Use of java.security.cert.PKIXBuilderParameters in the Apache PDFBox project: the CertificateVerifier class, method verifyCertificate.
import java.security.GeneralSecurityException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

public class CertificateVerifier {

    /**
     * Attempts to build a certification chain for the given certificate and to
     * verify it. Relies on a set of root CA certificates (trust anchors) and a
     * set of intermediate certificates (to be used as part of the chain).
     *
     * @param cert certificate for validation
     * @param trustAnchors set of trust anchors
     * @param intermediateCerts set of intermediate certificates
     * @param signDate the date when the signing took place
     * @return the certification chain (if verification is successful)
     * @throws GeneralSecurityException if the verification is not successful
     * (e.g. certification path cannot be built or some certificate in the chain
     * is expired)
     */
    private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
            Set<TrustAnchor> trustAnchors, Set<X509Certificate> intermediateCerts, Date signDate)
            throws GeneralSecurityException {
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(cert);

        // Configure the PKIX certificate builder algorithm parameters
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

        // Disable CRL checks (this is done manually as an additional step)
        pkixParams.setRevocationEnabled(false);

        // Not doing this brings
        // "SunCertPathBuilderException: unable to find valid certification path to requested target"
        // (when using -Djava.security.debug=certpath: "critical policy qualifiers present in certificate")
        // for files like 021496.pdf that have the "Adobe CDS Certificate Policy" 1.2.840.113583.1.2.1
        // CDS = "Certified Document Services"
        // https://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf
        pkixParams.setPolicyQualifiersRejected(false);
        // However, maybe there is still work to do:
        // "If the policyQualifiersRejected flag is set to false, it is up to the application
        // to validate all policy qualifiers in this manner in order to be PKIX compliant."

        // Validate the chain as of the signing time, not the current time
        pkixParams.setDate(signDate);

        // Specify a list of intermediate certificates
        CertStore intermediateCertStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediateCerts));
        pkixParams.addCertStore(intermediateCertStore);

        // Build and verify the certification chain.
        // If this doesn't work although it should, it can be debugged
        // by starting java with -Djava.security.debug=certpath
        // see also
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return (PKIXCertPathBuilderResult) builder.build(pkixParams);
    }
}
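The method above leaves two things to the caller: revocation checking (setRevocationEnabled(false), "done manually as an additional step") and validation of the policy qualifiers it stops rejecting. The following is an added example, not PDFBox code, that sets up PKIXBuilderParameters the same way and then shows how both gaps can be closed with the JDK's own API: a PKIXRevocationChecker obtained from the builder replaces the manual CRL step, and a walk over the result's policy tree lists the policies whose qualifiers the application still has to judge. The file names root.pem, intermediates.pem and leaf.pem, the class name ChainCheckExample and the helper names are assumptions for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PolicyNode;
import java.security.cert.PolicyQualifierInfo;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

// Added example (not PDFBox code). Assumed inputs: root.pem (trust anchors),
// intermediates.pem (any number of CA certs) and leaf.pem (the signer cert).
public class ChainCheckExample {

    // Reads every certificate in a PEM or DER file; CertificateFactory accepts both.
    static Set<X509Certificate> loadCerts(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<X509Certificate> certs = new HashSet<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Same parameter setup as CertificateVerifier.verifyCertificate, plus the
    // JDK revocation checker (OCSP, CRL fallback) instead of a manual CRL step.
    static PKIXCertPathBuilderResult buildChain(X509Certificate leaf, Set<TrustAnchor> anchors,
            Set<X509Certificate> intermediates, Date signDate, boolean checkRevocation)
            throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.setDate(signDate);                   // validate as of signing time
        params.setPolicyQualifiersRejected(false);  // accept CDS-style qualifiers
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        if (checkRevocation) {
            // A PKIXRevocationChecker added to the parameters is what the builder
            // uses for its revocation step. SOFT_FAIL is deliberately not set, so
            // an unreachable OCSP responder or CRL fails the build (fail closed).
            PKIXRevocationChecker rc = (PKIXRevocationChecker) builder.getRevocationChecker();
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));
            params.addCertPathChecker(rc);
        } else {
            params.setRevocationEnabled(false);     // caller must check CRL/OCSP itself
        }
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    // Lists "policyOID: n qualifier(s)" for every node of the validated policy
    // tree that carries qualifiers; these are the ones the application must
    // validate itself once setPolicyQualifiersRejected(false) is used.
    static List<String> policiesWithQualifiers(PKIXCertPathBuilderResult result) {
        List<String> out = new ArrayList<>();
        PolicyNode root = result.getPolicyTree();   // null when no policy tree exists
        if (root != null) {
            collect(root, out);
        }
        return out;
    }

    private static void collect(PolicyNode node, List<String> out) {
        Set<? extends PolicyQualifierInfo> quals = node.getPolicyQualifiers();
        if (!quals.isEmpty()) {
            out.add(node.getValidPolicy() + ": " + quals.size() + " qualifier(s)");
        }
        for (Iterator<? extends PolicyNode> it = node.getChildren(); it.hasNext();) {
            collect(it.next(), out);
        }
    }

    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : loadCerts(Paths.get("root.pem"))) {
            anchors.add(new TrustAnchor(root, null));
        }
        Set<X509Certificate> intermediates = loadCerts(Paths.get("intermediates.pem"));
        X509Certificate leaf = loadCerts(Paths.get("leaf.pem")).iterator().next();

        PKIXCertPathBuilderResult result = buildChain(leaf, anchors, intermediates, new Date(), true);
        System.out.println("Anchor: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        System.out.println("Chain length: " + result.getCertPath().getCertificates().size());
        for (String line : policiesWithQualifiers(result)) {
            System.out.println("Policy qualifiers for the application to validate: " + line);
        }
    }
}
```

For a signed PDF the signDate passed to buildChain should be the signing time taken from the signature (as the PDFBox method does), not new Date() as in this main; otherwise a certificate that was valid when the document was signed but has since expired is rejected. Running with -Djava.security.debug=certpath shows which checker, including the revocation checker, rejected a path.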