Search in sources :

Example 11 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

the class PKIXCertPathValidatorResultTest method testPKIXCertPathValidatorResult03.

/**
     * Test #3 for <code>PKIXCertPathValidatorResult(TrustAnchor,
     * PolicyNode, PublicKey)</code> constructor<br>
     * Assertion: <code>NullPointerException</code> if
     * <code>PublicKey</code> parameter is <code>null</code>
     */
public final void testPKIXCertPathValidatorResult03() {
    TrustAnchor ta = TestUtils.getTrustAnchor();
    if (ta == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    try {
        // pass null
        new PKIXCertPathValidatorResult(ta, TestUtils.getPolicyTree(), null);
        fail("NPE expected");
    } catch (NullPointerException e) {
    }
}
Also used : PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) TrustAnchor(java.security.cert.TrustAnchor)

Example 12 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

the class CertificateTest method testVerifyMD2_chain.

public void testVerifyMD2_chain() throws Exception {
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
    // First check with the trust anchor not included in the chain
    CertPath path = certificateFactory.generateCertPath(getCertList(true, false));
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    PKIXParameters params = createPKIXParams();
    CertPathValidatorResult res = certPathValidator.validate(path, params);
    assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
    PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
    assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
    // Now check with the trust anchor included in the chain
    path = certificateFactory.generateCertPath(getCertList(true, true));
    certPathValidator = CertPathValidator.getInstance("PKIX");
    params = createPKIXParams();
    if (StandardNames.IS_RI) {
        res = certPathValidator.validate(path, params);
        assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
        r = (PKIXCertPathValidatorResult) res;
        assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
    } else {
        try {
            certPathValidator.validate(path, params);
            fail();
        } catch (CertPathValidatorException expected) {
        }
    }
}
Also used : CertPathValidator(java.security.cert.CertPathValidator) CertPathValidatorException(java.security.cert.CertPathValidatorException) PKIXParameters(java.security.cert.PKIXParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertPath(java.security.cert.CertPath) CertPathValidatorResult(java.security.cert.CertPathValidatorResult) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertificateFactory(java.security.cert.CertificateFactory)

Example 13 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

the class CertificateTest method testVerifyMD5_chain.

public void testVerifyMD5_chain() throws Exception {
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
    // First check with the trust anchor not included in the chain
    CertPath path = certificateFactory.generateCertPath(getCertList(false, false));
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    PKIXParameters params = createPKIXParams();
    CertPathValidatorResult res = certPathValidator.validate(path, params);
    assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
    PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
    assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
    // Now check with the trust anchor included in the chain
    path = certificateFactory.generateCertPath(getCertList(false, true));
    certPathValidator = CertPathValidator.getInstance("PKIX");
    params = createPKIXParams();
    res = certPathValidator.validate(path, params);
    assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
    r = (PKIXCertPathValidatorResult) res;
    assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
}
Also used : CertPathValidator(java.security.cert.CertPathValidator) PKIXParameters(java.security.cert.PKIXParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertPath(java.security.cert.CertPath) CertPathValidatorResult(java.security.cert.CertPathValidatorResult) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertificateFactory(java.security.cert.CertificateFactory)

Example 14 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project XobotOS by xamarin.

the class PKIXCertPathValidatorSpi method engineValidate.

// END android-added
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
    if (!(params instanceof PKIXParameters)) {
        throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + " instance.");
    }
    ExtendedPKIXParameters paramsPKIX;
    if (params instanceof ExtendedPKIXParameters) {
        paramsPKIX = (ExtendedPKIXParameters) params;
    } else {
        paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters) params);
    }
    if (paramsPKIX.getTrustAnchors() == null) {
        throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
    }
    //
    // 6.1.1 - inputs
    //
    //
    // (a)
    //
    List certs = certPath.getCertificates();
    int n = certs.size();
    if (certs.isEmpty()) {
        throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
    }
    // BEGIN android-added
    {
        X509Certificate cert = (X509Certificate) certs.get(0);
        if (cert != null) {
            BigInteger serial = cert.getSerialNumber();
            if (serial != null && SERIAL_BLACKLIST.contains(serial)) {
                // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                String message = "Certificate revocation of serial 0x" + serial.toString(16);
                System.out.println(message);
                AnnotatedException e = new AnnotatedException(message);
                throw new CertPathValidatorException(e.getMessage(), e, certPath, 0);
            }
        }
    }
    // END android-added
    //
    // (b)
    //
    // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
    //
    // (c)
    //
    Set userInitialPolicySet = paramsPKIX.getInitialPolicies();
    //
    // (d)
    // 
    TrustAnchor trust;
    try {
        trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider());
    } catch (AnnotatedException e) {
        throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1);
    }
    if (trust == null) {
        throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
    }
    //
    // (e), (f), (g) are part of the paramsPKIX object.
    //
    Iterator certIter;
    int index = 0;
    int i;
    // Certificate for each interation of the validation loop
    // Signature information for each iteration of the validation loop
    //
    // 6.1.2 - setup
    //
    //
    // (a)
    //
    List[] policyNodes = new ArrayList[n + 1];
    for (int j = 0; j < policyNodes.length; j++) {
        policyNodes[j] = new ArrayList();
    }
    Set policySet = new HashSet();
    policySet.add(RFC3280CertPathUtilities.ANY_POLICY);
    PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), RFC3280CertPathUtilities.ANY_POLICY, false);
    policyNodes[0].add(validPolicyTree);
    //
    // (b) and (c)
    //
    PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
    // (d)
    //
    int explicitPolicy;
    Set acceptablePolicies = new HashSet();
    if (paramsPKIX.isExplicitPolicyRequired()) {
        explicitPolicy = 0;
    } else {
        explicitPolicy = n + 1;
    }
    //
    // (e)
    //
    int inhibitAnyPolicy;
    if (paramsPKIX.isAnyPolicyInhibited()) {
        inhibitAnyPolicy = 0;
    } else {
        inhibitAnyPolicy = n + 1;
    }
    //
    // (f)
    //
    int policyMapping;
    if (paramsPKIX.isPolicyMappingInhibited()) {
        policyMapping = 0;
    } else {
        policyMapping = n + 1;
    }
    //
    // (g), (h), (i), (j)
    //
    PublicKey workingPublicKey;
    X500Principal workingIssuerName;
    X509Certificate sign = trust.getTrustedCert();
    try {
        if (sign != null) {
            workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
            workingPublicKey = sign.getPublicKey();
        } else {
            workingIssuerName = new X500Principal(trust.getCAName());
            workingPublicKey = trust.getCAPublicKey();
        }
    } catch (IllegalArgumentException ex) {
        throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
    }
    AlgorithmIdentifier workingAlgId = null;
    try {
        workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
    } catch (CertPathValidatorException e) {
        throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
    }
    DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId();
    DEREncodable workingPublicKeyParameters = workingAlgId.getParameters();
    //
    // (k)
    //
    int maxPathLength = n;
    if (paramsPKIX.getTargetConstraints() != null && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) {
        throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
    }
    // 
    // initialize CertPathChecker's
    //
    List pathCheckers = paramsPKIX.getCertPathCheckers();
    certIter = pathCheckers.iterator();
    while (certIter.hasNext()) {
        ((PKIXCertPathChecker) certIter.next()).init(false);
    }
    X509Certificate cert = null;
    for (index = certs.size() - 1; index >= 0; index--) {
        // BEGIN android-added
        if (isPublicKeyBlackListed(workingPublicKey)) {
            // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
            String message = "Certificate revocation of public key " + workingPublicKey;
            System.out.println(message);
            AnnotatedException e = new AnnotatedException(message);
            throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
        }
        // END android-added
        // try
        // {
        //
        // i as defined in the algorithm description
        //
        i = n - index;
        //
        // set certificate to be checked in this round
        // sign and workingPublicKey and workingIssuerName are set
        // at the end of the for loop and initialized the
        // first time from the TrustAnchor
        //
        cert = (X509Certificate) certs.get(index);
        boolean verificationAlreadyPerformed = (index == certs.size() - 1);
        //
        // 6.1.3
        //
        RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
        RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator);
        validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
        validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree);
        RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy);
        if (i != n) {
            if (cert != null && cert.getVersion() == 1) {
                throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, index);
            }
            RFC3280CertPathUtilities.prepareNextCertA(certPath, index);
            validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);
            RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator);
            // (h)
            explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy);
            policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping);
            inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy);
            //
            // (i)
            //
            explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy);
            policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping);
            // (j)
            inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy);
            // (k)
            RFC3280CertPathUtilities.prepareNextCertK(certPath, index);
            // (l)
            maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength);
            // (m)
            maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength);
            // (n)
            RFC3280CertPathUtilities.prepareNextCertN(certPath, index);
            Set criticalExtensions = cert.getCriticalExtensionOIDs();
            if (criticalExtensions != null) {
                criticalExtensions = new HashSet(criticalExtensions);
                // these extensions are handled by the algorithm
                criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
                criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
                criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
                criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
                criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
                criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
                criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
                criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
                criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
                criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
            } else {
                criticalExtensions = new HashSet();
            }
            // (o)
            RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers);
            // set signing certificate for next round
            sign = cert;
            // (c)
            workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
            // (d)
            try {
                workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index);
            } catch (CertPathValidatorException e) {
                throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
            }
            workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
            // (f)
            workingPublicKeyAlgorithm = workingAlgId.getObjectId();
            // (e)
            workingPublicKeyParameters = workingAlgId.getParameters();
        }
    }
    //
    // 6.1.5 Wrap-up procedure
    //
    explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert);
    explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy);
    //
    // (c) (d) and (e) are already done
    //
    //
    // (f)
    //
    Set criticalExtensions = cert.getCriticalExtensionOIDs();
    if (criticalExtensions != null) {
        criticalExtensions = new HashSet(criticalExtensions);
        // these extensions are handled by the algorithm
        criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
        criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
        criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
        criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
        criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
        criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
        criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
        criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
        criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS);
    } else {
        criticalExtensions = new HashSet();
    }
    RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
    PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies);
    if ((explicitPolicy > 0) || (intersection != null)) {
        return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey());
    }
    throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) ArrayList(java.util.ArrayList) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) PKIXParameters(java.security.cert.PKIXParameters) PKIXCertPathChecker(java.security.cert.PKIXCertPathChecker) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) HashSet(java.util.HashSet) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PublicKey(java.security.PublicKey) TrustAnchor(java.security.cert.TrustAnchor) DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier) X509Certificate(java.security.cert.X509Certificate) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) DEREncodable(org.bouncycastle.asn1.DEREncodable) BigInteger(java.math.BigInteger) X500Principal(javax.security.auth.x500.X500Principal)

Example 15 with PKIXCertPathValidatorResult

use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.

the class PKIXCertPathValidatorResultTest method testGetPublicKey.

/**
     * Test for <code>getPublicKey()</code> method<br>
     * Assertion: returns the subject's public key (never <code>null</code>)
     * @throws NoSuchAlgorithmException
     * @throws InvalidKeySpecException
     */
public final void testGetPublicKey() throws Exception {
    TrustAnchor ta = TestUtils.getTrustAnchor();
    if (ta == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    PublicKey pk = testPublicKey;
    PKIXCertPathValidatorResult vr = new PKIXCertPathValidatorResult(ta, null, pk);
    // must return the same reference passed
    // as a parameter to the constructor
    assertSame(pk, vr.getPublicKey());
}
Also used : PublicKey(java.security.PublicKey) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) TrustAnchor(java.security.cert.TrustAnchor)

Aggregations

PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)20 TrustAnchor (java.security.cert.TrustAnchor)13 CertPath (java.security.cert.CertPath)7 CertPathValidator (java.security.cert.CertPathValidator)7 X509Certificate (java.security.cert.X509Certificate)7 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)6 CertPathValidatorException (java.security.cert.CertPathValidatorException)5 CertificateFactory (java.security.cert.CertificateFactory)5 PKIXParameters (java.security.cert.PKIXParameters)5 HashSet (java.util.HashSet)5 PublicKey (java.security.PublicKey)4 ArrayList (java.util.ArrayList)4 Iterator (java.util.Iterator)4 CertPathBuilderException (java.security.cert.CertPathBuilderException)3 CertPathBuilderResult (java.security.cert.CertPathBuilderResult)3 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)3 BigInteger (java.math.BigInteger)2 CertPathBuilder (java.security.cert.CertPathBuilder)2 CertPathValidatorResult (java.security.cert.CertPathValidatorResult)2 CertificateException (java.security.cert.CertificateException)2