org.bouncycastle.cert.path.validations.ParentCertIssuedValidation Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of bcpkix-jdk15on Show documentation
Show all versions of bcpkix-jdk15on Show documentation
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
The newest version!
package org.bouncycastle.cert.path.validations;
import java.io.IOException;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Null;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509ContentVerifierProviderBuilder;
import org.bouncycastle.cert.path.CertPathValidation;
import org.bouncycastle.cert.path.CertPathValidationContext;
import org.bouncycastle.cert.path.CertPathValidationException;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Memoable;
public class ParentCertIssuedValidation
implements CertPathValidation
{
private X509ContentVerifierProviderBuilder contentVerifierProvider;
private X500Name workingIssuerName;
private SubjectPublicKeyInfo workingPublicKey;
private AlgorithmIdentifier workingAlgId;
public ParentCertIssuedValidation(X509ContentVerifierProviderBuilder contentVerifierProvider)
{
this.contentVerifierProvider = contentVerifierProvider;
}
public void validate(CertPathValidationContext context, X509CertificateHolder certificate)
throws CertPathValidationException
{
if (workingIssuerName != null)
{
if (!workingIssuerName.equals(certificate.getIssuer()))
{
throw new CertPathValidationException("Certificate issue does not match parent");
}
}
if (workingPublicKey != null)
{
try
{
SubjectPublicKeyInfo validatingKeyInfo;
if (workingPublicKey.getAlgorithm().equals(workingAlgId))
{
validatingKeyInfo = workingPublicKey;
}
else
{
validatingKeyInfo = new SubjectPublicKeyInfo(workingAlgId, workingPublicKey.parsePublicKey());
}
if (!certificate.isSignatureValid(contentVerifierProvider.build(validatingKeyInfo)))
{
throw new CertPathValidationException("Certificate signature not for public key in parent");
}
}
catch (OperatorCreationException e)
{
throw new CertPathValidationException("Unable to create verifier: " + e.getMessage(), e);
}
catch (CertException e)
{
throw new CertPathValidationException("Unable to validate signature: " + e.getMessage(), e);
}
catch (IOException e)
{
throw new CertPathValidationException("Unable to build public key: " + e.getMessage(), e);
}
}
workingIssuerName = certificate.getSubject();
workingPublicKey = certificate.getSubjectPublicKeyInfo();
if (workingAlgId != null)
{
// check for inherited parameters
if (workingPublicKey.getAlgorithm().getAlgorithm().equals(workingAlgId.getAlgorithm()))
{
if (!isNull(workingPublicKey.getAlgorithm().getParameters()))
{
workingAlgId = workingPublicKey.getAlgorithm();
}
}
else
{
workingAlgId = workingPublicKey.getAlgorithm();
}
}
else
{
workingAlgId = workingPublicKey.getAlgorithm();
}
}
private boolean isNull(ASN1Encodable obj)
{
return obj == null || obj instanceof ASN1Null;
}
public Memoable copy()
{
ParentCertIssuedValidation v = new ParentCertIssuedValidation(contentVerifierProvider);
v.workingAlgId = this.workingAlgId;
v.workingIssuerName = this.workingIssuerName;
v.workingPublicKey = this.workingPublicKey;
return v;
}
public void reset(Memoable other)
{
ParentCertIssuedValidation v = (ParentCertIssuedValidation)other;
this.contentVerifierProvider = v.contentVerifierProvider;
this.workingAlgId = v.workingAlgId;
this.workingIssuerName = v.workingIssuerName;
this.workingPublicKey = v.workingPublicKey;
}
}