use of java.security.cert.CertPath in project robovm by robovm.
the class TrustManagerImpl method checkTrusted.
/**
 * Validates {@code chain} and returns the full certificate path established
 * for it: the cleaned-up peer chain, then the trust anchor, then any further
 * issuers found in {@code trustedCertificateIndex}.
 *
 * The checks are deliberately ordered: argument sanity, recorded
 * initialisation error ({@code err}), trust-anchor lookup, pin check (only
 * when {@code host} is given), early return for a chain that is entirely
 * trusted, trust-anchor presence, chain strength, PKIX validation.
 * Reordering them changes which failure a caller sees first and which
 * checks a given chain is subjected to.
 *
 * @param chain      certificates presented by the peer, presumably leaf first
 *                   (the first element is handed to the key-usage checker)
 * @param authType   authentication type; only checked for presence here
 * @param host       peer host name used for the pin lookup, or null to skip pinning
 * @param clientAuth true when the chain belongs to a client; forwarded to the
 *                   extended-key-usage checker
 * @return the cleaned-up chain plus trust anchor and cached issuers
 * @throws IllegalArgumentException if chain or authType is null or empty
 * @throws CertificateException if an initialisation error was recorded,
 *         the chain is not pinned for host, no trust anchor was found,
 *         or PKIX validation fails
 */
private List<X509Certificate> checkTrusted(X509Certificate[] chain, String authType, String host, boolean clientAuth) throws CertificateException {
    if (chain == null || chain.length == 0 || authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    // err is set elsewhere (not visible here); a recorded error makes every
    // call fail closed rather than validating against an incomplete setup.
    if (err != null) {
        throw new CertificateException(err);
    }
    // get the cleaned up chain and trust anchor
    // there can only be one!
    Set<TrustAnchor> trustAnchor = new HashSet<TrustAnchor>();
    X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(chain, trustAnchor);
    // add the first trust anchor to the chain, which may be an intermediate
    List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
    wholeChain.addAll(Arrays.asList(newChain));
    // trustAnchor is actually just a single element
    for (TrustAnchor trust : trustAnchor) {
        wholeChain.add(trust.getTrustedCert());
    }
    // add all the cached certificates from the cert index, avoiding loops
    // this gives us a full chain from leaf to root, which we use for cert pinning and pass
    // back out to callers when we return.
    // NOTE(review): if newChain is empty AND no anchor was found, wholeChain is
    // empty and get(-1) below throws IndexOutOfBoundsException; presumably
    // cleanupCertChainAndFindTrustAnchors never yields that combination for a
    // non-empty input chain — confirm.
    X509Certificate last = wholeChain.get(wholeChain.size() - 1);
    while (true) {
        TrustAnchor cachedTrust = trustedCertificateIndex.findByIssuerAndSignature(last);
        // trusted a non-self-signed cert.
        if (cachedTrust == null) {
            break;
        }
        // at this point we have a cached trust anchor, but don't know if its one we got from
        // the server. Extract the cert, compare it to the last element in the chain, and add it
        // if we haven't seen it before.
        X509Certificate next = cachedTrust.getTrustedCert();
        // Reference comparison: presumably the index returns the very same
        // object when a self-signed cert is looked up by itself.
        if (next != last) {
            wholeChain.add(next);
            last = next;
        } else {
            // if next == last then we found a self-signed cert and the chain is done
            break;
        }
    }
    // build the cert path from the array of certs sans trust anchors
    CertPath certPath = factory.generateCertPath(Arrays.asList(newChain));
    // Pinning is evaluated on wholeChain (anchors and cached issuers included)
    // and before any cryptographic validation, so a pin mismatch is reported
    // even for a chain that would also fail PKIX validation below.
    if (host != null) {
        boolean chainIsNotPinned = true;
        try {
            chainIsNotPinned = pinManager.chainIsNotPinned(host, wholeChain);
        } catch (PinManagerException e) {
            throw new CertificateException(e);
        }
        if (chainIsNotPinned) {
            throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, certPath, -1));
        }
    }
    if (newChain.length == 0) {
        // chain was entirely trusted, skip the validator
        // NOTE(review): this path also skips ChainStrengthAnalyzer and the
        // extended-key-usage checker for a leaf that is itself a trust anchor.
        return wholeChain;
    }
    if (trustAnchor.isEmpty()) {
        throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1));
    }
    // There's no point in checking trust anchors here, and it will throw off the MD5 check,
    // so we just hand it the chain without anchors
    ChainStrengthAnalyzer.check(newChain);
    try {
        PKIXParameters params = new PKIXParameters(trustAnchor);
        // Revocation is not consulted here; any revocation handling has to
        // happen elsewhere.
        params.setRevocationEnabled(false);
        params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0]));
        validator.validate(certPath, params);
        // Only after successful validation: remember the intermediates
        // (index 1..n-1, never the leaf) so that a later lookup can
        // complete a chain from the index — presumably the case handled by
        // cleanupCertChainAndFindTrustAnchors. http://b/3404902
        for (int i = 1; i < newChain.length; i++) {
            trustedCertificateIndex.index(newChain[i]);
        }
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateException(e);
    } catch (CertPathValidatorException e) {
        throw new CertificateException(e);
    }
    return wholeChain;
}
use of java.security.cert.CertPath in project robovm by robovm.
the class X509CertSelectorTest method test_addPathToNameLintLjava_lang_String2.
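/**
 * java.security.cert.X509CertSelector#addPathToName(int, String)
 *
 * Exercises the String overload three ways: a corrupted rfc822 name (the
 * resulting IOException is tolerated), a well-formed rfc822 name that yields
 * no cert path, and the root certificate's issuer name.
 */
public void test_addPathToNameLintLjava_lang_String2() throws Exception {
    setupEnvironment();
    // Pre-computed encodings of GeneralName(1, "822.Name"): the full
    // GeneralName and the bare name component. Originally derived via:
    // GeneralName name = new GeneralName(1, "822.Name");
    // bytes = name.getEncoded();
    // bytesName = name.getEncodedName();
    byte[] bytes = new byte[] { -127, 8, 56, 50, 50, 46, 78, 97, 109, 101 };
    byte[] bytesName = new byte[] { 22, 8, 56, 50, 50, 46, 78, 97, 109, 101 };
    assertNotNull(bytes);
    // Corrupt a copy, not the reference array. The original allocated a
    // fresh array and then threw it away by re-assigning the reference,
    // which silently mutated bytes itself.
    byte[] b = bytes.clone();
    b[bytes.length - 3] = (byte) 200;
    try {
        // Platform default charset, as in the original test; the corrupted
        // byte is expected to make the name unparseable.
        theCertSelector.addPathToName(1, new String(b));
    } catch (IOException e) {
        // ok: rejecting the corrupted name is the expected outcome
    }
    theCertSelector.setPathToNames(null);
    theCertSelector.addPathToName(1, new String(bytesName));
    assertNotNull(theCertSelector.getPathToNames());
    // A well-formed rfc822 name that no cert in the test chain carries.
    CertPath p = buildCertPath();
    assertNull(p);
    theCertSelector.setPathToNames(null);
    theCertSelector.addPathToName(1, rootCertificate.getIssuerX500Principal().getName());
    assertNotNull(theCertSelector.getPathToNames());
    //p = buildCertPath();
    //assertNotNull(p);
}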
use of java.security.cert.CertPath in project robovm by robovm.
the class X509CertSelectorTest method test_addPathToNameLintLbyte_array2.
/**
 * java.security.cert.X509CertSelector#addPathToName(int, byte[])
 *
 * Feeds the byte[] overload a damaged rfc822 GeneralName (IOException
 * tolerated), then a well-formed one that yields no path, then the
 * self-signed root's issuer as a directory name, which does yield a path.
 */
public void test_addPathToNameLintLbyte_array2() throws Exception {
    TestUtils.initCertPathSSCertChain();
    setupEnvironment();
    // DER of GeneralName(1, "822.Name"): full encoding and bare name part.
    // Originally derived via:
    // GeneralName name = new GeneralName(1, "822.Name");
    // bytes = name.getEncoded();
    // bytesName = name.getEncodedName();
    byte[] encodedName = { -127, 8, 56, 50, 50, 46, 78, 97, 109, 101 };
    byte[] bareName = { 22, 8, 56, 50, 50, 46, 78, 97, 109, 101 };
    // Damage one byte of the encoding; the selector may reject it.
    encodedName[encodedName.length - 3] = (byte) 0xC8;
    try {
        theCertSelector.addPathToName(1, encodedName);
    } catch (IOException ignored) {
        // ok
    }
    // Well-formed rfc822 name: accepted, but no path is built for it.
    theCertSelector.setPathToNames(null);
    theCertSelector.addPathToName(1, bareName);
    assertNotNull(theCertSelector.getPathToNames());
    assertNull(buildCertPath());
    // Directory name (type 4) taken from the self-signed root's issuer.
    theCertSelector.setPathToNames(null);
    // name = new GeneralName(new Name("O=Android"));
    // theCertSelector.addPathToName(4, endCertificate.getSubjectDN().getName());
    theCertSelector.addPathToName(4, TestUtils.rootCertificateSS.getIssuerX500Principal().getEncoded());
    assertNotNull(theCertSelector.getPathToNames());
    assertNotNull(TestUtils.buildCertPathSSCertChain());
}
use of java.security.cert.CertPath in project jdk8u_jdk by JetBrains.
the class SignerInfo method getTimestamp.
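/*
 * Extracts a timestamp from this PKCS7 SignerInfo.
 *
 * Examines the signer's unsigned attributes for a
 * {@code signatureTimestampToken} attribute. If present,
 * then it is parsed to extract the date and time at which the
 * timestamp was generated. The result is cached in {@code timestamp};
 * the absence of a token is cached by clearing {@code hasTimestamp}.
 *
 * @return A timestamp token or null if none is present.
 * @throws IOException if an error is encountered while parsing the
 * PKCS7 data.
 * @throws NoSuchAlgorithmException if an error is encountered while
 * verifying the PKCS7 object.
 * @throws SignatureException if an error is encountered while
 * verifying the PKCS7 object, including the case where no signer of
 * the timestamp token verifies.
 * @throws CertificateException if an error is encountered while generating
 * the TSA's certpath.
 */
public Timestamp getTimestamp() throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException {
    // Cached answer from an earlier call, positive or negative.
    if (timestamp != null || !hasTimestamp) {
        return timestamp;
    }
    PKCS7 tsToken = getTsToken();
    if (tsToken == null) {
        hasTimestamp = false;
        return null;
    }
    // Extract the content (an encoded timestamp token info)
    byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
    // Extract the signer (the Timestamping Authority)
    // while verifying the content
    SignerInfo[] tsa = tsToken.verify(encTsTokenInfo);
    // verify() reports "no signer verified" as null (or an empty array);
    // the original dereferenced tsa[0] unconditionally, turning a failed
    // verification into a NullPointerException / ArrayIndexOutOfBoundsException.
    if (tsa == null || tsa.length == 0) {
        throw new SignatureException("Unable to verify the timestamp token signature");
    }
    // Expect only one signer
    ArrayList<X509Certificate> chain = tsa[0].getCertificateChain(tsToken);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    CertPath tsaChain = cf.generateCertPath(chain);
    // Create a timestamp token info object
    TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
    // Check that the signature timestamp applies to this signature
    verifyTimestamp(tsTokenInfo);
    // Create a timestamp object
    timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain);
    return timestamp;
}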
use of java.security.cert.CertPath in project jdk8u_jdk by JetBrains.
the class Serial method main.
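/**
 * Round-trips a CertPathValidatorException through Java serialization and
 * checks that message, cause message, cert path, index and reason survive;
 * then reads a form written by JDK 6 ({@code jdk6.serial}) and checks the
 * same fields, expecting the reason to read back as
 * {@code BasicReason.UNSPECIFIED} since that form predates the field.
 *
 * Fixtures ({@code cert_file}, {@code jdk6.serial}) are resolved relative to
 * the {@code test.src} system property, defaulting to the current directory.
 * {@code check(condition, message)} presumably records a failure in
 * {@code failed} when {@code condition} is true.
 *
 * @param args ignored
 * @throws Exception if a fixture cannot be read or any check failed
 */
public static void main(String[] args) throws Exception {
    String testSrc = System.getProperty("test.src", ".");
    // The single certificate that becomes the exception's cert path.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate c;
    try (FileInputStream fis = new FileInputStream(new File(testSrc, "cert_file"))) {
        c = cf.generateCertificate(fis);
    }
    CertPath cp = cf.generateCertPath(Collections.singletonList(c));
    CertPathValidatorException cpve1 = new CertPathValidatorException("Test", new Exception("Expired"), cp, 0, BasicReason.EXPIRED);
    // Serialize in memory and read back with the current JDK. (To refresh a
    // serialized fixture, write cpve1 to a FileOutputStream instead.)
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
        oos.writeObject(cpve1);
    }
    CertPathValidatorException cpve2;
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()))) {
        cpve2 = (CertPathValidatorException) ois.readObject();
    }
    check(!cpve1.getMessage().equals(cpve2.getMessage()), "CertPathValidatorException messages not equal");
    check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()), "CertPathValidatorException causes not equal");
    check(!cpve1.getCertPath().equals(cpve2.getCertPath()), "CertPathValidatorException certpaths not equal");
    check(cpve1.getIndex() != cpve2.getIndex(), "CertPathValidatorException indexes not equal");
    check(cpve1.getReason() != cpve2.getReason(), "CertPathValidatorException reasons not equal");
    // Read the JDK 6 form. The fixture is part of the test tree, not
    // untrusted input; both streams are closed even if readObject fails.
    try (FileInputStream fis = new FileInputStream(new File(testSrc, "jdk6.serial"));
         ObjectInputStream ois = new ObjectInputStream(fis)) {
        cpve2 = (CertPathValidatorException) ois.readObject();
    }
    check(!cpve1.getMessage().equals(cpve2.getMessage()), "CertPathValidatorException messages not equal");
    check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()), "CertPathValidatorException causes not equal");
    check(!cpve1.getCertPath().equals(cpve2.getCertPath()), "CertPathValidatorException certpaths not equal");
    check(cpve1.getIndex() != cpve2.getIndex(), "CertPathValidatorException indexes not equal");
    // System.out.println(cpve2.getReason());
    check(cpve2.getReason() != BasicReason.UNSPECIFIED, "CertPathValidatorException reasons not equal");
    if (failed) {
        throw new Exception("Some tests FAILED");
    }
}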