use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.
the class RFC3280CertPathUtilities method processCRLF.
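/**
 * Obtain and validate the certification path for the complete CRL issuer. If a key usage
 * extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
 * <p>
 * Candidate CRL signers are collected from the certificate stores of <code>paramsPKIX</code>
 * (subject equal to the CRL issuer) plus <code>defaultCRLSignCert</code>. For every candidate
 * other than <code>defaultCRLSignCert</code> a certification path is built first; revocation
 * checking is switched off for candidates that already sit on the path under validation, which
 * would otherwise create a dependency loop.
 *
 * @param crl CRL which contains revocation information for the certificate
 * <code>cert</code>.
 * @param cert The attribute certificate or certificate to check if it is revoked (not consulted
 * by this method; kept for interface compatibility).
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey The public key of the issuer certificate
 * <code>defaultCRLSignCert</code>.
 * @param paramsPKIX PKIX parameters.
 * @param certPathCerts The certificates on the certification path.
 * @param helper JCA/JCE helper handed to
 * {@link CertPathValidatorUtilities#getNextWorkingKey} to extract a signer's working key.
 * @return A <code>Set</code> with all keys of possible CRL issuer certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or some
 * error occurs.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert,
    PublicKey defaultCRLSignKey, PKIXExtendedParameters paramsPKIX, List certPathCerts,
    JcaJceHelper helper) throws AnnotatedException {
    // (f)
    // get issuer from CRL
    X509CertSelector certSelector = new X509CertSelector();
    try {
        byte[] issuerPrincipal = PrincipalUtils.getIssuerPrincipal(crl).getEncoded();
        certSelector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }
    PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build();

    // get CRL signing certs
    LinkedHashSet coll = new LinkedHashSet();
    try {
        CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertificateStores());
        CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertStores());
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);

    Iterator cert_it = coll.iterator();
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    while (cert_it.hasNext()) {
        X509Certificate signingCert = (X509Certificate) cert_it.next();

        /*
         * CA of the certificate, for which this CRL is checked, has also
         * signed CRL, so skip the path validation, because is already done
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilderSpi builder = (revChkClass != null) ? new PKIXCertPathBuilderSpi_8(true) : new PKIXCertPathBuilderSpi(true);
            X509CertSelector tmpCertSelector = new X509CertSelector();
            tmpCertSelector.setCertificate(signingCert);

            PKIXExtendedParameters.Builder paramsBuilder = new PKIXExtendedParameters.Builder(paramsPKIX)
                .setTargetConstraints(new PKIXCertStoreSelector.Builder(tmpCertSelector).build());

            /*
             * if signingCert is placed not higher on the cert path a
             * dependency loop results. CRL for cert is checked, but
             * signingCert is needed for checking the CRL which is dependent
             * on checking cert because it is higher in the cert path and so
             * signing signingCert transitively. so, revocation is disabled,
             * forgery attacks of the CRL are detected in this outer loop
             * for all other it must be enabled to prevent forgery attacks
             */
            if (certPathCerts.contains(signingCert)) {
                paramsBuilder.setRevocationEnabled(false);
            } else {
                paramsBuilder.setRevocationEnabled(true);
            }

            PKIXExtendedBuilderParameters extParams = new PKIXExtendedBuilderParameters.Builder(paramsBuilder.build()).build();
            List certs = builder.engineBuild(extParams).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0, helper));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("CertPath for CRL signer failed to validate.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // keep the original exception attached so the failure stays diagnosable
            throw new AnnotatedException(e.getMessage(), e);
        }
    }

    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyUsage = signCert.getKeyUsage();
        // A signer without a KeyUsage extension is accepted; one that carries the extension
        // must have the cRLSign bit set (and the array must be long enough to contain it).
        if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])) {
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }
    if (checkKeys.isEmpty() && lastException == null) {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null) {
        // every candidate was rejected by its key usage; report the last such rejection
        throw lastException;
    }
    return checkKeys;
}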
use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.
the class RFC3281CertPathUtilities method processAttrCert1.
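/**
 * Searches for a holder public key certificate and verifies its certification path.
 * <p>
 * Candidate holder certificates are looked up through the base certificate ID (issuer and
 * serial number) and through the holder entity names, whichever is present. A "PKIX"
 * certification path is then built for each candidate with the builder of
 * {@link WeGooProvider#PROVIDER_NAME}; the path of the last candidate is returned.
 *
 * @param attrCert the attribute certificate.
 * @param pkixParams The PKIX parameters.
 * @return The certificate path of the holder certificate.
 * @throws CertPathValidatorException if
 * <ul>
 * <li>no public key certificate can be found although holder
 * information is given by an entity name or a base certificate
 * ID
 * <li>the holder carries neither a base certificate ID nor an entity name, so no
 * public key certificate can be located at all
 * <li>support classes cannot be created
 * <li>no certification path for the public key certificate can
 * be built
 * </ul>
 */
protected static CertPath processAttrCert1(X509AttributeCertificate attrCert, PKIXExtendedParameters pkixParams) throws CertPathValidatorException {
    CertPathBuilderResult result = null;
    // find holder PKCs
    LinkedHashSet holderPKCs = new LinkedHashSet();
    if (attrCert.getHolder().getIssuer() != null) {
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
        Principal[] principals = attrCert.getHolder().getIssuer();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
        }
    }
    if (attrCert.getHolder().getEntityNames() != null) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = attrCert.getHolder().getEntityNames();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    // NOTE(review): the holder entity name is applied as an issuer criterion,
                    // mirroring the base-certificate-ID branch above; confirm that matching on
                    // the certificate subject was not intended here.
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
        }
    }

    // verify cert paths for PKCs
    PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(pkixParams);
    CertPathValidatorException lastException = null;
    for (Iterator it = holderPKCs.iterator(); it.hasNext(); ) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        selector.setCertificate((X509Certificate) it.next());
        paramsBldr.setTargetConstraints(new PKIXCertStoreSelector.Builder(selector).build());

        CertPathBuilder builder = null;
        try {
            builder = CertPathBuilder.getInstance("PKIX", WeGooProvider.PROVIDER_NAME);
        } catch (NoSuchProviderException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        }
        try {
            result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
        } catch (CertPathBuilderException e) {
            // Remembered rather than thrown so the remaining candidates are still tried. Note
            // that a failure for any candidate rejects the whole call below, even when an
            // earlier candidate produced a result.
            lastException = new ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
        } catch (InvalidAlgorithmParameterException e) {
            // must be a programming error; keep the cause attached
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    if (lastException != null) {
        throw lastException;
    }
    if (result == null) {
        // Reached when the holder carried neither a base certificate ID nor an entity name:
        // nothing was searched for, so there is no path to return. Fail explicitly instead of
        // dereferencing a null result.
        throw new CertPathValidatorException("Attribute certificate holder specifies neither a base certificate ID nor an entity name; no public key certificate could be located.");
    }
    return result.getCertPath();
}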
use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.
the class RFC3281CertPathUtilities method checkCRLs.
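/**
 * Checks if an attribute certificate is revoked.
 * <p>
 * Nothing is done unless revocation checking is enabled in <code>paramsPKIX</code>. When the
 * certificate carries the noRevAvail extension it must not also carry a CRL distribution point
 * or authority information access extension. Otherwise every distribution point of the
 * cRLDistributionPoints extension is consulted, followed by an implicit distribution point named
 * after the certificate issuer, until the certificate is found revoked or all reasons are
 * covered.
 *
 * @param attrCert Attribute certificate to check if it is revoked.
 * @param paramsPKIX PKIX parameters.
 * @param currentDate The current date, passed through to <code>checkCRL</code>.
 * @param validityDate The date when the certificate revocation status should be checked.
 * @param issuerCert The issuer certificate of the attribute certificate
 * <code>attrCert</code>.
 * @param certPathCerts The certificates of the certification path to be checked.
 * @param helper JCA/JCE helper used when resolving CRL stores and CRL signers.
 * @throws CertPathValidatorException if the certificate is revoked or the status cannot be
 * checked or some error occurs.
 */
protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX,
    Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts,
    JcaJceHelper helper) throws CertPathValidatorException {
    if (!paramsPKIX.isRevocationEnabled()) {
        return;
    }

    // check if revocation is available
    if (attrCert.getExtensionValue(NO_REV_AVAIL) != null) {
        // noRevAvail asserts that no revocation information exists; a revocation pointer next
        // to it is contradictory
        if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) {
            throw new CertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
        }
        return;
    }

    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS));
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException("CRL distribution point extension could not be read.", e);
    }

    List crlStores = new ArrayList();
    try {
        crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validityDate, helper));
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }

    // register every store found via the distribution points; each element (not the list
    // itself) is a PKIXCRLStore, and the iterator must be advanced on every pass
    PKIXExtendedParameters.Builder bldr = new PKIXExtendedParameters.Builder(paramsPKIX);
    for (Iterator it = crlStores.iterator(); it.hasNext(); ) {
        bldr.addCRLStore((PKIXCRLStore) it.next());
    }
    paramsPKIX = bldr.build();

    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    AnnotatedException lastException = null;
    boolean validCrlFound = false;

    // for each distribution point
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new ExtCertPathValidatorException("Distribution points could not be read.", e);
        }
        try {
            // stop as soon as the certificate is known to be revoked or all reasons are covered
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                validCrlFound = true;
            }
        } catch (AnnotatedException e) {
            lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
        }
    }

    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
             * assume a DP with both the reasons and the cRLIssuer
             * fields omitted and a distribution point name of the
             * certificate issuer.
             */
            X500Name issuer;
            try {
                issuer = PrincipalUtils.getEncodedIssuerPrincipal(attrCert);
            } catch (Exception e) {
                throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
            checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
        }
    }

    if (!validCrlFound) {
        throw new ExtCertPathValidatorException("No valid CRL found.", lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        String message = "Attribute certificate revocation after " + certStatus.getRevocationDate();
        message += ", reason: " + RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()];
        throw new CertPathValidatorException(message);
    }
    // a CRL was found but it did not cover every reason code: the status is not decidable
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new CertPathValidatorException("Attribute certificate status could not be determined.");
    }
}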
use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathBuilderSpi method engineBuild.
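/**
 * Build and validate a CertPath using the given parameter.
 * <p>
 * The target constraints of the base parameters must be an
 * {@link X509AttributeCertStoreSelector}; every matching attribute certificate is tried in turn,
 * and for each one every issuer public key certificate found in the certificate stores is handed
 * to <code>build</code> until a result is produced.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 * @return the first successfully built and validated path
 * @throws InvalidAlgorithmParameterException if <code>params</code> is none of the supported
 * parameter types
 * @throws CertPathBuilderException if the target constraints have the wrong type, no target
 * attribute certificate or issuer certificate can be found, or no candidate chain validates
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }

    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        // Test the type that is actually cast to, so an ExtendedPKIXParameters object that is
        // not an ExtendedPKIXBuilderParameters cannot raise a ClassCastException here.
        if (params instanceof ExtendedPKIXBuilderParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        // NOTE(review): this assumes every accepted parameter object that is not a
        // PKIXBuilderParameters is a PKIXExtendedBuilderParameters. If
        // ExtendedPKIXBuilderParameters does not extend PKIXBuilderParameters in this project,
        // such an object ends up in this cast and fails — verify the class hierarchy.
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    }

    Collection targets;
    Iterator targetIter;
    List certPathList = new ArrayList();
    X509AttributeCertificate cert;

    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    try {
        // targetStores is only populated from ExtendedPKIXBuilderParameters above; for other
        // parameter types it is empty — presumably findCertificates consults further stores
        // itself, verify against its implementation.
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }

    CertPathBuilderResult result = null;
    // check all potential target certificates
    targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        cert = (X509AttributeCertificate) targetIter.next();
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = cert.getIssuer().getPrincipals();
        LinkedHashSet issuers = new LinkedHashSet();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setSubject(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
            }
        }
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }

    // certPathException is an instance field that build() sets when a candidate chain fails
    if (result == null && certPathException != null) {
        throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}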
use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.
the class PKIXAttrCertPathBuilderSpi method build.
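/**
 * Recursively extends <code>tbvPath</code> with <code>tbvCert</code> and tries to complete and
 * validate a certification path for <code>attrCert</code>.
 * <p>
 * If the issuer of <code>tbvCert</code> is a trust anchor, the accumulated path is turned into
 * a <code>CertPath</code> and validated with the "RFC3281" validator of
 * {@link WeGooProvider#PROVIDER_NAME}. Otherwise every issuer certificate found in the
 * certificate stores (plus the stores referenced by the issuer alternative name extension) is
 * tried in turn. <code>tbvCert</code> is removed from <code>tbvPath</code> again when no result
 * was produced, so the list always mirrors the path currently under construction.
 *
 * @param attrCert the attribute certificate the path is built for
 * @param tbvCert the certificate to be verified next
 * @param pkixParams builder parameters (excluded certificates, maximum path length, base
 * parameters)
 * @param tbvPath the certificates already on the path; mutated by this method
 * @return the builder result, or <code>null</code> if no valid path could be found through
 * <code>tbvCert</code>; <code>certPathException</code> records the most recent failure that was
 * raised as an <code>AnnotatedException</code>
 */
private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert, PKIXExtendedBuilderParameters pkixParams, List tbvPath) {
    // If tbvCert is already on the path we are walking a cycle in the PKI graph.
    if (tbvPath.contains(tbvCert)) {
        return null;
    }
    // Certificates the caller excluded never become part of a chain.
    if (pkixParams.getExcludedCerts().contains(tbvCert)) {
        return null;
    }
    // test if certificate path exceeds maximum length (-1 disables the check)
    if (pkixParams.getMaxPathLength() != -1) {
        if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) {
            return null;
        }
    }
    tbvPath.add(tbvCert);

    CertificateFactory cFact;
    CertPathValidator validator;
    CertPathBuilderResult builderResult = null;
    try {
        cFact = CertificateFactory.getInstance("X.509", WeGooProvider.PROVIDER_NAME);
        validator = CertPathValidator.getInstance("RFC3281", WeGooProvider.PROVIDER_NAME);
    } catch (Exception e) {
        // cannot happen with the provider installed; keep the cause in case it does
        throw new RuntimeException("Exception creating support classes.", e);
    }

    try {
        // check whether the issuer of <tbvCert> is a TrustAnchor
        PKIXExtendedParameters baseParams = pkixParams.getBaseParameters();
        if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, baseParams.getTrustAnchors(), baseParams.getSigProvider())) {
            CertPath certPath;
            try {
                certPath = cFact.generateCertPath(tbvPath);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be constructed from certificate list.", e);
            }
            PKIXCertPathValidatorResult result;
            try {
                result = (PKIXCertPathValidatorResult) validator.validate(certPath, pkixParams);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be validated.", e);
            }
            // tbvCert deliberately stays on tbvPath: the returned path is built from it
            return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), result.getPublicKey());
        } else {
            List stores = new ArrayList();
            stores.addAll(baseParams.getCertificateStores());

            // add additional X.509 stores from locations in certificate
            try {
                stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), baseParams.getNamedCertificateStoreMap()));
            } catch (CertificateParsingException e) {
                throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.", e);
            }

            Collection issuers = new HashSet();
            // of the stores
            try {
                issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, baseParams.getCertStores(), stores));
            } catch (AnnotatedException e) {
                throw new AnnotatedException("Cannot find issuer certificate for certificate in certification path.", e);
            }
            if (issuers.isEmpty()) {
                throw new AnnotatedException("No issuer certificate for certificate in certification path found.");
            }

            Iterator it = issuers.iterator();
            while (it.hasNext() && builderResult == null) {
                X509Certificate issuer = (X509Certificate) it.next();
                // if untrusted self signed certificate continue
                if (issuer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    continue;
                }
                builderResult = build(attrCert, issuer, pkixParams, tbvPath);
            }
        }
    } catch (AnnotatedException e) {
        certPathException = new AnnotatedException("No valid certification path could be build.", e);
    }

    if (builderResult == null) {
        // backtrack: this certificate did not lead to a valid path
        tbvPath.remove(tbvCert);
    }
    return builderResult;
}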