001: package org.bouncycastle.jce.provider;
002:
003: import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
004: import org.bouncycastle.util.Selector;
005: import org.bouncycastle.x509.ExtendedPKIXParameters;
006: import org.bouncycastle.x509.X509AttributeCertStoreSelector;
007: import org.bouncycastle.x509.X509AttributeCertificate;
008:
009: import java.security.InvalidAlgorithmParameterException;
010: import java.security.cert.CertPath;
011: import java.security.cert.CertPathParameters;
012: import java.security.cert.CertPathValidatorException;
013: import java.security.cert.CertPathValidatorResult;
014: import java.security.cert.CertPathValidatorSpi;
015: import java.security.cert.X509Certificate;
016: import java.util.Date;
017: import java.util.Set;
018:
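/**
 * CertPathValidatorSpi implementation for X.509 Attribute Certificates according
 * to RFC 3281.
 *
 * @see org.bouncycastle.x509.ExtendedPKIXParameters
 */
public class PKIXAttrCertPathValidatorSpi extends CertPathValidatorSpi {

    /**
     * Validates an attribute certificate with the given certificate path.
     *
     * <p>
     * <code>params</code> must be an instance of
     * <code>ExtendedPKIXParameters</code>.
     * <p>
     * The target constraints in the <code>params</code> must be an
     * <code>X509AttributeCertStoreSelector</code> with at least the attribute
     * certificate criterion set. Note that target information may also be
     * necessary to correctly validate this attribute certificate.
     * <p>
     * The attribute certificate issuer must be added to the trusted attribute
     * issuers with {@link ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
     *
     * @param certPath The certificate path which belongs to the attribute
     *            certificate issuer public key certificate. Must contain at
     *            least one certificate; the first one is taken as the issuer
     *            certificate.
     * @param params The PKIX parameters.
     * @return A <code>PKIXCertPathValidatorResult</code> of the result of
     *         validating the <code>certPath</code>.
     * @throws InvalidAlgorithmParameterException if <code>params</code> is
     *             inappropriate for this validator, including target
     *             constraints without an attribute certificate.
     * @throws CertPathValidatorException if the verification fails or
     *             <code>certPath</code> is empty.
     */
    public CertPathValidatorResult engineValidate(CertPath certPath,
        CertPathParameters params)
        throws CertPathValidatorException, InvalidAlgorithmParameterException {
        if (!(params instanceof ExtendedPKIXParameters)) {
            throw new InvalidAlgorithmParameterException("Parameters must be a "
                + ExtendedPKIXParameters.class.getName() + " instance.");
        }
        ExtendedPKIXParameters pkixParams = (ExtendedPKIXParameters) params;

        Selector certSelect = pkixParams.getTargetConstraints();
        if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
            throw new InvalidAlgorithmParameterException(
                "TargetConstraints must be an instance of "
                    + X509AttributeCertStoreSelector.class.getName() + " for "
                    + this.getClass().getName() + " class.");
        }
        X509AttributeCertificate attrCert =
            ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
        // The selector's attribute certificate is the object under validation;
        // reject a missing criterion as a parameter error instead of letting the
        // processing steps below fail with an unchecked exception.
        if (attrCert == null) {
            throw new InvalidAlgorithmParameterException(
                "TargetConstraints must have the attribute certificate criterion set.");
        }
        // The first element of the path is used as the AC issuer's public key
        // certificate; an empty path cannot identify an issuer at all.
        if (certPath.getCertificates().isEmpty()) {
            throw new CertPathValidatorException(
                "Certificate path for the attribute certificate issuer is empty.");
        }

        // Step numbering follows the processAttrCertN helpers in
        // RFC3281CertPathUtilities.
        CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(
            attrCert, pkixParams);
        CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(
            certPath, pkixParams);
        X509Certificate issuerCert = (X509Certificate) certPath.getCertificates()
            .get(0);
        RFC3281CertPathUtilities.processAttrCert3(issuerCert, pkixParams);
        RFC3281CertPathUtilities.processAttrCert4(issuerCert, pkixParams);
        RFC3281CertPathUtilities.processAttrCert5(attrCert, pkixParams);
        // 6 already done in X509AttributeCertStoreSelector
        RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath,
            holderCertPath, pkixParams);
        RFC3281CertPathUtilities.additionalChecks(attrCert, pkixParams);

        // Validity date for the revocation check, derived from the configured
        // validity model; the catch block always throws, so date is definitely
        // assigned afterwards.
        final Date date;
        try {
            date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(
                pkixParams, null, -1);
        } catch (AnnotatedException e) {
            throw new ExtCertPathValidatorException(
                "Could not get validity date from attribute certificate.", e);
        }
        // Revocation status of the attribute certificate is checked last, against
        // the issuer certificate taken from the validated path.
        RFC3281CertPathUtilities.checkCRLs(attrCert, pkixParams, issuerCert, date);
        return result;
    }
}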