From c4fe089610dba3d6e8929f6e163538dfae0d18da Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 25 Jul 2017 12:07:59 +0200 Subject: betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain --- .../utils/ssl/MOASSLAlgorithmConstraints.java | 175 ++++++++++++++ .../commons/utils/ssl/MOATrustManagerWrapper.java | 267 +++++++++++++++++++++ .../moa/id/commons/utils/ssl/SSLUtils.java | 4 +- .../commons/validation/MOASSLAlgorithmChecker.java | 226 +++++++++++++++++ 4 files changed, 671 insertions(+), 1 deletion(-) create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java (limited to 'id/server/moa-id-commons/src/main') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java new file mode 100644 index 000000000..8f367598d --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOASSLAlgorithmConstraints.java @@ -0,0 +1,175 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.security.AlgorithmConstraints; +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.Key; +import java.util.Set; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSocket; + +/** + * @author tlenz + * + */ +public class MOASSLAlgorithmConstraints implements AlgorithmConstraints { + + private AlgorithmConstraints userAlgConstraints = null; + private AlgorithmConstraints peerAlgConstraints = null; + + private boolean enabledX509DisabledAlgConstraints = true; + + + static final AlgorithmConstraints DEFAULT = new MOASSLAlgorithmConstraints(null); + + + public MOASSLAlgorithmConstraints() + { + + } + + + static final AlgorithmConstraints DEFAULT_SSL_ONLY = new MOASSLAlgorithmConstraints((SSLSocket)null, false); + + MOASSLAlgorithmConstraints(AlgorithmConstraints paramAlgorithmConstraints) + { + this.userAlgConstraints = paramAlgorithmConstraints; + + } + + + MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, boolean paramBoolean) + { + if (paramSSLSocket != null) { + this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + + MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, boolean paramBoolean) + { + if (paramSSLEngine != null) { + this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + MOASSLAlgorithmConstraints(SSLSocket paramSSLSocket, String[] paramArrayOfString, boolean paramBoolean) + { + if (paramSSLSocket != null) { + this.userAlgConstraints = paramSSLSocket.getSSLParameters().getAlgorithmConstraints(); + + //this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); + + } + + if (!(paramBoolean)) + this.enabledX509DisabledAlgConstraints = false; + } + + +// MOASSLAlgorithmConstraints(SSLEngine paramSSLEngine, String[] paramArrayOfString, boolean paramBoolean) +// { +// if (paramSSLEngine != null) { +// this.userAlgConstraints = paramSSLEngine.getSSLParameters().getAlgorithmConstraints(); +// +// this.peerAlgConstraints = new SupportedSignatureAlgorithmConstraints(paramArrayOfString); +// +// } +// +// if (!(paramBoolean)) +// this.enabledX509DisabledAlgConstraints = false; +// } + + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.AlgorithmParameters) + */ + @Override + public boolean permits(Set primitives, String algorithm, AlgorithmParameters parameters) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, algorithm, parameters); + + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, algorithm, parameters); + + } + + return bool; + + } + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.security.Key) + */ + @Override + public boolean permits(Set primitives, Key key) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, key); + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, key); + } + + return bool; + + } + + /* (non-Javadoc) + * @see java.security.AlgorithmConstraints#permits(java.util.Set, java.lang.String, java.security.Key, java.security.AlgorithmParameters) + */ + @Override + public boolean permits(Set primitives, String algorithm, Key key, AlgorithmParameters parameters) { + boolean bool = true; + + if (this.peerAlgConstraints != null) { + bool = this.peerAlgConstraints.permits(primitives, algorithm, key, parameters); + + } + + if ((bool) && (this.userAlgConstraints != null)) { + bool = this.userAlgConstraints.permits(primitives, algorithm, key, parameters); + + } + + return bool; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java new file mode 100644 index 000000000..c71d50161 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOATrustManagerWrapper.java @@ -0,0 +1,267 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.utils.ssl; + +import java.lang.reflect.Constructor; +import java.net.Socket; +import java.security.AlgorithmConstraints; +import java.security.Timestamp; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashSet; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.X509ExtendedTrustManager; +import javax.net.ssl.X509TrustManager; + +import at.gv.egovernment.moa.id.commons.validation.MOASSLAlgorithmChecker; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import sun.security.provider.certpath.AlgorithmChecker; +import sun.security.util.DisabledAlgorithmConstraints; + +/** + * @author tlenz + * + */ +public class MOATrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager { + + private X509TrustManager internalTrustManager = null; + + + /** + * + */ + public MOATrustManagerWrapper(X509TrustManager trustManger) { + this.internalTrustManager = trustManger; + + } + + + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) + throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) + throws CertificateException { + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() + */ + @Override + public X509Certificate[] getAcceptedIssuers() { + return internalTrustManager.getAcceptedIssuers(); + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + Socket paramSocket) throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, true); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, java.net.Socket) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + Socket paramSocket) throws CertificateException { + + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSocket, false); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) + */ + @Override + public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine) throws CertificateException { + internalTrustManager.checkClientTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, true); + + } + + /* (non-Javadoc) + * @see javax.net.ssl.X509ExtendedTrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String, javax.net.ssl.SSLEngine) + */ + @Override + public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine) throws CertificateException { + internalTrustManager.checkServerTrusted(paramArrayOfX509Certificate, paramString); + + checkAdditionalTrust(paramArrayOfX509Certificate, paramString, paramSSLEngine, false); + } + + + + private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, + String paramString, Socket paramSocket, boolean isClient) throws CertificateException { + if ((paramSocket == null) || (!(paramSocket.isConnected())) || (!(paramSocket instanceof SSLSocket))) { + return; + + } + + SSLSocket localSSLSocket = (SSLSocket)paramSocket; + SSLSession localSSLSession = localSSLSocket.getHandshakeSession(); + if (localSSLSession == null) { + throw new CertificateException("No handshake session"); + } + + String endpointIdenfificationAlgo = localSSLSocket.getSSLParameters().getEndpointIdentificationAlgorithm(); + if (MiscUtil.isNotEmpty(endpointIdenfificationAlgo)) { + String peerHost = localSSLSession.getPeerHost(); + checkIdentity(peerHost, paramArrayOfX509Certificate[0], endpointIdenfificationAlgo); + + } + + AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); + } + + private void checkAdditionalTrust(X509Certificate[] paramArrayOfX509Certificate, String paramString, + SSLEngine paramSSLEngine, boolean isClient) throws CertificateException { + if (paramSSLEngine != null) { + SSLSession localSSLSession = paramSSLEngine.getHandshakeSession(); + if (localSSLSession == null) { + throw new CertificateException("No handshake session"); + + } + + String str = paramSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm(); + if ((str != null) && (str.length() != 0)) { + String peerHost = localSSLSession.getPeerHost(); + checkIdentity(peerHost, paramArrayOfX509Certificate[0], str); + + } + + AlgorithmConstraints localSSLAlgorithmConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + checkAlgorithmConstraints(paramArrayOfX509Certificate, localSSLAlgorithmConstraints, isClient); + } + } + + private void checkAlgorithmConstraints(X509Certificate[] certificates, + java.security.AlgorithmConstraints algorithmConstraint, boolean isClient) throws CertificateException { + try { + int i = certificates.length - 1; + HashSet localHashSet = new HashSet(); + X509Certificate[] arrayOfX509Certificate = this.internalTrustManager.getAcceptedIssuers(); + + if ((arrayOfX509Certificate != null) && (arrayOfX509Certificate.length > 0)) { + Collections.addAll(localHashSet, arrayOfX509Certificate); + + } + + if (localHashSet.contains(certificates[i])) { + --i; + } + + if (i >= 0) { + PKIXCertPathChecker localAlgorithmChecker = null; + Class algorithCheckerClass = null; + try { + algorithCheckerClass = Class.forName("sun.security.provider.certpath.AlgorithmChecker"); + Constructor algorithCheckerConstructorJava8_141 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class, Timestamp.class, String.class); + localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_141.newInstance(algorithmConstraint, (Timestamp)null, isClient?"tls client":"tls server"); + Logger.trace("Use SSL AlgorithmChecker from JAVA8 >= 141 ..."); + + } catch (Throwable e) { + try { + Constructor algorithCheckerConstructorJava8_71 = algorithCheckerClass.getConstructor(AlgorithmConstraints.class); + localAlgorithmChecker = (AlgorithmChecker) algorithCheckerConstructorJava8_71.newInstance(algorithmConstraint); + + Logger.trace("Use SSL AlgorithmChecker from JAVA8 < 141 ..."); + + } catch (Throwable e1) { + Logger.error("Can NOT instance JAVA SSL AlgorithmChecker", e1); + Logger.error("USE ONE LEGACY VERSION OF ALGORITHM CHECKER ..."); + localAlgorithmChecker = new MOASSLAlgorithmChecker(); + + } + } + + + localAlgorithmChecker.init(false); + + for (int j = i; j >= 0; --j) { + X509Certificate localX509Certificate = certificates[j]; + + //localAlgorithmChecker.check((Certificate)localX509Certificate, Collections.emptySet()); + localAlgorithmChecker.check((Certificate)localX509Certificate, null); + } + } + } catch (CertPathValidatorException localCertPathValidatorException) { + throw new CertificateException("Certificates does not conform to algorithm constraints"); + + } + } + + private void checkIdentity(String peerHost, X509Certificate paramX509Certificate, String endpointIdenfificationAlgo) + throws CertificateException { + if (MiscUtil.isEmpty(endpointIdenfificationAlgo)) + return; + + if ((peerHost != null) && (peerHost.startsWith("[")) && (peerHost.endsWith("]"))) { + peerHost = peerHost.substring(1, peerHost.length() - 1); + + } + + if (endpointIdenfificationAlgo.equalsIgnoreCase("HTTPS")) { + sun.security.util.HostnameChecker.getInstance((byte)1).match(peerHost, paramX509Certificate); + + } else if ((endpointIdenfificationAlgo.equalsIgnoreCase("LDAP")) || (endpointIdenfificationAlgo.equalsIgnoreCase("LDAPS"))) { + sun.security.util.HostnameChecker.getInstance((byte)2).match(peerHost, paramX509Certificate); + + } else + throw new CertificateException("Unknown identification algorithm: " + endpointIdenfificationAlgo); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 109390132..3e793e4d1 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -147,6 +147,7 @@ public class SSLUtils { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); + // store SSLSocketFactory sslSocketFactories.put(url, ssf); @@ -259,7 +260,8 @@ public class SSLUtils { MOAIDTrustManager.initializeLoggingContext(); MOAIDTrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); - return new TrustManager[] {tm}; + return new TrustManager[] {new MOATrustManagerWrapper(tm)}; + } } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java new file mode 100644 index 000000000..990b5d3b1 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java @@ -0,0 +1,226 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.validation; + +import java.math.BigInteger; +import java.security.AlgorithmConstraints; +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.GeneralSecurityException; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.PKIXReason; +import java.security.cert.X509Certificate; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAPublicKeySpec; +import java.util.Collection; +import java.util.Collections; +import java.util.EnumSet; +import java.util.Set; + +import sun.security.util.DisabledAlgorithmConstraints; +import sun.security.x509.X509CertImpl; + +/** + * @author tlenz + * + */ +public class MOASSLAlgorithmChecker extends PKIXCertPathChecker { + + private final AlgorithmConstraints constraints; + private final PublicKey trustedPubKey; + private PublicKey prevPubKey; + private static final Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); + private static final Set KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT)); + + private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + + /** + * + */ + public MOASSLAlgorithmChecker() { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = certPathDefaultConstraints; + + } + + public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = paramAlgorithmConstraints; + } + + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#init(boolean) + */ + @Override + public void init(boolean forward) throws CertPathValidatorException { + if (!(forward)) { + if (this.trustedPubKey != null) + this.prevPubKey = this.trustedPubKey; + + else + this.prevPubKey = null; + + } else + throw new CertPathValidatorException("forward checking not supported"); + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported() + */ + @Override + public boolean isForwardCheckingSupported() { + return false; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions() + */ + @Override + public Set getSupportedExtensions() { + return null; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection) + */ + @Override + public void check(Certificate cert, Collection unresolvedCritExts) throws CertPathValidatorException { + if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) { + return; + + } + + X509CertImpl localX509CertImpl = null; + try { + localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert); + + } catch (CertificateException localCertificateException1) { + throw new CertPathValidatorException(localCertificateException1); + + } + + PublicKey localPublicKey = localX509CertImpl.getPublicKey(); + String str = localX509CertImpl.getSigAlgName(); + + + //check algorithms + AlgorithmParameters localAlgorithmParameters = null; + try { + sun.security.x509.AlgorithmId localAlgorithmId = null; + localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm"); + localAlgorithmParameters = localAlgorithmId.getParameters(); + + if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + } catch (CertificateParsingException localCertificateException2) { + throw new CertPathValidatorException(localCertificateException2); + + } + + + //check key usage + boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage(); + if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9)) + throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE); + + if (arrayOfBoolean != null) { + Set cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class); + if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) { + cryptoPrimitives.add(CryptoPrimitive.SIGNATURE); + + } + + if (arrayOfBoolean[2] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION); + + } + + if (arrayOfBoolean[3] == true) { + cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION); + + } + + if (arrayOfBoolean[4] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT); + + } + + if ((!(cryptoPrimitives.isEmpty())) && (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) { + throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + } + + //check pubKeys + if (this.prevPubKey != null) { + if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) { + if (!(this.prevPubKey instanceof DSAPublicKey)) { + throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters"); + + } + + DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams(); + if (localObject == null) { + throw new CertPathValidatorException("Key parameters missing"); + + } + + try { + BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY(); + KeyFactory localKeyFactory = KeyFactory.getInstance("DSA"); + DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG()); + localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec); + + } catch (GeneralSecurityException localGeneralSecurityException) { + throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException); + + } + } + } + + this.prevPubKey = localPublicKey; + } + + +} -- cgit v1.2.3