private void validateNoCache(List<? extends X509Certificate> certs) throws SignatureException { try { CertPathValidator validator = CertPathValidator.getInstance( VALIDATOR_TYPE); PKIXParameters params = new PKIXParameters(trustRoots); params.addCertPathChecker(WAVE_OID_CHECKER); params.setDate(timeSource.now()); // turn off default revocation-checking mechanism params.setRevocationEnabled(false); // TODO: add a way for clients to add certificate revocation checks, // perhaps by letting them pass in PKIXCertPathCheckers. This can also be // useful to check for Wave-specific certificate extensions. CertificateFactory certFactory = CertificateFactory.getInstance( CERTIFICATE_TYPE); CertPath certPath = certFactory.generateCertPath(certs); validator.validate(certPath, params); } catch (GeneralSecurityException e) { throw new SignatureException("Certificate validation failure", e); } }
public CertPathReviewerException( ErrorBundle errorMessage, Throwable throwable, CertPath certPath, int index) { super(errorMessage, throwable); if (certPath == null || index == -1) { throw new IllegalArgumentException(); } if (index < -1 || (certPath != null && index >= certPath.getCertificates().size())) { throw new IndexOutOfBoundsException(); } this.certPath = certPath; this.index = index; }
public CertPathReviewerException( ErrorBundle errorMessage, CertPath certPath, int index) { super(errorMessage); if (certPath == null || index == -1) { throw new IllegalArgumentException(); } if (index < -1 || (certPath != null && index >= certPath.getCertificates().size())) { throw new IndexOutOfBoundsException(); } this.certPath = certPath; this.index = index; }
protected static void processCertF( CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy) throws CertPathValidatorException { // // (f) // if (explicitPolicy <= 0 && validPolicyTree == null) { throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath, index); } }
protected static int prepareNextCertL( CertPath certPath, int index, int maxPathLength) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (l) // if (!CertPathValidatorUtilities.isSelfIssued(cert)) { if (maxPathLength <= 0) { throw new ExtCertPathValidatorException("Max path length not greater than zero", null, certPath, index); } return maxPathLength - 1; } return maxPathLength; }
protected static void prepareNextCertN( CertPath certPath, int index) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (n) // boolean[] _usage = cert.getKeyUsage(); if ((_usage != null) && !_usage[RFC3280CertPathUtilities.KEY_CERT_SIGN]) { throw new ExtCertPathValidatorException( "Issuer certificate keyusage extension is critical and does not permit key signing.", null, certPath, index); } }
protected static int prepareNextCertH1( CertPath certPath, int index, int explicitPolicy) { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (h) // if (!CertPathValidatorUtilities.isSelfIssued(cert)) { // // (1) // if (explicitPolicy != 0) { return explicitPolicy - 1; } } return explicitPolicy; }
protected static int prepareNextCertH2( CertPath certPath, int index, int policyMapping) { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (h) // if (!CertPathValidatorUtilities.isSelfIssued(cert)) { // // (2) // if (policyMapping != 0) { return policyMapping - 1; } } return policyMapping; }
protected static int prepareNextCertH3( CertPath certPath, int index, int inhibitAnyPolicy) { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (h) // if (!CertPathValidatorUtilities.isSelfIssued(cert)) { // // (3) // if (inhibitAnyPolicy != 0) { return inhibitAnyPolicy - 1; } } return inhibitAnyPolicy; }
public CertPath engineGenerateCertPath( List certificates) throws CertificateException { Iterator iter = certificates.iterator(); Object obj; while (iter.hasNext()) { obj = iter.next(); if (obj != null) { if (!(obj instanceof X509Certificate)) { throw new CertificateException("list contains non X509Certificate object while creating CertPath\n" + obj.toString()); } } } return new PKIXCertPath(certificates); }
private Certificate[] tryParsePKIPathChain(File chainFile) throws IOException, FileNotFoundException, CertificateException { Certificate[] internalCertificateChain = null; CertificateFactory cf = CertificateFactory.getInstance("X.509"); try (FileInputStream inputStream = new FileInputStream(chainFile)) { CertPath certPath = cf.generateCertPath(inputStream); List<? extends Certificate> certList = certPath.getCertificates(); internalCertificateChain = certList.toArray(new Certificate[]{}); } catch (CertificateException e){ LOG.info("Tried and failed to parse file as a PKI :" + chainFile.getName(), e); } return internalCertificateChain; }
public static void main(String[] args) throws Exception { // Make the CertPath whose encoded form has already been stored CertificateFactory certFac = CertificateFactory.getInstance("X509"); final List<Certificate> certs = new ArrayList<>(); certs.add(certFac.generateCertificate(new ByteArrayInputStream(cert1.getBytes()))); certs.add(certFac.generateCertificate(new ByteArrayInputStream(cert2.getBytes()))); CertPath cp = certFac.generateCertPath(certs); // Get the encoded form of the CertPath we made byte[] encoded = cp.getEncoded("PKCS7"); // check if it matches the encoded value if (!Arrays.equals(encoded, Base64.getMimeDecoder().decode(pkcs7path.getBytes()))) { throw new RuntimeException("PKCS#7 encoding doesn't match stored value"); } // Generate a CertPath from the encoded value and check if it equals // the CertPath generated from the certificates CertPath decodedCP = certFac.generateCertPath(new ByteArrayInputStream(encoded), "PKCS7"); if (!decodedCP.equals(cp)) { throw new RuntimeException("CertPath decoded from PKCS#7 isn't equal to original"); } }
/** * Creates a {@code JarSigner.Builder} object with a private key and * a certification path. * * @param privateKey the private key of the signer. * @param certPath the certification path of the signer. * @throws IllegalArgumentException if {@code certPath} is empty, or * the {@code privateKey} algorithm does not match the algorithm * of the {@code PublicKey} in the end entity certificate * (the first certificate in {@code certPath}). */ public Builder(PrivateKey privateKey, CertPath certPath) { List<? extends Certificate> certs = certPath.getCertificates(); if (certs.isEmpty()) { throw new IllegalArgumentException("certPath cannot be empty"); } if (!privateKey.getAlgorithm().equals (certs.get(0).getPublicKey().getAlgorithm())) { throw new IllegalArgumentException ("private key algorithm does not match " + "algorithm of public key in end entity " + "certificate (the 1st in certPath)"); } this.privateKey = privateKey; try { this.certChain = certs.toArray(new X509Certificate[certs.size()]); } catch (ArrayStoreException ase) { // Wrong type, not X509Certificate. throw new IllegalArgumentException( "Entry does not contain X509Certificate"); } }
private static void runTest(CertificateFactory cf, List<X509Certificate> certList, TrustAnchor anchor) throws Exception { CertPath path = cf.generateCertPath(certList); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); System.out.println(anchor); // Attach the OCSP responses to a PKIXParameters object PKIXRevocationChecker pkrev = (PKIXRevocationChecker)validator.getRevocationChecker(); Map<X509Certificate, byte[]> responseMap = new HashMap<>(); responseMap.put(certList.get(0), DECODER.decode(EE_OCSP_RESP)); responseMap.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP)); pkrev.setOcspResponses(responseMap); PKIXParameters params = new PKIXParameters(Collections.singleton(anchor)); params.addCertPathChecker(pkrev); params.setDate(EVAL_DATE); validator.validate(path, params); }
public void buildSignedMultiReleaseJar() throws Exception { String testsrc = System.getProperty("test.src","."); String testdir = findTestDir(testsrc); String keystore = testdir + "/sun/security/tools/jarsigner/JarSigning.keystore"; // jarsigner -keystore keystore -storepass "bbbbbb" // -signedJar signed-multi-release.jar multi-release.jar b char[] password = "bbbbbb".toCharArray(); KeyStore ks = KeyStore.getInstance(new File(keystore), password); PrivateKey pkb = (PrivateKey)ks.getKey("b", password); CertPath cp = CertificateFactory.getInstance("X.509") .generateCertPath(Arrays.asList(ks.getCertificateChain("b"))); JarSigner js = new JarSigner.Builder(pkb, cp).build(); try (ZipFile in = new ZipFile("multi-release.jar"); FileOutputStream os = new FileOutputStream("signed-multi-release.jar")) { js.sign(in, os); } }
@Override /** * @see org.apache.ws.security.components.crypto.Crypto#getX509Certificates(byte[], boolean) */ public X509Certificate[] getX509Certificates(byte[] data, boolean reverse) throws WSSecurityException { InputStream in = new ByteArrayInputStream(data); CertPath path; try { path = getCertificateFactory().generateCertPath(in); } catch (CertificateException e) { throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError"); } List l = path.getCertificates(); X509Certificate[] certs = new X509Certificate[l.size()]; Iterator iterator = l.iterator(); for (int i = 0; i < l.size(); i++) { certs[reverse ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next(); } return certs; }
@Override public CertPath engineGenerateCertPath(List<? extends Certificate> certificates) throws CertificateException { final List<X509Certificate> filtered = new ArrayList<X509Certificate>(certificates.size()); for (int i = 0; i < certificates.size(); i++) { final Certificate c = certificates.get(i); if (!(c instanceof X509Certificate)) { throw new CertificateException("Certificate not X.509 type at index " + i); } filtered.add((X509Certificate) c); } return new OpenSSLX509CertPath(filtered); }
protected static PKIXPolicyNode processCertE( CertPath certPath, int index, PKIXPolicyNode validPolicyTree) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (e) // ASN1Sequence certPolicies = null; try { certPolicies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CERTIFICATE_POLICIES)); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.", e, certPath, index); } if (certPolicies == null) { validPolicyTree = null; } return validPolicyTree; }
protected static int prepareNextCertJ( CertPath certPath, int index, int inhibitAnyPolicy) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (j) // DERInteger iap = null; try { iap = DERInteger.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.INHIBIT_ANY_POLICY)); } catch (Exception e) { throw new ExtCertPathValidatorException("Inhibit any-policy extension cannot be decoded.", e, certPath, index); } if (iap != null) { int _inhibitAnyPolicy = iap.getValue().intValue(); if (_inhibitAnyPolicy < inhibitAnyPolicy) { return _inhibitAnyPolicy; } } return inhibitAnyPolicy; }
protected static void prepareNextCertK( CertPath certPath, int index) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (k) // BasicConstraints bc = null; try { bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.BASIC_CONSTRAINTS)); } catch (Exception e) { throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, index); } if (bc != null) { if (!(bc.isCA())) { throw new CertPathValidatorException("Not a CA certificate"); } } else { throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints"); } }
protected static int prepareNextCertM( CertPath certPath, int index, int maxPathLength) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (m) // BasicConstraints bc = null; try { bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.BASIC_CONSTRAINTS)); } catch (Exception e) { throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath, index); } if (bc != null) { BigInteger _pathLengthConstraint = bc.getPathLenConstraint(); if (_pathLengthConstraint != null) { int _plc = _pathLengthConstraint.intValue(); if (_plc < maxPathLength) { return _plc; } } } return maxPathLength; }
protected static void prepareNextCertO( CertPath certPath, int index, Set criticalExtensions, List pathCheckers) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); // // (o) // Iterator tmpIter; tmpIter = pathCheckers.iterator(); while (tmpIter.hasNext()) { try { ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); } catch (CertPathValidatorException e) { throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index); } } if (!criticalExtensions.isEmpty()) { throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath, index); } }
protected static void wrapupCertF( CertPath certPath, int index, List pathCheckers, Set criticalExtensions) throws CertPathValidatorException { List certs = certPath.getCertificates(); X509Certificate cert = (X509Certificate)certs.get(index); Iterator tmpIter; tmpIter = pathCheckers.iterator(); while (tmpIter.hasNext()) { try { ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions); } catch (CertPathValidatorException e) { throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath, index); } } if (!criticalExtensions.isEmpty()) { throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath, index); } }
public CertPath engineGenerateCertPath( InputStream inStream, String encoding) throws CertificateException { return new PKIXCertPath(inStream, encoding); }
/** * Constructs a Timestamp. * * @param timestamp is the timestamp's date and time. It must not be null. * @param signerCertPath is the TSA's certificate path. It must not be null. * @throws NullPointerException if timestamp or signerCertPath is null. */ public Timestamp(Date timestamp, CertPath signerCertPath) { if (timestamp == null || signerCertPath == null) { throw new NullPointerException(); } this.timestamp = new Date(timestamp.getTime()); // clone this.signerCertPath = signerCertPath; }
