1212 * rights and limitations under the License.
1313 *
1414 * Copyright (C) 2006 Ola Bini <[email protected] > 15- *
15+ *
1616 * Alternatively, the contents of this file may be used under the terms of
1717 * either of the GNU General Public License Version 2 or later (the "GPL"),
1818 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
2727 ***** END LICENSE BLOCK *****/
2828package org .jruby .ext .openssl .x509store ;
2929
30-
3130import java .util .ArrayList ;
3231import java .util .List ;
3332
33+ import java .security .cert .CertificateException ;
34+
3435/**
3536 * c: X509_PURPOSE
3637 *
@@ -45,25 +46,23 @@ public class Purpose {
4546 "1.3.6.1.4.1.311.10.3.3" // Microsoft Server Gated Crypto
4647 };
4748
48- public static interface CheckPurposeFunction extends Function3 {
49- public static final CheckPurposeFunction EMPTY = new CheckPurposeFunction (){
50- public int call (Object arg0 , Object arg1 , Object arg2 ) {
51- return -1 ;
52- }
53- };
49+ static interface CheckPurposeFunction extends Function3 <Purpose , X509AuxCertificate , Integer > {
50+
51+ int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException ;
52+
5453 }
5554
5655 public int purpose ;
5756 public int trust ; /* Default trust ID */
5857 public int flags ;
59- public CheckPurposeFunction checkPurpose ;
58+ CheckPurposeFunction checkPurpose ;
6059 public String name ;
6160 public String sname ;
6261 public Object userData ;
6362
64- public Purpose () {}
63+ private Purpose () {}
6564
66- public Purpose (int p , int t , int f , CheckPurposeFunction cp , String n , String s , Object u ) {
65+ Purpose (int p , int t , int f , CheckPurposeFunction cp , String n , String s , Object u ) {
6766 this .purpose = p ; this .trust = t ;
6867 this .flags = f ; this .checkPurpose = cp ;
6968 this .name = n ; this .sname = s ;
@@ -73,16 +72,14 @@ public Purpose(int p, int t, int f, CheckPurposeFunction cp, String n, String s,
7372 /**
7473 * c: X509_check_purpose
7574 */
76- public static int checkPurpose (X509AuxCertificate x , int id , int ca ) throws Exception {
77- if (id == -1 ) {
78- return 1 ;
79- }
75+ public static int checkPurpose (X509AuxCertificate x , int id , int ca ) throws CertificateException {
76+ if ( id == -1 ) return 1 ;
77+
8078 int idx = getByID (id );
81- if (idx == -1 ) {
82- return -1 ;
83- }
79+ if ( idx == -1 ) return -1 ;
80+
8481 Purpose pt = getFirst (idx );
85- return pt .checkPurpose .call (pt ,x , new Integer (ca ));
82+ return pt .checkPurpose .call (pt , x , Integer . valueOf (ca ));
8683 }
8784
8885 /**
@@ -210,11 +207,11 @@ public String getSName() {
210207 public int getTrust () {
211208 return trust ;
212209 }
213-
210+
214211 /**
215212 * c: X509_check_ca
216213 */
217- public static int checkCA (X509AuxCertificate x ) throws Exception {
214+ public static int checkCA (X509AuxCertificate x ) throws CertificateException {
218215 if (x .getKeyUsage () != null && !x .getKeyUsage ()[5 ]) { // KEY_CERT_SIGN
219216 return 0 ;
220217 }
@@ -242,7 +239,7 @@ public static int checkCA(X509AuxCertificate x) throws Exception {
242239 /**
243240 * c: check_ssl_ca
244241 */
245- public static int checkSSLCA (X509AuxCertificate x ) throws Exception {
242+ public static int checkSSLCA (X509AuxCertificate x ) throws CertificateException {
246243 int ca_ret = checkCA (x );
247244 if (ca_ret == 0 ) {
248245 return 0 ;
@@ -258,11 +255,11 @@ public static int checkSSLCA(X509AuxCertificate x) throws Exception {
258255 /**
259256 * c: xku_reject: check if the cert must be rejected(true) or not
260257 */
261- public static boolean xkuReject (X509AuxCertificate x , String mustHaveXku ) throws Exception {
258+ public static boolean xkuReject (X509AuxCertificate x , String mustHaveXku ) throws CertificateException {
262259 List <String > xku = x .getExtendedKeyUsage ();
263260 return (xku != null ) && !xku .contains (mustHaveXku );
264261 }
265- public static boolean xkuReject (X509AuxCertificate x , String [] mustHaveOneOfXku ) throws Exception {
262+ public static boolean xkuReject (X509AuxCertificate x , String [] mustHaveOneOfXku ) throws CertificateException {
266263 List <String > xku = x .getExtendedKeyUsage ();
267264 if (xku == null ) {
268265 return false ;
@@ -278,15 +275,15 @@ public static boolean xkuReject(X509AuxCertificate x, String[] mustHaveOneOfXku)
278275 /**
279276 * c: ns_reject
280277 */
281- public static boolean nsReject (X509AuxCertificate x , int mustHaveCertType ) throws Exception {
278+ public static boolean nsReject (X509AuxCertificate x , int mustHaveCertType ) throws CertificateException {
282279 Integer nsCertType = x .getNsCertType ();
283280 return (nsCertType != null ) && (nsCertType & mustHaveCertType ) == 0 ;
284281 }
285282
286283 /**
287284 * c: purpose_smime
288285 */
289- public static int purposeSMIME (X509AuxCertificate x , int ca ) throws Exception {
286+ public static int purposeSMIME (X509AuxCertificate x , int ca ) throws CertificateException {
290287 if (xkuReject (x ,XKU_EMAIL_PROTECT )) {
291288 return 0 ; // must allow email protection
292289 }
@@ -319,158 +316,144 @@ public static int purposeSMIME(X509AuxCertificate x, int ca) throws Exception {
319316 /**
320317 * c: check_purpose_ssl_client
321318 */
322- public final static CheckPurposeFunction checkPurposeSSLClient = new CheckPurposeFunction () {
323- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
324- X509AuxCertificate x = (X509AuxCertificate )_x ;
325- if (xkuReject (x , XKU_SSL_CLIENT )) {
326- return 0 ;
327- }
328- int ca = ((Integer )_ca ).intValue ();
329- if (ca != 0 ) {
330- return checkSSLCA (x );
331- }
332- if (x .getKeyUsage () != null && !x .getKeyUsage ()[0 ]) {
333- return 0 ;
334- }
335- if (nsReject (x , X509Utils .NS_SSL_CLIENT )) {
336- // when the cert has nsCertType, it must include NS_SSL_CLIENT
337- return 0 ;
338- }
339- return 1 ;
319+ final static CheckPurposeFunction checkPurposeSSLClient = new CheckPurposeFunction () {
320+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
321+ if ( xkuReject (x , XKU_SSL_CLIENT ) ) {
322+ return 0 ;
340323 }
341- };
324+ if (ca .intValue () != 0 ) {
325+ return checkSSLCA (x );
326+ }
327+ if ( x .getKeyUsage () != null && ! x .getKeyUsage ()[0 ] ) {
328+ return 0 ;
329+ }
330+ if ( nsReject (x , X509Utils .NS_SSL_CLIENT ) ) {
331+ // when the cert has nsCertType, it must include NS_SSL_CLIENT
332+ return 0 ;
333+ }
334+ return 1 ;
335+ }
336+ };
342337
343338 /**
344339 * c: check_purpose_ssl_server
345340 */
346- public final static CheckPurposeFunction checkPurposeSSLServer = new CheckPurposeFunction () {
347- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
348- X509AuxCertificate x = (X509AuxCertificate )_x ;
349- int ca = ((Integer )_ca ).intValue ();
350- if (xkuReject (x , XKU_SSL_SERVER )) {
351- return 0 ;
352- }
353- if (ca != 0 ) {
354- return checkSSLCA (x );
355- }
356- if (nsReject (x , X509Utils .NS_SSL_SERVER )) {
357- // when the cert has nsCertType, it must include NS_SSL_SERVER
358- return 0 ;
359- }
360- /* Now as for keyUsage: we'll at least need to sign OR encipher */
361- if (x .getKeyUsage () != null && !(x .getKeyUsage ()[0 ] || x .getKeyUsage ()[2 ])) {
362- return 0 ;
363- }
364- return 1 ;
341+ final static CheckPurposeFunction checkPurposeSSLServer = new CheckPurposeFunction () {
342+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
343+ if ( xkuReject (x , XKU_SSL_SERVER ) ) {
344+ return 0 ;
345+ }
346+ if ( ca .intValue () != 0 ) {
347+ return checkSSLCA (x );
348+ }
349+ if ( nsReject (x , X509Utils .NS_SSL_SERVER ) ) {
350+ // when the cert has nsCertType, it must include NS_SSL_SERVER
351+ return 0 ;
365352 }
366- };
353+ /* Now as for keyUsage: we'll at least need to sign OR encipher */
354+ if ( x .getKeyUsage () != null && ! ( x .getKeyUsage ()[0 ] || x .getKeyUsage ()[2 ] ) ) {
355+ return 0 ;
356+ }
357+ return 1 ;
358+ }
359+ };
367360
368361 /**
369362 * c: check_purpose_ns_ssl_server
370363 */
371- public final static CheckPurposeFunction checkPurposeNSSSLServer = new CheckPurposeFunction () {
372- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
373- Purpose xp = (Purpose )_xp ;
374- X509AuxCertificate x = (X509AuxCertificate )_x ;
375- int ca = ((Integer )_ca ).intValue ();
376- int ret = checkPurposeSSLServer .call (xp ,x ,_ca );
377- if (ret == 0 || ca != 0 ) {
378- return ret ;
379- }
380- if (x .getKeyUsage () != null && !x .getKeyUsage ()[2 ]) {
381- return 0 ;
382- }
383- return 1 ;
364+ final static CheckPurposeFunction checkPurposeNSSSLServer = new CheckPurposeFunction () {
365+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
366+ int ret = checkPurposeSSLServer .call (purpose , x , ca );
367+ if ( ret == 0 || ca != 0 ) {
368+ return ret ;
369+ }
370+ if ( x .getKeyUsage () != null && ! x .getKeyUsage ()[2 ] ) {
371+ return 0 ;
384372 }
385- };
373+ return 1 ;
374+ }
375+ };
386376
387377 /**
388378 * c: check_purpose_smime_sign
389379 */
390- public final static CheckPurposeFunction checkPurposeSMIMESign = new CheckPurposeFunction () {
391- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
392- X509AuxCertificate x = (X509AuxCertificate )_x ;
393- int ca = ((Integer )_ca ).intValue ();
394- int ret = purposeSMIME (x ,ca );
395- if (ret == 0 || ca != 0 ) {
396- return ret ;
397- }
398- if (x .getKeyUsage () != null && (!x .getKeyUsage ()[0 ] || !x .getKeyUsage ()[1 ])) {
399- return 0 ;
400- }
380+ final static CheckPurposeFunction checkPurposeSMIMESign = new CheckPurposeFunction () {
381+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
382+ int ret = purposeSMIME (x , ca );
383+ if ( ret == 0 || ca != 0 ) {
401384 return ret ;
402385 }
403- };
386+ if ( x .getKeyUsage () != null && ( ! x .getKeyUsage ()[0 ] || ! x .getKeyUsage ()[1 ] ) ) {
387+ return 0 ;
388+ }
389+ return ret ;
390+ }
391+ };
404392
405393 /**
406394 * c: check_purpose_smime_encrypt
407395 */
408- public final static CheckPurposeFunction checkPurposeSMIMEEncrypt = new CheckPurposeFunction () {
409- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
410- X509AuxCertificate x = (X509AuxCertificate )_x ;
411- int ca = ((Integer )_ca ).intValue ();
412- int ret = purposeSMIME (x ,ca );
413- if (ret == 0 || ca != 0 ) {
414- return ret ;
415- }
416- if (x .getKeyUsage () != null && !x .getKeyUsage ()[2 ]) {
417- return 0 ;
418- }
396+ final static CheckPurposeFunction checkPurposeSMIMEEncrypt = new CheckPurposeFunction () {
397+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
398+ int ret = purposeSMIME (x ,ca );
399+ if ( ret == 0 || ca != 0 ) {
419400 return ret ;
420401 }
421- };
402+ if ( x .getKeyUsage () != null && ! x .getKeyUsage ()[2 ] ) {
403+ return 0 ;
404+ }
405+ return ret ;
406+ }
407+ };
422408
423409 /**
424410 * c: check_purpose_crl_sign
425411 */
426- public final static CheckPurposeFunction checkPurposeCRLSign = new CheckPurposeFunction () {
427- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
428- X509AuxCertificate x = (X509AuxCertificate )_x ;
429- int ca = ((Integer )_ca ).intValue ();
430-
431- if (ca != 0 ) {
432- int ca_ret = checkCA (x );
433- if (ca_ret != 2 ) {
434- return ca_ret ;
435- }
436- return 0 ;
437- }
438- if (x .getKeyUsage () != null && !x .getKeyUsage ()[6 ]) {
439- return 0 ;
412+ final static CheckPurposeFunction checkPurposeCRLSign = new CheckPurposeFunction () {
413+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
414+ if ( ca .intValue () != 0 ) {
415+ int ca_ret = checkCA (x );
416+ if ( ca_ret != 2 ) {
417+ return ca_ret ;
440418 }
441- return 1 ;
419+ return 0 ;
420+ }
421+ if ( x .getKeyUsage () != null && ! x .getKeyUsage ()[6 ] ) {
422+ return 0 ;
442423 }
443- };
424+ return 1 ;
425+ }
426+ };
444427
445428 /**
446429 * c: no_check
447430 */
448- public final static CheckPurposeFunction noCheck = new CheckPurposeFunction () {
449- public int call (Object _xp , Object _x , Object _ca ) {
450- return 1 ;
451- }
452- };
431+ final static CheckPurposeFunction noCheck = new CheckPurposeFunction () {
432+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
433+ return 1 ;
434+ }
435+ };
453436
454437 /**
455438 * c: ocsp_helper
456439 */
457- public final static CheckPurposeFunction oscpHelper = new CheckPurposeFunction () {
458- public int call (Object _xp , Object _x , Object _ca ) throws Exception {
459- if (((Integer )_ca ).intValue () != 0 ) {
460- return checkCA ((X509AuxCertificate )_x );
461- }
462- return 1 ;
440+ final static CheckPurposeFunction oscpHelper = new CheckPurposeFunction () {
441+ public int call (Purpose purpose , X509AuxCertificate x , Integer ca ) throws CertificateException {
442+ if ( ca .intValue () != 0 ) {
443+ return checkCA (x );
463444 }
464- };
465-
466- public final static Purpose [] xstandard = new Purpose [] {
467- new Purpose (X509Utils .X509_PURPOSE_SSL_CLIENT , X509Utils .X509_TRUST_SSL_CLIENT , 0 , checkPurposeSSLClient , "SSL client" , "sslclient" , null ),
468- new Purpose (X509Utils .X509_PURPOSE_SSL_SERVER , X509Utils .X509_TRUST_SSL_SERVER , 0 , checkPurposeSSLServer , "SSL server" , "sslserver" , null ),
469- new Purpose (X509Utils .X509_PURPOSE_NS_SSL_SERVER , X509Utils .X509_TRUST_SSL_SERVER , 0 , checkPurposeNSSSLServer , "Netscape SSL server" , "nssslserver" , null ),
470- new Purpose (X509Utils .X509_PURPOSE_SMIME_SIGN , X509Utils .X509_TRUST_EMAIL , 0 , checkPurposeSMIMESign , "S/MIME signing" , "smimesign" , null ),
471- new Purpose (X509Utils .X509_PURPOSE_SMIME_ENCRYPT , X509Utils .X509_TRUST_EMAIL , 0 , checkPurposeSMIMEEncrypt , "S/MIME encryption" , "smimeencrypt" , null ),
472- new Purpose (X509Utils .X509_PURPOSE_CRL_SIGN , X509Utils .X509_TRUST_COMPAT , 0 , checkPurposeCRLSign , "CRL signing" , "crlsign" , null ),
473- new Purpose (X509Utils .X509_PURPOSE_ANY , X509Utils .X509_TRUST_DEFAULT , 0 , noCheck , "Any Purpose" , "any" , null ),
474- new Purpose (X509Utils .X509_PURPOSE_OCSP_HELPER , X509Utils .X509_TRUST_COMPAT , 0 , oscpHelper , "OCSP helper" , "ocsphelper" , null ),
445+ return 1 ;
446+ }
447+ };
448+
449+ private final static Purpose [] xstandard = new Purpose [] {
450+ new Purpose (X509Utils .X509_PURPOSE_SSL_CLIENT , X509Utils .X509_TRUST_SSL_CLIENT , 0 , checkPurposeSSLClient , "SSL client" , "sslclient" , null ),
451+ new Purpose (X509Utils .X509_PURPOSE_SSL_SERVER , X509Utils .X509_TRUST_SSL_SERVER , 0 , checkPurposeSSLServer , "SSL server" , "sslserver" , null ),
452+ new Purpose (X509Utils .X509_PURPOSE_NS_SSL_SERVER , X509Utils .X509_TRUST_SSL_SERVER , 0 , checkPurposeNSSSLServer , "Netscape SSL server" , "nssslserver" , null ),
453+ new Purpose (X509Utils .X509_PURPOSE_SMIME_SIGN , X509Utils .X509_TRUST_EMAIL , 0 , checkPurposeSMIMESign , "S/MIME signing" , "smimesign" , null ),
454+ new Purpose (X509Utils .X509_PURPOSE_SMIME_ENCRYPT , X509Utils .X509_TRUST_EMAIL , 0 , checkPurposeSMIMEEncrypt , "S/MIME encryption" , "smimeencrypt" , null ),
455+ new Purpose (X509Utils .X509_PURPOSE_CRL_SIGN , X509Utils .X509_TRUST_COMPAT , 0 , checkPurposeCRLSign , "CRL signing" , "crlsign" , null ),
456+ new Purpose (X509Utils .X509_PURPOSE_ANY , X509Utils .X509_TRUST_DEFAULT , 0 , noCheck , "Any Purpose" , "any" , null ),
457+ new Purpose (X509Utils .X509_PURPOSE_OCSP_HELPER , X509Utils .X509_TRUST_COMPAT , 0 , oscpHelper , "OCSP helper" , "ocsphelper" , null ),
475458 };
476459}// X509_PURPOSE
0 commit comments