Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
   package org.bouncycastle.x509;
   
   import java.io.IOException;
   import java.math.BigInteger;
   import java.net.InetAddress;
   import java.net.URL;
  import java.util.Date;
  import java.util.HashMap;
  import java.util.HashSet;
  import java.util.List;
  import java.util.Map;
  import java.util.Set;
  import java.util.Vector;
  
  
PKIXCertPathReviewer
Validation of X.509 Certificate Paths. Tries to find as much errors in the Path as possible.
  
  {
      
      private static final String QC_STATEMENT = ..getId();
      private static final String CRL_DIST_POINTS = ..getId();
      private static final String AUTH_INFO_ACCESS = ..getId();
      
      private static final String RESOURCE_NAME = "org.bouncycastle.x509.CertPathReviewerMessages";
      
      // input parameters
      
      protected CertPath certPath;
  
      protected PKIXParameters pkixParams;
  
      protected Date validDate;
 
     // state variables
     
     protected List certs;
 
     protected int n;
     
     // output variables
     
     protected List[] notifications;
     protected List[] errors;
     protected TrustAnchor trustAnchor;
     protected PublicKey subjectPublicKey;
     protected PolicyNode policyTree;
     
     private boolean initialized;
    
    
Initializes the PKIXCertPathReviewer with the given java.security.cert.CertPath and java.security.cert.PKIXParameters params

Parameters:
certPath the java.security.cert.CertPath to validate
params the java.security.cert.PKIXParameters to use
Throws:
CertPathReviewerException if the certPath is empty
java.lang.IllegalStateException if the PKIXCertPathReviewer is already initialized
 
     public void init(CertPath certPathPKIXParameters params)
             throws CertPathReviewerException
     {
         if ()
         {
             throw new IllegalStateException("object is already initialized!");
         }
          = true;
         
         // check input parameters
         if (certPath == null)
         {
             throw new NullPointerException("certPath was null");
         }
         this. = certPath;
 
          = certPath.getCertificates();
          = .size();
         if (.isEmpty())
         {
             throw new CertPathReviewerException(
                     new ErrorBundle(,"CertPathReviewer.emptyCertPath"));
         }
 
          = (PKIXParametersparams.clone();
 
         // 6.1.1 - Inputs
 
         // a) done
 
         // b)
 
          = getValidDate();
 
         // c) part of pkixParams
 
         // d) done at the beginning of checkSignatures
 
         // e) f) g) part of pkixParams
         
         // initialize output parameters
         
          = null;
          = null;
          = null;
          = null;
          = null;
     }
    
    
Creates a PKIXCertPathReviewer and initializes it with the given java.security.cert.CertPath and java.security.cert.PKIXParameters params

Parameters:
certPath the java.security.cert.CertPath to validate
params the java.security.cert.PKIXParameters to use
Throws:
CertPathReviewerException if the certPath is empty
 
     public PKIXCertPathReviewer(CertPath certPathPKIXParameters params)
             throws CertPathReviewerException
     {
         init(certPathparams);
     }
    
    
Creates an empty PKIXCertPathReviewer. Don't forget to call init() to initialize the object.
 
     public PKIXCertPathReviewer()
     {
         // do nothing
     }
    
    

Returns:
the CertPath that was validated
 
     public CertPath getCertPath()
     {
         return ;
     }
    
    

Returns:
the size of the CertPath
 
     public int getCertPathSize()
     {
         return ;
     }

    
Returns an Array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path. The global error List is at index 0. The error lists for each certificate at index 1 to n. The error messages are of type.

Returns:
the Array of Lists which contain the error messages
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public List[] getErrors()
     {
         doChecks();
         return ;
     }
    
    
Returns an List of error messages for the certificate at the given index in the CertPath. If index == -1 then the list of global errors is returned with errors not specific to a certificate.

Parameters:
index the index of the certificate in the CertPath
Returns:
List of error messages for the certificate
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public List getErrors(int index)
     {
         doChecks();
         return [index + 1];
     }

    
Returns an Array of Lists which contains a List of global notification messages and a List of botification messages for each certificate in the path. The global notificatio List is at index 0. The notification lists for each certificate at index 1 to n. The error messages are of type.

Returns:
the Array of Lists which contain the notification messages
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public List[] getNotifications()
     {
         doChecks();
         return ;
     }
    
    
Returns an List of notification messages for the certificate at the given index in the CertPath. If index == -1 then the list of global notifications is returned with notifications not specific to a certificate.

Parameters:
index the index of the certificate in the CertPath
Returns:
List of notification messages for the certificate
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public List getNotifications(int index)
     {
         doChecks();
         return [index + 1];
     }

    

Returns:
the valid policy tree, null if no valid policy exists.
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public PolicyNode getPolicyTree()
     {
         doChecks();
         return ;
     }

    

Returns:
the PublicKey if the last certificate in the CertPath
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public PublicKey getSubjectPublicKey()
     {
         doChecks();
         return ;
     }

    

Returns:
the TrustAnchor for the CertPath, null if no valid TrustAnchor was found.
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public TrustAnchor getTrustAnchor()
     {
         doChecks();
         return ;
     }
    
    

Returns:
if the CertPath is valid
Throws:
java.lang.IllegalStateException if the PKIXCertPathReviewer was not initialized
 
     public boolean isValidCertPath()
     {
         doChecks();
         boolean valid = true;
         for (int i = 0; i < .i++)
         {
             if (![i].isEmpty())
             {
                 valid = false;
                 break;
             }
         }
         return valid;
     }
     
     protected void addNotification(ErrorBundle msg)
     {
         [0].add(msg);
     }
     
     protected void addNotification(ErrorBundle msgint index)
     {
         if (index < -1 || index >= )
         {
             throw new IndexOutOfBoundsException();
         }
         [index + 1].add(msg);
     }
 
     protected void addError(ErrorBundle msg
     {
         [0].add(msg);
     }
     
     protected void addError(ErrorBundle msgint index)
     {
         if (index < -1 || index >= )
         {
             throw new IndexOutOfBoundsException();
         }
         [index + 1].add(msg);
     }
     
     protected void doChecks()
     {
         if (!)
         {
             throw new IllegalStateException("Object not initialized. Call init() first.");
         }
         if ( == null)
         {
             // initialize lists
              = new List[+1];
              = new List[+1];
             
             for (int i = 0; i < .i++)
             {
                 [i] = new ArrayList();
                 [i] = new ArrayList();
             }
             
             // check Signatures
             checkSignatures();
             
             // check Name Constraints
             checkNameConstraints();
             
             // check Path Length
             checkPathLength();
             
             // check Policy
             checkPolicy();
             
             // check other critical extensions
             checkCriticalExtensions();
             
         }
     }
 
     private void checkNameConstraints()
     {
         X509Certificate cert = null;
         
         //
         // Setup
         //
         
         // (b)  and (c)
         PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
 
         //
         // process each certificate except the last in the path
         //
         int index;
         int i;
         
         try 
         {
             for (index = .size()-1; index>0; index--) 
             {
                 i =  - index;
                 
                 //
                 // certificate processing
                 //    
                 
                 cert = (X509Certificate.get(index);
                 
                 // b),c)
                 
                 if (!isSelfIssued(cert))
                 {
                     X500Principal principal = getSubjectPrincipal(cert);
                     ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
                     ASN1Sequence    dns;
     
                     try
                     {
                         dns = (ASN1Sequence)aIn.readObject();
                     }
                     catch (IOException e)
                     {
                         ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.ncSubjectNameError"
                                 new Object[] {new UntrustedInput(principal)});
                         throw new CertPathReviewerException(msg,e,,index);
                     }
     
                     try
                     {
                         nameConstraintValidator.checkPermittedDN(dns);
                     }
                     catch (PKIXNameConstraintValidatorException cpve)
                     {
                         ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.notPermittedDN"
                                 new Object[] {new UntrustedInput(principal.getName())});
                         throw new CertPathReviewerException(msg,cpve,,index);
                     }
                     
                     try
                     {
                         nameConstraintValidator.checkExcludedDN(dns);
                     }
                     catch (PKIXNameConstraintValidatorException cpve)
                     {
                         ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.excludedDN",
                                 new Object[] {new UntrustedInput(principal.getName())});
                         throw new CertPathReviewerException(msg,cpve,,index);
                     }
             
                     ASN1Sequence altName;
                     try 
                     {
                         altName = (ASN1Sequence)getExtensionValue(cert);
                     }
                     catch (AnnotatedException ae)
                     {
                         ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.subjAltNameExtError");
                         throw new CertPathReviewerException(msg,ae,,index);
                     }
                     
                     if (altName != null)
                     {
                         for (int j = 0; j < altName.size(); j++)
                         {
                             GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
 
                             try
                             {
                                 nameConstraintValidator.checkPermitted(name);
                                 nameConstraintValidator.checkExcluded(name);
                             }
                             catch (PKIXNameConstraintValidatorException cpve)
                             {
                                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.notPermittedEmail",
                                         new Object[] {new UntrustedInput(name)});
                                 throw new CertPathReviewerException(msg,cpve,,index);
                             }
 //                            switch(o.getTagNo())            TODO - move resources to PKIXNameConstraints
 //                            {
 //                            case 1:
 //                                String email = DERIA5String.getInstance(o, true).getString();
 //
 //                                try
 //                                {
 //                                    checkPermittedEmail(permittedSubtreesEmail, email);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedEmail",
 //                                            new Object[] {new UntrustedInput(email)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //
 //                                try
 //                                {
 //                                    checkExcludedEmail(excludedSubtreesEmail, email);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedEmail",
 //                                            new Object[] {new UntrustedInput(email)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //
 //                                break;
 //                            case 4:
 //                                ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);
 //
 //                                try
 //                                {
 //                                    checkPermittedDN(permittedSubtreesDN, altDN);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    X509Name altDNName = new X509Name(altDN);
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedDN",
 //                                            new Object[] {new UntrustedInput(altDNName)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //
 //                                try
 //                                {
 //                                    checkExcludedDN(excludedSubtreesDN, altDN);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    X509Name altDNName = new X509Name(altDN);
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedDN",
 //                                            new Object[] {new UntrustedInput(altDNName)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //
 //                                break;
 //                            case 7:
 //                                byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();
 //
 //                                try
 //                                {
 //                                    checkPermittedIP(permittedSubtreesIP, ip);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedIP",
 //                                            new Object[] {IPtoString(ip)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //
 //                                try
 //                                {
 //                                    checkExcludedIP(excludedSubtreesIP, ip);
 //                                }
 //                                catch (CertPathValidatorException cpve)
 //                                {
 //                                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedIP",
 //                                            new Object[] {IPtoString(ip)});
 //                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
 //                                }
 //                            }
                         }
                     }
                 }
                 
                 //
                 // prepare for next certificate
                 //
                 
                 //
                 // (g) handle the name constraints extension
                 //
                 ASN1Sequence ncSeq;
                 try 
                 {
                     ncSeq = (ASN1Sequence)getExtensionValue(cert);
                 }
                 catch (AnnotatedException ae)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.ncExtError");
                     throw new CertPathReviewerException(msg,ae,,index);
                 }
                 
                 if (ncSeq != null)
                 {
                     NameConstraints nc = NameConstraints.getInstance(ncSeq);
 
                     //
                     // (g) (1) permitted subtrees
                     //
                     GeneralSubtree[] permitted = nc.getPermittedSubtrees();
                     if (permitted != null)
                     {
                         nameConstraintValidator.intersectPermittedSubtree(permitted);
                     }
                 
                     //
                     // (g) (2) excluded subtrees
                     //
                     GeneralSubtree[] excluded = nc.getExcludedSubtrees();
                     if (excluded != null)
                     {
                         for (int c = 0; c != excluded.lengthc++)
                         {
                              nameConstraintValidator.addExcludedSubtree(excluded[c]);
                         }
                     }
                 }
                 
             } // for
         }
         catch (CertPathReviewerException cpre)
         {
             addError(cpre.getErrorMessage(),cpre.getIndex());
         }
         
     }
 
     /*
      * checks: - path length constraints and reports - total path length
      */
     private void checkPathLength()
     {
         // init
         int maxPathLength = ;
         int totalPathLength = 0;
 
         X509Certificate cert = null;
 
         int i;
         for (int index = .size() - 1; index > 0; index--)
         {
             i =  - index;
 
             cert = (X509Certificate.get(index);
 
             // l)
 
             if (!isSelfIssued(cert))
             {
                 if (maxPathLength <= 0)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.pathLenghtExtended");
                     addError(msg);
                 }
                 maxPathLength--;
                 totalPathLength++;
             }
 
             // m)
 
             BasicConstraints bc;
             try
             {
                 bc = BasicConstraints.getInstance(getExtensionValue(cert,
                         ));
             }
             catch (AnnotatedException ae)
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.processLengthConstError");
                 addError(msg,index);
                 bc = null;
             }
 
             if (bc != null)
             {
                 BigInteger _pathLengthConstraint = bc.getPathLenConstraint();
 
                 if (_pathLengthConstraint != null)
                 {
                     int _plc = _pathLengthConstraint.intValue();
 
                     if (_plc < maxPathLength)
                     {
                         maxPathLength = _plc;
                     }
                 }
             }
 
         }
 
         ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.totalPathLength",
                 new Object[]{Integers.valueOf(totalPathLength)});
         
         addNotification(msg);
     }
 
     /*
      * checks: - signatures - name chaining - validity of certificates - todo:
      * if certificate revoked (if specified in the parameters)
      */
     private void checkSignatures()
     {
         // 1.6.1 - Inputs
         
         // d)
         
         TrustAnchor trust = null;
         X500Principal trustPrincipal = null;
         
         // validation date
         {
             ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.certPathValidDate",
                     new Object[] {new TrustedInput(), new TrustedInput(new Date())});
             addNotification(msg);
         }
         
         // find trust anchors
         try
         {
             X509Certificate cert = (X509Certificate.get(.size() - 1);
             Collection trustColl = getTrustAnchors(cert,.getTrustAnchors());
             if (trustColl.size() > 1)
             {
                 // conflicting trust anchors                
                 ErrorBundle msg = new ErrorBundle(,
                         "CertPathReviewer.conflictingTrustAnchors",
                         new Object[]{Integers.valueOf(trustColl.size()),
                             new UntrustedInput(cert.getIssuerX500Principal())});
                 addError(msg);
             }
             else if (trustColl.isEmpty())
             {
                 ErrorBundle msg = new ErrorBundle(,
                         "CertPathReviewer.noTrustAnchorFound",
                         new Object[]{new UntrustedInput(cert.getIssuerX500Principal()),
                             Integers.valueOf(.getTrustAnchors().size())});
                 addError(msg);
             }
             else
             {
                 PublicKey trustPublicKey;
                 trust = (TrustAnchortrustColl.iterator().next();
                 if (trust.getTrustedCert() != null)
                 {
                     trustPublicKey = trust.getTrustedCert().getPublicKey();
                 }
                 else
                 {
                     trustPublicKey = trust.getCAPublicKey();
                 }
                 try
                 {
                     CertPathValidatorUtilities.verifyX509Certificate(certtrustPublicKey,
                         .getSigProvider());
                 }
                 catch (SignatureException e)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.trustButInvalidCert");
                     addError(msg);
                 }
                 catch (Exception e)
                 {
                     // do nothing, error occurs again later
                 }
             }
         }
         catch (CertPathReviewerException cpre)
         {
             addError(cpre.getErrorMessage());
         }
         catch (Throwable t)
         {
             ErrorBundle msg = new ErrorBundle(,
                     "CertPathReviewer.unknown",
                     new Object[] {new UntrustedInput(t.getMessage()), new UntrustedInput(t)});
             addError(msg);
         }
         
         if (trust != null)
         {
             // get the name of the trustAnchor
             X509Certificate sign = trust.getTrustedCert();
             try
             {
                 if (sign != null)
                 {
                     trustPrincipal = getSubjectPrincipal(sign);
                 }
                 else
                 {
                     trustPrincipal = new X500Principal(trust.getCAName());
                 }
             }
             catch (IllegalArgumentException ex)
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.trustDNInvalid",
                         new Object[] {new UntrustedInput(trust.getCAName())});
                 addError(msg);
             }
             
             // test key usages of the trust anchor
             if (sign != null)
             {
                 boolean[] ku = sign.getKeyUsage(); 
                 if (ku != null && !ku[5])
                 {
                     ErrorBundle msg = new ErrorBundle("CertPathReviewer.trustKeyUsage");
                     addNotification(msg);
                 }
             }
         }
         
         // 1.6.2 - Initialization
         
         PublicKey workingPublicKey = null;
         X500Principal workingIssuerName = trustPrincipal;
         
         X509Certificate sign = null;
 
         AlgorithmIdentifier workingAlgId = null;
         ASN1ObjectIdentifier workingPublicKeyAlgorithm = null;
         ASN1Encodable workingPublicKeyParameters = null;
         
         if (trust != null)
         {
             sign = trust.getTrustedCert();
             
             if (sign != null)
             {
                 workingPublicKey = sign.getPublicKey();
             }
             else
             {
                 workingPublicKey = trust.getCAPublicKey();
             }
         
             try
             {
                 workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                 workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                 workingPublicKeyParameters = workingAlgId.getParameters();
             }
             catch (CertPathValidatorException ex)
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.trustPubKeyError");
                 addError(msg);
                 workingAlgId = null;
             }
             
         }
 
         // Basic cert checks
 
         X509Certificate cert = null;
         int i;
 
         for (int index = .size() - 1; index >= 0; index--)
         {
             //
             // i as defined in the algorithm description
             //
             i =  - index;
 
             //
             // set certificate to be checked in this round
             // sign and workingPublicKey and workingIssuerName are set
             // at the end of the for loop and initialied the
             // first time from the TrustAnchor
             //
             cert = (X509Certificate.get(index);
 
             // verify signature
             if (workingPublicKey != null)
             {
                 try
                 {
                     CertPathValidatorUtilities.verifyX509Certificate(certworkingPublicKey,
                         .getSigProvider());
                 }
                 catch (GeneralSecurityException ex)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.signatureNotVerified",
                             new Object[] {ex.getMessage(),ex,ex.getClass().getName()}); 
                     addError(msg,index);
                 }
             }
             else if (isSelfIssued(cert))
             {
                 try
                 {
                     CertPathValidatorUtilities.verifyX509Certificate(certcert.getPublicKey(),
                         .getSigProvider());
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                     addError(msgindex);
                 }
                 catch (GeneralSecurityException ex)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.signatureNotVerified",
                             new Object[] {ex.getMessage(),ex,ex.getClass().getName()}); 
                     addError(msg,index);
                 }
             }
             else
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.NoIssuerPublicKey");
                 // if there is an authority key extension add the serial and issuer of the missing certificate
                 byte[] akiBytes = cert.getExtensionValue(..getId());
                 if (akiBytes != null)
                 {
                     try
                     {
                         AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
                             X509ExtensionUtil.fromExtensionValue(akiBytes));
                         GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                         if (issuerNames != null)
                         {
                             GeneralName name = issuerNames.getNames()[0];
                             BigInteger serial = aki.getAuthorityCertSerialNumber(); 
                             if (serial != null)
                             {
                                 Object[] extraArgs = {new LocaleString("missingIssuer"), " \""name , 
                                         "\" "new LocaleString("missingSerial") , " "serial};
                                 msg.setExtraArguments(extraArgs);
                             }
                         }
                     }
                     catch (IOException e)
                     {
                         // ignore
                     }
                 }
                 addError(msg,index);
             }
 
             // certificate valid?
             try
             {
                 cert.checkValidity();
             }
             catch (CertificateNotYetValidException cnve)
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.certificateNotYetValid",
                         new Object[] {new TrustedInput(cert.getNotBefore())});
                 addError(msg,index);
             }
             catch (CertificateExpiredException cee)
             {
                 ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.certificateExpired",
                         new Object[] {new TrustedInput(cert.getNotAfter())});
                 addError(msg,index);
             }
 
             // certificate revoked?
             if (.isRevocationEnabled())
             {
                 // read crl distribution points extension
                 CRLDistPoint crlDistPoints = null;
                 try
                 {
                     ASN1Primitive crl_dp = getExtensionValue(cert,);
                     if (crl_dp != null)
                     {
                         crlDistPoints = CRLDistPoint.getInstance(crl_dp);
                     }
                 }
                 catch (AnnotatedException ae)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.crlDistPtExtError");
                     addError(msg,index);
                 }
 
                 // read authority information access extension
                 AuthorityInformationAccess authInfoAcc = null;
                 try
                 {
                     ASN1Primitive auth_info_acc = getExtensionValue(cert,);
                     if (auth_info_acc != null)
                     {
                         authInfoAcc = AuthorityInformationAccess.getInstance(auth_info_acc);
                     }
                 }
                 catch (AnnotatedException ae)
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.crlAuthInfoAccError");
                     addError(msg,index);
                 }
                 
                 Vector crlDistPointUrls = getCRLDistUrls(crlDistPoints);
                 Vector ocspUrls = getOCSPUrls(authInfoAcc);
                 
                 // add notifications with the crl distribution points
                 
                 // output crl distribution points
                 Iterator urlIt = crlDistPointUrls.iterator();
                 while (urlIt.hasNext())
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.crlDistPoint",
                                 new Object[] {new UntrustedUrlInput(urlIt.next())});
                     addNotification(msg,index);
                 }
                 
                 // output ocsp urls
                 urlIt = ocspUrls.iterator();
                 while (urlIt.hasNext())
                 {
                     ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.ocspLocation",
                             new Object[] {new UntrustedUrlInput(urlIt.next())});
                     addNotification(msg,index);
                 }
                
                // TODO also support Netscapes revocation-url and/or OCSP instead of CRLs for revocation checking
                // check CRLs
                try 
                {
                    checkRevocation(certsignworkingPublicKeycrlDistPointUrlsocspUrlsindex);
                }
                catch (CertPathReviewerException cpre)
                {
                    addError(cpre.getErrorMessage(),index);
                }
            }
            // certificate issuer correct
            if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName))
            {
                ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.certWrongIssuer",
                            new Object[] {workingIssuerName.getName(),
                            cert.getIssuerX500Principal().getName()});
                addError(msg,index);
            }
            //
            // prepare for next certificate
            //
            if (i != )
            {
                if (cert != null && cert.getVersion() == 1)
                {
                    ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.noCACert");
                    addError(msg,index);
                }
                // k)
                BasicConstraints bc;
                try
                {
                    bc = BasicConstraints.getInstance(getExtensionValue(cert,
                            ));
                    if (bc != null)
                    {
                        if (!bc.isCA())
                        {
                            ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.noCACert");
                            addError(msg,index);
                        }
                    }
                    else
                    {
                        ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.noBasicConstraints");
                        addError(msg,index);
                    }
                }
                catch (AnnotatedException ae)
                {
                    ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.errorProcesingBC");
                    addError(msg,index);
                }
                // n)
                boolean[] _usage = cert.getKeyUsage();
                if ((_usage != null) && !_usage[])
                {
                    ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.noCertSign");
                    addError(msg,index);
                }
            } // if
            // set signing certificate for next round
            sign = cert;
            
            // c)
            workingIssuerName = cert.getSubjectX500Principal();
            // d) e) f)
            try
            {
                workingPublicKey = getNextWorkingKey(index);
                workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
            catch (CertPathValidatorException ex)
            {
                ErrorBundle msg = new ErrorBundle(,"CertPathReviewer.pubKeyError");
                addError(msg,index);
                workingAlgId = null;
                workingPublicKeyAlgorithm = null;
                workingPublicKeyParameters = null;
            }
        } // for
         = trust;
         = workingPublicKey;
    }
    private void checkPolicy()
    {
        //
        // 6.1.1 Inputs
        //
        // c) Initial Policy Set
        Set userInitialPolicySet = .getInitialPolicies();
        // e) f) g) are part of pkixParams
        //
        // 6.1.2 Initialization
        //
        // a) valid policy tree
        List[] policyNodes = new ArrayList[ + 1];
        for (int j = 0; j < policyNodes.lengthj++)
        {
            policyNodes[j] = new ArrayList();
        }
        Set policySet = new HashSet();
        policySet.add();
        PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0,
                policySetnullnew HashSet(), false);
        policyNodes[0].add(validPolicyTree);
        // d) explicit policy
        int explicitPolicy;
        {
            explicitPolicy = 0;
        }
        else
        {
            explicitPolicy =  + 1;
        }
        // e) inhibit any policy
        int inhibitAnyPolicy;
        if (.isAnyPolicyInhibited())
        {
            inhibitAnyPolicy = 0;
        }
        else
        {
            inhibitAnyPolicy =  + 1;
        }
        // f) policy mapping
        int policyMapping;
        {
            policyMapping = 0;
        }
        else
        {
            policyMapping =  + 1;
        }
        Set acceptablePolicies = null;
        //
        // 6.1.3 Basic Certificate processing
        //
        X509Certificate cert = null;
        int index;
        int i;
        try 
        {
            for (index = .size() - 1; index >= 0; index--)
            {
                // i as defined in the algorithm description