for unresolvedCritExts");
if (!unresolvedCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " +
"critical extension(s)", null, cpOriginal, cpSize-(i+1));
"critical extension(s)", null, cpOriginal, cpSize-(i+1),
PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
if (debug != null)

21
jdk/src/share/classes/sun/security/provider/certpath/PolicyChecker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,11 +30,12 @@ import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXReason;
import java.security.cert.PolicyNode;
import java.security.cert.PolicyQualifierInfo;
import java.security.cert.X509Certificate;
import sun.security.util.Debug;
import sun.security.x509.CertificatePoliciesExtension;
@ -482,8 +483,9 @@ class PolicyChecker extends PKIXCertPathChecker {
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers &&
policiesCritical) {
throw new CertPathValidatorException("critical " +
"policy qualifiers present in certificate");
throw new CertPathValidatorException(
"critical policy qualifiers present in certificate",
null, null, -1, PKIXReason.INVALID_POLICY);
}
// PKIX: Section 6.1.3: Step (d)(1)(i)
@ -567,7 +569,8 @@ class PolicyChecker extends PKIXCertPathChecker {
if ((explicitPolicy == 0) && (rootNode == null)) {
throw new CertPathValidatorException
("non-null policy tree required and policy tree is null");
("non-null policy tree required and policy tree is null",
null, null, -1, PKIXReason.INVALID_POLICY);
}
return rootNode;
@ -776,12 +779,14 @@ class PolicyChecker extends PKIXCertPathChecker {
if (issuerDomain.equals(ANY_POLICY)) {
throw new CertPathValidatorException
("encountered an issuerDomainPolicy of ANY_POLICY");
("encountered an issuerDomainPolicy of ANY_POLICY",
null, null, -1, PKIXReason.INVALID_POLICY);
}
if (subjectDomain.equals(ANY_POLICY)) {
throw new CertPathValidatorException
("encountered a subjectDomainPolicy of ANY_POLICY");
("encountered a subjectDomainPolicy of ANY_POLICY",
null, null, -1, PKIXReason.INVALID_POLICY);
}
Set<PolicyNodeImpl> validNodes =

15
jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -29,14 +29,15 @@ import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXReason;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Collection;
@ -402,7 +403,8 @@ class ReverseBuilder extends Builder {
*/
if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
throw new CertPathValidatorException
("pathLenConstraint violated, path too long");
("pathLenConstraint violated, path too long", null,
null, -1, PKIXReason.PATH_TOO_LONG);
}
/*
@ -438,7 +440,8 @@ class ReverseBuilder extends Builder {
try {
if (!currentState.nc.verify(cert)){
throw new CertPathValidatorException
("name constraints check failed");
("name constraints check failed", null, null, -1,
PKIXReason.INVALID_NAME);
}
} catch (IOException ioe){
throw new CertPathValidatorException(ioe);
@ -483,7 +486,9 @@ class ReverseBuilder extends Builder {
unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresolvedCritExts.isEmpty())
throw new CertificateException("Unrecognized critical extension(s)");
throw new CertPathValidatorException
("Unrecognized critical extension(s)", null, null, -1,
PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
/*

14
jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,9 @@ import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.*;
import java.security.cert.PKIXReason;
import java.security.interfaces.DSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@ -39,10 +42,6 @@ import java.util.Iterator;
import java.util.List;
import java.util.LinkedList;
import java.util.Set;
import java.security.cert.*;
import java.security.interfaces.DSAPublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.X500Name;
@ -565,8 +564,9 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
(PKIXExtensions.ExtendedKeyUsage_Id.toString());
if (!unresCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized "
+ "critical extension(s)");
throw new CertPathValidatorException
("unrecognized critical extension(s)", null,
null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
}
}
}

10
jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -34,6 +34,7 @@ import java.io.InputStream;
import java.io.IOException;
import java.security.cert.*;
import java.security.cert.PKIXReason;
import java.util.ArrayList;
import java.util.Collections;
@ -69,6 +70,9 @@ public final class ValidateCertPath {
validate(path, params);
throw new Exception("Successfully validated invalid path.");
} catch (CertPathValidatorException e) {
if (e.getReason() != PKIXReason.INVALID_NAME) {
throw new Exception("unexpected reason: " + e.getReason());
}
System.out.println("Path rejected as expected: " + e);
}
}
@ -86,14 +90,14 @@ public final class ValidateCertPath {
args = new String[] {"jane2jane.cer", "jane2steve.cer", "steve2tom.cer"};
TrustAnchor anchor = new TrustAnchor(getCertFromFile(args[0]), null);
List list = new ArrayList();
List<X509Certificate> list = new ArrayList<X509Certificate>();
for (int i = 1; i < args.length; i++) {
list.add(0, getCertFromFile(args[i]));
}
CertificateFactory cf = CertificateFactory.getInstance("X509");
path = cf.generateCertPath(list);
Set anchors = Collections.singleton(anchor);
Set<TrustAnchor> anchors = Collections.singleton(anchor);
params = new PKIXParameters(anchors);
params.setRevocationEnabled(false);
}

67
jdk/test/java/security/cert/CertPathValidatorException/ReasonTest.java Normal file
View File

@ -0,0 +1,67 @@
/*
* Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
* @test
* @bug 6465942
* @summary unit test for CertPathValidatorException.Reason
*/
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
public class ReasonTest {
private static volatile boolean failed = false;
public static void main(String[] args) throws Exception {
// check that getReason returns UNSPECIFIED if reason not specified
CertPathValidatorException cpve = new CertPathValidatorException("abc");
if (cpve.getReason() != BasicReason.UNSPECIFIED) {
failed = true;
System.err.println("FAILED: unexpected reason: " + cpve.getReason());
}
// check that getReason returns specified reason
cpve = new CertPathValidatorException
("abc", null, null, -1, BasicReason.REVOKED);
if (cpve.getReason() != BasicReason.REVOKED) {
failed = true;
System.err.println("FAILED: unexpected reason: " + cpve.getReason());
}
// check that ctor throws NPE when reason is null
try {
cpve = new CertPathValidatorException("abc", null, null, -1, null);
failed = true;
System.err.println("ctor did not throw NPE for null reason");
} catch (Exception e) {
if (!(e instanceof NullPointerException)) {
failed = true;
System.err.println("FAILED: unexpected exception: " + e);
}
}
if (failed) {
throw new Exception("Some tests FAILED");
}
}
}

113
jdk/test/java/security/cert/CertPathValidatorException/Serial.java Normal file
View File

@ -0,0 +1,113 @@
/*
* Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
* @test
* @bug 6465942
* @summary Test deserialization of CertPathValidatorException
*/
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
//import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.Collections;
/**
* This class tests to see if CertPathValidatorException can be serialized and
* deserialized properly.
*/
public class Serial {
private static volatile boolean failed = false;
public static void main(String[] args) throws Exception {
File f = new File(System.getProperty("test.src", "."), "cert_file");
FileInputStream fis = new FileInputStream(f);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate c = cf.generateCertificate(fis);
fis.close();
CertPath cp = cf.generateCertPath(Collections.singletonList(c));
CertPathValidatorException cpve1 =
new CertPathValidatorException
("Test", new Exception("Expired"), cp, 0, BasicReason.EXPIRED);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
// FileOutputStream fos = new FileOutputStream("jdk7.serial");
ObjectOutputStream oos = new ObjectOutputStream(baos);
// ObjectOutputStream foos = new ObjectOutputStream(fos);
oos.writeObject(cpve1);
// foos.writeObject(cpve1);
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
ObjectInputStream ois = new ObjectInputStream(bais);
CertPathValidatorException cpve2 =
(CertPathValidatorException) ois.readObject();
check(!cpve1.getMessage().equals(cpve2.getMessage()),
"CertPathValidatorException messages not equal");
check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
"CertPathValidatorException causes not equal");
check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
"CertPathValidatorException certpaths not equal");
check(cpve1.getIndex() != cpve2.getIndex(),
"CertPathValidatorException indexes not equal");
check(cpve1.getReason() != cpve2.getReason(),
"CertPathValidatorException reasons not equal");
oos.close();
ois.close();
f = new File(System.getProperty("test.src", "."), "jdk6.serial");
fis = new FileInputStream(f);
ois = new ObjectInputStream(fis);
cpve2 = (CertPathValidatorException) ois.readObject();
check(!cpve1.getMessage().equals(cpve2.getMessage()),
"CertPathValidatorException messages not equal");
check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
"CertPathValidatorException causes not equal");
check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
"CertPathValidatorException certpaths not equal");
check(cpve1.getIndex() != cpve2.getIndex(),
"CertPathValidatorException indexes not equal");
// System.out.println(cpve2.getReason());
check(cpve2.getReason() != BasicReason.UNSPECIFIED,
"CertPathValidatorException reasons not equal");
oos.close();
ois.close();
if (failed) {
throw new Exception("Some tests FAILED");
}
}
private static void check(boolean expr, String message) {
if (expr) {
failed = true;
System.err.println("FAILED: " + message);
}
}
}

BIN
jdk/test/java/security/cert/CertPathValidatorException/cert_file Normal file
View File

Binary file not shown.

BIN
jdk/test/java/security/cert/CertPathValidatorException/jdk6.serial Normal file
View File

Binary file not shown.

8
jdk/test/java/security/cert/PolicyNode/GetPolicyQualifiers.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -74,6 +74,10 @@ public class GetPolicyQualifiers {
throw new Exception("Validation of CertPath containing critical " +
"qualifiers should have failed when policyQualifiersRejected " +
"flag is true");
} catch (CertPathValidatorException cpve) {}
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != PKIXReason.INVALID_POLICY) {
throw new Exception("unexpected reason: " + cpve.getReason());
}
}
}
}