diff options
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java')
-rw-r--r-- | bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java | 92 |
1 files changed, 75 insertions, 17 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java index 14aef43..115c198 100644 --- a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java @@ -1,5 +1,6 @@ package org.bouncycastle.jce.provider; +import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.Principal; @@ -9,6 +10,10 @@ import java.security.cert.CertPathBuilderResult; import java.security.cert.CertPathBuilderSpi; import java.security.cert.CertPathParameters; import java.security.cert.CertPathValidator; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CertificateParsingException; import java.security.cert.PKIXBuilderParameters; @@ -24,12 +29,20 @@ import java.util.Set; import javax.security.auth.x500.X500Principal; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.jcajce.PKIXCertStoreSelector; +import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters; import org.bouncycastle.jce.exception.ExtCertPathBuilderException; +import org.bouncycastle.util.Encodable; import org.bouncycastle.util.Selector; +import org.bouncycastle.util.Store; +import org.bouncycastle.util.StoreException; import org.bouncycastle.x509.ExtendedPKIXBuilderParameters; +import org.bouncycastle.x509.ExtendedPKIXParameters; import org.bouncycastle.x509.X509AttributeCertStoreSelector; import org.bouncycastle.x509.X509AttributeCertificate; import org.bouncycastle.x509.X509CertStoreSelector; +import org.bouncycastle.x509.X509Store; public class PKIXAttrCertPathBuilderSpi extends CertPathBuilderSpi @@ -45,24 +58,37 @@ public class PKIXAttrCertPathBuilderSpi throws CertPathBuilderException, InvalidAlgorithmParameterException { if (!(params instanceof PKIXBuilderParameters) - && !(params instanceof ExtendedPKIXBuilderParameters)) + && !(params instanceof ExtendedPKIXBuilderParameters) + && !(params instanceof PKIXExtendedBuilderParameters)) { throw new InvalidAlgorithmParameterException( "Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " - + ExtendedPKIXBuilderParameters.class.getName() + + PKIXExtendedBuilderParameters.class.getName() + "."); } - ExtendedPKIXBuilderParameters pkixParams; - if (params instanceof ExtendedPKIXBuilderParameters) + List targetStores = new ArrayList(); + + PKIXExtendedBuilderParameters paramsPKIX; + if (params instanceof PKIXBuilderParameters) { - pkixParams = (ExtendedPKIXBuilderParameters) params; + PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters)params); + + if (params instanceof ExtendedPKIXParameters) + { + ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters)params; + + paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts()); + paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength()); + targetStores = extPKIX.getStores(); + } + + paramsPKIX = paramsPKIXBldr.build(); } else { - pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters - .getInstance((PKIXBuilderParameters) params); + paramsPKIX = (PKIXExtendedBuilderParameters)params; } Collection targets; @@ -72,7 +98,7 @@ public class PKIXAttrCertPathBuilderSpi // search target certificates - Selector certSelect = pkixParams.getTargetConstraints(); + Selector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { throw new CertPathBuilderException( @@ -81,9 +107,10 @@ public class PKIXAttrCertPathBuilderSpi + " for "+this.getClass().getName()+" class."); } + try { - targets = CertPathValidatorUtilities.findCertificates((X509AttributeCertStoreSelector)certSelect, pkixParams.getStores()); + targets = findCertificates((X509AttributeCertStoreSelector)certSelect, targetStores); } catch (AnnotatedException e) { @@ -115,8 +142,9 @@ public class PKIXAttrCertPathBuilderSpi { selector.setSubject(((X500Principal)principals[i]).getEncoded()); } - issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); - issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getCertStores())); + PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build(); + issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertStores())); + issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertificateStores())); } catch (AnnotatedException e) { @@ -139,7 +167,7 @@ public class PKIXAttrCertPathBuilderSpi Iterator it = issuers.iterator(); while (it.hasNext() && result == null) { - result = build(cert, (X509Certificate)it.next(), pkixParams, certPathList); + result = build(cert, (X509Certificate)it.next(), paramsPKIX, certPathList); } } @@ -162,7 +190,7 @@ public class PKIXAttrCertPathBuilderSpi private Exception certPathException; private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert, - ExtendedPKIXBuilderParameters pkixParams, List tbvPath) + PKIXExtendedBuilderParameters pkixParams, List tbvPath) { // If tbvCert is readily present in tbvPath, it indicates having run @@ -208,8 +236,8 @@ public class PKIXAttrCertPathBuilderSpi try { // check whether the issuer of <tbvCert> is a TrustAnchor - if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(), - pkixParams.getSigProvider()) != null) + if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(), + pkixParams.getBaseParameters().getSigProvider()) != null) { CertPath certPath; PKIXCertPathValidatorResult result; @@ -243,10 +271,13 @@ public class PKIXAttrCertPathBuilderSpi } else { + List stores = new ArrayList(); + + stores.addAll(pkixParams.getBaseParameters().getCertificateStores()); // add additional X.509 stores from locations in certificate try { - CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams); + stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap())); } catch (CertificateParsingException e) { @@ -259,7 +290,7 @@ public class PKIXAttrCertPathBuilderSpi // of the stores try { - issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams)); + issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores)); } catch (AnnotatedException e) { @@ -300,4 +331,31 @@ public class PKIXAttrCertPathBuilderSpi return builderResult; } + protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, + List certStores) + throws AnnotatedException + { + Set certs = new HashSet(); + Iterator iter = certStores.iterator(); + + while (iter.hasNext()) + { + Object obj = iter.next(); + + if (obj instanceof Store) + { + Store certStore = (Store)obj; + try + { + certs.addAll(certStore.getMatches(certSelect)); + } + catch (StoreException e) + { + throw new AnnotatedException( + "Problem while picking certificates from X.509 store.", e); + } + } + } + return certs; + } } |