org.bouncycastle.jce.provider.PKIXAttrCertPathValidatorSpi Maven / Gradle / Ivy
Show all versions of bcprov-jdk14 Show documentation
package org.bouncycastle.jce.provider; import java.security.InvalidAlgorithmParameterException; import java.security.cert.CertPath; import java.security.cert.CertPathParameters; import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathValidatorResult; import java.security.cert.CertPathValidatorSpi; import java.security.cert.PKIXParameters; import java.security.cert.X509Certificate; import java.util.Date; import java.util.HashSet; import java.util.Set; import org.bouncycastle.jcajce.PKIXExtendedParameters; import org.bouncycastle.jcajce.util.BCJcaJceHelper; import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jce.exception.ExtCertPathValidatorException; import org.bouncycastle.util.Selector; import org.bouncycastle.x509.ExtendedPKIXParameters; import org.bouncycastle.x509.X509AttributeCertStoreSelector; import org.bouncycastle.x509.X509AttributeCertificate; /** * CertPathValidatorSpi implementation for X.509 Attribute Certificates la RFC 3281. * * @see org.bouncycastle.x509.ExtendedPKIXParameters */ public class PKIXAttrCertPathValidatorSpi extends CertPathValidatorSpi { private final JcaJceHelper helper = new BCJcaJceHelper(); public PKIXAttrCertPathValidatorSpi() { } /** * Validates an attribute certificate with the given certificate path. * *
must be an instance of * ExtendedPKIXParameters. ** params
* The target constraints in the params must be an * X509AttributeCertStoreSelector with at least the attribute * certificate criterion set. Obey that also target informations may be * necessary to correctly validate this attribute certificate. *
* The attribute certificate issuer must be added to the trusted attribute * issuers with {@link org.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}. * * @param certPath The certificate path which belongs to the attribute * certificate issuer public key certificate. * @param params The PKIX parameters. * @return A PKIXCertPathValidatorResult of the result of * validating the certPath. * @throws java.security.InvalidAlgorithmParameterException if params is * inappropriate for this validator. * @throws java.security.cert.CertPathValidatorException if the verification fails. */ public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException { if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) { throw new InvalidAlgorithmParameterException( "Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance."); } Set attrCertCheckers = new HashSet(); Set prohibitedACAttrbiutes = new HashSet(); Set necessaryACAttributes = new HashSet(); Set trustedACIssuers = new HashSet(); PKIXExtendedParameters paramsPKIX; if (params instanceof PKIXParameters) { PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params); if (params instanceof ExtendedPKIXParameters) { ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params; paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled()); paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel()); attrCertCheckers = extPKIX.getAttrCertCheckers(); prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes(); necessaryACAttributes = extPKIX.getNecessaryACAttributes(); } paramsPKIX = paramsPKIXBldr.build(); } else { paramsPKIX = (PKIXExtendedParameters)params; } Selector certSelect = paramsPKIX.getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { throw new InvalidAlgorithmParameterException( "TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class."); } X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect) .getAttributeCert(); CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX); CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX); X509Certificate issuerCert = (X509Certificate) certPath .getCertificates().get(0); RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX); RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers); RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX); // 6 already done in X509AttributeCertStoreSelector RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers); RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes); Date date = null; try { date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Could not get validity date from attribute certificate.", e); } RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper); return result; } }