java.security.cert.CertPathBuilder Java Examples

private TrustManagerFactory createTrustManagerFactory(@Nullable final String trustedCertificates)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates != null) {
        final KeyStore keystore = keyStoreFactory.newKeystore();
        final Collection<? extends Certificate> caCerts;
        final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
        caCerts = X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
        long cnt = 0;
        for (final Certificate caCert : caCerts) {
            keystore.setCertificateEntry("ca-" + cnt++, caCert);
        }
        trustManagerFactory.init(keystore);
    } else {
        // standard CAs; add revocation check
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
    }
    return trustManagerFactory;
}
 

/**
 * Initializes a new instance that uses the specified JCE providers for CertPathBuilder
 * and Signature.
 * @param trustAnchors the keystore with the trust-anchors ({@code TrustedCertificateEntry})
 * @param revocationEnabled whether revocation is enabled
 * @param maxPathLength the maximum length of the certification paths
 * @param certPathBuilderProvider the CertPathBuilder provider
 * @param signatureProvider the Signature provider
 * @param intermCertsAndCrls a set of {@code CertStore}s that contain certificates to be
 *      used in the construction of the certification path. May contain CRLs to be used
 *      if revocation is enabled
 * @see xades4j.utils.FileSystemDirectoryCertStore
 * @throws NoSuchAlgorithmException if there is no provider for PKIX CertPathBuilder
 */
public PKIXCertificateValidationProvider(
        KeyStore trustAnchors,
        boolean revocationEnabled,
        int maxPathLength,
        String certPathBuilderProvider,
        String signatureProvider,
        CertStore... intermCertsAndCrls) throws NoSuchAlgorithmException, NoSuchProviderException
{
    if (null == trustAnchors)
    {
        throw new NullPointerException("Trust anchors cannot be null");
    }

    this.trustAnchors = trustAnchors;
    this.revocationEnabled = revocationEnabled;
    this.maxPathLength = maxPathLength;
    this.certPathBuilder = certPathBuilderProvider == null ? CertPathBuilder.getInstance("PKIX") : CertPathBuilder.getInstance("PKIX", certPathBuilderProvider);
    this.signatureProvider = signatureProvider;
    this.intermCertsAndCrls = intermCertsAndCrls;
}
 

private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection",
                                                    new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        pbParams.setRevocationEnabled(enableRevocation);
        CertPath certPath = buildResult.getCertPath();
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void validateTrustChain(X509Certificate certificate,
                                      List<X509Certificate> chain,
                                      Set<X509Certificate> trustedCertificates,
                                      Set<X509Certificate> authorityCertificates) throws UaException {

    boolean certificateTrusted = trustedCertificates.stream()
            .anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));

    if (certificateTrusted) return;

    try {
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        authorityCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        params.setRevocationEnabled(false);

        CertStore intermediateCertStore =
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain));

        params.addCertStore(intermediateCertStore);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
    } catch (Throwable t) {
        throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
    }
}
 

/**
 * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
 * other validation methods.
 *
 * The first certificate in the chain is expected to be the end-entity certificate.
 *
 * The last certificate in the chain is expected to be the root CA certificate.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain( X509Certificate[] chain ) throws Exception
{
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate( chain[0] );

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    trustAnchors.add(new TrustAnchor(chain[ chain.length - 1], null));

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
            trustAnchors, selector);

    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i=1; i<chain.length -1; i++)
    {
        intermediateCerts.add( chain[ i ] );
    }

    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder
            .build(pkixParams);

    return result;
}
 

/**
 * Attempts to build a certification chain for given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts)
		throws GeneralSecurityException {

	// Create the selector that specifies the starting certificate
	X509CertSelector selector = new X509CertSelector();
	selector.setBasicConstraints(-2);
	selector.setCertificate(certificate);

	// Create the trust anchors (set of root CA certificates)
	Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
	for (X509Certificate trustedRootCert : trustedRootCerts) {
		trustAnchors.add(new TrustAnchor(trustedRootCert, null));
	}

	// Configure the PKIX certificate builder algorithm parameters
	PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

	// Turn off default revocation-checking mechanism
	pkixParams.setRevocationEnabled(false);

	// Specify a list of intermediate certificates
	CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
	pkixParams.addCertStore(intermediateCertStore);

	// Build and verify the certification chain
	CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

	// Additional check to Verify cert path
	CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);

	return certPathBuilderResult;
}
 

/**
 * Based on https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
 *
 * @param cert
 * @throws CertificateException
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathBuilderException
 */
public void verifyCertificate(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException,
        NoSuchProviderException, InvalidAlgorithmParameterException, CertPathBuilderException {
    // Prepare a set of trusted root CA certificates
    // and a set of intermediate certificates
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(cert);

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    builder.build(pkixParams);
    // Attempt to build the certification chain and verify it

    // Check whether the certificate is revoked by the CRL
    // given in its CRL distribution point extension
    // CRLVerifier.verifyCertificateCRLs(cert);

    // The chain is verified.
}
 

/**
 * Validate certificate path. As it is exception, no checks against revocation or time validity are done but path
 * still have to be validated in order to find connection between certificate presented by server and root CA in
 * KeyStore
 * 
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {

    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as it exceptions list
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // no checks against revocation as it is exception
    parameters.setRevocationEnabled(false);

    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
            .validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    } else {
        Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
    }

}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(final X509Certificate[] x509Certificates,
                                                               final Set<TrustAnchor> trustAnchors,
                                                               final Set<Certificate> otherCerts)
        throws GeneralSecurityException
{
    Set<Certificate> storeCerts = new HashSet<>();
    storeCerts.addAll(otherCerts);

    Iterator<X509Certificate> iterator = Arrays.asList(x509Certificates).iterator();

    if (!iterator.hasNext())
    {
        throw new IllegalArgumentException("Peer certificate not found");
    }

    final X509Certificate peerCertificate = iterator.next();
    while (iterator.hasNext())
    {
        X509Certificate intermediate = iterator.next();
        storeCerts.add(intermediate);
    }


    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(peerCertificate);
    // IBM JDK seems to require that the peer's certficate exists in the Collection too
    storeCerts.add(peerCertificate);

    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParams.setRevocationEnabled(false);

    CertStore intermediateCertStore = CertStore.getInstance("Collection",
                                                            new CollectionCertStoreParameters(storeCerts));
    pkixParams.addCertStore(intermediateCertStore);

    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }