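/**
 * Checks a peer certificate chain: first against the app keystore via {@code appTrustManager},
 * then against {@code defaultTrustManager} when one is configured.
 *
 * <p>A chain rejected by {@code appTrustManager} is still accepted when the rejection is an
 * expiry error ({@link #isExpiredException}) or when its leaf is already stored in the keystore
 * ({@link #isCertKnown}). Otherwise {@code defaultTrustManager} decides; if it rejects too and
 * {@code interactive} is set, {@link #interactCert} is consulted, else the exception propagates.
 *
 * @param chain the peer's certificate chain, leaf first; must be non-empty
 * @param authType the authentication type passed by the SSL engine
 * @param isServer true to check as a server chain, false to check as a client chain
 * @param interactive whether to fall back to {@code interactCert} when both managers reject
 * @throws CertificateException if the chain is rejected and not accepted interactively
 * @throws IllegalArgumentException if {@code chain} is null or empty
 */
public void checkCertTrusted(
    X509Certificate[] chain, String authType, boolean isServer, boolean interactive)
    throws CertificateException {
  // X509TrustManager contract: a null or zero-length chain is a caller error. It also keeps
  // chain[0] below from failing with an NPE/AIOOBE instead of a clear rejection.
  if (chain == null || chain.length == 0) {
    throw new IllegalArgumentException("checkCertTrusted: null or empty certificate chain");
  }
  if (LOGGER.isLoggable(Level.FINE)) {
    // Log the chain length and leaf subject; an array reference only prints its identity hash.
    LOGGER.log(
        Level.FINE,
        "checkCertTrusted(" + chain.length + " certs, leaf=" + chain[0].getSubjectX500Principal()
            + ", " + authType + ", " + isServer + ")");
  }
  try {
    LOGGER.log(Level.FINE, "checkCertTrusted: trying appTrustManager");
    if (isServer) {
      appTrustManager.checkServerTrusted(chain, authType);
    } else {
      appTrustManager.checkClientTrusted(chain, authType);
    }
  } catch (CertificateException ae) {
    LOGGER.log(Level.FINER, "checkCertTrusted: appTrustManager failed", ae);
    // A chain stored in the app keystore is accepted even after it expires.
    // NOTE(review): this accepts on any expiry error, whether or not chain[0] is in the
    // keystore; if appTrustManager reports expiry before "unknown issuer", an expired but
    // otherwise unknown chain is accepted here. Confirm isExpiredException's scope and
    // consider also requiring isCertKnown(chain[0]).
    if (isExpiredException(ae)) {
      LOGGER.log(Level.INFO, "checkCertTrusted: accepting expired certificate from keystore");
      return;
    }
    if (isCertKnown(chain[0])) {
      LOGGER.log(Level.INFO, "checkCertTrusted: accepting cert already stored in keystore");
      return;
    }
    try {
      // Without a platform trust manager the app keystore's rejection is the one to decide on.
      if (defaultTrustManager == null) {
        throw ae;
      }
      LOGGER.log(Level.FINE, "checkCertTrusted: trying defaultTrustManager");
      if (isServer) {
        defaultTrustManager.checkServerTrusted(chain, authType);
      } else {
        defaultTrustManager.checkClientTrusted(chain, authType);
      }
    } catch (CertificateException e) {
      // Log through LOGGER rather than printStackTrace so the failure reaches the app's handlers.
      LOGGER.log(Level.FINE, "checkCertTrusted: defaultTrustManager failed", e);
      if (interactive) {
        // interactCert is the final decision: presumably returns on acceptance and throws on
        // refusal — confirm against its implementation.
        interactCert(chain, authType, e);
      } else {
        throw e;
      }
    }
  }
}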
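  /**
   * Checks a server certificate chain: verifies the chain's signature linkage with
   * {@link #verify} and then asks each {@link TrustEngine} from {@link #getTrustEngines()} for
   * a trust anchor. The first engine that finds one ends the check successfully.
   *
   * @param certs the peer's certificate chain
   * @param authType the key exchange algorithm used
   * @throws CertificateException if the chain does not verify, an engine fails with an
   *     {@link IOException}, or no engine knows a trust anchor for the chain
   */
  public void checkServerTrusted(X509Certificate[] certs, String authType)
      throws CertificateException {
    // verify the cert chain
    verify(certs, authType);

    for (final TrustEngine engine : getTrustEngines()) {
      try {
        if (engine.findTrustAnchor(certs) != null) {
          return; // cert chain is trusted
        }
      } catch (final IOException e) {
        final CertificateException ce =
            new ECFCertificateException(
                "Error occurs when finding trust anchor in the cert chain",
                certs,
                authType); //$NON-NLS-1$
        // Previously initCause(ce) was called with the new exception itself, which
        // Throwable.initCause rejects with IllegalArgumentException ("Self-causation not
        // permitted"), so the IOException was lost and a different exception escaped.
        ce.initCause(e);
        throw ce;
      }
    }
    // Every engine was asked and none returned an anchor.
    throw new ECFCertificateException(
        "Valid cert chain, but no trust certificate found!", certs, authType); // $NON-NLS-1$
  }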
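 /**
  * Checks a peer certificate chain against the app keystore ({@code appTrustManager}) and, if
  * that rejects it, against {@code defaultTrustManager}; a chain both reject is handed to
  * {@link #interact} for the user's decision.
  *
  * <p>A chain rejected by the app keystore is still accepted when the rejection is an expiry
  * error ({@link #isExpiredException}) or when its leaf is already stored there
  * ({@link #isCertKnown}).
  *
  * @param chain the peer's certificate chain, leaf first; must be non-empty
  * @param authType the authentication type passed by the SSL engine
  * @param isServer true to check as a server chain, false to check as a client chain
  * @throws CertificateException if the chain is rejected and {@code interact} does not accept it
  * @throws IllegalArgumentException if {@code chain} is null or empty
  */
 public void checkCertTrusted(X509Certificate[] chain, String authType, boolean isServer)
     throws CertificateException {
   // X509TrustManager contract; also keeps chain[0] below from failing with an NPE/AIOOBE.
   if (chain == null || chain.length == 0) {
     throw new IllegalArgumentException("checkCertTrusted: null or empty certificate chain");
   }
   // Log the chain length and leaf subject; an array reference only prints its identity hash.
   Log.d(
       TAG,
       "checkCertTrusted(" + chain.length + " certs, leaf=" + chain[0].getSubjectX500Principal()
           + ", " + authType + ", " + isServer + ")");
   try {
     Log.d(TAG, "checkCertTrusted: trying appTrustManager");
     if (isServer) {
       appTrustManager.checkServerTrusted(chain, authType);
     } else {
       appTrustManager.checkClientTrusted(chain, authType);
     }
   } catch (CertificateException ae) {
     // Log with the tag instead of printStackTrace so the failure is attributable in logcat.
     Log.d(TAG, "checkCertTrusted: appTrustManager failed", ae);
     // A chain stored in the app keystore is accepted even after it expires.
     // NOTE(review): this accepts on any expiry error, whether or not chain[0] is in the
     // keystore; if appTrustManager reports expiry before "unknown issuer", an expired but
     // otherwise unknown chain is accepted here. Confirm isExpiredException's scope and
     // consider also requiring isCertKnown(chain[0]).
     if (isExpiredException(ae)) {
       Log.i(TAG, "checkCertTrusted: accepting expired certificate from keystore");
       return;
     }
     if (isCertKnown(chain[0])) {
       Log.i(TAG, "checkCertTrusted: accepting cert already stored in keystore");
       return;
     }
     try {
       // Without a platform trust manager the app keystore's rejection is the one to decide on
       // (previously this dereferenced a null defaultTrustManager).
       if (defaultTrustManager == null) {
         throw ae;
       }
       Log.d(TAG, "checkCertTrusted: trying defaultTrustManager");
       if (isServer) {
         defaultTrustManager.checkServerTrusted(chain, authType);
       } else {
         defaultTrustManager.checkClientTrusted(chain, authType);
       }
     } catch (CertificateException e) {
       Log.w(TAG, "checkCertTrusted: defaultTrustManager failed", e);
       // interact is the final decision: presumably returns on acceptance and throws on
       // refusal — confirm against its implementation.
       interact(chain, authType, e);
     }
   }
 }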
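 /**
  * Verifies this object's PKCS#7 signature by running {@code scripts/pkcs7_verifyier.py} on the
  * contents file, optionally pinning the signer to {@code caCert}.
  *
  * @param caCert the CA certificate the signature must chain to, or null to run the script
  *     without a {@code -ca} argument
  * @throws SignatureException if {@code caCert} cannot be parsed, the command cannot be run
  *     ({@code BashReader.read} returned null), or the script exits non-zero
  */
 public void verifySignature(Certificate caCert) throws SignatureException {
   String[] args;
   if (caCert != null) {
     try {
       // Parse the CA up front so a malformed CA file is reported as such rather than as a
       // generic script failure.
       Certificate.loadCertificateFromBuffer(caCert.getBlob());
     } catch (CertificateException e) {
       // Keep the original exception as the cause instead of flattening it to its message.
       throw new SignatureException("Invalid certificate (" + e.getMessage() + ")", e);
     }
     args =
         new String[] {
           "python",
           "scripts/pkcs7_verifyier.py",
           "-in",
           getContentsFilename(),
           "-ca",
           caCert.getFilename()
         };
   } else {
     args = new String[] {"python", "scripts/pkcs7_verifyier.py", "-in", getContentsFilename()};
   }
   // NOTE(review): the arguments are passed as separate array elements. If BashReader.read
   // joins them into one shell command line, filenames containing shell metacharacters would
   // need quoting or escaping there — confirm against BashReader.
   BashReader br = BashReader.read(args);
   if (br == null) {
     throw new SignatureException("Invalid command.");
   }
   if (br.getExitValue() != 0) {
     throw new SignatureException("The signature verification has failed.");
   }
 }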
   /**
    * Runs the forward path builder over {@code adjList} and wraps the outcome.
    *
    * <p>Resets the builder state shared with {@code buildForward} ({@code pathCompleted},
    * {@code trustAnchor}, {@code finalPublicKey}, {@code policyTreeResult}) before building.
    * Any failure in {@code buildForward} or in turning the collected certificates into a
    * {@code CertPath} is reported as a {@link SunCertPathBuilderException} that carries the
    * adjacency list.
    *
    * @param searchAllCertStores passed through to {@code buildForward}
    * @param adjList adjacency list filled in by {@code buildForward}; attached to the result or
    *     the exception for debugging
    * @return the completed result with the target certificate first, or {@code null} when
    *     {@code buildForward} returned without completing a path
    * @throws CertPathBuilderException if building or wrapping the path fails
    */
   private PKIXCertPathBuilderResult buildCertPath(
       boolean searchAllCertStores, List<List<Vertex>> adjList) throws CertPathBuilderException {
     // Reset the state shared with buildForward before starting a new build.
     pathCompleted = false;
     trustAnchor = null;
     finalPublicKey = null;
     policyTreeResult = null;
     final LinkedList<X509Certificate> certPathList = new LinkedList<>();

     try {
       buildForward(adjList, certPathList, searchAllCertStores);
     } catch (GeneralSecurityException | IOException e) {
       throw wrapBuildFailure("build", e, adjList);
     }

     if (!pathCompleted) {
       return null;
     }
     if (debug != null) {
       debug.println("SunCertPathBuilder.engineBuild() pathCompleted");
     }

     // buildForward leaves the target certificate last; the returned CertPath must start with
     // the target, so flip the order.
     Collections.reverse(certPathList);

     try {
       return new SunCertPathBuilderResult(
           cf.generateCertPath(certPathList),
           trustAnchor,
           policyTreeResult,
           finalPublicKey,
           new AdjacencyList(adjList));
     } catch (CertificateException e) {
       throw wrapBuildFailure("wrap-up", e, adjList);
     }
   }

   /**
    * Reports {@code e} on the debug stream (when debugging is on) and builds the exception
    * thrown for a failed build in the given {@code phase}.
    */
   private SunCertPathBuilderException wrapBuildFailure(
       String phase, Exception e, List<List<Vertex>> adjList) {
     if (debug != null) {
       debug.println("SunCertPathBuilder.engineBuild() exception in " + phase);
       e.printStackTrace();
     }
     return new SunCertPathBuilderException(
         "unable to find valid certification path to requested target",
         e,
         new AdjacencyList(adjList));
   }
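 /**
  * Delegates to the wrapped trust manager {@code tm} and, when it rejects the chain, lets the
  * user decide through a Swing dialog whether to continue.
  *
  * <p>The chain is accepted only when the user explicitly chooses "Proceed". "Exit" terminates
  * the process, as before; dismissing the dialog without choosing rethrows the rejection.
  *
  * @param chain the peer's certificate chain
  * @param authType the key exchange algorithm used
  * @throws CertificateException if the chain is rejected and the user does not proceed, or if
  *     the delegate fails with an unexpected runtime exception
  */
 public void checkServerTrusted(X509Certificate[] chain, String authType)
     throws CertificateException {
   try {
     tm.checkServerTrusted(chain, authType);
   } catch (CertificateException e) {
     // e may have no cause; e.getCause().getLocalizedMessage() then threw NullPointerException.
     Throwable reason = e.getCause() != null ? e.getCause() : e;
     Object[] answer = {"Proceed", "Exit"};
     int ret =
         JOptionPane.showOptionDialog(
             null,
             reason.getLocalizedMessage() + "\n" + "Continue connecting to this host?",
             "Confirm certificate exception?",
             JOptionPane.YES_NO_OPTION,
             JOptionPane.WARNING_MESSAGE,
             null,
             answer,
             answer[0]);
     if (ret == JOptionPane.NO_OPTION) {
       System.exit(1);
     }
     // showOptionDialog returns CLOSED_OPTION when the dialog is dismissed; previously that fell
     // through and accepted the untrusted chain. Only an explicit "Proceed" (index 0) accepts.
     if (ret != JOptionPane.YES_OPTION) {
       throw e;
     }
   } catch (RuntimeException e) {
     // Only CertificateException is declared, so wrap instead of throwing a bare Exception
     // (which did not compile), and keep e as the cause rather than just its text.
     throw new CertificateException(e.toString(), e);
   }
 }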
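 /**
  * Checks that each certificate in {@code certs} is signed by the next one and that a
  * self-signed final certificate verifies with its own key.
  *
  * <p>This checks signature linkage only. It does not check validity periods, basic
  * constraints, key usage or revocation, and a final certificate that is not self-signed is not
  * verified against anything; whether the chain is trusted is decided separately by the caller.
  *
  * @param certs the chain to check, leaf first
  * @param authType the key exchange algorithm, passed through to the exception
  * @throws IllegalArgumentException if {@code certs} is null or empty (X509TrustManager
  *     contract; previously an empty chain passed silently)
  * @throws CertificateException if any signature in the chain fails to verify
  */
 private void verify(X509Certificate[] certs, String authType) throws CertificateException {
   if (certs == null || certs.length == 0) {
     throw new IllegalArgumentException("null or zero-length certificate chain");
   }
   final int len = certs.length;
   for (int i = 0; i < len; i++) {
     final X509Certificate current = certs[i];
     try {
       if (i == len - 1) {
         // Last certificate: only a self-signed one can be checked here. The X500Principal
         // accessors are the documented replacements for the denigrated getSubjectDN/getIssuerDN.
         if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
           current.verify(current.getPublicKey());
         }
       } else {
         current.verify(certs[i + 1].getPublicKey());
       }
     } catch (final Exception e) {
       final CertificateException ce =
           new ECFCertificateException(
               "Certificate chain is not valid", certs, authType); // $NON-NLS-1$
       ce.initCause(e);
       throw ce;
     }
   }
 }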
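   /**
    * Callback method from _scanKeychain. If an identity is found, this method will be called to
    * create Java certificate and private key objects from the keychain data.
    *
    * <p>The private key is kept only as a keychain reference ({@code secKeyRef}); no key bytes
    * are stored. Certificates in {@code rawCertData} that fail to parse are skipped with a
    * message on stderr, so the stored chain may be shorter than the raw data. The entry is
    * stored under a lower-cased alias, suffixed with a number if that alias is already taken.
    *
    * @param alias keychain label used as the entry's alias
    * @param creationDate creation time in milliseconds since the epoch, or 0 to use now
    * @param secKeyRef keychain reference to the private key
    * @param secCertificateRefs keychain references of the certificates, indexed in step with
    *     {@code rawCertData}
    * @param rawCertData encoded X.509 certificates of the chain
    * @throws IOException declared for callers; closing the in-memory streams is handled here
    * @throws NoSuchAlgorithmException declared for callers; not thrown by this body
    * @throws UnrecoverableKeyException declared for callers; not thrown by this body
    */
   private void createKeyEntry(
       String alias,
       long creationDate,
       long secKeyRef,
       long[] secCertificateRefs,
       byte[][] rawCertData)
       throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
     KeyEntry ke = new KeyEntry();

     // The private key stays in the keychain; only its reference is kept here.
     ke.protectedPrivKey = null;
     ke.keyRef = secKeyRef;

     // A zero creation date means "unknown"; fall back to the current time.
     ke.date = creationDate != 0 ? new Date(creationDate) : new Date();

     // Parse each raw certificate; unparsable ones are skipped rather than failing the entry.
     // NOTE(review): secCertificateRefs is assumed to be at least as long as rawCertData —
     // confirm in _scanKeychain.
     List<CertKeychainItemPair> createdCerts = new ArrayList<>();
     try {
       CertificateFactory cf = CertificateFactory.getInstance("X.509");
       for (int i = 0; i < rawCertData.length; i++) {
         try (InputStream input = new ByteArrayInputStream(rawCertData[i])) {
           X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
           // Track the certificate together with its SecCertificateRef.
           createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
         } catch (CertificateException e) {
           // The certificate will be skipped.
           System.err.println("KeychainStore Ignored Exception: " + e);
         }
       }
     } catch (CertificateException e) {
       // No X.509 factory available: the entry is stored without a chain, as before.
       System.err.println("KeychainStore Ignored Exception: " + e);
     } catch (IOException ioe) {
       // Only closing a ByteArrayInputStream can raise this; keep the entry and report it.
       System.err.println("KeychainStore Ignored Exception: " + ioe);
     }

     // Split the pairs into the parallel arrays the entry stores.
     Certificate[] certArray = new Certificate[createdCerts.size()];
     long[] certRefArray = new long[createdCerts.size()];
     for (int i = 0; i < createdCerts.size(); i++) {
       CertKeychainItemPair item = createdCerts.get(i);
       certArray[i] = item.mCert;
       certRefArray[i] = item.mCertificateRef;
     }
     ke.chain = certArray;
     ke.chainRefs = certRefArray;

     // Aliases are stored lower-cased; if the alias is taken, append " 1", " 2", ... until free.
     // NOTE(review): toLowerCase() uses the default locale; every lookup into `entries` must
     // lower-case the same way or an entry becomes unreachable — keep both sides consistent.
     String originalAlias = alias;
     int uniqueVal = 1;
     while (entries.containsKey(alias.toLowerCase())) {
       alias = originalAlias + " " + uniqueVal;
       uniqueVal++;
     }
     entries.put(alias.toLowerCase(), ke);
   }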