
Example 21 with CertPathBuilderException

Use of java.security.cert.CertPathBuilderException in the project oxAuth by GluuFederation.

From the class PathCertificateVerifier, method verifyCertificate.

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Members of PathCertificateVerifier that this excerpt relies on but does not show:
// the logger `log`, the boolean `verifySelfSignedCertificate`, the helper
// `isSelfSigned(X509Certificate)`, and the overloaded
// `verifyCertificate(X509Certificate, Set<X509Certificate>, Set<X509Certificate>)`
// that runs the PKIX CertPathBuilder against the given roots and intermediates.
public PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, List<X509Certificate> additionalCerts) {
    try {
        // Check for self-signed certificate; rejected unless explicitly allowed
        if (!verifySelfSignedCertificate && isSelfSigned(certificate)) {
            log.error("The certificate is self-signed!");
            return null;
        }
        // Prepare a set of trusted root CA certificates and a set of
        // intermediate certificates. Only self-signed certificates from the
        // caller-supplied list become trust anchors.
        Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
        Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
        for (X509Certificate additionalCert : additionalCerts) {
            if (isSelfSigned(additionalCert)) {
                trustedRootCerts.add(additionalCert);
            } else {
                intermediateCerts.add(additionalCert);
            }
        }
        // Attempt to build the certification chain and verify it
        PKIXCertPathBuilderResult certPathBuilderResult = verifyCertificate(certificate, trustedRootCerts, intermediateCerts);
        // Check that the first certificate is an end-entity (EE) certificate:
        // getBasicConstraints() returns -1 when the cert is not a CA
        CertPath certPath = certPathBuilderResult.getCertPath();
        List<? extends Certificate> certList = certPath.getCertificates();
        X509Certificate cert = (X509Certificate) certList.get(0);
        if (cert.getBasicConstraints() != -1) {
            log.error("Target certificate is not an EE certificate!");
            return null;
        }
        // The chain is verified. Return it as a result
        return certPathBuilderResult;
    } catch (CertPathBuilderException ex) {
        // Subclass of GeneralSecurityException, so it must be caught first
        log.error("Failed to build certificate path", ex);
    } catch (GeneralSecurityException ex) {
        log.error("Failed to build certificate path", ex);
    }
    return null;
}

Example 22 with CertPathBuilderException

Use of java.security.cert.CertPathBuilderException in the project cloudstack by apache.

From the class CertServiceImpl, method validateChain.

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.cloud.utils.exception.CloudRuntimeException;

private void validateChain(final List<Certificate> chain, final Certificate cert) {
    final List<Certificate> certs = new ArrayList<Certificate>();
    final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    // adding for self signed certs
    certs.add(cert);
    certs.addAll(chain);
    // Every supplied certificate, including the end-entity certificate itself,
    // becomes a trust anchor. The build below therefore checks that the supplied
    // certificates form a consistent, correctly signed chain; it does not by
    // itself tie that chain to an externally trusted root.
    for (final Certificate c : certs) {
        if (!(c instanceof X509Certificate)) {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
        final X509Certificate xCert = (X509Certificate) c;
        anchors.add(new TrustAnchor(xCert, null));
    }
    // The path is built from the end-entity certificate towards one of the anchors
    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);
    PKIXBuilderParameters params = null;
    try {
        params = new PKIXBuilderParameters(anchors, target);
        // Revocation (CRL/OCSP) checking is explicitly disabled
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        // Requires the Bouncy Castle provider ("BC") to be registered
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        builder.build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}
