List of usage examples for java.security.cert CertPathValidatorException CertPathValidatorException
public CertPathValidatorException(Throwable cause)
From source file:org.cesecore.util.CertTools.java
/** * Method ordering a list of certificate into a certificate path with the root CA at the end. Does not check validity or verification of any kind, * just ordering by issuerdn./*from w w w. ja va2 s . c om*/ * * @param certlist list of certificates to order can be collection of Certificate or byte[] (der encoded certs). * @return Collection with certificatechain. */ private static Collection<Certificate> orderCertificateChain(Collection<?> certlist) throws CertPathValidatorException { ArrayList<Certificate> returnval = new ArrayList<Certificate>(); Certificate rootca = null; HashMap<String, Certificate> cacertmap = new HashMap<String, Certificate>(); Iterator<?> iter = certlist.iterator(); while (iter.hasNext()) { Certificate cert = null; Object o = iter.next(); try { cert = (Certificate) o; } catch (ClassCastException e) { // This was not a certificate, is it byte encoded? byte[] certBytes = (byte[]) o; try { cert = CertTools.getCertfromByteArray(certBytes); } catch (CertificateParsingException e1) { throw new CertPathValidatorException(e1); } } if (CertTools.isSelfSigned(cert)) { rootca = cert; } else { log.debug("Adding to cacertmap with index '" + CertTools.getIssuerDN(cert) + "'"); cacertmap.put(CertTools.getIssuerDN(cert), cert); } } if (rootca == null) { throw new CertPathValidatorException("No root CA certificate found in certificatelist"); } returnval.add(0, rootca); Certificate currentcert = rootca; int i = 0; while (certlist.size() != returnval.size() && i <= certlist.size()) { log.debug("Looking in cacertmap for '" + CertTools.getSubjectDN(currentcert) + "'"); Certificate nextcert = (Certificate) cacertmap.get(CertTools.getSubjectDN(currentcert)); if (nextcert == null) { throw new CertPathValidatorException("Error building certificate path"); } returnval.add(0, nextcert); currentcert = nextcert; i++; } if (i > certlist.size()) { throw new CertPathValidatorException("Error building certificate path"); } return returnval; }
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
/** * Checks the revocation status of 'cert'; first by sending on OCSP request. If that fails for any reason, then through a CRL *//*from w w w . j a va2 s . co m*/ @Override public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException { clearResult(); Certificate cacert = getCaCert(cert); if (cacert == null) { final String msg = "No issuer CA certificate was found. An issuer CA certificate is needed to create an OCSP request and to get the right CRL"; log.info(msg); throw new CertPathValidatorException(msg); } ArrayList<String> ocspurls = getOcspUrls(cert); if (!ocspurls.isEmpty()) { BigInteger certSerialnumber = CertTools.getSerialNumber(cert); byte[] nonce = new byte[16]; final Random randomSource = new Random(); randomSource.nextBytes(nonce); OCSPReq req = null; try { req = getOcspRequest(cacert, certSerialnumber, nonce); } catch (CertificateEncodingException | OCSPException e) { if (log.isDebugEnabled()) { log.debug("Failed to create OCSP request. " + e.getLocalizedMessage()); } fallBackToCrl(cert, CertTools.getSubjectDN(cacert)); return; } SingleResp ocspResp = null; for (String url : ocspurls) { ocspResp = getOCSPResponse(url, req, cert, nonce, OCSPRespBuilder.SUCCESSFUL, 200); if (ocspResp != null) { log.info("Obtained OCSP response from " + url); break; } else { if (log.isDebugEnabled()) { log.debug("Failed to obtain an OCSP reponse from " + url); } } } if (ocspResp == null) { log.info( "Failed to check certificate revocation status using OCSP. Falling back to check using CRL"); fallBackToCrl(cert, CertTools.getSubjectDN(cacert)); } else { CertificateStatus status = ocspResp.getCertStatus(); this.ocspResponse = ocspResp; if (log.isDebugEnabled()) { log.debug("The certificate status is: " + (status == null ? "Good" : status.toString())); } if (status != null) { // status==null -> certificate OK throw new CertPathValidatorException("Certificate with serialnumber " + CertTools.getSerialNumberAsString(cert) + " was revoked"); } if (unresolvedCritExts != null) { unresolvedCritExts.remove(Extension.authorityInfoAccess.getId()); } } } else { fallBackToCrl(cert, CertTools.getSubjectDN(cacert)); if (unresolvedCritExts != null) { unresolvedCritExts.remove(Extension.cRLDistributionPoints.getId()); } } }
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
/** * Check the revocation status of 'cert' using a CRL * @param cert the certificate whose revocation status is to be checked * @throws CertPathValidatorException/*from w w w .ja va 2 s . com*/ */ private void fallBackToCrl(final Certificate cert, final String issuerDN) throws CertPathValidatorException { final ArrayList<URL> crlUrls = getCrlUrl(cert); if (crlUrls.isEmpty()) { final String errmsg = "Failed to verify certificate status using the fallback CRL method. Could not find a CRL URL"; log.info(errmsg); throw new CertPathValidatorException(errmsg); } if (log.isDebugEnabled()) { log.debug("Found " + crlUrls.size() + " CRL URLs"); } CRL crl = null; for (URL url : crlUrls) { crl = getCRL(url); if (crl != null) { if (isCorrectCRL(crl, issuerDN)) { final boolean isRevoked = crl.isRevoked(cert); this.crl = crl; if (isRevoked) { throw new CertPathValidatorException("Certificate with serialnumber " + CertTools.getSerialNumberAsString(cert) + " was revoked"); } break; } } } if (this.crl == null) { throw new CertPathValidatorException( "Failed to verify certificate status using CRL. Could not find a CRL issued by " + issuerDN + " reasonably lately"); } }
From source file:org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.java
@Override public void receiveResponse(AuthenticationToken authenticationToken, int caid, ResponseMessage responsemessage, Collection<?> cachain, String nextKeyAlias) throws AuthorizationDeniedException, CertPathValidatorException, EjbcaException, CesecoreException { if (log.isTraceEnabled()) { log.trace(">receiveResponse: " + caid); }/*w w w . j a v a 2 s.c om*/ if (!accessSession.isAuthorizedNoLogging(authenticationToken, AccessRulesConstants.REGULAR_RENEWCA)) { final String detailsMsg = intres.getLocalizedMessage("caadmin.notauthorizedtocertresp", Integer.valueOf(caid)); auditSession.log(EventTypes.ACCESS_CONTROL, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE, authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg); } try { final CA ca = caSession.getCAForEdit(authenticationToken, caid); if (!(responsemessage instanceof X509ResponseMessage)) { String msg = intres.getLocalizedMessage("caadmin.errorcertrespillegalmsg", responsemessage != null ? responsemessage.getClass().getName() : "null"); log.info(msg); throw new EjbcaException(msg); } final Certificate cacert = ((X509ResponseMessage) responsemessage).getCertificate(); // Receiving a certificate for an internal CA will transform it into an externally signed CA if (ca.getSignedBy() != CAInfo.SIGNEDBYEXTERNALCA) { ca.setSignedBy(CAInfo.SIGNEDBYEXTERNALCA); } // Check that CA DN is equal to the certificate response. if (!CertTools.getSubjectDN(cacert).equals(CertTools.stringToBCDNString(ca.getSubjectDN()))) { String msg = intres.getLocalizedMessage("caadmin.errorcertrespwrongdn", CertTools.getSubjectDN(cacert), ca.getSubjectDN()); log.info(msg); throw new EjbcaException(msg); } List<Certificate> tmpchain = new ArrayList<Certificate>(); tmpchain.add(cacert); Collection<Certificate> reqchain = null; if (cachain != null && cachain.size() > 0) { // 1. If we have a chain given as parameter, we will use that. reqchain = CertTools.createCertChain(cachain); log.debug("Using CA certificate chain from parameter of size: " + reqchain.size()); } else { // 2. If no parameter is given we assume that the request chain was stored when the request was created. reqchain = ca.getRequestCertificateChain(); if (reqchain == null) { // 3. Lastly, if that failed we'll check if the certificate chain in it's entirety already exists in the database. reqchain = new ArrayList<Certificate>(); Certificate issuer = certificateStoreSession .findLatestX509CertificateBySubject(CertTools.getIssuerDN(cacert)); if (issuer != null) { reqchain.add(issuer); while (!CertTools.isSelfSigned(issuer)) { issuer = certificateStoreSession .findLatestX509CertificateBySubject(CertTools.getIssuerDN(issuer)); if (issuer != null) { reqchain.add(issuer); } else { String msg = intres.getLocalizedMessage("caadmin.errorincompleterequestchain", caid, ca.getSubjectDN()); log.info(msg); throw new CertPathValidatorException(msg); } } } if (reqchain.size() == 0) { String msg = intres.getLocalizedMessage("caadmin.errornorequestchain", caid, ca.getSubjectDN()); log.info(msg); throw new CertPathValidatorException(msg); } } else { if (log.isDebugEnabled()) { log.debug("Using pre-stored CA certificate chain."); } } } log.debug("Picked up request certificate chain of size: " + reqchain.size()); tmpchain.addAll(reqchain); final List<Certificate> chain = CertTools.createCertChain(tmpchain); log.debug("Storing certificate chain of size: " + chain.size()); // Before importing the certificate we want to make sure that the public key matches the CAs private key PublicKey caCertPublicKey = cacert.getPublicKey(); // If it is a DV certificate signed by a CVCA, enrich the public key for EC parameters from the CVCA's certificate if (StringUtils.equals(cacert.getType(), "CVC")) { if (caCertPublicKey.getAlgorithm().equals("ECDSA")) { CardVerifiableCertificate cvccert = (CardVerifiableCertificate) cacert; try { if (cvccert.getCVCertificate().getCertificateBody().getAuthorizationTemplate() .getAuthorizationField().getAuthRole().isDV()) { log.debug("Enriching DV public key with EC parameters from CVCA"); Certificate cvcacert = (Certificate) reqchain.iterator().next(); caCertPublicKey = KeyTools.getECPublicKeyWithParams(caCertPublicKey, cvcacert.getPublicKey()); } } catch (InvalidKeySpecException e) { log.debug("Strange CVCA certificate that we can't get the key from, continuing anyway...", e); } catch (NoSuchFieldException e) { log.debug("Strange DV certificate with no AutheorizationRole, continuing anyway...", e); } } else { log.debug("Key is not ECDSA, don't try to enrich with EC parameters."); } } else { log.debug("Cert is not CVC, no need to enrich with EC parameters."); } final CAToken catoken = ca.getCAToken(); final CryptoToken cryptoToken = cryptoTokenSession.getCryptoToken(catoken.getCryptoTokenId()); boolean activatedNextSignKey = false; if (nextKeyAlias != null) { try { if (log.isDebugEnabled()) { log.debug("SubjectKeyId for CA cert public key: " + new String( Hex.encode(KeyTools.createSubjectKeyId(caCertPublicKey).getKeyIdentifier()))); log.debug("SubjectKeyId for CA next public key: " + new String(Hex.encode(KeyTools .createSubjectKeyId(cryptoToken.getPublicKey(nextKeyAlias)).getKeyIdentifier()))); } KeyTools.testKey(cryptoToken.getPrivateKey(nextKeyAlias), caCertPublicKey, cryptoToken.getSignProviderName()); } catch (InvalidKeyException e) { throw new EjbcaException(ErrorCode.INVALID_KEY, e); } catoken.setNextCertSignKey(nextKeyAlias); catoken.activateNextSignKey(); activatedNextSignKey = true; } else { // Since we don't specified the nextSignKey, we will just try the current or next CA sign key try { KeyTools.testKey( cryptoToken.getPrivateKey( catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)), caCertPublicKey, cryptoToken.getSignProviderName()); } catch (Exception e1) { log.debug( "The received certificate response does not match the CAs private signing key for purpose CAKEYPURPOSE_CERTSIGN, trying CAKEYPURPOSE_CERTSIGN_NEXT..."); if (e1 instanceof InvalidKeyException) { log.trace(e1); } else { // If it's not invalid key, we want to see more of the error log.debug("Error: ", e1); } try { KeyTools.testKey( cryptoToken.getPrivateKey( catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN_NEXT)), caCertPublicKey, cryptoToken.getSignProviderName()); // This was OK, so we must also activate the next signing key when importing this certificate catoken.activateNextSignKey(); activatedNextSignKey = true; } catch (Exception e2) { log.debug( "The received certificate response does not match the CAs private signing key for purpose CAKEYPURPOSE_CERTSIGN_NEXT either, giving up."); if ((e2 instanceof InvalidKeyException) || (e2 instanceof IllegalArgumentException)) { log.trace(e2); } else { // If it's not invalid key or missing authentication code, we want to see more of the error log.debug("Error: ", e2); } throw new EjbcaException(ErrorCode.INVALID_KEY, e2); } } } if (activatedNextSignKey) { // Activated the next signing key(s) so generate audit log final Map<String, Object> details = new LinkedHashMap<String, Object>(); details.put("msg", intres.getLocalizedMessage("catoken.activatednextkey", caid)); details.put("certSignKey", catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)); details.put("crlSignKey", catoken.getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN)); details.put("sequence", catoken.getKeySequence()); auditSession.log(EventTypes.CA_KEYACTIVATE, EventStatus.SUCCESS, ModuleTypes.CA, ServiceTypes.CORE, authenticationToken.toString(), String.valueOf(caid), null, null, details); } ca.setCAToken(catoken); ca.setCertificateChain(chain); // Set status to active, so we can sign certificates for the external services below. ca.setStatus(CAConstants.CA_ACTIVE); // activate External CA Services for (int type : ca.getExternalCAServiceTypes()) { try { ca.initExtendedService(cryptoToken, type, ca); final ExtendedCAServiceInfo info = ca.getExtendedCAServiceInfo(type); if (info instanceof BaseSigningCAServiceInfo) { // Publish the extended service certificate, but only for active services if (info.getStatus() == ExtendedCAServiceInfo.STATUS_ACTIVE) { final List<Certificate> extcacertificate = new ArrayList<Certificate>(); extcacertificate.add(((BaseSigningCAServiceInfo) info).getCertificatePath().get(0)); publishCACertificate(authenticationToken, extcacertificate, ca.getCRLPublishers(), ca.getSubjectDN()); } } } catch (Exception fe) { final String detailsMsg = intres.getLocalizedMessage("caadmin.errorcreatecaservice", Integer.valueOf(caid)); auditSession.log(EventTypes.CA_EDITING, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE, authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg); throw new EJBException(fe); } } // Set expire time ca.setExpireTime(CertTools.getNotAfter(cacert)); // Save CA caSession.editCA(authenticationToken, ca, true); // Publish CA Certificate publishCACertificate(authenticationToken, chain, ca.getCRLPublishers(), ca.getSubjectDN()); // Create initial CRL publishingCrlSession.forceCRL(authenticationToken, caid); publishingCrlSession.forceDeltaCRL(authenticationToken, caid); // All OK String detailsMsg = intres.getLocalizedMessage("caadmin.certrespreceived", Integer.valueOf(caid)); auditSession.log(EventTypes.CA_EDITING, EventStatus.SUCCESS, ModuleTypes.CA, ServiceTypes.CORE, authenticationToken.toString(), String.valueOf(caid), null, null, detailsMsg); } catch (CryptoTokenOfflineException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); sessionContext.setRollbackOnly(); // This is an application exception so it wont trigger a roll-back automatically throw e; } catch (CADoesntExistsException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); sessionContext.setRollbackOnly(); // This is an application exception so it wont trigger a roll-back automatically throw e; } catch (CertificateEncodingException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); throw new EjbcaException(e.getMessage()); } catch (CertificateException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); throw new EjbcaException(e.getMessage()); } catch (InvalidAlgorithmParameterException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); throw new EjbcaException(e.getMessage()); } catch (NoSuchAlgorithmException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); throw new EjbcaException(e.getMessage()); } catch (NoSuchProviderException e) { String msg = intres.getLocalizedMessage("caadmin.errorcertresp", Integer.valueOf(caid)); log.info(msg); throw new EjbcaException(e.getMessage()); } if (log.isTraceEnabled()) { log.trace("<receiveResponse: " + caid); } }
From source file:org.ejbca.extra.db.ExtRAMsgHelper.java
/** * Method used to verify signed data./*w w w . j av a 2s. c o m*/ * * @param TrustedCACerts a Collection of trusted certificates, should contain the entire chains * @param TrustedCRLs a Collection of trusted CRLS, use null if no CRL check should be used. * @param signedData the data to verify * @param date the date used to check the validity against. * @return a ParsedSignatureResult. */ public static ParsedSignatureResult verifySignature(Collection cACertChain, Collection trustedCRLs, byte[] signedData, Date date) { boolean verifies = false; X509Certificate usercert = null; ParsedSignatureResult retval = new ParsedSignatureResult(false, null, null); byte[] content = null; try { // First verify the signature CMSSignedData sp = new CMSSignedData(signedData); CertStore certs = sp.getCertificatesAndCRLs("Collection", "BC"); SignerInformationStore signers = sp.getSignerInfos(); ByteArrayOutputStream baos = new ByteArrayOutputStream(); ((CMSProcessableByteArray) sp.getSignedContent()).write(baos); content = baos.toByteArray(); baos.close(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certs.getCertificates(signer.getSID()); Iterator certIt = certCollection.iterator(); usercert = (X509Certificate) certIt.next(); boolean validalg = signer.getDigestAlgOID().equals(signAlg); verifies = validalg && signer.verify(usercert.getPublicKey(), "BC"); } // Second validate the certificate X509Certificate rootCert = null; Iterator iter = cACertChain.iterator(); while (iter.hasNext()) { X509Certificate cert = (X509Certificate) iter.next(); if (cert.getIssuerDN().equals(cert.getSubjectDN())) { rootCert = cert; break; } } if (rootCert == null) { throw new CertPathValidatorException("Error Root CA cert not found in cACertChain"); } List list = new ArrayList(); list.add(usercert); list.add(cACertChain); if (trustedCRLs != null) { list.add(trustedCRLs); } CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); CertStore store = CertStore.getInstance("Collection", ccsp); //validating path List certchain = new ArrayList(); certchain.addAll(cACertChain); certchain.add(usercert); CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain); Set trust = new HashSet(); trust.add(new TrustAnchor(rootCert, null)); CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC"); PKIXParameters param = new PKIXParameters(trust); param.addCertStore(store); param.setDate(date); if (trustedCRLs == null) { param.setRevocationEnabled(false); } else { param.setRevocationEnabled(true); } cpv.validate(cp, param); retval = new ParsedSignatureResult(verifies, usercert, content); } catch (Exception e) { log.error("Error verifying data : ", e); } return retval; }
From source file:org.ejbca.util.CertTools.java
/** * Method to create certificate path and to check it's validity from a list of certificates. * The list of certificates should only contain one root certificate. * * @param certlist//from w w w.ja v a2s .com * @return the certificatepath with the root CA at the end, either collection of Certificate or byte[] (der encoded certs) * @throws CertPathValidatorException if the certificate chain can not be constructed * @throws InvalidAlgorithmParameterException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws CertificateException */ public static Collection<Certificate> createCertChain(Collection<?> certlistin) throws CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException { ArrayList<Certificate> returnval = new ArrayList<Certificate>(); Collection<Certificate> certlist = orderCertificateChain(certlistin); // set certificate chain Certificate rootcert = null; ArrayList<Certificate> calist = new ArrayList<Certificate>(); Iterator<Certificate> iter = certlist.iterator(); while (iter.hasNext()) { Certificate next = iter.next(); if (CertTools.isSelfSigned(next)) { rootcert = next; } else { calist.add(next); } } if (calist.isEmpty()) { // only one root cert, no certchain returnval.add(rootcert); } else { // We need a bit special handling for CV certificates because those can not be handled using a PKIX CertPathValidator Certificate test = calist.get(0); if (test.getType().equals("CVC")) { if (calist.size() == 1) { returnval.add(test); returnval.add(rootcert); } else { throw new CertPathValidatorException( "CVC certificate chain can not be of length longer than two."); } } else { // Normal X509 certificates HashSet<TrustAnchor> trustancors = new HashSet<TrustAnchor>(); TrustAnchor trustanchor = null; trustanchor = new TrustAnchor((X509Certificate) rootcert, null); trustancors.add(trustanchor); // Create the parameters for the validator PKIXParameters params = new PKIXParameters(trustancors); // Disable CRL checking since we are not supplying any CRLs params.setRevocationEnabled(false); params.setDate(new Date()); // Create the validator and validate the path CertPathValidator certPathValidator = CertPathValidator .getInstance(CertPathValidator.getDefaultType(), "BC"); CertificateFactory fact = CertTools.getCertificateFactory(); CertPath certpath = fact.generateCertPath(calist); CertPathValidatorResult result = certPathValidator.validate(certpath, params); // Get the certificates validate in the path PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result; returnval.addAll(certpath.getCertificates()); // Get the CA used to validate this path TrustAnchor ta = pkixResult.getTrustAnchor(); X509Certificate cert = ta.getTrustedCert(); returnval.add(cert); } } return returnval; }
From source file:org.ejbca.util.CertTools.java
/** * Method ordering a list of certificate into a certificate path with the root CA at the end. * Does not check validity or verification of any kind, just ordering by issuerdn. * @param certlist list of certificates to order can be collection of Certificate or byte[] (der encoded certs). * @return Collection with certificatechain. *///from w w w. j av a2s . c om private static Collection<Certificate> orderCertificateChain(Collection<?> certlist) throws CertPathValidatorException { ArrayList<Certificate> returnval = new ArrayList<Certificate>(); Certificate rootca = null; HashMap<String, Certificate> cacertmap = new HashMap<String, Certificate>(); Iterator<?> iter = certlist.iterator(); while (iter.hasNext()) { Certificate cert = null; Object o = iter.next(); try { cert = (Certificate) o; } catch (ClassCastException e) { // This was not a certificate, is it byte encoded? byte[] certBytes = (byte[]) o; try { cert = CertTools.getCertfromByteArray(certBytes); } catch (CertificateException e1) { throw new CertPathValidatorException(e1); } } if (CertTools.isSelfSigned(cert)) { rootca = cert; } else { log.debug("Adding to cacertmap with index '" + CertTools.getIssuerDN(cert) + "'"); cacertmap.put(CertTools.getIssuerDN(cert), cert); } } if (rootca == null) { throw new CertPathValidatorException("No root CA certificate found in certificatelist"); } returnval.add(0, rootca); Certificate currentcert = rootca; int i = 0; while (certlist.size() != returnval.size() && i <= certlist.size()) { log.debug("Looking in cacertmap for '" + CertTools.getSubjectDN(currentcert) + "'"); Certificate nextcert = (Certificate) cacertmap.get(CertTools.getSubjectDN(currentcert)); if (nextcert == null) { throw new CertPathValidatorException("Error building certificate path"); } returnval.add(0, nextcert); currentcert = nextcert; i++; } if (i > certlist.size()) { throw new CertPathValidatorException("Error building certificate path"); } return returnval; }
From source file:org.globus.gsi.trustmanager.TrustedCertPathFinder.java
/** * Method that validates the provided cert path to find a trusted certificate in the certificate store. * <p/>//from www . ja v a 2 s.c o m * For each certificate i in certPath, it is expected that the i+1 certificate is the issuer of the certificate * path. See CertPath. * <p/> * For each certificate i in certpath, validate signature of certificate i get issuer of certificate i get * certificate i+i ensure that the certificate i+1 is issuer of certificate i If not, throw an exception for * illegal argument validate signature of i+1 Throw exception if it does not validate check if i+1 is a trusted * certificate in the trust store. If so return certpath until i+1 If not, continue; If all certificates in the * certpath have been checked and none exisits in trust store, check if trust store has certificate of issuer of * last certificate in CertPath. If so, return certPath + trusted certificate from trust store If not, throw * an exception for lack of valid trust root. * * @param keyStore The key store containing CA trust root certificates * @param certPath The certpath from which to extract a valid cert path to a trusted certificate. * @return The valid CertPath. * @throws CertPathValidatorException If the CertPath is invalid. */ public static CertPath findTrustedCertPath(KeyStore keyStore, CertPath certPath) throws CertPathValidatorException { // This will be the cert path to return List<X509Certificate> trustedCertPath = new ArrayList<X509Certificate>(); // This is the certs to validate List<? extends Certificate> certs = certPath.getCertificates(); X509Certificate x509Certificate; int index = 0; int certsSize = certs.size(); Certificate certificate = certs.get(index); if (!(certificate instanceof X509Certificate)) { throw new CertPathValidatorException( "Certificate of type " + X509Certificate.class.getName() + " required"); } x509Certificate = (X509Certificate) certificate; while (index < certsSize) { CertPath finalCertPath = isTrustedCert(keyStore, x509Certificate, trustedCertPath); if (finalCertPath != null) { return finalCertPath; } if (index + 1 >= certsSize) { break; } index++; Certificate issuerCertificate = certs.get(index); x509Certificate = checkCertificate(trustedCertPath, x509Certificate, issuerCertificate); } X509CertSelector selector = new X509CertSelector(); selector.setSubject(x509Certificate.getIssuerX500Principal()); Collection<? extends Certificate> caCerts; try { caCerts = KeyStoreUtil.getTrustedCertificates(keyStore, selector); } catch (KeyStoreException e) { throw new CertPathValidatorException(e); } if (caCerts.size() < 1) { throw new CertPathValidatorException("No trusted path can be constructed"); } boolean foundTrustRoot = false; for (Certificate caCert : caCerts) { if (!(caCert instanceof X509Certificate)) { logger.warn("Skipped a certificate: not an X509Certificate"); continue; } try { trustedCertPath.add(checkCertificate(trustedCertPath, x509Certificate, caCert)); // currently the caCert self-signature is not checked // to be consistent with the isTrustedCert() method foundTrustRoot = true; // we found a CA cert that signed the certificate // so we don't need to check any more break; } catch (CertPathValidatorException e) { // fine, just move on to check the next potential CA cert // after the loop we'll check whether any were successful logger.warn("Failed to validate signature of certificate with " + "subject DN '" + x509Certificate.getSubjectDN() + "' against a CA certificate with issuer DN '" + ((X509Certificate) caCert).getSubjectDN() + "'"); } } if (!foundTrustRoot) { throw new CertPathValidatorException("No trusted path can be constructed"); } try { CertificateFactory certFac = CertificateFactory.getInstance("X.509"); return certFac.generateCertPath(trustedCertPath); } catch (CertificateException e) { throw new CertPathValidatorException("Error generating trusted certificate path", e); } }
From source file:org.viafirma.nucleo.validacion.OcspValidatorHandler.java
/** * Valida mediante ocsp RFC 2560, el certificado indicado. * //from ww w . j a v a 2s. c om * @param certificadoX509 * Certificado que deseamos validar. * @param certificadoX509Emisor * Certificado emisor del certificado a validar. * @return * @throws CertPathValidatorException */ private CodigoError validarOCSP(X509Certificate certificadoX509, X509Certificate certificadoX509Emisor) throws CertPathValidatorException { // Si la validacin esta desactivada consideramos el certificado // validado. if (validacionOnline) { try { // Generamos la peticin OCSP para el certificado. OCSPReq request = generateRequest(certificadoX509, certificadoX509Emisor); // Recuperamos la url desde la que realizar la validacin OCSP String url = getUrlOCSP(certificadoX509); // Bytes del request byte[] byteRequest = request.getEncoded(); // Enviamos la peticin y recuperamos la respuesta InputStream inResponse = sendRequest(url, byteRequest); OCSPResp ocspResponse = new OCSPResp(inResponse); // but why Response Status is 6(No Valid)..? if (OCSPResponseStatus.SUCCESSFUL == ocspResponse.getStatus()) { log.info("Obtenida respuesta correcta OCSP. Estado:" + ocspResponse.getStatus()); CertificateID certID = new CertificateID(CertificateID.HASH_SHA1, certificadoX509Emisor, certificadoX509.getSerialNumber()); BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject(); // Comprobamos que la respuesta OCSP no ha sido manipulada y // ha sido firmada por un certificado de confianza. // Recupero el certificado con el que debe haber sido // firmado el ocsp checkOCSP(brep); SingleResp[] singleResp = brep.getResponses(); for (SingleResp resp : singleResp) { CertificateID respCertID = resp.getCertID(); if (respCertID.equals(certID)) { Object status = resp.getCertStatus(); if (status == CertificateStatus.GOOD) { log.debug("OCSPChecker: Status of certificate is: good"); break; } else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) { log.debug("OCSPChecker: Status of certificate is: revoked"); throw new CertPathValidatorException("Certificate has been revoked"); } else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) { log.debug("OCSPChecker: Status of certificate is: unknown"); throw new CertPathValidatorException("Certificate's revocation status is unknown"); } else { log.debug("Status of certificate is: not recognized"); throw new CertPathValidatorException("Unknown OCSP response for certificate"); } } } return CodigoError.OK_CERTIFICADO_VALIDADO; } else { /** * successful (0), --Response has valid confirmations * malformedRequest (1), --Illegal confirmation request * internalError (2), --Internal error in issuer tryLater * (3), --Try again later --(4) is not used sigRequired (5), * --Must sign the request unauthorized (6) --Request * unauthorized */ if (OCSPResponseStatus.MALFORMED_REQUEST == ocspResponse.getStatus()) { log.warn( "Obtenida respuesta Incorrecta OCSP: malformedRequest (1), --Illegal confirmation request. estatus: " + ocspResponse.getStatus()); return CodigoError.ERROR_OCSP_URL; } else if (OCSPResponseStatus.INTERNAL_ERROR == ocspResponse.getStatus()) { log.warn( "Obtenida respuesta Incorrecta OCSP: internalError (2),--Internal error in issuer. estatus: " + ocspResponse.getStatus()); return CodigoError.ERROR_OCSP_INTERNAL_ERROR; } else if (OCSPResponseStatus.TRY_LATER == ocspResponse.getStatus()) { log.warn("Obtenida respuesta Incorrecta OCSP: tryLater (3), --Try again later. estatus: " + ocspResponse.getStatus()); return CodigoError.ERROR_OCSP_TRY_LATER; } else if (OCSPResponseStatus.SIG_REQUIRED == ocspResponse.getStatus()) { log.warn( "Obtenida respuesta Incorrecta OCSP: sigRequired(5),--Must sign the request. estatus: " + ocspResponse.getStatus()); return CodigoError.ERROR_OCSP_INTERNAL_ERROR; } else if (OCSPResponseStatus.SIG_REQUIRED == ocspResponse.getStatus()) { log.warn( "Obtenida respuesta Incorrecta OCSP: unauthorized (6)--Request unauthorized. estatus: " + ocspResponse.getStatus()); return CodigoError.ERROR_OCSP_INTERNAL_ERROR; } else { log.warn( "Obtenida una respuesta incorrecta OCSP, probablemente el certificado este caducado."); return CodigoError.ERROR_VALIDACION_CERTIFICADO_CADUCADO; } } } catch (OCSPException e) { log.fatal(CodigoError.ERROR_OCSP_INTERNAL_ERROR, e); return CodigoError.ERROR_OCSP_INTERNAL_ERROR; } catch (ExcepcionErrorInterno e) { log.error("No se puede validar el certificado. ", e); return e.getCodError(); } catch (IOException e) { log.fatal(CodigoError.ERROR_INTERNO, e); return CodigoError.ERROR_INTERNO; } } else { log.info("La validacin online OCSP esta desactivada. Consideramos el certificado Vlido."); return CodigoError.OK_CERTIFICADO_VALIDADO; } }