Example 11 with PKIXCertPathValidatorResult
use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.
the class PKIXCertPathValidatorResultTest method testPKIXCertPathValidatorResult03.
/**
* Test #3 for <code>PKIXCertPathValidatorResult(TrustAnchor,
* PolicyNode, PublicKey)</code> constructor<br>
* Assertion: <code>NullPointerException</code> if
* <code>PublicKey</code> parameter is <code>null</code>
*/
public final void testPKIXCertPathValidatorResult03() {
TrustAnchor ta = TestUtils.getTrustAnchor();
if (ta == null) {
fail(getName() + ": not performed (could not create test TrustAnchor)");
}
try {
// pass null
new PKIXCertPathValidatorResult(ta, TestUtils.getPolicyTree(), null);
fail("NPE expected");
} catch (NullPointerException e) {
}
}
Also used :
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
TrustAnchor(java.security.cert.TrustAnchor)
Example 12 with PKIXCertPathValidatorResult
use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.
the class CertificateTest method testVerifyMD2_chain.
public void testVerifyMD2_chain() throws Exception {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
// First check with the trust anchor not included in the chain
CertPath path = certificateFactory.generateCertPath(getCertList(true, false));
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = createPKIXParams();
CertPathValidatorResult res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
// Now check with the trust anchor included in the chain
path = certificateFactory.generateCertPath(getCertList(true, true));
certPathValidator = CertPathValidator.getInstance("PKIX");
params = createPKIXParams();
if (StandardNames.IS_RI) {
res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
} else {
try {
certPathValidator.validate(path, params);
fail();
} catch (CertPathValidatorException expected) {
}
}
}
Also used :
CertPathValidator(java.security.cert.CertPathValidator)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertificateFactory(java.security.cert.CertificateFactory)
Example 13 with PKIXCertPathValidatorResult
use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.
the class CertificateTest method testVerifyMD5_chain.
public void testVerifyMD5_chain() throws Exception {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
// First check with the trust anchor not included in the chain
CertPath path = certificateFactory.generateCertPath(getCertList(false, false));
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = createPKIXParams();
CertPathValidatorResult res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
// Now check with the trust anchor included in the chain
path = certificateFactory.generateCertPath(getCertList(false, true));
certPathValidator = CertPathValidator.getInstance("PKIX");
params = createPKIXParams();
res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
}
Also used :
CertPathValidator(java.security.cert.CertPathValidator)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertificateFactory(java.security.cert.CertificateFactory)
Example 14 with PKIXCertPathValidatorResult
use of java.security.cert.PKIXCertPathValidatorResult in project XobotOS by xamarin.
the class PKIXCertPathValidatorSpi method engineValidate.
// END android-added
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException {
if (!(params instanceof PKIXParameters)) {
throw new InvalidAlgorithmParameterException("Parameters must be a " + PKIXParameters.class.getName() + " instance.");
}
ExtendedPKIXParameters paramsPKIX;
if (params instanceof ExtendedPKIXParameters) {
paramsPKIX = (ExtendedPKIXParameters) params;
} else {
paramsPKIX = ExtendedPKIXParameters.getInstance((PKIXParameters) params);
}
if (paramsPKIX.getTrustAnchors() == null) {
throw new InvalidAlgorithmParameterException("trustAnchors is null, this is not allowed for certification path validation.");
}
//
// 6.1.1 - inputs
//
//
// (a)
//
List certs = certPath.getCertificates();
int n = certs.size();
if (certs.isEmpty()) {
throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0);
}
// BEGIN android-added
{
X509Certificate cert = (X509Certificate) certs.get(0);
if (cert != null) {
BigInteger serial = cert.getSerialNumber();
if (serial != null && SERIAL_BLACKLIST.contains(serial)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of serial 0x" + serial.toString(16);
System.out.println(message);
AnnotatedException e = new AnnotatedException(message);
throw new CertPathValidatorException(e.getMessage(), e, certPath, 0);
}
}
}
// END android-added
//
// (b)
//
// Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
//
// (c)
//
Set userInitialPolicySet = paramsPKIX.getInitialPolicies();
//
// (d)
//
TrustAnchor trust;
try {
trust = CertPathValidatorUtilities.findTrustAnchor((X509Certificate) certs.get(certs.size() - 1), paramsPKIX.getTrustAnchors(), paramsPKIX.getSigProvider());
} catch (AnnotatedException e) {
throw new CertPathValidatorException(e.getMessage(), e, certPath, certs.size() - 1);
}
if (trust == null) {
throw new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1);
}
//
// (e), (f), (g) are part of the paramsPKIX object.
//
Iterator certIter;
int index = 0;
int i;
// Certificate for each interation of the validation loop
// Signature information for each iteration of the validation loop
//
// 6.1.2 - setup
//
//
// (a)
//
List[] policyNodes = new ArrayList[n + 1];
for (int j = 0; j < policyNodes.length; j++) {
policyNodes[j] = new ArrayList();
}
Set policySet = new HashSet();
policySet.add(RFC3280CertPathUtilities.ANY_POLICY);
PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0, policySet, null, new HashSet(), RFC3280CertPathUtilities.ANY_POLICY, false);
policyNodes[0].add(validPolicyTree);
//
// (b) and (c)
//
PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
// (d)
//
int explicitPolicy;
Set acceptablePolicies = new HashSet();
if (paramsPKIX.isExplicitPolicyRequired()) {
explicitPolicy = 0;
} else {
explicitPolicy = n + 1;
}
//
// (e)
//
int inhibitAnyPolicy;
if (paramsPKIX.isAnyPolicyInhibited()) {
inhibitAnyPolicy = 0;
} else {
inhibitAnyPolicy = n + 1;
}
//
// (f)
//
int policyMapping;
if (paramsPKIX.isPolicyMappingInhibited()) {
policyMapping = 0;
} else {
policyMapping = n + 1;
}
//
// (g), (h), (i), (j)
//
PublicKey workingPublicKey;
X500Principal workingIssuerName;
X509Certificate sign = trust.getTrustedCert();
try {
if (sign != null) {
workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
workingPublicKey = sign.getPublicKey();
} else {
workingIssuerName = new X500Principal(trust.getCAName());
workingPublicKey = trust.getCAPublicKey();
}
} catch (IllegalArgumentException ex) {
throw new ExtCertPathValidatorException("Subject of trust anchor could not be (re)encoded.", ex, certPath, -1);
}
AlgorithmIdentifier workingAlgId = null;
try {
workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
} catch (CertPathValidatorException e) {
throw new ExtCertPathValidatorException("Algorithm identifier of public key of trust anchor could not be read.", e, certPath, -1);
}
DERObjectIdentifier workingPublicKeyAlgorithm = workingAlgId.getObjectId();
DEREncodable workingPublicKeyParameters = workingAlgId.getParameters();
//
// (k)
//
int maxPathLength = n;
if (paramsPKIX.getTargetConstraints() != null && !paramsPKIX.getTargetConstraints().match((X509Certificate) certs.get(0))) {
throw new ExtCertPathValidatorException("Target certificate in certification path does not match targetConstraints.", null, certPath, 0);
}
//
// initialize CertPathChecker's
//
List pathCheckers = paramsPKIX.getCertPathCheckers();
certIter = pathCheckers.iterator();
while (certIter.hasNext()) {
((PKIXCertPathChecker) certIter.next()).init(false);
}
X509Certificate cert = null;
for (index = certs.size() - 1; index >= 0; index--) {
// BEGIN android-added
if (isPublicKeyBlackListed(workingPublicKey)) {
// emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
String message = "Certificate revocation of public key " + workingPublicKey;
System.out.println(message);
AnnotatedException e = new AnnotatedException(message);
throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
}
// END android-added
// try
// {
//
// i as defined in the algorithm description
//
i = n - index;
//
// set certificate to be checked in this round
// sign and workingPublicKey and workingIssuerName are set
// at the end of the for loop and initialized the
// first time from the TrustAnchor
//
cert = (X509Certificate) certs.get(index);
boolean verificationAlreadyPerformed = (index == certs.size() - 1);
//
// 6.1.3
//
RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, index, workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator);
validPolicyTree = RFC3280CertPathUtilities.processCertD(certPath, index, acceptablePolicies, validPolicyTree, policyNodes, inhibitAnyPolicy);
validPolicyTree = RFC3280CertPathUtilities.processCertE(certPath, index, validPolicyTree);
RFC3280CertPathUtilities.processCertF(certPath, index, validPolicyTree, explicitPolicy);
if (i != n) {
if (cert != null && cert.getVersion() == 1) {
throw new CertPathValidatorException("Version 1 certificates can't be used as CA ones.", null, certPath, index);
}
RFC3280CertPathUtilities.prepareNextCertA(certPath, index);
validPolicyTree = RFC3280CertPathUtilities.prepareCertB(certPath, index, policyNodes, validPolicyTree, policyMapping);
RFC3280CertPathUtilities.prepareNextCertG(certPath, index, nameConstraintValidator);
// (h)
explicitPolicy = RFC3280CertPathUtilities.prepareNextCertH1(certPath, index, explicitPolicy);
policyMapping = RFC3280CertPathUtilities.prepareNextCertH2(certPath, index, policyMapping);
inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertH3(certPath, index, inhibitAnyPolicy);
//
// (i)
//
explicitPolicy = RFC3280CertPathUtilities.prepareNextCertI1(certPath, index, explicitPolicy);
policyMapping = RFC3280CertPathUtilities.prepareNextCertI2(certPath, index, policyMapping);
// (j)
inhibitAnyPolicy = RFC3280CertPathUtilities.prepareNextCertJ(certPath, index, inhibitAnyPolicy);
// (k)
RFC3280CertPathUtilities.prepareNextCertK(certPath, index);
// (l)
maxPathLength = RFC3280CertPathUtilities.prepareNextCertL(certPath, index, maxPathLength);
// (m)
maxPathLength = RFC3280CertPathUtilities.prepareNextCertM(certPath, index, maxPathLength);
// (n)
RFC3280CertPathUtilities.prepareNextCertN(certPath, index);
Set criticalExtensions = cert.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
// these extensions are handled by the algorithm
criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
} else {
criticalExtensions = new HashSet();
}
// (o)
RFC3280CertPathUtilities.prepareNextCertO(certPath, index, criticalExtensions, pathCheckers);
// set signing certificate for next round
sign = cert;
// (c)
workingIssuerName = CertPathValidatorUtilities.getSubjectPrincipal(sign);
// (d)
try {
workingPublicKey = CertPathValidatorUtilities.getNextWorkingKey(certPath.getCertificates(), index);
} catch (CertPathValidatorException e) {
throw new CertPathValidatorException("Next working key could not be retrieved.", e, certPath, index);
}
workingAlgId = CertPathValidatorUtilities.getAlgorithmIdentifier(workingPublicKey);
// (f)
workingPublicKeyAlgorithm = workingAlgId.getObjectId();
// (e)
workingPublicKeyParameters = workingAlgId.getParameters();
}
}
//
// 6.1.5 Wrap-up procedure
//
explicitPolicy = RFC3280CertPathUtilities.wrapupCertA(explicitPolicy, cert);
explicitPolicy = RFC3280CertPathUtilities.wrapupCertB(certPath, index + 1, explicitPolicy);
//
// (c) (d) and (e) are already done
//
//
// (f)
//
Set criticalExtensions = cert.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
// these extensions are handled by the algorithm
criticalExtensions.remove(RFC3280CertPathUtilities.KEY_USAGE);
criticalExtensions.remove(RFC3280CertPathUtilities.CERTIFICATE_POLICIES);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_MAPPINGS);
criticalExtensions.remove(RFC3280CertPathUtilities.INHIBIT_ANY_POLICY);
criticalExtensions.remove(RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT);
criticalExtensions.remove(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
criticalExtensions.remove(RFC3280CertPathUtilities.POLICY_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.BASIC_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME);
criticalExtensions.remove(RFC3280CertPathUtilities.NAME_CONSTRAINTS);
criticalExtensions.remove(RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS);
} else {
criticalExtensions = new HashSet();
}
RFC3280CertPathUtilities.wrapupCertF(certPath, index + 1, pathCheckers, criticalExtensions);
PKIXPolicyNode intersection = RFC3280CertPathUtilities.wrapupCertG(certPath, paramsPKIX, userInitialPolicySet, index + 1, policyNodes, validPolicyTree, acceptablePolicies);
if ((explicitPolicy > 0) || (intersection != null)) {
return new PKIXCertPathValidatorResult(trust, intersection, cert.getPublicKey());
}
throw new CertPathValidatorException("Path processing failed on policy.", null, certPath, index);
}
Also used :
HashSet(java.util.HashSet)
Set(java.util.Set)
ArrayList(java.util.ArrayList)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathChecker(java.security.cert.PKIXCertPathChecker)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
HashSet(java.util.HashSet)
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
PublicKey(java.security.PublicKey)
TrustAnchor(java.security.cert.TrustAnchor)
DERObjectIdentifier(org.bouncycastle.asn1.DERObjectIdentifier)
X509Certificate(java.security.cert.X509Certificate)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
ExtendedPKIXParameters(org.bouncycastle.x509.ExtendedPKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
DEREncodable(org.bouncycastle.asn1.DEREncodable)
BigInteger(java.math.BigInteger)
X500Principal(javax.security.auth.x500.X500Principal)
Example 15 with PKIXCertPathValidatorResult
use of java.security.cert.PKIXCertPathValidatorResult in project robovm by robovm.
the class PKIXCertPathValidatorResultTest method testGetPublicKey.
/**
* Test for <code>getPublicKey()</code> method<br>
* Assertion: returns the subject's public key (never <code>null</code>)
* @throws NoSuchAlgorithmException
* @throws InvalidKeySpecException
*/
public final void testGetPublicKey() throws Exception {
TrustAnchor ta = TestUtils.getTrustAnchor();
if (ta == null) {
fail(getName() + ": not performed (could not create test TrustAnchor)");
}
PublicKey pk = testPublicKey;
PKIXCertPathValidatorResult vr = new PKIXCertPathValidatorResult(ta, null, pk);
// must return the same reference passed
// as a parameter to the constructor
assertSame(pk, vr.getPublicKey());
}
Also used :
PublicKey(java.security.PublicKey)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
TrustAnchor(java.security.cert.TrustAnchor)
Aggregations
PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)20
TrustAnchor (java.security.cert.TrustAnchor)13
CertPath (java.security.cert.CertPath)7
CertPathValidator (java.security.cert.CertPathValidator)7
X509Certificate (java.security.cert.X509Certificate)7
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)6
CertPathValidatorException (java.security.cert.CertPathValidatorException)5
CertificateFactory (java.security.cert.CertificateFactory)5
PKIXParameters (java.security.cert.PKIXParameters)5
HashSet (java.util.HashSet)5
PublicKey (java.security.PublicKey)4
ArrayList (java.util.ArrayList)4
Iterator (java.util.Iterator)4
CertPathBuilderException (java.security.cert.CertPathBuilderException)3
CertPathBuilderResult (java.security.cert.CertPathBuilderResult)3
PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)3
BigInteger (java.math.BigInteger)2
CertPathBuilder (java.security.cert.CertPathBuilder)2
CertPathValidatorResult (java.security.cert.CertPathValidatorResult)2
CertificateException (java.security.cert.CertificateException)2
