
Example 1 with AuthorityKeyIdentifierExtension

use of com.unboundid.util.ssl.cert.AuthorityKeyIdentifierExtension in project ldapsdk by pingidentity.

From the class JVMDefaultTrustManager, method checkIncompleteChain.

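/**
 * Checks to determine whether the provided certificate chain may be
 * incomplete, and if so, whether we can find and trust the issuer of the last
 * certificate in the chain.  The issuer is looked up by the authority key
 * identifier of the last certificate in {@code trustedCertsByKeyID}, and is
 * accepted only if it is present there, is within its validity window, and
 * {@code verifySignature} completes without throwing.  Every other outcome,
 * including any exception raised while decoding or verifying, yields
 * {@code false}; this method never throws.
 * <p>
 * Note that this method uses the no-argument
 * {@code isWithinValidityWindow()} (presumably evaluated against the current
 * time), whereas {@code findIssuer} takes an explicit date.
 *
 * @param  chain  The chain to validate.  A {@code null} or empty chain is
 *                treated as not validated.
 *
 * @return  {@code true} if the chain could be validated, or {@code false} if
 *          not.
 */
private boolean checkIncompleteChain(@NotNull final X509Certificate[] chain) {
    // Fail closed explicitly rather than relying on the catch-all below to
    // turn an ArrayIndexOutOfBoundsException (or NPE) into a false result.
    if ((chain == null) || (chain.length == 0)) {
        return false;
    }

    try {
        // Get the last certificate in the chain and decode it as one that we can
        // more fully inspect.
        final com.unboundid.util.ssl.cert.X509Certificate c = new com.unboundid.util.ssl.cert.X509Certificate(chain[chain.length - 1].getEncoded());

        // If the certificate is self-signed, then it can't be trusted.
        if (c.isSelfSigned()) {
            return false;
        }

        // Look for an authority key identifier extension in the certificate.
        // If there is one, then use it to try to find the issuer among the
        // trusted certificates.
        for (final X509CertificateExtension e : c.getExtensions()) {
            if (!(e instanceof AuthorityKeyIdentifierExtension)) {
                continue;
            }

            final AuthorityKeyIdentifierExtension akie = (AuthorityKeyIdentifierExtension) e;
            final ASN1OctetString authorityKeyID = new ASN1OctetString(akie.getKeyIdentifier().getValue());
            final com.unboundid.util.ssl.cert.X509Certificate issuer = trustedCertsByKeyID.get(authorityKeyID);
            if ((issuer != null) && issuer.isWithinValidityWindow()) {
                // The return value of verifySignature is not used here, so a
                // mismatch is presumably reported by throwing, which is caught
                // below and yields false.
                c.verifySignature(issuer);
                return true;
            }
        }
    } catch (final Exception e) {
        // Any decoding, lookup, or signature verification failure means the
        // chain cannot be validated.  The exception is recorded for debugging
        // but deliberately not propagated.
        Debug.debugException(e);
    }

    return false;
}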

Example 2 with AuthorityKeyIdentifierExtension

use of com.unboundid.util.ssl.cert.AuthorityKeyIdentifierExtension in project ldapsdk by pingidentity.

From the class JVMDefaultTrustManager, method findIssuer.

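/**
 * Finds the issuer for the provided certificate, if it is in the JVM-default
 * trust store.  The issuer is looked up by the certificate's authority key
 * identifier in {@code trustedCertsByKeyID}, and is returned only if it is
 * within its validity window as of {@code currentDate} and
 * {@code verifySignature} completes without throwing.
 *
 * @param  cert         The certificate for which to find the issuer.  It must
 *                      have already been retrieved from the JVM-default trust
 *                      store.
 * @param  currentDate  The current date to use when verifying validity.
 *
 * @return  The issuer for the provided certificate, or {@code null} if the
 *          provided certificate is self-signed.
 *
 * @throws  CertificateException  If the provided certificate is not
 *                                self-signed but its issuer could not be
 *                                found, or if the issuer certificate is
 *                                not currently valid.  If an exception was
 *                                raised while decoding the certificate or
 *                                verifying its signature, that exception is
 *                                attached as the cause.
 */
@Nullable()
private X509Certificate findIssuer(@NotNull final X509Certificate cert, @NotNull final Date currentDate) throws CertificateException {
    // Recorded so that the exception thrown below carries the real reason the
    // issuer could not be established (e.g., a signature mismatch) instead of
    // hiding it behind the generic "cannot find issuer" message.
    Exception failureCause = null;

    try {
        // More fully decode the provided certificate so that we can better
        // examine it.
        final com.unboundid.util.ssl.cert.X509Certificate c = new com.unboundid.util.ssl.cert.X509Certificate(cert.getEncoded());

        // If the certificate is self-signed, then it doesn't have an issuer.
        if (c.isSelfSigned()) {
            return null;
        }

        // Look for an authority key identifier extension in the certificate.
        // If there is one, then use it to try to find the issuer among the
        // trusted certificates.
        for (final X509CertificateExtension e : c.getExtensions()) {
            if (!(e instanceof AuthorityKeyIdentifierExtension)) {
                continue;
            }

            final AuthorityKeyIdentifierExtension akie = (AuthorityKeyIdentifierExtension) e;
            final ASN1OctetString authorityKeyID = new ASN1OctetString(akie.getKeyIdentifier().getValue());
            final com.unboundid.util.ssl.cert.X509Certificate issuer = trustedCertsByKeyID.get(authorityKeyID);
            if ((issuer != null) && issuer.isWithinValidityWindow(currentDate)) {
                // The return value of verifySignature is not used here, so a
                // mismatch is presumably reported by throwing, which is caught
                // below and surfaces as the cause of the CertificateException.
                c.verifySignature(issuer);
                return (X509Certificate) issuer.toCertificate();
            }
        }
    } catch (final Exception e) {
        Debug.debugException(e);
        failureCause = e;
    }

    final String message = ERR_JVM_DEFAULT_TRUST_MANAGER_CANNOT_FIND_ISSUER.get(String.valueOf(cert.getSubjectDN()));
    if (failureCause == null) {
        throw new CertificateException(message);
    }
    throw new CertificateException(message, failureCause);
}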
