Java 类java.security.cert.CertPathValidatorException 实例源码

项目:openjdk-jdk10    文件:HttpsUrlConnClient.java   
/**
 * Checks a validation failure to see if it failed for the reason we think
 * it should.  This comes in as an SSLException of some sort, but it
 * encapsulates a ValidatorException which in turn encapsulates the
 * CertPathValidatorException we are interested in.
 *
 * @param e the exception thrown at the top level
 * @param reason the underlying CertPathValidatorException BasicReason
 * we are expecting it to have.
 *
 * @return true if the reason matches up, false otherwise.
 */
static boolean checkClientValidationFailure(Exception e,
        BasicReason reason) {
    // Expected nesting: SSLException -> ValidatorException ->
    // CertPathValidatorException.  A break anywhere in that chain means
    // this is not the validation failure the caller is looking for.
    if (!(e instanceof SSLException)) {
        return false;
    }

    Throwable validatorFailure = e.getCause();
    if (!(validatorFailure instanceof sun.security.validator.ValidatorException)) {
        return false;
    }

    Throwable pathFailure = validatorFailure.getCause();
    if (!(pathFailure instanceof CertPathValidatorException)) {
        return false;
    }

    // Only the reason code is compared; the message text is ignored, so a
    // failure for any other reason (or with no matching reason) is a miss.
    return ((CertPathValidatorException) pathFailure).getReason() == reason;
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Step (f) of per-certificate processing: rejects the path when an explicit
 * policy is required but no valid policy tree is left.
 *
 * @param certPath the path being validated, reported in the exception
 * @param index position of the current certificate, reported in the exception
 * @param validPolicyTree the current policy tree, or null if none remains
 * @param explicitPolicy the explicit-policy counter; a value of zero or less
 *        means a policy is required
 * @throws CertPathValidatorException if a policy is required and the tree is null
 */
protected static void processCertF(
    CertPath certPath,
    int index,
    PKIXPolicyNode validPolicyTree,
    int explicitPolicy)
    throws CertPathValidatorException
{
    //
    // (f)
    //
    boolean policyRequired = explicitPolicy <= 0;
    boolean treeMissing = validPolicyTree == null;

    // Fail closed: a required policy with nothing left to satisfy it ends validation.
    if (policyRequired && treeMissing)
    {
        throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath,
            index);
    }
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Step (l) of preparing for the next certificate: consumes one unit of the
 * remaining path length unless the current certificate is self-issued.
 *
 * @param certPath the path being validated
 * @param index position of the current certificate in the path
 * @param maxPathLength the remaining path length before this certificate
 * @return the remaining path length after this certificate
 * @throws CertPathValidatorException if the certificate is not self-issued
 *         and no path length remains
 */
protected static int prepareNextCertL(
    CertPath certPath,
    int index,
    int maxPathLength)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);
    //
    // (l)
    //
    // Self-issued certificates do not count against the path length.
    if (CertPathValidatorUtilities.isSelfIssued(current))
    {
        return maxPathLength;
    }

    // The budget is checked before it is decremented, so a chain longer
    // than allowed is rejected here rather than going negative.
    if (maxPathLength <= 0)
    {
        throw new ExtCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
    }
    return maxPathLength - 1;
}
项目:verify-hub    文件:ConfigServiceKeyStoreTest.java   
/**
 * A signing certificate whose chain validation is stubbed to fail must make
 * the key store throw, with the validator's exception kept as the cause.
 */
@Test
public void getVerificationKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
    // Arrange: one signing certificate, and a validator that reports it invalid.
    final CertificateDto signingCertDto = getX509Certificate(STUB_IDP_ONE);
    final CertPathValidatorException chainFailure = new CertPathValidatorException("Invalid Certificate");
    when(certificatesConfigProxy.getSignatureVerificationCertificates(issuerId)).thenReturn(of(signingCertDto));
    when(x509CertificateFactory.createCertificate(signingCertDto.getCertificate())).thenReturn(x509Certificate);
    when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
    when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(chainFailure));

    try {
        configServiceKeyStore.getVerifyingKeysForEntity(issuerId);
        // Reaching this line means an invalid certificate was accepted.
        Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
    } catch (CertificateChainValidationException expected) {
        assertThat(expected.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
        // The original validation failure must survive as the cause.
        assertThat(expected.getCause()).isEqualTo(chainFailure);
    }
}
项目:verify-hub    文件:ConfigServiceKeyStoreTest.java   
/**
 * An encryption certificate whose chain validation is stubbed to fail must
 * make the key store throw, with the validator's exception kept as the cause.
 */
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
    // Arrange: the encryption certificate, and a validator that reports it invalid.
    final CertificateDto encryptionCertDto = getX509Certificate(STUB_IDP_ONE);
    final CertPathValidatorException chainFailure = new CertPathValidatorException("Invalid Certificate");
    when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(encryptionCertDto);
    when(x509CertificateFactory.createCertificate(encryptionCertDto.getCertificate())).thenReturn(x509Certificate);
    when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
    when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(chainFailure));

    try {
        configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
        // Reaching this line means an invalid certificate was accepted.
        Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
    } catch (CertificateChainValidationException expected) {
        assertThat(expected.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
        // The original validation failure must survive as the cause.
        assertThat(expected.getCause()).isEqualTo(chainFailure);
    }
}
项目:verify-hub    文件:ConfigServiceKeyStoreTest.java   
/**
 * Verifies that a signing certificate rejected by the chain validator is
 * surfaced as a CertificateChainValidationException carrying the validator's
 * exception as its cause.
 */
@Test
public void getVerificationKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
    final CertPathValidatorException rejection = new CertPathValidatorException("Invalid Certificate");
    final CertificateDto idpSigningDto = getX509Certificate(IDP_ENTITY_ID);

    // Stub the whole lookup path so only the validation outcome decides the result.
    when(certificatesConfigProxy.getSignatureVerificationCertificates(issuerId)).thenReturn(of(idpSigningDto));
    when(x509CertificateFactory.createCertificate(idpSigningDto.getCertificate())).thenReturn(x509Certificate);
    when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
    when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(rejection));

    try {
        configServiceKeyStore.getVerifyingKeysForEntity(issuerId);
        Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
    } catch (CertificateChainValidationException thrown) {
        assertThat(thrown.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
        assertThat(thrown.getCause()).isEqualTo(rejection);
    }
}
项目:verify-hub    文件:ConfigServiceKeyStoreTest.java   
/**
 * Verifies that an encryption certificate rejected by the chain validator is
 * surfaced as a CertificateChainValidationException carrying the validator's
 * exception as its cause.
 */
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
    final CertPathValidatorException rejection = new CertPathValidatorException("Invalid Certificate");
    final CertificateDto idpEncryptionDto = getX509Certificate(IDP_ENTITY_ID);

    // Stub the whole lookup path so only the validation outcome decides the result.
    when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(idpEncryptionDto);
    when(x509CertificateFactory.createCertificate(idpEncryptionDto.getCertificate())).thenReturn(x509Certificate);
    when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
    when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(rejection));

    try {
        configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
        Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
    } catch (CertificateChainValidationException thrown) {
        assertThat(thrown.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
        assertThat(thrown.getCause()).isEqualTo(rejection);
    }
}
项目:verify-hub    文件:ConfigServiceKeyStoreTest.java   
/**
 * Same scenario as the other invalid-certificate tests, with the DTO built
 * from {@code idpSigningCertPrimary}: a failed chain validation must reach the
 * caller as a CertificateChainValidationException with the original cause.
 */
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
    final CertificateDto builtCertDto = buildCertificateDto(IDP_ENTITY_ID, idpSigningCertPrimary);
    final CertPathValidatorException validatorError = new CertPathValidatorException("Invalid Certificate");

    when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(builtCertDto);
    when(x509CertificateFactory.createCertificate(builtCertDto.getCertificate())).thenReturn(x509Certificate);
    when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
    // The validator is the only collaborator that reports a problem.
    when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(validatorError));

    try {
        configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
        Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
    } catch (CertificateChainValidationException caught) {
        assertThat(caught.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
        assertThat(caught.getCause()).isEqualTo(validatorError);
    }
}
项目:OpenJSharp    文件:OCSP.java   
/**
 * Obtains the revocation status of a certificate using OCSP using the most
 * common defaults. The OCSP responder URI is retrieved from the
 * certificate's AIA extension. The OCSP responder certificate is assumed
 * to be the issuer's certificate (or issued by the issuer CA).
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    CertId requestId;
    URI ocspLocation;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);

        // The responder location is read from the certificate under test;
        // a certificate that names no responder cannot be checked here and
        // is reported as a validation failure rather than treated as good.
        ocspLocation = getResponderURI(impl);
        if (ocspLocation == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        requestId = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Encoding problems are reported as validation failures, with the
        // original exception kept as the cause.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // No responder certificate, date or request extensions are supplied.
    OCSPResponse response = check(Collections.singletonList(requestId),
        ocspLocation, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus)response.getSingleResponse(requestId);
}
项目:OpenJSharp    文件:UntrustedChecker.java   
/**
 * Rejects the certificate if {@code UntrustedCertificates} reports it as
 * untrusted. The unresolved critical extensions are not consulted.
 *
 * @param cert the certificate to check; cast to X509Certificate
 * @param unresolvedCritExts unused by this checker
 * @throws CertPathValidatorException if the certificate is untrusted
 */
@Override
public void check(Certificate cert,
        Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {

    // A non-X.509 certificate fails here with a ClassCastException.
    X509Certificate candidate = (X509Certificate)cert;

    if (!UntrustedCertificates.isUntrusted(candidate)) {
        return;
    }

    if (debug != null) {
        debug.println("UntrustedChecker: untrusted certificate " +
                candidate.getSubjectX500Principal());
    }

    // The subject is included so the rejected certificate can be identified.
    throw new CertPathValidatorException(
        "Untrusted certificate: " + candidate.getSubjectX500Principal());
}
项目:OpenJSharp    文件:ConstraintsChecker.java   
/**
 * Performs the basic constraints and name constraints
 * checks on the certificate using its internal state.
 *
 * @param cert the <code>Certificate</code> to be checked
 * @param unresCritExts a <code>Collection</code> of OID strings
 *        representing the current set of unresolved critical extensions
 * @throws CertPathValidatorException if the specified certificate
 *         does not pass the check
 */
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
    throws CertPathValidatorException
{
    X509Certificate x509 = (X509Certificate)cert;

    // Advance the position counter kept by this checker.
    i++;

    // Order matters: the name-constraints check relies on the
    // basic-constraints check having updated remainingCerts first.
    checkBasicConstraints(x509);
    verifyNameConstraints(x509);

    if (unresCritExts == null || unresCritExts.isEmpty()) {
        return;
    }

    // Both extensions were handled above, so they are taken out of the
    // unresolved set.
    unresCritExts.remove(BasicConstraints_Id.toString());
    unresCritExts.remove(NameConstraints_Id.toString());
}
项目:openjdk-jdk10    文件:ConstraintsChecker.java   
/**
 * Performs the basic constraints and name constraints
 * checks on the certificate using its internal state.
 *
 * @param cert the <code>Certificate</code> to be checked
 * @param unresCritExts a <code>Collection</code> of OID strings
 *        representing the current set of unresolved critical extensions
 * @throws CertPathValidatorException if the specified certificate
 *         does not pass the check
 */
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
    throws CertPathValidatorException
{
    final X509Certificate subject = (X509Certificate)cert;

    i++;

    // Basic constraints first, name constraints second: the second check
    // depends on remainingCerts being updated by the first.
    checkBasicConstraints(subject);
    verifyNameConstraints(subject);

    // Mark the two extensions as processed by dropping their OIDs from the
    // caller's unresolved set (skipped when there is nothing to remove).
    boolean hasUnresolved = unresCritExts != null && !unresCritExts.isEmpty();
    if (hasUnresolved) {
        unresCritExts.remove(BasicConstraints_Id.toString());
        unresCritExts.remove(NameConstraints_Id.toString());
    }
}
项目:OpenJSharp    文件:BasicChecker.java   
/**
 * Internal method to manage state information at each iteration
 */
private void updateState(X509Certificate currCert)
    throws CertPathValidatorException
{
    PublicKey subjectKey = currCert.getPublicKey();

    if (debug != null) {
        debug.println("BasicChecker.updateState issuer: " +
            currCert.getIssuerX500Principal().toString() + "; subject: " +
            currCert.getSubjectX500Principal() + "; serial#: " +
            currCert.getSerialNumber().toString());
    }

    // A DSA key published without parameters takes them from the key of
    // the previous certificate before it becomes the new "previous" key.
    if (PKIX.isDSAPublicKeyWithoutParams(subjectKey)) {
        subjectKey = makeInheritedParamsKey(subjectKey, prevPubKey);
        if (debug != null) {
            debug.println("BasicChecker.updateState Made key with inherited params");
        }
    }

    // Remember this certificate's key and subject for the next iteration.
    prevPubKey = subjectKey;
    prevSubject = currCert.getSubjectX500Principal();
}
项目:OpenJSharp    文件:BasicChecker.java   
/**
 * Internal method to create a new key with inherited key parameters.
 *
 * @param keyValueKey key from which to obtain key value
 * @param keyParamsKey key from which to obtain key parameters
 * @return new public key having value and parameters
 * @throws CertPathValidatorException if keys are not appropriate types
 * for this operation
 */
static PublicKey makeInheritedParamsKey(PublicKey keyValueKey,
    PublicKey keyParamsKey) throws CertPathValidatorException
{
    // Both inputs must be DSA public keys; null also fails this test.
    boolean bothDsa = keyValueKey instanceof DSAPublicKey
        && keyParamsKey instanceof DSAPublicKey;
    if (!bothDsa) {
        throw new CertPathValidatorException(
            "Input key is not appropriate type for inheriting parameters");
    }

    DSAPublicKey valueSource = (DSAPublicKey)keyValueKey;
    DSAParams inherited = ((DSAPublicKey)keyParamsKey).getParams();

    // The donor key must actually carry parameters to inherit.
    if (inherited == null) {
        throw new CertPathValidatorException("Key parameters missing");
    }

    try {
        // Combine the public value y of one key with p, q, g of the other.
        DSAPublicKeySpec spec = new DSAPublicKeySpec(valueSource.getY(),
                                                     inherited.getP(),
                                                     inherited.getQ(),
                                                     inherited.getG());
        return KeyFactory.getInstance("DSA").generatePublic(spec);
    } catch (GeneralSecurityException e) {
        throw new CertPathValidatorException(
            "Unable to generate key with inherited parameters: "
                + e.getMessage(), e);
    }
}
项目:jdk8u-jdk    文件:OCSP.java   
/**
 * Obtains the revocation status of one certificate from the given OCSP
 * responder, delegating to the list-based {@code check} overload.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate, used to build the CertId
 * @param responderURI the responder location, passed through unchanged
 * @param responderCert passed through unchanged
 * @param date passed through unchanged
 * @param extensions passed through unchanged
 * @return the single response for {@code cert}
 * @throws IOException as thrown by the delegated overload
 * @throws CertPathValidatorException if the CertId cannot be built, or as
 *         thrown by the delegated overload
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    CertId requestId;
    try {
        // The request identifies the certificate by issuer plus serial number.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        requestId = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Reported as a validation failure with the original cause attached.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    OCSPResponse response = check(Collections.singletonList(requestId),
        responderURI, issuerCert, responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(requestId);
}
项目:openjdk-jdk10    文件:OCSP.java   
/**
 * Obtains the revocation status of one certificate from the given OCSP
 * responder. The trust anchor and issuer certificate are wrapped in an
 * {@code OCSPResponse.IssuerInfo} for the list-based {@code check} overload.
 *
 * @param cert the certificate to be checked
 * @param responderURI the responder location, passed through unchanged
 * @param anchor the trust anchor placed in the IssuerInfo
 * @param issuerCert the issuer certificate, used for the CertId and IssuerInfo
 * @param responderCert passed through unchanged
 * @param date passed through unchanged
 * @param extensions passed through unchanged
 * @param variant passed through unchanged
 * @return the single response for {@code cert}
 * @throws IOException as thrown by the delegated overload
 * @throws CertPathValidatorException if the CertId cannot be built, or as
 *         thrown by the delegated overload
 */
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    CertId requestId;
    try {
        // The request identifies the certificate by issuer plus serial number.
        requestId = new CertId(issuerCert,
                X509CertImpl.toImpl(cert).getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    OCSPResponse.IssuerInfo issuerInfo =
            new OCSPResponse.IssuerInfo(anchor, issuerCert);
    OCSPResponse response = check(Collections.singletonList(requestId),
            responderURI, issuerInfo, responderCert, date, extensions,
            variant);
    return (RevocationStatus) response.getSingleResponse(requestId);
}
项目:jdk8u-jdk    文件:UntrustedChecker.java   
/**
 * Fails validation when the certificate is reported as untrusted by
 * {@code UntrustedCertificates}; otherwise does nothing.
 *
 * @param cert the certificate to check; cast to X509Certificate
 * @param unresolvedCritExts not read by this checker
 * @throws CertPathValidatorException if the certificate is untrusted
 */
@Override
public void check(Certificate cert,
        Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {

    final X509Certificate x509 = (X509Certificate)cert;
    final boolean untrusted = UntrustedCertificates.isUntrusted(x509);

    if (untrusted) {
        // Trace the rejection when debugging is on, then fail the path.
        if (debug != null) {
            debug.println("UntrustedChecker: untrusted certificate " +
                    x509.getSubjectX500Principal());
        }

        throw new CertPathValidatorException(
            "Untrusted certificate: " + x509.getSubjectX500Principal());
    }
}
项目:jdk8u-jdk    文件:ForwardState.java   
/**
 * Initialize the state.
 *
 * @param certPathCheckers the list of user-defined PKIXCertPathCheckers
 */
public void initState(List<PKIXCertPathChecker> certPathCheckers)
    throws CertPathValidatorException
{
    // Start from a clean slate: no names seen, no CA certificates traversed.
    subjectNamesTraversed = new HashSet<GeneralNameInterface>();
    traversedCACerts = 0;

    /*
     * Keep only the user-defined checkers that can run in the forward
     * direction, initializing each one for forward checking as it is added.
     * Checkers without forward support are left out of forwardCheckers.
     */
    forwardCheckers = new ArrayList<PKIXCertPathChecker>();
    for (PKIXCertPathChecker candidate : certPathCheckers) {
        if (!candidate.isForwardCheckingSupported()) {
            continue;
        }
        candidate.init(true);
        forwardCheckers.add(candidate);
    }

    init = true;
}
项目:jdk8u-jdk    文件:ConstraintsChecker.java   
/**
 * Performs the basic constraints and name constraints
 * checks on the certificate using its internal state.
 *
 * @param cert the <code>Certificate</code> to be checked
 * @param unresCritExts a <code>Collection</code> of OID strings
 *        representing the current set of unresolved critical extensions
 * @throws CertPathValidatorException if the specified certificate
 *         does not pass the check
 */
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
    throws CertPathValidatorException
{
    X509Certificate currCert = (X509Certificate)cert;

    i++;
    // MUST run NC check second, since it depends on BC check to
    // update remainingCerts
    checkBasicConstraints(currCert);
    verifyNameConstraints(currCert);

    if (unresCritExts != null && !unresCritExts.isEmpty()) {
        unresCritExts.remove(BasicConstraints_Id.toString());
        unresCritExts.remove(NameConstraints_Id.toString());
    }
}
项目:openjdk-jdk10    文件:UntrustedChecker.java   
/**
 * Throws if {@code UntrustedCertificates.isUntrusted} flags the certificate.
 *
 * @param cert the certificate to check; cast to X509Certificate
 * @param unresolvedCritExts not used here
 * @throws CertPathValidatorException naming the subject of the untrusted
 *         certificate
 */
@Override
public void check(Certificate cert,
        Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {

    X509Certificate inspected = (X509Certificate)cert;

    // Trusted (not flagged) certificates pass through without side effects.
    if (!UntrustedCertificates.isUntrusted(inspected)) {
        return;
    }

    if (debug != null) {
        debug.println("UntrustedChecker: untrusted certificate " +
                inspected.getSubjectX500Principal());
    }

    throw new CertPathValidatorException(
        "Untrusted certificate: " + inspected.getSubjectX500Principal());
}
项目:openjdk-jdk10    文件:BasicChecker.java   
/**
 * Initializes the internal state of the checker from parameters
 * specified in the constructor.
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    // Only reverse checking is implemented.
    if (forward) {
        throw new
            CertPathValidatorException("forward checking not supported");
    }

    // Validation starts from the trust anchor's key.
    prevPubKey = trustedPubKey;

    // A DSA anchor key without parameters cannot verify the signature of
    // the first certificate, so the path is rejected up front.
    if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) {
        throw new CertPathValidatorException("Key parameters missing");
    }

    prevSubject = caName;
}
项目:jdk8u-jdk    文件:BasicChecker.java   
/**
 * Internal method to create a new key with inherited key parameters.
 *
 * @param keyValueKey key from which to obtain key value
 * @param keyParamsKey key from which to obtain key parameters
 * @return new public key having value and parameters
 * @throws CertPathValidatorException if keys are not appropriate types
 * for this operation
 */
static PublicKey makeInheritedParamsKey(PublicKey keyValueKey,
    PublicKey keyParamsKey) throws CertPathValidatorException
{
    // Reject anything that is not a pair of DSA public keys (null included).
    if (!(keyValueKey instanceof DSAPublicKey)) {
        throw new CertPathValidatorException("Input key is not " +
                                             "appropriate type for " +
                                             "inheriting parameters");
    }
    if (!(keyParamsKey instanceof DSAPublicKey)) {
        throw new CertPathValidatorException("Input key is not " +
                                             "appropriate type for " +
                                             "inheriting parameters");
    }

    DSAPublicKey donor = (DSAPublicKey)keyParamsKey;
    DSAParams donorParams = donor.getParams();
    if (donorParams == null) {
        // Nothing to inherit from.
        throw new CertPathValidatorException("Key parameters missing");
    }

    BigInteger publicValue = ((DSAPublicKey)keyValueKey).getY();
    PublicKey rebuilt;
    try {
        // New key = y from keyValueKey, (p, q, g) from keyParamsKey.
        KeyFactory dsaFactory = KeyFactory.getInstance("DSA");
        rebuilt = dsaFactory.generatePublic(
            new DSAPublicKeySpec(publicValue,
                                 donorParams.getP(),
                                 donorParams.getQ(),
                                 donorParams.getG()));
    } catch (GeneralSecurityException e) {
        throw new CertPathValidatorException("Unable to generate key with" +
                                             " inherited parameters: " +
                                             e.getMessage(), e);
    }
    return rebuilt;
}
项目:jdk8u-jdk    文件:DisabledAlgorithmConstraints.java   
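/**
 * Checks a certificate against the disabled-algorithm constraints: first its
 * signature algorithm, then its public key algorithm, then the certificate
 * and key constraints held in {@code algorithmConstraints}.
 *
 * @param primitives the cryptographic primitives the algorithms are used for
 * @param cp carries the certificate to check
 * @throws CertPathValidatorException with reason ALGORITHM_CONSTRAINED if
 *         either algorithm is not permitted, or as thrown by
 *         {@code algorithmConstraints.permits}
 */
private void checkConstraints(Set<CryptoPrimitive> primitives,
        CertConstraintParameters cp) throws CertPathValidatorException {

    X509Certificate cert = cp.getCertificate();
    String sigAlgorithm = cert.getSigAlgName();

    // Check signature algorithm is not disabled
    if (!permits(primitives, sigAlgorithm, null)) {
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on disabled "+
                        "signature algorithm: " + sigAlgorithm,
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }

    // Check key algorithm is not disabled.  The message names the key
    // algorithm that was actually tested; previously it printed the
    // signature algorithm, which misreported the rejected algorithm.
    String keyAlgorithm = cert.getPublicKey().getAlgorithm();
    if (!permits(primitives, keyAlgorithm, null)) {
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on disabled "+
                        "public key algorithm: " + keyAlgorithm,
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }

    // Check the certificate and key constraints
    algorithmConstraints.permits(cp);

}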
项目:openjdk-jdk10    文件:SSLEngineWithStapling.java   
/**
 * Checks a validation failure to see if it failed for the reason we think
 * it should.  This comes in as an SSLException of some sort, but it
 * encapsulates a ValidatorException which in turn encapsulates the
 * CertPathValidatorException we are interested in.
 *
 * @param e the exception thrown at the top level
 * @param reason the underlying CertPathValidatorException BasicReason
 * we are expecting it to have.
 *
 * @return true if the reason matches up, false otherwise.
 */
static boolean checkClientValidationFailure(Exception e,
        CertPathValidatorException.BasicReason reason) {
    // Expected nesting here has one more layer than the plain case:
    // SSLException -> SSLHandshakeException -> ValidatorException ->
    // CertPathValidatorException.  Each level is peeled off in turn and
    // any mismatch means "not the failure we wanted".
    if (!(e instanceof SSLException)) {
        return false;
    }

    Throwable handshakeFailure = e.getCause();
    if (!(handshakeFailure instanceof SSLHandshakeException)) {
        return false;
    }

    Throwable validatorFailure = handshakeFailure.getCause();
    if (!(validatorFailure instanceof sun.security.validator.ValidatorException)) {
        return false;
    }

    Throwable pathFailure = validatorFailure.getCause();
    if (!(pathFailure instanceof CertPathValidatorException)) {
        return false;
    }

    // Only the reason code decides the result.
    CertPathValidatorException cpve = (CertPathValidatorException)pathFailure;
    return cpve.getReason() == reason;
}
项目:openjdk-jdk10    文件:OCSP.java   
/**
 * Convenience overload that forwards to the {@code check} overload taking a
 * trust anchor, passing {@code null} in the anchor position.
 *
 * @return whatever the delegated overload returns
 * @throws IOException as thrown by the delegated overload
 * @throws CertPathValidatorException as thrown by the delegated overload
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date, List<Extension> extensions,
        String variant)
    throws IOException, CertPathValidatorException
{
    // Note the argument order changes: responderURI moves ahead of the
    // (absent) anchor and issuerCert in the delegated signature.
    RevocationStatus status = check(cert, responderURI, null, issuerCert,
            responderCert, date, extensions, variant);
    return status;
}
项目:openjdk-jdk10    文件:PolicyChecker.java   
/**
 * Merges the specified inhibitAnyPolicy value with the
 * SkipCerts value of the InhibitAnyPolicy
 * extension obtained from the certificate.
 *
 * @param inhibitAnyPolicy an integer which indicates whether
 * "any-policy" is considered a match
 * @param currCert the Certificate to be processed
 * @return returns the new inhibitAnyPolicy value
 * @exception CertPathValidatorException Exception thrown if an error
 * occurs
 */
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy,
    X509CertImpl currCert) throws CertPathValidatorException
{
    // Count down once per certificate that is not self-issued.
    int merged = inhibitAnyPolicy;
    if (merged > 0 && !X509CertImpl.isSelfIssued(currCert)) {
        merged--;
    }

    try {
        InhibitAnyPolicyExtension extension = (InhibitAnyPolicyExtension)
            currCert.getExtension(InhibitAnyPolicy_Id);

        // No extension on this certificate: only the countdown applies.
        if (extension == null) {
            return merged;
        }

        int skipCerts =
            extension.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue();
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy() "
                + "skipCerts Index from cert = " + skipCerts);
        }

        // The certificate may only tighten the value, never loosen it;
        // -1 is skipped rather than being treated as a smaller value.
        boolean tightens = skipCerts != -1 && skipCerts < merged;
        if (tightens) {
            merged = skipCerts;
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("PolicyChecker.mergeInhibitAnyPolicy "
                          + "unexpected exception");
            e.printStackTrace();
        }
        // An unreadable extension fails validation instead of being ignored.
        throw new CertPathValidatorException(e);
    }

    return merged;
}
项目:ipack    文件:CertPathValidatorUtilities.java   
/**
 * Converts each element of a qualifier sequence into a
 * {@code PolicyQualifierInfo} built from that element's encoding.
 *
 * @param qualifiers the sequence to convert, or null
 * @return a new set of PolicyQualifierInfo; empty when {@code qualifiers} is null
 * @throws CertPathValidatorException if an element cannot be written or
 *         turned into a PolicyQualifierInfo
 */
protected static final Set getQualifierSet(ASN1Sequence qualifiers)
    throws CertPathValidatorException
{
    Set qualifierInfos = new HashSet();

    if (qualifiers == null)
    {
        return qualifierInfos;
    }

    // One buffer is reused for every element and cleared after each one.
    ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    ASN1OutputStream asn1Out = new ASN1OutputStream(encoded);

    for (Enumeration elements = qualifiers.getObjects(); elements.hasMoreElements();)
    {
        try
        {
            asn1Out.writeObject((ASN1Encodable)elements.nextElement());

            qualifierInfos.add(new PolicyQualifierInfo(encoded.toByteArray()));
        }
        catch (IOException ex)
        {
            // A single bad qualifier fails the whole conversion.
            throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
        }

        encoded.reset();
    }

    return qualifierInfos;
}
项目:openjdk-jdk10    文件:SSLEngineWithStapling.java   
/**
 * Test driver: marks the SSL certificate as revoked in the intermediate OCSP
 * responder, runs the test, and passes only if it fails with a
 * CertPathValidatorException whose reason is REVOKED.
 */
public static void main(String args[]) throws Exception {
    if (debug) {
        System.setProperty("javax.net.debug", "ssl");
    }

    // Create the PKI we will use for the test and start the OCSP servers
    createPKI();

    // Set the certificate entry in the intermediate OCSP responder
    // with a revocation date of 8 hours ago.
    X509Certificate revokedCert =
            (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
    Date eightHoursAgo = new Date(System.currentTimeMillis() -
            TimeUnit.HOURS.toMillis(8));
    SimpleOCSPServer.CertStatusInfo revokedStatus =
            new SimpleOCSPServer.CertStatusInfo(
                    SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED,
                    eightHoursAgo);
    Map<BigInteger, SimpleOCSPServer.CertStatusInfo> statusUpdates =
        new HashMap<>();
    statusUpdates.put(revokedCert.getSerialNumber(), revokedStatus);
    intOcsp.updateStatusDb(statusUpdates);

    SSLEngineWithStapling test = new SSLEngineWithStapling();
    try {
        test.runTest();
        // A clean run means the revoked certificate was accepted.  This
        // RuntimeException is caught below too, fails the reason check,
        // and is rethrown.
        throw new RuntimeException("Expected failure due to revocation " +
                "did not occur");
    } catch (Exception e) {
        boolean revokedAsExpected = checkClientValidationFailure(e,
                CertPathValidatorException.BasicReason.REVOKED);
        if (!revokedAsExpected) {
            System.out.println("*** Didn't find the exception we wanted");
            throw e;
        }
    }

    System.out.println("Test Passed.");
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Step (j) of preparing for the next certificate: lowers inhibitAnyPolicy to
 * the value in the certificate's inhibit-any-policy extension when that value
 * is smaller.
 *
 * @param certPath the path being validated
 * @param index position of the current certificate in the path
 * @param inhibitAnyPolicy the current inhibit-any-policy value
 * @return the smaller of the current value and the extension value, or the
 *         current value when the extension is absent
 * @throws CertPathValidatorException if the extension cannot be decoded
 */
protected static int prepareNextCertJ(
    CertPath certPath,
    int index,
    int inhibitAnyPolicy)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);
    //
    // (j)
    //
    DERInteger fromExtension;
    try
    {
        fromExtension = DERInteger.getInstance(CertPathValidatorUtilities.getExtensionValue(current,
            RFC3280CertPathUtilities.INHIBIT_ANY_POLICY));
    }
    catch (Exception e)
    {
        // An extension that cannot be decoded fails the path.
        throw new ExtCertPathValidatorException("Inhibit any-policy extension cannot be decoded.", e, certPath,
            index);
    }

    if (fromExtension == null)
    {
        return inhibitAnyPolicy;
    }

    // NOTE(review): intValue() narrows the decoded integer to int; confirm
    // that out-of-range values cannot reach this point.
    int certValue = fromExtension.getValue().intValue();

    // The certificate can only lower the value, never raise it.
    return certValue < inhibitAnyPolicy ? certValue : inhibitAnyPolicy;
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Step (k) of preparing for the next certificate: requires the current
 * certificate to carry a basic-constraints extension that marks it as a CA.
 *
 * @param certPath the path being validated
 * @param index position of the current certificate in the path
 * @throws CertPathValidatorException if the extension cannot be decoded, is
 *         absent, or does not assert CA
 */
protected static void prepareNextCertK(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);
    //
    // (k)
    //
    BasicConstraints constraints;
    try
    {
        constraints = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(current,
            RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
            index);
    }

    // A missing extension is treated as a failure, not as "probably a CA":
    // a certificate used to issue the next one must say so explicitly.
    if (constraints == null)
    {
        throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
    }
    if (!constraints.isCA())
    {
        throw new CertPathValidatorException("Not a CA certificate");
    }
}
项目:openjdk-jdk10    文件:ConstraintsChecker.java   
/**
 * Resets the checker for a new validation run. Only reverse checking is
 * supported.
 *
 * @param forward must be false
 * @throws CertPathValidatorException if {@code forward} is true
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (forward) {
        throw new CertPathValidatorException
            ("forward checking not supported");
    }

    // Back to the first certificate, with the full path-length budget and
    // no name constraints carried over.
    i = 0;
    maxPathLength = certPathLength;
    prevNC = null;
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Step (o) of preparing for the next certificate: runs every supplied path
 * checker on the current certificate and then rejects the path if any
 * critical extension is still left in {@code criticalExtensions}.
 *
 * @param certPath the path being validated
 * @param index position of the current certificate in the path
 * @param criticalExtensions the critical extensions not yet handled; passed
 *        to each checker
 * @param pathCheckers the PKIXCertPathChecker instances to run
 * @throws CertPathValidatorException if a checker fails or a critical
 *         extension remains
 */
protected static void prepareNextCertO(
    CertPath certPath,
    int index,
    Set criticalExtensions,
    List pathCheckers)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);
    //
    // (o)
    //

    for (Iterator checkers = pathCheckers.iterator(); checkers.hasNext();)
    {
        PKIXCertPathChecker checker = (PKIXCertPathChecker)checkers.next();
        try
        {
            checker.check(current, criticalExtensions);
        }
        catch (CertPathValidatorException e)
        {
            // Re-thrown with the path and index attached.  Only the message
            // and cause of the checker's exception are carried over; the
            // exception object itself and its reason are not.
            throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index);
        }
    }

    // Fail closed on anything critical that no checker accounted for.
    if (!criticalExtensions.isEmpty())
    {
        throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath,
            index);
    }
}
项目:ipack    文件:RFC3280CertPathUtilities.java   
/**
 * Wrap-up step for the certificate at {@code index}: runs every supplied
 * path checker against it, then rejects the certificate if any critical
 * extension is still unresolved.
 *
 * <p>Under the {@code PKIXCertPathChecker.check} contract a checker removes
 * from {@code criticalExtensions} the extensions it has processed, so
 * whatever remains after the loop was recognised by nobody.
 *
 * @param certPath the path being validated
 * @param index position of the certificate to check within the path
 * @param pathCheckers the {@code PKIXCertPathChecker} instances to run
 * @param criticalExtensions unresolved critical extension OIDs; passed to
 *        each checker and inspected afterwards
 * @throws CertPathValidatorException if a checker fails (the checker's
 *         exception is kept as the cause), or if
 *         {@code criticalExtensions} is not empty once all checkers ran
 */
protected static void wrapupCertF(
    CertPath certPath,
    int index,
    List pathCheckers,
    Set criticalExtensions)
    throws CertPathValidatorException
{
    X509Certificate cert = (X509Certificate)certPath.getCertificates().get(index);

    for (Iterator checkers = pathCheckers.iterator(); checkers.hasNext();)
    {
        PKIXCertPathChecker checker = (PKIXCertPathChecker)checkers.next();
        try
        {
            checker.check(cert, criticalExtensions);
        }
        catch (CertPathValidatorException e)
        {
            // Wrap rather than replace: the checker's exception stays
            // reachable through getCause().
            throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
                index);
        }
    }

    if (criticalExtensions.isEmpty())
    {
        return;
    }

    // A critical extension that no checker consumed must fail validation.
    throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath,
        index);
}
项目:openjdk-jdk10    文件:AlgorithmChecker.java   
/**
 * Checks a signature algorithm, together with the public key it is used
 * with, against {@code certPathDefaultConstraints}.
 *
 * <p>The algorithm name and parameters are read from {@code algorithmId}
 * and handed, with the key and variant, to the constraints object. This
 * method returns nothing; a disallowed combination is presumably reported
 * by {@code permits} throwing (confirm against the constraints class).
 *
 * @param key the public key used to verify the signature
 * @param algorithmId the signature algorithm's Algorithm ID
 * @param variant the Validator variant of the operation, forwarded
 *        unchanged; the original documentation states that a null value is
 *        treated as Validator.GENERIC, which is not done in this method
 * @throws CertPathValidatorException declared for the constraints check
 */
static void check(PublicKey key, AlgorithmId algorithmId, String variant)
                    throws CertPathValidatorException {
    ConstraintsParameters params = new ConstraintsParameters(
            algorithmId.getName(), algorithmId.getParameters(), key, variant);

    certPathDefaultConstraints.permits(params);
}
项目:verify-hub    文件:CertificateValidityChecker.java   
/**
 * Returns a mapper from a certificate/validity map to an
 * {@code InvalidCertificateDto} describing why the certificate failed.
 *
 * <p>The mapper reads exactly one key and one value from the map through
 * {@code getOnlyElement}, so it presumably expects a single-entry map
 * (confirm against the caller).
 *
 * @return the mapping function
 */
private Function<Map<CertificateDetails, CertificateValidity>, InvalidCertificateDto> toInvalidCertificates() {
    return validityByCertificate -> {
        CertificateDetails details = getOnlyElement(validityByCertificate.keySet());
        CertificateValidity validity = getOnlyElement(validityByCertificate.values());

        // NOTE(review): get() is called without a presence check, so this
        // mapper relies on the caller passing only entries that carry an
        // exception, i.e. certificates that failed validation.
        CertPathValidatorException failure = validity.getException().get();

        return new InvalidCertificateDto(
                details.getIssuerId(),
                failure.getReason(),
                details.getKeyUse(),
                details.getFederationEntityType(),
                failure.getMessage());
    };
}
项目:openjdk-jdk10    文件:PolicyChecker.java   
/**
 * Resets the checker's counters from the flags and path length it already
 * holds.
 *
 * <p>Forward checking is refused before any state is changed. Each of the
 * three policy counters starts at 0 when its flag is set and at
 * {@code certPathLen + 1} otherwise.
 *
 * @param forward {@code true} to request forward checking, which this
 *        checker does not support
 * @throws CertPathValidatorException if {@code forward} is {@code true}
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (forward) {
        throw new CertPathValidatorException
                                    ("forward checking not supported");
    }

    // Starting value for any counter whose flag is not set.
    final int unrestricted = certPathLen + 1;

    certIndex = 1;
    explicitPolicy = expPolicyRequired ? 0 : unrestricted;
    policyMapping = polMappingInhibited ? 0 : unrestricted;
    inhibitAnyPolicy = anyPolicyInhibited ? 0 : unrestricted;
}
项目:verify-hub    文件:ConfigValidationExceptionTest.java   
/**
 * Verifies the message built by
 * {@code ConfigValidationException.createInvalidCertificatesException}
 * for a single invalid certificate: entity id, certificate type,
 * federation type, validation reason and description, one per line.
 */
@Test
public void createInvalidCertificatesException() throws Exception {
    InvalidCertificateDto expiredCertificate = new InvalidCertificateDto(
            "entity-id",
            CertPathValidatorException.BasicReason.EXPIRED,
            CertificateType.ENCRYPTION,
            FederationEntityType.IDP,
            "description");

    String expectedMessage = "Invalid certificate found.\n" +
            "Entity Id: entity-id\n" +
            "Certificate Type: ENCRYPTION\n" +
            "Federation Type: IDP\n" +
            "Reason: EXPIRED\n" +
            "Description: description";

    ConfigValidationException thrown =
            ConfigValidationException.createInvalidCertificatesException(asList(expiredCertificate));

    assertThat(thrown.getMessage()).isEqualTo(expectedMessage);
}
项目:openjdk-jdk10    文件:GetMessage.java   
/**
 * Checks that {@code CertPathValidatorException(Throwable cause)} sets its
 * detail message to {@code cause.toString()}, trying a cause with no
 * message, one with a message, and one with a message and a nested cause.
 *
 * @param args unused
 * @throws Exception if any constructed exception reports a different
 *         message
 */
public static void main(String[] args) throws Exception {

    Throwable[] causes = {
        new Throwable(),
        new Throwable("message"),
        new Throwable("message", new Throwable()) };

    for (Throwable cause : causes) {
        CertPathValidatorException cpve = new CertPathValidatorException(cause);

        // from CertPathValidatorException(Throwable cause) spec:
        // The detail message is set to (cause==null ? null : cause.toString() )
        // (which typically contains the class and detail message of cause).
        String expected = (cause == null) ? null : cause.toString();
        String actual = cpve.getMessage();

        boolean matches;
        if (expected == null) {
            matches = (actual == null);
        } else {
            matches = expected.equals(actual);
        }
        if (matches) {
            continue;
        }

        // Record the mismatch and keep going so every case is reported.
        System.out.println("expected message:" + expected);
        System.out.println("getMessage():" + actual);
        failed = true;
    }

    if (failed) {
        throw new Exception("Some tests FAILED");
    }
}
项目:OpenJSharp    文件:OCSPResponse.java   
/**
 * Verifies this response's signature over {@code tbsResponseData} with the
 * public key of the given certificate.
 *
 * <p>A signature that does not verify is reported through the return
 * value, not an exception, so the caller has to act on {@code false}.
 * Only failures to set up or run the verification are thrown.
 *
 * @param cert certificate whose public key is used for verification
 * @return {@code true} if the signature verifies, {@code false} if not
 * @throws CertPathValidatorException if the key is invalid, the algorithm
 *         is not available, or the signature cannot be processed
 */
private boolean verifySignature(X509Certificate cert)
    throws CertPathValidatorException {

    try {
        // The algorithm is selected by the name held in sigAlgId. No check
        // of that algorithm against a constraints policy is visible in this
        // method; presumably it is done elsewhere (confirm).
        Signature verifier = Signature.getInstance(sigAlgId.getName());
        verifier.initVerify(cert.getPublicKey());
        verifier.update(tbsResponseData);

        boolean verified = verifier.verify(signature);
        if (debug != null) {
            debug.println(verified
                ? "Verified signature of OCSP Response"
                : "Error verifying signature of OCSP Response");
        }
        return verified;
    } catch (InvalidKeyException | NoSuchAlgorithmException |
             SignatureException e)
    {
        throw new CertPathValidatorException(e);
    }
}
项目:openjdk-jdk10    文件:AlgorithmChecker.java   
/**
 * Checks the signature algorithm of a CRL, together with the public key
 * used to verify it, by delegating to the {@code AlgorithmId} overload of
 * {@code check}.
 *
 * <p>The CRL is first converted with {@code X509CRLImpl.toImpl} so that its
 * signature algorithm ID can be read.
 *
 * @param key the public key used to verify the CRL signature
 * @param crl the target CRL
 * @param variant the Validator variant of the operation, forwarded
 *        unchanged; the original documentation states that a null value is
 *        treated as Validator.GENERIC, which is not done in this method
 * @throws CertPathValidatorException if the CRL cannot be converted (the
 *         {@code CRLException} is kept as the cause), or if the delegated
 *         check throws
 */
static void check(PublicKey key, X509CRL crl, String variant)
                    throws CertPathValidatorException {

    final X509CRLImpl crlImpl;
    try {
        crlImpl = X509CRLImpl.toImpl(crl);
    } catch (CRLException ce) {
        throw new CertPathValidatorException(ce);
    }

    check(key, crlImpl.getSigAlgId(), variant);
}