/** * Callback method from _scanKeychain. If a trusted certificate is found, this method will be * called. */ private void createTrustedCertEntry( String alias, long keychainItemRef, long creationDate, byte[] derStream) { TrustedCertEntry tce = new TrustedCertEntry(); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream input = new ByteArrayInputStream(derStream); X509Certificate cert = (X509Certificate) cf.generateCertificate(input); input.close(); tce.cert = cert; tce.certRef = keychainItemRef; // Make a creation date. if (creationDate != 0) tce.date = new Date(creationDate); else tce.date = new Date(); int uniqueVal = 1; String originalAlias = alias; while (entries.containsKey(alias.toLowerCase())) { alias = originalAlias + " " + uniqueVal; uniqueVal++; } entries.put(alias.toLowerCase(), tce); } catch (Exception e) { // The certificate will be skipped. System.err.println("KeychainStore Ignored Exception: " + e); } }
private void initCommon() { if (TRY_VALIDATOR == false) { return; } trustedSubjects = new HashMap<X500Principal, List<PublicKey>>(); for (Iterator t = trustedCerts.iterator(); t.hasNext(); ) { X509Certificate cert = (X509Certificate) t.next(); X500Principal dn = cert.getSubjectX500Principal(); List<PublicKey> keys; if (trustedSubjects.containsKey(dn)) { keys = trustedSubjects.get(dn); } else { keys = new ArrayList<PublicKey>(); trustedSubjects.put(dn, keys); } keys.add(cert.getPublicKey()); } try { factory = CertificateFactory.getInstance("X.509"); } catch (CertificateException e) { throw new RuntimeException("Internal error", e); } plugin = variant.equals(VAR_PLUGIN_CODE_SIGNING); }
private X509Certificate[] doValidate(X509Certificate[] chain, PKIXBuilderParameters params) throws CertificateException { try { setDate(params); // do the validation CertPathValidator validator = CertPathValidator.getInstance("PKIX"); CertPath path = factory.generateCertPath(Arrays.asList(chain)); certPathLength = chain.length; PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params); return toArray(path, result.getTrustAnchor()); } catch (GeneralSecurityException e) { if (e instanceof CertPathValidatorException) { // check cause Throwable cause = e.getCause(); if (cause != null && cause instanceof OCSPResponse.UnreliableException) { throw new ValidatorException(ValidatorException.T_OCSP_RESPONSE_UNRELIABLE); } } throw new ValidatorException("PKIX path validation failed: " + e.toString(), e); } }
/** * Callback method from _scanKeychain. If an identity is found, this method will be called to * create Java certificate and private key objects from the keychain data. */ private void createKeyEntry( String alias, long creationDate, long secKeyRef, long[] secCertificateRefs, byte[][] rawCertData) throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException { KeyEntry ke = new KeyEntry(); // First, store off the private key information. This is the easy part. ke.protectedPrivKey = null; ke.keyRef = secKeyRef; // Make a creation date. if (creationDate != 0) ke.date = new Date(creationDate); else ke.date = new Date(); // Next, create X.509 Certificate objects from the raw data. This is complicated // because a certificate's public key may be too long for Java's default encryption strength. List<CertKeychainItemPair> createdCerts = new ArrayList<>(); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); for (int i = 0; i < rawCertData.length; i++) { try { InputStream input = new ByteArrayInputStream(rawCertData[i]); X509Certificate cert = (X509Certificate) cf.generateCertificate(input); input.close(); // We successfully created the certificate, so track it and its corresponding // SecCertificateRef. createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert)); } catch (CertificateException e) { // The certificate will be skipped. System.err.println("KeychainStore Ignored Exception: " + e); } } } catch (CertificateException e) { e.printStackTrace(); } catch (IOException ioe) { ioe.printStackTrace(); // How would this happen? } // We have our certificates in the List, so now extract them into an array of // Certificates and SecCertificateRefs. CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]); Certificate[] certArray = new Certificate[objArray.length]; long[] certRefArray = new long[objArray.length]; for (int i = 0; i < objArray.length; i++) { CertKeychainItemPair addedItem = objArray[i]; certArray[i] = addedItem.mCert; certRefArray[i] = addedItem.mCertificateRef; } ke.chain = certArray; ke.chainRefs = certRefArray; // If we don't have already have an item with this item's alias // create a new one for it. int uniqueVal = 1; String originalAlias = alias; while (entries.containsKey(alias.toLowerCase())) { alias = originalAlias + " " + uniqueVal; uniqueVal++; } entries.put(alias.toLowerCase(), ke); }
public static void main(String[] args) throws Exception { // Get a CertificateFactory for various tests CF = CertificateFactory.getInstance("X509"); ByteArrayInputStream bais = new ByteArrayInputStream(readFile("int.crt").getBytes()); X509Certificate intCA = (X509Certificate) CF.generateCertificate(bais); System.out.println( "Successfully instantiated CA cert \"" + intCA.getSubjectX500Principal() + "\""); CertId cid0x1500 = new CertId(intCA, new SerialNumber(0x1500)); boolean noFailures = true; OCSPResponse.SingleResponse sr = getSRByFilename("ocsp-good-nonext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); if (sr.getRevocationTime() != null) { throw new RuntimeException("Oops. revocationTime is non-null " + sr.getRevocationTime()); } else if (sr.getRevocationReason() != null) { throw new RuntimeException("Oops. revocationReason is non-null " + sr.getRevocationReason()); } sr = getSRByFilename("ocsp-good-withnext.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-good-witharchcut.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nocerts.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-nonext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-withnext-noinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 0); sr = getSRByFilename("ocsp-rev-nonext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); sr = getSRByFilename("ocsp-rev-withnext-withinv.resp", cid0x1500); noFailures &= checkSingleExts(sr, 1); try { sr = getSRByFilename("ocsp-rev-twonext.resp", cid0x1500); System.out.println("FAIL: Allowed two nextUpdate fields"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-bad-sr-tag.resp", cid0x1500); System.out.println("FAIL: Allowed invalid singleResponse item"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } try { sr = getSRByFilename("ocsp-rev-sr-cont-reverse.resp", cid0x1500); System.out.println("FAIL: Allowed reversed " + "nextUpdate/singleExtensions"); noFailures = false; } catch (IOException ioe) { System.out.println("Caught expected exception: " + ioe); } if (!noFailures) { throw new RuntimeException("One or more tests failed"); } }