
Example 81 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

Class TrustAnchorTest, method testTrustAnchorX500PrincipalPublicKeybyteArray02.

/**
 * Test #2 for the {@code TrustAnchor(X500Principal, PublicKey, byte[])} constructor.
 * <p>
 * Assertion: an instance is created when {@code null} is passed as the encoded
 * name constraints. {@code null} means "no name constraints", so the constructor
 * must accept it without throwing; any exception is the failure signal.
 *
 * @throws Exception if building the test key pair or the anchor fails
 */
public final void testTrustAnchorX500PrincipalPublicKeybyteArray02() throws Exception {
    PublicKey caKey = new TestKeyPair(keyAlg).getPublic();
    X500Principal caName = new X500Principal(validCaNameRfc2253);
    // Construction alone is what is under test; the result is not inspected.
    new TrustAnchor(caName, caKey, null);
}

Example 82 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

Class CertPathValidatorUtilities, method findTrustAnchor.

/**
 * Locates the trust anchor that issued {@code cert}.
 * <p>
 * Candidates are first matched by name: an anchor carrying a trusted
 * certificate matches when that certificate's subject equals the issuer of
 * {@code cert}; an anchor given as CA name plus public key matches when the
 * CA name equals the issuer. A name match alone never selects an anchor: the
 * certificate's signature is then verified against the candidate's public
 * key, so an anchor whose subject DN collides with the issuer but whose key
 * differs is skipped rather than returned. The first candidate whose key
 * verifies the signature wins.
 * <p>
 * NOTE(review): only issuer-name matching and signature verification happen
 * here. Validity period, name constraints and the remaining PKIX checks on
 * the anchor or the certificate are the caller's responsibility.
 *
 * @param cert         the X509 certificate whose issuer is sought
 * @param trustAnchors a {@code Set} of {@code TrustAnchor} (raw type, as in
 *                     the surrounding API)
 * @param sigProvider  JCA provider used for signature verification, or
 *                     {@code null} for the default provider
 * @return the matching {@code TrustAnchor}, or {@code null} if no anchor
 *         matches {@code cert}'s issuer by name
 * @throws AnnotatedException if the issuer name cannot be installed as a
 *         selector criterion, or if at least one anchor matched by name but
 *         none verified the signature (the cause is the most recent
 *         verification failure)
 */
protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider) throws AnnotatedException {
    X500Principal issuer = getEncodedIssuerPrincipal(cert);
    X509CertSelector bySubject = new X509CertSelector();
    try {
        bySubject.setSubject(issuer.getEncoded());
    } catch (IOException ex) {
        throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
    }
    // Most recent signature failure; only surfaced if nothing verifies.
    Exception lastVerifyFailure = null;
    for (Iterator iter = trustAnchors.iterator(); iter.hasNext(); ) {
        TrustAnchor candidate = (TrustAnchor) iter.next();
        PublicKey candidateKey = null;
        X509Certificate anchorCert = candidate.getTrustedCert();
        if (anchorCert != null) {
            // Certificate-backed anchor: its subject must equal cert's issuer.
            if (bySubject.match(anchorCert)) {
                candidateKey = anchorCert.getPublicKey();
            }
        } else if (candidate.getCAName() != null && candidate.getCAPublicKey() != null) {
            // Name+key anchor: compare the CA name as an X500Principal so the
            // comparison uses canonical DN form rather than raw strings.
            try {
                if (issuer.equals(new X500Principal(candidate.getCAName()))) {
                    candidateKey = candidate.getCAPublicKey();
                }
            } catch (IllegalArgumentException ex) {
                // Unparseable CA name: this anchor cannot match anything.
            }
        }
        if (candidateKey == null) {
            continue;
        }
        // Name matched; the key must actually have signed the certificate.
        try {
            verifyX509Certificate(cert, candidateKey, sigProvider);
            return candidate;
        } catch (Exception ex) {
            lastVerifyFailure = ex;
        }
    }
    if (lastVerifyFailure != null) {
        throw new AnnotatedException("TrustAnchor found but certificate validation failed.", lastVerifyFailure);
    }
    return null;
}

Example 83 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

Class TrustManagerImpl, method cleanupCertChainAndFindTrustAnchors.

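/**
 * Reorders and truncates a peer-supplied certificate chain and records the
 * trust anchor, if one is found, in {@code trustAnchors}.
 * <p>
 * In theory no cleanup should be needed, but deployed servers commonly send
 * out-of-order chains, an expired self-issued root, or CAs with unsupported
 * signature algorithms such as md2WithRSAEncryption. Cross-signed "bridge"
 * CA certificates appended for legacy clients are dropped once a locally
 * installed anchor is reached in the chain, so nothing the peer sends after
 * that point takes part in path validation.
 * <p>
 * The input array is never mutated (it may come straight from an
 * SSLSession); a copy is made only when a swap or truncation is needed.
 *
 * @param chain        the chain as received from the peer, leaf
 *                     (server or client cert) first. NOTE(review): assumed
 *                     non-empty — an empty array would be indexed in step 2,
 *                     so the caller is expected to have rejected null or
 *                     zero-length chains before calling; confirm.
 * @param trustAnchors output set; the located anchor, if any, is added to it.
 *                     Step 4 only runs when this set is empty after step 2.
 * @return the cleaned chain, leaf first, ending just before the first
 *         element that is itself a trust anchor
 */
private X509Certificate[] cleanupCertChainAndFindTrustAnchors(X509Certificate[] chain, Set<TrustAnchor> trustAnchors) {
    X509Certificate[] original = chain;
    // 1. Put the received certificates in issuer order: each element must
    //    have been issued by the one that follows it.
    int currIndex;
    for (currIndex = 0; currIndex < chain.length; currIndex++) {
        // Walk the rest of the chain for a subject equal to this cert's
        // issuer. In a properly ordered chain it is the next cert and the
        // search is fast; otherwise we reorder to what the validator expects.
        // DNs are compared via getIssuerX500Principal()/getSubjectX500Principal():
        // these are the specified (non-denigrated) accessors and X500Principal
        // compares the canonical DN form, whereas the Principal returned by
        // getIssuerDN()/getSubjectDN() has implementation-defined equals.
        boolean foundNext = false;
        for (int nextIndex = currIndex + 1; nextIndex < chain.length; nextIndex++) {
            if (chain[currIndex].getIssuerX500Principal().equals(chain[nextIndex].getSubjectX500Principal())) {
                foundNext = true;
                // Swap so that 0 through currIndex + 1 are in order; no copy
                // is made when the issuer already sits at currIndex + 1.
                if (nextIndex != currIndex + 1) {
                    // Copy-on-write: don't mutate the caller's array.
                    if (chain == original) {
                        chain = original.clone();
                    }
                    X509Certificate tempCertificate = chain[nextIndex];
                    chain[nextIndex] = chain[currIndex + 1];
                    chain[currIndex + 1] = tempCertificate;
                }
                break;
            }
        }
        // No issuer present for this element: the usable chain ends here.
        if (!foundNext) {
            break;
        }
    }
    // 2. Find the trust anchor in the chain, if any. Stopping at the first
    //    element that is itself an installed anchor (matched by subject and
    //    public key) discards any trailing "bridge" CA certs.
    int anchorIndex;
    for (anchorIndex = 0; anchorIndex <= currIndex; anchorIndex++) {
        TrustAnchor trustAnchor = findTrustAnchorBySubjectAndPublicKey(chain[anchorIndex]);
        if (trustAnchor != null) {
            trustAnchors.add(trustAnchor);
            break;
        }
    }
    // 3. Truncate to the certificates before the anchor (or keep the whole
    //    ordered prefix when no anchor was found inside the chain).
    int chainLength = anchorIndex;
    X509Certificate[] newChain = ((chainLength == chain.length) ? chain : Arrays.copyOf(chain, chainLength));
    // 4. No anchor inside the chain: look one up by the issuer of the last
    //    certificate. anchorIndex is at least 1 here for a non-empty chain,
    //    because step 2 ran at least once and an anchor at index 0 would have
    //    populated trustAnchors.
    if (trustAnchors.isEmpty()) {
        TrustAnchor trustAnchor = findTrustAnchorByIssuerAndSignature(newChain[anchorIndex - 1]);
        if (trustAnchor != null) {
            trustAnchors.add(trustAnchor);
        }
    }
    return newChain;
}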

Example 84 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

Class TrustManagerImpl, method findTrustAnchorByIssuerAndSignature.

/**
 * Resolves the trust anchor that issued {@code lastCert}, the final
 * certificate of a cleaned-up chain.
 * <p>
 * The in-memory {@code trustedCertificateIndex} is consulted first. If it has
 * no hit and a {@code trustedCertificateStore} is configured, the store is
 * asked for the issuer; a certificate it returns is added to the index (so
 * later lookups are served from memory) and the resulting anchor is returned.
 * <p>
 * NOTE(review): the name {@code findByIssuerAndSignature} suggests the index
 * checks that the candidate actually signed {@code lastCert}; whether
 * {@code trustedCertificateStore.findIssuer} does the same is not visible
 * here — confirm before relying on it.
 *
 * @param lastCert the last certificate in the chain
 * @return the anchor, or {@code null} if neither the index nor the store
 *         knows an issuer for {@code lastCert}
 */
private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert) {
    TrustAnchor fromIndex = trustedCertificateIndex.findByIssuerAndSignature(lastCert);
    if (fromIndex != null || trustedCertificateStore == null) {
        // Either a hit, or no key store to fall back to.
        return fromIndex;
    }
    // The issuer of the last cert seems to be missing from the index;
    // consult the key store and cache any hit in the index.
    X509Certificate storeIssuer = trustedCertificateStore.findIssuer(lastCert);
    return (storeIssuer == null) ? null : trustedCertificateIndex.index(storeIssuer);
}

Example 85 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

Class TrustedCertificateIndex, method index.

/**
 * Adds {@code anchor} to the subject index.
 * <p>
 * The index key is the anchor's subject: the subject of its trusted
 * certificate when it has one, otherwise the CA name it was constructed with
 * (per the {@code TrustAnchor} constructor contract, an anchor built without
 * a certificate carries a non-null CA name). Several anchors may share a
 * subject (e.g. a re-keyed root), so the value is a list and existing
 * entries are never replaced. Writers synchronize on the map itself.
 *
 * @param anchor the trust anchor to index
 */
public void index(TrustAnchor anchor) {
    X509Certificate trustedCert = anchor.getTrustedCert();
    X500Principal subject = (trustedCert != null)
            ? trustedCert.getSubjectX500Principal()
            : anchor.getCA();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> bucket = subjectToTrustAnchors.get(subject);
        if (bucket == null) {
            // First anchor for this subject: most subjects have exactly one.
            bucket = new ArrayList<TrustAnchor>(1);
            subjectToTrustAnchors.put(subject, bucket);
        }
        bucket.add(anchor);
    }
}
