Example 1 with CertPathValidationException

Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108.

In class ParentCertIssuedValidation, method validate:

public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
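    // Name chaining: this certificate's issuer must equal the subject of the previous
    // certificate in the path (skipped until a working issuer name has been set)
    if (workingIssuerName != null) {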
        if (!workingIssuerName.equals(certificate.getIssuer())) {
            throw new CertPathValidationException("Certificate issue does not match parent");
        }
    }
    // Signature check: the certificate must verify under the previous certificate's public key
    if (workingPublicKey != null) {
        try {
            SubjectPublicKeyInfo validatingKeyInfo;
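            // Use the parent's key info as-is when its algorithm identifier matches the working one;
            // otherwise rebuild it with workingAlgId (e.g. to apply inherited parameters)
            if (workingPublicKey.getAlgorithm().equals(workingAlgId)) {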
                validatingKeyInfo = workingPublicKey;
            } else {
                validatingKeyInfo = new SubjectPublicKeyInfo(workingAlgId, workingPublicKey.parsePublicKey());
            }
            if (!certificate.isSignatureValid(contentVerifierProvider.build(validatingKeyInfo))) {
                throw new CertPathValidationException("Certificate signature not for public key in parent");
            }
        } catch (OperatorCreationException e) {
            throw new CertPathValidationException("Unable to create verifier: " + e.getMessage(), e);
        } catch (CertException e) {
            throw new CertPathValidationException("Unable to validate signature: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new CertPathValidationException("Unable to build public key: " + e.getMessage(), e);
        }
    }
    // This certificate becomes the parent for the next certificate in the path
    workingIssuerName = certificate.getSubject();
    workingPublicKey = certificate.getSubjectPublicKeyInfo();
    if (workingAlgId != null) {
        // check for inherited parameters
        if (workingPublicKey.getAlgorithm().getAlgorithm().equals(workingAlgId.getAlgorithm())) {
            if (!isNull(workingPublicKey.getAlgorithm().getParameters())) {
                workingAlgId = workingPublicKey.getAlgorithm();
            }
        } else {
            workingAlgId = workingPublicKey.getAlgorithm();
        }
    } else {
        workingAlgId = workingPublicKey.getAlgorithm();
    }
}
Also used : CertPathValidationException(com.github.zhenwei.pkix.cert.path.CertPathValidationException) CertException(com.github.zhenwei.pkix.cert.CertException) IOException(java.io.IOException) OperatorCreationException(com.github.zhenwei.pkix.operator.OperatorCreationException) SubjectPublicKeyInfo(com.github.zhenwei.core.asn1.x509.SubjectPublicKeyInfo)

Example 2 with CertPathValidationException

Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108.

In class CRLValidation, method validate:

public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // TODO: add handling of delta CRLs
    Collection matches = crls.getMatches(new Selector() {

        public boolean match(Object obj) {
            X509CRLHolder crl = (X509CRLHolder) obj;
            return (crl.getIssuer().equals(workingIssuerName));
        }

        public Object clone() {
            return this;
        }
    });
    if (matches.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    for (Iterator it = matches.iterator(); it.hasNext(); ) {
        X509CRLHolder crl = (X509CRLHolder) it.next();
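        // TODO: not quite right!
        // Only the serial number is looked up here; this method does not check
        // the CRL's signature or its validity period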
        if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    this.workingIssuerName = certificate.getSubject();
}
Also used : CertPathValidationException(com.github.zhenwei.pkix.cert.path.CertPathValidationException) X509CRLHolder(com.github.zhenwei.pkix.cert.X509CRLHolder) Iterator(java.util.Iterator) Collection(java.util.Collection) Selector(com.github.zhenwei.core.util.Selector)

Example 3 with CertPathValidationException

Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108.

In class BasicConstraintsValidation, method validate:

public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    context.addHandledExtension(Extension.basicConstraints);
    // verify that the issuing certificate is in fact a CA
    if (!previousCertWasCA) {
        throw new CertPathValidationException("Basic constraints violated: issuer is not a CA");
    }
    // RFC 5280 § 6.1.4 (k)
    // If this certificate is a CA, remember that for processing in the next step
    BasicConstraints bc = BasicConstraints.fromExtensions(certificate.getExtensions());
    this.previousCertWasCA = (bc != null && bc.isCA()) || (bc == null && !this.isMandatory);
    // NOTE: self-issued != self-signed. We only need to compare subject DN and issuer DN here.
    if (maxPathLength != null && !certificate.getSubject().equals(certificate.getIssuer())) {
        if (maxPathLength.intValue() < 0) {
            throw new CertPathValidationException("Basic constraints violated: path length exceeded");
        }
        maxPathLength = Integers.valueOf(maxPathLength.intValue() - 1);
    }
    // Update maxPathLength if appropriate
    if (bc != null) {
        BigInteger bigPathLen = bc.getPathLenConstraint();
        if (bigPathLen != null) {
            // use intValueExact to prevent issues with weird certificates that include ridiculous path lengths
            int newPathLength = BigIntegers.intValueExact(bigPathLen);
            maxPathLength = maxPathLength == null ? Integers.valueOf(newPathLength) : Integers.valueOf(Math.min(newPathLength, maxPathLength.intValue()));
        }
    }
}
Also used : CertPathValidationException(com.github.zhenwei.pkix.cert.path.CertPathValidationException) BigInteger(java.math.BigInteger) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)
