Beispiel #1
0
  private X509Certificate[] doBuild(X509Certificate[] chain, Collection otherCerts)
      throws CertificateException {
    try {
      PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
      setDate(params);

      // setup target constraints
      X509CertSelector selector = new X509CertSelector();
      selector.setCertificate(chain[0]);
      params.setTargetCertConstraints(selector);

      // setup CertStores
      Collection certs = new ArrayList();
      certs.addAll(Arrays.asList(chain));
      if (otherCerts != null) {
        certs.addAll(otherCerts);
      }
      CertStore store =
          CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
      params.addCertStore(store);

      // do the build
      CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
      PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

      return toArray(result.getCertPath(), result.getTrustAnchor());
    } catch (GeneralSecurityException e) {
      throw new ValidatorException("PKIX path building failed: " + e.toString(), e);
    }
  }
Beispiel #2
0
 MyX509TrustManager() throws java.security.GeneralSecurityException {
   TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
   KeyStore ks = KeyStore.getInstance("JKS");
   CertificateFactory cf = CertificateFactory.getInstance("X.509");
   try {
     ks.load(null, null);
     File cacert = new File(cafile);
     if (!cacert.exists() || !cacert.canRead()) return;
     InputStream caStream = new FileInputStream(cafile);
     X509Certificate ca = (X509Certificate) cf.generateCertificate(caStream);
     ks.setCertificateEntry("CA", ca);
     PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
     File crlcert = new File(crlfile);
     if (!crlcert.exists() || !crlcert.canRead()) {
       params.setRevocationEnabled(false);
     } else {
       InputStream crlStream = new FileInputStream(crlfile);
       Collection<? extends CRL> crls = cf.generateCRLs(crlStream);
       CertStoreParameters csp = new CollectionCertStoreParameters(crls);
       CertStore store = CertStore.getInstance("Collection", csp);
       params.addCertStore(store);
       params.setRevocationEnabled(true);
     }
     tmf.init(new CertPathTrustManagerParameters(params));
   } catch (java.io.FileNotFoundException e) {
     vlog.error(e.toString());
   } catch (java.io.IOException e) {
     vlog.error(e.toString());
   }
   tm = (X509TrustManager) tmf.getTrustManagers()[0];
 }
Beispiel #3
0
 PKIXValidator(String variant, PKIXBuilderParameters params) {
   super(TYPE_PKIX, variant);
   trustedCerts = new HashSet();
   for (Iterator t = params.getTrustAnchors().iterator(); t.hasNext(); ) {
     TrustAnchor anchor = (TrustAnchor) t.next();
     X509Certificate cert = anchor.getTrustedCert();
     if (cert != null) {
       trustedCerts.add(cert);
     }
   }
   parameterTemplate = params;
   initCommon();
 }
Beispiel #4
0
 private X509Certificate[] doValidate(X509Certificate[] chain) throws CertificateException {
   PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
   return doValidate(chain, params);
 }
Beispiel #5
0
 /** Set the check date (for debugging). */
 private void setDate(PKIXBuilderParameters params) {
   Date date = validationDate;
   if (date != null) {
     params.setDate(date);
   }
 }
Beispiel #6
0
  X509Certificate[] engineValidate(X509Certificate[] chain, Collection otherCerts, Object parameter)
      throws CertificateException {
    if ((chain == null) || (chain.length == 0)) {
      throw new CertificateException("null or zero-length certificate chain");
    }
    if (TRY_VALIDATOR) {
      // check that chain is in correct order and check if chain contains
      // trust anchor
      X500Principal prevIssuer = null;
      for (int i = 0; i < chain.length; i++) {
        X509Certificate cert = chain[i];
        X500Principal dn = cert.getSubjectX500Principal();
        if (i != 0 && !dn.equals(prevIssuer)) {
          // chain is not ordered correctly, call builder instead
          return doBuild(chain, otherCerts);
        }

        // Check if chain[i] is already trusted. It may be inside
        // trustedCerts, or has the same dn and public key as a cert
        // inside trustedCerts. The latter happens when a CA has
        // updated its cert with a stronger signature algorithm in JRE
        // but the weak one is still in circulation.

        if (trustedCerts.contains(cert)
            || // trusted cert
            (trustedSubjects.containsKey(dn)
                && // replacing ...
                trustedSubjects
                    .get(dn)
                    .contains( // ... weak cert
                        cert.getPublicKey()))) {
          if (i == 0) {
            return new X509Certificate[] {chain[0]};
          }
          // Remove and call validator on partial chain [0 .. i-1]
          X509Certificate[] newChain = new X509Certificate[i];
          System.arraycopy(chain, 0, newChain, 0, i);
          return doValidate(newChain);
        }
        prevIssuer = cert.getIssuerX500Principal();
      }

      // apparently issued by trust anchor?
      X509Certificate last = chain[chain.length - 1];
      X500Principal issuer = last.getIssuerX500Principal();
      X500Principal subject = last.getSubjectX500Principal();
      if (trustedSubjects.containsKey(issuer)
          && isSignatureValid(trustedSubjects.get(issuer), last)) {
        return doValidate(chain);
      }

      // don't fallback to builder if called from plugin/webstart
      if (plugin) {
        // Validate chain even if no trust anchor is found. This
        // allows plugin/webstart to make sure the chain is
        // otherwise valid
        if (chain.length > 1) {
          X509Certificate[] newChain = new X509Certificate[chain.length - 1];
          System.arraycopy(chain, 0, newChain, 0, newChain.length);
          // temporarily set last cert as sole trust anchor
          PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone();
          try {
            params.setTrustAnchors(
                Collections.singleton(new TrustAnchor(chain[chain.length - 1], null)));
          } catch (InvalidAlgorithmParameterException iape) {
            // should never occur, but ...
            throw new CertificateException(iape);
          }
          doValidate(newChain, params);
        }
        // if the rest of the chain is valid, throw exception
        // indicating no trust anchor was found
        throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
      }
      // otherwise, fall back to builder
    }

    return doBuild(chain, otherCerts);
  }
Beispiel #7
0
 /**
  * Set J2SE global default PKIX parameters. Currently, hardcoded to disable revocation checking.
  * In the future, this should be configurable.
  */
 private void setDefaultParameters(String variant) {
   parameterTemplate.setRevocationEnabled(false);
 }