   package org.bouncycastle.jce.provider;
   
   import java.io.IOException;
   import java.math.BigInteger;
  import java.util.Date;
  import java.util.HashMap;
  import java.util.HashSet;
  import java.util.List;
  import java.util.Map;
  import java.util.Set;
  
  
  {
    // Shared CRL lookup helper; it is the receiver of the findCRLs(...) call in processCRLA1ii
    // (the qualifier was dropped from that line during extraction, leaving a bare ".findCRLs").
    private static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();

    
If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

(i) If the distribution point name is present in the IDP CRL extension and the distributionPoint field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distributionPoint field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

(ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

(iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

(iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

Parameters:
dp The distribution point.
cert The certificate.
crl The CRL.
Throws:
AnnotatedException if one of the conditions is not met or an error occurs.
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (b)(2): check the issuing distribution point (IDP)
      * extension of the complete CRL against the distribution point (DP) taken from the certificate.
      * <p>
      * These are scoping checks only: they establish that this CRL is the right CRL for
      * {@code cert} (matching names, user/CA scope, not an attribute-certificate-only CRL).
      * They do not authenticate the CRL; its signature is verified separately (processCRLF
      * selects the candidate keys, processCRLG verifies).
      * <p>
      * NOTE(review): this listing carries extraction damage. Qualified constants were dropped,
      * leaving bare {@code .} tokens (the IDP extension OID at the getExtensionValue call, the
      * DistributionPointName type tags, the BasicConstraints OID), and the {@code ", "} before
      * exception causes is missing ({@code "..."e}). Restore from upstream before compiling; the
      * comments below describe the intended logic as far as the visible code shows it.
      *
      * @param dp   the distribution point from the certificate's CRL distribution points extension
      * @param cert the certificate (an X509Certificate, or an attribute certificate)
      * @param crl  the complete CRL being checked
      * @throws AnnotatedException if an IDP condition is not met or an extension cannot be decoded
      */
     protected static void processCRLB2(
         DistributionPoint dp,
         Object cert,
         X509CRL crl)
         throws AnnotatedException
     {
         // decode the CRL's IDP extension; null when the CRL has none (then nothing below applies)
         IssuingDistributionPoint idp = null;
         try
         {
             idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                 .));
         }
         catch (Exception e)
         {
             throw new AnnotatedException("Issuing distribution point extension could not be decoded."e);
         }
         // (b) (2) (i)
         // distribution point name is present
         if (idp != null)
         {
             if (idp.getDistributionPoint() != null)
             {
                 // make list of names
                 // (getInstance on an already-decoded IDP is presumably a no-op; same as idp.getDistributionPoint())
                 DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
                 List names = new ArrayList();

                 // fullName form: the IDP carries a GeneralNames list; take every entry as-is
                 if (dpName.getType() == .)
                 {
                     GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                     for (int j = 0; j < genNames.lengthj++)
                     {
                         names.add(genNames[j]);
                     }
                 }
                 // nameRelativeToCRLIssuer form: the IDP carries a single RDN; the full name is
                 // the CRL issuer's DN with that RDN appended, wrapped as a directoryName
                 if (dpName.getType() == .)
                 {
                     ASN1EncodableVector vec = new ASN1EncodableVector();
                     try
                     {
                         Enumeration e = ASN1Sequence.getInstance(PrincipalUtils.getIssuerPrincipal(crl)).getObjects();
                         while (e.hasMoreElements())
                         {
                             vec.add((ASN1Encodable)e.nextElement());
                         }
                     }
                     catch (Exception e)
                     {
                         throw new AnnotatedException("Could not read CRL issuer."e);
                     }
                     vec.add(dpName.getName());
                     names.add(new GeneralName(X500Name.getInstance(new DERSequence(vec))));
                 }
                 boolean matches = false;
                 // verify that one of the names in the IDP matches one
                 // of the names in the DP.
                 if (dp.getDistributionPoint() != null)
                 {
                     dpName = dp.getDistributionPoint();
                     GeneralName[] genNames = null;
                     // fullName form of the DP: compare its GeneralNames directly
                     if (dpName.getType() == .)
                     {
                         genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                     }
                     // relative form of the DP: the RDN is relative to cRLIssuer when present,
                     // otherwise to the certificate issuer (RFC 5280 4.2.1.13)
                     if (dpName.getType() == .)
                     {
                         if (dp.getCRLIssuer() != null)
                         {
                             genNames = dp.getCRLIssuer().getNames();
                         }
                         else
                         {
                             genNames = new GeneralName[1];
                             try
                             {
                                 genNames[0] = new GeneralName(X500Name.getInstance(PrincipalUtils
                                     .getEncodedIssuerPrincipal(cert).getEncoded()));
                             }
                             catch (Exception e)
                             {
                                 throw new AnnotatedException("Could not read certificate issuer."e);
                             }
                         }
                         // NOTE(review): this overwrites the entries of the array returned by
                         // getNames(); harmless only if getNames() hands out a copy -- confirm.
                         for (int j = 0; j < genNames.lengthj++)
                         {
                             Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                             ASN1EncodableVector vec = new ASN1EncodableVector();
                             while (e.hasMoreElements())
                             {
                                 vec.add((ASN1Encodable)e.nextElement());
                             }
                             vec.add(dpName.getName());
                             genNames[j] = new GeneralName(X500Name.getInstance(new DERSequence(vec)));
                         }
                     }
                     // any single common name is enough; contains() relies on GeneralName.equals,
                     // presumably an encoding comparison (no name canonicalisation here)
                     if (genNames != null)
                     {
                         for (int j = 0; j < genNames.lengthj++)
                         {
                             if (names.contains(genNames[j]))
                             {
                                 matches = true;
                                 break;
                             }
                         }
                     }
                     if (!matches)
                     {
                         throw new AnnotatedException(
                             "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                     }
                 }
                 // verify that one of the names in
                 // the IDP matches one of the names in the cRLIssuer field of
                 // the DP
                 else
                 {
                     // a DP without distributionPoint must carry cRLIssuer, otherwise it names nothing
                     if (dp.getCRLIssuer() == null)
                     {
                         throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must "
                             + "be contained in DistributionPoint.");
                     }
                     GeneralName[] genNames = dp.getCRLIssuer().getNames();
                     for (int j = 0; j < genNames.lengthj++)
                     {
                         if (names.contains(genNames[j]))
                         {
                             matches = true;
                             break;
                         }
                     }
                     if (!matches)
                     {
                         throw new AnnotatedException(
                             "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                     }
                 }
             }
             // BasicConstraints of cert decides whether it counts as a CA certificate for (ii)/(iii);
             // the X509Extension cast covers both certificate kinds (the OID argument was dropped
             // from this listing)
             BasicConstraints bc = null;
             try
             {
                 bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension)cert,
                     ));
             }
             catch (Exception e)
             {
                 throw new AnnotatedException("Basic constraints extension could not be decoded."e);
             }

             // (ii) and (iii) are only meaningful for public-key certificates; they are skipped for
             // attribute certificates
             if (cert instanceof X509Certificate)
             {
                 // (b) (2) (ii)
                 // user-cert-only CRL cannot cover a certificate that asserts cA
                 if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA()))
                 {
                     throw new AnnotatedException("CA Cert CRL only contains user certificates.");
                 }

                 // (b) (2) (iii)
                 // CA-only CRL cannot cover a certificate without cA asserted (missing BC counts as end entity)
                 if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA()))
                 {
                     throw new AnnotatedException("End CRL only contains CA certificates.");
                 }
             }

             // (b) (2) (iv)
             // NOTE(review): applied regardless of cert kind, so a CRL scoped to attribute
             // certificates is rejected even when cert is an attribute certificate -- confirm intended.
             if (idp.onlyContainsAttributeCerts())
             {
                 throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
             }
         }
     }

    
If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.

Parameters:
dp The distribution point.
cert The certificate or attribute certificate.
crl The CRL for cert.
Throws:
AnnotatedException if one of the above conditions does not apply or an error occurs.
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (b)(1): bind the complete CRL to the distribution
      * point by issuer name. With a cRLIssuer in the DP the CRL issuer must equal one of those
      * names and the CRL must be marked indirect; without one the CRL issuer must equal the
      * certificate issuer.
      * <p>
      * Name equality is a scoping check, not authentication: the CRL signature is verified
      * later against a validated signer key (processCRLF / processCRLG).
      * <p>
      * NOTE(review): extraction damage in this listing -- the extension OID argument is missing
      * from the getExtensionValue call, the GeneralName tag constant compared against getTagNo()
      * was dropped (bare {@code .}), and a {@code ", "} before an exception cause is missing.
      *
      * @param dp   the distribution point
      * @param cert the certificate or attribute certificate
      * @param crl  the complete CRL for {@code cert}
      * @throws AnnotatedException if the issuer binding fails or an encoding/decoding step fails
      */
     protected static void processCRLB1(
         DistributionPoint dp,
         Object cert,
         X509CRL crl)
         throws AnnotatedException
     {
         // is the CRL an indirect CRL (IDP present with indirectCRL asserted)?
         ASN1Primitive idp = CertPathValidatorUtilities.getExtensionValue(crl);
         boolean isIndirect = false;
         if (idp != null)
         {
             if (IssuingDistributionPoint.getInstance(idp).isIndirectCRL())
             {
                 isIndirect = true;
             }
         }
         // DER encoding of the CRL issuer name, used for a byte-exact comparison below
         byte[] issuerBytes;

         try
         {
             issuerBytes = PrincipalUtils.getIssuerPrincipal(crl).getEncoded();
         }
         catch (IOException e)
         {
             throw new AnnotatedException("Exception encoding CRL issuer: " + e.getMessage(), e);
         }

         boolean matchIssuer = false;
         if (dp.getCRLIssuer() != null)
         {
             // only directoryName entries of cRLIssuer can match an X.500 CRL issuer;
             // the comparison is on the raw encoding, so it is exact, not canonicalised
             GeneralName genNames[] = dp.getCRLIssuer().getNames();
             for (int j = 0; j < genNames.lengthj++)
             {
                 if (genNames[j].getTagNo() == .)
                 {
                     try
                     {
                         if (Arrays.areEqual(genNames[j].getName().toASN1Primitive().getEncoded(), issuerBytes))
                         {
                             matchIssuer = true;
                         }
                     }
                     catch (IOException e)
                     {
                         throw new AnnotatedException(
                             "CRL issuer information from distribution point cannot be decoded."e);
                     }
                 }
             }
             // a cRLIssuer that differs from the certificate issuer is only legitimate on an
             // indirect CRL; a matching name on a non-indirect CRL is rejected
             if (matchIssuer && !isIndirect)
             {
                 throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
             }
             if (!matchIssuer)
             {
                 throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
             }
         }
         else
         {
             // no cRLIssuer: the CRL must come from the certificate's own issuer.
             // NOTE(review): this branch uses X500Name.equals while the branch above compares
             // encodings byte-for-byte; the two may differ in strictness -- confirm that is intended.
             if (PrincipalUtils.getIssuerPrincipal(crl).equals(
                 PrincipalUtils.getEncodedIssuerPrincipal(cert)))
             {
                 matchIssuer = true;
             }
         }
         // only reachable unmatched via the else branch; the cRLIssuer branch has already thrown
         if (!matchIssuer)
         {
             throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
         }
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (d): compute the interim reasons mask for this
      * CRL, i.e. which revocation reasons the CRL is authoritative for. It is the intersection of
      * the DP's reasons and the IDP's onlySomeReasons, each treated as "all reasons" when absent.
      * <p>
      * NOTE(review): extraction damage -- the IDP extension OID argument and the constant used
      * for "all reasons" (presumably a static on ReasonsMask) were dropped, leaving bare {@code .}
      * tokens, and a {@code ", "} before an exception cause is missing.
      *
      * @param crl the complete CRL
      * @param dp  the distribution point from the certificate
      * @return the interim reasons mask
      * @throws AnnotatedException if the IDP extension cannot be decoded
      */
     protected static ReasonsMask processCRLD(
         X509CRL crl,
         DistributionPoint dp)
         throws AnnotatedException
     {
         IssuingDistributionPoint idp = null;
         try
         {
             idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                 .));
         }
         catch (Exception e)
         {
             throw new AnnotatedException("Issuing distribution point extension could not be decoded."e);
         }
         // (d) (1)
         // both sides restrict reasons: intersect them
         if (idp != null && idp.getOnlySomeReasons() != null && dp.getReasons() != null)
         {
             return new ReasonsMask(dp.getReasons()).intersect(new ReasonsMask(idp.getOnlySomeReasons()));
         }
         // (d) (4)
         // neither side restricts reasons: the CRL covers all reasons
         if ((idp == null || idp.getOnlySomeReasons() == null) && dp.getReasons() == null)
         {
             return .;
         }
         // (d) (2) and (d)(3)
         // exactly one side restricts reasons; the other is treated as all reasons.
         // NOTE(review): in the (d)(2) case (idp present, onlySomeReasons absent, DP reasons
         // present) the right-hand operand becomes new ReasonsMask(null) -- confirm the
         // ReasonsMask constructor tolerates a null ReasonFlags, otherwise this throws NPE.
         return (dp.getReasons() == null
             ? .
             : new ReasonsMask(dp.getReasons())).intersect(idp == null
             ? .
             : new ReasonsMask(idp.getOnlySomeReasons()));

     }
 
     /*
      * Dotted-decimal OIDs of the certificate / CRL extensions this class consults (intended as
      * the second argument of CertPathValidatorUtilities.getExtensionValue).
      * NOTE(review): the initialisers in this listing read "..getId()" -- the qualified extension
      * constant they dereference was dropped during extraction; the blank gaps in the sequence
      * (e.g. between INHIBIT_ANY_POLICY and FRESHEST_CRL) are most likely further constants that
      * were lost the same way. Restore from upstream.
      */
     public static final String CERTIFICATE_POLICIES = ..getId();

     public static final String POLICY_MAPPINGS = ..getId();

     public static final String INHIBIT_ANY_POLICY = ..getId();


     public static final String FRESHEST_CRL = ..getId();

     public static final String DELTA_CRL_INDICATOR = ..getId();

     public static final String POLICY_CONSTRAINTS = ..getId();

     public static final String BASIC_CONSTRAINTS = ..getId();

     public static final String CRL_DISTRIBUTION_POINTS = ..getId();


     public static final String NAME_CONSTRAINTS = ..getId();


     public static final String KEY_USAGE = ..getId();

     public static final String CRL_NUMBER = ..getId();

     // id-ce-certificatePolicies anyPolicy; the only OID spelled out literally here
     public static final String ANY_POLICY = "2.5.29.32.0";

     /*
      * key usage bits: indexes into the boolean[] returned by X509Certificate.getKeyUsage(),
      * following the KeyUsage bit numbering (keyCertSign = 5, cRLSign = 6). processCRLF
      * requires at least 7 entries before reading CRL_SIGN.
      */
     protected static final int KEY_CERT_SIGN = 5;

     protected static final int CRL_SIGN = 6;

    
Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

Parameters:
crl CRL which contains revocation information for the certificate cert.
cert The attribute certificate or certificate to check if it is revoked.
defaultCRLSignCert The issuer certificate of the certificate cert.
defaultCRLSignKey The public key of the issuer certificate defaultCRLSignCert.
paramsPKIX The PKIX parameters.
certPathCerts The certificates on the certification path.
Returns:
A Set with all keys of possible CRL issuer certificates.
Throws:
AnnotatedException if the CRL is not valid or the status cannot be checked or some error occurs.
 
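     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (f): locate and validate the certificate(s) that
      * may have signed the complete CRL and return their public keys.
      * <p>
      * Candidates are every certificate in the configured stores whose subject equals the CRL
      * issuer name, plus {@code defaultCRLSignCert}. Subject-name equality by itself proves
      * nothing: each candidate other than the default (already validated by the caller) is run
      * through {@link PKIXCertPathBuilderSpi}, and a returned key is only trusted once the CRL
      * signature verifies against it in processCRLG. Candidates whose KeyUsage extension is
      * present but lacks cRLSign are dropped.
      * <p>
      * Revocation checking is switched off only for a candidate that is itself on the path being
      * validated ({@code certPathCerts}), because checking its revocation would recurse into the
      * very CRL being verified here; for every other candidate it stays on.
      *
      * @param crl                the complete CRL whose signer is being established
      * @param cert               the certificate (or attribute certificate) the CRL is checked for
      * @param defaultCRLSignCert the issuer certificate of {@code cert}; always a candidate
      * @param defaultCRLSignKey  the public key of {@code defaultCRLSignCert}
      * @param paramsPKIX         PKIX parameters supplying the certificate stores
      * @param certPathCerts      the certificates on the certification path under validation
      * @param helper             JCA/JCE helper used to derive the working key from a built path
      * @return a non-empty {@link Set} of {@link PublicKey} candidates for verifying the CRL signature
      * @throws AnnotatedException if the CRL issuer cannot be encoded, the stores cannot be
      *         searched, a candidate's path fails to build or validate, or no candidate may sign CRLs
      */
     protected static Set processCRLF(
         X509CRL crl,
         Object cert,
         X509Certificate defaultCRLSignCert,
         PublicKey defaultCRLSignKey,
         PKIXExtendedParameters paramsPKIX,
         List certPathCerts,
         JcaJceHelper helper)
         throws AnnotatedException
     {
         // (f)

         // select candidate signers by subject name == CRL issuer name
         X509CertSelector certSelector = new X509CertSelector();
         try
         {
             byte[] issuerPrincipal = PrincipalUtils.getIssuerPrincipal(crl).getEncoded();
             certSelector.setSubject(issuerPrincipal);
         }
         catch (IOException e)
         {
             throw new AnnotatedException(
                 "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
         }

         PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build();

         // get CRL signing certs from both the BC certificate stores and the JCA cert stores
         Collection coll;
         try
         {
             coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertificateStores());
             coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
         }
         catch (AnnotatedException e)
         {
             throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
         }

         // the issuer of cert is always a candidate, whether or not the stores returned it
         coll.add(defaultCRLSignCert);

         // parallel lists: validKeys.get(i) is the working key for validCerts.get(i)
         List validCerts = new ArrayList();
         List validKeys = new ArrayList();

         for (Iterator cert_it = coll.iterator(); cert_it.hasNext();)
         {
             X509Certificate signingCert = (X509Certificate)cert_it.next();

             /*
              * CA of the certificate, for which this CRL is checked, has also
              * signed CRL, so skip the path validation, because is already done
              */
             if (signingCert.equals(defaultCRLSignCert))
             {
                 validCerts.add(signingCert);
                 validKeys.add(defaultCRLSignKey);
                 continue;
             }
             try
             {
                 PKIXCertPathBuilderSpi builder = new PKIXCertPathBuilderSpi();
                 X509CertSelector tmpCertSelector = new X509CertSelector();
                 tmpCertSelector.setCertificate(signingCert);

                 PKIXExtendedParameters.Builder paramsBuilder = new PKIXExtendedParameters.Builder(paramsPKIX)
                     .setTargetConstraints(new PKIXCertStoreSelector.Builder(tmpCertSelector).build());

                 /*
                  * if signingCert is placed not higher on the cert path a
                  * dependency loop results. CRL for cert is checked, but
                  * signingCert is needed for checking the CRL which is dependent
                  * on checking cert because it is higher in the cert path and so
                  * signing signingCert transitively. so, revocation is disabled,
                  * forgery attacks of the CRL are detected in this outer loop
                  * for all other it must be enabled to prevent forgery attacks
                  */
                 paramsBuilder.setRevocationEnabled(!certPathCerts.contains(signingCert));

                 PKIXExtendedBuilderParameters extParams = new PKIXExtendedBuilderParameters.Builder(paramsBuilder.build()).build();

                 List certs = builder.engineBuild(extParams).getCertPath().getCertificates();
                 validCerts.add(signingCert);
                 validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0, helper));
             }
             catch (CertPathBuilderException e)
             {
                 throw new AnnotatedException("CertPath for CRL signer failed to validate.", e);
             }
             catch (CertPathValidatorException e)
             {
                 throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
             }
             catch (Exception e)
             {
                 // keep the cause; rethrowing only the message lost the underlying stack trace
                 throw new AnnotatedException(e.getMessage(), e);
             }
         }

         Set checkKeys = new HashSet();

         AnnotatedException lastException = null;
         for (int i = 0; i < validCerts.size(); i++)
         {
             X509Certificate signCert = (X509Certificate)validCerts.get(i);
             boolean[] keyusage = signCert.getKeyUsage();

             // KeyUsage present but cRLSign (bit CRL_SIGN) not set: this certificate may not sign CRLs.
             // A missing KeyUsage extension (null) places no restriction and is accepted.
             if (keyusage != null && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
             {
                 lastException = new AnnotatedException(
                     "Issuer certificate key usage extension does not permit CRL signing.");
             }
             else
             {
                 checkKeys.add(validKeys.get(i));
             }
         }

         if (checkKeys.isEmpty())
         {
             // prefer the more specific key-usage failure when there was one
             if (lastException != null)
             {
                 throw lastException;
             }
             throw new AnnotatedException("Cannot find a valid issuer certificate.");
         }

         return checkKeys;
     }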
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (g): verify the signature on the complete CRL.
      * Tries each candidate key in turn and returns the first one the CRL signature verifies
      * against. The candidates come from processCRLF, which has already path-validated their
      * certificates, so a successful verification here is what finally authenticates the CRL.
      *
      * @param crl  the complete CRL
      * @param keys candidate public keys of the CRL issuer
      * @return the key that verified the CRL signature
      * @throws AnnotatedException if no key verifies the CRL; the cause is the last verification
      *         failure (null when {@code keys} is empty)
      */
     protected static PublicKey processCRLG(
         X509CRL crl,
         Set keys)
         throws AnnotatedException
     {
         Exception failure = null;
         Iterator it = keys.iterator();
         while (it.hasNext())
         {
             PublicKey candidate = (PublicKey)it.next();
             try
             {
                 crl.verify(candidate);
             }
             catch (Exception e)
             {
                 // remember the most recent failure and keep trying the remaining keys
                 failure = e;
                 continue;
             }
             return candidate;
         }
         throw new AnnotatedException("Cannot verify CRL.", failure);
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (h): pick the delta CRL whose signature verifies
      * against {@code key} -- the same key that verified the complete CRL, so a delta signed by
      * anyone else is rejected.
      *
      * @param deltacrls candidate delta CRLs (may be empty)
      * @param key       the public key that verified the complete CRL
      * @return the first delta CRL that verifies, or null when no delta CRLs were offered
      * @throws AnnotatedException if delta CRLs were offered but none verifies; the cause is the
      *         last verification failure
      */
     protected static X509CRL processCRLH(
         Set deltacrls,
         PublicKey key)
         throws AnnotatedException
     {
         Exception failure = null;

         for (Iterator it = deltacrls.iterator(); it.hasNext();)
         {
             X509CRL candidate = (X509CRL)it.next();
             try
             {
                 candidate.verify(key);
             }
             catch (Exception e)
             {
                 failure = e;
                 continue;
             }
             return candidate;
         }

         if (failure == null)
         {
             // nothing to verify: callers treat a null delta as "no delta available"
             return null;
         }
         throw new AnnotatedException("Cannot verify delta CRL.", failure);
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (a)(1)(i): when use-deltas is enabled, collect the
      * delta CRLs that refresh the complete CRL {@code crl}. The Freshest CRL extension is taken
      * from the certificate first and from the complete CRL only when the certificate has none;
      * its distribution points are used to add further CRL stores to search.
      * <p>
      * NOTE(review): extraction damage -- the extension OID argument is missing from both
      * getExtensionValue calls (the variable name and messages indicate the Freshest CRL
      * extension, cf. FRESHEST_CRL declared in this class), and several {@code ", "} separators
      * between arguments / before exception causes are missing.
      *
      * @param currentDate the date the delta CRLs must be valid at
      * @param paramsPKIX  PKIX parameters supplying the CRL stores and the named CRL store map
      * @param cert        the certificate being checked
      * @param crl         the complete CRL
      * @return the delta CRLs found; empty when use-deltas is disabled or none are found
      * @throws AnnotatedException if the extension cannot be decoded or the stores cannot be searched
      */
     protected static Set processCRLA1i(
         Date currentDate,
         PKIXExtendedParameters paramsPKIX,
         X509Certificate cert,
         X509CRL crl)
         throws AnnotatedException
     {
         Set set = new HashSet();
         if (paramsPKIX.isUseDeltasEnabled())
         {
             // Freshest CRL from the certificate takes precedence over the one on the CRL
             CRLDistPoint freshestCRL = null;
             try
             {
                 freshestCRL = CRLDistPoint
                     .getInstance(CertPathValidatorUtilities.getExtensionValue(cert));
             }
             catch (AnnotatedException e)
             {
                 throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate."e);
             }
             if (freshestCRL == null)
             {
                 try
                 {
                     freshestCRL = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                         ));
                 }
                 catch (AnnotatedException e)
                 {
                     throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL."e);
                 }
             }
             if (freshestCRL != null)
             {
                 List crlStores = new ArrayList();

                 crlStores.addAll(paramsPKIX.getCRLStores());

                 // Locations named in the (attacker-influenceable) extension are resolved through
                 // the caller's named CRL store map; presumably only pre-registered stores are
                 // honoured, so the extension cannot by itself trigger arbitrary fetches -- confirm.
                 try
                 {
                     crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(freshestCRLparamsPKIX.getNamedCRLStoreMap()));
                 }
                 catch (AnnotatedException e)
                 {
                     throw new AnnotatedException(
                         "No new delta CRL locations could be added from Freshest CRL extension."e);
                 }

                 // get delta CRL(s)
                 try
                 {
                     set.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDatecrlparamsPKIX.getCertStores(), crlStores));
                 }
                 catch (AnnotatedException e)
                 {
                     throw new AnnotatedException("Exception obtaining delta CRLs."e);
                 }
             }
         }
         return set;
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (a)(1)(ii): collect the complete CRLs for
      * {@code cert} issued by the same issuer as {@code crl}, and -- when use-deltas is enabled --
      * the delta CRLs that refresh {@code crl}.
      * <p>
      * Finding a CRL by issuer name here only selects candidates; nothing is trusted until the
      * CRL signature is verified (processCRLG / processCRLH).
      *
      * @param currentDate the validation date to use unless the parameters carry their own
      * @param paramsPKIX  PKIX parameters supplying the date and the cert / CRL stores
      * @param cert        the certificate the CRLs must cover
      * @param crl         the complete CRL whose issuer scopes the search
      * @return a two-element array: index 0 the complete CRLs, index 1 the delta CRLs (empty
      *         when use-deltas is disabled)
      * @throws AnnotatedException if the CRL issuer cannot be encoded or delta CRLs cannot be obtained
      */
     protected static Set[] processCRLA1ii(
         Date currentDate,
         PKIXExtendedParameters paramsPKIX,
         X509Certificate cert,
         X509CRL crl)
         throws AnnotatedException
     {
         X509CRLSelector crlselect = new X509CRLSelector();
         crlselect.setCertificateChecking(cert);
         try
         {
             crlselect.addIssuerName(PrincipalUtils.getIssuerPrincipal(crl).getEncoded());
         }
         catch (IOException e)
         {
             throw new AnnotatedException("Cannot extract issuer from CRL." + e, e);
         }

         PKIXCRLStoreSelector extSelect =
             new PKIXCRLStoreSelector.Builder(crlselect).setCompleteCRLEnabled(true).build();

         // an explicit validation date in the parameters overrides the caller-supplied one
         Date validityDate = currentDate;
         Date paramDate = paramsPKIX.getDate();
         if (paramDate != null)
         {
             validityDate = paramDate;
         }

         Set completeSet = CRL_UTIL.findCRLs(extSelect, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores());

         Set deltaSet = new HashSet();
         if (paramsPKIX.isUseDeltasEnabled())
         {
             // get delta CRL(s)
             try
             {
                 deltaSet.addAll(CertPathValidatorUtilities.getDeltaCRLs(validityDate, crl, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores()));
             }
             catch (AnnotatedException e)
             {
                 throw new AnnotatedException("Exception obtaining delta CRLs.", e);
             }
         }

         return new Set[] { completeSet, deltaSet };
     }



    
If use-deltas is set, verify the issuer and scope of the delta CRL.

Parameters:
deltaCRL The delta CRL.
completeCRL The complete CRL.
pkixParams The PKIX parameters.
Throws:
AnnotatedException if an exception occurs.
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (c): when use-deltas is enabled, check that the
      * delta CRL belongs to the complete CRL -- same issuer (c)(1), identical issuing
      * distribution point extension (c)(2), and identical authority key identifier (c)(3).
      * <p>
      * These are consistency checks; the delta CRL's signature is verified separately, against
      * the same key that verified the complete CRL (processCRLH).
      * <p>
      * NOTE(review): extraction damage -- the extension OID argument is missing from all four
      * getExtensionValue calls (IDP for both CRLs, AKI for both CRLs) and several {@code ", "}
      * before exception causes are missing.
      *
      * @param deltaCRL    the delta CRL; null means nothing to check
      * @param completeCRL the complete CRL
      * @param pkixParams  PKIX parameters (only isUseDeltasEnabled is consulted)
      * @throws AnnotatedException if a check fails or an extension cannot be decoded
      */
     protected static void processCRLC(
         X509CRL deltaCRL,
         X509CRL completeCRL,
         PKIXExtendedParameters pkixParams)
         throws AnnotatedException
     {
         if (deltaCRL == null)
         {
             return;
         }
         // decoded before the use-deltas test, so a malformed IDP on the complete CRL is
         // reported even when deltas are disabled
         IssuingDistributionPoint completeidp = null;
         try
         {
             completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(
                 completeCRL.));
         }
         catch (Exception e)
         {
             throw new AnnotatedException("Issuing distribution point extension could not be decoded."e);
         }

         if (pkixParams.isUseDeltasEnabled())
         {
             // (c) (1)
             // issuer names must be equal
             if (!PrincipalUtils.getIssuerPrincipal(deltaCRL).equals(PrincipalUtils.getIssuerPrincipal(completeCRL)))
             {
                 throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer.");
             }

             // (c) (2)
             // IDP extensions must be both absent or equal
             IssuingDistributionPoint deltaidp = null;
             try
             {
                 deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(
                     deltaCRL));
             }
             catch (Exception e)
             {
                 throw new AnnotatedException(
                     "Issuing distribution point extension from delta CRL could not be decoded."e);
             }

             boolean match = false;
             if (completeidp == null)
             {
                 if (deltaidp == null)
                 {
                     match = true;
                 }
             }
             else
             {
                 if (completeidp.equals(deltaidp))
                 {
                     match = true;
                 }
             }
             if (!match)
             {
                 throw new AnnotatedException(
                     "Issuing distribution point extension from delta CRL and complete CRL does not match.");
             }

             // (c) (3)
             // authority key identifiers must both be present and equal (compared as decoded ASN.1)
             ASN1Primitive completeKeyIdentifier = null;
             try
             {
                 completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(
                     completeCRL);
             }
             catch (AnnotatedException e)
             {
                 throw new AnnotatedException(
                     "Authority key identifier extension could not be extracted from complete CRL."e);
             }

             ASN1Primitive deltaKeyIdentifier = null;
             try
             {
                 deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(
                     deltaCRL);
             }
             catch (AnnotatedException e)
             {
                 throw new AnnotatedException(
                     "Authority key identifier extension could not be extracted from delta CRL."e);
             }

             // stricter than "absent on both is fine": an AKI is required on both CRLs
             if (completeKeyIdentifier == null)
             {
                 throw new AnnotatedException("CRL authority key identifier is null.");
             }

             if (deltaKeyIdentifier == null)
             {
                 throw new AnnotatedException("Delta CRL authority key identifier is null.");
             }

             if (!completeKeyIdentifier.equals(deltaKeyIdentifier))
             {
                 throw new AnnotatedException(
                     "Delta CRL authority key identifier does not match complete CRL authority key identifier.");
             }
         }
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (i): when use-deltas is enabled and a delta CRL is
      * available, look the certificate up on the delta CRL first and record the outcome in
      * {@code certStatus}. Otherwise this is a no-op.
      *
      * @param validDate  the date at which revocation status is evaluated
      * @param deltacrl   the delta CRL, or null when none is available
      * @param cert       the certificate or attribute certificate being checked
      * @param certStatus receives the revocation status found on the delta CRL
      * @param pkixParams PKIX parameters (only isUseDeltasEnabled is consulted)
      * @throws AnnotatedException if the status lookup fails
      */
     protected static void processCRLI(
         Date validDate,
         X509CRL deltacrl,
         Object cert,
         CertStatus certStatus,
         PKIXExtendedParameters pkixParams)
         throws AnnotatedException
     {
         if (!pkixParams.isUseDeltasEnabled() || deltacrl == null)
         {
             return;
         }
         CertPathValidatorUtilities.getCertStatus(validDate, deltacrl, cert, certStatus);
     }
 
     /**
      * RFC 3280 / RFC 5280 section 6.3.3 step (j): if the certificate was not found revoked by
      * the delta CRL (processCRLI), look it up on the complete CRL and record the outcome in
      * {@code certStatus}.
      * <p>
      * NOTE(review): extraction damage -- the status constant compared against getCertStatus()
      * was dropped (bare {@code .}; presumably the "unrevoked" value of CertStatus) and the
      * {@code ", "} separators between the getCertStatus arguments are missing.
      *
      * @param validDate   the date at which revocation status is evaluated
      * @param completecrl the complete CRL
      * @param cert        the certificate or attribute certificate being checked
      * @param certStatus  the status so far; updated when the certificate is found on the CRL
      * @throws AnnotatedException if the status lookup fails
      */
     protected static void processCRLJ(
         Date validDate,
         X509CRL completecrl,
         Object cert,
         CertStatus certStatus)
         throws AnnotatedException
     {
         // a revocation already recorded from the delta CRL stands; only consult the complete CRL otherwise
         if (certStatus.getCertStatus() == .)
         {
             CertPathValidatorUtilities.getCertStatus(validDatecompletecrlcertcertStatus);
         }
     }
 
     protected static PKIXPolicyNode prepareCertB(
         CertPath certPath,
         int index,
         List[] policyNodes,
         PKIXPolicyNode validPolicyTree,
         int policyMapping)
         throws CertPathValidatorException
     {
         List certs = certPath.getCertificates();
         X509Certificate cert = (X509Certificate)certs.get(index);
         int n = certs.size();
         // i as defined in the algorithm description
         int i = n - index;
         // (b)
         //
         ASN1Sequence pm = null;
         try
         {
             pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                 .));
         }
         catch (AnnotatedException ex)
         {
             throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded."excertPath,
                 index);
         }
         PKIXPolicyNode _validPolicyTree = validPolicyTree;
         if (pm != null)
         {
             ASN1Sequence mappings = (ASN1Sequence)pm;
             Map m_idp = new HashMap();
             Set s_idp = new HashSet();
 
             for (int j = 0; j < mappings.size(); j++)
             {
                 ASN1Sequence mapping = (ASN1Sequence)mappings.getObjectAt(j);
                 String id_p = ((ASN1ObjectIdentifier)mapping.getObjectAt(0)).getId();
                 String sd_p = ((ASN1ObjectIdentifier)mapping.getObjectAt(1)).getId();
                 Set tmp;
 
                 if (!m_idp.containsKey(id_p))
                 {
                     tmp = new HashSet();
                     tmp.add(sd_p);
                     m_idp.put(id_ptmp);
                     s_idp.add(id_p);
                 }
                 else
                 {
                     tmp = (Set)m_idp.get(id_p);
                     tmp.add(sd_p);
                 }
             }
 
             Iterator it_idp = s_idp.iterator();
             while (it_idp.hasNext())
             {
                 String id_p = (String)it_idp.next();
 
                 //
                 // (1)
                 //
                 if (policyMapping > 0)
                 {
                     boolean idp_found = false;
                     Iterator nodes_i = policyNodes[i].iterator();
                     while (nodes_i.hasNext())
                     {
                         PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                         if (node.getValidPolicy().equals(id_p))
                         {
                             idp_found = true;
                             node.expectedPolicies = (Set)m_idp.get(id_p);
                             break;
                         }
                     }
 
                     if (!idp_found)
                     {
                         nodes_i = policyNodes[i].iterator();
                         while (nodes_i.hasNext())
                         {
                             PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                             if (..equals(node.getValidPolicy()))
                             {
                                 Set pq = null;
                                 ASN1Sequence policies = null;
                                 try
                                 {
                                     policies = (ASN1Sequence)CertPathValidatorUtilities.getExtensionValue(cert,
                                         .);
                                 }
                                 catch (AnnotatedException e)
                                 {
                                     throw new ExtCertPathValidatorException(
                                         "Certificate policies extension could not be decoded."ecertPathindex);
                                 }
                                 Enumeration e = policies.getObjects();
                                 while (e.hasMoreElements())
                                 {
                                     PolicyInformation pinfo = null;
                                     try
                                     {
                                         pinfo = PolicyInformation.getInstance(e.nextElement());
                                     }
                                     catch (Exception ex)
                                     {
                                         throw new CertPathValidatorException(
                                             "Policy information could not be decoded."excertPathindex);
                                     }
                                     if (..equals(pinfo.getPolicyIdentifier().getId()))
                                     {
                                        try
                                        {
                                            pq = CertPathValidatorUtilities
                                                .getQualifierSet(pinfo.getPolicyQualifiers());
                                        }
                                        catch (CertPathValidatorException ex)
                                        {
                                            throw new ExtCertPathValidatorException(
                                                "Policy qualifier info set could not be decoded."excertPath,
                                                index);
                                        }
                                        break;
                                    }
                                }
                                boolean ci = false;
                                if (cert.getCriticalExtensionOIDs() != null)
                                {
                                    ci = cert.getCriticalExtensionOIDs().contains(
                                        .);
                                }
                                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                                if (..equals(p_node.getValidPolicy()))
                                {
                                    PKIXPolicyNode c_node = new PKIXPolicyNode(new ArrayList(), i, (Set)m_idp
                                        .get(id_p), p_nodepqid_pci);
                                    p_node.addChild(c_node);
                                    policyNodes[i].add(c_node);
                                }
                                break;
                            }
                        }
                    }
                    //
                    // (2)
                    //
                }
                else if (policyMapping <= 0)
                {
                    Iterator nodes_i = policyNodes[i].iterator();
                    while (nodes_i.hasNext())
                    {
                        PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                        if (node.getValidPolicy().equals(id_p))
                        {
                            PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                            p_node.removeChild(node);
                            nodes_i.remove();
                            for (int k = (i - 1); k >= 0; k--)
                            {
                                List nodes = policyNodes[k];
                                for (int l = 0; l < nodes.size(); l++)
                                {
                                    PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                                    if (!node2.hasChildren())
                                    {
                                        _validPolicyTree = CertPathValidatorUtilities.removePolicyNode(
                                            _validPolicyTreepolicyNodesnode2);
                                        if (_validPolicyTree == null)
                                        {
                                            break;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        return _validPolicyTree;
    }
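    /**
     * RFC 5280 section 6.1.4 step (a): if the certificate carries a policy
     * mappings extension, verify that the special value anyPolicy appears
     * neither as an issuerDomainPolicy nor as a subjectDomainPolicy.
     * <p>
     * The profile forbids such mappings because a mapping involving anyPolicy
     * would let an intermediate CA rewrite the policy state of the path in an
     * unbounded way; a validator that accepted it could be steered into treating
     * an arbitrary policy as acceptable to the relying party.
     *
     * @param certPath the certification path being validated.
     * @param index    index within {@code certPath} of the certificate to examine.
     * @throws CertPathValidatorException if the extension or one of its entries
     *         cannot be decoded, or if either side of a mapping is anyPolicy.
     */
    protected static void prepareNextCertA(
        CertPath certPath,
        int index)
        throws CertPathValidatorException
    {
        List certs = certPath.getCertificates();
        X509Certificate cert = (X509Certificate)certs.get(index);
        //
        // (a) check the policy mappings
        //
        ASN1Sequence pm = null;
        try
        {
            // An absent extension is expected to come back as null, which means
            // there is nothing to check for this certificate.
            pm = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.POLICY_MAPPINGS));
        }
        catch (AnnotatedException ex)
        {
            throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath,
                index);
        }
        if (pm == null)
        {
            return;
        }
        for (int j = 0; j < pm.size(); j++)
        {
            ASN1ObjectIdentifier issuerDomainPolicy;
            ASN1ObjectIdentifier subjectDomainPolicy;
            try
            {
                ASN1Sequence mapping = DERSequence.getInstance(pm.getObjectAt(j));
                issuerDomainPolicy = ASN1ObjectIdentifier.getInstance(mapping.getObjectAt(0));
                subjectDomainPolicy = ASN1ObjectIdentifier.getInstance(mapping.getObjectAt(1));
            }
            catch (Exception e)
            {
                // A malformed entry is a hard failure: the policy state derived from
                // this certificate could not be trusted, so the path is rejected.
                throw new ExtCertPathValidatorException("Policy mappings extension contents could not be decoded.",
                    e, certPath, index);
            }
            if (RFC3280CertPathUtilities.ANY_POLICY.equals(issuerDomainPolicy.getId()))
            {
                throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy", null, certPath, index);
            }
            if (RFC3280CertPathUtilities.ANY_POLICY.equals(subjectDomainPolicy.getId()))
            {
                throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy", null, certPath, index);
            }
        }
    }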
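    /**
     * RFC 5280 section 6.1.3 step (f): verify that either {@code explicitPolicy}
     * is greater than zero or the valid policy tree is not {@code null}.
     * <p>
     * Once explicit_policy has counted down to zero every certificate on the
     * path must be covered by the policy tree; an empty tree at that point means
     * no acceptable policy survived and the path must be rejected rather than
     * silently accepted without a policy.
     *
     * @param certPath        the certification path being validated.
     * @param index           index within {@code certPath} of the certificate being processed.
     * @param validPolicyTree the current valid policy tree, or {@code null} if it is empty.
     * @param explicitPolicy  the current explicit_policy state variable.
     * @throws CertPathValidatorException if {@code explicitPolicy} is zero or less and
     *         {@code validPolicyTree} is {@code null}.
     */
    protected static void processCertF(
        CertPath certPath,
        int index,
        PKIXPolicyNode validPolicyTree,
        int explicitPolicy)
        throws CertPathValidatorException
    {
        //
        // (f)
        //
        if (explicitPolicy <= 0 && validPolicyTree == null)
        {
            throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath,
                index);
        }
    }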
    protected static PKIXPolicyNode processCertE(
        CertPath certPath,
        int index,
        PKIXPolicyNode validPolicyTree)
        throws