
Example 16 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

From the class TrustManagerImpl, method checkTrusted.

/**
 * Cleans up, pins and validates a certificate chain presented by a peer.
 *
 * <p>The presented {@code chain} is first resolved against the configured trust anchors by
 * {@code cleanupCertChainAndFindTrustAnchors}. Two views of the chain then exist: {@code newChain}
 * (the cleaned chain without anchors), which is what the PKIX validator and the strength check see,
 * and {@code wholeChain} (cleaned chain, plus the anchor, plus any cached issuers found in
 * {@code trustedCertificateIndex}), which is what the pin manager sees and what is returned.
 *
 * <p>Ordering is security-relevant: the pin check (when {@code host} is given) runs before PKIX
 * validation, a chain that is entirely trusted after cleanup skips the validator, and revocation
 * checking is explicitly disabled on the PKIX parameters, so no CRL/OCSP check happens here.
 *
 * @param chain      the certificate chain as presented by the peer (leaf first, per the
 *                   X509TrustManager contract); must be non-null and non-empty
 * @param authType   the authentication type; in this method it is only checked for being
 *                   non-null and non-empty
 * @param host       the peer host name used for certificate pinning, or {@code null} to skip the
 *                   pin check entirely
 * @param clientAuth whether the chain is being checked for a client rather than a server; only
 *                   forwarded to the extended-key-usage checker
 * @return the full chain from leaf to the deepest known issuer ({@code wholeChain})
 * @throws IllegalArgumentException if {@code chain} or {@code authType} is null or empty
 * @throws CertificateException     if this trust manager failed to initialise ({@code err} is set),
 *                                  if the pin manager rejects the chain or fails, if no trust anchor
 *                                  was found for a non-empty cleaned chain, or if the PKIX
 *                                  parameters are invalid or validation fails
 */
private List<X509Certificate> checkTrusted(X509Certificate[] chain, String authType, String host, boolean clientAuth) throws CertificateException {
    if (chain == null || chain.length == 0 || authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    // err is presumably set when the trust manager could not be initialised; fail closed.
    if (err != null) {
        throw new CertificateException(err);
    }
    // get the cleaned up chain and trust anchor
    // there can only be one! (the set is still iterated below, so the code does not rely on it)
    Set<TrustAnchor> trustAnchor = new HashSet<TrustAnchor>();
    X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(chain, trustAnchor);
    // add the first trust anchor to the chain, which may be an intermediate
    List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
    wholeChain.addAll(Arrays.asList(newChain));
    // trustAnchor is actually just a single element
    for (TrustAnchor trust : trustAnchor) {
        wholeChain.add(trust.getTrustedCert());
    }
    // add all the cached certificates from the cert index, avoiding loops
    // this gives us a full chain from leaf to root, which we use for cert pinning and pass
    // back out to callers when we return.
    // NOTE(review): the only loop guard is the identity check below (self-signed case); a cycle of
    // distinct cached certificates would not terminate - confirm the index cannot contain one.
    X509Certificate last = wholeChain.get(wholeChain.size() - 1);
    while (true) {
        TrustAnchor cachedTrust = trustedCertificateIndex.findByIssuerAndSignature(last);
        // null means the index knows no issuer of `last`: either the chain ends here or
        // (presumably) the index only trusted a non-self-signed cert.
        if (cachedTrust == null) {
            break;
        }
        // at this point we have a cached trust anchor, but don't know if its one we got from
        // the server. Extract the cert, compare it to the last element in the chain, and add it
        // if we haven't seen it before.
        X509Certificate next = cachedTrust.getTrustedCert();
        // reference comparison, not equals(): relies on the index returning the same object for
        // a self-signed anchor - NOTE(review): confirm this holds for the index implementation.
        if (next != last) {
            wholeChain.add(next);
            last = next;
        } else {
            // if next == last then we found a self-signed cert and the chain is done
            break;
        }
    }
    // build the cert path from the array of certs sans trust anchors
    CertPath certPath = factory.generateCertPath(Arrays.asList(newChain));
    // Pinning is checked before PKIX validation and against the whole chain (including cached
    // issuers); a null host skips pinning altogether.
    if (host != null) {
        // default to "not pinned" so a failure to reach the pin manager cannot silently pass
        boolean chainIsNotPinned = true;
        try {
            chainIsNotPinned = pinManager.chainIsNotPinned(host, wholeChain);
        } catch (PinManagerException e) {
            throw new CertificateException(e);
        }
        if (chainIsNotPinned) {
            throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, certPath, -1));
        }
    }
    if (newChain.length == 0) {
        // chain was entirely trusted, skip the validator
        return wholeChain;
    }
    if (trustAnchor.isEmpty()) {
        throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1));
    }
    // There's no point in checking trust anchors here, and it will throw off the MD5 check,
    // so we just hand it the chain without anchors
    // (ChainStrengthAnalyzer presumably rejects weak algorithms/key sizes; it is expected to throw
    // on failure since its result is not inspected)
    ChainStrengthAnalyzer.check(newChain);
    try {
        PKIXParameters params = new PKIXParameters(trustAnchor);
        // revocation (CRL/OCSP) is deliberately not checked by this validator
        params.setRevocationEnabled(false);
        params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0]));
        validator.validate(certPath, params);
        // Only after successful validation: index every cert except newChain[0] so that later
        // chains can be completed from the cache by
        // cleanupCertChainAndFindTrustAnchors.  http://b/3404902
        for (int i = 1; i < newChain.length; i++) {
            trustedCertificateIndex.index(newChain[i]);
        }
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateException(e);
    } catch (CertPathValidatorException e) {
        throw new CertificateException(e);
    }
    return wholeChain;
}

Example 17 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

From the class invalidParams, method testCertPathValidator12.

/**
 * Test for the {@code CertPathValidator} constructor.
 * Assertion: returns a CertPathValidator object that reports the algorithm and provider it was
 * built with, delegates {@code validate} to the SPI, and throws NullPointerException from
 * {@code validate} when built without an SPI.
 */
public void testCertPathValidator12() throws CertificateException, NoSuchProviderException, NoSuchAlgorithmException, CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!PKIXSupport) {
        fail(NotSupportMsg);
        return;
    }
    CertPathValidatorSpi stubSpi = new MyCertPathValidatorSpi();
    CertPathValidator validator = new myCertPathValidator(stubSpi, defaultProvider, defaultType);
    assertEquals("Incorrect algorithm", validator.getAlgorithm(), defaultType);
    assertEquals("Incorrect provider", validator.getProvider(), defaultProvider);
    // The first call is expected to succeed (an exception here fails the test);
    // only the second identical call is expected to be rejected by the stub SPI.
    validator.validate(null, null);
    try {
        validator.validate(null, null);
        fail("CertPathValidatorException must be thrown");
    } catch (CertPathValidatorException expected) {
        // expected: second validate() call is rejected
    }
    CertPathValidator spilessValidator = new myCertPathValidator(null, null, null);
    assertNull("Incorrect algorithm", spilessValidator.getAlgorithm());
    assertNull("Incorrect provider", spilessValidator.getProvider());
    try {
        spilessValidator.validate(null, null);
        fail("NullPointerException must be thrown");
    } catch (NullPointerException expected) {
        // expected: no SPI to delegate to
    }
}

Example 18 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

From the class CertPathValidatorExceptionTest, method testCertPathValidatorException03.

/**
 * Test for the {@code CertPathValidatorException(String)} constructor.
 * Assertion: constructs a CertPathValidatorException when {@code msg} is null;
 * both the detail message and the cause are then null.
 */
public void testCertPathValidatorException03() {
    // explicit cast keeps the String overload while passing a null message
    CertPathValidatorException exception = new CertPathValidatorException((String) null);
    assertNull("getMessage() must return null.", exception.getMessage());
    assertNull("getCause() must return null", exception.getCause());
}

Example 19 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

From the class CertPathValidatorExceptionTest, method testCertPathValidatorException01.

/**
 * Test for the {@code CertPathValidatorException()} constructor.
 * Assertion: constructs a CertPathValidatorException with no detail message and no cause.
 */
public void testCertPathValidatorException01() {
    CertPathValidatorException exception = new CertPathValidatorException();
    String message = exception.getMessage();
    Throwable cause = exception.getCause();
    assertNull("getMessage() must return null.", message);
    assertNull("getCause() must return null", cause);
}

Example 20 with CertPathValidatorException

use of java.security.cert.CertPathValidatorException in project robovm by robovm.

From the class CertPathValidatorExceptionTest, method testCertPathValidatorException12.

/**
 * Test for the {@code CertPathValidatorException(String, Throwable, CertPath, int)} constructor.
 * Assertion: constructs a CertPathValidatorException when {@code cause} is not null,
 * {@code msg} is not null, {@code certPath} is null and {@code index} is -1; the message
 * must carry the supplied text (and the cause's text when it is not exactly the supplied
 * text), the cause must be the one given, the cert path must be null and the index -1.
 */
public void testCertPathValidatorException12() {
    for (String msg : msgs) {
        try {
            CertPathValidatorException exception = new CertPathValidatorException(msg, tCause, null, -1);
            String message = exception.getMessage();
            String causeText = tCause.toString();
            if (!msg.isEmpty()) {
                assertTrue("getMessage() must contain " + msg, message.contains(msg));
                // when the message is not exactly the supplied text, it should carry the cause's text too
                if (!message.equals(msg)) {
                    assertTrue("getMessage() should contain " + causeText, message.contains(causeText));
                }
            }
            assertNotNull("getCause() must not return null", exception.getCause());
            assertEquals("getCause() must return " + tCause.toString(), exception.getCause(), tCause);
            assertNull("getCertPath() must return null", exception.getCertPath());
            assertEquals("getIndex() must return -1", exception.getIndex(), -1);
        } catch (IndexOutOfBoundsException e) {
            // index -1 with a null cert path is a valid combination and must not be rejected
            fail("Unexpected exception: " + e + " Parameters: msg: " + msg + ", certPath is null and index is -1");
        }
    }
}
