Search in sources :

Example 36 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project gitblit by gitblit.

the class X509Utils method verifyChain.

/**
 * Verifies a certificate's chain to ensure that it will function properly.
 *
 * @param testCert
 * @param additionalCerts
 * @return
 */
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) {
    try {
        // Check for self-signed certificate
        if (isSelfSigned(testCert)) {
            throw new RuntimeException("The certificate is self-signed.  Nothing to verify.");
        }
        // Prepare a set of all certificates
        // chain builder must have all certs, including cert to validate
        // http://stackoverflow.com/a/10788392
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        certs.add(testCert);
        certs.addAll(Arrays.asList(additionalCerts));
        // Attempt to build the certification chain and verify it
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(testCert);
        // Create the trust anchors (set of root CA certificates)
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate cert : additionalCerts) {
            if (isSelfSigned(cert)) {
                trustAnchors.add(new TrustAnchor(cert, null));
            }
        }
        // Configure the PKIX certificate builder
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.setRevocationEnabled(false);
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC));
        // Build and verify the certification chain
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC);
        PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams);
        // The chain is built and verified
        return verifiedCertChain;
    } catch (CertPathBuilderException e) {
        throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e);
    } catch (Exception e) {
        throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e);
    }
}
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) X509Certificate(java.security.cert.X509Certificate) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet)

Aggregations

CertPathBuilder (java.security.cert.CertPathBuilder)36 PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)20 X509CertSelector (java.security.cert.X509CertSelector)20 X509Certificate (java.security.cert.X509Certificate)19 CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)15 HashSet (java.util.HashSet)14 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)10 CertPathBuilderException (java.security.cert.CertPathBuilderException)10 CertPathBuilderResult (java.security.cert.CertPathBuilderResult)10 TrustAnchor (java.security.cert.TrustAnchor)10 ArrayList (java.util.ArrayList)9 CertPath (java.security.cert.CertPath)8 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)7 NoSuchProviderException (java.security.NoSuchProviderException)7 CertPathValidator (java.security.cert.CertPathValidator)7 CertStore (java.security.cert.CertStore)7 GeneralSecurityException (java.security.GeneralSecurityException)6 Certificate (java.security.cert.Certificate)6 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)6 IOException (java.io.IOException)5