Java Code Examples for java.security.cert.X509CertSelector#setCertificateValid()

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

/**
 * Validate certificate path. As it is exception, no checks against revocation or time validity are done but path
 * still have to be validated in order to find connection between certificate presented by server and root CA in
 * KeyStore
 * 
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {

    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as it exceptions list
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // no checks against revocation as it is exception
    parameters.setRevocationEnabled(false);

    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
            .validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    } else {
        Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
    }

}
 

private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, 12, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}
 

/**
 * Validate certificate path
 * 
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector certSelector = new X509CertSelector();

    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);

    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);

    // will use PKIXRevocationChecker (or nothing if revocation mechanisms are
    // disabled) instead of the default revocation checker
    parameters.setRevocationEnabled(false);   

    // if revoked certificates aren't accepted, but no revocation checks then only
    // certificates from blacklist will be rejected
    if (acceptRevoked == false) {
        
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();

        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // if soft fail isn't enabled then OCSP or CRL must pass validation, in case
        // when any of them cannot be validated verification will fail, if soft fail
        // is enabled then in case of network issues revocation checking is omitted
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // check OCSP, CRL serve as backup
        if (checkOCSP && checkCRL) {
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // check only CRL, if CRL fail then there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
                    
    }
    
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();

        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
                .validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check if all certificates in path have Basic Constraints, only certificate that isn't required to have
        // this extension is last certificate: root CA
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        Log.warning("Certificate was revoked", e);
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    break;
                }
            }
        }
        throw new CertificateException("Certificate was revoked");
    }
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}
 

private Collection<X509Certificate> getMatchingCACerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertificateException, CertStoreException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     */
    X509CertSelector sel = new X509CertSelector();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Match on target subject name (checks that current cert's
     * name constraints permit it to certify target).
     * (4 is the integer type for DIRECTORY name).
     */
    byte[] subject = targetCertConstraints.getSubjectAsBytes();
    if (subject != null) {
        sel.addPathToName(4, subject);
    } else {
        X509Certificate cert = targetCertConstraints.getCertificate();
        if (cert != null) {
            sel.addPathToName(4,
                              cert.getSubjectX500Principal().getEncoded());
        }
    }

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
                            null, null);
      sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require CA certs
     */
    sel.setBasicConstraints(0);

    /* Retrieve matching certs from CertStores */
    ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
    addMatchingCerts(sel, certStores, reverseCerts, true);

    /* Sort remaining certs using name constraints */
    Collections.sort(reverseCerts, new PKIXCertComparator());

    if (debug != null)
        debug.println("ReverseBuilder.getMatchingCACerts got " +
                      reverseCerts.size() + " certs.");
    return reverseCerts;
}
 

private Collection<X509Certificate> getMatchingEECerts
    (ReverseState currentState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException {

    /*
     * Compose a CertSelector to filter out
     * certs which do not satisfy requirements.
     *
     * First, retrieve clone of current target cert constraints, and
     * then add more selection criteria based on current validation state.
     */
    X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();

    /*
     * Match on issuer (subject of previous cert)
     */
    sel.setIssuer(currentState.subjectDN);

    /*
     * Match on certificate validity date.
     */
    sel.setCertificateValid(buildParams.date());

    /*
     * Policy processing optimizations
     */
    if (currentState.explicitPolicy == 0)
        sel.setPolicy(getMatchingPolicies());

    /*
     * If previous cert has a subject key identifier extension,
     * use it to match on authority key identifier extension.
     */
    /*if (currentState.subjKeyId != null) {
      AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
            (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
            null, null);
    sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
    }*/

    /*
     * Require EE certs
     */
    sel.setBasicConstraints(-2);

    /* Retrieve matching certs from CertStores */
    HashSet<X509Certificate> eeCerts = new HashSet<>();
    addMatchingCerts(sel, certStores, eeCerts, true);

    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
                      + eeCerts.size() + " certs.");
    }
    return eeCerts;
}