summaryrefslogtreecommitdiff
path: root/libjava/classpath/gnu/java/security/provider
diff options
context:
space:
mode:
authorupstream source tree <ports@midipix.org>2015-03-15 20:14:05 -0400
committerupstream source tree <ports@midipix.org>2015-03-15 20:14:05 -0400
commit554fd8c5195424bdbcabf5de30fdc183aba391bd (patch)
tree976dc5ab7fddf506dadce60ae936f43f58787092 /libjava/classpath/gnu/java/security/provider
downloadcbb-gcc-4.6.4-554fd8c5195424bdbcabf5de30fdc183aba391bd.tar.bz2
cbb-gcc-4.6.4-554fd8c5195424bdbcabf5de30fdc183aba391bd.tar.xz
obtained gcc-4.6.4.tar.bz2 from upstream website;upstream
verified gcc-4.6.4.tar.bz2.sig; imported gcc-4.6.4 source tree from verified upstream tarball. downloading a git-generated archive based on the 'upstream' tag should provide you with a source tree that is binary identical to the one extracted from the above tarball. if you have obtained the source via the command 'git clone', however, do note that line-endings of files in your working directory might differ from line-endings of the respective files in the upstream repository.
Diffstat (limited to 'libjava/classpath/gnu/java/security/provider')
-rw-r--r--libjava/classpath/gnu/java/security/provider/CollectionCertStoreImpl.java102
-rw-r--r--libjava/classpath/gnu/java/security/provider/DefaultPolicy.java68
-rw-r--r--libjava/classpath/gnu/java/security/provider/Gnu.java306
-rw-r--r--libjava/classpath/gnu/java/security/provider/PKIXCertPathValidatorImpl.java693
-rw-r--r--libjava/classpath/gnu/java/security/provider/X509CertificateFactory.java295
-rw-r--r--libjava/classpath/gnu/java/security/provider/package.html46
6 files changed, 1510 insertions, 0 deletions
diff --git a/libjava/classpath/gnu/java/security/provider/CollectionCertStoreImpl.java b/libjava/classpath/gnu/java/security/provider/CollectionCertStoreImpl.java
new file mode 100644
index 000000000..4bf3d5434
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/CollectionCertStoreImpl.java
@@ -0,0 +1,102 @@
+/* CollectionCertStore.java -- Collection-based cert store.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package gnu.java.security.provider;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.cert.CRL;
+import java.security.cert.CRLSelector;
+import java.security.cert.CertSelector;
+import java.security.cert.CertStoreException;
+import java.security.cert.CertStoreParameters;
+import java.security.cert.CertStoreSpi;
+import java.security.cert.Certificate;
+import java.security.cert.CollectionCertStoreParameters;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedList;
+
+public final class CollectionCertStoreImpl extends CertStoreSpi
+{
+
+ // Fields.
+ // -------------------------------------------------------------------------
+
+ private final Collection store;
+
+ // Constructors.
+ // -------------------------------------------------------------------------
+
+ public CollectionCertStoreImpl(CertStoreParameters params)
+ throws InvalidAlgorithmParameterException
+ {
+ super(params);
+ if (! (params instanceof CollectionCertStoreParameters))
+ throw new InvalidAlgorithmParameterException("not a CollectionCertStoreParameters object");
+ store = ((CollectionCertStoreParameters) params).getCollection();
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ public Collection engineGetCertificates(CertSelector selector)
+ throws CertStoreException
+ {
+ LinkedList result = new LinkedList();
+ for (Iterator it = store.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if ((o instanceof Certificate) && selector.match((Certificate) o))
+ result.add(o);
+ }
+ return result;
+ }
+
+ public Collection engineGetCRLs(CRLSelector selector)
+ throws CertStoreException
+ {
+ LinkedList result = new LinkedList();
+ for (Iterator it = store.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if ((o instanceof CRL) && selector.match((CRL) o))
+ result.add(o);
+ }
+ return result;
+ }
+}
diff --git a/libjava/classpath/gnu/java/security/provider/DefaultPolicy.java b/libjava/classpath/gnu/java/security/provider/DefaultPolicy.java
new file mode 100644
index 000000000..566c949da
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/DefaultPolicy.java
@@ -0,0 +1,68 @@
+/* DefaultPolicy.java --
+ Copyright (C) 2001, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package gnu.java.security.provider;
+
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+
+/**
+ * This is just a stub policy implementation which grants all permissions
+ * to any code source. FIXME: This should be replaced with a real
+ * implementation that reads the policy configuration from a file, like
+ * $JAVA_HOME/jre/lib/security/java.security.
+ */
+public class DefaultPolicy extends Policy
+{
+ static Permission allPermission = new AllPermission();
+
+ public PermissionCollection getPermissions(CodeSource codesource)
+ {
+ Permissions perms = new Permissions();
+ perms.add(allPermission);
+ return perms;
+ }
+
+ public void refresh()
+ {
+ // Nothing.
+ }
+}
diff --git a/libjava/classpath/gnu/java/security/provider/Gnu.java b/libjava/classpath/gnu/java/security/provider/Gnu.java
new file mode 100644
index 000000000..62bb0a29e
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/Gnu.java
@@ -0,0 +1,306 @@
+/* Gnu.java --- Gnu provider main class
+ Copyright (C) 1999, 2002, 2003, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package gnu.java.security.provider;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+
+public final class Gnu
+ extends Provider
+{
+ public Gnu()
+ {
+ super("GNU", 1.0,
+ "GNU provider v1.0 implementing SHA-1, MD5, DSA, RSA, X.509 "
+ + "Certificates and CRLs, PKIX certificate path validators, "
+ + "Collection cert stores, Diffie-Hellman key agreement and "
+ + "key pair generator");
+ AccessController.doPrivileged (new PrivilegedAction()
+ {
+ public Object run()
+ {
+ // Note that all implementation class names are referenced by using
+ // Class.getName(). That way when we staticly link the Gnu provider
+ // we automatically get all the implementation classes.
+
+ // Signature
+ put("Signature.SHA160withDSS",
+ gnu.java.security.jce.sig.SHA160withDSS.class.getName());
+ put("Alg.Alias.Signature.SHA1withDSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.DSS", "SHA160withDSS");
+ put("Alg.Alias.Signature.DSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.SHAwithDSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.DSAwithSHA", "SHA160withDSS");
+ put("Alg.Alias.Signature.DSAwithSHA1", "SHA160withDSS");
+ put("Alg.Alias.Signature.SHA/DSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.SHA-1/DSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.SHA1/DSA", "SHA160withDSS");
+ put("Alg.Alias.Signature.OID.1.2.840.10040.4.3", "SHA160withDSS");
+ put("Alg.Alias.Signature.1.2.840.10040.4.3", "SHA160withDSS");
+ put("Alg.Alias.Signature.1.3.14.3.2.13", "SHA160withDSS");
+ put("Alg.Alias.Signature.1.3.14.3.2.27", "SHA160withDSS");
+
+ put("Signature.MD2withRSA",
+ gnu.java.security.jce.sig.MD2withRSA.class.getName());
+ put("Signature.MD2withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.md2WithRSAEncryption", "MD2withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.2", "MD2withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.2", "MD2withRSA");
+
+ put("Signature.MD5withRSA",
+ gnu.java.security.jce.sig.MD5withRSA.class.getName());
+ put("Signature.MD5withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.md5WithRSAEncryption", "MD5withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.4", "MD5withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.4", "MD5withRSA");
+ put("Alg.Alias.Signature.RSA", "MD5withRSA");
+
+ put("Signature.SHA160withRSA",
+ gnu.java.security.jce.sig.SHA160withRSA.class.getName());
+ put("Signature.SHA160withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.sha-1WithRSAEncryption", "SHA160withRSA");
+ put("Alg.Alias.Signature.sha-160WithRSAEncryption", "SHA160withRSA");
+ put("Alg.Alias.Signature.sha1WithRSAEncryption", "SHA160withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5", "SHA160withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.5", "SHA160withRSA");
+ put("Alg.Alias.Signature.SHA1withRSA", "SHA160withRSA");
+
+ put("Signature.SHA256withRSA",
+ gnu.java.security.jce.sig.SHA256withRSA.class.getName());
+ put("Signature.SHA160withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.sha256WithRSAEncryption", "SHA256withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.11", "SHA256withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.11", "SHA256withRSA");
+
+ put("Signature.SHA384withRSA",
+ gnu.java.security.jce.sig.SHA384withRSA.class.getName());
+ put("Signature.SHA160withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.sha384WithRSAEncryption", "SHA384withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.12", "SHA384withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.12", "SHA384withRSA");
+
+ put("Signature.SHA512withRSA",
+ gnu.java.security.jce.sig.SHA512withRSA.class.getName());
+ put("Signature.SHA160withRSA ImplementedIn", "Software");
+ put("Alg.Alias.Signature.sha512WithRSAEncryption", "SHA512withRSA");
+ put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.13", "SHA512withRSA");
+ put("Alg.Alias.Signature.1.2.840.113549.1.1.13", "SHA512withRSA");
+
+ put("Signature.DSS/RAW",
+ gnu.java.security.jce.sig.DSSRawSignatureSpi.class.getName());
+ put("Signature.DSS/RAW KeySize", "1024");
+ put("Signature.DSS/RAW ImplementedIn", "Software");
+
+ put("Signature.RSA-PSS/RAW",
+ gnu.java.security.jce.sig.RSAPSSRawSignatureSpi.class.getName());
+ put("Signature.RSA-PSS/RAW KeySize", "1024");
+ put("Signature.RSA-PSS/RAW ImplementedIn", "Software");
+
+ // Key Pair Generator
+ put("KeyPairGenerator.DSS",
+ gnu.java.security.jce.sig.DSSKeyPairGeneratorSpi.class.getName());
+ put("KeyPairGenerator.DSS KeySize", "1024");
+ put("KeyPairGenerator.DSS ImplementedIn", "Software");
+ put("Alg.Alias.KeyPairGenerator.DSA", "DSS");
+ put("Alg.Alias.KeyPairGenerator.OID.1.2.840.10040.4.1", "DSS");
+ put("Alg.Alias.KeyPairGenerator.1.2.840.10040.4.1", "DSS");
+ put("Alg.Alias.KeyPairGenerator.1.3.14.3.2.12", "DSS");
+
+ put("KeyPairGenerator.RSA",
+ gnu.java.security.jce.sig.RSAKeyPairGeneratorSpi.class.getName());
+ put("KeyPairGenerator.RSA KeySize", "1024");
+ put("KeyPairGenerator.RSA ImplementedIn", "Software");
+
+ // Key Factory
+ put("KeyFactory.DSS",
+ gnu.java.security.jce.sig.DSSKeyFactory.class.getName());
+ put("Alg.Alias.KeyFactory.DSA", "DSS");
+ put("Alg.Alias.KeyFactory.OID.1.2.840.10040.4.1", "DSS");
+ put("Alg.Alias.KeyFactory.1.2.840.10040.4.1", "DSS");
+ put("Alg.Alias.KeyFactory.1.3.14.3.2.12", "DSS");
+
+ put("KeyFactory.RSA",
+ gnu.java.security.jce.sig.RSAKeyFactory.class.getName());
+
+ put("KeyFactory.Encoded",
+ gnu.java.security.jce.sig.EncodedKeyFactory.class.getName());
+ put("KeyFactory.Encoded ImplementedIn", "Software");
+ put("Alg.Alias.KeyFactory.X.509", "Encoded");
+ put("Alg.Alias.KeyFactory.X509", "Encoded");
+ put("Alg.Alias.KeyFactory.PKCS#8", "Encoded");
+ put("Alg.Alias.KeyFactory.PKCS8", "Encoded");
+
+ put("MessageDigest.HAVAL",
+ gnu.java.security.jce.hash.HavalSpi.class.getName());
+ put("MessageDigest.HAVAL ImplementedIn", "Software");
+ put("MessageDigest.MD2",
+ gnu.java.security.jce.hash.MD2Spi.class.getName());
+ put("MessageDigest.MD2 ImplementedIn", "Software");
+ put("MessageDigest.MD4",
+ gnu.java.security.jce.hash.MD4Spi.class.getName());
+ put("MessageDigest.MD4 ImplementedIn", "Software");
+ put("MessageDigest.MD5",
+ gnu.java.security.jce.hash.MD5Spi.class.getName());
+ put("MessageDigest.MD5 ImplementedIn", "Software");
+ put("MessageDigest.RIPEMD128",
+ gnu.java.security.jce.hash.RipeMD128Spi.class.getName());
+ put("MessageDigest.RIPEMD128 ImplementedIn", "Software");
+ put("MessageDigest.RIPEMD160",
+ gnu.java.security.jce.hash.RipeMD160Spi.class.getName());
+ put("MessageDigest.RIPEMD160 ImplementedIn", "Software");
+ put("MessageDigest.SHA-160",
+ gnu.java.security.jce.hash.Sha160Spi.class.getName());
+ put("MessageDigest.SHA-160 ImplementedIn", "Software");
+ put("MessageDigest.SHA-256",
+ gnu.java.security.jce.hash.Sha256Spi.class.getName());
+ put("MessageDigest.SHA-256 ImplementedIn", "Software");
+ put("MessageDigest.SHA-384",
+ gnu.java.security.jce.hash.Sha384Spi.class.getName());
+ put("MessageDigest.SHA-384 ImplementedIn", "Software");
+ put("MessageDigest.SHA-512",
+ gnu.java.security.jce.hash.Sha512Spi.class.getName());
+ put("MessageDigest.SHA-512 ImplementedIn", "Software");
+ put("MessageDigest.TIGER",
+ gnu.java.security.jce.hash.TigerSpi.class.getName());
+ put("MessageDigest.TIGER ImplementedIn", "Software");
+ put("MessageDigest.WHIRLPOOL",
+ gnu.java.security.jce.hash.WhirlpoolSpi.class.getName());
+ put("MessageDigest.WHIRLPOOL ImplementedIn", "Software");
+
+ put("Alg.Alias.MessageDigest.SHS", "SHA-160");
+ put("Alg.Alias.MessageDigest.SHA", "SHA-160");
+ put("Alg.Alias.MessageDigest.SHA1", "SHA-160");
+ put("Alg.Alias.MessageDigest.SHA-1", "SHA-160");
+ put("Alg.Alias.MessageDigest.SHA2-256", "SHA-256");
+ put("Alg.Alias.MessageDigest.SHA2-384", "SHA-384");
+ put("Alg.Alias.MessageDigest.SHA2-512", "SHA-512");
+ put("Alg.Alias.MessageDigest.SHA256", "SHA-256");
+ put("Alg.Alias.MessageDigest.SHA384", "SHA-384");
+ put("Alg.Alias.MessageDigest.SHA512", "SHA-512");
+ put("Alg.Alias.MessageDigest.RIPEMD-160", "RIPEMD160");
+ put("Alg.Alias.MessageDigest.RIPEMD-128", "RIPEMD128");
+ put("Alg.Alias.MessageDigest.OID.1.2.840.11359.2.2", "MD2");
+ put("Alg.Alias.MessageDigest.1.2.840.11359.2.2", "MD2");
+ put("Alg.Alias.MessageDigest.OID.1.2.840.11359.2.5", "MD5");
+ put("Alg.Alias.MessageDigest.1.2.840.11359.2.5", "MD5");
+ put("Alg.Alias.MessageDigest.OID.1.3.14.3.2.26", "SHA1");
+ put("Alg.Alias.MessageDigest.1.3.14.3.2.26", "SHA1");
+
+ // Algorithm Parameters
+ put("AlgorithmParameters.DSS",
+ gnu.java.security.jce.sig.DSSParameters.class.getName());
+ put("Alg.Alias.AlgorithmParameters.DSA", "DSS");
+ put("Alg.Alias.AlgorithmParameters.SHAwithDSA", "DSS");
+ put("Alg.Alias.AlgorithmParameters.OID.1.2.840.10040.4.3", "DSS");
+ put("Alg.Alias.AlgorithmParameters.1.2.840.10040.4.3", "DSS");
+
+ // Algorithm Parameter Generator
+ put("AlgorithmParameterGenerator.DSA",
+ gnu.java.security.jce.sig.DSSParametersGenerator.class.getName());
+ put("Alg.Alias.AlgorithmParameterGenerator.DSA", "DSS");
+
+ // SecureRandom
+ put("SecureRandom.SHA1PRNG",
+ gnu.java.security.jce.prng.Sha160RandomSpi.class.getName());
+
+ put("SecureRandom.MD2PRNG",
+ gnu.java.security.jce.prng.MD2RandomSpi.class.getName());
+ put("SecureRandom.MD2PRNG ImplementedIn", "Software");
+ put("SecureRandom.MD4PRNG",
+ gnu.java.security.jce.prng.MD4RandomSpi.class.getName());
+ put("SecureRandom.MD4PRNG ImplementedIn", "Software");
+ put("SecureRandom.MD5PRNG",
+ gnu.java.security.jce.prng.MD5RandomSpi.class.getName());
+ put("SecureRandom.MD5PRNG ImplementedIn", "Software");
+ put("SecureRandom.RIPEMD128PRNG",
+ gnu.java.security.jce.prng.RipeMD128RandomSpi.class.getName());
+ put("SecureRandom.RIPEMD128PRNG ImplementedIn", "Software");
+ put("SecureRandom.RIPEMD160PRNG",
+ gnu.java.security.jce.prng.RipeMD160RandomSpi.class.getName());
+ put("SecureRandom.RIPEMD160PRNG ImplementedIn", "Software");
+ put("SecureRandom.SHA-160PRNG",
+ gnu.java.security.jce.prng.Sha160RandomSpi.class.getName());
+ put("SecureRandom.SHA-160PRNG ImplementedIn", "Software");
+ put("SecureRandom.SHA-256PRNG",
+ gnu.java.security.jce.prng.Sha256RandomSpi.class.getName());
+ put("SecureRandom.SHA-256PRNG ImplementedIn", "Software");
+ put("SecureRandom.SHA-384PRNG",
+ gnu.java.security.jce.prng.Sha384RandomSpi.class.getName());
+ put("SecureRandom.SHA-384PRNG ImplementedIn", "Software");
+ put("SecureRandom.SHA-512PRNG",
+ gnu.java.security.jce.prng.Sha512RandomSpi.class.getName());
+ put("SecureRandom.SHA-512PRNG ImplementedIn", "Software");
+ put("SecureRandom.TIGERPRNG",
+ gnu.java.security.jce.prng.TigerRandomSpi.class.getName());
+ put("SecureRandom.TIGERPRNG ImplementedIn", "Software");
+ put("SecureRandom.HAVALPRNG",
+ gnu.java.security.jce.prng.HavalRandomSpi.class.getName());
+ put("SecureRandom.HAVALPRNG ImplementedIn", "Software");
+ put("SecureRandom.WHIRLPOOLPRNG",
+ gnu.java.security.jce.prng.WhirlpoolRandomSpi.class.getName());
+ put("SecureRandom.WHIRLPOOLPRNG ImplementedIn", "Software");
+
+ put("Alg.Alias.SecureRandom.SHA-1PRNG", "SHA-160PRNG");
+ put("Alg.Alias.SecureRandom.SHA1PRNG", "SHA-160PRNG");
+ put("Alg.Alias.SecureRandom.SHAPRNG", "SHA-160PRNG");
+ put("Alg.Alias.SecureRandom.SHA-256PRNG", "SHA-256PRNG");
+ put("Alg.Alias.SecureRandom.SHA-2-1PRNG", "SHA-256PRNG");
+ put("Alg.Alias.SecureRandom.SHA-384PRNG", "SHA-384PRNG");
+ put("Alg.Alias.SecureRandom.SHA-2-2PRNG", "SHA-384PRNG");
+ put("Alg.Alias.SecureRandom.SHA-512PRNG", "SHA-512PRNG");
+ put("Alg.Alias.SecureRandom.SHA-2-3PRNG", "SHA-512PRNG");
+
+ // CertificateFactory
+ put("CertificateFactory.X509", X509CertificateFactory.class.getName());
+ put("CertificateFactory.X509 ImplementedIn", "Software");
+ put("Alg.Alias.CertificateFactory.X.509", "X509");
+
+ // CertPathValidator
+ put("CertPathValidator.PKIX", PKIXCertPathValidatorImpl.class.getName());
+ put("CertPathValidator.PKIX ImplementedIn", "Software");
+
+ // CertStore
+ put("CertStore.Collection", CollectionCertStoreImpl.class.getName());
+
+ return null;
+ }
+ });
+ }
+}
diff --git a/libjava/classpath/gnu/java/security/provider/PKIXCertPathValidatorImpl.java b/libjava/classpath/gnu/java/security/provider/PKIXCertPathValidatorImpl.java
new file mode 100644
index 000000000..d4ce4aeb4
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/PKIXCertPathValidatorImpl.java
@@ -0,0 +1,693 @@
+/* PKIXCertPathValidatorImpl.java -- PKIX certificate path validator.
+ Copyright (C) 2004, 2005, 2006 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package gnu.java.security.provider;
+
+import gnu.java.security.Configuration;
+import gnu.java.security.OID;
+import gnu.java.security.Registry;
+import gnu.java.security.key.dss.DSSPublicKey;
+import gnu.java.security.x509.GnuPKIExtension;
+import gnu.java.security.x509.PolicyNodeImpl;
+import gnu.java.security.x509.X509CRLSelectorImpl;
+import gnu.java.security.x509.X509CertSelectorImpl;
+import gnu.java.security.x509.ext.BasicConstraints;
+import gnu.java.security.x509.ext.CertificatePolicies;
+import gnu.java.security.x509.ext.Extension;
+import gnu.java.security.x509.ext.KeyUsage;
+import gnu.java.security.x509.ext.PolicyConstraint;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.PublicKey;
+import java.security.cert.CRL;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathParameters;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorResult;
+import java.security.cert.CertPathValidatorSpi;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXCertPathValidatorResult;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Logger;
+
+/**
+ * An implementation of the Public Key Infrastructure's X.509 certificate path
+ * validation algorithm.
+ * <p>
+ * See <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
+ * Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
+ * Profile</a>.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class PKIXCertPathValidatorImpl
+ extends CertPathValidatorSpi
+{
+ private static final Logger log = Logger.getLogger(PKIXCertPathValidatorImpl.class.getName());
+
+ public static final String ANY_POLICY = "2.5.29.32.0";
+
+ public PKIXCertPathValidatorImpl()
+ {
+ super();
+ }
+
+ public CertPathValidatorResult engineValidate(CertPath path,
+ CertPathParameters params)
+ throws CertPathValidatorException, InvalidAlgorithmParameterException
+ {
+ if (! (params instanceof PKIXParameters))
+ throw new InvalidAlgorithmParameterException("not a PKIXParameters object");
+ // First check if the certificate path is valid.
+ //
+ // This means that:
+ //
+ // (a) for all x in {1, ..., n-1}, the subject of certificate x is
+ // the issuer of certificate x+1;
+ //
+ // (b) for all x in {1, ..., n}, the certificate was valid at the
+ // time in question.
+ //
+ // Because this is the X.509 algorithm, we also check if all
+ // cerificates are of type X509Certificate.
+ PolicyNodeImpl rootNode = new PolicyNodeImpl();
+ Set initPolicies = ((PKIXParameters) params).getInitialPolicies();
+ rootNode.setValidPolicy(ANY_POLICY);
+ rootNode.setCritical(false);
+ rootNode.setDepth(0);
+ if (initPolicies != null)
+ rootNode.addAllExpectedPolicies(initPolicies);
+ else
+ rootNode.addExpectedPolicy(ANY_POLICY);
+ List checks = ((PKIXParameters) params).getCertPathCheckers();
+ List l = path.getCertificates();
+ if (l == null || l.size() == 0)
+ throw new CertPathValidatorException();
+ X509Certificate[] p = null;
+ try
+ {
+ p = (X509Certificate[]) l.toArray(new X509Certificate[l.size()]);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new CertPathValidatorException("invalid certificate path");
+ }
+ String sigProvider = ((PKIXParameters) params).getSigProvider();
+ PublicKey prevKey = null;
+ Date now = ((PKIXParameters) params).getDate();
+ if (now == null)
+ now = new Date();
+ LinkedList policyConstraints = new LinkedList();
+ for (int i = p.length - 1; i >= 0; i--)
+ {
+ try
+ {
+ p[i].checkValidity(now);
+ }
+ catch (CertificateException ce)
+ {
+ throw new CertPathValidatorException(ce.toString());
+ }
+ Set uce = getCritExts(p[i]);
+ for (Iterator check = checks.iterator(); check.hasNext();)
+ {
+ try
+ {
+ ((PKIXCertPathChecker) check.next()).check(p[i], uce);
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ PolicyConstraint constr = null;
+ if (p[i] instanceof GnuPKIExtension)
+ {
+ Extension pcx = ((GnuPKIExtension) p[i]).getExtension(PolicyConstraint.ID);
+ if (pcx != null)
+ constr = (PolicyConstraint) pcx.getValue();
+ }
+ else
+ {
+ byte[] pcx = p[i].getExtensionValue(PolicyConstraint.ID.toString());
+ if (pcx != null)
+ {
+ try
+ {
+ constr = new PolicyConstraint(pcx);
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ }
+ if (constr != null && constr.getRequireExplicitPolicy() >= 0)
+ policyConstraints.add(new int[] { p.length - i,
+ constr.getRequireExplicitPolicy() });
+ updatePolicyTree(p[i], rootNode, p.length - i, (PKIXParameters) params,
+ checkExplicitPolicy(p.length - i, policyConstraints));
+ // The rest of the tests involve this cert's relationship with the
+ // next in the path. If this cert is the end entity, we can stop.
+ if (i == 0)
+ break;
+
+ basicSanity(p, i);
+ PublicKey pubKey = null;
+ try
+ {
+ pubKey = p[i].getPublicKey();
+ if (pubKey instanceof DSAPublicKey)
+ {
+ DSAParams dsa = ((DSAPublicKey) pubKey).getParams();
+ // If the DSA public key is missing its parameters, use those
+ // from the previous cert's key.
+ if (dsa == null || dsa.getP() == null || dsa.getG() == null
+ || dsa.getQ() == null)
+ {
+ if (prevKey == null)
+ throw new InvalidKeyException("DSA keys not chainable");
+ if (! (prevKey instanceof DSAPublicKey))
+ throw new InvalidKeyException("DSA keys not chainable");
+ dsa = ((DSAPublicKey) prevKey).getParams();
+ pubKey = new DSSPublicKey(Registry.X509_ENCODING_ID,
+ dsa.getP(), dsa.getQ(),
+ dsa.getG(),
+ ((DSAPublicKey) pubKey).getY());
+ }
+ }
+ if (sigProvider == null)
+ p[i - 1].verify(pubKey);
+ else
+ p[i - 1].verify(pubKey, sigProvider);
+ prevKey = pubKey;
+ }
+ catch (Exception e)
+ {
+ throw new CertPathValidatorException(e.toString());
+ }
+ if (! p[i].getSubjectDN().equals(p[i - 1].getIssuerDN()))
+ throw new CertPathValidatorException("issuer DN mismatch");
+ boolean[] issuerUid = p[i - 1].getIssuerUniqueID();
+ boolean[] subjectUid = p[i].getSubjectUniqueID();
+ if (issuerUid != null && subjectUid != null)
+ if (! Arrays.equals(issuerUid, subjectUid))
+ throw new CertPathValidatorException("UID mismatch");
+
+ // Check the certificate against the revocation lists.
+ if (((PKIXParameters) params).isRevocationEnabled())
+ {
+ X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
+ try
+ {
+ selector.addIssuerName(p[i].getSubjectDN());
+ }
+ catch (IOException ioe)
+ {
+ throw new CertPathValidatorException("error selecting CRLs");
+ }
+ List certStores = ((PKIXParameters) params).getCertStores();
+ List crls = new LinkedList();
+ for (Iterator it = certStores.iterator(); it.hasNext();)
+ {
+ CertStore cs = (CertStore) it.next();
+ try
+ {
+ Collection c = cs.getCRLs(selector);
+ crls.addAll(c);
+ }
+ catch (CertStoreException cse)
+ {
+ }
+ }
+ if (crls.isEmpty())
+ throw new CertPathValidatorException("no CRLs for issuer");
+ boolean certOk = false;
+ for (Iterator it = crls.iterator(); it.hasNext();)
+ {
+ CRL crl = (CRL) it.next();
+ if (! (crl instanceof X509CRL))
+ continue;
+ X509CRL xcrl = (X509CRL) crl;
+ if (! checkCRL(xcrl, p, now, p[i], pubKey, certStores))
+ continue;
+ if (xcrl.isRevoked(p[i - 1]))
+ throw new CertPathValidatorException("certificate is revoked");
+ else
+ certOk = true;
+ }
+ if (! certOk)
+ throw new CertPathValidatorException(
+ "certificate's validity could not be determined");
+ }
+ }
+ rootNode.setReadOnly();
+ // Now ensure that the first certificate in the chain was issued
+ // by a trust anchor.
+ Exception cause = null;
+ Set anchors = ((PKIXParameters) params).getTrustAnchors();
+ for (Iterator i = anchors.iterator(); i.hasNext();)
+ {
+ TrustAnchor anchor = (TrustAnchor) i.next();
+ X509Certificate anchorCert = null;
+ PublicKey anchorKey = null;
+ if (anchor.getTrustedCert() != null)
+ {
+ anchorCert = anchor.getTrustedCert();
+ anchorKey = anchorCert.getPublicKey();
+ }
+ else
+ anchorKey = anchor.getCAPublicKey();
+ if (anchorKey == null)
+ continue;
+ try
+ {
+ if (anchorCert != null)
+ anchorCert.checkValidity(now);
+ p[p.length - 1].verify(anchorKey);
+ if (anchorCert != null && anchorCert.getBasicConstraints() >= 0
+ && anchorCert.getBasicConstraints() < p.length)
+ continue;
+
+ if (((PKIXParameters) params).isRevocationEnabled())
+ {
+ X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
+ if (anchorCert != null)
+ try
+ {
+ selector.addIssuerName(anchorCert.getSubjectDN());
+ }
+ catch (IOException ioe)
+ {
+ }
+ else
+ selector.addIssuerName(anchor.getCAName());
+ List certStores = ((PKIXParameters) params).getCertStores();
+ List crls = new LinkedList();
+ for (Iterator it = certStores.iterator(); it.hasNext();)
+ {
+ CertStore cs = (CertStore) it.next();
+ try
+ {
+ Collection c = cs.getCRLs(selector);
+ crls.addAll(c);
+ }
+ catch (CertStoreException cse)
+ {
+ }
+ }
+ if (crls.isEmpty())
+ continue;
+ for (Iterator it = crls.iterator(); it.hasNext();)
+ {
+ CRL crl = (CRL) it.next();
+ if (! (crl instanceof X509CRL))
+ continue;
+ X509CRL xcrl = (X509CRL) crl;
+ try
+ {
+ xcrl.verify(anchorKey);
+ }
+ catch (Exception x)
+ {
+ continue;
+ }
+ Date nextUpdate = xcrl.getNextUpdate();
+ if (nextUpdate != null && nextUpdate.compareTo(now) < 0)
+ continue;
+ if (xcrl.isRevoked(p[p.length - 1]))
+ throw new CertPathValidatorException("certificate is revoked");
+ }
+ }
+ // The chain is valid; return the result.
+ return new PKIXCertPathValidatorResult(anchor, rootNode,
+ p[0].getPublicKey());
+ }
+ catch (Exception ignored)
+ {
+ cause = ignored;
+ continue;
+ }
+ }
+ // The path is not valid.
+ CertPathValidatorException cpve =
+ new CertPathValidatorException("path validation failed");
+ if (cause != null)
+ cpve.initCause(cause);
+ throw cpve;
+ }
+
+ /**
+ * Check if a given CRL is acceptable for checking the revocation status of
+ * certificates in the path being checked.
+ * <p>
+ * The CRL is accepted iff:
+ * <ol>
+ * <li>The <i>nextUpdate</i> field (if present) is in the future.</li>
+ * <li>The CRL does not contain any unsupported critical extensions.</li>
+ * <li>The CRL is signed by one of the certificates in the path, or,</li>
+ * <li>The CRL is signed by the given public key and was issued by the public
+ * key's subject, or,</li>
+ * <li>The CRL is signed by a certificate in the given cert stores, and that
+ * cert is signed by one of the certificates in the path.</li>
+ * </ol>
+ *
+ * @param crl The CRL being checked.
+ * @param path The path this CRL is being checked against.
+ * @param now The value to use as 'now'.
+ * @param pubKeyCert The certificate authenticating the public key.
+ * @param pubKey The public key to check.
+ * @return True if the CRL is acceptable.
+ */
+ private static boolean checkCRL(X509CRL crl, X509Certificate[] path,
+ Date now, X509Certificate pubKeyCert,
+ PublicKey pubKey, List certStores)
+ {
+ Date nextUpdate = crl.getNextUpdate();
+ if (nextUpdate != null && nextUpdate.compareTo(now) < 0)
+ return false;
+ if (crl.hasUnsupportedCriticalExtension())
+ return false;
+ for (int i = 0; i < path.length; i++)
+ {
+ if (! path[i].getSubjectDN().equals(crl.getIssuerDN()))
+ continue;
+ boolean[] keyUsage = path[i].getKeyUsage();
+ if (keyUsage != null)
+ {
+ if (! keyUsage[KeyUsage.CRL_SIGN])
+ continue;
+ }
+ try
+ {
+ crl.verify(path[i].getPublicKey());
+ return true;
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ if (crl.getIssuerDN().equals(pubKeyCert.getSubjectDN()))
+ {
+ try
+ {
+ boolean[] keyUsage = pubKeyCert.getKeyUsage();
+ if (keyUsage != null)
+ {
+ if (! keyUsage[KeyUsage.CRL_SIGN])
+ throw new Exception();
+ }
+ crl.verify(pubKey);
+ return true;
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ try
+ {
+ X509CertSelectorImpl select = new X509CertSelectorImpl();
+ select.addSubjectName(crl.getIssuerDN());
+ List certs = new LinkedList();
+ for (Iterator it = certStores.iterator(); it.hasNext();)
+ {
+ CertStore cs = (CertStore) it.next();
+ try
+ {
+ certs.addAll(cs.getCertificates(select));
+ }
+ catch (CertStoreException cse)
+ {
+ }
+ }
+ for (Iterator it = certs.iterator(); it.hasNext();)
+ {
+ X509Certificate c = (X509Certificate) it.next();
+ for (int i = 0; i < path.length; i++)
+ {
+ if (! c.getIssuerDN().equals(path[i].getSubjectDN()))
+ continue;
+ boolean[] keyUsage = c.getKeyUsage();
+ if (keyUsage != null)
+ {
+ if (! keyUsage[KeyUsage.CRL_SIGN])
+ continue;
+ }
+ try
+ {
+ c.verify(path[i].getPublicKey());
+ crl.verify(c.getPublicKey());
+ return true;
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ if (c.getIssuerDN().equals(pubKeyCert.getSubjectDN()))
+ {
+ c.verify(pubKey);
+ crl.verify(c.getPublicKey());
+ }
+ }
+ }
+ catch (Exception x)
+ {
+ }
+ return false;
+ }
+
+ private static Set getCritExts(X509Certificate cert)
+ {
+ HashSet s = new HashSet();
+ if (cert instanceof GnuPKIExtension)
+ {
+ Collection exts = ((GnuPKIExtension) cert).getExtensions();
+ for (Iterator it = exts.iterator(); it.hasNext();)
+ {
+ Extension ext = (Extension) it.next();
+ if (ext.isCritical() && ! ext.isSupported())
+ s.add(ext.getOid().toString());
+ }
+ }
+ else
+ s.addAll(cert.getCriticalExtensionOIDs());
+ return s;
+ }
+
+ /**
+ * Perform a basic sanity check on the CA certificate at <code>index</code>.
+ */
+ private static void basicSanity(X509Certificate[] path, int index)
+ throws CertPathValidatorException
+ {
+ X509Certificate cert = path[index];
+ int pathLen = 0;
+ for (int i = index - 1; i > 0; i--)
+ {
+ if (! path[i].getIssuerDN().equals(path[i].getSubjectDN()))
+ pathLen++;
+ }
+ Extension e = null;
+ if (cert instanceof GnuPKIExtension)
+ {
+ e = ((GnuPKIExtension) cert).getExtension(BasicConstraints.ID);
+ }
+ else
+ {
+ try
+ {
+ e = new Extension(cert.getExtensionValue(BasicConstraints.ID.toString()));
+ }
+ catch (Exception x)
+ {
+ }
+ }
+ if (e == null)
+ throw new CertPathValidatorException("no basicConstraints");
+ BasicConstraints bc = (BasicConstraints) e.getValue();
+ if (! bc.isCA())
+ throw new CertPathValidatorException(
+ "certificate cannot be used to verify signatures");
+ if (bc.getPathLengthConstraint() >= 0
+ && bc.getPathLengthConstraint() < pathLen)
+ throw new CertPathValidatorException("path is too long");
+
+ boolean[] keyUsage = cert.getKeyUsage();
+ if (keyUsage != null)
+ {
+ if (! keyUsage[KeyUsage.KEY_CERT_SIGN])
+ throw new CertPathValidatorException(
+ "certificate cannot be used to sign certificates");
+ }
+ }
+
+ private static void updatePolicyTree(X509Certificate cert,
+ PolicyNodeImpl root, int depth,
+ PKIXParameters params,
+ boolean explicitPolicy)
+ throws CertPathValidatorException
+ {
+ if (Configuration.DEBUG)
+ log.fine("updatePolicyTree depth == " + depth);
+ Set nodes = new HashSet();
+ LinkedList stack = new LinkedList();
+ Iterator current = null;
+ stack.addLast(Collections.singleton(root).iterator());
+ do
+ {
+ current = (Iterator) stack.removeLast();
+ while (current.hasNext())
+ {
+ PolicyNodeImpl p = (PolicyNodeImpl) current.next();
+ if (Configuration.DEBUG)
+ log.fine("visiting node == " + p);
+ if (p.getDepth() == depth - 1)
+ {
+ if (Configuration.DEBUG)
+ log.fine("added node");
+ nodes.add(p);
+ }
+ else
+ {
+ if (Configuration.DEBUG)
+ log.fine("skipped node");
+ stack.addLast(current);
+ current = p.getChildren();
+ }
+ }
+ }
+ while (! stack.isEmpty());
+
+ Extension e = null;
+ CertificatePolicies policies = null;
+ List qualifierInfos = null;
+ if (cert instanceof GnuPKIExtension)
+ {
+ e = ((GnuPKIExtension) cert).getExtension(CertificatePolicies.ID);
+ if (e != null)
+ policies = (CertificatePolicies) e.getValue();
+ }
+
+ List cp = null;
+ if (policies != null)
+ cp = policies.getPolicies();
+ else
+ cp = Collections.EMPTY_LIST;
+ boolean match = false;
+ if (Configuration.DEBUG)
+ {
+ log.fine("nodes are == " + nodes);
+ log.fine("cert policies are == " + cp);
+ }
+ for (Iterator it = nodes.iterator(); it.hasNext();)
+ {
+ PolicyNodeImpl parent = (PolicyNodeImpl) it.next();
+ if (Configuration.DEBUG)
+ log.fine("adding policies to " + parent);
+ for (Iterator it2 = cp.iterator(); it2.hasNext();)
+ {
+ OID policy = (OID) it2.next();
+ if (Configuration.DEBUG)
+ log.fine("trying to add policy == " + policy);
+ if (policy.toString().equals(ANY_POLICY)
+ && params.isAnyPolicyInhibited())
+ continue;
+ PolicyNodeImpl child = new PolicyNodeImpl();
+ child.setValidPolicy(policy.toString());
+ child.addExpectedPolicy(policy.toString());
+ if (parent.getExpectedPolicies().contains(policy.toString()))
+ {
+ parent.addChild(child);
+ match = true;
+ }
+ else if (parent.getExpectedPolicies().contains(ANY_POLICY))
+ {
+ parent.addChild(child);
+ match = true;
+ }
+ else if (ANY_POLICY.equals(policy.toString()))
+ {
+ parent.addChild(child);
+ match = true;
+ }
+ if (match && policies != null)
+ {
+ List qualifiers = policies.getPolicyQualifierInfos(policy);
+ if (qualifiers != null)
+ child.addAllPolicyQualifiers(qualifiers);
+ }
+ }
+ }
+ if (! match && (params.isExplicitPolicyRequired() || explicitPolicy))
+ throw new CertPathValidatorException("policy tree building failed");
+ }
+
+ private boolean checkExplicitPolicy(int depth, List explicitPolicies)
+ {
+ if (Configuration.DEBUG)
+ log.fine("checkExplicitPolicy depth=" + depth);
+ for (Iterator it = explicitPolicies.iterator(); it.hasNext();)
+ {
+ int[] i = (int[]) it.next();
+ int caDepth = i[0];
+ int limit = i[1];
+ if (Configuration.DEBUG)
+ log.fine(" caDepth=" + caDepth + " limit=" + limit);
+ if (depth - caDepth >= limit)
+ return true;
+ }
+ return false;
+ }
+}
diff --git a/libjava/classpath/gnu/java/security/provider/X509CertificateFactory.java b/libjava/classpath/gnu/java/security/provider/X509CertificateFactory.java
new file mode 100644
index 000000000..644033156
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/X509CertificateFactory.java
@@ -0,0 +1,295 @@
+/* X509CertificateFactory.java -- generates X.509 certificates.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package gnu.java.security.provider;
+
+import gnu.java.io.Base64InputStream;
+import gnu.java.lang.CPStringBuilder;
+import gnu.java.security.x509.X509CRL;
+import gnu.java.security.x509.X509CertPath;
+import gnu.java.security.x509.X509Certificate;
+
+import java.io.BufferedInputStream;
+import java.io.EOFException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.CRL;
+import java.security.cert.CRLException;
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactorySpi;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+public class X509CertificateFactory
+ extends CertificateFactorySpi
+{
+ public static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----";
+
+ public static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
+
+ public static final String BEGIN_X509_CRL = "-----BEGIN X509 CRL-----";
+
+ public static final String END_X509_CRL = "-----END X509 CRL-----";
+
+ public X509CertificateFactory()
+ {
+ super();
+ }
+
+ public Certificate engineGenerateCertificate(InputStream inStream)
+ throws CertificateException
+ {
+ try
+ {
+ return generateCert(inStream);
+ }
+ catch (IOException ioe)
+ {
+ CertificateException ce = new CertificateException(ioe.getMessage());
+ ce.initCause(ioe);
+ throw ce;
+ }
+ }
+
+ public Collection engineGenerateCertificates(InputStream inStream)
+ throws CertificateException
+ {
+ LinkedList certs = new LinkedList();
+ while (true)
+ {
+ try
+ {
+ certs.add(generateCert(inStream));
+ }
+ catch (EOFException eof)
+ {
+ break;
+ }
+ catch (IOException ioe)
+ {
+ CertificateException ce = new CertificateException(ioe.getMessage());
+ ce.initCause(ioe);
+ throw ce;
+ }
+ }
+ return certs;
+ }
+
+ public CRL engineGenerateCRL(InputStream inStream) throws CRLException
+ {
+ try
+ {
+ return generateCRL(inStream);
+ }
+ catch (IOException ioe)
+ {
+ CRLException crle = new CRLException(ioe.getMessage());
+ crle.initCause(ioe);
+ throw crle;
+ }
+ }
+
+ public Collection engineGenerateCRLs(InputStream inStream)
+ throws CRLException
+ {
+ LinkedList crls = new LinkedList();
+ while (true)
+ {
+ try
+ {
+ crls.add(generateCRL(inStream));
+ }
+ catch (EOFException eof)
+ {
+ break;
+ }
+ catch (IOException ioe)
+ {
+ CRLException crle = new CRLException(ioe.getMessage());
+ crle.initCause(ioe);
+ throw crle;
+ }
+ }
+ return crls;
+ }
+
+ public CertPath engineGenerateCertPath(List certs)
+ {
+ return new X509CertPath(certs);
+ }
+
+ public CertPath engineGenerateCertPath(InputStream in)
+ throws CertificateEncodingException
+ {
+ return new X509CertPath(in);
+ }
+
+ public CertPath engineGenerateCertPath(InputStream in, String encoding)
+ throws CertificateEncodingException
+ {
+ return new X509CertPath(in, encoding);
+ }
+
+ public Iterator engineGetCertPathEncodings()
+ {
+ return X509CertPath.ENCODINGS.iterator();
+ }
+
+ private X509Certificate generateCert(InputStream inStream)
+ throws IOException, CertificateException
+ {
+ if (inStream == null)
+ throw new CertificateException("missing input stream");
+ if (! inStream.markSupported())
+ inStream = new BufferedInputStream(inStream, 8192);
+ inStream.mark(20);
+ int i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ // If the input is in binary DER format, the first byte MUST be
+ // 0x30, which stands for the ASN.1 [UNIVERSAL 16], which is the
+ // UNIVERSAL SEQUENCE, with the CONSTRUCTED bit (0x20) set.
+ //
+ // So if we do not see 0x30 here we will assume it is in Base-64.
+ if (i != 0x30)
+ {
+ inStream.reset();
+ CPStringBuilder line = new CPStringBuilder(80);
+ do
+ {
+ line.setLength(0);
+ do
+ {
+ i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ if (i != '\n' && i != '\r')
+ line.append((char) i);
+ }
+ while (i != '\n' && i != '\r');
+ }
+ while (! line.toString().equals(BEGIN_CERTIFICATE));
+ X509Certificate ret = new X509Certificate(
+ new BufferedInputStream(new Base64InputStream(inStream), 8192));
+ line.setLength(0);
+ line.append('-'); // Base64InputStream will eat this.
+ do
+ {
+ i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ if (i != '\n' && i != '\r')
+ line.append((char) i);
+ }
+ while (i != '\n' && i != '\r');
+ // XXX ???
+ if (! line.toString().equals(END_CERTIFICATE))
+ throw new CertificateException("no end-of-certificate marker");
+ return ret;
+ }
+ else
+ {
+ inStream.reset();
+ return new X509Certificate(inStream);
+ }
+ }
+
+ private X509CRL generateCRL(InputStream inStream) throws IOException,
+ CRLException
+ {
+ if (inStream == null)
+ throw new CRLException("missing input stream");
+ if (! inStream.markSupported())
+ inStream = new BufferedInputStream(inStream, 8192);
+ inStream.mark(20);
+ int i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ // If the input is in binary DER format, the first byte MUST be
+ // 0x30, which stands for the ASN.1 [UNIVERSAL 16], which is the
+ // UNIVERSAL SEQUENCE, with the CONSTRUCTED bit (0x20) set.
+ //
+ // So if we do not see 0x30 here we will assume it is in Base-64.
+ if (i != 0x30)
+ {
+ inStream.reset();
+ CPStringBuilder line = new CPStringBuilder(80);
+ do
+ {
+ line.setLength(0);
+ do
+ {
+ i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ if (i != '\n' && i != '\r')
+ line.append((char) i);
+ }
+ while (i != '\n' && i != '\r');
+ }
+ while (! line.toString().startsWith(BEGIN_X509_CRL));
+ X509CRL ret = new X509CRL(
+ new BufferedInputStream(new Base64InputStream(inStream), 8192));
+ line.setLength(0);
+ line.append('-'); // Base64InputStream will eat this.
+ do
+ {
+ i = inStream.read();
+ if (i == -1)
+ throw new EOFException();
+ if (i != '\n' && i != '\r')
+ line.append((char) i);
+ }
+ while (i != '\n' && i != '\r');
+ // XXX ???
+ if (! line.toString().startsWith(END_X509_CRL))
+ throw new CRLException("no end-of-CRL marker");
+ return ret;
+ }
+ else
+ {
+ inStream.reset();
+ return new X509CRL(inStream);
+ }
+ }
+}
diff --git a/libjava/classpath/gnu/java/security/provider/package.html b/libjava/classpath/gnu/java/security/provider/package.html
new file mode 100644
index 000000000..641a22aff
--- /dev/null
+++ b/libjava/classpath/gnu/java/security/provider/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in gnu.java.security.provider package.
+ Copyright (C) 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - gnu.java.security.provider</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>