
Example 11 with ExtCertPathValidatorException

use of com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException in project LinLong-Java by zhenwei1108.

the class RFC3281CertPathUtilities method processAttrCert1.

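/**
 * Searches for a holder public key certificate and verifies its certification path.
 * <p>
 * The holder is looked up by base certificate ID (issuer name + serial number) and/or by
 * entity name. Every holder certificate found must have a buildable PKIX path, otherwise
 * the whole step fails; the path of the last holder certificate built is returned.
 *
 * @param attrCert   the attribute certificate.
 * @param pkixParams The PKIX parameters.
 * @return The certificate path of the holder certificate.
 * @throws CertPathValidatorException if
 *                            <ul>
 *                            <li>no public key certificate can be found although holder
 *                            information is given by an entity name or a base certificate
 *                            ID, or the holder carries neither of them
 *                            <li>support classes cannot be created
 *                            <li>no certification path for the public key certificate can
 *                            be built
 *                            </ul>
 */
protected static CertPath processAttrCert1(X509AttributeCertificate attrCert, PKIXExtendedParameters pkixParams) throws CertPathValidatorException {
    // find holder PKCs; insertion order is kept so the path returned is deterministic
    LinkedHashSet<X509Certificate> holderPKCs = new LinkedHashSet<X509Certificate>();
    if (attrCert.getHolder().getIssuer() != null) {
        // baseCertificateID: match on issuer name and serial number
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
        collectHolderCertificates(selector, attrCert.getHolder().getIssuer(), holderPKCs, pkixParams);
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
        }
    }
    if (attrCert.getHolder().getEntityNames() != null) {
        // NOTE(review): the entity name is matched against the candidate certificate's
        // *issuer* field, as in the code this is derived from; RFC 5755 describes
        // entityName as naming the holder itself (the subject) — confirm before changing.
        X509CertStoreSelector selector = new X509CertStoreSelector();
        collectHolderCertificates(selector, attrCert.getHolder().getEntityNames(), holderPKCs, pkixParams);
        if (holderPKCs.isEmpty()) {
            throw new CertPathValidatorException("Public key certificate specified in entity name for attribute certificate cannot be found.");
        }
    }
    // verify cert paths for PKCs
    PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(pkixParams);
    CertPathBuilderResult result = null;
    CertPathValidatorException lastException = null;
    for (X509Certificate holderCert : holderPKCs) {
        X509CertStoreSelector selector = new X509CertStoreSelector();
        selector.setCertificate(holderCert);
        paramsBldr.setTargetConstraints(new PKIXCertStoreSelector.Builder(selector).build());
        CertPathBuilder builder;
        try {
            builder = CertPathBuilder.getInstance("PKIX", WeGooProvider.PROVIDER_NAME);
        } catch (NoSuchProviderException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new ExtCertPathValidatorException("Support class could not be created.", e);
        }
        try {
            result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
        } catch (CertPathBuilderException e) {
            // remembered and thrown after the loop: one unbuildable holder path fails the step
            lastException = new ExtCertPathValidatorException("Certification path for public key certificate of attribute certificate could not be build.", e);
        } catch (InvalidAlgorithmParameterException e) {
            // must be a programming error; keep the cause so the stack trace is not lost
            throw new RuntimeException(e.getMessage(), e);
        }
    }
    if (lastException != null) {
        throw lastException;
    }
    if (result == null) {
        // holder gave neither a base certificate ID nor an entity name, so no candidate
        // was ever looked up; report that instead of dereferencing a null result
        throw new CertPathValidatorException("No public key certificate for the holder of the attribute certificate could be found.");
    }
    return result.getCertPath();
}

/**
 * Adds to {@code holderPKCs} every certificate from the configured cert stores that
 * matches {@code selector}, narrowed in turn to each X500 name in {@code principals}.
 * A principal that is not an {@link X500Principal} leaves the selector's issuer as it is.
 *
 * @param selector    the selector carrying any constraints already set by the caller.
 * @param principals  the holder names to search for.
 * @param holderPKCs  receives the matching certificates.
 * @param pkixParams  supplies the cert stores to search.
 * @throws CertPathValidatorException if the store lookup fails or a name cannot be encoded.
 */
private static void collectHolderCertificates(X509CertSelector selector, Principal[] principals, LinkedHashSet<X509Certificate> holderPKCs, PKIXExtendedParameters pkixParams) throws CertPathValidatorException {
    for (int i = 0; i < principals.length; i++) {
        try {
            if (principals[i] instanceof X500Principal) {
                selector.setIssuer(((X500Principal) principals[i]).getEncoded());
            }
            PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
            CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
        } catch (AnnotatedException e) {
            throw new ExtCertPathValidatorException("Public key certificate for attribute certificate cannot be searched.", e);
        } catch (IOException e) {
            throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e);
        }
    }
}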

Example 12 with ExtCertPathValidatorException

use of com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException in project LinLong-Java by zhenwei1108.

the class RFC3281CertPathUtilities method processAttrCert7.

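/**
 * Checks the critical extensions of an attribute certificate.
 * <p>
 * The target information extension is only parsed here (its content is matched earlier by
 * the store selector). Every other critical extension must be consumed by one of the
 * {@code attrCertCheckers}; whatever remains is unsupported and fails validation.
 *
 * @param attrCert         the attribute certificate.
 * @param certPath         the certification path handed to the checkers.
 * @param holderCertPath   the holder certification path handed to the checkers.
 * @param pkixParams       the PKIX parameters; not used by this step itself.
 * @param attrCertCheckers the {@link PKIXAttrCertChecker}s to run.
 * @throws CertPathValidatorException if the target information extension cannot be read, a
 *                                    checker rejects the certificate, or an unsupported
 *                                    critical extension remains.
 */
protected static void processAttrCert7(X509AttributeCertificate attrCert, CertPath certPath, CertPath holderCertPath, PKIXExtendedParameters pkixParams, Set attrCertCheckers) throws CertPathValidatorException {
    // TODO:
    // AA Controls
    // Attribute encryption
    // Proxy
    // Work on a private copy: a certificate without extensions may yield null here, and
    // the set is mutated below, which must not leak back into the certificate object.
    Set criticalOids = attrCert.getCriticalExtensionOIDs();
    Set set = criticalOids == null ? new LinkedHashSet() : new LinkedHashSet(criticalOids);
    // target information checked in step 6 / X509AttributeCertStoreSelector
    if (set.contains(TARGET_INFORMATION)) {
        try {
            TargetInformation.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, TARGET_INFORMATION));
        } catch (AnnotatedException e) {
            throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
        } catch (IllegalArgumentException e) {
            throw new ExtCertPathValidatorException("Target information extension could not be read.", e);
        }
    }
    set.remove(TARGET_INFORMATION);
    // each checker removes the critical OIDs it understands from the set
    for (Iterator it = attrCertCheckers.iterator(); it.hasNext(); ) {
        ((PKIXAttrCertChecker) it.next()).check(attrCert, certPath, holderCertPath, set);
    }
    if (!set.isEmpty()) {
        throw new CertPathValidatorException("Attribute certificate contains unsupported critical extensions: " + set);
    }
}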

Example 13 with ExtCertPathValidatorException

use of com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException in project LinLong-Java by zhenwei1108.

the class RFC3281CertPathUtilities method checkCRLs.

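/**
 * Checks if an attribute certificate is revoked.
 * <p>
 * Nothing is done unless {@code paramsPKIX} has revocation checking enabled. An AC carrying
 * the noRevAvail extension is accepted without a CRL lookup, but must then not also carry
 * CRL distribution points or authority information access. Otherwise a CRL is checked for
 * every distribution point of the AC and, if the status is still undetermined afterwards,
 * for an implicit distribution point named after the AC issuer. The method fails closed:
 * no usable CRL, a revoked status and an undetermined status all raise an exception.
 *
 * @param attrCert      Attribute certificate to check if it is revoked.
 * @param paramsPKIX    PKIX parameters.
 * @param currentDate   The current date, passed through to the individual CRL checks.
 * @param validityDate  The date when the certificate revocation status should be checked.
 * @param issuerCert    The issuer certificate of the attribute certificate
 *                      <code>attrCert</code>.
 * @param certPathCerts The certificates of the certification path to be checked.
 * @param helper        JCA/JCE helper passed through to the CRL store lookup and CRL checks.
 * @throws CertPathValidatorException if the certificate is revoked or the status cannot be
 *                                    checked or some error occurs.
 */
protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts, JcaJceHelper helper) throws CertPathValidatorException {
    if (!paramsPKIX.isRevocationEnabled()) {
        return;
    }
    // check if revocation is available: an AC with noRevAvail is exempt from CRL checks,
    // but must then not advertise a revocation source either
    if (attrCert.getExtensionValue(NO_REV_AVAIL) != null) {
        if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) {
            throw new CertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
        }
        return;
    }
    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS));
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException("CRL distribution point extension could not be read.", e);
    }
    List crlStores = new ArrayList();
    try {
        crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validityDate, helper));
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
    }
    // register each additional store with the parameters used by the CRL checks below
    // (previously the list itself was cast to PKIXCRLStore and the iterator never advanced)
    PKIXExtendedParameters.Builder bldr = new PKIXExtendedParameters.Builder(paramsPKIX);
    for (Iterator it = crlStores.iterator(); it.hasNext(); ) {
        bldr.addCRLStore((PKIXCRLStore) it.next());
    }
    paramsPKIX = bldr.build();
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();
    AnnotatedException lastException = null;
    boolean validCrlFound = false;
    // for each distribution point, until the AC is found revoked or all reasons are covered
    if (crldp != null) {
        DistributionPoint[] dps = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new ExtCertPathValidatorException("Distribution points could not be read.", e);
        }
        try {
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
                // every distribution point is checked against a fresh clone of the parameters
                PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
                checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
                validCrlFound = true;
            }
        } catch (AnnotatedException e) {
            lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
        }
    }
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
             * assume a DP with both the reasons and the cRLIssuer
             * fields omitted and a distribution point name of the
             * certificate issuer.
             */
            X500Name issuer;
            try {
                issuer = PrincipalUtils.getEncodedIssuerPrincipal(attrCert);
            } catch (Exception e) {
                throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX.clone();
            checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus, reasonsMask, certPathCerts, helper);
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = new AnnotatedException("No valid CRL for distribution point found.", e);
        }
    }
    // fail closed: without any usable CRL the revocation status is unknown
    if (!validCrlFound) {
        throw new ExtCertPathValidatorException("No valid CRL found.", lastException);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        String message = "Attribute certificate revocation after " + certStatus.getRevocationDate();
        message += ", reason: " + RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()];
        throw new CertPathValidatorException(message);
    }
    // not revoked, but the CRLs seen did not cover every reason code -> status undetermined
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new CertPathValidatorException("Attribute certificate status could not be determined.");
    }
}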

Example 14 with ExtCertPathValidatorException

use of com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException in project LinLong-Java by zhenwei1108.

the class CertPathValidatorUtilities method prepareNextCertB1.

/**
 * Policy-mapping step (b)(1) of RFC 3280 section 6.1.4: prepares the policy tree for the
 * next certificate for one issuer domain policy {@code id_p}.
 * <p>
 * If a node at depth {@code i} already has {@code id_p} as its valid policy, its expected
 * policy set is replaced by the mapped set from {@code m_idp}. Otherwise, if an anyPolicy
 * node exists at that depth whose parent is also anyPolicy, a new child for {@code id_p}
 * is attached to that parent, carrying the qualifiers of the certificate's anyPolicy entry
 * and the criticality of the certificatePolicies extension.
 *
 * @param i           depth in the policy tree (index into {@code policyNodes}).
 * @param policyNodes the policy nodes per depth; {@code policyNodes[i]} may gain a node.
 * @param id_p        the issuer domain policy being mapped.
 * @param m_idp       map from issuer domain policy to its set of subject domain policies.
 * @param cert        the certificate whose certificatePolicies extension is examined.
 * @throws AnnotatedException         if the certificate policies cannot be decoded.
 * @throws CertPathValidatorException if the policy qualifier set cannot be built.
 */
protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws AnnotatedException, CertPathValidatorException {
    // (i): a node for id_p already exists at this depth -> only update its expected set
    for (Iterator nodeIt = policyNodes[i].iterator(); nodeIt.hasNext(); ) {
        PKIXPolicyNode candidate = (PKIXPolicyNode) nodeIt.next();
        if (candidate.getValidPolicy().equals(id_p)) {
            candidate.setExpectedPolicies((Set) m_idp.get(id_p));
            return;
        }
    }
    // (ii): no such node; derive one from the first anyPolicy node at this depth
    for (Iterator nodeIt = policyNodes[i].iterator(); nodeIt.hasNext(); ) {
        PKIXPolicyNode anyNode = (PKIXPolicyNode) nodeIt.next();
        if (!ANY_POLICY.equals(anyNode.getValidPolicy())) {
            continue;
        }
        Set qualifiers = anyPolicyQualifiers(cert);
        boolean critical = cert.getCriticalExtensionOIDs() != null && cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
        PKIXPolicyNode parent = (PKIXPolicyNode) anyNode.getParent();
        if (ANY_POLICY.equals(parent.getValidPolicy())) {
            PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), i, (Set) m_idp.get(id_p), parent, qualifiers, id_p, critical);
            parent.addChild(child);
            policyNodes[i].add(child);
        }
        // only the first anyPolicy node is considered
        return;
    }
}

/**
 * Returns the qualifier set of the anyPolicy entry in the certificate's
 * certificatePolicies extension, or {@code null} if the extension holds no anyPolicy entry.
 *
 * @param cert the certificate to read the extension from.
 * @throws AnnotatedException         if the extension or one of its entries cannot be decoded.
 * @throws CertPathValidatorException if the qualifier set cannot be built.
 */
private static Set anyPolicyQualifiers(X509Certificate cert) throws AnnotatedException, CertPathValidatorException {
    ASN1Sequence policies;
    try {
        policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
    } catch (Exception e) {
        throw new AnnotatedException("Certificate policies cannot be decoded.", e);
    }
    for (Enumeration entries = policies.getObjects(); entries.hasMoreElements(); ) {
        PolicyInformation pinfo;
        try {
            pinfo = PolicyInformation.getInstance(entries.nextElement());
        } catch (Exception ex) {
            throw new AnnotatedException("Policy information cannot be decoded.", ex);
        }
        if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId())) {
            try {
                return getQualifierSet(pinfo.getPolicyQualifiers());
            } catch (CertPathValidatorException ex) {
                throw new ExtCertPathValidatorException("Policy qualifier info set could not be built.", ex);
            }
        }
    }
    return null;
}

Example 15 with ExtCertPathValidatorException

use of com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException in project LinLong-Java by zhenwei1108.

the class CertPathValidatorUtilities method getAlgorithmIdentifier.

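/**
 * Extracts the algorithm identifier from the encoded form of a public key.
 * <p>
 * The key's encoding is parsed as a SubjectPublicKeyInfo structure and its algorithm
 * field is returned.
 *
 * @param key the public key; its {@link PublicKey#getEncoded()} form is parsed.
 * @return the algorithm identifier of the key.
 * @throws CertPathValidatorException if the key has no encoding or the encoding cannot be
 *                                    parsed as a SubjectPublicKeyInfo.
 */
protected static AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException {
    // try-with-resources closes the stream on every path; any failure (missing encoding,
    // truncated or malformed DER) is reported to the caller as a single exception type
    try (ASN1InputStream aIn = new ASN1InputStream(key.getEncoded())) {
        SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());
        return info.getAlgorithmId();
    } catch (Exception e) {
        throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e);
    }
}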
