java.security.cert.CertPathParameters Java Examples

public CertPathValidatorResult engineValidate(CertPath certPath,
        CertPathParameters params) throws CertPathValidatorException,
        InvalidAlgorithmParameterException {
    ++sw;
    if (certPath == null) {
        if ((sw % 2) == 0) {
            throw new CertPathValidatorException("certPath null");
        }
    }
    if (params == null) {
        if ((sw % 3) == 0) {
            throw new InvalidAlgorithmParameterException("params null");
        }
    }
    return null;
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @param revocationEnabled Should the JSSE provider perform revocation
 *                          checks? Ignored if {@code crlf} is non-null.
 *                          Configuration of revocation checks are expected
 *                          to be via proprietary JSSE provider methods.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception An error occurred
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
        boolean revocationEnabled) throws Exception {

    PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    if (crlf != null && crlf.length() > 0) {
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
    } else {
        xparams.setRevocationEnabled(revocationEnabled);
    }
    xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return xparams;
}
 

/**
 * 
 */
private CertPathParameters getCertPathParameters(KeyStore keystore)
  throws GeneralSecurityException
{
  HashSet<TrustAnchor> tas = new HashSet<TrustAnchor>();
  for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements(); ) {
    String name = e.nextElement();
    Certificate c = keystore.getCertificate(name);
    if (c != null) {
      if (trustKeys || keystore.isCertificateEntry(name)) {
        tas.add(new TrustAnchor((X509Certificate)c, null)); 
      }
    }
  }
  PKIXParameters p = new PKIXParameters(tas);
  // NYI! Handle CRLs
  p.setRevocationEnabled(false);
  if (validationDate != null) {
    p.setDate(validationDate);
  }
  return p;
}
 

/**
 * Check if a certificate chain is to be trusted.
 *
 * @return true, if validator trusts certificate chain, otherwise false.
 */
public boolean validateCertificateChain(List<X509Certificate> chain) {
  if (keystore == null) {
    return false;
  }
  try {
    CertPath c = getCertificateFactory().generateCertPath(chain);
    CertPathValidator cpv = getCertPathValidator();
    CertPathParameters params = getCertPathParameters(keystore);
    cpv.validate(c, params);
  } catch (GeneralSecurityException gse) {
    if (debug.certificates) {
      debug.printStackTrace("Failed to validate cert", gse);
    }
    // NYI! Log this?
    return false;
  }
  return true;
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlFilename The path to the CRL file.
 * @param maxCertificateChainLength Optional maximum cert chain length.
 * @param trustStore The configured TrustStore.
 *
 * @return The parameters including the TrustStore and any CRLs.
 *
 * @throws InvalidAlgorithmParameterException
 * @throws KeyStoreException
 * @throws IOException
 * @throws CertificateException
 * @throws CRLException
 * @throws NoSuchAlgorithmException
 */
protected static CertPathParameters getParameters(String algorithm,
                                                  String crlFilename,
                                                  Integer maxCertificateChainLength,
                                                  KeyStore trustStore)
    throws KeyStoreException, InvalidAlgorithmParameterException, CRLException, CertificateException, IOException, NoSuchAlgorithmException
{
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlFilename);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);

        if(maxCertificateChainLength != null)
            xparams.setMaxPathLength(maxCertificateChainLength.intValue());

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    return params;
}
 

/**
 * Test for <code>CertPathBuilderSpi</code> constructor Assertion:
 * constructs CertPathBuilderSpi
 */
public void testCertPathBuilderSpi01() throws CertPathBuilderException,
        InvalidAlgorithmParameterException {
    CertPathBuilderSpi certPathBuilder = new MyCertPathBuilderSpi();
    CertPathParameters cpp = null;
    try {
        certPathBuilder.engineBuild(cpp);
        fail("CertPathBuilderException must be thrown");
    } catch (CertPathBuilderException e) {
    }
    CertPathBuilderResult cpbResult = certPathBuilder.engineBuild(cpp);
    assertNull("Not null CertPathBuilderResult", cpbResult);
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params)
        throws CertPathBuilderException, InvalidAlgorithmParameterException {
    swi++;
    if ((params == null) && ((swi %2 ) != 0)) {
        throw new CertPathBuilderException("Null parameter");
    }
    return null;
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 */
protected CertPathParameters getParameters(String algorithm,
                                            String crlf,
                                            KeyStore trustStore)
    throws Exception {
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
        String trustLength = endpoint.getTrustMaxCertLength();
        if(trustLength != null) {
            try {
                xparams.setMaxPathLength(Integer.parseInt(trustLength));
            } catch(Exception ex) {
                log.warn("Bad maxCertLength: "+trustLength);
            }
        }

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    return params;
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 */
protected CertPathParameters getParameters(String algorithm,
                                            String crlf,
                                            KeyStore trustStore)
    throws Exception {
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
        String trustLength = endpoint.getTrustMaxCertLength();
        if(trustLength != null) {
            try {
                xparams.setMaxPathLength(Integer.parseInt(trustLength));
            } catch(Exception ex) {
                log.warn("Bad maxCertLength: "+trustLength);
            }
        }

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    return params;
}
 

/**
 * Gets an array of TrustManagers for the specified trust store
 * and optional CRL file.
 *
 * @param trustStoreFilename
 * @param trustStorePassword
 * @param trustStoreType
 * @param trustStoreProvider
 * @param trustStoreAlgorithm
 * @param maxCertificatePathLength
 * @param crlFilename
 *
 * @return An array of TrustManagers
 *
 * @throws IOException
 * @throws KeyStoreException
 * @throws NoSuchProviderException
 * @throws NoSuchAlgorithmException
 * @throws CertificateException
 * @throws InvalidAlgorithmParameterException
 * @throws CRLException
 */
protected static TrustManager[] getTrustManagers(String trustStoreFilename,
                                                 String trustStorePassword,
                                                 String trustStoreType,
                                                 String trustStoreProvider,
                                                 String trustStoreAlgorithm,
                                                 Integer maxCertificatePathLength,
                                                 String crlFilename)
    throws IOException, KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, InvalidAlgorithmParameterException, CRLException
{
    KeyStore trustStore = getStore(trustStoreFilename,
                                   trustStorePassword,
                                   trustStoreType,
                                   trustStoreProvider);

    if(null == trustStoreAlgorithm)
        trustStoreAlgorithm = TrustManagerFactory.getDefaultAlgorithm();

    TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(trustStoreAlgorithm);
    if (null == crlFilename)
    {
        tmf.init(trustStore);
    }
    else
    {
        CertPathParameters params =
            getParameters(trustStoreAlgorithm,
                          crlFilename,
                          maxCertificatePathLength,
                          trustStore);

        ManagerFactoryParameters mfp =
            new CertPathTrustManagerParameters(params);

        tmf.init(mfp);
    }

    return tmf.getTrustManagers();
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

private CertPathParameters getParameters(KeyStore trustStore)
{
    try
    {
        final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        parameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
        if (_certificateRevocationCheckEnabled)
        {
            if (_certificateRevocationListUrl != null)
            {
                parameters.addCertStore(
                        CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
            }
            final PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker();
            final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
            if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
            {
                options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            }
            if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
            {
                options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            }
            if (_certificateRevocationCheckWithNoFallback)
            {
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            }
            if (_certificateRevocationCheckWithIgnoringSoftFailures)
            {
                options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
            }
            revocationChecker.setOptions(options);
            parameters.addCertPathChecker(revocationChecker);
        }
        return parameters;
    }
    catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
    {
        throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
                getName() + "' :" + e, e);
    }
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

/**
 * Validates an attribute certificate with the given certificate path.
 * 
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Obey that also target informations may be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * 
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
                + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    Set trustedACIssuers = new HashSet();

    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);

        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;

            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }

        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        paramsPKIX = (PKIXExtendedParameters)params;
    }

    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
                + X509AttributeCertStoreSelector.class.getName() + " for "
                + this.getClass().getName() + " class.");
    }

    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();

    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
 

/**
 * Validates an attribute certificate with the given certificate path.
 * 
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Obey that also target informations may be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * 
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
                + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    Set trustedACIssuers = new HashSet();

    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);

        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;

            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }

        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        paramsPKIX = (PKIXExtendedParameters)params;
    }

    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
                + X509AttributeCertStoreSelector.class.getName() + " for "
                + this.getClass().getName() + " class.");
    }

    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();

    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
 

/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. The parameters are cloned to protect against subsequent
 * modification.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    this.parameters = (CertPathParameters)parameters.clone();
}
 

/**
 * Return a clone of the CertPathParameters encapsulated by this class.
 *
 * @return a clone of the CertPathParameters encapsulated by this class.
 */
public CertPathParameters getParameters() {
    return (CertPathParameters)parameters.clone();
}
 

/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. The parameters are cloned to protect against subsequent
 * modification.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    this.parameters = (CertPathParameters)parameters.clone();
}
 

/**
 * Return a clone of the CertPathParameters encapsulated by this class.
 *
 * @return a clone of the CertPathParameters encapsulated by this class.
 */
public CertPathParameters getParameters() {
    return (CertPathParameters)parameters.clone();
}