
Lines Matching refs:cert

32 import java.security.cert.CertificateException;
33 import java.security.cert.CertPathValidatorException;
34 import java.security.cert.PKIXReason;
35 import java.security.cert.CertStore;
36 import java.security.cert.CertStoreException;
37 import java.security.cert.PKIXBuilderParameters;
38 import java.security.cert.PKIXCertPathChecker;
39 import java.security.cert.TrustAnchor;
40 import java.security.cert.X509Certificate;
41 import java.security.cert.X509CertSelector;
121 * As each cert is added, it is sorted based on the PKIXCertComparator
125 new PKIXCertComparator(trustedSubjectDNs, currState.cert);
155 * First, retrieve clone of current target cert constraints,
205 // no need to continue: this means we never can match a CA cert
256 * Match on subject (issuer of previous cert)
262 * (checks that current cert's name constraints permit it
271 caSelector.setValidityPeriod(currentState.cert.getNotBefore(),
272 currentState.cert.getNotAfter());
336 currentState.cert.getAuthorityInfoAccessExtension();
398 * Preference order for current cert:
505 /* If one cert's issuer matches a trusted subject, then it is
526 /* If one cert's issuer is a naming descendant of a trusted subject,
557 /* If one cert's issuer is a naming ancestor of a trusted subject,
589 /* If one cert's issuer is in the same namespace as a trusted
629 /* If one cert's issuer is an ancestor of that cert's subject,
633 debug.println(METHOD_NME+" CERT ISSUER/SUBJECT COMPARISON TEST...");
679 * signature and revocation status of the previous cert.
684 * regardless of whether the last cert is an end-entity
685 * cert or not. This allows callers to certify CA certs as
688 * @param cert the certificate to be verified
689 * @param currentState the current state against which the cert is verified
693 void verifyCert(X509Certificate cert, State currentState,
699 + Debug.toHexString(cert.getSerialNumber())
700 + "\n Issuer: " + cert.getIssuerX500Principal() + ")"
701 + "\n Subject: " + cert.getSubjectX500Principal() + ")");
709 // currState.untrustedChecker.check(cert, Collections.<String>emptySet());
718 if (cert.equals(cpListCert)) {
727 /* check if trusted cert */
728 boolean isTrustedCert = trustedCerts.contains(cert);
730 /* we don't perform any validation of the trusted cert */
737 Set<String> unresCritExts = cert.getCriticalExtensionOIDs();
742 checker.check(cert, unresCritExts);
790 /* we don't perform any validation of the trusted cert */
792 /* Make sure this is a CA cert */
793 if (cert.getBasicConstraints() == -1) {
794 throw new CertificateException("cert is NOT a CA cert");
800 KeyChecker.verifyCAKeyUsage(cert);
804 * the following checks are performed even when the cert
805 * is a trusted cert, since we are only extracting the
806 * subjectDN, and publicKey from the cert
807 * in order to verify a previous cert
817 (currState.cert).verify(cert.getPublicKey(),
820 (currState.cert).verify(cert.getPublicKey());
827 * First checks the cert against each trust anchor that was specified,
828 * in order, and returns true if the cert matches the trust anchor
831 * If no match has been found, does a second check of the cert against
832 * anchors specified as a trusted {pubkey, caname} pair to see if the cert
834 * Returns false if none of the trust anchors are valid for this cert.
837 boolean isPathCompleted(X509Certificate cert) {
839 // first, check if cert is already trusted
842 if (cert.equals(anchor.getTrustedCert())) {
853 principal.equals(cert.getSubjectX500Principal())) {
854 if (publicKey.equals(cert.getPublicKey())) {
855 // the cert itself is a trust anchor
863 // next, check if cert is issued by anchor specified by key/name
869 !principal.equals(cert.getIssuerX500Principal())) {
884 cert.verify(publicKey, buildParams.sigProvider());
886 cert.verify(publicKey);
912 * @param cert the certificate to be added
916 void addCertToPath(X509Certificate cert,
919 certPathList.addFirst(cert);