

From class OCSP, method check().

/**
     * Queries an OCSP responder for the revocation status of one or more
     * certificates and returns the verified response.
     *
     * <p>If the caller put an OCSP nonce extension into {@code extensions},
     * its value is remembered and handed to {@code OCSPResponse.verify} so
     * that the responder can be required to echo it back (replay
     * protection).  Should the list contain more than one nonce extension,
     * the last one in list order is the value that is checked.
     *
     * <p>Every {@code IOException} raised inside the try block -- from the
     * transport in {@code getOCSPBytes} or from constructing the
     * {@code OCSPResponse} from the received bytes -- is wrapped into a
     * {@code CertPathValidatorException} whose reason is
     * {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}, i.e. callers see
     * "status could not be determined" rather than a hard failure.  The
     * declared {@code IOException} is retained for source compatibility.
     *
     * @param certIds the CertIds to be checked
     * @param responderURI the URI of the OCSP responder
     * @param issuerInfo the issuer's certificate and/or subject and public key
     * @param responderCert the OCSP responder's certificate
     * @param date the time the validity of the OCSP responder's certificate
     *    should be checked against. If null, the current time is used.
     * @param extensions zero or more OCSP extensions to be included in the
     *    request.  If no extensions are requested, an empty {@code List} must
     *    be used.  A {@code null} value is not allowed.
     * @param variant usage variant, forwarded unchanged to
     *    {@code OCSPResponse.verify}
     * @return the OCSPResponse
     * @throws IOException if there is an exception connecting to or
     *    communicating with the OCSP responder
     * @throws CertPathValidatorException if an exception occurs while
     *    encoding the OCSP Request or validating the OCSP Response
     */
static OCSPResponse check(List<CertId> certIds, URI responderURI, OCSPResponse.IssuerInfo issuerInfo, X509Certificate responderCert, Date date, List<Extension> extensions, String variant) throws IOException, CertPathValidatorException {
    // Locate the request nonce (if any) so the response can be matched to it.
    final String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] requestNonce = null;
    for (Extension requestExt : extensions) {
        if (requestExt.getId().equals(nonceOid)) {
            requestNonce = requestExt.getValue();
        }
    }
    final OCSPResponse verified;
    try {
        byte[] rawResponse = getOCSPBytes(certIds, responderURI, extensions);
        verified = new OCSPResponse(rawResponse);
        // Check the response against the request (certIds, nonce) and the
        // responder certificate before handing it back.
        verified.verify(certIds, issuerInfo, responderCert, date, requestNonce, variant);
    } catch (IOException ioe) {
        throw new CertPathValidatorException("Unable to determine revocation status due to network error", ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    return verified;
}

From class GetMessage, method main().

/**
     * Regression test for {@code CertPathValidatorException(Throwable cause)}:
     * the detail message must be {@code cause.toString()} (or null for a null
     * cause), as that constructor's specification promises.
     *
     * <p>Mismatches are printed and recorded in the {@code failed} flag rather
     * than aborting immediately, so every case is reported before the test
     * is failed with a single exception.
     */
public static void main(String[] args) throws Exception {
    Throwable[] causes = { new Throwable(), new Throwable("message"), new Throwable("message", new Throwable()) };
    for (Throwable cause : causes) {
        CertPathValidatorException cpve = new CertPathValidatorException(cause);
        // Spec: detail message == (cause == null ? null : cause.toString())
        String expected = null;
        if (cause != null) {
            expected = cause.toString();
        }
        String actual = cpve.getMessage();
        boolean same;
        if (expected == null) {
            same = (actual == null);
        } else {
            same = expected.equals(actual);
        }
        if (!same) {
            System.out.println("expected message:" + expected);
            System.out.println("getMessage():" + actual);
            failed = true;
        }
    }
    if (failed) {
        throw new Exception("Some tests FAILED");
    }
}

From class PKIXMasterCertPathValidator, method validate().

/**
     * Runs the PKIX certification path validation loop over a reversed chain
     * (trust-anchor end first, end-entity last), feeding every certificate to
     * every configured {@code PKIXCertPathChecker}.  The checkers are assumed
     * to be initialized with whatever parameters they need; each one is told
     * to start over in forward order ({@code init(false)}) when the first
     * certificate is processed.
     *
     * <p>Two failure paths exist.  A checker that throws has its exception
     * re-thrown with the <em>original</em> {@code CertPath} and the index
     * translated back into the caller's ordering ({@code cpSize - (i + 1)}),
     * so the reported position refers to the path the user passed in.
     * Independently, any critical extension OID left in the set after all
     * checkers ran (per the {@code PKIXCertPathChecker.check} contract, a
     * checker removes the OIDs it handles) causes rejection with
     * {@code PKIXReason.UNRECOGNIZED_CRIT_EXT}.  This is the RFC 5280
     * Section 4.2 rule that an unrecognized critical extension is fatal, and
     * it is applied to every certificate in the path, not just the leaf.
     *
     * @param cpOriginal the original X509 CertPath passed in by the user
     * @param reversedCertList the reversed X509 CertPath (as a List)
     * @param certPathCheckers the PKIXCertPathCheckers
     * @throws CertPathValidatorException if cert path does not validate
     */
static void validate(CertPath cpOriginal, List<X509Certificate> reversedCertList, List<PKIXCertPathChecker> certPathCheckers) throws CertPathValidatorException {
    final int pathLength = reversedCertList.size();
    if (debug != null) {
        debug.println("--------------------------------------------------" + "------------");
        debug.println("Executing PKIX certification path validation " + "algorithm.");
    }
    for (int pos = 0; pos < pathLength; pos++) {
        // Certificates are visited from the anchor end.  Each checker keeps
        // its own state from the certificate it saw in the previous round,
        // so the order of this loop is part of the algorithm.
        X509Certificate cert = reversedCertList.get(pos);
        int displayIndex = pos + 1;
        // Position of this certificate in the user's (forward) CertPath,
        // used when reporting a failure.
        int userIndex = pathLength - displayIndex;
        if (debug != null) {
            debug.println("Checking cert" + displayIndex + " - Subject: " + cert.getSubjectX500Principal());
        }
        // Critical extensions nobody has claimed yet; checkers remove the
        // ones they understand.
        Set<String> unhandledCritical = cert.getCriticalExtensionOIDs();
        if (unhandledCritical == null) {
            unhandledCritical = Collections.<String>emptySet();
        }
        if (debug != null && !unhandledCritical.isEmpty()) {
            StringJoiner oidList = new StringJoiner(", ", "{", "}");
            for (String oid : unhandledCritical) {
                oidList.add(oid);
            }
            debug.println("Set of critical extensions: " + oidList.toString());
        }
        int checkerNumber = 0;
        for (PKIXCertPathChecker checker : certPathCheckers) {
            checkerNumber++;
            if (debug != null) {
                debug.println("-Using checker" + checkerNumber + " ... [" + checker.getClass().getName() + "]");
            }
            if (pos == 0) {
                checker.init(false);
            }
            try {
                checker.check(cert, unhandledCritical);
            } catch (CertPathValidatorException failure) {
                // Re-throw against the original path and index; keep the
                // underlying cause when the checker supplied one.
                Throwable rootCause = failure.getCause();
                throw new CertPathValidatorException(failure.getMessage(), (rootCause != null) ? rootCause : failure, cpOriginal, userIndex, failure.getReason());
            }
            if (debug != null) {
                debug.println("-checker" + checkerNumber + " validation succeeded");
            }
        }
        // RFC 5280 4.2: an unrecognized critical extension is fatal.
        if (!unhandledCritical.isEmpty()) {
            throw new CertPathValidatorException("unrecognized " + "critical extension(s)", null, cpOriginal, userIndex, PKIXReason.UNRECOGNIZED_CRIT_EXT);
        }
        if (debug != null) {
            debug.println("\ncert" + displayIndex + " validation succeeded.\n");
        }
    }
    if (debug != null) {
        debug.println("Cert path validation succeeded. (PKIX validation " + "algorithm)");
        debug.println("-------------------------------------------------" + "-------------");
    }
}

From class PolicyChecker, method mergePolicyMapping().

/**
     * Computes the policy_mapping counter for the current certificate.
     * This corresponds to RFC 5280 Section 6.1.4 steps (h) and (i): the
     * counter is decremented unless the certificate is self-issued, and is
     * then lowered further if the certificate's PolicyConstraints extension
     * carries a smaller inhibitPolicyMapping skip count.  A value of -1
     * means "no constraint", both for the incoming counter and for the
     * extension field; a constraint from the certificate can only ever
     * tighten the counter, never loosen it.
     *
     * @param policyMapping the current policy_mapping counter, or -1 if
     * policy mapping is not inhibited
     * @param currCert the Certificate to be processed
     * @return the updated policy_mapping counter
     * @exception CertPathValidatorException if the PolicyConstraints
     * extension cannot be read from the certificate
     */
static int mergePolicyMapping(int policyMapping, X509CertImpl currCert) throws CertPathValidatorException {
    int merged = policyMapping;
    // Step (h): only a certificate that is not self-issued uses up a skip.
    if (merged > 0 && !X509CertImpl.isSelfIssued(currCert)) {
        merged--;
    }
    final int inhibitFromCert;
    try {
        PolicyConstraintsExtension constraints = currCert.getPolicyConstraintsExtension();
        if (constraints == null) {
            return merged;
        }
        inhibitFromCert = constraints.get(PolicyConstraintsExtension.INHIBIT).intValue();
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergePolicyMapping " + "unexpected exception");
            e.printStackTrace();
        }
        throw new CertPathValidatorException(e);
    }
    if (debug != null) {
        debug.println("PolicyChecker.mergePolicyMapping() " + "inhibit Index from cert = " + inhibitFromCert);
    }
    // Step (i): adopt the certificate's value only when it is an actual
    // constraint (not -1) and is stricter than what we already have.
    boolean certConstrains = (inhibitFromCert != -1);
    boolean stricter = (merged == -1) || (inhibitFromCert < merged);
    if (certConstrains && stricter) {
        merged = inhibitFromCert;
    }
    return merged;
}

From class PolicyChecker, method processPolicies().

/**
     * Processes the certificate policies extension of one certificate and
     * returns the resulting valid policy tree.  This implements RFC 5280
     * Section 6.1.3 steps (d)-(f) for the certificate, the Section 6.1.4
     * policy-mapping step for intermediate certificates, and the Section
     * 6.1.5 tree wrap-up for the final certificate.  {@code origRootNode}
     * itself is not touched: the work is done on a copy obtained via
     * {@code copyTree()}, and that copy (or null) is returned.
     *
     * <p>Two rejections are raised here, both with
     * {@code PKIXReason.INVALID_POLICY}: a policy carrying qualifiers is
     * refused when {@code rejectPolicyQualifiers} is set <em>and</em> the
     * certificatePolicies extension is critical (qualifiers in a
     * non-critical extension are not rejected); and the certificate is
     * refused when an explicit policy is required
     * ({@code explicitPolicy == 0}) but the valid policy tree has become
     * null.  A self-issued, non-final certificate has its anyPolicy entry
     * processed even when {@code inhibitAnyPolicy} is 0.
     *
     * @param certIndex the index of the certificate
     * @param initPolicies the initial policies required by the user
     * @param explicitPolicy an integer which indicates if a non-null
     * valid policy tree is required (0 means required)
     * @param policyMapping an integer which indicates if policy
     * mapping is inhibited
     * @param inhibitAnyPolicy an integer which indicates whether
     * "any-policy" is considered a match
     * @param rejectPolicyQualifiers a boolean indicating whether the
     * user wants to reject policies that have qualifiers
     * @param origRootNode the root node of the valid policy tree; not modified
     * @param currCert the Certificate to be processed
     * @param finalCert a boolean indicating whether currCert is the final
     * cert in the cert path
     * @return the root node of the valid policy tree after modification, or
     * null if the tree is now empty
     * @exception CertPathValidatorException Exception thrown if an
     * error occurs while processing policies, or if the policy
     * requirements are not met (reason {@code PKIXReason.INVALID_POLICY}).
     */
static PolicyNodeImpl processPolicies(int certIndex, Set<String> initPolicies, int explicitPolicy, int policyMapping, int inhibitAnyPolicy, boolean rejectPolicyQualifiers, PolicyNodeImpl origRootNode, X509CertImpl currCert, boolean finalCert) throws CertPathValidatorException {
    boolean policiesCritical = false;
    List<PolicyInformation> policyInfo;
    PolicyNodeImpl rootNode = null;
    // qualifiers attached to anyPolicy in this cert; also handed to the
    // policy-mapping step further down
    Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
    // work on a copy so the caller's tree is left intact
    if (origRootNode == null)
        rootNode = null;
    else
        rootNode = origRootNode.copyTree();
    // retrieve policyOIDs from currCert
    CertificatePoliciesExtension currCertPolicies = currCert.getCertificatePoliciesExtension();
    // PKIX: Section 6.1.3: Step (d) -- only when the cert has policies and
    // the tree has not already collapsed to null
    if ((currCertPolicies != null) && (rootNode != null)) {
        policiesCritical = currCertPolicies.isCritical();
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "policiesCritical = " + policiesCritical);
        try {
            policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
        } catch (IOException ioe) {
            throw new CertPathValidatorException("Exception while " + "retrieving policyOIDs", ioe);
        }
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "rejectPolicyQualifiers = " + rejectPolicyQualifiers);
        boolean foundAnyPolicy = false;
        // process each policy in cert; anyPolicy is deferred to step (d)(2)
        for (PolicyInformation curPolInfo : policyInfo) {
            String curPolicy = curPolInfo.getPolicyIdentifier().getIdentifier().toString();
            if (curPolicy.equals(ANY_POLICY)) {
                foundAnyPolicy = true;
                anyQuals = curPolInfo.getPolicyQualifiers();
            } else {
                // PKIX: Section 6.1.3: Step (d)(1)
                if (debug != null)
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + curPolicy);
                // retrieve policy qualifiers from cert
                Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
                // Qualifiers are refused only when the user asked for it
                // (policyQualifiersRejected in the params) AND the extension
                // is critical; a non-critical extension's qualifiers pass.
                if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
                    throw new CertPathValidatorException("critical policy qualifiers present in certificate", null, null, -1, PKIXReason.INVALID_POLICY);
                }
                // PKIX: Section 6.1.3: Step (d)(1)(i) -- match against
                // parents with the same expected policy
                boolean foundMatch = processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, false);
                if (!foundMatch) {
                    // PKIX: Section 6.1.3: Step (d)(1)(ii) -- otherwise match
                    // against parents that expect anyPolicy
                    processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, curPolicy, pQuals, true);
                }
            }
        }
        // PKIX: Section 6.1.3: Step (d)(2) -- anyPolicy is honoured while
        // inhibit_any_policy is still positive, and unconditionally for a
        // self-issued certificate that is not the last one in the path
        if (foundAnyPolicy) {
            if ((inhibitAnyPolicy > 0) || (!finalCert && X509CertImpl.isSelfIssued(currCert))) {
                if (debug != null) {
                    debug.println("PolicyChecker.processPolicies() " + "processing policy: " + ANY_POLICY);
                }
                processParents(certIndex, policiesCritical, rejectPolicyQualifiers, rootNode, ANY_POLICY, anyQuals, true);
            }
        }
        // PKIX: Section 6.1.3: Step (d)(3) -- drop branches that did not
        // continue at this certificate; an empty tree becomes null
        rootNode.prune(certIndex);
        if (!rootNode.getChildren().hasNext()) {
            rootNode = null;
        }
    } else if (currCertPolicies == null) {
        if (debug != null)
            debug.println("PolicyChecker.processPolicies() " + "no policies present in cert");
        // PKIX: Section 6.1.3: Step (e) -- no certificatePolicies extension
        // empties the tree
        rootNode = null;
    }
    // Policy mappings (PKIX: Section 6.1.4: Steps (a)-(b)) are applied after
    // the steps above, which may already have emptied the tree; a null tree
    // needs no mapping, and the final certificate has no successor to map for.
    if (rootNode != null) {
        if (!finalCert) {
            // PKIX: Section 6.1.4: Steps (a)-(b)
            rootNode = processPolicyMappings(currCert, certIndex, policyMapping, rootNode, policiesCritical, anyQuals);
        }
    }
    // Keep the tree intersected with the user's initial policy set; nothing
    // to remove when the user accepts anyPolicy.
    if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY)) && (currCertPolicies != null)) {
        rootNode = removeInvalidNodes(rootNode, certIndex, initPolicies, currCertPolicies);
        // PKIX: Section 6.1.5: Step (g)(iii)
        if ((rootNode != null) && finalCert) {
            // rewrite anyPolicy leaf nodes (see method comments)
            rootNode = rewriteLeafNodes(certIndex, initPolicies, rootNode);
        }
    }
    if (finalCert) {
        // PKIX: Section 6.1.5: Steps (a) and (b)
        explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert, finalCert);
    }
    // PKIX: Section 6.1.3: Step (f) -- either an explicit policy is not
    // (yet) required or the tree must be non-null; this is the check that
    // actually rejects a path whose policies do not satisfy the caller.
    if ((explicitPolicy == 0) && (rootNode == null)) {
        throw new CertPathValidatorException("non-null policy tree required and policy tree is null", null, null, -1, PKIXReason.INVALID_POLICY);
    }
    return rootNode;
}