
Example 1 with Selector

use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.

Class CRLValidation, method validate.

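/**
 * Checks {@code certificate} against the CRLs held in {@code crls} for the current working issuer.
 *
 * Only CRLs whose issuer name equals {@code workingIssuerName} are consulted; when none is found
 * the validation fails. A certificate whose serial number appears on any matching CRL is rejected.
 * After a successful check the working issuer is advanced to the subject of {@code certificate},
 * so the next certificate in the path is checked against the CRLs it issued.
 *
 * NOTE(review): this block matches CRLs by issuer name only. It does not verify the CRL
 * signature, its thisUpdate/nextUpdate window or the revocation reason, and delta CRLs are not
 * handled (see TODO) - confirm those checks are performed elsewhere in the path validation.
 *
 * @param context     the validation context (not read by this check)
 * @param certificate the certificate whose revocation status is checked
 * @throws CertPathValidationException if no CRL for the working issuer is available, or the
 *                                     certificate is listed as revoked
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // TODO: add handling of delta CRLs
    Collection matches = crls.getMatches(new Selector() {

        public boolean match(Object obj) {
            // The store may hand back arbitrary objects; anything that is not a CRL holder
            // simply does not match instead of raising a ClassCastException.
            if (!(obj instanceof X509CRLHolder)) {
                return false;
            }
            X509CRLHolder crl = (X509CRLHolder) obj;
            return crl.getIssuer().equals(workingIssuerName);
        }

        public Object clone() {
            // The selector holds no state of its own (it reads the enclosing workingIssuerName
            // at match time), so sharing the instance is safe.
            return this;
        }
    });
    if (matches.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    for (Iterator it = matches.iterator(); it.hasNext(); ) {
        X509CRLHolder crl = (X509CRLHolder) it.next();
        // TODO: not quite right!
        if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    // Advance to the next link in the path: the subject of this certificate is the issuer of the next.
    this.workingIssuerName = certificate.getSubject();
}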

Example 2 with Selector

use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.

Class PKIXAttrCertPathBuilderSpi, method engineBuild.

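/**
 * Build and validate a CertPath using the given parameter.
 *
 * The target attribute certificate is located through the {@code X509AttributeCertStoreSelector}
 * carried as the target constraints, candidate public key certificates for its issuer are
 * collected from the configured certificate stores, and {@code build} is tried with each
 * candidate until one yields a result.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 * @return the first successfully built result; never {@code null}
 * @throws InvalidAlgorithmParameterException if {@code params} is not one of the accepted parameter
 *                                            types
 * @throws CertPathBuilderException if the target constraints are not an attribute certificate
 *                                  selector, no matching attribute certificate, no issuer
 *                                  certificate or no certificate chain could be found; the last
 *                                  validation failure, if any, is attached as the cause
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        // Test for the type that is actually cast to: the broader ExtendedPKIXParameters check
        // does not guarantee the narrower ExtendedPKIXBuilderParameters cast succeeds.
        if (params instanceof ExtendedPKIXBuilderParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else if (params instanceof PKIXExtendedBuilderParameters) {
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    } else {
        // Only reachable for an ExtendedPKIXBuilderParameters that is not a PKIXBuilderParameters;
        // report a parameter problem rather than letting a ClassCastException escape.
        throw new InvalidAlgorithmParameterException("Parameters of type " + params.getClass().getName() + " cannot be converted to " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List certPathList = new ArrayList();
    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    Collection targets;
    try {
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates; stop at the first one that builds
    Iterator targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        X509AttributeCertificate cert = (X509AttributeCertificate) targetIter.next();
        LinkedHashSet issuers = findIssuerCertificates(cert, baseParams);
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }
    if (result == null) {
        if (certPathException != null) {
            throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
        }
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}

/**
 * Collects the public key certificates whose subject matches one of the X.500 names of the
 * attribute certificate's issuer, searching both the JCA cert stores and the provider's
 * certificate stores configured in {@code baseParams}.
 *
 * Only {@code X500Principal} entries of the issuer give a usable subject criterion; other
 * principal types are skipped, so the search never runs with the subject left unset.
 *
 * @param cert       the attribute certificate whose issuer is looked up
 * @param baseParams parameters carrying the certificate stores to search
 * @return the candidate issuer certificates in discovery order; empty if nothing matched
 * @throws CertPathBuilderException if a store lookup fails or a principal cannot be encoded
 */
private static LinkedHashSet findIssuerCertificates(X509AttributeCertificate cert, PKIXExtendedParameters baseParams) throws CertPathBuilderException {
    LinkedHashSet issuers = new LinkedHashSet();
    Principal[] principals = cert.getIssuer().getPrincipals();
    for (int i = 0; i < principals.length; i++) {
        if (!(principals[i] instanceof X500Principal)) {
            continue;
        }
        try {
            X509CertStoreSelector selector = new X509CertStoreSelector();
            selector.setSubject(((X500Principal) principals[i]).getEncoded());
            PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
            CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
            CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
        } catch (AnnotatedException e) {
            throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
        } catch (IOException e) {
            throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
        }
    }
    return issuers;
}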

Example 3 with Selector

use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.

Class PKIXAttrCertPathValidatorSpi, method engineValidate.

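/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> (or <code>PKIXExtendedParameters</code>).
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that additional target information may also be needed to
 * validate this attribute certificate correctly.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute issuers with {@link
 * com.github.zhenwei.provider.x509.ExtendedPKIXParameters#setTrustedACIssuers(Set)}; those
 * issuers are read from the parameters here and handed to step 4 of the RFC 3281 checks.
 * <p>
 * NOTE(review): when <code>params</code> is passed as a <code>PKIXExtendedParameters</code>
 * rather than an <code>ExtendedPKIXParameters</code>, the attribute-certificate specific sets
 * (checkers, prohibited/necessary attributes, trusted AC issuers) remain empty - confirm that is
 * the intended contract for that parameter type.
 *
 * @param certPath The certificate path which belongs to the attribute certificate issuer public
 *                 key certificate; its first certificate is taken as the issuer certificate.
 * @param params   The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of validating the
 * <code>certPath</code>.
 * @throws InvalidAlgorithmParameterException if <code>params</code> is inappropriate for this
 *                                            validator.
 * @throws CertPathValidatorException         if the verification fails, or the path holds no
 *                                            certificates.
 */
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttributes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters) {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters) params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttributes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
            // The caller's trusted AC issuers were previously never read, so the direct-trust
            // check (step 4) always ran against an empty set.
            trustedACIssuers = extPKIX.getTrustedACIssuers();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedParameters) params;
    }
    final Date currentDate = new Date();
    final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new InvalidAlgorithmParameterException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect).getAttributeCert();
    // RFC 3281 checks, numbered after the steps in that specification.
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    if (certPath.getCertificates().isEmpty()) {
        // Report a validation failure instead of an IndexOutOfBoundsException from get(0).
        throw new CertPathValidatorException("Certificate path contains no certificates; the attribute certificate issuer certificate must be first.");
    }
    X509Certificate issuerCert = (X509Certificate) certPath.getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttributes, necessaryACAttributes);
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert, certPath.getCertificates(), helper);
    return result;
}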

Example 4 with Selector

use of com.github.zhenwei.core.util.Selector in project LinLong-Java by zhenwei1108.

Class ExtendedPKIXParameters, method setParams.

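/**
 * Method to support <code>clone()</code> under J2ME.
 * <code>super.clone()</code> does not exist and fields are not copied.
 *
 * Copies every standard {@link PKIXParameters} setting through the public setters; when
 * {@code params} is itself an <code>ExtendedPKIXParameters</code> the extended fields are copied
 * too. The collections are copied into fresh containers and the selector is cloned, so later
 * changes to {@code params} do not leak into this instance (the elements themselves are shared).
 *
 * @param params Parameters to set. If these are <code>ExtendedPKIXParameters</code> their
 *               extended fields are copied as well.
 * @throws RuntimeException if the trust anchors of {@code params} are rejected by
 *                          {@link #setTrustAnchors}; the original exception is kept as the cause.
 */
protected void setParams(PKIXParameters params) {
    setDate(params.getDate());
    setCertPathCheckers(params.getCertPathCheckers());
    setCertStores(params.getCertStores());
    setAnyPolicyInhibited(params.isAnyPolicyInhibited());
    setExplicitPolicyRequired(params.isExplicitPolicyRequired());
    setPolicyMappingInhibited(params.isPolicyMappingInhibited());
    setRevocationEnabled(params.isRevocationEnabled());
    setInitialPolicies(params.getInitialPolicies());
    setPolicyQualifiersRejected(params.getPolicyQualifiersRejected());
    setSigProvider(params.getSigProvider());
    setTargetCertConstraints(params.getTargetCertConstraints());
    try {
        setTrustAnchors(params.getTrustAnchors());
    } catch (InvalidAlgorithmParameterException e) {
        // The anchors come from an already-valid PKIXParameters, so this is not expected;
        // keep the cause so a failure here is diagnosable instead of surfacing as a bare message.
        throw new RuntimeException(e.getMessage(), e);
    }
    if (params instanceof ExtendedPKIXParameters) {
        ExtendedPKIXParameters source = (ExtendedPKIXParameters) params;
        validityModel = source.validityModel;
        useDeltas = source.useDeltas;
        additionalLocationsEnabled = source.additionalLocationsEnabled;
        // The selector may carry mutable match criteria, hence the clone rather than a shared reference.
        selector = source.selector == null ? null : (Selector) source.selector.clone();
        stores = new ArrayList(source.stores);
        additionalStores = new ArrayList(source.additionalStores);
        trustedACIssuers = new HashSet(source.trustedACIssuers);
        prohibitedACAttributes = new HashSet(source.prohibitedACAttributes);
        necessaryACAttributes = new HashSet(source.necessaryACAttributes);
        attrCertCheckers = new HashSet(source.attrCertCheckers);
    }
}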
