private X509Certificate[] doBuild(X509Certificate[] chain, Collection otherCerts) throws CertificateException { try { PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone(); setDate(params); // setup target constraints X509CertSelector selector = new X509CertSelector(); selector.setCertificate(chain[0]); params.setTargetCertConstraints(selector); // setup CertStores Collection certs = new ArrayList(); certs.addAll(Arrays.asList(chain)); if (otherCerts != null) { certs.addAll(otherCerts); } CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)); params.addCertStore(store); // do the build CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params); return toArray(result.getCertPath(), result.getTrustAnchor()); } catch (GeneralSecurityException e) { throw new ValidatorException("PKIX path building failed: " + e.toString(), e); } }
private void testExceptions() throws Exception { byte[] enc = {(byte) 0, (byte) 2, (byte) 3, (byte) 4, (byte) 5}; MyCertPath mc = new MyCertPath(enc); ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is; byte[] arr; ObjectOutputStream oOut = new ObjectOutputStream(os); oOut.writeObject(mc); oOut.flush(); oOut.close(); try { CertificateFactory cFac = CertificateFactory.getInstance("X.509", "BC"); arr = os.toByteArray(); is = new ByteArrayInputStream(arr); cFac.generateCertPath(is); } catch (CertificateException e) { // ignore okay } CertificateFactory cf = CertificateFactory.getInstance("X.509"); List certCol = new ArrayList(); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certA))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certB))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certC))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certD))); CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC"); X509CertSelector select = new X509CertSelector(); select.setSubject(((X509Certificate) certCol.get(0)).getSubjectX500Principal().getEncoded()); Set trustanchors = new HashSet(); trustanchors.add( new TrustAnchor( (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(rootCertBin)), null)); CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select); params.addCertStore(certStore); try { CertPathBuilderResult result = pathBuilder.build(params); CertPath path = result.getCertPath(); fail("found cert path in circular set"); } catch (CertPathBuilderException e) { // expected } }
/** * Build a path using the given root as the trust anchor, and the passed in end constraints and * certificate store. * * <p>Note: the path is built with revocation checking turned off. */ public static PKIXCertPathBuilderResult buildPath( X509Certificate rootCert, X509CertSelector endConstraints, CertStore certsAndCRLs) throws Exception { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PKIXBuilderParameters buildParams = new PKIXBuilderParameters( Collections.singleton(new TrustAnchor(rootCert, null)), endConstraints); buildParams.addCertStore(certsAndCRLs); buildParams.setRevocationEnabled(false); return (PKIXCertPathBuilderResult) builder.build(buildParams); }
private void validateChain(List<Certificate> chain, Certificate cert) { List<Certificate> certs = new ArrayList<Certificate>(); List<Certificate> root = new ArrayList<Certificate>(); Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(); certs.add(cert); // adding for self signed certs certs.addAll(chain); for (Certificate c : certs) { if (!(c instanceof X509Certificate)) throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate"); X509Certificate xCert = (X509Certificate) c; Principal subject = xCert.getSubjectDN(); Principal issuer = xCert.getIssuerDN(); if (issuer != null && subject.equals(issuer)) { root.add(c); anchors.add(new TrustAnchor(xCert, null)); } } if (root.size() == 0) throw new IllegalArgumentException("No root certificates found for certificate chain", null); X509CertSelector target = new X509CertSelector(); target.setCertificate((X509Certificate) cert); PKIXBuilderParameters params = null; try { params = new PKIXBuilderParameters(anchors, target); params.setRevocationEnabled(false); params.addCertStore( CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs))); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); builder.build(params); } catch (InvalidAlgorithmParameterException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (CertPathBuilderException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (NoSuchProviderException e) { throw new CloudRuntimeException("No provider for certificate validation", e); } }
/** * Searches for a holder public key certificate and verifies its certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws AnnotatedException if * <ul> * <li>no public key certificate can be found although holder information is given by an * entity name or a base certificate ID * <li>support classes cannot be created * <li>no certification path for the public key certificate can be built * </ul> */ protected static CertPath processAttrCert1( X509AttributeCertificate attrCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { CertPathBuilderResult result = null; // find holder PKCs Set holderPKCs = new HashSet(); if (attrCert.getHolder().getIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.setSerialNumber(attrCert.getHolder().getSerialNumber()); Principal[] principals = attrCert.getHolder().getIssuer(); for (int i = 0; i < principals.length; i++) { try { if (principals[i] instanceof X500Principal) { selector.setIssuer(((X500Principal) principals[i]).getEncoded()); } holderPKCs.addAll( CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } catch (IOException e) { throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e); } } if (holderPKCs.isEmpty()) { throw new CertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.getHolder().getEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); Principal[] principals = attrCert.getHolder().getEntityNames(); for (int i = 0; i < principals.length; i++) { try { if (principals[i] instanceof X500Principal) { selector.setIssuer(((X500Principal) principals[i]).getEncoded()); } holderPKCs.addAll( CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } catch (IOException e) { throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e); } } if (holderPKCs.isEmpty()) { throw new CertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(pkixParams); CertPathValidatorException lastException = null; for (Iterator it = holderPKCs.iterator(); it.hasNext(); ) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.setCertificate((X509Certificate) it.next()); params.setTargetConstraints(selector); CertPathBuilder builder = null; try { builder = CertPathBuilder.getInstance("PKIX", "BC"); } catch (NoSuchProviderException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } catch (NoSuchAlgorithmException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } try { result = builder.build(ExtendedPKIXBuilderParameters.getInstance(params)); } catch (CertPathBuilderException e) { lastException = new ExtCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } catch (InvalidAlgorithmParameterException e) { // must be a programming error throw new RuntimeException(e.getMessage()); } } if (lastException != null) { throw lastException; } return result.getCertPath(); }
// controlla che il certificato del firmatario sia affidabile controllando la sua catena di // certificati // valida il certificato X509 del firmatario usando il built-in PKIX support messo a disposizione // da java // caricando il keystore contenente i certificati degli enti certificatori autorizzati dallo stato // italiano private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer) throws FirmapiuException { // genera la lista di certificati da controllare per generare la catena dei certificati del // firmatario // TODO quali certificati carica esattamente? Collection<?> certCollection = certStore.getMatches(signer.getSID()); Iterator<?> certIt = certCollection.iterator(); X509CertificateHolder cert = (X509CertificateHolder) certIt.next(); List<X509Certificate> chain = new LinkedList<X509Certificate>(); JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider(this.bcProvName); try { X509Certificate x509cert = certConverter.getCertificate(cert); chain.add(x509cert); while (certIt.hasNext()) { x509cert = certConverter.getCertificate((X509CertificateHolder) certIt.next()); chain.add(x509cert); } } catch (CertificateException e) { new FirmapiuException(CERT_DEFAULT_ERROR, e); } // carica i certificati presenti nel token crittografico passato come parametro KeyStore anchors = this.token.loadKeyStore(null); X509CertSelector target = new X509CertSelector(); target.setCertificate(chain.get(0)); PKIXBuilderParameters params; CertPathBuilder builder; try { params = new PKIXBuilderParameters(anchors, target); // disabilita il controllo delle CRL params.setRevocationEnabled(false); // se il certificato รจ scaduto cerca di generare lo stesso la catena dei certificati try { X509Certificate x509cert = certConverter.getCertificate(cert); // long before=x509cert.getNotBefore().getTime(); long after = x509cert.getNotAfter().getTime(); after -= 10; params.setDate(new Date(after)); } catch (CertificateException e) { throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e); } CertStoreParameters intermediates = new CollectionCertStoreParameters(chain); params.addCertStore(CertStore.getInstance("Collection", intermediates)); params.setSigProvider(this.bcProvName); builder = CertPathBuilder.getInstance("PKIX", this.bcProvName); } catch (KeyStoreException | InvalidAlgorithmParameterException e) { throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e); } catch (NoSuchAlgorithmException | NoSuchProviderException e) { throw new FirmapiuException(DEFAULT_ERROR, e); } /* * If build() returns successfully, the certificate is valid. More details * about the valid path can be obtained through the PKIXBuilderResult. * If no valid path can be found, a CertPathBuilderException is thrown. */ try { return (PKIXCertPathBuilderResult) builder.build(params); } catch (CertPathBuilderException e) { throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e); } catch (InvalidAlgorithmParameterException e) { throw new FirmapiuException(DEFAULT_ERROR, e); } } // fine metodo