Revert "betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain"

This reverts commit c4fe089610dba3d6e8929f6e163538dfae0d18da.

4 files changed, 1 insertions, 671 deletions

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
deleted file mode 100644
index 8f367598d..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.utils.ssl;
-
-import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.Key;
-import java.util.Set;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLSocket;
-
-/**
- * @author tlenz
- *
- */
-public class MOASSLAlgorithmConstraints implements AlgorithmConstraints {
-	   
-	   private AlgorithmConstraints userAlgConstraints = null;
-	   private AlgorithmConstraints peerAlgConstraints = null;
-	 
-	   private boolean enabledX509DisabledAlgConstraints = true;
-	 
-	 
-	   static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null);
-
-	   
-	   public MOASSLAlgorithmConstraints()
-	   {
-		   		   
-	   }
-
-	 
-	   static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false);
-
-	   MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints)
-	   {
-		   this.userAlgConstraints = paramAlgorithmConstraints;
-		   		   
-	   }
-	   
-	   
-	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean)
-	   {
-	     if (paramSSLSocket != null) {
-	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
-	 
-	    }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	 
-	 
-	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean)
-	   {
-	     if (paramSSLEngine != null) {
-	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
-	 
-	     }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	   
-	   MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean)
-	   {
-	     if (paramSSLSocket != null) {
-	       this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints();
-	 
-	       //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
-	 
-	     }
-	 
-	     if (!(paramBoolean))
-	       this.enabledX509DisabledAlgConstraints = false;
-	   }
-	 
-	 
-//	   MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean)
-//	   {
-//	     if (paramSSLEngine != null) {
-//	       this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints();
-//	 
-//	       this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString);
-//	 
-//	     }
-//	 
-//	     if (!(paramBoolean))
-//	       this.enabledX509DisabledAlgConstraints = false;
-//	   }
-	   
-	
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) {
-         boolean bool = true;
-
-         if (this.peerAlgConstraints != null) {
-           bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters);
-           
-         }
-	     
-         if ((bool) && (this.userAlgConstraints != null)) {
-           bool = this.userAlgConstraints.permits(primitives, algorithm, parameters);
-     
-         }
-	    	     
-        return bool;
-	
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
-		 boolean bool = true;
-		  
-		     if (this.peerAlgConstraints != null) {
-		       bool = this.peerAlgConstraints.permits(primitives, key);
-		     }
-		  
-		     if ((bool) && (this.userAlgConstraints != null)) {
-		       bool = this.userAlgConstraints.permits(primitives, key);
-		     }
-		     
-		     return bool;
-				
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters)
-	 */
-	@Override
-	public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) {
-		boolean bool = true;
-		 
-		     if (this.peerAlgConstraints != null) {
-		       bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters);
-		
-		     }
-		 
-		     if ((bool) && (this.userAlgConstraints != null)) {
-		       bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters);
-		 
-		     }
-		     
-		     return bool;
-	}
-
-}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
deleted file mode 100644
index c71d50161..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.utils.ssl;
-
-import java.lang.reflect.Constructor;
-import java.net.Socket;
-import java.security.AlgorithmConstraints;
-import java.security.Timestamp;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.HashSet;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.X509ExtendedTrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
-import sun.security.provider.certpath.AlgorithmChecker;
-import sun.security.util.DisabledAlgorithmConstraints;
-
-/**
- * @author tlenz
- *
- */
-public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager {
-
-	private X509TrustManager internalTrustManager = null; 
-	
-	
-	/**
-	 * 
-	 */
-	public MOATrustManagerWrapper(X509TrustManager trustManger) {
-		this.internalTrustManager = trustManger;
-		
-	}
-	
-	
-	
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
-			throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
-			throws CertificateException {
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
-	 */
-	@Override
-	public X509Certificate[] getAcceptedIssuers() {
-		return internalTrustManager.getAcceptedIssuers();
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			Socket paramSocket) throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			Socket paramSocket) throws CertificateException {
-		
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
-	 */
-	@Override
-	public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			SSLEngine paramSSLEngine) throws CertificateException {
-		internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true);
-
-	}
-
-	/* (non-Javadoc)
-	 * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine)
-	 */
-	@Override
-	public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString,
-			SSLEngine paramSSLEngine) throws CertificateException {
-		internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString);
-		
-		checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false);
-	}
-	
-	
-	
-	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, 
-			String paramString, Socket paramSocket, boolean isClient) throws CertificateException {
-		if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) {
-			return;
-	       
-	    }
-		
-	    SSLSocket localSSLSocket = (SSLSocket)paramSocket;
-	    SSLSession localSSLSession = localSSLSocket.getHandshakeSession();
-	    if (localSSLSession == null) {
-	    	throw new CertificateException("No handshake session");
-	    }
-	 
-	    String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm();	
-	    if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) {	    	
-	    	String peerHost = localSSLSession.getPeerHost();
-	    	checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo);
-	 
-	    }
-	    	 
-		AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");	 
-	    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
-	}
-	
-	private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, 
-			SSLEngine paramSSLEngine, boolean isClient) throws CertificateException {
-		if (paramSSLEngine != null) {
-			SSLSession localSSLSession = paramSSLEngine.getHandshakeSession();
-			if (localSSLSession == null) {
-				throw new CertificateException("No handshake session");
- 
-			}
- 
-			String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
-			if ((str != null) && (str.length() != 0)) {
-				String peerHost = localSSLSession.getPeerHost();
-				checkIdentity(peerHost, paramArrayOfX509Certificate[0], str);
-				
-			}
-	 
-			AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
-		    checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient);
-		}
-	}
-	   
-	private void checkAlgorithmConstraints(X509Certificate[] certificates, 
-			java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException {
-		try {
-			int i = certificates.length - 1;		 
-		    HashSet<X509Certificate> localHashSet = new HashSet<X509Certificate>();	
-		    X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers();
-		    
-		    if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) {
-		    	Collections.addAll(localHashSet, arrayOfX509Certificate);
-
-		    }
-		 
-		    if (localHashSet.contains(certificates[i])) {
-		    	--i;
-		    }
-		 
-		    if (i >= 0) {
-		    	PKIXCertPathChecker localAlgorithmChecker = null;
-		        Class<?> algorithCheckerClass = null;
-		        try {		        	
-		        	algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker");
-		        	Constructor<?> algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class);
-		        	localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server");
-		        	Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ...");
-		        	
-		        } catch (Throwable e) {
-		        	try {
-		        		Constructor<?> algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class);
-		        		localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint);
-		        		
-		        		Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ...");
-		        		
-		        	} catch (Throwable e1) {
-		        		Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1);
-		        		Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ...");
-		        		localAlgorithmChecker = new MOASSLAlgorithmChecker();
-		        		
-		        	}		        			        	
-		        }
-		    	
-		    	
-		    	localAlgorithmChecker.init(false);
-		        
-		        for (int j = i; j >= 0; --j) {
-		        	X509Certificate localX509Certificate = certificates[j];
-		 		        	
-		        	//localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet());
-		        	localAlgorithmChecker.check((Certificate)localX509Certificate, null);
-		        }
-		    }
-		} catch (CertPathValidatorException localCertPathValidatorException) {
-			throw new CertificateException("Certificates does not conform to algorithm constraints");
-		       
-		}
-	}
-	
-	private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) 
-			throws CertificateException {
-		if (MiscUtil.isEmpty(endpointIdenfificationAlgo))
-			return;
-		
-		if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) {
-			peerHost = peerHost.substring(1, peerHost.length() - 1);
-			
-		}
-		
-		if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) {
-			sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate);
-			
-		} else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) {
-			sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate);
-			
-		} else
-			throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo);
-	}
-	
-}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 3e793e4d1..109390132 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -147,7 +147,6 @@ public class SSLUtils {
     SSLContext ctx = SSLContext.getInstance("TLS");
     ctx.init(kms, tms, null);    
     ssf = ctx.getSocketFactory();
-        
     // store SSLSocketFactory
     sslSocketFactories.put(url, ssf);
     
@@ -260,8 +259,7 @@ public class SSLUtils {
     MOAIDTrustManager.initializeLoggingContext();    
     MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL);
     tm.init(cfg, profile);
-    return new TrustManager[] {new MOATrustManagerWrapper(tm)};
-    
+    return new TrustManager[] {tm};
   }
     
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
deleted file mode 100644
index 990b5d3b1..000000000
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.commons.validation;
-
-import java.math.BigInteger;
-import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.PKIXReason;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAParams;
-import java.security.interfaces.DSAPublicKey;
-import java.security.spec.DSAPublicKeySpec;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.Set;
-
-import sun.security.util.DisabledAlgorithmConstraints;
-import sun.security.x509.X509CertImpl;
-
-/**
- * @author tlenz
- *
- */
-public class MOASSLAlgorithmChecker extends PKIXCertPathChecker {
-
-	private final AlgorithmConstraints constraints;
-	private final PublicKey trustedPubKey;
-	private PublicKey prevPubKey;
-	private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));	 
-	private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
-	
-	private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
-
-	/**
-	 * 
-	 */
-	public MOASSLAlgorithmChecker() {
-		this.prevPubKey = null;
-		this.trustedPubKey = null;
-		this.constraints = certPathDefaultConstraints;
-		
-	}
-	
-	public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) {
-		this.prevPubKey = null;
-		this.trustedPubKey = null;
-		this.constraints = paramAlgorithmConstraints;
-	}
-	
-	
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#init(boolean)
-	 */
-	@Override
-	public void init(boolean forward) throws CertPathValidatorException {
-		if (!(forward)) {
-			if (this.trustedPubKey != null)
-				this.prevPubKey = this.trustedPubKey;
-			
-			else
-				this.prevPubKey = null;
-			
-		} else 
-			throw new CertPathValidatorException("forward checking not supported");
-
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported()
-	 */
-	@Override
-	public boolean isForwardCheckingSupported() {
-		return false;
-		
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions()
-	 */
-	@Override
-	public Set<String> getSupportedExtensions() {
-		return null;
-		
-	}
-
-	/* (non-Javadoc)
-	 * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection)
-	 */
-	@Override
-	public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
-		if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) {
-			return;	
-		
-		}
- 
-		X509CertImpl localX509CertImpl = null;
-		try {
-			localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert);
-			
-		} catch (CertificateException localCertificateException1) {
-			throw new CertPathValidatorException(localCertificateException1);
-		
-		}
-		
-		PublicKey localPublicKey = localX509CertImpl.getPublicKey();
-		String str = localX509CertImpl.getSigAlgName();
-		 
-
-		//check algorithms
-		AlgorithmParameters localAlgorithmParameters = null;
-		try {
-			sun.security.x509.AlgorithmId localAlgorithmId = null;
-			localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm");
-			localAlgorithmParameters = localAlgorithmId.getParameters();
-				
-			if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) {
-				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-			
-			}
-			
-		} catch (CertificateParsingException localCertificateException2) {
-			throw new CertPathValidatorException(localCertificateException2);
-			
-		}
- 
-
-		//check key usage
-		boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage();
-		if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9))
-			throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
-		
-		if (arrayOfBoolean != null) {
-			Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class);
-			if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) {
-				cryptoPrimitives.add(CryptoPrimitive.SIGNATURE);
-			
-			}
- 						
-			if (arrayOfBoolean[2] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
-				
-			}
- 
-			if (arrayOfBoolean[3] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
-			
-			}
-			
-			if (arrayOfBoolean[4] == true) {
-				cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT);	
-			
-			}
-			
-			if ((!(cryptoPrimitives.isEmpty())) &&  (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) {	
-				throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-				
-			}
-		}
- 
-		//check pubKeys
-		if (this.prevPubKey != null) {
-			if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) {
-				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
-				
-			}
-			
-			if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) {
-				if (!(this.prevPubKey instanceof DSAPublicKey)) {
-					throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
-					
-				}
- 
-				DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams();
-				if (localObject == null) {
-					throw new CertPathValidatorException("Key parameters missing");	
-					
-				}
-
-				try {
-					BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY();
-					KeyFactory localKeyFactory = KeyFactory.getInstance("DSA");
-					DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG());
-					localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec);
-					
-				} catch (GeneralSecurityException localGeneralSecurityException) {	
-					throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException);
-
-				}
-			}
-		}
-		
-		this.prevPubKey = localPublicKey;
-	}
-
-
-}