use of com.unboundid.util.ssl.cert.AuthorityKeyIdentifierExtension in project ldapsdk by pingidentity.
The checkIncompleteChain method of the JVMDefaultTrustManager class:
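/**
 * Checks to determine whether the provided certificate chain may be
 * incomplete, and if so, whether we can find and trust the issuer of the last
 * certificate in the chain.  The issuer is looked up in the JVM-default trust
 * store by the authority key identifier of the last certificate, and is only
 * accepted if it is currently within its validity window and its key actually
 * verifies the signature on that certificate.
 * <p>
 * NOTE(review):  Only the link between the last certificate in the chain and
 * a trust-store issuer is examined here.  The earlier links in the chain, and
 * the validity window of the last certificate itself, are not checked by this
 * method; that is presumably handled by the caller -- confirm before relying
 * on this method on its own.
 *
 * @param  chain  The chain to validate.  An empty chain is never considered
 *                valid.
 *
 * @return  {@code true} if the chain could be validated, or {@code false} if
 *          not.  Any exception raised while decoding or verifying (including
 *          a signature that does not verify) is logged at debug level and
 *          treated as "could not validate".
 */
private boolean checkIncompleteChain(@NotNull final X509Certificate[] chain)
{
  // An empty chain has no last certificate to inspect.  Reject it explicitly
  // rather than relying on the ArrayIndexOutOfBoundsException that would
  // otherwise be swallowed by the catch block below.
  if ((chain == null) || (chain.length == 0))
  {
    return false;
  }

  try
  {
    // Re-decode the last certificate in the chain with the LDAP SDK's own
    // parser so that we can inspect its extensions.
    final com.unboundid.util.ssl.cert.X509Certificate lastCert =
         new com.unboundid.util.ssl.cert.X509Certificate(
              chain[chain.length - 1].getEncoded());

    // A self-signed certificate has no separate issuer that we could look up
    // in the trust store, so there is nothing further we can do for it here.
    if (lastCert.isSelfSigned())
    {
      return false;
    }

    // If the certificate has an authority key identifier extension, then use
    // its key identifier to look up the issuer among the trusted certificates.
    for (final X509CertificateExtension extension : lastCert.getExtensions())
    {
      if (! (extension instanceof AuthorityKeyIdentifierExtension))
      {
        continue;
      }

      final AuthorityKeyIdentifierExtension akie =
           (AuthorityKeyIdentifierExtension) extension;

      // The keyIdentifier field of the AKI extension is OPTIONAL (RFC 5280
      // section 4.2.1.1), so it may be absent even when the extension is
      // present.  Without it there is nothing to look up.
      final ASN1OctetString rawKeyID = akie.getKeyIdentifier();
      if (rawKeyID == null)
      {
        continue;
      }

      // Normalize to a plain octet string so that it matches the map keys.
      final ASN1OctetString authorityKeyID =
           new ASN1OctetString(rawKeyID.getValue());
      final com.unboundid.util.ssl.cert.X509Certificate issuer =
           trustedCertsByKeyID.get(authorityKeyID);
      if ((issuer == null) || (! issuer.isWithinValidityWindow()))
      {
        continue;
      }

      // A matching key identifier is only a hint, not proof of issuance.  The
      // signature check is what actually binds the certificate to the trusted
      // issuer; it throws if the signature does not verify, which is caught
      // below and reported as "not validated".  It must stay on the path to
      // the "return true" below.
      lastCert.verifySignature(issuer);
      return true;
    }
  }
  catch (final Exception e)
  {
    // Best effort:  any decoding or verification failure means that trust
    // could not be established, and the caller will reject the chain.
    Debug.debugException(e);
  }

  return false;
}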
use of com.unboundid.util.ssl.cert.AuthorityKeyIdentifierExtension in project ldapsdk by pingidentity.
The findIssuer method of the JVMDefaultTrustManager class:
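/**
 * Finds the issuer for the provided certificate, if it is in the JVM-default
 * trust store.  The issuer is looked up by the authority key identifier of
 * the provided certificate, must be within its validity window as of
 * {@code currentDate}, and must actually verify the signature on the provided
 * certificate; a key identifier match alone is not sufficient.
 *
 * @param  cert         The certificate for which to find the issuer.  It must
 *                      have already been retrieved from the JVM-default trust
 *                      store.
 * @param  currentDate  The current date to use when verifying validity.
 *
 * @return  The issuer for the provided certificate, or {@code null} if the
 *          provided certificate is self-signed.
 *
 * @throws  CertificateException  If the provided certificate is not
 *                                self-signed but its issuer could not be
 *                                found, if the issuer certificate is not
 *                                valid as of {@code currentDate}, or if the
 *                                issuer's key does not verify the signature
 *                                on the provided certificate.  When an
 *                                underlying exception was responsible, it is
 *                                attached as the cause.
 */
@Nullable()
private X509Certificate findIssuer(@NotNull final X509Certificate cert,
                                   @NotNull final Date currentDate)
        throws CertificateException
{
  // Remember why the lookup failed so that the thrown exception can carry it.
  // Without this, a failed signature verification is reported only as a
  // generic "cannot find issuer", which hides the real reason.
  Exception failureCause = null;

  try
  {
    // Re-decode the provided certificate with the LDAP SDK's own parser so
    // that we can inspect its extensions.
    final com.unboundid.util.ssl.cert.X509Certificate decodedCert =
         new com.unboundid.util.ssl.cert.X509Certificate(cert.getEncoded());

    // A self-signed certificate is its own issuer, so there is no separate
    // issuer to return.
    if (decodedCert.isSelfSigned())
    {
      return null;
    }

    // If the certificate has an authority key identifier extension, then use
    // its key identifier to look up the issuer among the trusted certificates.
    for (final X509CertificateExtension extension :
         decodedCert.getExtensions())
    {
      if (! (extension instanceof AuthorityKeyIdentifierExtension))
      {
        continue;
      }

      final AuthorityKeyIdentifierExtension akie =
           (AuthorityKeyIdentifierExtension) extension;

      // The keyIdentifier field of the AKI extension is OPTIONAL (RFC 5280
      // section 4.2.1.1), so guard against its absence rather than letting
      // a NullPointerException be swallowed below.
      final ASN1OctetString rawKeyID = akie.getKeyIdentifier();
      if (rawKeyID == null)
      {
        continue;
      }

      // Normalize to a plain octet string so that it matches the map keys.
      final ASN1OctetString authorityKeyID =
           new ASN1OctetString(rawKeyID.getValue());
      final com.unboundid.util.ssl.cert.X509Certificate issuer =
           trustedCertsByKeyID.get(authorityKeyID);
      if ((issuer == null) || (! issuer.isWithinValidityWindow(currentDate)))
      {
        continue;
      }

      // The signature check is what binds the certificate to the candidate
      // issuer; it throws if the signature does not verify, and that failure
      // is reported to the caller via the exception thrown below.
      decodedCert.verifySignature(issuer);
      return (X509Certificate) issuer.toCertificate();
    }
  }
  catch (final Exception e)
  {
    Debug.debugException(e);
    failureCause = e;
  }

  final String message =
       ERR_JVM_DEFAULT_TRUST_MANAGER_CANNOT_FIND_ISSUER.get(
            String.valueOf(cert.getSubjectDN()));
  if (failureCause == null)
  {
    throw new CertificateException(message);
  }
  else
  {
    // Preserve the underlying cause (decoding error, bad signature, etc.) so
    // that diagnostics do not lose it.
    throw new CertificateException(message, failureCause);
  }
}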