Diffstat (limited to 'bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java')
-rw-r--r-- | bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java
new file mode 100644
index 0000000..5d9adc8
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java
@@ -0,0 +1,63 @@
+package org.bouncycastle.cert.path.validations;
+
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.path.CertPathValidation;
+import org.bouncycastle.cert.path.CertPathValidationContext;
+import org.bouncycastle.cert.path.CertPathValidationException;
+import org.bouncycastle.util.Memoable;
+
+public class KeyUsageValidation
+ implements CertPathValidation
+{
+ private boolean isMandatory;
+
+ public KeyUsageValidation()
+ {
+ this(true);
+ }
+
+ public KeyUsageValidation(boolean isMandatory)
+ {
+ this.isMandatory = isMandatory;
+ }
+
+ public void validate(CertPathValidationContext context, X509CertificateHolder certificate)
+ throws CertPathValidationException
+ {
+ context.addHandledExtension(Extension.keyUsage);
+
+ if (!context.isEndEntity())
+ {
+ KeyUsage usage = KeyUsage.fromExtensions(certificate.getExtensions());
+
+ if (usage != null)
+ {
+ if (!usage.hasUsages(KeyUsage.keyCertSign))
+ {
+ throw new CertPathValidationException("Issuer certificate KeyUsage extension does not permit key signing");
+ }
+ }
+ else
+ {
+ if (isMandatory)
+ {
+ throw new CertPathValidationException("KeyUsage extension not present in CA certificate");
+ }
+ }
+ }
+ }
+
+ public Memoable copy()
+ {
+ return new KeyUsageValidation(isMandatory);
+ }
+
+ public void reset(Memoable other)
+ {
+ KeyUsageValidation v = (KeyUsageValidation)other;
+
+ this.isMandatory = v.isMandatory;
+ }
+}
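Review bot: validate() calls context.addHandledExtension(Extension.keyUsage) for every certificate but only inspects the extension when context.isEndEntity() is false, so the end-entity certificate's key-usage bits are marked handled without any check — presumably meaning a critical KeyUsage on the leaf will not be reported as unhandled by the context, and any leaf-specific usage check (digitalSignature, keyEncipherment, …) must be done by the application. Neither the class nor the isMandatory flag carries Javadoc saying so; I would add a class-level Javadoc stating that this validation enforces only keyCertSign on CA certificates, that isMandatory (default true) decides whether a CA certificate without a KeyUsage extension is rejected, and that end-entity key usage is deliberately left to the caller, plus a comment above the isEndEntity test: `// end-entity key usage is application-specific; only CA certificates are checked for keyCertSign here`. In reset(), the unchecked cast to KeyUsageValidation will surface a foreign Memoable as a ClassCastException; a guard such as `if (!(other instanceof KeyUsageValidation)) { throw new IllegalArgumentException("other is not a KeyUsageValidation"); }` before the cast gives a clearer failure.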