联系人列表为空,请先登录

  1. 查询
  2. 包列表
  3. 类列表
  4. 方法
  5. java.security.cert.X509CertSelector#setBasicConstraints()

java.security.cert.X509CertSelector#setBasicConstraints()源码实例Demo

下面列出了java.security.cert.X509CertSelector#setBasicConstraints() 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。

源代码1 项目: oxAuth   文件: PathCertificateVerifier.java 
/**
 * Attempts to build a certification chain for given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts)
		throws GeneralSecurityException {

	// Create the selector that specifies the starting certificate
	X509CertSelector selector = new X509CertSelector();
	selector.setBasicConstraints(-2);
	selector.setCertificate(certificate);

	// Create the trust anchors (set of root CA certificates)
	Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
	for (X509Certificate trustedRootCert : trustedRootCerts) {
		trustAnchors.add(new TrustAnchor(trustedRootCert, null));
	}

	// Configure the PKIX certificate builder algorithm parameters
	PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

	// Turn off default revocation-checking mechanism
	pkixParams.setRevocationEnabled(false);

	// Specify a list of intermediate certificates
	CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
	pkixParams.addCertStore(intermediateCertStore);

	// Build and verify the certification chain
	CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

	// Additional check to Verify cert path
	CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);

	return certPathBuilderResult;
}
源代码2 项目: jdk8u_jdk   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码3 项目: TencentKona-8   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码4 项目: openjdk-8   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码5 项目: jdk8u60   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码6 项目: openjdk-jdk8u   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码7 项目: openjdk-jdk8u   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码8 项目: jdk8u_jdk   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码9 项目: openjdk-jdk8u-backup   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码10 项目: openjdk-jdk9   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码11 项目: jdk8u-jdk   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码12 项目: jdk8u-jdk   文件: X509CertSelectorTest.java 
private void testBasicConstraints() {
    System.out.println("X.509 Certificate Match on basic constraints");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    int mpl = cert.getBasicConstraints();
    selector.setBasicConstraints(0);
    checkMatch(selector, cert, false);

    // good match
    selector.setBasicConstraints(mpl);
    checkMatch(selector, cert, true);
}
源代码13 项目: openjdk-8-source   文件: BuildEEBasicConstraints.java 
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
源代码14 项目: j2objc   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
源代码15 项目: jdk8u60   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
源代码16 项目: jdk8u-jdk   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
源代码17 项目: j2objc   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
源代码18 项目: openjdk-8-source   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
源代码19 项目: openjdk-8-source   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
源代码20 项目: openjdk-8   文件: ReverseBuilder.java 
private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 方法所在类
java.security.cert.X509CertSelector
 同类方法
setSerialNumber()
setSerialNumber()
setCertificate()
setSubject()
setBasicConstraints()
setPolicy()
setSubjectKeyIdentifier()
setIssuer()
setSubjectPublicKey()
setCertificateValid()
addSubjectAlternativeName()
setSubjectAlternativeNames()
setMatchAllSubjectAltNames()
setAuthorityKeyIdentifier()
match()
setNameConstraints()
setKeyUsage()
setPrivateKeyValid()