
/android/upstream/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java

https://bitbucket.org/festevezga/xobotos
  1. package org.bouncycastle.jce.provider;
  2. // BEGIN android-added
  3. import java.math.BigInteger;
  4. // END android-added
  5. import java.security.InvalidAlgorithmParameterException;
  6. import java.security.PublicKey;
  7. import java.security.cert.CertPath;
  8. import java.security.cert.CertPathParameters;
  9. import java.security.cert.CertPathValidatorException;
  10. import java.security.cert.CertPathValidatorResult;
  11. import java.security.cert.CertPathValidatorSpi;
  12. import java.security.cert.PKIXCertPathChecker;
  13. import java.security.cert.PKIXCertPathValidatorResult;
  14. import java.security.cert.PKIXParameters;
  15. import java.security.cert.TrustAnchor;
  16. import java.security.cert.X509Certificate;
  17. import java.util.ArrayList;
  18. import java.util.Arrays;
  19. import java.util.HashSet;
  20. import java.util.Iterator;
  21. import java.util.List;
  22. import java.util.Set;
  23. import javax.security.auth.x500.X500Principal;
  24. import org.bouncycastle.asn1.DEREncodable;
  25. import org.bouncycastle.asn1.DERObjectIdentifier;
  26. import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
  27. // BEGIN android-added
  28. import org.bouncycastle.crypto.Digest;
  29. import org.bouncycastle.crypto.digests.OpenSSLDigest;
  30. // END android-added
  31. import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
  32. import org.bouncycastle.x509.ExtendedPKIXParameters;
/**
 * CertPathValidatorSpi implementation for X.509 Certificate validation à la RFC
 * 3280.
 */
public class PKIXCertPathValidatorSpi
    extends CertPathValidatorSpi
{
    // BEGIN android-added
    // From http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=78748&view=markup
    //
    // Serial numbers of certificates that engineValidate() rejects before any RFC 3280
    // processing takes place. Only the end-entity certificate (index 0 of the path) is
    // compared against this set.
    // NOTE(review): a serial number is only unique within one issuer and this set is not
    // tied to an issuer, so a match here is by serial value alone.
    private static final Set<BigInteger> SERIAL_BLACKLIST = new HashSet<BigInteger>(Arrays.asList(
        // Not a real certificate. For testing only.
        new BigInteger(1, new byte[] {(byte)0x07,(byte)0x7a,(byte)0x59,(byte)0xbc,(byte)0xd5,(byte)0x34,(byte)0x59,(byte)0x60,(byte)0x1c,(byte)0xa6,(byte)0x90,(byte)0x72,(byte)0x67,(byte)0xa6,(byte)0xdd,(byte)0x1c}),
        new BigInteger(1, new byte[] {(byte)0x04,(byte)0x7e,(byte)0xcb,(byte)0xe9,(byte)0xfc,(byte)0xa5,(byte)0x5f,(byte)0x7b,(byte)0xd0,(byte)0x9e,(byte)0xae,(byte)0x36,(byte)0xe1,(byte)0x0c,(byte)0xae,(byte)0x1e}),
        new BigInteger(1, new byte[] {(byte)0xd8,(byte)0xf3,(byte)0x5f,(byte)0x4e,(byte)0xb7,(byte)0x87,(byte)0x2b,(byte)0x2d,(byte)0xab,(byte)0x06,(byte)0x92,(byte)0xe3,(byte)0x15,(byte)0x38,(byte)0x2f,(byte)0xb0}),
        new BigInteger(1, new byte[] {(byte)0xb0,(byte)0xb7,(byte)0x13,(byte)0x3e,(byte)0xd0,(byte)0x96,(byte)0xf9,(byte)0xb5,(byte)0x6f,(byte)0xae,(byte)0x91,(byte)0xc8,(byte)0x74,(byte)0xbd,(byte)0x3a,(byte)0xc0}),
        new BigInteger(1, new byte[] {(byte)0x92,(byte)0x39,(byte)0xd5,(byte)0x34,(byte)0x8f,(byte)0x40,(byte)0xd1,(byte)0x69,(byte)0x5a,(byte)0x74,(byte)0x54,(byte)0x70,(byte)0xe1,(byte)0xf2,(byte)0x3f,(byte)0x43}),
        new BigInteger(1, new byte[] {(byte)0xe9,(byte)0x02,(byte)0x8b,(byte)0x95,(byte)0x78,(byte)0xe4,(byte)0x15,(byte)0xdc,(byte)0x1a,(byte)0x71,(byte)0x0a,(byte)0x2b,(byte)0x88,(byte)0x15,(byte)0x44,(byte)0x47}),
        new BigInteger(1, new byte[] {(byte)0xd7,(byte)0x55,(byte)0x8f,(byte)0xda,(byte)0xf5,(byte)0xf1,(byte)0x10,(byte)0x5b,(byte)0xb2,(byte)0x13,(byte)0x28,(byte)0x2b,(byte)0x70,(byte)0x77,(byte)0x29,(byte)0xa3}),
        new BigInteger(1, new byte[] {(byte)0xf5,(byte)0xc8,(byte)0x6a,(byte)0xf3,(byte)0x61,(byte)0x62,(byte)0xf1,(byte)0x3a,(byte)0x64,(byte)0xf5,(byte)0x4f,(byte)0x6d,(byte)0xc9,(byte)0x58,(byte)0x7c,(byte)0x06}),
        new BigInteger(1, new byte[] {(byte)0x39,(byte)0x2a,(byte)0x43,(byte)0x4f,(byte)0x0e,(byte)0x07,(byte)0xdf,(byte)0x1f,(byte)0x8a,(byte)0xa3,(byte)0x05,(byte)0xde,(byte)0x34,(byte)0xe0,(byte)0xc2,(byte)0x29}),
        new BigInteger(1, new byte[] {(byte)0x3e,(byte)0x75,(byte)0xce,(byte)0xd4,(byte)0x6b,(byte)0x69,(byte)0x30,(byte)0x21,(byte)0x21,(byte)0x88,(byte)0x30,(byte)0xae,(byte)0x86,(byte)0xa8,(byte)0x2a,(byte)0x71})
    ));

    // From http://src.chromium.org/viewvc/chrome/branches/782/src/net/base/x509_certificate.cc?r1=98750&r2=98749&pathrev=98750
    //
    // SHA-1 digests of the encoding returned by PublicKey.getEncoded() for CA keys that
    // must never be accepted as a signing key in a path. engineValidate() checks the
    // working public key (the trust anchor's key, then each CA key in turn) against
    // this list before the certificate it signed is processed.
    private static final byte[][] PUBLIC_KEY_SHA1_BLACKLIST = {
        // C=NL, O=DigiNotar, CN=DigiNotar Root CA/emailAddress=info@diginotar.nl
        {(byte)0x41, (byte)0x0f, (byte)0x36, (byte)0x36, (byte)0x32, (byte)0x58, (byte)0xf3, (byte)0x0b, (byte)0x34, (byte)0x7d,
         (byte)0x12, (byte)0xce, (byte)0x48, (byte)0x63, (byte)0xe4, (byte)0x33, (byte)0x43, (byte)0x78, (byte)0x06, (byte)0xa8},
        // Subject: CN=DigiNotar Cyber CA
        // Issuer: CN=GTE CyberTrust Global Root
        {(byte)0xba, (byte)0x3e, (byte)0x7b, (byte)0xd3, (byte)0x8c, (byte)0xd7, (byte)0xe1, (byte)0xe6, (byte)0xb9, (byte)0xcd,
         (byte)0x4c, (byte)0x21, (byte)0x99, (byte)0x62, (byte)0xe5, (byte)0x9d, (byte)0x7a, (byte)0x2f, (byte)0x4e, (byte)0x37},
        // Subject: CN=DigiNotar Services 1024 CA
        // Issuer: CN=Entrust.net
        {(byte)0xe2, (byte)0x3b, (byte)0x8d, (byte)0x10, (byte)0x5f, (byte)0x87, (byte)0x71, (byte)0x0a, (byte)0x68, (byte)0xd9,
         (byte)0x24, (byte)0x80, (byte)0x50, (byte)0xeb, (byte)0xef, (byte)0xc6, (byte)0x27, (byte)0xbe, (byte)0x4c, (byte)0xa6},
        // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2
        // Issuer: CN=Staat der Nederlanden Organisatie CA - G2
        {(byte)0x7b, (byte)0x2e, (byte)0x16, (byte)0xbc, (byte)0x39, (byte)0xbc, (byte)0xd7, (byte)0x2b, (byte)0x45, (byte)0x6e,
         (byte)0x9f, (byte)0x05, (byte)0x5d, (byte)0x1d, (byte)0xe6, (byte)0x15, (byte)0xb7, (byte)0x49, (byte)0x45, (byte)0xdb},
        // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
        // Issuer: CN=Staat der Nederlanden Overheid CA
        {(byte)0xe8, (byte)0xf9, (byte)0x12, (byte)0x00, (byte)0xc6, (byte)0x5c, (byte)0xee, (byte)0x16, (byte)0xe0, (byte)0x39,
         (byte)0xb9, (byte)0xf8, (byte)0x83, (byte)0x84, (byte)0x16, (byte)0x61, (byte)0x63, (byte)0x5f, (byte)0x81, (byte)0xc5},
    };

    /**
     * Returns {@code true} if the SHA-1 digest of {@code publicKey.getEncoded()} equals
     * one of the entries in {@link #PUBLIC_KEY_SHA1_BLACKLIST}.
     *
     * @param publicKey the key to check; must not be {@code null}
     * @return whether the key's encoding hashes to a blacklisted value
     */
    private static boolean isPublicKeyBlackListed(PublicKey publicKey) {
        // getEncoded() may return null for a key without a supported encoding; that
        // would throw NullPointerException on the next line. Presumably never the case
        // for keys taken from an X.509 path - TODO confirm.
        byte[] encoded = publicKey.getEncoded();
        Digest digest = new OpenSSLDigest.SHA1();
        digest.update(encoded, 0, encoded.length);
        byte[] out = new byte[digest.getDigestSize()];
        digest.doFinal(out, 0);
        // The digests are public values, so a plain comparison is sufficient here.
        for (byte[] sha1 : PUBLIC_KEY_SHA1_BLACKLIST) {
            if (Arrays.equals(out, sha1)) {
                return true;
            }
        }
        return false;
    }
    // END android-added

    /**
     * Validates {@code certPath} following the basic path validation algorithm of
     * RFC 3280 section 6.1, with the Android-added serial number and public key
     * blacklists applied on top of it.
     * <p>
     * The path is expected in the usual X.509 order: index 0 is the end-entity
     * (target) certificate, the last element is the certificate issued by the trust
     * anchor. Processing runs from the last element down to index 0.
     *
     * @param certPath the certification path to validate
     * @param params   must be a {@link PKIXParameters}; an {@link ExtendedPKIXParameters}
     *                 is used directly, anything else is wrapped via
     *                 {@code ExtendedPKIXParameters.getInstance}
     * @return a {@link PKIXCertPathValidatorResult} holding the matched trust anchor,
     *         the valid policy tree intersection (may be {@code null}) and the public
     *         key of the end-entity certificate
     * @throws InvalidAlgorithmParameterException if {@code params} is not a
     *         {@code PKIXParameters} or has no trust anchors
     * @throws CertPathValidatorException if the path is empty, a blacklist matches, no
     *         trust anchor is found, or any RFC 3280 processing step fails; the index
     *         of the offending certificate is carried in the exception where known
     */
    public CertPathValidatorResult engineValidate(
        CertPath certPath,
        CertPathParameters params)
        throws CertPathValidatorException,
        InvalidAlgorithmParameterException
    {
        if (!(params instanceof PKIXParameters))
        {
            throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName()
                + " instance.");
        }

        ExtendedPKIXParameters paramsPKIX;
        if (params instanceof ExtendedPKIXParameters)
        {
            paramsPKIX = (ExtendedPKIXParameters)params;
        }
        else
        {
            paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters)params);
        }
        if (paramsPKIX.getTrustAnchors() == null)
        {
            throw new InvalidAlgorithmParameterException(
                "trustAnchors is null, this is not allowed for certification path validation.");
        }

        //
        // 6.1.1 - inputs
        //

        //
        // (a)
        //
        List certs = certPath.getCertificates();
        int n = certs.size();

        if (certs.isEmpty())
        {
            throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
        }

        // BEGIN android-added
        // Reject a blacklisted end-entity certificate up front, before any signature
        // or policy processing. Only index 0 is checked; intermediates are covered by
        // the public key blacklist in the main loop below, not by serial number.
        {
            X509Certificate cert = (X509Certificate) certs.get(0);

            if (cert != null) {
                BigInteger serial = cert.getSerialNumber();
                if (serial != null && SERIAL_BLACKLIST.contains(serial)) {
                    // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                    String message = "Certificate revocation of serial 0x" + serial.toString(16);
                    // NOTE(review): writes to stdout from library code; the same text is
                    // carried in the exception thrown just below.
                    System.out.println(message);
                    AnnotatedException e = new AnnotatedException(message);
                    throw new CertPathValidatorException(e.getMessage(), e, certPath, 0);
                }
            }
        }
        // END android-added

        //
        // (b) - the validation date is read from paramsPKIX by the utilities as needed.
        //

        //
        // (c)
        //
        Set userInitialPolicySet = paramsPKIX.getInitialPolicies();

        //
        // (d)
        //
        // The trust anchor is looked up for the last certificate in the path (the one
        // closest to the anchor). The anchor lookup is reported at that index.
        TrustAnchor trust;
        try
        {
            trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1),
                paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider());
        }
        catch (AnnotatedException e)
        {
            throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1);
        }

        if (trust == null)
        {
            throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
        }

        //
        // (e), (f), (g) are part of the paramsPKIX object.
        //
        Iterator certIter;   // only used to walk the PKIXCertPathChecker list below
        int index = 0;       // position in certs of the certificate being processed
        int i;               // 1-based step counter as in RFC 3280: i = n - index

        //
        // 6.1.2 - setup
        //

        //
        // (a)
        //
        // policyNodes[depth] holds the PKIXPolicyNode objects at that depth of the valid
        // policy tree; depth 0 is the anyPolicy root created here.
        List[] policyNodes = new ArrayList[n + 1];
        for (int j = 0; j < policyNodes.length; j++)
        {
            policyNodes[j] = new ArrayList();
        }

        Set policySet = new HashSet();

        policySet.add(RFC3280CertPathUtilities.ANY_POLICY);

        PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(),
            RFC3280CertPathUtilities.ANY_POLICY, false);

        policyNodes[0].add(validPolicyTree);

        //
        // (b) and (c)
        //
        PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();

        // (d)
        //
        // explicit_policy: 0 forces a policy to be present on the final certificate;
        // n + 1 means "never reached" for a path of n certificates.
        int explicitPolicy;
        Set acceptablePolicies = new HashSet();

        if (paramsPKIX.isExplicitPolicyRequired())
        {
            explicitPolicy = 0;
        }
        else
        {
            explicitPolicy = n + 1;
        }

        //
        // (e)
        //
        // inhibit_anyPolicy, same 0 / n + 1 convention as above.
        int inhibitAnyPolicy;

        if (paramsPKIX.isAnyPolicyInhibited())
        {
            inhibitAnyPolicy = 0;
        }
        else
        {
            inhibitAnyPolicy = n + 1;
        }

        //
        // (f)
        //
        // policy_mapping, same 0 / n + 1 convention as above.
        int policyMapping;

        if (paramsPKIX.isPolicyMappingInhibited())
        {
            policyMapping = 0;
        }
        else
        {
            policyMapping = n + 1;
        }

        //
        // (g), (h), (i), (j)
        //
        // The working issuer name and key start from the trust anchor: either its
        // trusted certificate or, failing that, its CA name and CA public key.
        PublicKey workingPublicKey;
        X500Principal workingIssuerName;

        X509Certificate sign = trust.getTrustedCert();
        try
        {
            if (sign != null)
            {
                workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
                workingPublicKey = sign.getPublicKey();
            }
            else
            {
                workingIssuerName = new X500Principal(trust.getCAName());
                workingPublicKey = trust.getCAPublicKey();
            }
        }
        catch (IllegalArgumentException ex)
        {
            throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath,
                -1);
        }

        AlgorithmIdentifier workingAlgId = null;
        try
        {
            workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
        }
        catch (CertPathValidatorException e)
        {
            throw new ExtCertPathValidatorException(
                "Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
        }
        // Tracked per RFC 3280 6.1.2 (g)-(j); neither value is read again in this method,
        // only reassigned at the end of each loop iteration.
        DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId();
        DEREncodable workingPublicKeyParameters = workingAlgId.getParameters();

        //
        // (k)
        //
        int maxPathLength = n;

        //
        // 6.1.3
        //

        if (paramsPKIX.getTargetConstraints() != null
            && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0)))
        {
            throw new ExtCertPathValidatorException(
                "Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
        }

        //
        // initialize CertPathChecker's
        //
        // init(false) selects forward-checking order (anchor towards end-entity),
        // matching the loop direction below.
        List pathCheckers = paramsPKIX.getCertPathCheckers();
        certIter = pathCheckers.iterator();
        while (certIter.hasNext())
        {
            ((PKIXCertPathChecker) certIter.next()).init(false);
        }

        X509Certificate cert = null;

        // Walk from the certificate nearest the trust anchor down to the end-entity.
        for (index = certs.size() - 1; index >= 0; index--)
        {
            // BEGIN android-added
            // workingPublicKey is the key that signed certs[index]: the trust anchor's
            // key on the first pass, then the key of the previously processed CA. The
            // end-entity's own key is never the working key, so it is not checked here.
            if (isPublicKeyBlackListed(workingPublicKey)) {
                // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                String message = "Certificate revocation of public key " + workingPublicKey;
                // NOTE(review): writes to stdout from library code; the same text is
                // carried in the exception thrown just below.
                System.out.println(message);
                AnnotatedException e = new AnnotatedException(message);
                throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
            }
            // END android-added

            //
            // i as defined in the algorithm description
            //
            i = n - index;

            //
            // set certificate to be checked in this round
            // sign and workingPublicKey and workingIssuerName are set
            // at the end of the for loop and initialized the
            // first time from the TrustAnchor
            //
            cert = (X509Certificate) certs.get(index);
            // The topmost certificate's signature is skipped by processCertA; presumably
            // findTrustAnchor has already verified it against the anchor - TODO confirm
            // in CertPathValidatorUtilities.
            boolean verificationAlreadyPerformed = (index == certs.size() - 1);

            //
            // 6.1.3
            //

            RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey,
                verificationAlreadyPerformed, workingIssuerName, sign);

            RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator);

            validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies,
                validPolicyTree, policyNodes, inhibitAnyPolicy);

            validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree);

            RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy);

            //
            // 6.1.4 - preparation for the next certificate; skipped for the last
            // (end-entity) certificate, i.e. when i == n.
            //

            if (i != n)
            {
                if (cert != null && cert.getVersion() == 1)
                {
                    throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null,
                        certPath, index);
                }

                RFC3280CertPathUtilities.prepareNextCertA(certPath, index);

                validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree,
                    policyMapping);

                RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator);

                // (h)
                explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy);
                policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping);
                inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy);

                //
                // (i)
                //
                explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy);
                policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping);

                // (j)
                inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy);

                // (k)
                RFC3280CertPathUtilities.prepareNextCertK(certPath, index);

                // (l)
                maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength);

                // (m)
                maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength);

                // (n)
                RFC3280CertPathUtilities.prepareNextCertN(certPath, index);

                // Critical extensions not consumed by the steps above are handed to the
                // PKIXCertPathCheckers in (o); the copy keeps the certificate's own set
                // untouched.
                Set criticalExtensions = cert.getCriticalExtensionOIDs();
                if (criticalExtensions != null)
                {
                    criticalExtensions = new HashSet(criticalExtensions);

                    // these extensions are handled by the algorithm
                    criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
                    criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                    criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
                    criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
                    criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
                    criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
                    criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
                    criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
                    criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
                    criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
                }
                else
                {
                    criticalExtensions = new HashSet();
                }

                // (o)
                RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers);

                // set signing certificate for next round
                sign = cert;

                // (c)
                workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);

                // (d)
                try
                {
                    workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index);
                }
                catch (CertPathValidatorException e)
                {
                    throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
                }

                workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
                // (f)
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                // (e)
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
        }

        //
        // 6.1.5 Wrap-up procedure
        //
        // After the loop index is -1, so index + 1 == 0 addresses the end-entity
        // certificate, which is also the value left in cert.

        explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert);

        explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy);

        //
        // (c) (d) and (e) are already done
        //

        //
        // (f)
        //
        // Same as in the loop, plus CRL_DISTRIBUTION_POINTS, which the wrap-up
        // treats as handled.
        Set criticalExtensions = cert.getCriticalExtensionOIDs();

        if (criticalExtensions != null)
        {
            criticalExtensions = new HashSet(criticalExtensions);
            // these extensions are handled by the algorithm
            criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
            criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
            criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
            criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
            criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
            criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
            criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
            criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
            criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
            criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
            criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS);
        }
        else
        {
            criticalExtensions = new HashSet();
        }

        RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);

        PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet,
            index + 1, policyNodes, validPolicyTree, acceptablePolicies);

        // Success requires either that no explicit policy was demanded (explicitPolicy
        // still > 0) or that a non-empty policy intersection survived.
        if ((explicitPolicy > 0) || (intersection != null))
        {
            return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey());
        }

        throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index);
    }
}