Java Code Examples for java.security.cert.X509Certificate

private void validateX5c(TPMAttestationStatement attestationStatement, TPMSAttest certInfo, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
    X509Certificate aikCert = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();

    /// Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
    String jcaName = getJcaName(attestationStatement.getAlg());
    Signature certInfoSignature = SignatureUtil.createSignature(jcaName);
    try {
        certInfoSignature.initVerify(aikCert.getPublicKey());
        certInfoSignature.update(certInfo.getBytes());
        if (!certInfoSignature.verify(attestationStatement.getSig())) {
            throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
        }
    } catch (SignatureException | InvalidKeyException e) {
        throw new BadAttestationStatementException("Failed to validate the signature.", e);
    }

    /// Verify that aikCert meets the requirements in §8.3.1 TPM Attestation Statement Certificate Requirements.
    validateAikCert(aikCert);

    /// If aikCert contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
    byte[] aaguidBytes = aikCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
    if (aaguidBytes != null && !Objects.equals(new AAGUID(aaguidBytes), authenticatorData.getAttestedCredentialData().getAaguid())) {
        throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
    }
}
 

protected D obtainCompleteness(X509Certificate certificate, PrivateKey privateKey, C consultRequest) throws TechnicalConnectorException {
   if (certificate != null && privateKey != null) {
      GenericRequest request = ServiceFactory.getTSConsultService(certificate, privateKey);
      request.setPayload(consultRequest);

      try {
         return be.ehealth.technicalconnector.ws.ServiceFactory.getGenericWsSender().send(request).asObject(this.clazzD);
      } catch (SOAPException var6) {
         throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, new Object[]{var6.getMessage(), var6});
      }
   } else {
      TechnicalConnectorExceptionValues errorValue = TechnicalConnectorExceptionValues.SECURITY_NO_CERTIFICATE;
      LOG.debug("\t## " + errorValue.getMessage());
      throw new TechnicalConnectorException(errorValue, (Throwable)null, new Object[0]);
   }
}
 

@Test
public void testAddFingerPrintFailedToWrite() throws CertificateException, IOException {

    Path notWritable = Paths.get(tmpDir.getRoot().getPath(), "notWritable");

    Files.createFile(notWritable);
    Files.setPosixFilePermissions(notWritable, PosixFilePermissions.fromString("r--------"));

    trustManager = new TrustOnFirstUseManager(notWritable);

    X509Certificate certificate = mock(X509Certificate.class);
    when(certificate.getEncoded()).thenReturn("certificate".getBytes(UTF_8));
    X500Principal cn = new X500Principal("CN=localhost");
    when(certificate.getSubjectX500Principal()).thenReturn(cn);

    try {
        trustManager.checkServerTrusted(new X509Certificate[]{certificate}, "s");
        trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "s");

        failBecauseExceptionWasNotThrown(CertificateException.class);
    } catch (Exception ex) {
        assertThat(ex).isInstanceOf(CertificateException.class);
    }
}
 

private EncryptionToken getEtkBasedOnX509(X509Certificate cert) throws TechnicalConnectorException {
   CertificateParser parser = new CertificateParser(cert);
   IdentifierType identifierType = parser.getIdentifier();
   String identifierValue = parser.getId();
   String application = parser.getApplication();
   if (identifierType != null && !StringUtils.isEmpty(identifierValue) && StringUtils.isNumeric(identifierValue)) {
      try {
         return this.getEtk(identifierType, Long.parseLong(identifierValue), application);
      } catch (NumberFormatException var7) {
         LOG.error(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND.getMessage());
         throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, var7, new Object[0]);
      }
   } else {
      LOG.error(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND.getMessage());
      throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_ETK_NOTFOUND, new Object[0]);
   }
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
 

public String sendCertificateSecured(String url, String payload, X509Certificate certificate, PrivateKey privateKey, String soapAction) throws TechnicalConnectorException {
   GenericRequest request = new GenericRequest();
   request.setPayload(payload);
   request.setEndpoint(url);
   if (soapAction != null && soapAction.isEmpty()) {
      request.setSoapAction(soapAction);
   }

   request.setHandlerChain((new HandlerChain()).register(HandlerPosition.SECURITY, new CertificateCallback(certificate, privateKey)).register(HandlerPosition.SECURITY, new SoapActionHandler()));
   request.setDefaultHandlerChain();

   try {
      return this.send(request).asString();
   } catch (SOAPException var8) {
      throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, var8, new Object[]{var8.getMessage()});
   }
}
 

public CertPath engineGenerateCertPath(
    List certificates)
    throws CertificateException
{
    Iterator iter = certificates.iterator();
    Object obj;
    while (iter.hasNext())
    {
        obj = iter.next();
        if (obj != null)
        {
            if (!(obj instanceof X509Certificate))
            {
                throw new CertificateException("list contains non X509Certificate object while creating CertPath\n" + obj.toString());
            }
        }
    }
    return new PKIXCertPath(certificates);
}
 

@Test
public void testCertificateNotValidForRecognisedAddress() throws CertificateException, IOException {
    testAddThumbPrintToKnownHostsList();

    when(certificate.getEncoded()).thenReturn("ADifferentCertificate".getBytes(UTF_8));
    X500Principal cn = new X500Principal("CN=localhost");
    when(certificate.getSubjectX500Principal()).thenReturn(cn);

    try {
        trustManager.checkServerTrusted(new X509Certificate[]{certificate}, "str");
        failBecauseExceptionWasNotThrown(IOException.class);
    } catch (Exception ex) {
        assertThat(ex)
            .isInstanceOf(CertificateException.class)
            .hasMessageContaining("This address has been associated with a different certificate");
    }

    verify(certificate, times(3)).getEncoded();
    verify(certificate, times(3)).getSubjectX500Principal();

}
 

/**
 * Returns the X.509 certificate listed in this PKCS7 block
 * which has a matching serial number and Issuer name, or
 * null if one is not found.
 *
 * @param serial the serial number of the certificate to retrieve.
 * @param issuerName the Distinguished Name of the Issuer.
 */
public X509Certificate getCertificate(BigInteger serial, X500Name issuerName) {
    if (certificates != null) {
        if (certIssuerNames == null)
            populateCertIssuerNames();
        for (int i = 0; i < certificates.length; i++) {
            X509Certificate cert = certificates[i];
            BigInteger thisSerial = cert.getSerialNumber();
            if (serial.equals(thisSerial)
                && issuerName.equals(certIssuerNames[i]))
            {
                return cert;
            }
        }
    }
    return null;
}
 

public static Optional<X509Certificate> readCertificateFile(Path root, AthenzIdentity service) {
    try {
        Path certificateFile = getCertificateFile(root, service);
        if (Files.notExists(certificateFile)) return Optional.empty();
        return Optional.of(X509CertificateUtils.fromPem(new String(Files.readAllBytes(certificateFile))));
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
 

/**
 * Generates a PKCS #7 signed data message that includes a signature
 * timestamp.
 * This method is used when a signature has already been generated.
 * The signature, a signature timestamp, the signer's certificate chain,
 * and optionally the content that was signed, are packaged into a PKCS #7
 * signed data message.
 *
 * @param params The non-null input parameters.
 * @param omitContent true if the content should be omitted from the
 *        signed data message. Otherwise the content is included.
 * @param applyTimestamp true if the signature should be timestamped.
 *        Otherwise timestamping is not performed.
 * @return A PKCS #7 signed data message including a signature timestamp.
 * @throws NoSuchAlgorithmException The exception is thrown if the signature
 *         algorithm is unrecognised.
 * @throws CertificateException The exception is thrown if an error occurs
 *         while processing the signer's certificate or the TSA's
 *         certificate.
 * @throws IOException The exception is thrown if an error occurs while
 *         generating the signature timestamp or while generating the signed
 *         data message.
 * @throws NullPointerException The exception is thrown if parameters is
 *         null.
 */
public byte[] generateSignedData(ContentSignerParameters params,
    boolean omitContent, boolean applyTimestamp)
        throws NoSuchAlgorithmException, CertificateException, IOException {

    if (params == null) {
        throw new NullPointerException();
    }

    // Parse the signature algorithm to extract the digest
    // algorithm. The expected format is:
    //     "<digest>with<encryption>"
    // or  "<digest>with<encryption>and<mgf>"
    String signatureAlgorithm = params.getSignatureAlgorithm();

    X509Certificate[] signerChain = params.getSignerCertificateChain();
    byte[] signature = params.getSignature();

    // Include or exclude content
    byte[] content = (omitContent == true) ? null : params.getContent();

    URI tsaURI = null;
    if (applyTimestamp) {
        tsaURI = params.getTimestampingAuthority();
        if (tsaURI == null) {
            // Examine TSA cert
            tsaURI = getTimestampingURI(
                params.getTimestampingAuthorityCertificate());
            if (tsaURI == null) {
                throw new CertificateException(
                    "Subject Information Access extension not found");
            }
        }
    }
    return PKCS7.generateSignedData(signature, signerChain, content,
                                    params.getSignatureAlgorithm(), tsaURI,
                                    params.getTSAPolicyID(),
                                    params.getTSADigestAlg());
}
 

/**
 * Constructor XMLX509IssuerSerial
 *
 * @param doc
 * @param x509certificate
 */
public XMLX509IssuerSerial(Document doc, X509Certificate x509certificate) {
    this(
        doc,
        x509certificate.getIssuerX500Principal().getName(),
        x509certificate.getSerialNumber()
    );
}
 

static Date getIssueDate() throws Exception {
    KeyStore ks = KeyStore.getInstance("jks");
    try (FileInputStream fis = new FileInputStream("jks")) {
        ks.load(fis, "changeit".toCharArray());
    }
    X509Certificate cert = (X509Certificate)ks.getCertificate("me");
    return cert.getNotBefore();
}
 

@Override
public void check(Certificate cert,
                  Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {
    X509Certificate currCert = (X509Certificate)cert;
    // check that this is an EE cert
    if (currCert.getBasicConstraints() == -1) {
        if (unresolvedCritExts != null &&
                !unresolvedCritExts.isEmpty()) {
            unresolvedCritExts.remove("1.2.3.4");
        }
    }
}
 

private static byte[] getDigest(X509Certificate cert, String algorithm) {
    try {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return md.digest(cert.getEncoded());
    } catch (GeneralSecurityException e) {
        throw new ProviderException(e);
    }
}
 

/**
 * Retrieves a x509Certificate from the given information
 * @param e
 * @param baseURI
 * @param storage
 * @return
 * @throws KeyResolverException
 */
private static X509Certificate resolveCertificate(
    Element e, String baseURI, StorageResolver storage
) throws KeyResolverException {
    if (log.isLoggable(java.util.logging.Level.FINE)) {
        log.log(java.util.logging.Level.FINE, "Now we have a {" + e.getNamespaceURI() + "}"
            + e.getLocalName() + " Element");
    }
    // An element has been provided
    if (e != null) {
        return KeyResolver.getX509Certificate(e, baseURI, storage);
    }
    return null;
}
 

/**
 * Returns CRLs described in a X509Certificate's CRLDistributionPoints
 * Extension. Only those containing a general name of type URI are read.
 */
public static List<CRL> readCRLsFromCert(X509Certificate cert)
        throws Exception {
    List<CRL> crls = new ArrayList<>();
    CRLDistributionPointsExtension ext =
            X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
    if (ext == null) return crls;
    List<DistributionPoint> distPoints =
            ext.get(CRLDistributionPointsExtension.POINTS);
    for (DistributionPoint o: distPoints) {
        GeneralNames names = o.getFullName();
        if (names != null) {
            for (GeneralName name: names.names()) {
                if (name.getType() == GeneralNameInterface.NAME_URI) {
                    URIName uriName = (URIName)name.getName();
                    for (CRL crl: loadCRLs(uriName.getName())) {
                        if (crl instanceof X509CRL) {
                            crls.add((X509CRL)crl);
                        }
                    }
                    break;  // Different name should point to same CRL
                }
            }
        }
    }
    return crls;
}
 

private PrivateKey resolveX509SubjectName(XMLX509SubjectName x509SubjectName) throws KeyStoreException {
    log.log(java.util.logging.Level.FINE, "Can I resolve X509SubjectName?");

    Enumeration<String> aliases = keyStore.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        if (keyStore.isKeyEntry(alias)) {

            Certificate cert = keyStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                XMLX509SubjectName certSN =
                    new XMLX509SubjectName(x509SubjectName.getDocument(), (X509Certificate) cert);

                if (certSN.equals(x509SubjectName)) {
                    log.log(java.util.logging.Level.FINE, "match !!! ");

                    try {
                        Key key = keyStore.getKey(alias, password);
                        if (key instanceof PrivateKey) {
                            return (PrivateKey) key;
                        }
                    } catch (Exception e) {
                        log.log(java.util.logging.Level.FINE, "Cannot recover the key", e);
                        // Keep searching
                    }
                }
            }
        }
    }

    return null;
}
 

public boolean contains(List<? extends X509Certificate> key) {
   synchronized(map) {
     EntryWithAge entry = map.get(key);
     if ((entry != null)
         && (timeSource.currentTimeMillis() < entry.expireMillis)) {
       return true;
     }
     return false;
   }
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * @param args {cacerts keystore, cert chain}
 */
public static void main(String[] args) throws Exception {

    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(args[0]), "changeit".toCharArray());
    Validator v = Validator.getInstance
        (Validator.TYPE_PKIX, Validator.VAR_GENERIC, ks);
    X509Certificate[] chain = createPath(args[1]);
    System.out.println("Chain: ");
    for (X509Certificate c: v.validate(chain)) {
        System.out.println("   " + c.getSubjectX500Principal() +
                " issued by " + c.getIssuerX500Principal());
    }
}
 

/**
 * Method engineResolvePublicKey
 *
 * @param element
 * @param BaseURI
 * @param storage
 * @return null if no {@link PublicKey} could be obtained
 * @throws KeyResolverException
 */
public PublicKey engineLookupAndResolvePublicKey(
    Element element, String baseURI, StorageResolver storage
) throws KeyResolverException {

    X509Certificate cert =
        this.engineLookupResolveX509Certificate(element, baseURI, storage);

    if (cert != null) {
        return cert.getPublicKey();
    }

    return null;
}
 

/**
 * Read certificates from a file.
 *
 * @param filename file name under resources directory
 * @return an array of X509Certificate
 * @throws Throwable raise if any error occurs
 */
private List<X509Certificate> getX509CertificatesFromFile(String filename) throws Throwable
{
  CertificateFactory fact = CertificateFactory.getInstance("X.509");
  List<X509Certificate> certList = new ArrayList<>();
  for (Certificate cert : fact.generateCertificates(getFile(filename)))
  {
    certList.add((X509Certificate) cert);
  }
  return certList;
}
 

/**
 * Method getSKIBytesFromCert
 *
 * @param cert
 * @return ski bytes from the given certificate
 *
 * @throws XMLSecurityException
 * @see java.security.cert.X509Extension#getExtensionValue(java.lang.String)
 */
public static byte[] getSKIBytesFromCert(X509Certificate cert)
    throws XMLSecurityException {

    if (cert.getVersion() < 3) {
        Object exArgs[] = { Integer.valueOf(cert.getVersion()) };
        throw new XMLSecurityException("certificate.noSki.lowVersion", exArgs);
    }

    /*
     * Gets the DER-encoded OCTET string for the extension value
     * (extnValue) identified by the passed-in oid String. The oid
     * string is represented by a set of positive whole numbers
     * separated by periods.
     */
    byte[] extensionValue = cert.getExtensionValue(XMLX509SKI.SKI_OID);
    if (extensionValue == null) {
        throw new XMLSecurityException("certificate.noSki.null");
    }

    /**
     * Strip away first four bytes from the extensionValue
     * The first two bytes are the tag and length of the extensionValue
     * OCTET STRING, and the next two bytes are the tag and length of
     * the ski OCTET STRING.
     */
    byte skidValue[] = new byte[extensionValue.length - 4];

    System.arraycopy(extensionValue, 4, skidValue, 0, skidValue.length);

    if (log.isLoggable(java.util.logging.Level.FINE)) {
        log.log(java.util.logging.Level.FINE, "Base64 of SKI is " + Base64.encode(skidValue));
    }

    return skidValue;
}
 

private VaultResponseData generateKeyPair(Date startDate, long valid) throws Exception {
    CertAndKeyGen certGen = new CertAndKeyGen("RSA", "SHA256WithRSA");
    certGen.generate(2048);

    X500Name x500Name = new X500Name("CN=Test");
    X509Certificate cert = certGen.getSelfCertificate(x500Name, startDate, valid);


    byte[] encodedPrivateKey = certGen.getPrivateKey().getEncoded();
    byte[] encodedPublicKey = cert.getEncoded();

    String privateKeySb = "-----BEGIN PRIVATE KEY-----\n" +
            Base64.getMimeEncoder().encodeToString(encodedPrivateKey) +
            "\n-----END PRIVATE KEY-----";
    String publicKey = "-----BEGIN PUBLIC KEY-----\n" +
            Base64.getMimeEncoder().encodeToString(encodedPublicKey) +
            "\n-----END PUBLIC KEY-----";

    privateKeySb = privateKeySb.replaceAll("\\n", "\\\\n");
    privateKeySb = privateKeySb.replaceAll("\\r", "");

    publicKey = publicKey.replaceAll("\\n", "\\\\n");
    publicKey = publicKey.replaceAll("\\r", "");

    VaultResponseData vaultResponseData = new VaultResponseData();
    vaultResponseData.setPrivate_key(privateKeySb);
    vaultResponseData.setCertificate(publicKey);
    return vaultResponseData;
}
 

/**
 * Constructor XMLX509Certificate
 *
 * @param doc
 * @param x509certificate
 * @throws XMLSecurityException
 */
public XMLX509Certificate(Document doc, X509Certificate x509certificate)
    throws XMLSecurityException {
    super(doc);

    try {
        this.addBase64Text(x509certificate.getEncoded());
    } catch (java.security.cert.CertificateEncodingException ex) {
        throw new XMLSecurityException("empty", ex);
    }
}
 

public static X509Certificate generateX509FromInputStream(InputStream instr) {
    try {
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509", "BCFIPS");
        return (X509Certificate) certFactory.generateCertificate(instr);
    } catch (CertificateException | NoSuchProviderException ex) {
        logp(Level.SEVERE, classname, "generateX509FromBytes", "CRYPTO-MSG-1000", printStackTrace(ex));
    }
    return null;
}
 

@Override
public QualifyingProperty verify(
        CompleteCertificateRefsData propData,
        QualifyingPropertyVerificationContext ctx) throws InvalidPropertyException
{
    List<X509Certificate> caCerts = ctx.getCertChainData().getCertificateChain();
    caCerts = caCerts.subList(1, caCerts.size());
    Collection<CertRef> caCertRefs = propData.getCertRefs();

    // "Check that there are no references to certificates out of those that
    // are part of the certification path."

    for (X509Certificate caCert : caCerts)
    {
        CertRef caRef = CertRefUtils.findCertRef(caCert, caCertRefs, this.dnComparer);
        if (null == caRef)
            throw new CompleteCertRefsCertNotFoundException(caCert);
        try
        {
            CertRefUtils.checkCertRef(caRef, caCert, messageDigestProvider);
        } catch (CertRefUtils.InvalidCertRefException ex)
        {
            throw new CompleteCertRefsReferenceException(caCert, caRef, ex.getMessage());
        }
    }

    return new CompleteCertificateRefsProperty(Collections.unmodifiableList(caCerts));
}
 

public List<X509Certificate> certificates()
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException {
  final List<X509Certificate> results = Lists.newArrayList();

  final KeyStore p12 = loadP12KeyStore(pkcs12File, password);
  final Enumeration<String> aliases = p12.aliases();
  while (aliases.hasMoreElements()) {
    results.add((X509Certificate) p12.getCertificate(aliases.nextElement()));
  }
  return results;
}