use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.
the class CRLValidation method validate.
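/**
 * Checks {@code certificate} against the CRLs of the current working issuer.
 *
 * <p>The CRLs consulted are those whose issuer equals {@code workingIssuerName}; after a
 * successful check the working issuer advances to {@code certificate}'s subject, so the next
 * certificate in the path is checked against CRLs issued by this one.
 *
 * <p>Only issuer-name matching and a serial-number lookup are done here. The CRL's own
 * signature, scope and validity window are not verified in this block, and delta CRLs are not
 * handled (see the TODOs), so a pass here is not a complete revocation check on its own.
 *
 * @param context     the path-validation context; not consulted by this check.
 * @param certificate the certificate whose revocation status is being checked.
 * @throws CertPathValidationException if the certificate's issuer is not the working issuer,
 *                                     no CRL for the working issuer is available, or the
 *                                     certificate's serial number is listed in a matching CRL.
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // Fail closed if this certificate was not issued by the name whose CRLs are about to be
    // consulted; otherwise a CRL from an unrelated issuer would be searched for its serial.
    if (!certificate.getIssuer().equals(workingIssuerName)) {
        throw new CertPathValidationException("Certificate issuer " + certificate.getIssuer()
            + " does not match working issuer " + workingIssuerName);
    }
    // TODO: add handling of delta CRLs
    Collection matches = crls.getMatches(new Selector() {
        public boolean match(Object obj) {
            // Non-CRL entries in the store are skipped instead of failing with a ClassCastException.
            if (!(obj instanceof X509CRLHolder)) {
                return false;
            }
            return ((X509CRLHolder) obj).getIssuer().equals(workingIssuerName);
        }

        public Object clone() {
            // The selector holds no state of its own, so sharing the instance is safe.
            return this;
        }
    });
    if (matches.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    for (Object match : matches) {
        X509CRLHolder crl = (X509CRLHolder) match;
        // TODO: not quite right! (the CRL's signature, scope and freshness are not checked here)
        if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    this.workingIssuerName = certificate.getSubject();
}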
use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathBuilderSpi method engineBuild.
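/**
 * Build and validate a CertPath using the given parameter.
 *
 * <p>The target constraints of {@code params} must be an {@code X509AttributeCertStoreSelector}.
 * Every attribute certificate matching it is tried in turn; for each one, every public key
 * certificate whose subject matches one of the attribute certificate's issuer principals is
 * passed to {@link #build} until a result is produced.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 * @return the first path that was built and validated successfully.
 * @throws InvalidAlgorithmParameterException if {@code params} is not one of the accepted
 *                                            builder parameter types.
 * @throws CertPathBuilderException if the target constraints have the wrong type, no target
 *                                  attribute certificate or issuer certificate can be found, or
 *                                  no candidate chain validates.
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        // The guard names the same type as the cast below; testing for the wider
        // ExtendedPKIXParameters would let the cast fail with a ClassCastException.
        if (params instanceof ExtendedPKIXBuilderParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        // NOTE(review): the type check above also admits an ExtendedPKIXBuilderParameters that is
        // not a PKIXBuilderParameters; such a value would reach this cast and fail with a
        // ClassCastException — confirm against the class hierarchy.
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    }
    List certPathList = new ArrayList();
    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    Collection targets;
    try {
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates
    Iterator targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        X509AttributeCertificate cert = (X509AttributeCertificate) targetIter.next();
        // One selector is reused for all issuer principals: a principal that is not an
        // X500Principal keeps whatever subject the previous iteration set (or none).
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = cert.getIssuer().getPrincipals();
        LinkedHashSet issuers = new LinkedHashSet();
        for (Principal principal : principals) {
            try {
                if (principal instanceof X500Principal) {
                    selector.setSubject(((X500Principal) principal).getEncoded());
                }
                PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
                // Both the JCA cert stores and the project's own certificate stores are searched.
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
            }
        }
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        // Try each candidate issuer certificate until one yields a validated path.
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }
    // certPathException is recorded by build() when a candidate chain failed validation;
    // surface it as the cause so the caller can tell "no chain" from "chain rejected".
    if (result == null && certPathException != null) {
        throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}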
use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathValidatorSpi method engineValidate.
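/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be necessary to correctly
 * validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute issuers with {@link
 * com.github.zhenwei.provider.x509.ExtendedPKIXParameters#setTrustedACIssuers(Set)}.
 * <p>
 * The RFC 3281 processing steps are delegated to <code>RFC3281CertPathUtilities</code> in
 * order (step 6 is already covered by the selector), followed by the additional attribute
 * checks and the CRL check for the attribute certificate.
 *
 * @param certPath The certificate path which belongs to the attribute certificate issuer public
 * key certificate.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the
 * <code>certPath</code>.
 * @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
 * validator, including a target selector without an attribute certificate.
 * @throws CertPathValidatorException if the verification fails, or if <code>certPath</code>
 * contains no certificates.
 */
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttributes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters) {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters) params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttributes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
            // The contract above requires the AC issuer to be registered via setTrustedACIssuers;
            // without copying that set, step 4 below would always run against an empty set.
            trustedACIssuers = extPKIX.getTrustedACIssuers();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        // Nothing on this branch populates trustedACIssuers, so step 4 sees an empty set here.
        paramsPKIX = (PKIXExtendedParameters) params;
    }
    final Date currentDate = new Date();
    final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
    // The selector's attribute certificate criterion is mandatory (see the contract above);
    // reject its absence explicitly instead of failing inside the RFC 3281 steps.
    if (attrCert == null) {
        throw new InvalidAlgorithmParameterException("TargetConstraints must have the attribute certificate criterion set for " + this.getClass().getName() + " class.");
    }
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    // The first certificate of the path is taken as the AC issuer's public key certificate.
    if (certPath.getCertificates().isEmpty()) {
        throw new CertPathValidatorException("Certificate path for the attribute certificate issuer is empty.");
    }
    X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttributes, necessaryACAttributes);
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, certPath.getCertificates(), helper);
    return result;
}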
use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.
the class ExtendedPKIXParameters method setParams.
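/**
 * Method to support <code>clone()</code> under J2ME.
 * <code>super.clone()</code> does not exist and fields are not copied.
 *
 * <p>Every <code>PKIXParameters</code> property of <code>params</code> is copied into this
 * instance. If <code>params</code> is itself an <code>ExtendedPKIXParameters</code>, its
 * extended fields (validity model, delta usage, additional locations, selector, stores and the
 * attribute-certificate sets) are copied as well; the collections are copied into fresh
 * containers and the selector is cloned, so the two parameter objects share no mutable state.
 *
 * @param params Parameters to set. If these are
 * <code>ExtendedPKIXParameters</code>, their extended fields are copied too.
 */
protected void setParams(PKIXParameters params) {
    setDate(params.getDate());
    setCertPathCheckers(params.getCertPathCheckers());
    setCertStores(params.getCertStores());
    setAnyPolicyInhibited(params.isAnyPolicyInhibited());
    setExplicitPolicyRequired(params.isExplicitPolicyRequired());
    setPolicyMappingInhibited(params.isPolicyMappingInhibited());
    setRevocationEnabled(params.isRevocationEnabled());
    setInitialPolicies(params.getInitialPolicies());
    setPolicyQualifiersRejected(params.getPolicyQualifiersRejected());
    setSigProvider(params.getSigProvider());
    setTargetCertConstraints(params.getTargetCertConstraints());
    try {
        setTrustAnchors(params.getTrustAnchors());
    } catch (Exception e) {
        // Not expected to happen for an already-constructed PKIXParameters; keep the cause so
        // that, if it ever does, the original stack trace is not lost.
        throw new RuntimeException(e.getMessage(), e);
    }
    if (params instanceof ExtendedPKIXParameters) {
        ExtendedPKIXParameters source = (ExtendedPKIXParameters) params;
        validityModel = source.validityModel;
        useDeltas = source.useDeltas;
        additionalLocationsEnabled = source.additionalLocationsEnabled;
        // Clone rather than alias the selector; a null selector stays null.
        selector = source.selector == null ? null : (Selector) source.selector.clone();
        stores = new ArrayList(source.stores);
        additionalStores = new ArrayList(source.additionalStores);
        trustedACIssuers = new HashSet(source.trustedACIssuers);
        prohibitedACAttributes = new HashSet(source.prohibitedACAttributes);
        necessaryACAttributes = new HashSet(source.necessaryACAttributes);
        attrCertCheckers = new HashSet(source.attrCertCheckers);
    }
}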