Search in sources :

Example 81 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

the class RFC3280CertPathUtilities method prepareNextCertM.

protected static int prepareNextCertM(CertPath certPath, int index, int maxPathLength) throws CertPathValidatorException {
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate) certs.get(index);
    //
    // (m)
    //
    BasicConstraints bc = null;
    try {
        bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
    } catch (Exception e) {
        throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, index);
    }
    if (bc != null) {
        BigInteger _pathLengthConstraint = bc.getPathLenConstraint();
        if (_pathLengthConstraint != null) {
            int _plc = _pathLengthConstraint.intValue();
            if (_plc < maxPathLength) {
                return _plc;
            }
        }
    }
    return maxPathLength;
}
Also used : ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) BigInteger(java.math.BigInteger) List(java.util.List) ArrayList(java.util.ArrayList) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) X509Certificate(java.security.cert.X509Certificate) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)

Example 82 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.

the class ForwardBuilder method verifyCert.

/**
     * Verifies a matching certificate.
     *
     * This method executes the validation steps in the PKIX path
     * validation algorithm <draft-ietf-pkix-new-part1-08.txt> which were
     * not satisfied by the selection criteria used by getCertificates()
     * to find the certs and only the steps that can be executed in a
     * forward direction (target to trust anchor). Those steps that can
     * only be executed in a reverse direction are deferred until the
     * complete path has been built.
     *
     * Trust anchor certs are not validated, but are used to verify the
     * signature and revocation status of the previous cert.
     *
     * If the last certificate is being verified (the one whose subject
     * matches the target subject, then steps in 6.1.4 of the PKIX
     * Certification Path Validation algorithm are NOT executed,
     * regardless of whether or not the last cert is an end-entity
     * cert or not. This allows callers to certify CA certs as
     * well as EE certs.
     *
     * @param cert the certificate to be verified
     * @param currentState the current state against which the cert is verified
     * @param certPathList the certPathList generated thus far
     */
@Override
void verifyCert(X509Certificate cert, State currentState, List<X509Certificate> certPathList) throws GeneralSecurityException {
    if (debug != null) {
        debug.println("ForwardBuilder.verifyCert(SN: " + Debug.toHexString(cert.getSerialNumber()) + "\n  Issuer: " + cert.getIssuerX500Principal() + ")" + "\n  Subject: " + cert.getSubjectX500Principal() + ")");
    }
    ForwardState currState = (ForwardState) currentState;
    // Don't bother to verify untrusted certificate more.
    currState.untrustedChecker.check(cert, Collections.<String>emptySet());
    /*
         * check for looping - abort a loop if we encounter the same
         * certificate twice
         */
    if (certPathList != null) {
        for (X509Certificate cpListCert : certPathList) {
            if (cert.equals(cpListCert)) {
                if (debug != null) {
                    debug.println("loop detected!!");
                }
                throw new CertPathValidatorException("loop detected");
            }
        }
    }
    /* check if trusted cert */
    boolean isTrustedCert = trustedCerts.contains(cert);
    /* we don't perform any validation of the trusted cert */
    if (!isTrustedCert) {
        /*
             * Check CRITICAL private extensions for user checkers that
             * support forward checking (forwardCheckers) and remove
             * ones we know how to check.
             */
        Set<String> unresCritExts = cert.getCriticalExtensionOIDs();
        if (unresCritExts == null) {
            unresCritExts = Collections.<String>emptySet();
        }
        for (PKIXCertPathChecker checker : currState.forwardCheckers) {
            checker.check(cert, unresCritExts);
        }
        /*
             * Remove extensions from user checkers that don't support
             * forward checking. After this step, we will have removed
             * all extensions that all user checkers are capable of
             * processing.
             */
        for (PKIXCertPathChecker checker : buildParams.certPathCheckers()) {
            if (!checker.isForwardCheckingSupported()) {
                Set<String> supportedExts = checker.getSupportedExtensions();
                if (supportedExts != null) {
                    unresCritExts.removeAll(supportedExts);
                }
            }
        }
        /*
             * Look at the remaining extensions and remove any ones we know how
             * to check. If there are any left, throw an exception!
             */
        if (!unresCritExts.isEmpty()) {
            unresCritExts.remove(BasicConstraints_Id.toString());
            unresCritExts.remove(NameConstraints_Id.toString());
            unresCritExts.remove(CertificatePolicies_Id.toString());
            unresCritExts.remove(PolicyMappings_Id.toString());
            unresCritExts.remove(PolicyConstraints_Id.toString());
            unresCritExts.remove(InhibitAnyPolicy_Id.toString());
            unresCritExts.remove(SubjectAlternativeName_Id.toString());
            unresCritExts.remove(KeyUsage_Id.toString());
            unresCritExts.remove(ExtendedKeyUsage_Id.toString());
            if (!unresCritExts.isEmpty())
                throw new CertPathValidatorException("Unrecognized critical extension(s)", null, null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
        }
    }
    /*
         * if this is the target certificate (init=true), then we are
         * not able to do any more verification, so just return
         */
    if (currState.isInitial()) {
        return;
    }
    /* we don't perform any validation of the trusted cert */
    if (!isTrustedCert) {
        /* Make sure this is a CA cert */
        if (cert.getBasicConstraints() == -1) {
            throw new CertificateException("cert is NOT a CA cert");
        }
        /*
             * Check keyUsage extension
             */
        KeyChecker.verifyCAKeyUsage(cert);
    }
    /*
         * Check signature only if no key requiring key parameters has been
         * encountered.
         */
    if (!currState.keyParamsNeeded()) {
        (currState.cert).verify(cert.getPublicKey(), buildParams.sigProvider());
    }
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) PKIXCertPathChecker(java.security.cert.PKIXCertPathChecker) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate)

Example 83 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.

the class AlgorithmChecker method check.

@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    if (!(cert instanceof X509Certificate) || constraints == null) {
        // ignore the check for non-x.509 certificate or null constraints
        return;
    }
    // check the key usage and key size
    boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
    if (keyUsage != null && keyUsage.length < 9) {
        throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
    }
    X509CertImpl x509Cert;
    AlgorithmId algorithmId;
    try {
        x509Cert = X509CertImpl.toImpl((X509Certificate) cert);
        algorithmId = (AlgorithmId) x509Cert.get(X509CertImpl.SIG_ALG);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
    AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
    PublicKey currPubKey = cert.getPublicKey();
    String currSigAlg = ((X509Certificate) cert).getSigAlgName();
    // Check the signature algorithm and parameters against constraints.
    if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, currSigAlgParams)) {
        throw new CertPathValidatorException("Algorithm constraints check failed on signature " + "algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
    // Assume all key usage bits are set if key usage is not present
    Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
    if (keyUsage != null) {
        primitives = EnumSet.noneOf(CryptoPrimitive.class);
        if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
            // keyUsage[0]: KeyUsage.digitalSignature
            // keyUsage[1]: KeyUsage.nonRepudiation
            // keyUsage[5]: KeyUsage.keyCertSign
            // keyUsage[6]: KeyUsage.cRLSign
            primitives.add(CryptoPrimitive.SIGNATURE);
        }
        if (keyUsage[2]) {
            // KeyUsage.keyEncipherment
            primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
        }
        if (keyUsage[3]) {
            // KeyUsage.dataEncipherment
            primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
        }
        if (keyUsage[4]) {
            // KeyUsage.keyAgreement
            primitives.add(CryptoPrimitive.KEY_AGREEMENT);
        }
        if (primitives.isEmpty()) {
            throw new CertPathValidatorException("incorrect KeyUsage extension bits", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
        }
    }
    ConstraintsParameters cp = new ConstraintsParameters((X509Certificate) cert, trustedMatch, pkixdate, jarTimestamp, variant);
    // Check against local constraints if it is DisabledAlgorithmConstraints
    if (constraints instanceof DisabledAlgorithmConstraints) {
        ((DisabledAlgorithmConstraints) constraints).permits(currSigAlg, cp);
    // DisabledAlgorithmsConstraints does not check primitives, so key
    // additional key check.
    } else {
        // Perform the default constraints checking anyway.
        certPathDefaultConstraints.permits(currSigAlg, cp);
        // Call locally set constraints to check key with primitives.
        if (!constraints.permits(primitives, currPubKey)) {
            throw new CertPathValidatorException("Algorithm constraints check failed on key " + currPubKey.getAlgorithm() + " with size of " + sun.security.util.KeyUtil.getKeySize(currPubKey) + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
        }
    }
    // If there is no previous key, set one and exit
    if (prevPubKey == null) {
        prevPubKey = currPubKey;
        return;
    }
    // Check with previous cert for signature algorithm and public key
    if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, prevPubKey, currSigAlgParams)) {
        throw new CertPathValidatorException("Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
    // Inherit key parameters from previous key
    if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
        // Inherit DSA parameters from previous key
        if (!(prevPubKey instanceof DSAPublicKey)) {
            throw new CertPathValidatorException("Input key is not " + "of a appropriate type for inheriting parameters");
        }
        DSAParams params = ((DSAPublicKey) prevPubKey).getParams();
        if (params == null) {
            throw new CertPathValidatorException("Key parameters missing from public key.");
        }
        try {
            BigInteger y = ((DSAPublicKey) currPubKey).getY();
            KeyFactory kf = KeyFactory.getInstance("DSA");
            DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG());
            currPubKey = kf.generatePublic(ks);
        } catch (GeneralSecurityException e) {
            throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e);
        }
    }
    // reset the previous public key
    prevPubKey = currPubKey;
}
Also used : DisabledAlgorithmConstraints(sun.security.util.DisabledAlgorithmConstraints) CryptoPrimitive(java.security.CryptoPrimitive) PublicKey(java.security.PublicKey) DSAPublicKey(java.security.interfaces.DSAPublicKey) GeneralSecurityException(java.security.GeneralSecurityException) CertificateException(java.security.cert.CertificateException) DSAParams(java.security.interfaces.DSAParams) ConstraintsParameters(sun.security.util.ConstraintsParameters) X509Certificate(java.security.cert.X509Certificate) DSAPublicKey(java.security.interfaces.DSAPublicKey) CertPathValidatorException(java.security.cert.CertPathValidatorException) AlgorithmId(sun.security.x509.AlgorithmId) X509CertImpl(sun.security.x509.X509CertImpl) BigInteger(java.math.BigInteger) KeyFactory(java.security.KeyFactory) AlgorithmParameters(java.security.AlgorithmParameters) DSAPublicKeySpec(java.security.spec.DSAPublicKeySpec)

Example 84 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.

the class AlgorithmChecker method check.

/**
     * Check the signature algorithm with the specified public key.
     *
     * @param key the public key to verify the CRL signature
     * @param crl the target CRL
     * @param variant is the Validator variants of the operation. A null value
     *                passed will set it to Validator.GENERIC.
     */
static void check(PublicKey key, X509CRL crl, String variant) throws CertPathValidatorException {
    X509CRLImpl x509CRLImpl = null;
    try {
        x509CRLImpl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }
    AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
    check(key, algorithmId, variant);
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) AlgorithmId(sun.security.x509.AlgorithmId) X509CRLImpl(sun.security.x509.X509CRLImpl) CRLException(java.security.cert.CRLException)

Example 85 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project jdk8u_jdk by JetBrains.

the class BasicChecker method makeInheritedParamsKey.

/**
     * Internal method to create a new key with inherited key parameters.
     *
     * @param keyValueKey key from which to obtain key value
     * @param keyParamsKey key from which to obtain key parameters
     * @return new public key having value and parameters
     * @throws CertPathValidatorException if keys are not appropriate types
     * for this operation
     */
static PublicKey makeInheritedParamsKey(PublicKey keyValueKey, PublicKey keyParamsKey) throws CertPathValidatorException {
    if (!(keyValueKey instanceof DSAPublicKey) || !(keyParamsKey instanceof DSAPublicKey))
        throw new CertPathValidatorException("Input key is not " + "appropriate type for " + "inheriting parameters");
    DSAParams params = ((DSAPublicKey) keyParamsKey).getParams();
    if (params == null)
        throw new CertPathValidatorException("Key parameters missing");
    try {
        BigInteger y = ((DSAPublicKey) keyValueKey).getY();
        KeyFactory kf = KeyFactory.getInstance("DSA");
        DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG());
        return kf.generatePublic(ks);
    } catch (GeneralSecurityException e) {
        throw new CertPathValidatorException("Unable to generate key with" + " inherited parameters: " + e.getMessage(), e);
    }
}
Also used : CertPathValidatorException(java.security.cert.CertPathValidatorException) GeneralSecurityException(java.security.GeneralSecurityException) BigInteger(java.math.BigInteger) DSAParams(java.security.interfaces.DSAParams) KeyFactory(java.security.KeyFactory) DSAPublicKey(java.security.interfaces.DSAPublicKey) DSAPublicKeySpec(java.security.spec.DSAPublicKeySpec)

Aggregations

CertPathValidatorException (java.security.cert.CertPathValidatorException)102 IOException (java.io.IOException)46 X509Certificate (java.security.cert.X509Certificate)44 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)36 ArrayList (java.util.ArrayList)35 GeneralSecurityException (java.security.GeneralSecurityException)32 List (java.util.List)30 CertPathBuilderException (java.security.cert.CertPathBuilderException)25 CertificateExpiredException (java.security.cert.CertificateExpiredException)24 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)24 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)23 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)23 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)21 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)18 Enumeration (java.util.Enumeration)15 Iterator (java.util.Iterator)15 CertPath (java.security.cert.CertPath)13 CertificateException (java.security.cert.CertificateException)13 HashSet (java.util.HashSet)12 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)10