Java 类java.security.cert.PKIXReason 实例源码

项目:OpenJSharp    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:OpenJSharp    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC);
                debug.println("currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:OpenJSharp    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u-jdk    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:jdk8u-jdk    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u-jdk    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u-jdk    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:openjdk-jdk10    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:openjdk-jdk10    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:openjdk-jdk10    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:openjdk-jdk10    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:openjdk9    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:openjdk9    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:openjdk9    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:openjdk9    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:jdk8u_jdk    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:jdk8u_jdk    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u_jdk    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u_jdk    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:lookaside_java-1.8.0-openjdk    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:lookaside_java-1.8.0-openjdk    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:lookaside_java-1.8.0-openjdk    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:lookaside_java-1.8.0-openjdk    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:infobip-open-jdk-8    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:infobip-open-jdk-8    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC);
                debug.println("currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:infobip-open-jdk-8    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:infobip-open-jdk-8    文件:ValidateCertPath.java   
/**
 * Negative test entry point: validating the configured path must fail, and
 * the failure must carry the reason {@link PKIXReason#INVALID_NAME}.
 *
 * <p>Checking the reason, not just the exception type, keeps the test from
 * passing when the path is rejected for an unrelated cause.
 *
 * @param args passed to {@code parseArgs}
 * @throws Exception if validation succeeds, if the rejection reason is not
 *         INVALID_NAME, or if anything other than a
 *         CertPathValidatorException is raised
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        // presumably parseArgs populates path and params; verify in the file
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:jdk8u-dev-jdk    文件:KeyChecker.java   
/**
 * Checks the KeyUsage extension of a CA certificate.
 *
 * <p>A certificate without a KeyUsage extension passes unchecked; when the
 * extension is present, its keyCertSign bit must be asserted. The extended
 * key usage extension is not examined (see CR 4776794 for more
 * information).
 *
 * <p>Because an absent extension is accepted, a normal return does not by
 * itself show that {@code cert} is entitled to sign certificates; nothing
 * else about the certificate is inspected in this method.
 *
 * @param cert the CA certificate whose key usage is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and keyCertSign is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                      + checkName + "...");
    }

    final boolean[] usage = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension, which
    // leaves nothing to enforce (and no "verified" trace line is emitted).
    if (usage != null) {
        // NOTE(review): assumes the array is long enough to be indexed at
        // KEY_CERT_SIGN; a shorter array would surface as
        // ArrayIndexOutOfBoundsException instead of a validation failure.
        // Confirm for the X509Certificate implementations in use.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}
项目:jdk8u-dev-jdk    文件:ConstraintsChecker.java   
/**
 * Applies the name constraints accumulated so far ({@code prevNC}) to
 * {@code currCert}, then replaces {@code prevNC} with the result of
 * {@code mergeNameConstraints(currCert, prevNC)}.
 *
 * <p>The check is skipped when {@code prevNC} is null, and for a
 * self-issued certificate unless {@code i == certPathLength} (the final
 * certificate, per the original comment). The merge runs in every case.
 *
 * <p>When reading the debug trace, note that the closing "verified." line
 * is printed on every normal return, including when the check was skipped.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if {@code prevNC.verify} rejects
 *         the certificate, or wrapping the IOException it raised
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only when some were inherited and the
    // certificate is either the last one or not self-issued.
    if (prevNC != null) {
        boolean mustCheck = (i == certPathLength)
            || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC +
                    ", currDN = " + currCert.getSubjectX500Principal());
            }

            boolean permitted;
            try {
                permitted = prevNC.verify(currCert);
            } catch (IOException ioe) {
                // No PKIXReason is attached on this path; only the cause.
                throw new CertPathValidatorException(ioe);
            }
            if (!permitted) {
                throw new CertPathValidatorException(
                    checkName + " check failed",
                    null, null, -1, PKIXReason.INVALID_NAME);
            }
        }
    }

    // Merging is unconditional, so a skipped self-issued certificate still
    // contributes to the constraints applied further along the path.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u-dev-jdk    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} chains to the subject recorded
 * in {@code prevSubject}.
 *
 * <p>Nothing is checked, and nothing is traced, when {@code prevSubject}
 * is null. Otherwise an empty issuer DN is rejected and the issuer must be
 * equal to {@code prevSubject}. Only names are compared; no signature is
 * verified in this method.
 *
 * @param cert the certificate whose issuer DN is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or
 *         differs from {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert)
    throws CertPathValidatorException
{
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    final X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is invalid.
    // NOTE(review): the original comment also mentions null issuers;
    // whether asX500Name tolerates a null argument is not visible here.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (!issuer.equals(prevSubject)) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk8u-dev-jdk    文件:ValidateCertPath.java   
/**
 * Negative test: the certification path must be rejected, and the
 * rejection must carry {@link PKIXReason#INVALID_NAME}.
 *
 * @param args command-line arguments, handed to {@code parseArgs}
 * @throws Exception if the path validates, or if it is rejected for any
 *         reason other than {@code INVALID_NAME}
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    // a path that validates is the failure case for this test
    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }

    // a rejection for the wrong reason would hide a missed name check,
    // so the reason code is compared, not just the exception type
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:jdk7-jdk    文件:KeyChecker.java   
/**
 * Verifies the key usage extension of a CA certificate.
 *
 * <p>If the extension is present it must assert the keyCertSign bit. A
 * certificate without the extension passes this check. Only
 * {@code cert.getKeyUsage()} is read here; this method does not inspect
 * the extended key usage extension.
 *
 * @param cert the CA certificate to check
 * @throws CertPathValidatorException with
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and the keyCertSign bit is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking " + checkName
            + "...");
    }

    boolean[] usage = cert.getKeyUsage();

    // getKeyUsage returns null when the certificate has no KeyUsage
    // extension; such a certificate is accepted by this check, so whether
    // it may act as a CA has to be decided elsewhere (not visible here).
    if (usage != null) {
        // NOTE(review): the array is indexed without a length check -
        // confirm every X509Certificate implementation that reaches this
        // point returns an array long enough to hold keyCertSign.
        if (!usage[keyCertSign]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set", null,
                null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                + " verified.");
        }
    }
}
项目:jdk7-jdk    文件:ConstraintsChecker.java   
/**
 * Checks {@code currCert} against the name constraints held in
 * {@code prevNC}, then replaces {@code prevNC} with the result of merging
 * in the constraints of {@code currCert}.
 *
 * <p>The check is skipped when no constraints exist yet, and for a
 * self-issued certificate that is not the final certificate of the path.
 * The merge always runs.
 *
 * @param currCert the certificate being processed
 * @throws CertPathValidatorException with {@link PKIXReason#INVALID_NAME}
 *         if the certificate violates the constraints, or wrapping the
 *         {@code IOException} raised while evaluating them
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String checkName = "name constraints";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    // Constraints are enforced only if some exist, and a self-issued
    // certificate is exempt unless it is the final certificate
    // (i == certPathLength).
    boolean enforce = prevNC != null
        && (i == certPathLength || !X509CertImpl.isSelfIssued(currCert));
    if (enforce) {
        if (debug != null) {
            debug.println("prevNC = " + prevNC);
            debug.println("currDN = " + currCert.getSubjectX500Principal());
        }

        boolean permitted;
        try {
            permitted = prevNC.verify(currCert);
        } catch (IOException ioe) {
            // An evaluation error still rejects the path, but this exception
            // carries only the cause, not PKIXReason.INVALID_NAME.
            throw new CertPathValidatorException(ioe);
        }
        if (!permitted) {
            throw new CertPathValidatorException(checkName + " check failed",
                null, null, -1, PKIXReason.INVALID_NAME);
        }
    }

    // merge name constraints regardless of whether cert is self-issued, so
    // an exempted certificate still contributes its own constraints
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk7-jdk    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} matches {@code prevSubject},
 * so that the certificate can be next in a chain.
 *
 * <p>Nothing is checked when {@code prevSubject} is {@code null}.
 * Otherwise the issuer DN must be non-empty and must be equal to
 * {@code prevSubject}; either failure is reported with
 * {@link PKIXReason#NAME_CHAINING}.
 *
 * @param cert the certificate whose issuer DN is checked
 * @param prevSubject the subject DN the issuer must match, or
 *        {@code null} to skip the check
 * @throws CertPathValidatorException if the issuer DN is empty or is not
 *         equal to {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert,
    X500Principal prevSubject) throws CertPathValidatorException
{
    // without a previous subject there is nothing to chain to
    if (prevSubject == null) {
        return;
    }

    final String checkName = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + checkName + "...");
    }

    X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN is rejected before any comparison is made.
    // NOTE(review): the message says "empty/null", but a null principal is
    // handed straight to X500Name.asX500Name; how that call treats null is
    // not visible here - confirm.
    if (X500Name.asX500Name(issuer).isEmpty()) {
        throw new CertPathValidatorException(
            checkName + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    // the match is decided entirely by X500Principal.equals
    boolean chains = issuer.equals(prevSubject);
    if (!chains) {
        throw new CertPathValidatorException(
            checkName + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(checkName + " verified.");
    }
}
项目:jdk7-jdk    文件:ValidateCertPath.java   
/**
 * Negative test: the certification path must be rejected, and the
 * rejection must carry {@link PKIXReason#INVALID_NAME}.
 *
 * @param args command-line arguments, handed to {@code parseArgs}
 * @throws Exception if the path validates, or if it is rejected for any
 *         reason other than {@code INVALID_NAME}
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException rejection = null;
    try {
        parseArgs(args);
        validate(path, params);
    } catch (CertPathValidatorException e) {
        rejection = e;
    }

    // a path that validates is the failure case for this test
    if (rejection == null) {
        throw new Exception("Successfully validated invalid path.");
    }

    // the reason code is compared as well, so that a rejection for some
    // unrelated reason does not count as a pass
    if (rejection.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + rejection.getReason());
    }
    System.out.println("Path rejected as expected: " + rejection);
}
项目:openjdk-source-code-learn    文件:KeyChecker.java   
/**
 * Verifies the key usage extension of a CA certificate.
 *
 * <p>If the extension is present it must assert the keyCertSign bit. A
 * certificate without the extension passes this check. Only
 * {@code cert.getKeyUsage()} is read here; this method does not inspect
 * the extended key usage extension.
 *
 * @param cert the CA certificate to check
 * @throws CertPathValidatorException with
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and the keyCertSign bit is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String label = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking " + label
            + "...");
    }

    boolean[] bits = cert.getKeyUsage();

    // A null array means the certificate has no KeyUsage extension; that
    // case is accepted here, so the decision whether the certificate may
    // act as a CA is not made by this method.
    if (bits != null) {
        // NOTE(review): the array is indexed without a length check -
        // confirm every X509Certificate implementation that reaches this
        // point returns an array long enough to hold keyCertSign.
        boolean canSignCerts = bits[keyCertSign];
        if (!canSignCerts) {
            throw new CertPathValidatorException(
                label + " check failed: keyCertSign bit is not set", null,
                null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + label
                + " verified.");
        }
    }
}
项目:openjdk-source-code-learn    文件:ConstraintsChecker.java   
/**
 * Checks {@code currCert} against the name constraints held in
 * {@code prevNC}, then replaces {@code prevNC} with the result of merging
 * in the constraints of {@code currCert}.
 *
 * <p>The check is skipped when no constraints exist yet, and for a
 * self-issued certificate that is not the final certificate of the path.
 * The merge always runs.
 *
 * @param currCert the certificate being processed
 * @throws CertPathValidatorException with {@link PKIXReason#INVALID_NAME}
 *         if the certificate violates the constraints, or wrapping the
 *         {@code IOException} raised while evaluating them
 */
private void verifyNameConstraints(X509Certificate currCert)
    throws CertPathValidatorException
{
    final String label = "name constraints";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    // Enforce only when constraints exist; a self-issued certificate is
    // exempt unless it is the final certificate (i == certPathLength).
    boolean enforce = prevNC != null
        && (i == certPathLength || !X509CertImpl.isSelfIssued(currCert));
    if (enforce) {
        if (debug != null) {
            debug.println("prevNC = " + prevNC);
            debug.println("currDN = " + currCert.getSubjectX500Principal());
        }

        boolean withinConstraints;
        try {
            withinConstraints = prevNC.verify(currCert);
        } catch (IOException ioe) {
            // An evaluation error still rejects the path, but this exception
            // carries only the cause, not PKIXReason.INVALID_NAME.
            throw new CertPathValidatorException(ioe);
        }
        if (!withinConstraints) {
            throw new CertPathValidatorException(label + " check failed",
                null, null, -1, PKIXReason.INVALID_NAME);
        }
    }

    // merge name constraints regardless of whether cert is self-issued, so
    // an exempted certificate still contributes its own constraints
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(label + " verified.");
    }
}
项目:openjdk-source-code-learn    文件:BasicChecker.java   
/**
 * Checks that the issuer DN of {@code cert} matches {@code prevSubject},
 * so that the certificate can be next in a chain.
 *
 * <p>Nothing is checked when {@code prevSubject} is {@code null}.
 * Otherwise the issuer DN must be non-empty and must be equal to
 * {@code prevSubject}; either failure is reported with
 * {@link PKIXReason#NAME_CHAINING}.
 *
 * @param cert the certificate whose issuer DN is checked
 * @param prevSubject the subject DN the issuer must match, or
 *        {@code null} to skip the check
 * @throws CertPathValidatorException if the issuer DN is empty or is not
 *         equal to {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert,
    X500Principal prevSubject) throws CertPathValidatorException
{
    // without a previous subject there is nothing to chain to
    if (prevSubject == null) {
        return;
    }

    final String label = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    X500Principal issuerDn = cert.getIssuerX500Principal();

    // An empty issuer DN is rejected before any comparison is made.
    // NOTE(review): the message says "empty/null", but a null principal is
    // handed straight to X500Name.asX500Name; how that call treats null is
    // not visible here - confirm.
    boolean emptyIssuer = X500Name.asX500Name(issuerDn).isEmpty();
    if (emptyIssuer) {
        throw new CertPathValidatorException(
            label + " check failed: "
                + "empty/null issuer DN in certificate is invalid",
            null, null, -1, PKIXReason.NAME_CHAINING);
    }

    // the match is decided entirely by X500Principal.equals
    if (!issuerDn.equals(prevSubject)) {
        throw new CertPathValidatorException(
            label + " check failed", null, null, -1,
            PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(label + " verified.");
    }
}
项目:openjdk-source-code-learn    文件:ValidateCertPath.java   
/**
 * Negative test: the certification path must be rejected, and the
 * rejection must carry {@link PKIXReason#INVALID_NAME}.
 *
 * @param args command-line arguments, handed to {@code parseArgs}
 * @throws Exception if the path validates, or if it is rejected for any
 *         reason other than {@code INVALID_NAME}
 */
public static void main(String[] args) throws Exception {
    CertPathValidatorException failure = null;
    try {
        parseArgs(args);
        validate(path, params);
    } catch (CertPathValidatorException e) {
        failure = e;
    }

    // a path that validates is the failure case for this test
    if (failure == null) {
        throw new Exception("Successfully validated invalid path.");
    }

    // the reason code is compared as well, so that a rejection for some
    // unrelated reason does not count as a pass
    if (failure.getReason() != PKIXReason.INVALID_NAME) {
        throw new Exception("unexpected reason: " + failure.getReason());
    }
    System.out.println("Path rejected as expected: " + failure);
}
项目:OLD-OpenJDK8    文件:KeyChecker.java   
/**
 * Verifies the key usage extension in a CA cert.
 *
 * <p>The key usage extension, if present, must assert the keyCertSign
 * bit; a certificate without the extension passes this check. The
 * extended key usage extension is not checked (see CR 4776794 for more
 * information).
 *
 * @param cert the CA certificate to check
 * @throws CertPathValidatorException with
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the extension is present
 *         and the keyCertSign bit is not set
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String checkName = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking " + checkName
                      + "...");
    }

    boolean[] usage = cert.getKeyUsage();

    // getKeyUsage returns null when the certificate has no KeyUsage
    // extension; such a certificate is accepted by this check, so whether
    // it may act as a CA has to be decided elsewhere (not visible here).
    if (usage != null) {
        // NOTE(review): the array is indexed without a length check -
        // confirm every X509Certificate implementation that reaches this
        // point returns an array long enough to hold KEY_CERT_SIGN.
        if (!usage[KEY_CERT_SIGN]) {
            throw new CertPathValidatorException(
                checkName + " check failed: keyCertSign bit is not set", null,
                null, -1, PKIXReason.INVALID_KEY_USAGE);
        }

        if (debug != null) {
            debug.println("KeyChecker.verifyCAKeyUsage() " + checkName
                          + " verified.");
        }
    }
}