Search in sources :

Example 26 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project robovm by robovm.

the class PKIXCertPathBuilderSpi method engineBuild.

/**
     * Build and validate a CertPath using the given parameter.
     * 
     * @param params PKIXBuilderParameters object containing all information to
     *            build the CertPath
     */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + ExtendedPKIXBuilderParameters.class.getName() + ".");
    }
    ExtendedPKIXBuilderParameters pkixParams = null;
    if (params instanceof ExtendedPKIXBuilderParameters) {
        pkixParams = (ExtendedPKIXBuilderParameters) params;
    } else {
        pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance((PKIXBuilderParameters) params);
    }
    Collection targets;
    Iterator targetIter;
    List certPathList = new ArrayList();
    X509Certificate cert;
    // search target certificates
    Selector certSelect = pkixParams.getTargetConstraints();
    if (!(certSelect instanceof X509CertStoreSelector)) {
        throw new CertPathBuilderException("TargetConstraints must be an instance of " + X509CertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class.");
    }
    try {
        targets = CertPathValidatorUtilities.findCertificates((X509CertStoreSelector) certSelect, pkixParams.getStores());
        targets.addAll(CertPathValidatorUtilities.findCertificates((X509CertStoreSelector) certSelect, pkixParams.getCertStores()));
    } catch (AnnotatedException e) {
        throw new ExtCertPathBuilderException("Error finding target certificate.", e);
    }
    if (targets.isEmpty()) {
        throw new CertPathBuilderException("No certificate found matching targetContraints.");
    }
    CertPathBuilderResult result = null;
    // check all potential target certificates
    targetIter = targets.iterator();
    while (targetIter.hasNext() && result == null) {
        cert = (X509Certificate) targetIter.next();
        result = build(cert, pkixParams, certPathList);
    }
    if (result == null && certPathException != null) {
        if (certPathException instanceof AnnotatedException) {
            throw new CertPathBuilderException(certPathException.getMessage(), certPathException.getCause());
        }
        throw new CertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
    }
    if (result == null && certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    return result;
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) ExtendedPKIXBuilderParameters(org.bouncycastle.x509.ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters(org.bouncycastle.x509.ExtendedPKIXBuilderParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertStoreSelector(org.bouncycastle.x509.X509CertStoreSelector) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) ExtCertPathBuilderException(org.bouncycastle.jce.exception.ExtCertPathBuilderException) CertPathBuilderException(java.security.cert.CertPathBuilderException) Iterator(java.util.Iterator) ExtCertPathBuilderException(org.bouncycastle.jce.exception.ExtCertPathBuilderException) Collection(java.util.Collection) ArrayList(java.util.ArrayList) List(java.util.List) Selector(org.bouncycastle.util.Selector) X509CertStoreSelector(org.bouncycastle.x509.X509CertStoreSelector)

Example 27 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project jdk8u_jdk by JetBrains.

the class NoExtensions method doBuild.

private void doBuild(X509Certificate userCert) throws Exception {
    // get the set of trusted CA certificates (only one in this instance)
    HashSet trustAnchors = new HashSet();
    X509Certificate trustedCert = getTrustedCertificate();
    trustAnchors.add(new TrustAnchor(trustedCert, null));
    // put together a CertStore (repository of the certificates and CRLs)
    ArrayList certs = new ArrayList();
    certs.add(trustedCert);
    certs.add(userCert);
    CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
    CertStore certStore = CertStore.getInstance("Collection", certStoreParams);
    // specify the target certificate via a CertSelector
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(userCert);
    // seems to be required
    certSelector.setSubject(userCert.getSubjectDN().getName());
    // build a valid cerificate path
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
    PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
    certPathBuilderParams.addCertStore(certStore);
    certPathBuilderParams.setRevocationEnabled(false);
    CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);
    // get and show cert path
    CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) ArrayList(java.util.ArrayList) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath) CertStore(java.security.cert.CertStore) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)

Example 28 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project Spark by igniterealtime.

the class SparkExceptionsTrustManager method validatePath.

/**
 * Validate certificate path. As it is exception, no checks against revocation or time validity are done but path
 * still have to be validated in order to find connection between certificate presented by server and root CA in
 * KeyStore
 *
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as it exceptions list
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // no checks against revocation as it is exception
    parameters.setRevocationEnabled(false);
    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    } else {
        Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
    }
}
Also used : CertPathValidator(java.security.cert.CertPathValidator) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) CertificateException(java.security.cert.CertificateException) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath) X509Certificate(java.security.cert.X509Certificate)

Example 29 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project LinLong-Java by zhenwei1108.

the class PKIXCertPathBuilderSpi method build.

protected CertPathBuilderResult build(X509Certificate tbvCert, PKIXExtendedBuilderParameters pkixParams, List tbvPath) {
    // PKI graph.
    if (tbvPath.contains(tbvCert)) {
        return null;
    }
    // chain.
    if (pkixParams.getExcludedCerts().contains(tbvCert)) {
        return null;
    }
    // test if certificate path exceeds maximum length
    if (pkixParams.getMaxPathLength() != -1) {
        if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) {
            return null;
        }
    }
    tbvPath.add(tbvCert);
    CertificateFactory cFact;
    PKIXCertPathValidatorSpi validator;
    CertPathBuilderResult builderResult = null;
    try {
        cFact = new CertificateFactory();
        validator = new PKIXCertPathValidatorSpi(isForCRLCheck);
    } catch (Exception e) {
        // cannot happen
        throw new RuntimeException("Exception creating support classes.");
    }
    try {
        // check whether the issuer of <tbvCert> is a TrustAnchor
        if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(), pkixParams.getBaseParameters().getSigProvider())) {
            // exception message from possibly later tried certification
            // chains
            CertPath certPath = null;
            PKIXCertPathValidatorResult result = null;
            try {
                certPath = cFact.engineGenerateCertPath(tbvPath);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be constructed from certificate list.", e);
            }
            try {
                result = (PKIXCertPathValidatorResult) validator.engineValidate(certPath, pkixParams);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be validated.", e);
            }
            return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), result.getPublicKey());
        } else {
            List stores = new ArrayList();
            stores.addAll(pkixParams.getBaseParameters().getCertificateStores());
            // add additional X.509 stores from locations in certificate
            try {
                stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap()));
            } catch (CertificateParsingException e) {
                throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.", e);
            }
            Collection issuers = new HashSet();
            // of the stores
            try {
                issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores));
            } catch (AnnotatedException e) {
                throw new AnnotatedException("Cannot find issuer certificate for certificate in certification path.", e);
            }
            if (issuers.isEmpty()) {
                throw new AnnotatedException("No issuer certificate for certificate in certification path found.");
            }
            Iterator it = issuers.iterator();
            while (it.hasNext() && builderResult == null) {
                X509Certificate issuer = (X509Certificate) it.next();
                builderResult = build(issuer, pkixParams, tbvPath);
            }
        }
    } catch (AnnotatedException e) {
        certPathException = e;
    }
    if (builderResult == null) {
        tbvPath.remove(tbvCert);
    }
    return builderResult;
}
Also used : CertificateParsingException(java.security.cert.CertificateParsingException) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) CertificateFactory(com.github.zhenwei.provider.jcajce.provider.asymmetric.x509.CertificateFactory) CertificateParsingException(java.security.cert.CertificateParsingException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) CertPathBuilderException(java.security.cert.CertPathBuilderException) X509Certificate(java.security.cert.X509Certificate) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) Iterator(java.util.Iterator) Collection(java.util.Collection) ArrayList(java.util.ArrayList) List(java.util.List) CertPath(java.security.cert.CertPath) HashSet(java.util.HashSet)

Example 30 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project LinLong-Java by zhenwei1108.

the class PKIXCertPathBuilderSpi_8 method build.

protected CertPathBuilderResult build(X509Certificate tbvCert, PKIXExtendedBuilderParameters pkixParams, List tbvPath) {
    // PKI graph.
    if (tbvPath.contains(tbvCert)) {
        return null;
    }
    // chain.
    if (pkixParams.getExcludedCerts().contains(tbvCert)) {
        return null;
    }
    // test if certificate path exceeds maximum length
    if (pkixParams.getMaxPathLength() != -1) {
        if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) {
            return null;
        }
    }
    tbvPath.add(tbvCert);
    CertPathBuilderResult builderResult = null;
    try {
        CertificateFactory cFact;
        PKIXCertPathValidatorSpi_8 validator;
        try {
            cFact = new CertificateFactory();
            validator = new PKIXCertPathValidatorSpi_8(isForCRLCheck);
        } catch (Exception e) {
            // cannot happen
            throw new RuntimeException("Exception creating support classes.");
        }
        // check whether the issuer of <tbvCert> is a TrustAnchor
        if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(), pkixParams.getBaseParameters().getSigProvider())) {
            // exception message from possibly later tried certification
            // chains
            CertPath certPath = null;
            PKIXCertPathValidatorResult result = null;
            try {
                certPath = cFact.engineGenerateCertPath(tbvPath);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be constructed from certificate list.", e);
            }
            try {
                result = (PKIXCertPathValidatorResult) validator.engineValidate(certPath, pkixParams);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be validated.", e);
            }
            return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), result.getPublicKey());
        } else {
            List stores = new ArrayList();
            stores.addAll(pkixParams.getBaseParameters().getCertificateStores());
            // add additional X.509 stores from locations in certificate
            try {
                stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap()));
            } catch (CertificateParsingException e) {
                throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.", e);
            }
            Collection issuers = new HashSet();
            // of the stores
            try {
                issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores));
            } catch (AnnotatedException e) {
                throw new AnnotatedException("Cannot find issuer certificate for certificate in certification path.", e);
            }
            if (issuers.isEmpty()) {
                throw new AnnotatedException("No issuer certificate for certificate in certification path found.");
            }
            Iterator it = issuers.iterator();
            while (it.hasNext() && builderResult == null) {
                X509Certificate issuer = (X509Certificate) it.next();
                builderResult = build(issuer, pkixParams, tbvPath);
            }
        }
    } catch (AnnotatedException e) {
        certPathException = e;
    }
    if (builderResult == null) {
        tbvPath.remove(tbvCert);
    }
    return builderResult;
}
Also used : CertificateParsingException(java.security.cert.CertificateParsingException) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) CertificateFactory(com.github.zhenwei.provider.jcajce.provider.asymmetric.x509.CertificateFactory) CertificateParsingException(java.security.cert.CertificateParsingException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) CertPathBuilderException(java.security.cert.CertPathBuilderException) X509Certificate(java.security.cert.X509Certificate) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) Iterator(java.util.Iterator) Collection(java.util.Collection) ArrayList(java.util.ArrayList) List(java.util.List) CertPath(java.security.cert.CertPath) HashSet(java.util.HashSet)

Aggregations

CertPathBuilderResult (java.security.cert.CertPathBuilderResult)32 X509Certificate (java.security.cert.X509Certificate)18 CertPathBuilderException (java.security.cert.CertPathBuilderException)15 PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)15 CertPath (java.security.cert.CertPath)14 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)14 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)13 ArrayList (java.util.ArrayList)13 CertPathBuilder (java.security.cert.CertPathBuilder)12 X509CertSelector (java.security.cert.X509CertSelector)11 Iterator (java.util.Iterator)11 Collection (java.util.Collection)10 PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)8 List (java.util.List)8 CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)7 HashSet (java.util.HashSet)7 CertPathValidator (java.security.cert.CertPathValidator)6 CertificateException (java.security.cert.CertificateException)6 TrustAnchor (java.security.cert.TrustAnchor)6 PKIXExtendedParameters (com.github.zhenwei.provider.jcajce.PKIXExtendedParameters)5