
Example 1 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project XobotOS by xamarin.

From the class PKIXCertPathBuilderSpi, method build.

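/**
 * Recursively extends the certification path under construction with
 * {@code tbvCert} (the "to be validated" certificate).
 *
 * <p>If the issuer of {@code tbvCert} is one of the configured trust anchors the
 * path is complete: it is turned into a {@link CertPath} and run through the PKIX
 * validator before a result is returned. Otherwise every candidate issuer found
 * in the configured stores is tried in turn, depth-first, until one of them
 * yields a result.
 *
 * @param tbvCert    the certificate to append to the path
 * @param pkixParams builder parameters (trust anchors, stores, maximum path
 *                   length, excluded certificates)
 * @param tbvPath    the path built so far; mutated in place: {@code tbvCert} is
 *                   appended on entry and removed again when this branch
 *                   produces no result
 * @return a {@link PKIXCertPathBuilderResult}, or {@code null} if no valid path
 *         through {@code tbvCert} could be built; the last failure is recorded
 *         in {@code certPathException} for the caller to report
 * @throws RuntimeException if the X.509 certificate factory or the PKIX
 *         validator cannot be obtained from the BouncyCastle provider
 */
protected CertPathBuilderResult build(X509Certificate tbvCert, ExtendedPKIXBuilderParameters pkixParams, List tbvPath) {
    // Refuse to revisit a certificate already on the path: that would be a cycle
    // in the PKI graph and the recursion would never terminate.
    if (tbvPath.contains(tbvCert)) {
        return null;
    }
    // Certificates the caller explicitly excluded never become part of a chain.
    if (pkixParams.getExcludedCerts().contains(tbvCert)) {
        return null;
    }
    // A maximum path length of -1 means "unlimited"; otherwise stop once the
    // number of intermediate certificates would exceed the configured limit.
    if (pkixParams.getMaxPathLength() != -1 && tbvPath.size() - 1 > pkixParams.getMaxPathLength()) {
        return null;
    }
    tbvPath.add(tbvCert);

    CertificateFactory cFact;
    CertPathValidator validator;
    try {
        cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
        validator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    } catch (Exception e) {
        // Not expected while the BouncyCastle provider is installed. Keep the cause
        // so a missing or misconfigured provider is diagnosable from the stack
        // trace instead of being reduced to a bare message.
        throw new RuntimeException("Exception creating support classes.", e);
    }

    CertPathBuilderResult builderResult = null;
    try {
        if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(), pkixParams.getSigProvider()) != null) {
            // The issuer of tbvCert is a trust anchor, so the candidate path is
            // complete. Failures below are wrapped in AnnotatedException and land in
            // certPathException, which keeps the message of the chain tried last.
            CertPath certPath;
            try {
                certPath = cFact.generateCertPath(tbvPath);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be constructed from certificate list.", e);
            }
            PKIXCertPathValidatorResult result;
            try {
                result = (PKIXCertPathValidatorResult) validator.validate(certPath, pkixParams);
            } catch (Exception e) {
                throw new AnnotatedException("Certification path could not be validated.", e);
            }
            return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(), result.getPublicKey());
        } else {
            // Not at a trust anchor yet: pull additional X.509 stores from locations
            // named in the certificate, then try every issuer candidate depth-first.
            try {
                CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams);
            } catch (CertificateParsingException e) {
                throw new AnnotatedException("No additiontal X.509 stores can be added from certificate locations.", e);
            }
            Collection issuers = new HashSet();
            try {
                issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams));
            } catch (AnnotatedException e) {
                throw new AnnotatedException("Cannot find issuer certificate for certificate in certification path.", e);
            }
            if (issuers.isEmpty()) {
                throw new AnnotatedException("No issuer certificate for certificate in certification path found.");
            }
            // Stop at the first issuer that leads to a complete, valid path.
            for (Iterator it = issuers.iterator(); it.hasNext() && builderResult == null;) {
                builderResult = build((X509Certificate) it.next(), pkixParams, tbvPath);
            }
        }
    } catch (AnnotatedException e) {
        // Remember why this branch failed; the caller reports it when no path is found at all.
        certPathException = e;
    }
    // Backtrack: this certificate is not part of any valid path found so far.
    if (builderResult == null) {
        tbvPath.remove(tbvCert);
    }
    return builderResult;
}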

Example 2 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project oxAuth by GluuFederation.

From the class PathCertificateVerifier, method verifyCertificate.

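/**
 * Attempts to build a certification chain for the given certificate in order
 * to verify it. Relies on a set of root CA certificates (trust anchors) and a
 * set of intermediate certificates that may be used as part of the chain.
 *
 * <p>Revocation checking is deliberately disabled here, so a revoked but
 * otherwise well-formed certificate still verifies; callers that need
 * revocation status must consult CRL/OCSP themselves.
 *
 * @param certificate       the end-entity certificate to verify
 * @param trustedRootCerts  root CA certificates used as trust anchors
 * @param intermediateCerts intermediate CA certificates available to complete the chain
 * @return the builder result holding the verified chain and the trust anchor it ends in
 * @throws GeneralSecurityException if no chain can be built (for example a
 *         {@link CertPathBuilderException}), if {@code trustedRootCerts} is empty,
 *         or if the built chain fails PKIX validation
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
    // Selector for the starting certificate. A basic-constraints value of -2
    // restricts matches to end-entity certificates, so a CA certificate is never
    // accepted as the leaf of the chain.
    X509CertSelector selector = new X509CertSelector();
    selector.setBasicConstraints(-2);
    selector.setCertificate(certificate);

    // One trust anchor per root CA certificate, with no name constraints.
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // PKIX builder parameters. The constructor rejects an empty anchor set with
    // InvalidAlgorithmParameterException, which is the right failure for
    // "nothing to trust".
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Revocation checking is turned off: no CRL or OCSP lookups are performed.
    pkixParams.setRevocationEnabled(false);
    // Make the intermediate certificates available to the builder.
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build the chain from the leaf up to one of the trust anchors.
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

    // Run the built path through the PKIX validator as a second check. The
    // returned result object is not needed: validate() signals failure by
    // throwing CertPathValidatorException, which propagates to the caller.
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
    return certPathBuilderResult;
}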

Example 3 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

From the class PKIXCertPathValidatorResultTest, method testPKIXCertPathValidatorResult01.

//
// Tests
//
/**
 * Test #1 for the <code>PKIXCertPathValidatorResult(TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor.<br>
 * Assertion: construction succeeds and yields an instance of
 * <code>PKIXCertPathValidatorResult</code> for a usable trust anchor.
 *
 * @throws NoSuchAlgorithmException if the test key material cannot be created
 * @throws InvalidKeySpecException if the test key material cannot be created
 */
public final void testPKIXCertPathValidatorResult01() throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    // Without a trust anchor the constructor cannot be exercised at all.
    if (anchor == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    // Only successful construction is asserted; the instance is not inspected.
    PolicyNode policyTree = TestUtils.getPolicyTree();
    new PKIXCertPathValidatorResult(anchor, policyTree, testPublicKey);
}

Example 4 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

From the class PKIXCertPathValidatorResultTest, method testGetPolicyTree01.

/**
 * Test for the <code>getPolicyTree()</code> method.<br>
 * Assertion: returns the root node of the valid policy tree, or
 * <code>null</code> if there are no valid policies.
 *
 * @throws Exception if the trust anchor or test key material cannot be created
 */
public final void testGetPolicyTree01() throws Exception {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    if (anchor == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    // Valid policy tree case: the getter must hand back exactly the node the
    // constructor received, not a copy of it.
    PolicyNode expectedTree = TestUtils.getPolicyTree();
    PKIXCertPathValidatorResult result = new PKIXCertPathValidatorResult(anchor, expectedTree, testPublicKey);
    assertSame(expectedTree, result.getPolicyTree());
}

Example 5 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

From the class PKIXCertPathValidatorResultTest, method testToString01.

/**
 * Test #1 for the <code>toString()</code> method.<br>
 * Assertion: returns a non-null formatted string describing this object.
 *
 * @throws Exception if the trust anchor or test key material cannot be created
 */
public final void testToString01() throws Exception {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    if (anchor == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    PKIXCertPathValidatorResult result = new PKIXCertPathValidatorResult(anchor, TestUtils.getPolicyTree(), testPublicKey);
    // Only the presence of a description is checked, not its exact format.
    String description = result.toString();
    assertNotNull(description);
}
