added cap on size of subject alt name extension reviewer will accept.

pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java

@@ -89,6 +89,8 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
 
     private static final String RESOURCE_NAME = "org.bouncycastle.pkix.CertPathReviewerMessages";
 
+    private static final int NAME_CHECK_MAX = (1 << 10);
+
     // input parameters
 
     protected CertPath certPath;
@@ -501,6 +503,12 @@ private void checkNameConstraints()
 
                     if (altName != null)
                     {
+                        if (altName.size() > NAME_CHECK_MAX)
+                        {
+                            ErrorBundle msg = createErrorBundle("CertPathReviewer.subjAltNameExtError");
+                            throw new CertPathReviewerException(msg,certPath,index);
+                        }
+
                         for (int j = 0; j < altName.size(); j++)
                         {
                             GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
@@ -516,87 +524,6 @@ private void checkNameConstraints()
                                         new Object[] {new UntrustedInput(name)});
                                 throw new CertPathReviewerException(msg,cpve,certPath,index);
                             }
-//                            switch(o.getTagNo())            TODO - move resources to PKIXNameConstraints
-//                            {
-//                            case 1:
-//                                String email = ASN1IA5String.getInstance(o, true).getString();
-//
-//                                try
-//                                {
-//                                    checkPermittedEmail(permittedSubtreesEmail, email);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.notPermittedEmail",
-//                                            new Object[] {new UntrustedInput(email)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//
-//                                try
-//                                {
-//                                    checkExcludedEmail(excludedSubtreesEmail, email);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.excludedEmail",
-//                                            new Object[] {new UntrustedInput(email)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//
-//                                break;
-//                            case 4:
-//                                ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);
-//
-//                                try
-//                                {
-//                                    checkPermittedDN(permittedSubtreesDN, altDN);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    X509Name altDNName = new X509Name(altDN);
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.notPermittedDN",
-//                                            new Object[] {new UntrustedInput(altDNName)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//
-//                                try
-//                                {
-//                                    checkExcludedDN(excludedSubtreesDN, altDN);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    X509Name altDNName = new X509Name(altDN);
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.excludedDN",
-//                                            new Object[] {new UntrustedInput(altDNName)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//
-//                                break;
-//                            case 7:
-//                                byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();
-//
-//                                try
-//                                {
-//                                    checkPermittedIP(permittedSubtreesIP, ip);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.notPermittedIP",
-//                                            new Object[] {IPtoString(ip)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//
-//                                try
-//                                {
-//                                    checkExcludedIP(excludedSubtreesIP, ip);
-//                                }
-//                                catch (CertPathValidatorException cpve)
-//                                {
-//                                    ErrorBundle msg = createErrorBundle("CertPathReviewer.excludedIP",
-//                                            new Object[] {IPtoString(ip)});
-//                                    throw new CertPathReviewerException(msg,cpve,certPath,index);
-//                                }
-//                            }
                         }
                     }
                 }

pkix/src/test/java/org/bouncycastle/pkix/test/AllTests.java

@@ -22,6 +22,7 @@ public static Test suite()
 
         suite.addTestSuite(CheckerTest.class);
         suite.addTestSuite(RevocationTest.class);
+        suite.addTestSuite(CheckNameConstraintsTest.class);
 
         return new BCTestSetup(suite);
     }

pkix/src/test/java/org/bouncycastle/pkix/test/CheckNameConstraintsTest.java

@@ -0,0 +1,122 @@
+package org.bouncycastle.pkix.test;
+
+import java.security.Security;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.TestCase;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.pkix.jcajce.PKIXCertPathReviewer;
+import org.bouncycastle.test.TestResourceFinder;
+
+public class CheckNameConstraintsTest 
+    extends TestCase
+{
+    public void testPKIXCertPathReviewer()
+        throws Exception
+    {
+        Security.addProvider(new BouncyCastleProvider());
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
+
+        X509Certificate root = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-root.crt"));
+        X509Certificate ca1 = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-ca1.crt"));
+        X509Certificate ca2 = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-ca2.crt"));
+        X509Certificate leaf = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-leaf.crt"));
+
+        List certchain = new ArrayList();
+        certchain.add(root);
+        certchain.add(ca1);
+        certchain.add(ca2);
+        certchain.add(leaf);
+
+        CertPath cp = cf.generateCertPath(certchain);
+
+        Set trust = new HashSet();
+        trust.add(new TrustAnchor(root, null));
+        PKIXParameters param = new PKIXParameters(trust);
+
+        PKIXCertPathReviewer certPathReviewer = new PKIXCertPathReviewer();
+        certPathReviewer.init(cp, param);
+
+        assertFalse(certPathReviewer.isValidCertPath()); // hit
+    }
+
+    public void testPKIXCertPathBuilder()
+        throws Exception
+    {
+        Security.addProvider(new BouncyCastleProvider());
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
+        X509Certificate rootCert = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-root.crt"));
+        X509Certificate endCert = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-ca1.crt"));
+
+        // create CertStore to support path building
+        List list = new ArrayList();
+        list.add(endCert);
+
+        CollectionCertStoreParameters params = new CollectionCertStoreParameters(list);
+        CertStore                     store = CertStore.getInstance("Collection", params, "BC");
+
+        // build the path
+        CertPathBuilder  builder = CertPathBuilder.getInstance("PKIX", "BC");
+        X509CertSelector pathConstraints = new X509CertSelector();
+
+        pathConstraints.setCertificate(endCert);
+
+        PKIXBuilderParameters buildParams = new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(rootCert, null)), pathConstraints);
+
+        buildParams.addCertStore(store);
+        buildParams.setDate(new Date());
+        buildParams.setRevocationEnabled(false);
+
+        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)builder.build(buildParams);
+        CertPath                  path = result.getCertPath();
+
+        if (path.getCertificates().size() != 1)
+        {
+            fail("wrong number of certs in testPKIXCertPathBuilder path");
+        }
+    }
+
+    public void testPKIXCertPathValidator()
+        throws Exception
+    {
+        Security.addProvider(new BouncyCastleProvider());
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
+
+        X509Certificate rootCert = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-root.crt"));
+        X509Certificate endCert = (X509Certificate) cf.generateCertificate(TestResourceFinder.findTestResource("pkix", "mal-ca1.crt"));
+
+        List list = new ArrayList();
+        list.add(endCert);
+
+        CertPath certPath = cf.generateCertPath(list);
+
+        Set trust = new HashSet();
+        trust.add(new TrustAnchor(rootCert, null));
+
+        CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
+        PKIXParameters param = new PKIXParameters(trust);
+        param.setRevocationEnabled(false);
+
+        cpv.validate(certPath, param);
+    }
+}