Example 21 with CertPathBuilderException
use of java.security.cert.CertPathBuilderException in project oxAuth by GluuFederation.
the class PathCertificateVerifier method verifyCertificate.
public PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, List<X509Certificate> additionalCerts) {
try {
// Check for self-signed certificate
if (!verifySelfSignedCertificate && isSelfSigned(certificate)) {
log.error("The certificate is self-signed!");
return null;
}
// Prepare a set of trusted root CA certificates and a set of
// intermediate certificates
Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
for (X509Certificate additionalCert : additionalCerts) {
if (isSelfSigned(additionalCert)) {
trustedRootCerts.add(additionalCert);
} else {
intermediateCerts.add(additionalCert);
}
}
// Attempt to build the certification chain and verify it
PKIXCertPathBuilderResult certPathBuilderResult = verifyCertificate(certificate, trustedRootCerts, intermediateCerts);
// Check that first certificate is an EE certificate
CertPath certPath = certPathBuilderResult.getCertPath();
List<? extends Certificate> certList = certPath.getCertificates();
X509Certificate cert = (X509Certificate) certList.get(0);
if (cert.getBasicConstraints() != -1) {
log.error("Target certificate is not an EE certificate!");
return null;
}
// The chain is verified. Return it as a result
return certPathBuilderResult;
} catch (CertPathBuilderException ex) {
log.error("Failed to build certificate path", ex);
} catch (GeneralSecurityException ex) {
log.error("Failed to build certificate path", ex);
}
return null;
}
Also used :
CertPathBuilderException(java.security.cert.CertPathBuilderException)
PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPath(java.security.cert.CertPath)
X509Certificate(java.security.cert.X509Certificate)
HashSet(java.util.HashSet)
Example 22 with CertPathBuilderException
use of java.security.cert.CertPathBuilderException in project cloudstack by apache.
the class CertServiceImpl method validateChain.
private void validateChain(final List<Certificate> chain, final Certificate cert) {
final List<Certificate> certs = new ArrayList<Certificate>();
final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
// adding for self signed certs
certs.add(cert);
certs.addAll(chain);
for (final Certificate c : certs) {
if (!(c instanceof X509Certificate)) {
throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
}
final X509Certificate xCert = (X509Certificate) c;
anchors.add(new TrustAnchor(xCert, null));
}
final X509CertSelector target = new X509CertSelector();
target.setCertificate((X509Certificate) cert);
PKIXBuilderParameters params = null;
try {
params = new PKIXBuilderParameters(anchors, target);
params.setRevocationEnabled(false);
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
builder.build(params);
} catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
throw new IllegalStateException("Invalid certificate chain", e);
} catch (final NoSuchProviderException e) {
throw new CloudRuntimeException("No provider for certificate validation", e);
}
}
Also used :
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters)
ArrayList(java.util.ArrayList)
TrustAnchor(java.security.cert.TrustAnchor)
X509CertSelector(java.security.cert.X509CertSelector)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
X509Certificate(java.security.cert.X509Certificate)
CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException)
CertPathBuilder(java.security.cert.CertPathBuilder)
NoSuchProviderException(java.security.NoSuchProviderException)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
HashSet(java.util.HashSet)
Aggregations
CertPathBuilderException (java.security.cert.CertPathBuilderException)22
X509Certificate (java.security.cert.X509Certificate)9
CertPathBuilder (java.security.cert.CertPathBuilder)7
PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)7
ArrayList (java.util.ArrayList)7
IOException (java.io.IOException)5
GeneralSecurityException (java.security.GeneralSecurityException)5
CertPathBuilderResult (java.security.cert.CertPathBuilderResult)5
PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)5
HashSet (java.util.HashSet)5
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)4
CertPathValidatorException (java.security.cert.CertPathValidatorException)4
X509CertSelector (java.security.cert.X509CertSelector)4
Collection (java.util.Collection)4
Iterator (java.util.Iterator)4
List (java.util.List)4
ExtendedPKIXBuilderParameters (org.bouncycastle.x509.ExtendedPKIXBuilderParameters)4
X509CertStoreSelector (org.bouncycastle.x509.X509CertStoreSelector)4
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)3
CertPath (java.security.cert.CertPath)3
