Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108: class ParentCertIssuedValidation, method validate. (The types used in these listings — X509CertificateHolder, X509CRLHolder, Selector, Integers, BigIntegers — appear to mirror Bouncy Castle's org.bouncycastle.cert.path validations repackaged under a different namespace; a repackaged copy does not pick up upstream security fixes automatically, so it should be tracked against the upstream releases.)
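/**
 * Checks that {@code certificate} was issued by the previously processed certificate —
 * its issuer name must equal the parent's subject and its signature must verify under the
 * parent's public key — and then records this certificate's subject, public key and key
 * algorithm as the "working" state used to check the next certificate.
 *
 * Certificates must therefore be presented issuer-first. While {@code workingIssuerName} /
 * {@code workingPublicKey} are still {@code null} (their initial values are assigned outside
 * this method) the issuer and signature checks are skipped, so the first certificate handed
 * in is taken on trust and is never itself verified here.
 *
 * Only issuance is checked: validity dates, key usage, name constraints and revocation are
 * not examined by this method.
 *
 * @param context     validation context shared across the path (not consulted here)
 * @param certificate the certificate to check against the working state
 * @throws CertPathValidationException if the issuer name does not match the parent, the
 *         signature does not verify under the parent's key, or a verifier / public key
 *         cannot be constructed
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    if (workingIssuerName != null) {
        if (!workingIssuerName.equals(certificate.getIssuer())) {
            throw new CertPathValidationException("Certificate issuer does not match parent");
        }
    }
    if (workingPublicKey != null) {
        try {
            SubjectPublicKeyInfo validatingKeyInfo;
            if (workingPublicKey.getAlgorithm().equals(workingAlgId)) {
                validatingKeyInfo = workingPublicKey;
            } else {
                // The tracked algorithm identifier differs from the one in the parent's key
                // (e.g. the parent omitted its parameters and they were inherited from further
                // up the path); rebuild the key info so the verifier sees a complete identifier.
                validatingKeyInfo = new SubjectPublicKeyInfo(workingAlgId, workingPublicKey.parsePublicKey());
            }
            if (!certificate.isSignatureValid(contentVerifierProvider.build(validatingKeyInfo))) {
                throw new CertPathValidationException("Certificate signature not for public key in parent");
            }
        } catch (OperatorCreationException e) {
            throw new CertPathValidationException("Unable to create verifier: " + e.getMessage(), e);
        } catch (CertException e) {
            throw new CertPathValidationException("Unable to validate signature: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new CertPathValidationException("Unable to build public key: " + e.getMessage(), e);
        }
    }
    // This certificate becomes the parent for the next one in the path.
    workingIssuerName = certificate.getSubject();
    workingPublicKey = certificate.getSubjectPublicKeyInfo();
    if (workingAlgId != null) {
        // check for inherited parameters: the same algorithm OID with absent/NULL parameters
        // (as judged by isNull) keeps the parent's parameters; anything else replaces the
        // tracked identifier outright.
        if (workingPublicKey.getAlgorithm().getAlgorithm().equals(workingAlgId.getAlgorithm())) {
            if (!isNull(workingPublicKey.getAlgorithm().getParameters())) {
                workingAlgId = workingPublicKey.getAlgorithm();
            }
        } else {
            workingAlgId = workingPublicKey.getAlgorithm();
        }
    } else {
        workingAlgId = workingPublicKey.getAlgorithm();
    }
}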
Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108: class CRLValidation, method validate.
/**
 * Rejects {@code certificate} if any CRL in {@code crls} issued under the issuer name
 * currently being tracked lists its serial number, then advances the tracked issuer name
 * to this certificate's subject so the next certificate in the path is checked against
 * CRLs for it.
 *
 * Limitations a caller must be aware of (none of these checks happen here):
 * - CRL signatures are not verified and the CRL issuer is not tied to any key, so every
 *   CRL in the store whose issuer name matches is trusted as-is. The store must only
 *   contain CRLs that were authenticated elsewhere.
 * - thisUpdate / nextUpdate are not consulted, so a stale CRL is accepted.
 * - Delta CRLs are not handled (TODO upstream).
 * - A revocation entry is matched on serial number alone; for indirect CRLs the entry's
 *   certificate issuer and the entry's reason code are not examined (TODO upstream).
 *
 * @param context     validation context shared across the path (not consulted here)
 * @param certificate the certificate whose revocation status is being checked
 * @throws CertPathValidationException if no CRL for the tracked issuer is present in the
 *         store, or if one of the matching CRLs lists the certificate's serial number
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    // Select every CRL whose issuer name equals the issuer currently being tracked.
    Selector issuedByWorkingIssuer = new Selector() {
        public boolean match(Object obj) {
            X509CRLHolder candidate = (X509CRLHolder) obj;
            return candidate.getIssuer().equals(workingIssuerName);
        }

        public Object clone() {
            return this;
        }
    };
    Collection matches = crls.getMatches(issuedByWorkingIssuer);
    if (matches.isEmpty()) {
        throw new CertPathValidationException("CRL for " + workingIssuerName + " not found");
    }
    // Any matching CRL that carries an entry for this serial number revokes the certificate.
    for (Object candidate : matches) {
        X509CRLHolder crl = (X509CRLHolder) candidate;
        boolean listed = crl.getRevokedCertificate(certificate.getSerialNumber()) != null;
        if (listed) {
            throw new CertPathValidationException("Certificate revoked");
        }
    }
    // From here on, CRLs are looked up for this certificate's subject.
    this.workingIssuerName = certificate.getSubject();
}
Use of com.github.zhenwei.pkix.cert.path.CertPathValidationException in project LinLong-Java by zhenwei1108: class BasicConstraintsValidation, method validate.
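/**
 * Enforces the basicConstraints rules of RFC 5280 § 6.1.4 (k)–(m) for one certificate of a
 * path that is walked issuer-first: the previous certificate must have qualified as a CA,
 * this certificate's CA status is remembered for the next step, and the remaining path
 * length is decremented (for non-self-issued certificates) and tightened by any
 * pathLenConstraint the certificate carries.
 *
 * Security note: when {@code isMandatory} is {@code false}, a certificate with no
 * basicConstraints extension at all is treated as a CA. Enable that mode only for paths
 * that must tolerate legacy certificates.
 *
 * @param context     validation context; basicConstraints is registered as a handled extension
 * @param certificate the certificate to check
 * @throws CertPathValidationException if the issuing certificate was not a CA, the path
 *         length budget has been exhausted, or the certificate's pathLenConstraint does not
 *         fit in an {@code int}
 */
public void validate(CertPathValidationContext context, X509CertificateHolder certificate) throws CertPathValidationException {
    context.addHandledExtension(Extension.basicConstraints);
    // verify that the issuing certificate is in fact a CA
    if (!previousCertWasCA) {
        throw new CertPathValidationException("Basic constraints violated: issuer is not a CA");
    }
    // RFC 5280 § 6.1.4 (k)
    // If this certificate is a CA, remember that for processing in the next step.
    // A missing extension only counts as CA in non-mandatory (legacy-tolerant) mode.
    BasicConstraints bc = BasicConstraints.fromExtensions(certificate.getExtensions());
    this.previousCertWasCA = (bc != null && bc.isCA()) || (bc == null && !this.isMandatory);
    // RFC 5280 § 6.1.4 (l): only non-self-issued certificates consume path length.
    // NOTE: self-issued != self-signed. We only need to compare subject DN and issuer DN here.
    // The "greater than zero" test of (l) is applied one certificate late (the counter is
    // allowed to reach zero here and the *next* non-self-issued certificate fails when it is
    // negative), so that the final certificate of the path, which also passes through this
    // method, is not itself subjected to it.
    if (maxPathLength != null && !certificate.getSubject().equals(certificate.getIssuer())) {
        if (maxPathLength.intValue() < 0) {
            throw new CertPathValidationException("Basic constraints violated: path length exceeded");
        }
        maxPathLength = Integers.valueOf(maxPathLength.intValue() - 1);
    }
    // RFC 5280 § 6.1.4 (m): tighten maxPathLength if the certificate carries a pathLenConstraint
    if (bc != null) {
        BigInteger bigPathLen = bc.getPathLenConstraint();
        if (bigPathLen != null) {
            int newPathLength;
            try {
                // use intValueExact to prevent issues with weird certificates that include ridiculous path lengths
                newPathLength = BigIntegers.intValueExact(bigPathLen);
            } catch (ArithmeticException e) {
                // Report a malformed (out-of-int-range) constraint as a validation failure instead
                // of letting an unchecked exception escape past callers' CertPathValidationException handling.
                throw new CertPathValidationException("Basic constraints violated: path length constraint out of range: " + e.getMessage(), e);
            }
            maxPathLength = maxPathLength == null ? Integers.valueOf(newPathLength) : Integers.valueOf(Math.min(newPathLength, maxPathLength.intValue()));
        }
    }
}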