Search in sources :

Example 1 with PKIXExtendedParameters

use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLF.

/**
 * Obtain and validate the certification path for the complete CRL issuer. If a key usage
 * extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
 *
 * @param crl                CRL which contains revocation information for the certificate
 *                           <code>cert</code>.
 * @param cert               The attribute certificate or certificate to check if it is revoked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param paramsPKIX         paramsPKIX PKIX parameters.
 * @param certPathCerts      The certificates on the certification path.
 * @return A <code>Set</code> with all keys of possible CRL issuer certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or some
 *                            error occurs.
 */
protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, PKIXExtendedParameters paramsPKIX, List certPathCerts, JcaJceHelper helper) throws AnnotatedException {
    // (f)
    // get issuer from CRL
    X509CertSelector certSelector = new X509CertSelector();
    try {
        byte[] issuerPrincipal = PrincipalUtils.getIssuerPrincipal(crl).getEncoded();
        certSelector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }
    PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build();
    // get CRL signing certs
    LinkedHashSet coll = new LinkedHashSet();
    try {
        CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertificateStores());
        CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertStores());
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);
    Iterator cert_it = coll.iterator();
    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    while (cert_it.hasNext()) {
        X509Certificate signingCert = (X509Certificate) cert_it.next();
        /*
       * CA of the certificate, for which this CRL is checked, has also
       * signed CRL, so skip the path validation, because is already done
       */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }
        try {
            CertPathBuilderSpi builder = (revChkClass != null) ? new PKIXCertPathBuilderSpi_8(true) : new PKIXCertPathBuilderSpi(true);
            X509CertSelector tmpCertSelector = new X509CertSelector();
            tmpCertSelector.setCertificate(signingCert);
            PKIXExtendedParameters.Builder paramsBuilder = new PKIXExtendedParameters.Builder(paramsPKIX).setTargetConstraints(new PKIXCertStoreSelector.Builder(tmpCertSelector).build());
            /*
         * if signingCert is placed not higher on the cert path a
         * dependency loop results. CRL for cert is checked, but
         * signingCert is needed for checking the CRL which is dependent
         * on checking cert because it is higher in the cert path and so
         * signing signingCert transitively. so, revocation is disabled,
         * forgery attacks of the CRL are detected in this outer loop
         * for all other it must be enabled to prevent forgery attacks
         */
            if (certPathCerts.contains(signingCert)) {
                paramsBuilder.setRevocationEnabled(false);
            } else {
                paramsBuilder.setRevocationEnabled(true);
            }
            PKIXExtendedBuilderParameters extParams = new PKIXExtendedBuilderParameters.Builder(paramsBuilder.build()).build();
            List certs = builder.engineBuild(extParams).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0, helper));
        } catch (CertPathBuilderException e) {
            throw new AnnotatedException("CertPath for CRL signer failed to validate.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            throw new AnnotatedException(e.getMessage());
        }
    }
    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate) validCerts.get(i);
        boolean[] keyUsage = signCert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])) {
            lastException = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }
    if (checkKeys.isEmpty() && lastException == null) {
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    if (checkKeys.isEmpty() && lastException != null) {
        throw lastException;
    }
    return checkKeys;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) Set(java.util.Set) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) ArrayList(java.util.ArrayList) X509CertSelector(java.security.cert.X509CertSelector) PKIXExtendedBuilderParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) CertPathBuilderSpi(java.security.cert.CertPathBuilderSpi) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters)

Example 2 with PKIXExtendedParameters

use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.

the class RFC3281CertPathUtilities method processAttrCert1.

/**
 * Searches for a holder public key certificate and verifies its certification path.
 *
 * @param attrCert   the attribute certificate.
 * @param pkixParams The PKIX parameters.
 * @return The certificate path of the holder certificate.
 * @throws AnnotatedException if
 *                            <ul>
 *                            <li>no public key certificate can be found although holder
 *                            information is given by an entity name or a base certificate
 *                            ID
 *                            <li>support classes cannot be created
 *                            <li>no certification path for the public key certificate can
 *                            be built
 *                            </ul>
 */
protected static CertPath processAttrCert1(X509AttributeCertificate attrCert, PKIXExtendedParameters pkixParams) throws CertPathValidatorException {
    CertPathBuilderResult result = null;
    // find holder PKCs
    LinkedHashSet holderPKCs = new LinkedHashSet();
    if (attrCert.getHolder().getIssuer() != null) {
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
        Principal[] principals = attrCert.getHolder().getIssuer();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
        }
    }
    if (attrCert.getHolder().getEntityNames() != null) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = attrCert.getHolder().getEntityNames();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setIssuer(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
            }
        }
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
        }
    }
    // verify cert paths for PKCs
    PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(pkixParams);
    CertPathValidatorException lastException = null;
    for (Iterator it = holderPKCs.iterator(); it.hasNext(); ) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        selector.setCertificate((X509Certificate) it.next());
        paramsBldr.setTargetConstraints(new PKIXCertStoreSelector.Builder(selector).build());
        CertPathBuilder builder = null;
        try {
            builder = CertPathBuilder.getInstance("PKIX", WeGooProvider.PROVIDER_NAME);
        } catch (NoSuchProviderException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        }
        try {
            result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
        } catch (CertPathBuilderException e) {
            lastException = new ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
        } catch (InvalidAlgorithmParameterException e) {
            // must be a programming error
            throw new RuntimeException(e.getMessage());
        }
    }
    if (lastException != null) {
        throw lastException;
    }
    return result.getCertPath();
}
Also used : LinkedHashSet(java.util.LinkedHashSet) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) X509CertSelector(java.security.cert.X509CertSelector) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) PKIXExtendedBuilderParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) Iterator(java.util.Iterator) CertPathBuilder(java.security.cert.CertPathBuilder) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) X509CertStoreSelector(com.github.zhenwei.provider.x509.X509CertStoreSelector) IOException(java.io.IOException) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) X500Principal(javax.security.auth.x500.X500Principal) NoSuchProviderException(java.security.NoSuchProviderException) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal)

Example 3 with PKIXExtendedParameters

use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.

the class RFC3281CertPathUtilities method checkCRLs.

/**
 * Checks if an attribute certificate is revoked.
 *
 * @param attrCert      Attribute certificate to check if it is revoked.
 * @param paramsPKIX    PKIX parameters.
 * @param validityDate  The date when the certificate revocation status should be checked.
 * @param issuerCert    The issuer certificate of the attribute certificate
 *                      <code>attrCert</code>.
 * @param certPathCerts The certificates of the certification path to be checked.
 * @throws CertPathValidatorException if the certificate is revoked or the status cannot be
 *                                    checked or some error occurs.
 */
protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts, JcaJceHelper helper) throws CertPathValidatorException {
    if (paramsPKIX.isRevocationEnabled()) {
        // check if revocation is available
        if (attrCert.getExtensionValue(NO_REV_AVAIL) == null) {
            CRLDistPoint crldp = null;
            try {
                crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS));
            } catch (AnnotatedException e) {
                throw new CertPathValidatorException("CRL distribution point extension could not be read.", e);
            }
            List crlStores = new ArrayList();
            try {
                crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validityDate, helper));
            } catch (AnnotatedException e) {
                throw new CertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
            }
            PKIXExtendedParameters.Builder bldr = new PKIXExtendedParameters.Builder(paramsPKIX);
            for (Iterator it = crlStores.iterator(); it.hasNext(); ) {
                bldr.addCRLStore((PKIXCRLStore) crlStores);
            }
            paramsPKIX = bldr.build();
            CertStatus certStatus = new CertStatus();
            ReasonsMask reasonsMask = new ReasonsMask();
            AnnotatedException lastException = null;
            boolean validCrlFound = false;
            // for each distribution point
            if (crldp != null) {
                DistributionPoint[] dps = null;
                try {
                    dps = crldp.getDistributionPoints();
                } catch (Exception e) {
                    throw new ExtCertPathValidatorException("Distribution points could not be read.", e);
                }
                try {
                    for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                        PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                        checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                        validCrlFound = true;
                    }
                } catch (AnnotatedException e) {
                    lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
                }
            }
            if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
                try {
                    /*
             * assume a DP with both the reasons and the cRLIssuer
             * fields omitted and a distribution point name of the
             * certificate issuer.
             */
                    X500Name issuer;
                    try {
                        issuer = PrincipalUtils.getEncodedIssuerPrincipal(attrCert);
                    } catch (Exception e) {
                        throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
                    }
                    DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
                    PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                    checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                    validCrlFound = true;
                } catch (AnnotatedException e) {
                    lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
                }
            }
            if (!validCrlFound) {
                throw new ExtCertPathValidatorException("No valid CRL found.", lastException);
            }
            if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
                String message = "Attribute certificate revocation after " + certStatus.getRevocationDate();
                message += ", reason: " + RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()];
                throw new CertPathValidatorException(message);
            }
            if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
                certStatus.setCertStatus(CertStatus.UNDETERMINED);
            }
            if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
                throw new CertPathValidatorException("Attribute certificate status could not be determined.");
            }
        } else {
            if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) {
                throw new CertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
            }
        }
    }
}
Also used : CertPathBuilder(java.security.cert.CertPathBuilder) ArrayList(java.util.ArrayList) DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName) X500Name(com.github.zhenwei.core.asn1.x500.X500Name) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) CertPathBuilderException(java.security.cert.CertPathBuilderException) CertPathValidatorException(java.security.cert.CertPathValidatorException) IOException(java.io.IOException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) NoSuchProviderException(java.security.NoSuchProviderException) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) GeneralNames(com.github.zhenwei.core.asn1.x509.GeneralNames) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint)

Example 4 with PKIXExtendedParameters

use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.

the class PKIXAttrCertPathBuilderSpi method engineBuild.

/**
 * Build and validate a CertPath using the given parameter.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters) && !(params instanceof PKIXExtendedBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    List targetStores = new ArrayList();
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedBuilderParameters.Builder paramsPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            paramsPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
            targetStores = extPKIX.getStores();
        }
        paramsPKIX = paramsPKIXBldr.build();
    } else {
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    }
    Collection targets;
    Iterator targetIter;
    List certPathList = new ArrayList();
    X509AttributeCertificate cert;
    // search target certificates
    PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
    Selector certSelect = baseParams.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    try {
        targets = findCertificates((X509AttributeCertStoreSelector) certSelect, targetStores);
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No attribute certificate found matching targetConstraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates
    targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        cert = (X509AttributeCertificate) targetIter.next();
        X509CertStoreSelector selector = new X509CertStoreSelector();
        Principal[] principals = cert.getIssuer().getPrincipals();
        LinkedHashSet issuers = new LinkedHashSet();
        for (int i = 0; i < principals.length; i++) {
            try {
                if (principals[i] instanceof X500Principal) {
                    selector.setSubject(((X500Principal) principals[i]).getEncoded());
                }
                PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
                CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
            } catch (AnnotatedException e) {
                throw new ExtCertPathBuilderException("Public key certificate for attribute certificate cannot be searched.", e);
            } catch (IOException e) {
                throw new ExtCertPathBuilderException("cannot encode X500Principal.", e);
            }
        }
        if (issuers.isEmpty()) {
            throw new CertPathBuilderException("Public key certificate for attribute certificate cannot be found.");
        }
        Iterator it = issuers.iterator();
        while (it.hasNext() && result == null) {
            result = build(cert, (X509Certificate) it.next(), paramsPKIX, certPathList);
        }
    }
    if (result == null && certPathException != null) {
        throw new ExtCertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) ExtendedPKIXBuilderParameters(com.github.zhenwei.provider.x509.ExtendedPKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) X509AttributeCertificate(com.github.zhenwei.provider.x509.X509AttributeCertificate) PKIXExtendedBuilderParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) ExtCertPathBuilderException(com.github.zhenwei.provider.jce.exception.ExtCertPathBuilderException) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) Selector(com.github.zhenwei.core.util.Selector) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) X509CertStoreSelector(com.github.zhenwei.provider.x509.X509CertStoreSelector) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) ExtendedPKIXBuilderParameters(com.github.zhenwei.provider.x509.ExtendedPKIXBuilderParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertStoreSelector(com.github.zhenwei.provider.x509.X509CertStoreSelector) X509AttributeCertStoreSelector(com.github.zhenwei.provider.x509.X509AttributeCertStoreSelector) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) PKIXCertStoreSelector(com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) ExtendedPKIXParameters(com.github.zhenwei.provider.x509.ExtendedPKIXParameters) ExtCertPathBuilderException(com.github.zhenwei.provider.jce.exception.ExtCertPathBuilderException) Collection(java.util.Collection) X500Principal(javax.security.auth.x500.X500Principal) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal)

Example 5 with PKIXExtendedParameters

use of com.github.zhenwei.provider.jcajce.PKIXExtendedParameters in project LinLong-Java by zhenwei1108.

the class PKIXAttrCertPathBuilderSpi method build.

private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert, PKIXExtendedBuilderParameters pkixParams, List tbvPath) {
    // PKI graph.
    if (tbvPath.contains(tbvCert)) {
        return null;
    }
    // chain
    if (pkixParams.getExcludedCerts().contains(tbvCert)) {
        return null;
    }
    // test if certificate path exceeds maximum length
    if (pkixParams.getMaxPathLength() != -1) {
        if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) {
            return null;
        }
    }
    tbvPath.add(tbvCert);
    CertificateFactory cFact;
    CertPathValidator validator;
    CertPathBuilderResult builderResult = null;
    try {
        cFact = CertificateFactory.getInstance("X.509", WeGooProvider.PROVIDER_NAME);
        validator = CertPathValidator.getInstance("RFC3281", WeGooProvider.PROVIDER_NAME);
    } catch (Exception e) {
        // cannot happen
        throw new RuntimeException("Exception creating support classes.");
    }
    try {
        // check whether the issuer of <tbvCert> is a TrustAnchor
        PKIXExtendedParameters baseParams = pkixParams.getBaseParameters();
        if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, baseParams.getTrustAnchors(), baseParams.getSigProvider())) {
            CertPath certPath;
            try {
                certPath = cFact.generateCertPath(tbvPath);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be constructed from certificate list.", e);
            }
            PKIXCertPathValidatorResult result;
            try {
                result = (PKIXCertPathValidatorResult) validator.validate(certPath, pkixParams);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be validated.", e);
            }
            return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), result.getPublicKey());
        } else {
            List stores = new ArrayList();
            stores.addAll(baseParams.getCertificateStores());
            // add additional X.509 stores from locations in certificate
            try {
                stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), baseParams.getNamedCertificateStoreMap()));
            } catch (CertificateParsingException e) {
                throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.", e);
            }
            Collection issuers = new HashSet();
            // of the stores
            try {
                issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, baseParams.getCertStores(), stores));
            } catch (AnnotatedException e) {
                throw new AnnotatedException("Cannot find issuer certificate for certificate in certification path.", e);
            }
            if (issuers.isEmpty()) {
                throw new AnnotatedException("No issuer certificate for certificate in certification path found.");
            }
            Iterator it = issuers.iterator();
            while (it.hasNext() && builderResult == null) {
                X509Certificate issuer = (X509Certificate) it.next();
                // if untrusted self signed certificate continue
                if (issuer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    continue;
                }
                builderResult = build(attrCert, issuer, pkixParams, tbvPath);
            }
        }
    } catch (AnnotatedException e) {
        certPathException = new AnnotatedException("No valid certification path could be build.", e);
    }
    if (builderResult == null) {
        tbvPath.remove(tbvCert);
    }
    return builderResult;
}
Also used : CertificateParsingException(java.security.cert.CertificateParsingException) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) CertificateFactory(java.security.cert.CertificateFactory) CertificateParsingException(java.security.cert.CertificateParsingException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) ExtCertPathBuilderException(com.github.zhenwei.provider.jce.exception.ExtCertPathBuilderException) StoreException(com.github.zhenwei.core.util.StoreException) X509Certificate(java.security.cert.X509Certificate) CertPathValidator(java.security.cert.CertPathValidator) PKIXExtendedParameters(com.github.zhenwei.provider.jcajce.PKIXExtendedParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) Iterator(java.util.Iterator) Collection(java.util.Collection) ArrayList(java.util.ArrayList) List(java.util.List) CertPath(java.security.cert.CertPath) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Aggregations

PKIXExtendedParameters (com.github.zhenwei.provider.jcajce.PKIXExtendedParameters)13 Iterator (java.util.Iterator)11 ArrayList (java.util.ArrayList)10 CertPathValidatorException (java.security.cert.CertPathValidatorException)9 X509Certificate (java.security.cert.X509Certificate)9 List (java.util.List)9 CertPathBuilderException (java.security.cert.CertPathBuilderException)8 CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)7 DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)7 IOException (java.io.IOException)7 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)7 PKIXExtendedBuilderParameters (com.github.zhenwei.provider.jcajce.PKIXExtendedBuilderParameters)6 ExtCertPathValidatorException (com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException)6 HashSet (java.util.HashSet)6 LinkedHashSet (java.util.LinkedHashSet)6 PKIXCertStoreSelector (com.github.zhenwei.provider.jcajce.PKIXCertStoreSelector)5 Date (java.util.Date)5 Set (java.util.Set)5 X500Name (com.github.zhenwei.core.asn1.x500.X500Name)4 ExtendedPKIXParameters (com.github.zhenwei.provider.x509.ExtendedPKIXParameters)4