/**
 * Verifies the key usage extension of a CA certificate.
 *
 * <p>When the KeyUsage extension is present it must assert the keyCertSign
 * bit. A certificate that carries no KeyUsage extension at all passes this
 * check unchanged (there is nothing to examine), so callers must not rely on
 * this method to require the extension's presence. The extended key usage
 * extension is not examined here (see CR 4776794).
 *
 * @param cert the CA certificate whose key usage is examined
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the KeyUsage extension is
 *         present but keyCertSign is not asserted
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String label = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                + label + "...");
    }

    // getKeyUsage() yields null when the extension is absent; that case is
    // accepted as-is and no "verified" message is emitted for it.
    boolean[] usage = cert.getKeyUsage();
    if (usage == null) {
        return;
    }

    boolean certSignAsserted = usage[KEY_CERT_SIGN];
    if (!certSignAsserted) {
        throw new CertPathValidatorException(
                label + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
    }

    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() " + label
                + " verified.");
    }
}
/**
 * Checks {@code currCert} against the name constraints accumulated from the
 * certificates processed so far, then folds this certificate's own
 * constraints into {@code prevNC} for the certificates that follow.
 *
 * <p>The check itself is skipped when no constraints have been accumulated
 * yet ({@code prevNC == null}) and for self-issued certificates that are not
 * the final certificate in the path (RFC 5280, section 6.1.3 (b)). Merging
 * into {@code prevNC} happens in every case, so a skipped certificate still
 * tightens the constraints applied to its successors.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if the certificate violates the
 *         accumulated constraints, or wrapping an {@link IOException} raised
 *         while the constraints are evaluated
 */
private void verifyNameConstraints(X509Certificate currCert)
        throws CertPathValidatorException {
    final String label = "name constraints";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    if (prevNC != null) {
        // `i == certPathLength` presumably marks the final certificate of
        // the path — confirm against the enclosing loop. The self-issued
        // test is only reached for non-final certificates, as before.
        boolean mustCheck = (i == certPathLength)
                || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC);
                debug.println("currDN = "
                        + currCert.getSubjectX500Principal());
            }
            try {
                boolean permitted = prevNC.verify(currCert);
                if (!permitted) {
                    throw new CertPathValidatorException(
                            label + " check failed", null, null, -1,
                            PKIXReason.INVALID_NAME);
                }
            } catch (IOException ioe) {
                throw new CertPathValidatorException(ioe);
            }
        }
    }

    // Always merge, even when the check above was skipped for a
    // self-issued certificate.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(label + " verified.");
    }
}
/**
 * Checks that {@code cert}'s issuer DN chains to the subject DN of the
 * previously processed certificate.
 *
 * <p>Nothing is checked when {@code prevSubject} is {@code null} (no
 * predecessor yet). Otherwise an empty issuer DN is rejected before the
 * equality test, and the issuer must equal {@code prevSubject};
 * {@link X500Principal#equals(Object)} compares canonical forms, so
 * encoding differences alone do not break the chain.
 *
 * @param cert the certificate whose issuer is checked
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or does
 *         not match the previous subject
 */
private void verifyNameChaining(X509Certificate cert)
        throws CertPathValidatorException {
    // No predecessor: nothing to chain against.
    if (prevSubject == null) {
        return;
    }

    final String label = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN can never name a CA; reject it explicitly instead
    // of letting it fall through to the equality test below.
    boolean issuerIsEmpty = X500Name.asX500Name(issuer).isEmpty();
    if (issuerIsEmpty) {
        throw new CertPathValidatorException(
                label + " check failed: "
                        + "empty/null issuer DN in certificate is invalid",
                null, null, -1, PKIXReason.NAME_CHAINING);
    }

    boolean chains = issuer.equals(prevSubject);
    if (!chains) {
        throw new CertPathValidatorException(
                label + " check failed",
                null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(label + " verified.");
    }
}
/**
 * Checks {@code currCert} against the name constraints accumulated from the
 * certificates processed so far, then folds this certificate's own
 * constraints into {@code prevNC} for the certificates that follow.
 *
 * <p>The check itself is skipped when no constraints have been accumulated
 * yet ({@code prevNC == null}) and for self-issued certificates that are not
 * the final certificate in the path (RFC 5280, section 6.1.3 (b)). Merging
 * into {@code prevNC} happens in every case, so a skipped certificate still
 * tightens the constraints applied to its successors.
 *
 * @param currCert the certificate currently being processed
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_NAME} if the certificate violates the
 *         accumulated constraints, or wrapping an {@link IOException} raised
 *         while the constraints are evaluated
 */
private void verifyNameConstraints(X509Certificate currCert)
        throws CertPathValidatorException {
    final String label = "name constraints";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    if (prevNC != null) {
        // `i == certPathLength` presumably marks the final certificate of
        // the path — confirm against the enclosing loop. The self-issued
        // test is only reached for non-final certificates, as before.
        boolean mustCheck = (i == certPathLength)
                || !X509CertImpl.isSelfIssued(currCert);
        if (mustCheck) {
            if (debug != null) {
                debug.println("prevNC = " + prevNC + ", currDN = "
                        + currCert.getSubjectX500Principal());
            }
            try {
                boolean permitted = prevNC.verify(currCert);
                if (!permitted) {
                    throw new CertPathValidatorException(
                            label + " check failed", null, null, -1,
                            PKIXReason.INVALID_NAME);
                }
            } catch (IOException ioe) {
                throw new CertPathValidatorException(ioe);
            }
        }
    }

    // Always merge, even when the check above was skipped for a
    // self-issued certificate.
    prevNC = mergeNameConstraints(currCert, prevNC);

    if (debug != null) {
        debug.println(label + " verified.");
    }
}
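/**
 * Test entry point: parses the arguments, validates the configured path and
 * expects validation to be rejected with {@link PKIXReason#INVALID_NAME}.
 *
 * @param args command-line arguments, handed to {@code parseArgs}
 * @throws Exception if the path validates successfully, or is rejected for a
 *         reason other than {@code INVALID_NAME}; in the latter case the
 *         original {@link CertPathValidatorException} is attached as the
 *         cause so its stack trace is not lost behind the wrapper message
 */
public static void main(String[] args) throws Exception {
    try {
        parseArgs(args);
        validate(path, params);
    } catch (CertPathValidatorException e) {
        if (e.getReason() != PKIXReason.INVALID_NAME) {
            // Preserve the cause: the wrapper alone would hide where and
            // why validation actually failed.
            throw new Exception("unexpected reason: " + e.getReason(), e);
        }
        System.out.println("Path rejected as expected: " + e);
        return;
    }
    // validate() returned normally: the deliberately invalid path was
    // accepted, which is the failure this test exists to catch.
    throw new Exception("Successfully validated invalid path.");
}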
/**
 * Verifies the key usage extension of a CA certificate.
 *
 * <p>When the KeyUsage extension is present it must assert the keyCertSign
 * bit. A certificate that carries no KeyUsage extension at all passes this
 * check unchanged (there is nothing to examine), so callers must not rely on
 * this method to require the extension's presence. The extended key usage
 * extension is not examined by this method.
 *
 * @param cert the CA certificate whose key usage is examined
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#INVALID_KEY_USAGE} if the KeyUsage extension is
 *         present but keyCertSign is not asserted
 */
static void verifyCAKeyUsage(X509Certificate cert)
        throws CertPathValidatorException {
    final String label = "CA key usage";
    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() ---checking "
                + label + "...");
    }

    // getKeyUsage() yields null when the extension is absent; that case is
    // accepted as-is and no "verified" message is emitted for it.
    boolean[] usage = cert.getKeyUsage();
    if (usage == null) {
        return;
    }

    boolean certSignAsserted = usage[keyCertSign];
    if (!certSignAsserted) {
        throw new CertPathValidatorException(
                label + " check failed: keyCertSign bit is not set",
                null, null, -1, PKIXReason.INVALID_KEY_USAGE);
    }

    if (debug != null) {
        debug.println("KeyChecker.verifyCAKeyUsage() " + label
                + " verified.");
    }
}
/**
 * Checks that {@code cert}'s issuer DN chains to {@code prevSubject}, the
 * subject DN of the previously processed certificate.
 *
 * <p>Nothing is checked when {@code prevSubject} is {@code null} (no
 * predecessor yet). Otherwise an empty issuer DN is rejected before the
 * equality test, and the issuer must equal {@code prevSubject};
 * {@link X500Principal#equals(Object)} compares canonical forms, so
 * encoding differences alone do not break the chain.
 *
 * @param cert        the certificate whose issuer is checked
 * @param prevSubject the subject DN of the preceding certificate, or
 *                    {@code null} if there is none
 * @throws CertPathValidatorException with reason
 *         {@link PKIXReason#NAME_CHAINING} if the issuer DN is empty or does
 *         not match {@code prevSubject}
 */
private void verifyNameChaining(X509Certificate cert,
        X500Principal prevSubject) throws CertPathValidatorException {
    // No predecessor: nothing to chain against.
    if (prevSubject == null) {
        return;
    }

    final String label = "subject/issuer name chaining";
    if (debug != null) {
        debug.println("---checking " + label + "...");
    }

    X500Principal issuer = cert.getIssuerX500Principal();

    // An empty issuer DN can never name a CA; reject it explicitly instead
    // of letting it fall through to the equality test below.
    boolean issuerIsEmpty = X500Name.asX500Name(issuer).isEmpty();
    if (issuerIsEmpty) {
        throw new CertPathValidatorException(
                label + " check failed: "
                        + "empty/null issuer DN in certificate is invalid",
                null, null, -1, PKIXReason.NAME_CHAINING);
    }

    boolean chains = issuer.equals(prevSubject);
    if (!chains) {
        throw new CertPathValidatorException(
                label + " check failed",
                null, null, -1, PKIXReason.NAME_CHAINING);
    }

    if (debug != null) {
        debug.println(label + " verified.");
    }
}