Example usage for java.security.cert CertPathValidatorException CertPathValidatorException

List of usage examples for java.security.cert CertPathValidatorException CertPathValidatorException

Introduction

In this page you can find the example usage for java.security.cert CertPathValidatorException CertPathValidatorException.

Prototype

public CertPathValidatorException(Throwable cause) 

Source Link

Document

Creates a CertPathValidatorException that wraps the specified throwable.

Usage

From source file:org.cesecore.util.CertTools.java

/**
 * Method ordering a list of certificate into a certificate path with the root CA at the end. Does not check validity or verification of any kind,
 * just ordering by issuerdn./*from w w  w.  ja va2 s  .  c  om*/
 * 
 * @param certlist list of certificates to order can be collection of Certificate or byte[] (der encoded certs).
 * @return Collection with certificatechain.
 */
private static Collection<Certificate> orderCertificateChain(Collection<?> certlist)
        throws CertPathValidatorException {
    ArrayList<Certificate> returnval = new ArrayList<Certificate>();
    Certificate rootca = null;
    HashMap<String, Certificate> cacertmap = new HashMap<String, Certificate>();
    Iterator<?> iter = certlist.iterator();
    while (iter.hasNext()) {
        Certificate cert = null;
        Object o = iter.next();
        try {
            cert = (Certificate) o;
        } catch (ClassCastException e) {
            // This was not a certificate, is it byte encoded?
            byte[] certBytes = (byte[]) o;
            try {
                cert = CertTools.getCertfromByteArray(certBytes);
            } catch (CertificateParsingException e1) {
                throw new CertPathValidatorException(e1);
            }
        }
        if (CertTools.isSelfSigned(cert)) {
            rootca = cert;
        } else {
            log.debug("Adding to cacertmap with index '" + CertTools.getIssuerDN(cert) + "'");
            cacertmap.put(CertTools.getIssuerDN(cert), cert);
        }
    }

    if (rootca == null) {
        throw new CertPathValidatorException("No root CA certificate found in certificatelist");
    }
    returnval.add(0, rootca);
    Certificate currentcert = rootca;
    int i = 0;
    while (certlist.size() != returnval.size() && i <= certlist.size()) {
        log.debug("Looking in cacertmap for '" + CertTools.getSubjectDN(currentcert) + "'");
        Certificate nextcert = (Certificate) cacertmap.get(CertTools.getSubjectDN(currentcert));
        if (nextcert == null) {
            throw new CertPathValidatorException("Error building certificate path");
        }
        returnval.add(0, nextcert);
        currentcert = nextcert;
        i++;
    }

    if (i > certlist.size()) {
        throw new CertPathValidatorException("Error building certificate path");
    }

    return returnval;
}

From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java

/**
 * Checks the revocation status of 'cert'; first by sending on OCSP request. If that fails for any reason, then through a CRL
 *//*from   w  w  w  .  j  a va2  s  .  co  m*/
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {

    clearResult();
    Certificate cacert = getCaCert(cert);
    if (cacert == null) {
        final String msg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL";
        log.info(msg);
        throw new CertPathValidatorException(msg);
    }

    ArrayList<String> ocspurls = getOcspUrls(cert);
    if (!ocspurls.isEmpty()) {
        BigInteger certSerialnumber = CertTools.getSerialNumber(cert);
        byte[] nonce = new byte[16];
        final Random randomSource = new Random();
        randomSource.nextBytes(nonce);
        OCSPReq req = null;
        try {
            req = getOcspRequest(cacert, certSerialnumber, nonce);
        } catch (CertificateEncodingException | OCSPException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to create OCSP request. " + e.getLocalizedMessage());
            }
            fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
            return;

        }

        SingleResp ocspResp = null;
        for (String url : ocspurls) {
            ocspResp = getOCSPResponse(url, req, cert, nonce, OCSPRespBuilder.SUCCESSFUL, 200);
            if (ocspResp != null) {
                log.info("Obtained OCSP response from " + url);
                break;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Failed to obtain an OCSP reponse from " + url);
                }
            }
        }

        if (ocspResp == null) {
            log.info(
                    "Failed to check certificate revocation status using OCSP. Falling back to check using CRL");
            fallBackToCrl(cert, CertTools.getSubjectDN(cacert));
        } else {
            CertificateStatus status = ocspResp.getCertStatus();
            this.ocspResponse = ocspResp;
            if (log.isDebugEnabled()) {
                log.debug("The certificate status is: " + (status == null ? "Good" : status.toString()));
            }
            if (status != null) { // status==null -> certificate OK
                throw new CertPathValidatorException("Certificate with serialnumber "
                        + CertTools.getSerialNumberAsString(cert) + " was revoked");
            }

            if (unresolvedCritExts != null) {
                unresolvedCritExts.remove(Extension.authorityInfoAccess.getId());
            }
        }

    } else {
        fallBackToCrl(cert, CertTools.getSubjectDN(cacert));

        if (unresolvedCritExts != null) {
            unresolvedCritExts.remove(Extension.cRLDistributionPoints.getId());
        }
    }

}

From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java

/**
 * Check the revocation status of 'cert' using a CRL
 * @param cert the certificate whose revocation status is to be checked
 * @throws CertPathValidatorException/*from w  w w .ja va 2  s .  com*/
 */
private void fallBackToCrl(final Certificate cert, final String issuerDN) throws CertPathValidatorException {
    final ArrayList<URL> crlUrls = getCrlUrl(cert);
    if (crlUrls.isEmpty()) {
        final String errmsg = "Failed to verify certificate status using the fallback CRL method. Could not find a CRL URL";
        log.info(errmsg);
        throw new CertPathValidatorException(errmsg);
    }
    if (log.isDebugEnabled()) {
        log.debug("Found " + crlUrls.size() + " CRL URLs");
    }

    CRL crl = null;
    for (URL url : crlUrls) {
        crl = getCRL(url);
        if (crl != null) {
            if (isCorrectCRL(crl, issuerDN)) {
                final boolean isRevoked = crl.isRevoked(cert);
                this.crl = crl;
                if (isRevoked) {
                    throw new CertPathValidatorException("Certificate with serialnumber "
                            + CertTools.getSerialNumberAsString(cert) + " was revoked");
                }
                break;
            }
        }
    }
    if (this.crl == null) {
        throw new CertPathValidatorException(
                "Failed to verify certificate status using CRL. Could not find a CRL issued by " + issuerDN
                        + " reasonably lately");
    }
}

From source file:org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.java

@Override
public void receiveResponse(AuthenticationToken authenticationToken, int caid, ResponseMessage responsemessage,
        Collection<?> cachain, String nextKeyAlias)
        throws AuthorizationDeniedException, CertPathValidatorException, EjbcaException, CesecoreException {
    if (log.isTraceEnabled()) {
        log.trace(">receiveResponse: " + caid);
    }/*w  w w .  j  a  v  a 2  s.c  om*/
    if (!accessSession.isAuthorizedNoLogging(authenticationToken, AccessRulesConstants.REGULAR_RENEWCA)) {
        final String detailsMsg = intres.getLocalizedMessage("caadmin.notauthorizedtocertresp",
                Integer.valueOf(caid));
        auditSession.log(EventTypes.ACCESS_CONTROL, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE,
                authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg);
    }
    try {
        final CA ca = caSession.getCAForEdit(authenticationToken, caid);
        if (!(responsemessage instanceof X509ResponseMessage)) {
            String msg = intres.getLocalizedMessage("caadmin.errorcertrespillegalmsg",
                    responsemessage != null ? responsemessage.getClass().getName() : "null");
            log.info(msg);
            throw new EjbcaException(msg);
        }
        final Certificate cacert = ((X509ResponseMessage) responsemessage).getCertificate();
        // Receiving a certificate for an internal CA will transform it into an externally signed CA
        if (ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA) {
            ca.setSignedBy(CAInfo.SIGNEDBYEXTERNALCA);
        }
        // Check that CA DN is equal to the certificate response.
        if (!CertTools.getSubjectDN(cacert).equals(CertTools.stringToBCDNString(ca.getSubjectDN()))) {
            String msg = intres.getLocalizedMessage("caadmin.errorcertrespwrongdn",
                    CertTools.getSubjectDN(cacert), ca.getSubjectDN());
            log.info(msg);
            throw new EjbcaException(msg);
        }
        List<Certificate> tmpchain = new ArrayList<Certificate>();
        tmpchain.add(cacert);

        Collection<Certificate> reqchain = null;
        if (cachain != null && cachain.size() > 0) {
            //  1. If we have a chain given as parameter, we will use that.
            reqchain = CertTools.createCertChain(cachain);
            log.debug("Using CA certificate chain from parameter of size: " + reqchain.size());
        } else {
            // 2. If no parameter is given we assume that the request chain was stored when the request was created.
            reqchain = ca.getRequestCertificateChain();
            if (reqchain == null) {
                // 3. Lastly, if that failed we'll check if the certificate chain in it's entirety already exists in the database. 
                reqchain = new ArrayList<Certificate>();
                Certificate issuer = certificateStoreSession
                        .findLatestX509CertificateBySubject(CertTools.getIssuerDN(cacert));
                if (issuer != null) {
                    reqchain.add(issuer);
                    while (!CertTools.isSelfSigned(issuer)) {
                        issuer = certificateStoreSession
                                .findLatestX509CertificateBySubject(CertTools.getIssuerDN(issuer));
                        if (issuer != null) {
                            reqchain.add(issuer);
                        } else {
                            String msg = intres.getLocalizedMessage("caadmin.errorincompleterequestchain", caid,
                                    ca.getSubjectDN());
                            log.info(msg);
                            throw new CertPathValidatorException(msg);
                        }
                    }
                }
                if (reqchain.size() == 0) {
                    String msg = intres.getLocalizedMessage("caadmin.errornorequestchain", caid,
                            ca.getSubjectDN());
                    log.info(msg);
                    throw new CertPathValidatorException(msg);
                }

            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Using pre-stored CA certificate chain.");
                }
            }
        }
        log.debug("Picked up request certificate chain of size: " + reqchain.size());
        tmpchain.addAll(reqchain);
        final List<Certificate> chain = CertTools.createCertChain(tmpchain);
        log.debug("Storing certificate chain of size: " + chain.size());
        // Before importing the certificate we want to make sure that the public key matches the CAs private key
        PublicKey caCertPublicKey = cacert.getPublicKey();
        // If it is a DV certificate signed by a CVCA, enrich the public key for EC parameters from the CVCA's certificate
        if (StringUtils.equals(cacert.getType(), "CVC")) {
            if (caCertPublicKey.getAlgorithm().equals("ECDSA")) {
                CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cacert;
                try {
                    if (cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate()
                            .getAuthorizationField().getAuthRole().isDV()) {
                        log.debug("Enriching DV public key with EC parameters from CVCA");
                        Certificate cvcacert = (Certificate) reqchain.iterator().next();
                        caCertPublicKey = KeyTools.getECPublicKeyWithParams(caCertPublicKey,
                                cvcacert.getPublicKey());
                    }
                } catch (InvalidKeySpecException e) {
                    log.debug("Strange CVCA certificate that we can't get the key from, continuing anyway...",
                            e);
                } catch (NoSuchFieldException e) {
                    log.debug("Strange DV certificate with no AutheorizationRole, continuing anyway...", e);
                }
            } else {
                log.debug("Key is not ECDSA, don't try to enrich with EC parameters.");
            }
        } else {
            log.debug("Cert is not CVC, no need to enrich with EC parameters.");
        }

        final CAToken catoken = ca.getCAToken();
        final CryptoToken cryptoToken = cryptoTokenSession.getCryptoToken(catoken.getCryptoTokenId());
        boolean activatedNextSignKey = false;
        if (nextKeyAlias != null) {
            try {
                if (log.isDebugEnabled()) {
                    log.debug("SubjectKeyId for CA cert public key: " + new String(
                            Hex.encode(KeyTools.createSubjectKeyId(caCertPublicKey).getKeyIdentifier())));
                    log.debug("SubjectKeyId for CA next public key: " + new String(Hex.encode(KeyTools
                            .createSubjectKeyId(cryptoToken.getPublicKey(nextKeyAlias)).getKeyIdentifier())));
                }
                KeyTools.testKey(cryptoToken.getPrivateKey(nextKeyAlias), caCertPublicKey,
                        cryptoToken.getSignProviderName());
            } catch (InvalidKeyException e) {
                throw new EjbcaException(ErrorCode.INVALID_KEY, e);
            }
            catoken.setNextCertSignKey(nextKeyAlias);
            catoken.activateNextSignKey();
            activatedNextSignKey = true;
        } else {
            // Since we don't specified the nextSignKey, we will just try the current or next CA sign key
            try {
                KeyTools.testKey(
                        cryptoToken.getPrivateKey(
                                catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)),
                        caCertPublicKey, cryptoToken.getSignProviderName());
            } catch (Exception e1) {
                log.debug(
                        "The received certificate response does not match the CAs private signing key for purpose CAKEYPURPOSE_CERTSIGN, trying CAKEYPURPOSE_CERTSIGN_NEXT...");
                if (e1 instanceof InvalidKeyException) {
                    log.trace(e1);
                } else {
                    // If it's not invalid key, we want to see more of the error
                    log.debug("Error: ", e1);
                }
                try {
                    KeyTools.testKey(
                            cryptoToken.getPrivateKey(
                                    catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN_NEXT)),
                            caCertPublicKey, cryptoToken.getSignProviderName());
                    // This was OK, so we must also activate the next signing key when importing this certificate
                    catoken.activateNextSignKey();
                    activatedNextSignKey = true;
                } catch (Exception e2) {
                    log.debug(
                            "The received certificate response does not match the CAs private signing key for purpose CAKEYPURPOSE_CERTSIGN_NEXT either, giving up.");
                    if ((e2 instanceof InvalidKeyException) || (e2 instanceof IllegalArgumentException)) {
                        log.trace(e2);
                    } else {
                        // If it's not invalid key or missing authentication code, we want to see more of the error
                        log.debug("Error: ", e2);
                    }
                    throw new EjbcaException(ErrorCode.INVALID_KEY, e2);
                }
            }
        }
        if (activatedNextSignKey) {
            // Activated the next signing key(s) so generate audit log
            final Map<String, Object> details = new LinkedHashMap<String, Object>();
            details.put("msg", intres.getLocalizedMessage("catoken.activatednextkey", caid));
            details.put("certSignKey", catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN));
            details.put("crlSignKey", catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN));
            details.put("sequence", catoken.getKeySequence());
            auditSession.log(EventTypes.CA_KEYACTIVATE, EventStatus.SUCCESS, ModuleTypes.CA, ServiceTypes.CORE,
                    authenticationToken.toString(), String.valueOf(caid), null, null, details);
        }
        ca.setCAToken(catoken);
        ca.setCertificateChain(chain);

        // Set status to active, so we can sign certificates for the external services below.
        ca.setStatus(CAConstants.CA_ACTIVE);

        // activate External CA Services
        for (int type : ca.getExternalCAServiceTypes()) {
            try {
                ca.initExtendedService(cryptoToken, type, ca);
                final ExtendedCAServiceInfo info = ca.getExtendedCAServiceInfo(type);
                if (info instanceof BaseSigningCAServiceInfo) {
                    // Publish the extended service certificate, but only for active services
                    if (info.getStatus() == ExtendedCAServiceInfo.STATUS_ACTIVE) {
                        final List<Certificate> extcacertificate = new ArrayList<Certificate>();
                        extcacertificate.add(((BaseSigningCAServiceInfo) info).getCertificatePath().get(0));
                        publishCACertificate(authenticationToken, extcacertificate, ca.getCRLPublishers(),
                                ca.getSubjectDN());
                    }
                }
            } catch (Exception fe) {
                final String detailsMsg = intres.getLocalizedMessage("caadmin.errorcreatecaservice",
                        Integer.valueOf(caid));
                auditSession.log(EventTypes.CA_EDITING, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE,
                        authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg);
                throw new EJBException(fe);
            }
        }
        // Set expire time
        ca.setExpireTime(CertTools.getNotAfter(cacert));
        // Save CA
        caSession.editCA(authenticationToken, ca, true);
        // Publish CA Certificate
        publishCACertificate(authenticationToken, chain, ca.getCRLPublishers(), ca.getSubjectDN());
        // Create initial CRL
        publishingCrlSession.forceCRL(authenticationToken, caid);
        publishingCrlSession.forceDeltaCRL(authenticationToken, caid);
        // All OK
        String detailsMsg = intres.getLocalizedMessage("caadmin.certrespreceived", Integer.valueOf(caid));
        auditSession.log(EventTypes.CA_EDITING, EventStatus.SUCCESS, ModuleTypes.CA, ServiceTypes.CORE,
                authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg);
    } catch (CryptoTokenOfflineException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        sessionContext.setRollbackOnly(); // This is an application exception so it wont trigger a roll-back automatically
        throw e;
    } catch (CADoesntExistsException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        sessionContext.setRollbackOnly(); // This is an application exception so it wont trigger a roll-back automatically
        throw e;
    } catch (CertificateEncodingException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        throw new EjbcaException(e.getMessage());
    } catch (CertificateException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        throw new EjbcaException(e.getMessage());
    } catch (InvalidAlgorithmParameterException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        throw new EjbcaException(e.getMessage());
    } catch (NoSuchAlgorithmException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        throw new EjbcaException(e.getMessage());
    } catch (NoSuchProviderException e) {
        String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid));
        log.info(msg);
        throw new EjbcaException(e.getMessage());
    }
    if (log.isTraceEnabled()) {
        log.trace("<receiveResponse: " + caid);
    }
}

From source file:org.ejbca.extra.db.ExtRAMsgHelper.java

/**
 * Method used to verify signed data./*w  w  w  .  j  av a  2s. c  o  m*/
 * 
 * @param TrustedCACerts a Collection of trusted certificates, should contain the entire chains
 * @param TrustedCRLs a Collection of trusted CRLS, use null if no CRL check should be used.
 * @param signedData the data to verify
 * @param date the date used to check the validity against.
 * @return a ParsedSignatureResult.
 */
public static ParsedSignatureResult verifySignature(Collection cACertChain, Collection trustedCRLs,
        byte[] signedData, Date date) {
    boolean verifies = false;
    X509Certificate usercert = null;
    ParsedSignatureResult retval = new ParsedSignatureResult(false, null, null);
    byte[] content = null;

    try {
        // First verify the signature
        CMSSignedData sp = new CMSSignedData(signedData);

        CertStore certs = sp.getCertificatesAndCRLs("Collection", "BC");
        SignerInformationStore signers = sp.getSignerInfos();

        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ((CMSProcessableByteArray) sp.getSignedContent()).write(baos);
        content = baos.toByteArray();
        baos.close();

        Collection c = signers.getSigners();
        Iterator it = c.iterator();

        while (it.hasNext()) {
            SignerInformation signer = (SignerInformation) it.next();
            Collection certCollection = certs.getCertificates(signer.getSID());

            Iterator certIt = certCollection.iterator();
            usercert = (X509Certificate) certIt.next();

            boolean validalg = signer.getDigestAlgOID().equals(signAlg);

            verifies = validalg && signer.verify(usercert.getPublicKey(), "BC");

        }

        // Second validate the certificate           
        X509Certificate rootCert = null;
        Iterator iter = cACertChain.iterator();
        while (iter.hasNext()) {
            X509Certificate cert = (X509Certificate) iter.next();
            if (cert.getIssuerDN().equals(cert.getSubjectDN())) {
                rootCert = cert;
                break;
            }
        }

        if (rootCert == null) {
            throw new CertPathValidatorException("Error Root CA cert not found in cACertChain");
        }

        List list = new ArrayList();
        list.add(usercert);
        list.add(cACertChain);
        if (trustedCRLs != null) {
            list.add(trustedCRLs);
        }

        CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
        CertStore store = CertStore.getInstance("Collection", ccsp);

        //validating path
        List certchain = new ArrayList();
        certchain.addAll(cACertChain);
        certchain.add(usercert);
        CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain);

        Set trust = new HashSet();
        trust.add(new TrustAnchor(rootCert, null));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
        PKIXParameters param = new PKIXParameters(trust);
        param.addCertStore(store);
        param.setDate(date);
        if (trustedCRLs == null) {
            param.setRevocationEnabled(false);
        } else {
            param.setRevocationEnabled(true);
        }
        cpv.validate(cp, param);
        retval = new ParsedSignatureResult(verifies, usercert, content);
    } catch (Exception e) {
        log.error("Error verifying data : ", e);
    }

    return retval;
}

From source file:org.ejbca.util.CertTools.java

/**
 * Method to create certificate path and to check it's validity from a list of certificates.
 * The list of certificates should only contain one root certificate.
 *
 * @param certlist//from w  w  w.ja v  a2s  .com
 * @return the certificatepath with the root CA at the end, either collection of Certificate or byte[] (der encoded certs)
 * @throws CertPathValidatorException if the certificate chain can not be constructed
 * @throws InvalidAlgorithmParameterException 
 * @throws NoSuchProviderException 
 * @throws NoSuchAlgorithmException 
 * @throws CertificateException 
 */
public static Collection<Certificate> createCertChain(Collection<?> certlistin)
        throws CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
        NoSuchProviderException, CertificateException {
    ArrayList<Certificate> returnval = new ArrayList<Certificate>();

    Collection<Certificate> certlist = orderCertificateChain(certlistin);

    // set certificate chain
    Certificate rootcert = null;
    ArrayList<Certificate> calist = new ArrayList<Certificate>();
    Iterator<Certificate> iter = certlist.iterator();
    while (iter.hasNext()) {
        Certificate next = iter.next();
        if (CertTools.isSelfSigned(next)) {
            rootcert = next;
        } else {
            calist.add(next);
        }
    }

    if (calist.isEmpty()) {
        // only one root cert, no certchain
        returnval.add(rootcert);
    } else {
        // We need a bit special handling for CV certificates because those can not be handled using a PKIX CertPathValidator
        Certificate test = calist.get(0);
        if (test.getType().equals("CVC")) {
            if (calist.size() == 1) {
                returnval.add(test);
                returnval.add(rootcert);
            } else {
                throw new CertPathValidatorException(
                        "CVC certificate chain can not be of length longer than two.");
            }
        } else {
            // Normal X509 certificates
            HashSet<TrustAnchor> trustancors = new HashSet<TrustAnchor>();
            TrustAnchor trustanchor = null;
            trustanchor = new TrustAnchor((X509Certificate) rootcert, null);
            trustancors.add(trustanchor);

            // Create the parameters for the validator
            PKIXParameters params = new PKIXParameters(trustancors);

            // Disable CRL checking since we are not supplying any CRLs
            params.setRevocationEnabled(false);
            params.setDate(new Date());

            // Create the validator and validate the path
            CertPathValidator certPathValidator = CertPathValidator
                    .getInstance(CertPathValidator.getDefaultType(), "BC");
            CertificateFactory fact = CertTools.getCertificateFactory();
            CertPath certpath = fact.generateCertPath(calist);

            CertPathValidatorResult result = certPathValidator.validate(certpath, params);

            // Get the certificates validate in the path
            PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result;
            returnval.addAll(certpath.getCertificates());

            // Get the CA used to validate this path
            TrustAnchor ta = pkixResult.getTrustAnchor();
            X509Certificate cert = ta.getTrustedCert();
            returnval.add(cert);
        }
    }
    return returnval;
}

From source file:org.ejbca.util.CertTools.java

/**
 * Method ordering a list of certificate into a certificate path with the root CA at the end.
 * Does not check validity or verification of any kind, just ordering by issuerdn.
 * @param certlist list of certificates to order can be collection of Certificate or byte[] (der encoded certs).
 * @return Collection with certificatechain.
 *///from   w  w w. j  av a2s .  c om
private static Collection<Certificate> orderCertificateChain(Collection<?> certlist)
        throws CertPathValidatorException {
    ArrayList<Certificate> returnval = new ArrayList<Certificate>();
    Certificate rootca = null;
    HashMap<String, Certificate> cacertmap = new HashMap<String, Certificate>();
    Iterator<?> iter = certlist.iterator();
    while (iter.hasNext()) {
        Certificate cert = null;
        Object o = iter.next();
        try {
            cert = (Certificate) o;
        } catch (ClassCastException e) {
            // This was not a certificate, is it byte encoded?
            byte[] certBytes = (byte[]) o;
            try {
                cert = CertTools.getCertfromByteArray(certBytes);
            } catch (CertificateException e1) {
                throw new CertPathValidatorException(e1);
            }
        }
        if (CertTools.isSelfSigned(cert)) {
            rootca = cert;
        } else {
            log.debug("Adding to cacertmap with index '" + CertTools.getIssuerDN(cert) + "'");
            cacertmap.put(CertTools.getIssuerDN(cert), cert);
        }
    }

    if (rootca == null) {
        throw new CertPathValidatorException("No root CA certificate found in certificatelist");
    }
    returnval.add(0, rootca);
    Certificate currentcert = rootca;
    int i = 0;
    while (certlist.size() != returnval.size() && i <= certlist.size()) {
        log.debug("Looking in cacertmap for '" + CertTools.getSubjectDN(currentcert) + "'");
        Certificate nextcert = (Certificate) cacertmap.get(CertTools.getSubjectDN(currentcert));
        if (nextcert == null) {
            throw new CertPathValidatorException("Error building certificate path");
        }
        returnval.add(0, nextcert);
        currentcert = nextcert;
        i++;
    }

    if (i > certlist.size()) {
        throw new CertPathValidatorException("Error building certificate path");
    }

    return returnval;
}

From source file:org.globus.gsi.trustmanager.TrustedCertPathFinder.java

/**
 * Method that validates the provided cert path to find a trusted certificate in the certificate store.
 * <p/>//from  www . ja  v a 2 s.c o  m
 * For each certificate i in certPath, it is expected that the i+1 certificate is the issuer of the certificate
 * path. See CertPath.
 * <p/>
 * For each certificate i in certpath, validate signature of certificate i get issuer of certificate i get
 * certificate i+i ensure that the certificate i+1 is issuer of certificate i If not, throw an exception for
 * illegal argument validate signature of i+1 Throw exception if it does not validate check if i+1 is a trusted
 * certificate in the trust store. If so return certpath until i+1 If not, continue; If all certificates in the
 * certpath have been checked and none exisits in trust store, check if trust store has certificate of issuer of
 * last certificate in CertPath. If so, return certPath + trusted certificate from trust store If not, throw
 * an exception for lack of valid trust root.
 *
 * @param keyStore The key store containing CA trust root certificates
 * @param certPath The certpath from which to extract a valid cert path to a trusted certificate.
 * @return The valid CertPath.
 * @throws CertPathValidatorException If the CertPath is invalid.
 */
public static CertPath findTrustedCertPath(KeyStore keyStore, CertPath certPath)
        throws CertPathValidatorException {

    // This will be the cert path to return
    List<X509Certificate> trustedCertPath = new ArrayList<X509Certificate>();
    // This is the certs to validate
    List<? extends Certificate> certs = certPath.getCertificates();

    X509Certificate x509Certificate;
    int index = 0;
    int certsSize = certs.size();

    Certificate certificate = certs.get(index);
    if (!(certificate instanceof X509Certificate)) {
        throw new CertPathValidatorException(
                "Certificate of type " + X509Certificate.class.getName() + " required");
    }
    x509Certificate = (X509Certificate) certificate;

    while (index < certsSize) {
        CertPath finalCertPath = isTrustedCert(keyStore, x509Certificate, trustedCertPath);
        if (finalCertPath != null) {
            return finalCertPath;
        }

        if (index + 1 >= certsSize) {
            break;
        }

        index++;
        Certificate issuerCertificate = certs.get(index);
        x509Certificate = checkCertificate(trustedCertPath, x509Certificate, issuerCertificate);
    }

    X509CertSelector selector = new X509CertSelector();
    selector.setSubject(x509Certificate.getIssuerX500Principal());
    Collection<? extends Certificate> caCerts;
    try {
        caCerts = KeyStoreUtil.getTrustedCertificates(keyStore, selector);
    } catch (KeyStoreException e) {
        throw new CertPathValidatorException(e);
    }
    if (caCerts.size() < 1) {
        throw new CertPathValidatorException("No trusted path can be constructed");
    }

    boolean foundTrustRoot = false;

    for (Certificate caCert : caCerts) {
        if (!(caCert instanceof X509Certificate)) {
            logger.warn("Skipped a certificate: not an X509Certificate");
            continue;
        }
        try {
            trustedCertPath.add(checkCertificate(trustedCertPath, x509Certificate, caCert));
            // currently the caCert self-signature is not checked
            // to be consistent with the isTrustedCert() method
            foundTrustRoot = true;
            // we found a CA cert that signed the certificate
            // so we don't need to check any more
            break;
        } catch (CertPathValidatorException e) {
            // fine, just move on to check the next potential CA cert
            // after the loop we'll check whether any were successful
            logger.warn("Failed to validate signature of certificate with " + "subject DN '"
                    + x509Certificate.getSubjectDN() + "' against a CA certificate with issuer DN '"
                    + ((X509Certificate) caCert).getSubjectDN() + "'");
        }
    }

    if (!foundTrustRoot) {
        throw new CertPathValidatorException("No trusted path can be constructed");
    }

    try {
        CertificateFactory certFac = CertificateFactory.getInstance("X.509");
        return certFac.generateCertPath(trustedCertPath);
    } catch (CertificateException e) {
        throw new CertPathValidatorException("Error generating trusted certificate path", e);
    }
}

From source file:org.viafirma.nucleo.validacion.OcspValidatorHandler.java

/**
 * Valida mediante ocsp RFC 2560, el certificado indicado.
 * //from   ww w . j a v  a 2s. c om
 * @param certificadoX509
 *            Certificado que deseamos validar.
 * @param certificadoX509Emisor
 *            Certificado emisor del certificado a validar.
 * @return
 * @throws CertPathValidatorException
 */
private CodigoError validarOCSP(X509Certificate certificadoX509, X509Certificate certificadoX509Emisor)
        throws CertPathValidatorException {
    // Si la validacin esta desactivada consideramos el certificado
    // validado.
    if (validacionOnline) {
        try {
            // Generamos la peticin OCSP para el certificado.
            OCSPReq request = generateRequest(certificadoX509, certificadoX509Emisor);

            // Recuperamos la url desde la que realizar la validacin OCSP
            String url = getUrlOCSP(certificadoX509);

            // Bytes del request
            byte[] byteRequest = request.getEncoded();

            // Enviamos la peticin y recuperamos la respuesta
            InputStream inResponse = sendRequest(url, byteRequest);
            OCSPResp ocspResponse = new OCSPResp(inResponse);

            // but why Response Status is 6(No Valid)..?
            if (OCSPResponseStatus.SUCCESSFUL == ocspResponse.getStatus()) {
                log.info("Obtenida respuesta correcta OCSP.  Estado:" + ocspResponse.getStatus());
                CertificateID certID = new CertificateID(CertificateID.HASH_SHA1, certificadoX509Emisor,
                        certificadoX509.getSerialNumber());
                BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject();

                // Comprobamos que la respuesta OCSP no ha sido manipulada y
                // ha sido firmada por un certificado de confianza.
                // Recupero el certificado con el que debe haber sido
                // firmado el ocsp
                checkOCSP(brep);
                SingleResp[] singleResp = brep.getResponses();

                for (SingleResp resp : singleResp) {
                    CertificateID respCertID = resp.getCertID();
                    if (respCertID.equals(certID)) {
                        Object status = resp.getCertStatus();
                        if (status == CertificateStatus.GOOD) {
                            log.debug("OCSPChecker: Status of certificate is: good");
                            break;
                        } else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) {
                            log.debug("OCSPChecker: Status of certificate is: revoked");
                            throw new CertPathValidatorException("Certificate has been revoked");
                        } else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) {
                            log.debug("OCSPChecker: Status of certificate is: unknown");
                            throw new CertPathValidatorException("Certificate's revocation status is unknown");
                        } else {
                            log.debug("Status of certificate is: not recognized");
                            throw new CertPathValidatorException("Unknown OCSP response for certificate");
                        }
                    }

                }

                return CodigoError.OK_CERTIFICADO_VALIDADO;
            } else {
                /**
                 * successful (0), --Response has valid confirmations
                 * malformedRequest (1), --Illegal confirmation request
                 * internalError (2), --Internal error in issuer tryLater
                 * (3), --Try again later --(4) is not used sigRequired (5),
                 * --Must sign the request unauthorized (6) --Request
                 * unauthorized
                 */
                if (OCSPResponseStatus.MALFORMED_REQUEST == ocspResponse.getStatus()) {
                    log.warn(
                            "Obtenida respuesta Incorrecta OCSP: malformedRequest (1), --Illegal confirmation request. estatus: "
                                    + ocspResponse.getStatus());
                    return CodigoError.ERROR_OCSP_URL;
                } else if (OCSPResponseStatus.INTERNAL_ERROR == ocspResponse.getStatus()) {
                    log.warn(
                            "Obtenida respuesta Incorrecta OCSP: internalError (2),--Internal error in issuer. estatus: "
                                    + ocspResponse.getStatus());
                    return CodigoError.ERROR_OCSP_INTERNAL_ERROR;
                } else if (OCSPResponseStatus.TRY_LATER == ocspResponse.getStatus()) {
                    log.warn("Obtenida respuesta Incorrecta OCSP: tryLater (3), --Try again later. estatus: "
                            + ocspResponse.getStatus());
                    return CodigoError.ERROR_OCSP_TRY_LATER;
                } else if (OCSPResponseStatus.SIG_REQUIRED == ocspResponse.getStatus()) {
                    log.warn(
                            "Obtenida respuesta Incorrecta OCSP: sigRequired(5),--Must sign the request. estatus: "
                                    + ocspResponse.getStatus());
                    return CodigoError.ERROR_OCSP_INTERNAL_ERROR;
                } else if (OCSPResponseStatus.SIG_REQUIRED == ocspResponse.getStatus()) {
                    log.warn(
                            "Obtenida respuesta Incorrecta OCSP: unauthorized (6)--Request unauthorized. estatus: "
                                    + ocspResponse.getStatus());
                    return CodigoError.ERROR_OCSP_INTERNAL_ERROR;
                } else {
                    log.warn(
                            "Obtenida una respuesta incorrecta OCSP, probablemente el certificado este caducado.");
                    return CodigoError.ERROR_VALIDACION_CERTIFICADO_CADUCADO;
                }

            }

        } catch (OCSPException e) {
            log.fatal(CodigoError.ERROR_OCSP_INTERNAL_ERROR, e);
            return CodigoError.ERROR_OCSP_INTERNAL_ERROR;
        } catch (ExcepcionErrorInterno e) {
            log.error("No se puede validar el certificado. ", e);
            return e.getCodError();
        } catch (IOException e) {
            log.fatal(CodigoError.ERROR_INTERNO, e);
            return CodigoError.ERROR_INTERNO;
        }
    } else {
        log.info("La validacin online OCSP esta desactivada. Consideramos el certificado Vlido.");
        return CodigoError.OK_CERTIFICADO_VALIDADO;
    }
}