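/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}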
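/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}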
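/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}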
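/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}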
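/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}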
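/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}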
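/**
 * Exercises {@link X509CertSelector#setCertificateValid(java.util.Date)}: a date outside
 * the certificate's validity period (31 Dec 1968) must not match, while the certificate's
 * own notBefore instant must match.
 * <p>
 * Relies on the {@code cert} fixture and the {@code checkMatch} helper of the enclosing test.
 */
private void testCertificateValid() {
    System.out.println("X.509 Certificate Match on certificateValid");
    // bad match: 31 Dec 1968. Calendar months are zero-based, so the month has to be
    // Calendar.DECEMBER; a literal 12 is leniently rolled over to 31 Jan 1969.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setCertificateValid(cal.getTime());
    checkMatch(selector, cert, false);
    // good match: the first instant of the certificate's own validity period
    selector.setCertificateValid(cert.getNotBefore());
    checkMatch(selector, cert, true);
}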
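/**
 * Validates the certificate path for a certificate on the exceptions list.
 * <p>
 * Because the certificate is an exception, neither revocation nor time validity is checked
 * here, but the path still has to be built and validated so that the certificate presented
 * by the server is linked to a trust anchor in {@code allStore}.
 *
 * @param chain the certificate chain to validate; its last element is used as the build
 *        target, so the trust store must contain a path to it
 * @throws CertificateException if the chain is null or empty, or the path ends in an
 *         anchor that carries no trusted certificate
 * @throws NoSuchAlgorithmException if the PKIX algorithm is unavailable
 * @throws KeyStoreException if the trust store cannot be read
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 * @throws CertPathValidatorException if validation of the built path fails
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // Without this guard an empty chain fails below with ArrayIndexOutOfBoundsException
    // instead of the CertificateException that callers handle.
    if (chain == null || chain.length == 0) {
        throw new CertificateException("Certificate path failed: empty certificate chain");
    }
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(chain[chain.length - 1]);
    // Exceptions are exempt from time-validity checks; null removes the date criterion
    // (it is also the selector's default).
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // Exceptions are exempt from revocation checks.
    parameters.setRevocationEnabled(false);
    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
            .validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
    if (trustedCert == null) {
        // The anchor was specified by name and public key rather than by certificate.
        throw new CertificateException("Certificate path failed");
    }
    // getSubjectX500Principal() replaces the deprecated getSubjectDN().
    Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectX500Principal());
}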
/**
 * Collects the end-entity certificates in {@code certStores} that can complete the path
 * being built in reverse (issuer-to-subject) order.
 * <p>
 * The selector starts as a clone of the target certificate constraints, so every criterion
 * the caller supplied is kept, and is then narrowed to certificates issued by the subject
 * reached so far, valid at the build date, carrying a matching policy while no explicit
 * policy is required yet, and (basic constraints -2) not being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching end-entity certificates, without duplicates
 * @throws CertStoreException if a store cannot be queried
 * @throws CertificateException if a certificate cannot be processed
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingEECerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    // Start from the caller's target constraints; everything below only narrows them.
    X509CertSelector selector = (X509CertSelector) targetCertConstraints.clone();
    // The candidate must have been issued by the subject of the previous cert.
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // -2 selects end-entity certificates only.
    selector.setBasicConstraints(-2);
    Collection<X509Certificate> matches = new HashSet<>();
    addMatchingCerts(selector, certStores, matches, true);
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
            + matches.size() + " certs.");
    }
    return matches;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
/**
 * Collects the end-entity certificates in {@code certStores} that can complete the path
 * being built in reverse (issuer-to-subject) order.
 * <p>
 * The selector starts as a clone of the target certificate constraints, so every criterion
 * the caller supplied is kept, and is then narrowed to certificates issued by the subject
 * reached so far, valid at the build date, carrying a matching policy while no explicit
 * policy is required yet, and (basic constraints -2) not being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching end-entity certificates, without duplicates
 * @throws CertStoreException if a store cannot be queried
 * @throws CertificateException if a certificate cannot be processed
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingEECerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    // Start from the caller's target constraints; everything below only narrows them.
    X509CertSelector selector = (X509CertSelector) targetCertConstraints.clone();
    // The candidate must have been issued by the subject of the previous cert.
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // -2 selects end-entity certificates only.
    selector.setBasicConstraints(-2);
    Collection<X509Certificate> matches = new HashSet<>();
    addMatchingCerts(selector, certStores, matches, true);
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
            + matches.size() + " certs.");
    }
    return matches;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
/**
 * Collects the end-entity certificates in {@code certStores} that can complete the path
 * being built in reverse (issuer-to-subject) order.
 * <p>
 * The selector starts as a clone of the target certificate constraints, so every criterion
 * the caller supplied is kept, and is then narrowed to certificates issued by the subject
 * reached so far, valid at the build date, carrying a matching policy while no explicit
 * policy is required yet, and (basic constraints -2) not being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching end-entity certificates, without duplicates
 * @throws CertStoreException if a store cannot be queried
 * @throws CertificateException if a certificate cannot be processed
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingEECerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    // Start from the caller's target constraints; everything below only narrows them.
    X509CertSelector selector = (X509CertSelector) targetCertConstraints.clone();
    // The candidate must have been issued by the subject of the previous cert.
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // -2 selects end-entity certificates only.
    selector.setBasicConstraints(-2);
    Collection<X509Certificate> matches = new HashSet<>();
    addMatchingCerts(selector, certStores, matches, true);
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
            + matches.size() + " certs.");
    }
    return matches;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
/**
 * Collects the end-entity certificates in {@code certStores} that can complete the path
 * being built in reverse (issuer-to-subject) order.
 * <p>
 * The selector starts as a clone of the target certificate constraints, so every criterion
 * the caller supplied is kept, and is then narrowed to certificates issued by the subject
 * reached so far, valid at the build date, carrying a matching policy while no explicit
 * policy is required yet, and (basic constraints -2) not being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching end-entity certificates, without duplicates
 * @throws CertStoreException if a store cannot be queried
 * @throws CertificateException if a certificate cannot be processed
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingEECerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    // Start from the caller's target constraints; everything below only narrows them.
    X509CertSelector selector = (X509CertSelector) targetCertConstraints.clone();
    // The candidate must have been issued by the subject of the previous cert.
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // -2 selects end-entity certificates only.
    selector.setBasicConstraints(-2);
    Collection<X509Certificate> matches = new HashSet<>();
    addMatchingCerts(selector, certStores, matches, true);
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
            + matches.size() + " certs.");
    }
    return matches;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
/**
 * Collects the end-entity certificates in {@code certStores} that can complete the path
 * being built in reverse (issuer-to-subject) order.
 * <p>
 * The selector starts as a clone of the target certificate constraints, so every criterion
 * the caller supplied is kept, and is then narrowed to certificates issued by the subject
 * reached so far, valid at the build date, carrying a matching policy while no explicit
 * policy is required yet, and (basic constraints -2) not being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching end-entity certificates, without duplicates
 * @throws CertStoreException if a store cannot be queried
 * @throws CertificateException if a certificate cannot be processed
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingEECerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    // Start from the caller's target constraints; everything below only narrows them.
    X509CertSelector selector = (X509CertSelector) targetCertConstraints.clone();
    // The candidate must have been issued by the subject of the previous cert.
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // -2 selects end-entity certificates only.
    selector.setBasicConstraints(-2);
    Collection<X509Certificate> matches = new HashSet<>();
    addMatchingCerts(selector, certStores, matches, true);
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingEECerts got "
            + matches.size() + " certs.");
    }
    return matches;
}
/**
 * Collects the CA certificates in {@code certStores} that can extend the path being built
 * in reverse (issuer-to-subject) order, sorted by {@link PKIXCertComparator}.
 * <p>
 * A fresh selector is narrowed to certificates issued by the subject reached so far, valid
 * at the build date, whose name constraints permit the target's subject, carrying a
 * matching policy while no explicit policy is required yet, and (basic constraints 0)
 * being CA certificates.
 *
 * @param currentState builder state after the previous certificate
 * @param certStores stores to search
 * @return the matching CA certificates in comparator order
 * @throws CertificateException if a certificate cannot be processed
 * @throws CertStoreException if a store cannot be queried
 * @throws IOException if a selector criterion cannot be encoded
 */
private Collection<X509Certificate> getMatchingCACerts(ReverseState currentState,
        List<CertStore> certStores)
        throws CertificateException, CertStoreException, IOException {
    X509CertSelector selector = new X509CertSelector();
    // The candidate must have been issued by the subject of the previous cert...
    selector.setIssuer(currentState.subjectDN);
    // ...and be valid at the validation date of the build parameters.
    selector.setCertificateValid(buildParams.date());
    // The candidate's name constraints must permit it to certify the target subject.
    // The subject comes from the constraints, or failing that from the target cert.
    byte[] targetSubject = targetCertConstraints.getSubjectAsBytes();
    if (targetSubject == null) {
        X509Certificate targetCert = targetCertConstraints.getCertificate();
        if (targetCert != null) {
            targetSubject = targetCert.getSubjectX500Principal().getEncoded();
        }
    }
    if (targetSubject != null) {
        // 4 is the GeneralName type for directoryName.
        selector.addPathToName(4, targetSubject);
    }
    // Policy processing optimisation: restrict on the matching policies while an explicit
    // policy is not yet required.
    if (currentState.explicitPolicy == 0) {
        selector.setPolicy(getMatchingPolicies());
    }
    // Matching on the authority key identifier (from the previous cert's subject key
    // identifier) is not applied in this builder.
    // 0 selects CA certificates (any path length).
    selector.setBasicConstraints(0);
    List<X509Certificate> caCerts = new ArrayList<>();
    addMatchingCerts(selector, certStores, caCerts, true);
    // Order candidates using name constraints.
    Collections.sort(caCerts, new PKIXCertComparator());
    if (debug != null) {
        debug.println("ReverseBuilder.getMatchingCACerts got " +
            caCerts.size() + " certs.");
    }
    return caCerts;
}
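/**
 * Builds and validates a PKIX certification path for {@code chain} against the trust
 * anchors in {@code allStore}.
 * <p>
 * Time validity is not checked here (that is done in {@code checkDateValidity}). The
 * default revocation checker is disabled and, unless {@code acceptRevoked} is set, replaced
 * by a {@link PKIXRevocationChecker} configured from {@code checkOCSP}, {@code checkCRL} and
 * {@code allowSoftFail}. Every certificate except the last one (the root CA) must carry a
 * Basic Constraints extension. When validation fails because a certificate is revoked, the
 * chain certificates listed in {@code crlCollection} are moved to the blacklist before a
 * {@link CertificateException} is thrown.
 *
 * @param chain the certificate chain to validate; its last element is the build target,
 *        so the trust store must contain a path to it
 * @throws CertificateException if the chain is null or empty, no trusted CA certificate
 *         is found, a certificate lacks Basic Constraints, or a certificate is revoked
 * @throws NoSuchAlgorithmException if the PKIX algorithm is unavailable
 * @throws KeyStoreException if the trust store cannot be read
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 * @throws CertPathValidatorException if validation fails for a reason other than revocation
 * @throws CertPathBuilderException if no path can be built for a reason other than revocation
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // Without this guard an empty chain fails below with ArrayIndexOutOfBoundsException
    // instead of the CertificateException that callers handle.
    if (chain == null || chain.length == 0) {
        throw new CertificateException("certificate path failed: empty certificate chain");
    }
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as they are already done in
    // checkDateValidity(X509Certificate[] chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // the default revocation checker is replaced by the explicitly configured
    // PKIXRevocationChecker below (or by nothing if revocation mechanisms are disabled)
    parameters.setRevocationEnabled(false);
    // if revoked certificates aren't accepted, but no revocation checks then only
    // certificates from blacklist will be rejected
    if (!acceptRevoked) {
        configurePkixRevocationChecker(certPathBuilder, parameters);
    }
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();
        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
                .validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check if all certificates in path have Basic Constraints, only certificate that isn't required to have
        // this extension is last certificate: root CA
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException | CertPathBuilderException | CertPathValidatorException e) {
        // The builder and validator surface a revoked certificate as a
        // CertPathBuilderException/CertPathValidatorException whose cause chain contains the
        // CertificateRevokedException (or whose reason is REVOKED), so catching
        // CertificateRevokedException alone would miss the revocation path; a directly thrown
        // CertificateRevokedException is still handled. Any other failure propagates unchanged.
        if (!isRevocationFailure(e)) {
            throw e;
        }
        Log.warning("Certificate was revoked", e);
        blacklistCertsRevokedByCrl(chain);
        throw new CertificateException("Certificate was revoked", e);
    }
}

/**
 * Attaches a {@link PKIXRevocationChecker} to {@code parameters} according to the
 * {@code checkOCSP}, {@code checkCRL} and {@code allowSoftFail} settings.
 * <p>
 * Both enabled: OCSP is preferred and CRLs serve as fallback (checker defaults). CRL only:
 * CRLs are preferred and there is no fallback to OCSP. OCSP only: no fallback to CRLs
 * (previously this configuration silently added no checker at all, so no revocation check
 * ran). Neither enabled: no checker is added. With {@code allowSoftFail} a revocation
 * source that cannot be reached is ignored instead of failing validation.
 *
 * @param certPathBuilder builder whose revocation checker is configured
 * @param parameters parameters the checker is added to
 */
private void configurePkixRevocationChecker(CertPathBuilder certPathBuilder,
        PKIXBuilderParameters parameters) {
    if (!checkOCSP && !checkCRL) {
        return;
    }
    // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
    // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
    PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
    EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
    // if soft fail isn't enabled then OCSP or CRL must pass validation, in case
    // when any of them cannot be validated verification will fail, if soft fail
    // is enabled then in case of network issues revocation checking is omitted
    if (allowSoftFail) {
        checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
    }
    if (checkOCSP && checkCRL) {
        // check OCSP, CRL serve as backup: the checker's default behaviour
    } else if (checkCRL) {
        // check only CRL, if CRL fail then there is no fallback to OCSP
        checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    } else {
        // check only OCSP, if OCSP fail then there is no fallback to CRL
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    }
    checker.setOptions(checkerOptions);
    parameters.addCertPathChecker(checker);
}

/**
 * Tells whether a path building/validation failure was caused by a revoked certificate.
 * <p>
 * Walks the cause chain (bounded, in case of a cyclic chain) looking for a
 * {@link CertificateRevokedException} or a {@link CertPathValidatorException} whose reason
 * is {@code BasicReason.REVOKED}.
 *
 * @param failure the exception thrown by the builder or validator
 * @return {@code true} if revocation is the reason for the failure
 */
private static boolean isRevocationFailure(Throwable failure) {
    Throwable current = failure;
    for (int depth = 0; current != null && depth < 16; depth++) {
        if (current instanceof CertificateRevokedException) {
            return true;
        }
        if (current instanceof CertPathValidatorException
                && ((CertPathValidatorException) current).getReason()
                        == CertPathValidatorException.BasicReason.REVOKED) {
            return true;
        }
        current = current.getCause();
    }
    return false;
}

/**
 * Moves every certificate of {@code chain} that is listed as revoked in one of the CRLs of
 * {@code crlCollection} to the blacklist. A failure to blacklist one certificate is logged
 * and does not stop the remaining certificates from being processed.
 *
 * @param chain the chain whose validation failed because of revocation
 */
private void blacklistCertsRevokedByCrl(X509Certificate[] chain) {
    for (X509Certificate cert : chain) {
        for (X509CRL crl : crlCollection) {
            if (crl.isRevoked(cert)) {
                try {
                    addToBlackList(cert);
                } catch (IOException | HeadlessException | InvalidNameException e) {
                    Log.error("Couldn't move to the blacklist", e);
                }
                // one matching CRL is enough for this certificate
                break;
            }
        }
    }
}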