Examples with PKIXCertPathChecker java.security.cert.PKIXCertPathChecker used on opensource projects

Example 11 with PKIXCertPathChecker

use of java.security.cert.PKIXCertPathChecker in project robovm by robovm.

the class PKIXCertPathCheckerTest method testClone.

public final void testClone() {
    PKIXCertPathChecker pc1 = TestUtils.getTestCertPathChecker();
    PKIXCertPathChecker pc2 = (PKIXCertPathChecker) pc1.clone();
    assertNotSame("notSame", pc1, pc2);
}

Example 12 with PKIXCertPathChecker

use of java.security.cert.PKIXCertPathChecker in project robovm by robovm.

the class PKIXCertPathCheckerTest method testCheck.

public final void testCheck() throws CertPathValidatorException {
    PKIXCertPathChecker pc = TestUtils.getTestCertPathChecker();
    pc.check(new MyCertificate("", null), new HashSet<String>());
}

Example 13 with PKIXCertPathChecker

use of java.security.cert.PKIXCertPathChecker in project jdk8u_jdk by JetBrains.

the class ForwardBuilder method verifyCert.

/**
     * Verifies a matching certificate.
     *
     * This method executes the validation steps in the PKIX path
     * validation algorithm <draft-ietf-pkix-new-part1-08.txt> which were
     * not satisfied by the selection criteria used by getCertificates()
     * to find the certs and only the steps that can be executed in a
     * forward direction (target to trust anchor). Those steps that can
     * only be executed in a reverse direction are deferred until the
     * complete path has been built.
     *
     * Trust anchor certs are not validated, but are used to verify the
     * signature and revocation status of the previous cert.
     *
     * If the last certificate is being verified (the one whose subject
     * matches the target subject, then steps in 6.1.4 of the PKIX
     * Certification Path Validation algorithm are NOT executed,
     * regardless of whether or not the last cert is an end-entity
     * cert or not. This allows callers to certify CA certs as
     * well as EE certs.
     *
     * @param cert the certificate to be verified
     * @param currentState the current state against which the cert is verified
     * @param certPathList the certPathList generated thus far
     */
@Override
void verifyCert(X509Certificate cert, State currentState, List<X509Certificate> certPathList) throws GeneralSecurityException {
    if (debug != null) {
        debug.println("ForwardBuilder.verifyCert(SN: " + Debug.toHexString(cert.getSerialNumber()) + "\n  Issuer: " + cert.getIssuerX500Principal() + ")" + "\n  Subject: " + cert.getSubjectX500Principal() + ")");
    }
    ForwardState currState = (ForwardState) currentState;
    // Don't bother to verify untrusted certificate more.
    currState.untrustedChecker.check(cert, Collections.<String>emptySet());
    /*
         * check for looping - abort a loop if we encounter the same
         * certificate twice
         */
    if (certPathList != null) {
        for (X509Certificate cpListCert : certPathList) {
            if (cert.equals(cpListCert)) {
                if (debug != null) {
                    debug.println("loop detected!!");
                }
                throw new CertPathValidatorException("loop detected");
            }
        }
    }
    /* check if trusted cert */
    boolean isTrustedCert = trustedCerts.contains(cert);
    /* we don't perform any validation of the trusted cert */
    if (!isTrustedCert) {
        /*
             * Check CRITICAL private extensions for user checkers that
             * support forward checking (forwardCheckers) and remove
             * ones we know how to check.
             */
        Set<String> unresCritExts = cert.getCriticalExtensionOIDs();
        if (unresCritExts == null) {
            unresCritExts = Collections.<String>emptySet();
        }
        for (PKIXCertPathChecker checker : currState.forwardCheckers) {
            checker.check(cert, unresCritExts);
        }
        /*
             * Remove extensions from user checkers that don't support
             * forward checking. After this step, we will have removed
             * all extensions that all user checkers are capable of
             * processing.
             */
        for (PKIXCertPathChecker checker : buildParams.certPathCheckers()) {
            if (!checker.isForwardCheckingSupported()) {
                Set<String> supportedExts = checker.getSupportedExtensions();
                if (supportedExts != null) {
                    unresCritExts.removeAll(supportedExts);
                }
            }
        }
        /*
             * Look at the remaining extensions and remove any ones we know how
             * to check. If there are any left, throw an exception!
             */
        if (!unresCritExts.isEmpty()) {
            unresCritExts.remove(BasicConstraints_Id.toString());
            unresCritExts.remove(NameConstraints_Id.toString());
            unresCritExts.remove(CertificatePolicies_Id.toString());
            unresCritExts.remove(PolicyMappings_Id.toString());
            unresCritExts.remove(PolicyConstraints_Id.toString());
            unresCritExts.remove(InhibitAnyPolicy_Id.toString());
            unresCritExts.remove(SubjectAlternativeName_Id.toString());
            unresCritExts.remove(KeyUsage_Id.toString());
            unresCritExts.remove(ExtendedKeyUsage_Id.toString());
            if (!unresCritExts.isEmpty())
                throw new CertPathValidatorException("Unrecognized critical extension(s)", null, null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
        }
    }
    /*
         * if this is the target certificate (init=true), then we are
         * not able to do any more verification, so just return
         */
    if (currState.isInitial()) {
        return;
    }
    /* we don't perform any validation of the trusted cert */
    if (!isTrustedCert) {
        /* Make sure this is a CA cert */
        if (cert.getBasicConstraints() == -1) {
            throw new CertificateException("cert is NOT a CA cert");
        }
        /*
             * Check keyUsage extension
             */
        KeyChecker.verifyCAKeyUsage(cert);
    }
    /*
         * Check signature only if no key requiring key parameters has been
         * encountered.
         */
    if (!currState.keyParamsNeeded()) {
        (currState.cert).verify(cert.getPublicKey(), buildParams.sigProvider());
    }
}

Example 14 with PKIXCertPathChecker

use of java.security.cert.PKIXCertPathChecker in project jdk8u_jdk by JetBrains.

the class ForwardState method clone.

/*
     * Clone current state. The state is cloned as each cert is
     * added to the path. This is necessary if backtracking occurs,
     * and a prior state needs to be restored.
     *
     * Note that this is a SMART clone. Not all fields are fully copied,
     * because some of them will
     * not have their contents modified by subsequent calls to updateState.
     */
@Override
// Safe casts assuming clone() works correctly
@SuppressWarnings("unchecked")
public Object clone() {
    try {
        ForwardState clonedState = (ForwardState) super.clone();
        /* clone checkers, if cloneable */
        clonedState.forwardCheckers = (ArrayList<PKIXCertPathChecker>) forwardCheckers.clone();
        ListIterator<PKIXCertPathChecker> li = clonedState.forwardCheckers.listIterator();
        while (li.hasNext()) {
            PKIXCertPathChecker checker = li.next();
            if (checker instanceof Cloneable) {
                li.set((PKIXCertPathChecker) checker.clone());
            }
        }
        /*
             * Shallow copy traversed names. There is no need to
             * deep copy contents, since the elements of the Set
             * are never modified by subsequent calls to updateState().
             */
        clonedState.subjectNamesTraversed = (HashSet<GeneralNameInterface>) subjectNamesTraversed.clone();
        return clonedState;
    } catch (CloneNotSupportedException e) {
        throw new InternalError(e.toString(), e);
    }
}

Example 15 with PKIXCertPathChecker

use of java.security.cert.PKIXCertPathChecker in project jdk8u_jdk by JetBrains.

the class PKIXMasterCertPathValidator method validate.

/**
     * Validates a certification path consisting exclusively of
     * <code>X509Certificate</code>s using the specified
     * <code>PKIXCertPathChecker</code>s. It is assumed that the
     * <code>PKIXCertPathChecker</code>s
     * have been initialized with any input parameters they may need.
     *
     * @param cpOriginal the original X509 CertPath passed in by the user
     * @param reversedCertList the reversed X509 CertPath (as a List)
     * @param certPathCheckers the PKIXCertPathCheckers
     * @throws CertPathValidatorException if cert path does not validate
     */
static void validate(CertPath cpOriginal, List<X509Certificate> reversedCertList, List<PKIXCertPathChecker> certPathCheckers) throws CertPathValidatorException {
    // we actually process reversedCertList, but we keep cpOriginal because
    // we need to return the original certPath when we throw an exception.
    // we will also need to modify the index appropriately when we
    // throw an exception.
    int cpSize = reversedCertList.size();
    if (debug != null) {
        debug.println("--------------------------------------------------" + "------------");
        debug.println("Executing PKIX certification path validation " + "algorithm.");
    }
    for (int i = 0; i < cpSize; i++) {
        /* The basic loop algorithm is that we get the
             * current certificate, we verify the current certificate using
             * information from the previous certificate and from the state,
             * and we modify the state for the next loop by setting the
             * current certificate of this loop to be the previous certificate
             * of the next loop. The state is initialized during first loop.
             */
        X509Certificate currCert = reversedCertList.get(i);
        if (debug != null) {
            debug.println("Checking cert" + (i + 1) + " - Subject: " + currCert.getSubjectX500Principal());
        }
        Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
        if (unresCritExts == null) {
            unresCritExts = Collections.<String>emptySet();
        }
        if (debug != null && !unresCritExts.isEmpty()) {
            StringJoiner joiner = new StringJoiner(", ", "{", "}");
            for (String oid : unresCritExts) {
                joiner.add(oid);
            }
            debug.println("Set of critical extensions: " + joiner.toString());
        }
        for (int j = 0; j < certPathCheckers.size(); j++) {
            PKIXCertPathChecker currChecker = certPathCheckers.get(j);
            if (debug != null) {
                debug.println("-Using checker" + (j + 1) + " ... [" + currChecker.getClass().getName() + "]");
            }
            if (i == 0)
                currChecker.init(false);
            try {
                currChecker.check(currCert, unresCritExts);
                if (debug != null) {
                    debug.println("-checker" + (j + 1) + " validation succeeded");
                }
            } catch (CertPathValidatorException cpve) {
                throw new CertPathValidatorException(cpve.getMessage(), (cpve.getCause() != null) ? cpve.getCause() : cpve, cpOriginal, cpSize - (i + 1), cpve.getReason());
            }
        }
        if (!unresCritExts.isEmpty()) {
            throw new CertPathValidatorException("unrecognized " + "critical extension(s)", null, cpOriginal, cpSize - (i + 1), PKIXReason.UNRECOGNIZED_CRIT_EXT);
        }
        if (debug != null)
            debug.println("\ncert" + (i + 1) + " validation succeeded.\n");
    }
    if (debug != null) {
        debug.println("Cert path validation succeeded. (PKIX validation " + "algorithm)");
        debug.println("-------------------------------------------------" + "-------------");
    }
}