package org.bouncycastle.cert.path.validations;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.path.CertPathValidation;
import org.bouncycastle.cert.path.CertPathValidationContext;
import org.bouncycastle.cert.path.CertPathValidationException;
import org.bouncycastle.util.Memoable;
public class KeyUsageValidation
implements CertPathValidation
{
private boolean isMandatory;
public KeyUsageValidation()
{
this(true);
}
public KeyUsageValidation(boolean isMandatory)
{
this.isMandatory = isMandatory;
}
public void validate(CertPathValidationContext context, X509CertificateHolder certificate)
throws CertPathValidationException
{
context.addHandledExtension(Extension.keyUsage);
if (!context.isEndEntity())
{
KeyUsage usage = KeyUsage.fromExtensions(certificate.getExtensions());
if (usage != null)
{
if (!usage.hasUsages(KeyUsage.keyCertSign))
{
throw new CertPathValidationException("Issuer certificate KeyUsage extension does not permit key signing");
}
}
else
{
if (isMandatory)
{
throw new CertPathValidationException("KeyUsage extension not present in CA certificate");
}
}
}
}
public Memoable copy()
{
return new KeyUsageValidation(isMandatory);
}
public void reset(Memoable other)
{
KeyUsageValidation v = (KeyUsageValidation)other;
this.isMandatory = v.isMandatory;
}
}