
Example 11 with CertPathBuilderException

use of java.security.cert.CertPathBuilderException in project cxf by apache.

the class TrustedAuthorityValidator method isCertificateChainValid.

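/**
 * Checks whether the first certificate of {@code certificates} chains to a
 * trusted authority held in {@code certRepo}.
 * <p>
 * The path is built from the supplied certificates plus the repository's CA
 * certificates and is anchored on the repository's trusted CA certificates.
 * The build step always runs with revocation checking disabled; revocation
 * is only applied during validation when {@code enableRevocation} is set
 * <em>and</em> the repository returns at least one CRL. When revocation is
 * enabled but no CRL is available, validation proceeds without any
 * revocation check.
 *
 * @param certificates the chain to check; element 0 is the target
 *                     certificate, any further elements are intermediates
 *                     made available to the path builder
 * @return {@code true} if a path to a trusted anchor was built and validated;
 *         {@code false} if {@code certificates} is {@code null} or empty, or
 *         on any build/validation failure (logged at WARNING level)
 */
boolean isCertificateChainValid(List<X509Certificate> certificates) {
    // An empty chain has no target to validate; report it as invalid instead
    // of letting get(0) throw IndexOutOfBoundsException.
    if (certificates == null || certificates.isEmpty()) {
        LOG.log(Level.WARNING, "No certificate supplied for certificate chain validation.");
        return false;
    }
    X509Certificate targetCert = certificates.get(0);
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(targetCert);
    try {
        List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
        List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
        Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
        CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
        CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
        // PKIXBuilderParameters rejects an empty trust-anchor set with
        // InvalidAlgorithmParameterException, handled below.
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
        pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
        // Revocation is deliberately off while building the path; it is
        // switched on for validation below only if CRLs are available.
        pkixParams.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath certPath = builder.build(pkixParams).getCertPath();
        // Now validate the CertPath, with CRL checking only when the
        // repository actually provides CRLs.
        if (enableRevocation) {
            List<X509CRL> crls = certRepo.getCRLs();
            if (!crls.isEmpty()) {
                pkixParams.setRevocationEnabled(true);
                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        LOG.log(Level.WARNING, "Invalid algorithm parameter by certificate chain validation. " + "It is likely that issuer certificates are not found in XKMS trusted storage. " + e.getMessage(), e);
        return false;
    } catch (NoSuchAlgorithmException e) {
        LOG.log(Level.WARNING, "Unknown algorithm by trust chain validation: " + e.getMessage(), e);
        return false;
    } catch (CertPathBuilderException e) {
        LOG.log(Level.WARNING, "Cannot build certification path: " + e.getMessage(), e);
        return false;
    } catch (CertPathValidatorException e) {
        LOG.log(Level.WARNING, "Cannot vaidate certification path: " + e.getMessage(), e);
        return false;
    }
    return true;
}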

Example 12 with CertPathBuilderException

use of java.security.cert.CertPathBuilderException in project gitblit by gitblit.

the class X509Utils method verifyChain.

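/**
 * Verifies that {@code testCert} chains to a self-signed certificate found
 * among {@code additionalCerts}.
 * <p>
 * Trust anchors are taken from {@code additionalCerts}: every self-signed
 * certificate in that array is treated as a root. The check therefore proves
 * that the supplied certificates form a consistent, signature-valid chain;
 * it does not compare the chain against any separately configured trust
 * store, and revocation checking is disabled.
 *
 * @param testCert the certificate to verify; must not be self-signed
 * @param additionalCerts intermediate and root certificates made available
 *                        to the path builder
 * @return the built and verified certification path
 * @throws RuntimeException if {@code testCert} is self-signed, if no
 *                          self-signed certificate is available as a trust
 *                          anchor, if no path can be built, or on any other
 *                          verification error (the original exception is
 *                          kept as the cause)
 */
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) {
    // Check for self-signed certificate. Done outside the try block so the
    // message reaches the caller directly instead of being re-wrapped by the
    // generic catch below as "Error verifying the certificate".
    if (isSelfSigned(testCert)) {
        throw new RuntimeException("The certificate is self-signed.  Nothing to verify.");
    }
    try {
        // Prepare a set of all certificates
        // chain builder must have all certs, including cert to validate
        // http://stackoverflow.com/a/10788392
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        certs.add(testCert);
        if (additionalCerts != null) {
            certs.addAll(Arrays.asList(additionalCerts));
        }
        // Attempt to build the certification chain and verify it
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(testCert);
        // Create the trust anchors (set of root CA certificates)
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        if (additionalCerts != null) {
            for (X509Certificate cert : additionalCerts) {
                if (isSelfSigned(cert)) {
                    trustAnchors.add(new TrustAnchor(cert, null));
                }
            }
        }
        // PKIXBuilderParameters rejects an empty anchor set anyway; fail with
        // a message that names the actual problem.
        if (trustAnchors.isEmpty()) {
            throw new RuntimeException("No self-signed certificate supplied to serve as a trust anchor for: " + testCert.getSubjectX500Principal());
        }
        // Configure the PKIX certificate builder
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.setRevocationEnabled(false);
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC));
        // Build and verify the certification chain
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC);
        PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams);
        // The chain is built and verified
        return verifiedCertChain;
    } catch (CertPathBuilderException e) {
        throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e);
    } catch (Exception e) {
        throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e);
    }
}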

Example 13 with CertPathBuilderException

use of java.security.cert.CertPathBuilderException in project XobotOS by xamarin.

the class PKIXCertPathBuilderSpi method engineBuild.

/**
 * Builds and validates a CertPath for the target certificate described by
 * the target constraints of the given parameters.
 * <p>
 * Candidate targets are gathered from both the parameters' BC stores and
 * their JCA cert stores and tried in iteration order until one yields a
 * path. If none does, the exception recorded by {@code build(...)} in
 * {@code certPathException} (if any) is reported as the cause.
 *
 * @param params a {@link PKIXBuilderParameters} or
 *               {@link ExtendedPKIXBuilderParameters}; its target
 *               constraints must be an {@code X509CertStoreSelector}
 * @return the first successfully built CertPath
 * @throws CertPathBuilderException if the target constraints have the wrong
 *         type, no candidate target matches, or no candidate yields a path
 * @throws InvalidAlgorithmParameterException if {@code params} is neither
 *         kind of PKIX builder parameters
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    boolean extended = params instanceof ExtendedPKIXBuilderParameters;
    if (!extended && !(params instanceof PKIXBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + ExtendedPKIXBuilderParameters.class.getName() + ".");
    }
    // Promote plain PKIX parameters to the extended form used by build(...).
    final ExtendedPKIXBuilderParameters pkixParams = extended
            ? (ExtendedPKIXBuilderParameters) params
            : (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance((PKIXBuilderParameters) params);

    // search target certificates
    Selector certSelect = pkixParams.getTargetConstraints();
    if (!(certSelect instanceof X509CertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509CertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    X509CertStoreSelector targetSelector = (X509CertStoreSelector) certSelect;
    Collection targets;
    try {
        targets = CertPathValidatorUtilities.findCertificates(targetSelector, pkixParams.getStores());
        targets.addAll(CertPathValidatorUtilities.findCertificates(targetSelector, pkixParams.getCertStores()));
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No certificate found matching targetContraints.");
    }

    // check all potential target certificates, stopping at the first path
    List certPathList = new ArrayList();
    CertPathBuilderResult result = null;
    for (Iterator targetIter = targets.iterator(); result == null && targetIter.hasNext();) {
        X509Certificate candidate = (X509Certificate) targetIter.next();
        result = build(candidate, pkixParams, certPathList);
    }
    if (result != null) {
        return result;
    }
    // NOTE(review): certPathException is instance state, not a local; if
    // build(...) does not reset it on every call, a value left over from an
    // earlier engineBuild could be reported here — confirm in build(...).
    if (certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    if (certPathException instanceof AnnotatedException) {
        throw new CertPathBuilderException(certPathException.getMessage(), certPathException.getCause());
    }
    throw new CertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
}

Example 14 with CertPathBuilderException

use of java.security.cert.CertPathBuilderException in project robovm by robovm.

the class CertPathBuilderExceptionTest method testCertPathBuilderException07.

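/**
 * Test for <code>CertPathBuilderException(String, Throwable)</code>
 * constructor Assertion: constructs CertPathBuilderException when
 * <code>cause</code> is null and <code>msg</code> is not null: the message
 * is returned unchanged and the cause is null.
 */
public void testCertPathBuilderException07() {
    for (String msg : msgs) {
        CertPathBuilderException tE = new CertPathBuilderException(msg, null);
        // assertEquals takes (message, expected, actual); the expected value
        // goes second so a failure report labels the two sides correctly.
        assertEquals("getMessage() must return: ".concat(msg), msg, tE.getMessage());
        assertNull("getCause() must return null", tE.getCause());
    }
}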

Example 15 with CertPathBuilderException

use of java.security.cert.CertPathBuilderException in project robovm by robovm.

the class CertPathBuilderExceptionTest method testCertPathBuilderException09.

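/**
 * Test for <code>CertPathBuilderException(String, Throwable)</code>
 * constructor Assertion: constructs CertPathBuilderException when
 * <code>cause</code> is not null and <code>msg</code> is not null: the
 * message contains <code>msg</code> (and, unless it equals <code>msg</code>
 * exactly, the cause's string form), and the cause is returned as given.
 */
public void testCertPathBuilderException09() {
    // Loop-invariant: the cause fixture does not change between iterations.
    String toS = tCause.toString();
    for (String msg : msgs) {
        CertPathBuilderException tE = new CertPathBuilderException(msg, tCause);
        String getM = tE.getMessage();
        if (msg.length() > 0) {
            assertTrue("getMessage() must contain ".concat(msg), getM.contains(msg));
            if (!getM.equals(msg)) {
                assertTrue("getMessage() should contain ".concat(toS), getM.contains(toS));
            }
        }
        assertNotNull("getCause() must not return null", tE.getCause());
        // assertEquals takes (message, expected, actual); expected goes second.
        assertEquals("getCause() must return ".concat(toS), tCause, tE.getCause());
    }
}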
