summaryrefslogtreecommitdiffstats
path: root/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
diff options
context:
space:
mode:
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java92
1 files changed, 75 insertions, 17 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
index 14aef43..115c198 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
@@ -1,5 +1,6 @@
package org.bouncycastle.jce.provider;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
@@ -9,6 +10,10 @@ import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathBuilderSpi;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
@@ -24,12 +29,20 @@ import java.util.Set;
import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.jcajce.PKIXCertStoreSelector;
+import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
import org.bouncycastle.jce.exception.ExtCertPathBuilderException;
+import org.bouncycastle.util.Encodable;
import org.bouncycastle.util.Selector;
+import org.bouncycastle.util.Store;
+import org.bouncycastle.util.StoreException;
import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;
+import org.bouncycastle.x509.ExtendedPKIXParameters;
import org.bouncycastle.x509.X509AttributeCertStoreSelector;
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CertStoreSelector;
+import org.bouncycastle.x509.X509Store;
public class PKIXAttrCertPathBuilderSpi
extends CertPathBuilderSpi
@@ -45,24 +58,37 @@ public class PKIXAttrCertPathBuilderSpi
throws CertPathBuilderException, InvalidAlgorithmParameterException
{
if (!(params instanceof PKIXBuilderParameters)
- && !(params instanceof ExtendedPKIXBuilderParameters))
+ && !(params instanceof ExtendedPKIXBuilderParameters)
+ && !(params instanceof PKIXExtendedBuilderParameters))
{
throw new InvalidAlgorithmParameterException(
"Parameters must be an instance of "
+ PKIXBuilderParameters.class.getName() + " or "
- + ExtendedPKIXBuilderParameters.class.getName()
+ + PKIXExtendedBuilderParameters.class.getName()
+ ".");
}
- ExtendedPKIXBuilderParameters pkixParams;
- if (params instanceof ExtendedPKIXBuilderParameters)
+ List targetStores = new ArrayList();
+
+ PKIXExtendedBuilderParameters paramsPKIX;
+ if (params instanceof PKIXBuilderParameters)
{
- pkixParams = (ExtendedPKIXBuilderParameters) params;
+ PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters)params);
+
+ if (params instanceof ExtendedPKIXParameters)
+ {
+ ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters)params;
+
+ paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
+ paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
+ targetStores = extPKIX.getStores();
+ }
+
+ paramsPKIX = paramsPKIXBldr.build();
}
else
{
- pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters
- .getInstance((PKIXBuilderParameters) params);
+ paramsPKIX = (PKIXExtendedBuilderParameters)params;
}
Collection targets;
@@ -72,7 +98,7 @@ public class PKIXAttrCertPathBuilderSpi
// search target certificates
- Selector certSelect = pkixParams.getTargetConstraints();
+ Selector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints();
if (!(certSelect instanceof X509AttributeCertStoreSelector))
{
throw new CertPathBuilderException(
@@ -81,9 +107,10 @@ public class PKIXAttrCertPathBuilderSpi
+ " for "+this.getClass().getName()+" class.");
}
+
try
{
- targets = CertPathValidatorUtilities.findCertificates((X509AttributeCertStoreSelector)certSelect, pkixParams.getStores());
+ targets = findCertificates((X509AttributeCertStoreSelector)certSelect, targetStores);
}
catch (AnnotatedException e)
{
@@ -115,8 +142,9 @@ public class PKIXAttrCertPathBuilderSpi
{
selector.setSubject(((X500Principal)principals[i]).getEncoded());
}
- issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores()));
- issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getCertStores()));
+ PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
+ issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertStores()));
+ issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertificateStores()));
}
catch (AnnotatedException e)
{
@@ -139,7 +167,7 @@ public class PKIXAttrCertPathBuilderSpi
Iterator it = issuers.iterator();
while (it.hasNext() && result == null)
{
- result = build(cert, (X509Certificate)it.next(), pkixParams, certPathList);
+ result = build(cert, (X509Certificate)it.next(), paramsPKIX, certPathList);
}
}
@@ -162,7 +190,7 @@ public class PKIXAttrCertPathBuilderSpi
private Exception certPathException;
private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert,
- ExtendedPKIXBuilderParameters pkixParams, List tbvPath)
+ PKIXExtendedBuilderParameters pkixParams, List tbvPath)
{
// If tbvCert is readily present in tbvPath, it indicates having run
@@ -208,8 +236,8 @@ public class PKIXAttrCertPathBuilderSpi
try
{
// check whether the issuer of <tbvCert> is a TrustAnchor
- if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(),
- pkixParams.getSigProvider()) != null)
+ if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(),
+ pkixParams.getBaseParameters().getSigProvider()) != null)
{
CertPath certPath;
PKIXCertPathValidatorResult result;
@@ -243,10 +271,13 @@ public class PKIXAttrCertPathBuilderSpi
}
else
{
+ List stores = new ArrayList();
+
+ stores.addAll(pkixParams.getBaseParameters().getCertificateStores());
// add additional X.509 stores from locations in certificate
try
{
- CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams);
+ stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap()));
}
catch (CertificateParsingException e)
{
@@ -259,7 +290,7 @@ public class PKIXAttrCertPathBuilderSpi
// of the stores
try
{
- issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams));
+ issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores));
}
catch (AnnotatedException e)
{
@@ -300,4 +331,31 @@ public class PKIXAttrCertPathBuilderSpi
return builderResult;
}
+ protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
+ List certStores)
+ throws AnnotatedException
+ {
+ Set certs = new HashSet();
+ Iterator iter = certStores.iterator();
+
+ while (iter.hasNext())
+ {
+ Object obj = iter.next();
+
+ if (obj instanceof Store)
+ {
+ Store certStore = (Store)obj;
+ try
+ {
+ certs.addAll(certStore.getMatches(certSelect));
+ }
+ catch (StoreException e)
+ {
+ throw new AnnotatedException(
+ "Problem while picking certificates from X.509 store.", e);
+ }
+ }
+ }
+ return certs;
+ }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 08:01:47 +0000