java.security.cert.CertStoreException Java Examples

The following examples show how to use java.security.cert.CertStoreException. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: CertStoreHelper.java    From openjdk-jdk8u with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #2
Source File: MultiCertStoreSpi.java    From RipplePower with Apache License 2.0 6 votes vote down vote up
public Collection engineGetCertificates(CertSelector certSelector)
    throws CertStoreException
{
    boolean searchAllStores = params.getSearchAllStores();
    Iterator iter = params.getCertStores().iterator();
    List allCerts = searchAllStores ? new ArrayList() : Collections.EMPTY_LIST;

    while (iter.hasNext())
    {
        CertStore store = (CertStore)iter.next();
        Collection certs = store.getCertificates(certSelector);

        if (searchAllStores)
        {
            allCerts.addAll(certs);
        }
        else if (!certs.isEmpty())
        {
            return certs;
        }
    }

    return allCerts;
}
 
Example #3
Source File: PKIXCRLStoreSelector.java    From RipplePower with Apache License 2.0 6 votes vote down vote up
public static Collection<? extends CRL> getCRLs(final PKIXCRLStoreSelector selector, CertStore certStore)
    throws CertStoreException
{
    return certStore.getCRLs(new CRLSelector()
    {
        public boolean match(CRL crl)
        {
            return selector.match(crl);
        }

        public Object clone()
        {
            return this;
        }
    });
}
 
Example #4
Source File: CertStoreHelper.java    From jdk8u-jdk with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #5
Source File: ReverseBuilder.java    From jdk8u-dev-jdk with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ReverseState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts
    (State currState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    ReverseState currentState = (ReverseState) currState;

    if (debug != null)
        debug.println("In ReverseBuilder.getMatchingCerts.");

    /*
     * The last certificate could be an EE or a CA certificate
     * (we may be building a partial certification path or
     * establishing trust in a CA).
     *
     * Try the EE certs before the CA certs. It will be more
     * common to build a path to an end entity.
     */
    Collection<X509Certificate> certs =
        getMatchingEECerts(currentState, certStores);
    certs.addAll(getMatchingCACerts(currentState, certStores));

    return certs;
}
 
Example #6
Source File: CertStoreHelper.java    From dragonwell8_jdk with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #7
Source File: CertStoreHelper.java    From openjdk-8 with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #8
Source File: ReverseBuilder.java    From jdk8u60 with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ReverseState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts
    (State currState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    ReverseState currentState = (ReverseState) currState;

    if (debug != null)
        debug.println("In ReverseBuilder.getMatchingCerts.");

    /*
     * The last certificate could be an EE or a CA certificate
     * (we may be building a partial certification path or
     * establishing trust in a CA).
     *
     * Try the EE certs before the CA certs. It will be more
     * common to build a path to an end entity.
     */
    Collection<X509Certificate> certs =
        getMatchingEECerts(currentState, certStores);
    certs.addAll(getMatchingCACerts(currentState, certStores));

    return certs;
}
 
Example #9
Source File: CertPathPKIXTrustEvaluator.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Determine whether there are any CRL's in the {@link CertStore} that is to be used.
 * 
 * @param certStore the cert store that will be used for validation
 * @return true if the store contains at least 1 CRL instance, false otherwise
 */
protected boolean storeContainsCRLs(CertStore certStore) {
    Collection<? extends CRL> crls = null;
    try {
        //Save some cycles and memory: Collection cert store allows null as specifier to return all.
        //crls = certStore.getCRLs( new X509CRLSelector() );
        crls = certStore.getCRLs(null);
    } catch (CertStoreException e) {
        log.error("Error examining cert store for CRL's, treating as if no CRL's present", e);
        return false;
    }
    if (crls != null && !crls.isEmpty()) {
        return true;
    }
    return false;
}
 
Example #10
Source File: CertStoreHelper.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #11
Source File: SdsSslContextProvider.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
private void updateSslContext() {
  try {
    CertificateValidationContext localCertValidationContext = mergeStaticAndDynamicCertContexts();
    SslContextBuilder sslContextBuilder = getSslContextBuilder(localCertValidationContext);
    CommonTlsContext commonTlsContext = getCommonTlsContext();
    if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
      List<String> alpnList = commonTlsContext.getAlpnProtocolsList();
      ApplicationProtocolConfig apn = new ApplicationProtocolConfig(
          ApplicationProtocolConfig.Protocol.ALPN,
          ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
          ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
          alpnList);
      sslContextBuilder.applicationProtocolConfig(apn);
    }
    SslContext sslContextCopy = sslContextBuilder.build();
    sslContext = sslContextCopy;
    makePendingCallbacks(sslContextCopy);
  } catch (CertificateException | IOException | CertStoreException e) {
    logger.log(Level.SEVERE, "exception in updateSslContext", e);
  }
}
 
Example #12
Source File: PKIXCRLStoreSelector.java    From ripple-lib-java with ISC License 6 votes vote down vote up
public static Collection<? extends CRL> getCRLs(final PKIXCRLStoreSelector selector, CertStore certStore)
    throws CertStoreException
{
    return certStore.getCRLs(new CRLSelector()
    {
        public boolean match(CRL crl)
        {
            return selector.match(crl);
        }

        public Object clone()
        {
            return this;
        }
    });
}
 
Example #13
Source File: CertStoreHelper.java    From j2objc with Apache License 2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
        switch (type) {
//            case "LDAP":
            case "SSLServer":
                try {
                    CertStoreHelper csh = CertStoreHelper.getInstance(type);
                    return csh.isCausedByNetworkIssue(cse);
                } catch (NoSuchAlgorithmException nsae) {
                    return false;
                }
            case "URI":
                Throwable t = cse.getCause();
                return (t != null && t instanceof IOException);
            default:
                // we don't know about any other remote CertStore types
                return false;
        }
    }
 
Example #14
Source File: CertStoreHelper.java    From jdk8u_jdk with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #15
Source File: MultiCertStoreSpi.java    From RipplePower with Apache License 2.0 6 votes vote down vote up
public Collection engineGetCRLs(CRLSelector crlSelector)
    throws CertStoreException
{
    boolean searchAllStores = params.getSearchAllStores();
    Iterator iter = params.getCertStores().iterator();
    List allCRLs = searchAllStores ? new ArrayList() : Collections.EMPTY_LIST;
    
    while (iter.hasNext())
    {
        CertStore store = (CertStore)iter.next();
        Collection crls = store.getCRLs(crlSelector);

        if (searchAllStores)
        {
            allCRLs.addAll(crls);
        }
        else if (!crls.isEmpty())
        {
            return crls;
        }
    }

    return allCRLs;
}
 
Example #16
Source File: CertStoreHelper.java    From hottub with GNU General Public License v2.0 6 votes vote down vote up
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
    switch (type) {
        case "LDAP":
        case "SSLServer":
            try {
                CertStoreHelper csh = CertStoreHelper.getInstance(type);
                return csh.isCausedByNetworkIssue(cse);
            } catch (NoSuchAlgorithmException nsae) {
                return false;
            }
        case "URI":
            Throwable t = cse.getCause();
            return (t != null && t instanceof IOException);
        default:
            // we don't know about any other remote CertStore types
            return false;
    }
}
 
Example #17
Source File: MultiCertStoreSpi.java    From ripple-lib-java with ISC License 6 votes vote down vote up
public Collection engineGetCRLs(CRLSelector crlSelector)
    throws CertStoreException
{
    boolean searchAllStores = params.getSearchAllStores();
    Iterator iter = params.getCertStores().iterator();
    List allCRLs = searchAllStores ? new ArrayList() : Collections.EMPTY_LIST;
    
    while (iter.hasNext())
    {
        CertStore store = (CertStore)iter.next();
        Collection crls = store.getCRLs(crlSelector);

        if (searchAllStores)
        {
            allCRLs.addAll(crls);
        }
        else if (!crls.isEmpty())
        {
            return crls;
        }
    }

    return allCRLs;
}
 
Example #18
Source File: ReverseBuilder.java    From openjdk-8-source with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ReverseState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts
    (State currState, List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    ReverseState currentState = (ReverseState) currState;

    if (debug != null)
        debug.println("In ReverseBuilder.getMatchingCerts.");

    /*
     * The last certificate could be an EE or a CA certificate
     * (we may be building a partial certification path or
     * establishing trust in a CA).
     *
     * Try the EE certs before the CA certs. It will be more
     * common to build a path to an end entity.
     */
    Collection<X509Certificate> certs =
        getMatchingEECerts(currentState, certStores);
    certs.addAll(getMatchingCACerts(currentState, certStores));

    return certs;
}
 
Example #19
Source File: SecretVolumeServerSslContextProvider.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@VisibleForTesting
SslContext buildSslContextFromSecrets()
    throws IOException, CertificateException, CertStoreException {
  SslContextBuilder sslContextBuilder =
      GrpcSslContexts.forServer(
          new File(certificateChain), new File(privateKey), privateKeyPassword);
  setClientAuthValues(sslContextBuilder, certContext);
  return sslContextBuilder.build();
}
 
Example #20
Source File: SdsServerSslContextProvider.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@Override
SslContextBuilder getSslContextBuilder(
    CertificateValidationContext localCertValidationContext)
    throws CertificateException, IOException, CertStoreException {
  SslContextBuilder sslContextBuilder =
      GrpcSslContexts.forServer(
          tlsCertificate.getCertificateChain().getInlineBytes().newInput(),
          tlsCertificate.getPrivateKey().getInlineBytes().newInput(),
          tlsCertificate.hasPassword()
              ? tlsCertificate.getPassword().getInlineString()
              : null);
  setClientAuthValues(sslContextBuilder, localCertValidationContext);
  return sslContextBuilder;
}
 
Example #21
Source File: CertStoreExceptionTest.java    From j2objc with Apache License 2.0 5 votes vote down vote up
/**
 * Test for <code>CertStoreException(String)</code> constructor Assertion:
 * constructs CertStoreException when <code>msg</code> is null
 */
public void testCertStoreException03() {
    String msg = null;
    CertStoreException tE = new CertStoreException(msg);
    assertNull("getMessage() must return null.", tE.getMessage());
    assertNull("getCause() must return null", tE.getCause());
}
 
Example #22
Source File: MyCertStoreSpi.java    From j2objc with Apache License 2.0 5 votes vote down vote up
public Collection<Certificate> engineGetCertificates(CertSelector selector)
        throws CertStoreException {
    if (selector == null) {
        throw new CertStoreException("Parameter is null");
    }
    return null;
}
 
Example #23
Source File: ForwardBuilder.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
/**
 * Download Certificates from the given AIA and add them to the
 * specified Collection.
 */
// cs.getCertificates(caSelector) returns a collection of X509Certificate's
// because of the selector, so the cast is safe
@SuppressWarnings("unchecked")
private boolean getCerts(AuthorityInfoAccessExtension aiaExt,
                         Collection<X509Certificate> certs)
{
    if (Builder.USE_AIA == false) {
        return false;
    }
    List<AccessDescription> adList = aiaExt.getAccessDescriptions();
    if (adList == null || adList.isEmpty()) {
        return false;
    }

    boolean add = false;
    for (AccessDescription ad : adList) {
        CertStore cs = URICertStore.getInstance(ad);
        if (cs != null) {
            try {
                if (certs.addAll((Collection<X509Certificate>)
                    cs.getCertificates(caSelector))) {
                    add = true;
                    if (!searchAllCertStores) {
                        return true;
                    }
                }
            } catch (CertStoreException cse) {
                if (debug != null) {
                    debug.println("exception getting certs from CertStore:");
                    cse.printStackTrace();
                }
            }
        }
    }
    return add;
}
 
Example #24
Source File: ForwardBuilder.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ForwardState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts(State currentState,
                                             List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCerts()...");
    }

    ForwardState currState = (ForwardState) currentState;

    /*
     * We store certs in a Set because we don't want duplicates.
     * As each cert is added, it is sorted based on the PKIXCertComparator
     * algorithm.
     */
    Comparator<X509Certificate> comparator =
        new PKIXCertComparator(trustedSubjectDNs, currState.cert);
    Set<X509Certificate> certs = new TreeSet<>(comparator);

    /*
     * Only look for EE certs if search has just started.
     */
    if (currState.isInitial()) {
        getMatchingEECerts(currState, certStores, certs);
    }
    getMatchingCACerts(currState, certStores, certs);

    return certs;
}
 
Example #25
Source File: CertStoreExceptionTest.java    From j2objc with Apache License 2.0 5 votes vote down vote up
/**
 * Test for <code>CertStoreException(String, Throwable)</code> constructor
 * Assertion: constructs CertStoreException when <code>cause</code> is not
 * null <code>msg</code> is null
 */
public void testCertStoreException08() {
    CertStoreException tE = new CertStoreException(null, tCause);
    if (tE.getMessage() != null) {
        String toS = tCause.toString();
        String getM = tE.getMessage();
        assertTrue("getMessage() must should ".concat(toS), (getM
                .indexOf(toS) != -1));
    }
    assertNotNull("getCause() must not return null", tE.getCause());
    assertEquals("getCause() must return ".concat(tCause.toString()), tE
            .getCause(), tCause);
}
 
Example #26
Source File: SdsX509TrustManagerTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
@Test
public void checkServerTrustedSslEngine()
    throws CertificateException, IOException, CertStoreException {
  TestSslEngine sslEngine = buildTrustManagerAndGetSslEngine();
  X509Certificate[] serverCerts =
      CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
  trustManager.checkServerTrusted(serverCerts, "ECDHE_ECDSA", sslEngine);
  verify(sslEngine, times(1)).getHandshakeSession();
}
 
Example #27
Source File: ForwardBuilder.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Download Certificates from the given AIA and add them to the
 * specified Collection.
 */
// cs.getCertificates(caSelector) returns a collection of X509Certificate's
// because of the selector, so the cast is safe
@SuppressWarnings("unchecked")
private boolean getCerts(AuthorityInfoAccessExtension aiaExt,
                         Collection<X509Certificate> certs)
{
    if (Builder.USE_AIA == false) {
        return false;
    }
    List<AccessDescription> adList = aiaExt.getAccessDescriptions();
    if (adList == null || adList.isEmpty()) {
        return false;
    }

    boolean add = false;
    for (AccessDescription ad : adList) {
        CertStore cs = URICertStore.getInstance(ad);
        if (cs != null) {
            try {
                if (certs.addAll((Collection<X509Certificate>)
                    cs.getCertificates(caSelector))) {
                    add = true;
                    if (!searchAllCertStores) {
                        return true;
                    }
                }
            } catch (CertStoreException cse) {
                if (debug != null) {
                    debug.println("exception getting certs from CertStore:");
                    cse.printStackTrace();
                }
            }
        }
    }
    return add;
}
 
Example #28
Source File: ForwardBuilder.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ForwardState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts(State currentState,
                                             List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCerts()...");
    }

    ForwardState currState = (ForwardState) currentState;

    /*
     * We store certs in a Set because we don't want duplicates.
     * As each cert is added, it is sorted based on the PKIXCertComparator
     * algorithm.
     */
    Comparator<X509Certificate> comparator =
        new PKIXCertComparator(trustedSubjectDNs, currState.cert);
    Set<X509Certificate> certs = new TreeSet<>(comparator);

    /*
     * Only look for EE certs if search has just started.
     */
    if (currState.isInitial()) {
        getMatchingEECerts(currState, certStores, certs);
    }
    getMatchingCACerts(currState, certStores, certs);

    return certs;
}
 
Example #29
Source File: ForwardBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ForwardState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts(State currentState,
                                             List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCerts()...");
    }

    ForwardState currState = (ForwardState) currentState;

    /*
     * We store certs in a Set because we don't want duplicates.
     * As each cert is added, it is sorted based on the PKIXCertComparator
     * algorithm.
     */
    Set<X509Certificate> certs = new TreeSet<>(comparator);

    /*
     * Only look for EE certs if search has just started.
     */
    if (currState.isInitial()) {
        getMatchingEECerts(currState, certStores, certs);
    }
    getMatchingCACerts(currState, certStores, certs);

    return certs;
}
 
Example #30
Source File: ForwardBuilder.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Retrieves all certs from the specified CertStores that satisfy the
 * requirements specified in the parameters and the current
 * PKIX state (name constraints, policy constraints, etc).
 *
 * @param currentState the current state.
 *        Must be an instance of <code>ForwardState</code>
 * @param certStores list of CertStores
 */
@Override
Collection<X509Certificate> getMatchingCerts(State currentState,
                                             List<CertStore> certStores)
    throws CertStoreException, CertificateException, IOException
{
    if (debug != null) {
        debug.println("ForwardBuilder.getMatchingCerts()...");
    }

    ForwardState currState = (ForwardState) currentState;

    /*
     * We store certs in a Set because we don't want duplicates.
     * As each cert is added, it is sorted based on the PKIXCertComparator
     * algorithm.
     */
    Comparator<X509Certificate> comparator =
        new PKIXCertComparator(trustedSubjectDNs, currState.cert);
    Set<X509Certificate> certs = new TreeSet<>(comparator);

    /*
     * Only look for EE certs if search has just started.
     */
    if (currState.isInitial()) {
        getMatchingEECerts(currState, certStores, certs);
    }
    getMatchingCACerts(currState, certStores, certs);

    return certs;
}