List of usage examples for java.security.cert CertPathValidatorException CertPathValidatorException
public CertPathValidatorException(Throwable cause)
From source file:Main.java
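/**
 * Rejects a subject e-mail address that lies inside one of the excluded
 * rfc822Name subtrees (RFC 5280, section 4.2.1.10).
 *
 * Each constraint is matched the way the RFC defines it: a constraint that
 * contains '@' names a single mailbox and must equal the whole address; a
 * constraint starting with '.' names a domain and must be a suffix of the host
 * part on a label boundary (".example.com" covers "a.example.com" but not
 * "example.com"); any other constraint names one host and must equal the host
 * part. All comparisons are case-insensitive. A bare {@code endsWith} test is
 * deliberately not used: with it, "example.com" would also match
 * "user@evilexample.com".
 *
 * @param excluded the excluded subtrees, as {@link String} elements; may be empty
 * @param email    the subject e-mail address under test (an address without '@'
 *                 is compared as a bare host name)
 * @throws CertPathValidatorException if {@code email} falls inside an excluded subtree
 */
protected static void checkExcludedEmail(Set<?> excluded, String email) throws CertPathValidatorException {
    if (excluded.isEmpty()) {
        return;
    }
    String host = email.substring(email.indexOf('@') + 1);
    for (Object element : excluded) {
        String constraint = (String) element;
        boolean matches;
        if (constraint.indexOf('@') != -1) {
            // A complete mailbox: the whole address must match.
            matches = email.equalsIgnoreCase(constraint);
        } else if (constraint.startsWith(".")) {
            // A domain: the host must end with the constraint, with at least one
            // label in front of the leading dot.
            int start = host.length() - constraint.length();
            matches = start > 0 && host.regionMatches(true, start, constraint, 0, constraint.length());
        } else {
            // A single host: exact (case-insensitive) match only.
            matches = host.equalsIgnoreCase(constraint);
        }
        if (matches) {
            throw new CertPathValidatorException("Subject email address is from an excluded subtree");
        }
    }
}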
From source file:Main.java
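/**
 * Requires a subject e-mail address to lie inside at least one of the permitted
 * rfc822Name subtrees (RFC 5280, section 4.2.1.10).
 *
 * Each constraint is matched the way the RFC defines it: a constraint that
 * contains '@' names a single mailbox and must equal the whole address; a
 * constraint starting with '.' names a domain and must be a suffix of the host
 * part on a label boundary (".example.com" covers "a.example.com" but not
 * "example.com"); any other constraint names one host and must equal the host
 * part. All comparisons are case-insensitive. A bare {@code endsWith} test is
 * deliberately not used: with it, a permitted subtree "example.com" would also
 * admit "user@evilexample.com", which defeats the constraint.
 *
 * @param permitted the permitted subtrees, as {@link String} elements; an empty
 *                  set permits every address
 * @param email     the subject e-mail address under test (an address without '@'
 *                  is compared as a bare host name)
 * @throws CertPathValidatorException if {@code email} matches none of the permitted subtrees
 */
protected static void checkPermittedEmail(Set<?> permitted, String email) throws CertPathValidatorException {
    if (permitted.isEmpty()) {
        return;
    }
    String host = email.substring(email.indexOf('@') + 1);
    for (Object element : permitted) {
        String constraint = (String) element;
        boolean matches;
        if (constraint.indexOf('@') != -1) {
            // A complete mailbox: the whole address must match.
            matches = email.equalsIgnoreCase(constraint);
        } else if (constraint.startsWith(".")) {
            // A domain: the host must end with the constraint, with at least one
            // label in front of the leading dot.
            int start = host.length() - constraint.length();
            matches = start > 0 && host.regionMatches(true, start, constraint, 0, constraint.length());
        } else {
            // A single host: exact (case-insensitive) match only.
            matches = host.equalsIgnoreCase(constraint);
        }
        if (matches) {
            return;
        }
    }
    throw new CertPathValidatorException("Subject email address is not from a permitted subtree");
}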
From source file:be.fedict.trust.TrustValidator.java
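/**
 * Validates the given certificate path and then each encoded X.509 v2 attribute
 * certificate against it.
 *
 * The path is validated first with {@link #isTrusted(List, Date)}. Every
 * attribute certificate is then decoded, its validity period is checked at
 * {@code validationDate} (the same instant the path was validated at, rather than
 * "now"), and its signature is verified with the public key of the second
 * certificate in the path (index 1), which must therefore be present. Any
 * failure is recorded in {@code this.result} and raised as a
 * {@link CertPathValidatorException} carrying the underlying exception as cause,
 * so a caller relying on the declared exception (as with the other
 * {@code isTrusted} overloads) cannot mistake a failed attribute certificate for
 * a trusted one.
 *
 * NOTE(review): the signer is assumed to be the certificate at path index 1; the
 * attribute certificate's holder is not compared with the end-entity certificate
 * at index 0 here — confirm whether callers expect that binding to be checked.
 *
 * @param encodedAttributeCertificates the encoded X509V2 attribute certificates.
 * @param certificatePath              the certificate path, end-entity first, root last.
 * @param validationDate               the instant at which validity is evaluated.
 * @throws CertPathValidatorException if the path is not trusted, fewer than two
 *                                    certificates are supplied while attribute
 *                                    certificates are present, or an attribute
 *                                    certificate is malformed, outside its validity
 *                                    period, or carries an invalid signature.
 */
public void isTrusted(List<byte[]> encodedAttributeCertificates, List<X509Certificate> certificatePath,
        Date validationDate) throws CertPathValidatorException {
    // Validate the supplied certificate path; this throws on any failure.
    isTrusted(certificatePath, validationDate);

    if (encodedAttributeCertificates.isEmpty()) {
        return;
    }
    // The attribute-certificate signer is taken from index 1, so the path must
    // hold at least two certificates. Checked once, before any decoding.
    if (certificatePath.size() < 2) {
        this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST,
                "Certificate path should at least contain 2 certificates");
        throw new CertPathValidatorException(this.result.getMessage());
    }
    X509Certificate issuerCertificate = certificatePath.get(1);

    try {
        for (byte[] encodedAttributeCertificate : encodedAttributeCertificates) {
            X509V2AttributeCertificate attributeCertificate = new X509V2AttributeCertificate(
                    encodedAttributeCertificate);
            // Evaluate the validity period at the requested validation date,
            // consistent with the path validation above.
            attributeCertificate.checkValidity(validationDate);
            // Verify the signature on the attribute certificate with the issuer key.
            attributeCertificate.verify(issuerCertificate.getPublicKey(), "BC");
        }
    } catch (CertificateExpiredException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL,
                "CertificateExpiredException", e);
    } catch (java.security.cert.CertificateNotYetValidException e) {
        // A not-yet-valid certificate is a validity-interval problem, not a signature one.
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL,
                "CertificateNotYetValidException", e);
    } catch (CertificateException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "CertificateException", e);
    } catch (InvalidKeyException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "InvalidKeyException", e);
    } catch (NoSuchAlgorithmException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "NoSuchAlgorithmException", e);
    } catch (NoSuchProviderException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "NoSuchProviderException", e);
    } catch (SignatureException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "SignatureException", e);
    } catch (IOException e) {
        throw attributeCertificateFailure(TrustLinkerResultReason.INVALID_SIGNATURE,
                "IOException", e);
    }
}

/**
 * Records a failed attribute-certificate check in {@code this.result} and builds
 * the exception to throw, keeping {@code cause} attached. The message keeps the
 * established "&lt;exception name&gt;: &lt;cause message&gt;" format.
 *
 * @param reason        the failure category to record.
 * @param exceptionName the simple name of the caught exception, used in the message.
 * @param cause         the exception that triggered the failure.
 * @return the exception the caller should throw.
 */
private CertPathValidatorException attributeCertificateFailure(TrustLinkerResultReason reason,
        String exceptionName, Exception cause) {
    this.result = new TrustLinkerResult(false, reason, exceptionName + ": " + cause.getMessage());
    return new CertPathValidatorException(this.result.getMessage(), cause);
}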
From source file:be.fedict.trust.TrustValidator.java
/**
 * Checks that the given certificate path was trustworthy at {@code validationDate}.
 *
 * The path is expected end-entity first and self-signed root last. The root is
 * examined first (self-signed, acceptable signature algorithm, valid at the date
 * and registered as a trust point); each link from parent to child is then
 * handed to the configured trust linkers, moving toward the end-entity
 * certificate. Finally every registered {@code CertificateConstraint} is applied
 * to the certificate reached last, i.e. the first element of the list. The
 * outcome is stored in {@code this.result}; any failure also raises an exception.
 *
 * @param certificatePath the X509 certificate path to be validated.
 * @param validationDate  the date at which the certificate path validation should
 *                        be verified.
 * @throws CertPathValidatorException in case of an invalid certificate path.
 * @see #isTrusted(List)
 */
public void isTrusted(List<X509Certificate> certificatePath, Date validationDate)
        throws CertPathValidatorException {
    if (certificatePath.isEmpty()) {
        this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST,
                "certificate path is empty");
        throw new CertPathValidatorException(this.result.getMessage());
    }

    int rootIdx = certificatePath.size() - 1;
    X509Certificate parent = certificatePath.get(rootIdx);
    LOG.debug("verifying root certificate: " + parent.getSubjectX500Principal());

    this.result = getSelfSignedResult(parent);
    if (!this.result.isValid()) {
        LOG.debug("result: " + this.result.getMessage());
        throw new CertPathValidatorException(this.result.getMessage());
    }

    // The root's own signature algorithm has to be acceptable as well.
    this.result = checkSignatureAlgorithm(parent.getSigAlgName());
    if (!this.result.isValid()) {
        LOG.debug("result: " + this.result.getMessage());
        throw new CertPathValidatorException(this.result.getMessage());
    }

    checkSelfSignedTrust(parent, validationDate);

    // Walk from the certificate just below the root down to the end-entity.
    for (int idx = rootIdx - 1; idx >= 0; idx--) {
        X509Certificate child = certificatePath.get(idx);
        LOG.debug("verifying certificate: " + child.getSubjectX500Principal());
        checkTrustLink(child, parent, validationDate);
        parent = child;
    }

    // Constraints apply to the certificate reached last: the end-entity, or the
    // root itself when the path holds a single certificate.
    for (CertificateConstraint constraint : this.certificateConstraints) {
        String constraintName = constraint.getClass().getSimpleName();
        LOG.debug("certificate constraint check: " + constraintName);
        if (!constraint.check(parent)) {
            this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST,
                    "certificate constraint failure: " + constraintName);
            throw new CertPathValidatorException(this.result.getMessage());
        }
    }
    this.result = new TrustLinkerResult(true);
}
From source file:be.fedict.trust.TrustValidator.java
/**
 * Verifies the link between a child certificate and the certificate expected to
 * have issued it, at {@code validationDate}.
 *
 * A {@code null} child is accepted silently. The child's signature algorithm is
 * checked first. Then every configured {@code TrustLinker} is consulted in turn:
 * a linker returning {@code null} abstains, the first linker reporting an
 * invalid result vetoes the link immediately, and at least one linker must
 * report a valid result or the link is rejected. Each linker's result is stored
 * in {@code this.result} as it is produced.
 *
 * @param childCertificate the certificate being verified; may be {@code null}.
 * @param certificate      the certificate expected to have issued it.
 * @param validationDate   the date at which the link is evaluated.
 * @throws CertPathValidatorException if the signature algorithm is rejected, a
 *                                    linker reports the link invalid, or no
 *                                    linker vouches for it.
 */
private void checkTrustLink(X509Certificate childCertificate, X509Certificate certificate,
        Date validationDate) throws CertPathValidatorException {
    if (childCertificate == null) {
        return;
    }

    this.result = checkSignatureAlgorithm(childCertificate.getSigAlgName());
    if (!this.result.isValid()) {
        throw new CertPathValidatorException(this.result.getMessage());
    }

    boolean vouchedFor = false;
    for (TrustLinker linker : this.trustLinkers) {
        LOG.debug("trying trust linker: " + linker.getClass().getSimpleName());
        this.result = linker.hasTrustLink(childCertificate, certificate, validationDate,
                this.revocationData);
        if (this.result == null) {
            // This linker has no opinion about the pair.
            continue;
        }
        if (!this.result.isValid()) {
            // A single negative verdict is final.
            throw new CertPathValidatorException(this.result.getMessage());
        }
        vouchedFor = true;
    }

    if (!vouchedFor) {
        this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST,
                "no trust between " + childCertificate.getSubjectX500Principal() + " and "
                        + certificate.getSubjectX500Principal());
        throw new CertPathValidatorException(this.result.getMessage());
    }
}
From source file:be.fedict.trust.TrustValidator.java
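/**
 * Checks that the self-signed root of the path may be trusted at {@code validationDate}.
 *
 * Two conditions are enforced, in order: the certificate must be within its
 * validity period at the given date, and it must be registered as a trust point
 * in the certificate repository. Either failure is recorded in {@code this.result}
 * and raised as a {@link CertPathValidatorException}; the validity failure keeps
 * the original {@code CertificateException} attached as its cause.
 *
 * @param certificate    the self-signed certificate at the end of the path.
 * @param validationDate the date at which validity is evaluated.
 * @throws CertPathValidatorException if the certificate is expired or not yet
 *                                    valid at that date, or is not a configured
 *                                    trust point.
 */
private void checkSelfSignedTrust(X509Certificate certificate, Date validationDate)
        throws CertPathValidatorException {
    try {
        certificate.checkValidity(validationDate);
    } catch (CertificateException e) {
        // checkValidity(Date) declares only CertificateExpiredException and
        // CertificateNotYetValidException; catching their common supertype instead
        // of Exception keeps programming errors (e.g. a null date) visible.
        this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL,
                "certificate validity error: " + e.getMessage());
        throw new CertPathValidatorException(this.result.getMessage(), e);
    }
    if (this.certificateRepository.isTrustPoint(certificate)) {
        return;
    }
    this.result = new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_TRUST,
            "self-signed certificate not in repository: " + certificate.getSubjectX500Principal());
    throw new CertPathValidatorException(this.result.getMessage());
}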
From source file:org.apache.synapse.transport.certificatevalidation.pathvalidation.PathChecker.java
/**
 * Initializes the checker for a validation pass.
 *
 * Only reverse order (most-trusted CA first, target last) is supported; a
 * request for forward order is refused.
 *
 * @param forward {@code true} to request forward checking, which is unsupported.
 * @throws CertPathValidatorException when {@code forward} is {@code true}.
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (!forward) {
        return;
    }
    throw new CertPathValidatorException("Forward checking is not supported");
}
From source file:org.apache.synapse.transport.certificatevalidation.pathvalidation.PathChecker.java
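/**
 * Checks the revocation status of one certificate of the chain.
 *
 * Invoked by {@code CertPathValidator} once per certificate. The status is
 * obtained from the configured {@code verifier} together with the issuer
 * returned by {@code nextIssuer()}; anything other than
 * {@code RevocationStatus.GOOD}, or a failure to determine the status at all,
 * fails the path (fail-closed). The status is logged at DEBUG level only, the
 * same as the sibling checker in
 * {@code org.apache.synapse.transport.utils.sslcert.pathvalidation}, so a
 * routine handshake does not emit an INFO line per certificate.
 *
 * NOTE(review): {@code nextIssuer()} is assumed to yield the issuer of
 * {@code cert} for the current chain position — confirm against its implementation.
 *
 * @param cert               the certificate passed to be checked; expected to be an
 *                           {@link X509Certificate}.
 * @param unresolvedCritExts not used in this method.
 * @throws CertPathValidatorException if the status is not GOOD, or could not be
 *                                    determined (the
 *                                    {@code CertificateVerificationException} is
 *                                    attached as the cause).
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    try {
        RevocationStatus status = verifier.checkRevocationStatus((X509Certificate) cert, nextIssuer());
        if (log.isDebugEnabled()) {
            log.debug("Certificate status is: " + status.getMessage());
        }
        if (status != RevocationStatus.GOOD) {
            throw new CertPathValidatorException("Revocation Status is Not Good");
        }
    } catch (CertificateVerificationException e) {
        throw new CertPathValidatorException(e);
    }
}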
From source file:org.apache.synapse.transport.utils.sslcert.pathvalidation.PathChecker.java
/**
 * Checks the revocation status of one certificate of the chain.
 *
 * Called by {@code CertPathValidator} for each certificate in turn. The status is
 * obtained from the configured {@code verifier} with the issuer returned by
 * {@code nextIssuer()}. Any status other than {@code RevocationStatus.GOOD}
 * rejects the path, as does a failure to determine the status at all, so the
 * checker fails closed.
 *
 * @param cert               the certificate passed to be checked; expected to be an
 *                           {@link X509Certificate}.
 * @param unresolvedCritExts not used in this method.
 * @throws CertPathValidatorException if the status is not GOOD, or could not be
 *                                    determined (cause attached).
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    RevocationStatus revocationStatus;
    try {
        revocationStatus = verifier.checkRevocationStatus((X509Certificate) cert, nextIssuer());
    } catch (CertificateVerificationException e) {
        throw new CertPathValidatorException(e);
    }
    if (log.isDebugEnabled()) {
        log.debug("Certificate status is: " + revocationStatus.getMessage());
    }
    if (revocationStatus == RevocationStatus.GOOD) {
        return;
    }
    throw new CertPathValidatorException("Revocation Status is Not Good");
}
From source file:org.cesecore.util.CertTools.java
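/**
 * Builds an ordered certificate chain from a collection of certificates and
 * validates it. The collection should contain exactly one root (self-signed)
 * certificate.
 *
 * The input is first ordered by {@code orderCertificateChain}; the self-signed
 * certificate is taken as the root and every other certificate as chain member.
 * Validation then depends on what is present:
 * <ul>
 * <li>Only a root: it is returned on its own, without further checks.</li>
 * <li>CVC certificates: a chain of exactly one CVC certificate plus the root is
 *     returned as-is, because CV certificates cannot be handled by a PKIX
 *     {@code CertPathValidator}; no signature check is performed here. Longer
 *     CVC chains are rejected.</li>
 * <li>X.509 certificates: a PKIX path validation is run with the root as the sole
 *     trust anchor at the current time. Revocation checking is disabled because
 *     no CRLs or OCSP responses are supplied — callers that need revocation
 *     status must check it separately.</li>
 * </ul>
 * A collection without any self-signed certificate is rejected with a
 * {@link CertPathValidatorException} instead of failing later with a
 * {@code NullPointerException} (or returning a {@code null} element). If more
 * than one self-signed certificate is present, the last one in ordered sequence
 * is used, as before.
 *
 * NOTE(review): whether a CVC chain's signatures are verified elsewhere is not
 * visible here — confirm before relying on this method alone for CVC trust.
 *
 * @param certlistin the certificates, in any order, including exactly one root.
 * @return the certificate path with the root CA at the end.
 * @throws CertPathValidatorException if no root certificate is present, a CVC chain is
 *                                    longer than two certificates, or the X.509 chain
 *                                    does not validate.
 * @throws InvalidAlgorithmParameterException
 * @throws NoSuchProviderException
 * @throws NoSuchAlgorithmException
 * @throws CertificateException
 */
public static List<Certificate> createCertChain(Collection<?> certlistin) throws CertPathValidatorException,
        InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException,
        CertificateException {
    final List<Certificate> returnval = new ArrayList<Certificate>();
    Collection<Certificate> certlist = orderCertificateChain(certlistin);

    // Split the ordered list into the root and the remaining chain members.
    Certificate rootcert = null;
    ArrayList<Certificate> calist = new ArrayList<Certificate>();
    for (Certificate next : certlist) {
        if (CertTools.isSelfSigned(next)) {
            rootcert = next;
        } else {
            calist.add(next);
        }
    }
    if (rootcert == null) {
        throw new CertPathValidatorException(
                "No self-signed root certificate found in the supplied certificate list.");
    }

    if (calist.isEmpty()) {
        // Only one root cert, no certchain.
        returnval.add(rootcert);
        return returnval;
    }

    // CV certificates can not be handled by a PKIX CertPathValidator.
    Certificate test = calist.get(0);
    if (test.getType().equals("CVC")) {
        if (calist.size() != 1) {
            throw new CertPathValidatorException("CVC certificate chain can not be of length longer than two.");
        }
        returnval.add(test);
        returnval.add(rootcert);
        return returnval;
    }

    // Normal X509 certificates: the root is the only trust anchor.
    HashSet<TrustAnchor> trustancors = new HashSet<TrustAnchor>();
    trustancors.add(new TrustAnchor((X509Certificate) rootcert, null));
    PKIXParameters params = new PKIXParameters(trustancors);
    // Disable CRL checking since we are not supplying any CRLs.
    params.setRevocationEnabled(false);
    params.setDate(new Date());

    CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType(), "BC");
    CertificateFactory fact = CertTools.getCertificateFactory();
    CertPath certpath = fact.generateCertPath(calist);
    PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certpath,
            params);

    // Return the validated path followed by the trust anchor actually used.
    returnval.addAll(certpath.getCertificates());
    returnval.add(pkixResult.getTrustAnchor().getTrustedCert());
    return returnval;
}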