sun.security.validator.ValidatorException Java Examples
The following examples show how to use sun.security.validator.ValidatorException. Note that this class lives in an internal JDK package (sun.security.validator) that is not part of the public API, so code outside the JDK that references it depends on a non-exported type.
Example #1
Source File: PKIXValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Validates an already-complete chain with the PKIX {@link CertPathValidator}.
 * Every certificate is re-wrapped as an {@code X509CertImpl} before the path is
 * generated (the original comment attributes this to validating RSASSA-PSS
 * signed certificates on JDK 8). The chain length is recorded in
 * {@code certPathLength}; the result is the validated chain with the trust
 * anchor appended via {@code toArray}.
 *
 * @param chain  certificate chain, end entity first
 * @param params PKIX parameters; the validation date is applied via {@code setDate}
 * @return the validated chain followed by the trust anchor certificate
 * @throws CertificateException wrapped as {@code ValidatorException} for any
 *         {@link GeneralSecurityException} raised while generating or
 *         validating the path
 */
private X509Certificate[] doValidate(X509Certificate[] chain,
        PKIXBuilderParameters params) throws CertificateException {
    try {
        setDate(params);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // JDK8: rebuild each cert as X509CertImpl so RSASSA-PSS signed certs validate
        int count = chain.length;
        X509Certificate[] reencoded = new X509Certificate[count];
        int idx = 0;
        for (X509Certificate original : chain) {
            reencoded[idx++] = new X509CertImpl(original.getEncoded());
        }

        CertPath path = factory.generateCertPath(Arrays.asList(reencoded));
        certPathLength = count;

        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return toArray(path, result.getTrustAnchor());
    } catch (GeneralSecurityException e) {
        throw new ValidatorException
            ("PKIX path validation failed: " + e.toString(), e);
    }
}
Example #2
Source File: SdsX509TrustManagerTest.java From grpc-java with Apache License 2.0 | 6 votes |
/**
 * A server certificate that does not chain to the configured trust roots must be
 * rejected by the socket overload of {@code checkServerTrusted} with a
 * {@link ValidatorException} whose message ends in the standard
 * "unable to find valid certification path" text; the socket must have been
 * queried exactly once each for connection state and handshake session.
 */
@Test
public void checkServerTrustedSslSocket_untrustedServer_expectException()
    throws CertificateException, IOException, CertStoreException {
  TestSslSocket socket = buildTrustManagerAndGetSslSocket();
  X509Certificate[] untrustedChain =
      CertificateUtils.toX509Certificates(TestUtils.loadCert(BAD_SERVER_PEM_FILE));
  boolean rejected = false;
  try {
    trustManager.checkServerTrusted(untrustedChain, "ECDHE_ECDSA", socket);
  } catch (ValidatorException expected) {
    rejected = true;
    assertThat(expected).hasMessageThat()
        .endsWith("unable to find valid certification path to requested target");
  }
  if (!rejected) {
    fail("exception expected");
  }
  verify(socket, times(1)).isConnected();
  verify(socket, times(1)).getHandshakeSession();
}
Example #3
Source File: HttpsUrlConnClient.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/**
 * Checks a validation failure to see if it failed for the reason we think
 * it should. The exception arrives as some {@link SSLException} whose cause
 * is a {@code sun.security.validator.ValidatorException}, whose cause in turn
 * is the {@link CertPathValidatorException} carrying the reason of interest.
 *
 * @param e the exception thrown at the top level
 * @param reason the underlying CertPathValidatorException BasicReason
 * we are expecting it to have.
 *
 * @return true if the reason matches up, false otherwise.
 */
static boolean checkClientValidationFailure(Exception e, BasicReason reason) {
    if (!(e instanceof SSLException)) {
        return false;
    }
    Throwable validatorLayer = e.getCause();
    if (!(validatorLayer instanceof sun.security.validator.ValidatorException)) {
        return false;
    }
    Throwable pathLayer = validatorLayer.getCause();
    if (!(pathLayer instanceof CertPathValidatorException)) {
        return false;
    }
    // only the innermost CertPathValidatorException's reason is compared
    return ((CertPathValidatorException) pathLayer).getReason() == reason;
}
Example #4
Source File: MatrixNotifications.java From ForgeHax with MIT License | 6 votes |
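/**
 * Posts {@code json} to {@code url} on the shared {@code EXECUTOR} without
 * blocking the caller. A non-200 status or any other failure is reported via
 * {@code printError}; when a {@code ValidatorException} (certificate path
 * validation failure) appears anywhere in the cause chain, the message instead
 * points at an outdated JRE trust store. The stack trace is always printed.
 *
 * @param url  target endpoint
 * @param json request body
 */
private static void postAsync(final String url, final JsonElement json) {
    EXECUTOR.submit(() -> {
        try {
            HttpResponse res = post(url, json);
            int status = res.getStatusLine().getStatusCode();
            if (status != 200) {
                // a RuntimeException (not Error) is sufficient; it is caught below
                throw new IllegalStateException("got response code " + status);
            }
        } catch (Throwable t) {
            // walk the whole cause chain rather than only the direct cause, so a
            // ValidatorException wrapped more than one level deep is still recognised
            if (hasCauseOfType(t, ValidatorException.class)) {
                printError("Java JRE outdated. Change games to use the latest JRE.");
            } else {
                printError("Failed to send message to url: " + t.getMessage());
            }
            t.printStackTrace();
        }
    });
}

/**
 * Returns whether {@code t} or any throwable in its cause chain is an
 * instance of {@code type}.
 *
 * @param t    throwable to inspect
 * @param type exception type to look for
 * @return true if found at any depth
 */
private static boolean hasCauseOfType(Throwable t, Class<? extends Throwable> type) {
    // Throwable.getCause() returns null for a self-referential cause, which ends the loop
    for (Throwable current = t; current != null; current = current.getCause()) {
        if (type.isInstance(current)) {
            return true;
        }
    }
    return false;
}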
Example #5
Source File: EndEntityChecker.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Check whether this certificate can be used for TLS client
 * authentication: KeyUsage must permit digital signatures, the extended key
 * usage must permit TLS client authentication, and the Netscape cert type
 * bit for SSL client must be acceptable. The three OIDs examined are removed
 * from {@code exts} once all checks pass.
 * @throws CertificateException if not.
 */
private void checkTLSClient(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    boolean clientAuthEku = checkEKU(cert, exts, OID_EKU_TLS_CLIENT);
    if (!clientAuthEku) {
        throw new ValidatorException("Extended key usage does not " +
            "permit use for TLS client authentication",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    boolean nsClientBit =
        SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_CLIENT);
    if (!nsClientBit) {
        throw new ValidatorException
            ("Netscape cert type does not permit use for SSL client",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    // these extensions were consumed by the checks above
    for (String checked : new String[] {
            SimpleValidator.OID_KEY_USAGE,
            SimpleValidator.OID_EXTENDED_KEY_USAGE,
            SimpleValidator.OID_NETSCAPE_CERT_TYPE}) {
        exts.remove(checked);
    }
}
Example #6
Source File: PKIXValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Appends the trust anchor's certificate to the certificates of a validated
 * path, yielding the full chain with the anchor in the last slot. The anchor
 * must carry an actual certificate, which is vetted via
 * {@code verifyTrustAnchor} before use.
 *
 * @param path   validated certificate path
 * @param anchor trust anchor the path terminates at
 * @return the path certificates followed by the anchor certificate
 * @throws CertificateException if the anchor has no certificate, or
 *         {@code verifyTrustAnchor} rejects it
 */
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
        throws CertificateException {
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        throw new ValidatorException
            ("TrustAnchor must be specified as certificate");
    }
    verifyTrustAnchor(anchorCert);

    List<? extends java.security.cert.Certificate> pathCerts = path.getCertificates();
    int n = pathCerts.size();
    // the destination array is one slot longer than the list; toArray fills
    // the first n entries and returns the same array, leaving slot n for the anchor
    X509Certificate[] full = pathCerts.toArray(new X509Certificate[n + 1]);
    full[n] = anchorCert;
    return full;
}
Example #7
Source File: SymantecTLSPolicy.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * This method assumes the eeCert is a TLS Server Cert and chains back to
 * the anchor. When the anchor's fingerprint is in {@code FINGERPRINTS}, the
 * end-entity's notBefore date (taken in UTC) is compared against either the
 * exemption date recorded for the issuing subCA in {@code EXEMPT_SUBCAS} or,
 * failing that, the global April 16, 2019 cutoff.
 *
 * @param chain the end-entity's certificate chain. The end entity cert
 * is at index 0, the trust anchor at index n-1.
 * @throws ValidatorException if the certificate is distrusted
 */
static void checkDistrust(X509Certificate[] chain) throws ValidatorException {
    int last = chain.length - 1;
    X509Certificate root = chain[last];
    if (!FINGERPRINTS.contains(fingerprint(root))) {
        return;
    }
    LocalDate issued = chain[0].getNotBefore()
            .toInstant().atZone(ZoneOffset.UTC).toLocalDate();

    // a chain passing through an exempt subCA uses that subCA's own cutoff
    LocalDate cutoff = null;
    if (chain.length > 2) {
        cutoff = EXEMPT_SUBCAS.get(fingerprint(chain[last - 1]));
    }
    if (cutoff == null) {
        // otherwise reject if the certificate is issued after April 16, 2019
        cutoff = APRIL_16_2019;
    }
    checkNotBefore(issued, cutoff, root);
}
Example #8
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Checks that a CA certificate's KeyUsage extension, when present, asserts
 * keyCertSign (bit 5). The KeyUsage and ExtendedKeyUsage OIDs are removed
 * from {@code critSet} up front; EKU is not evaluated for CA certificates.
 *
 * @param cert    CA certificate under test
 * @param critSet remaining unhandled critical extension OIDs; mutated
 * @throws CertificateException if KeyUsage is present without keyCertSign
 */
private void checkKeyUsage(X509Certificate cert, Set<String> critSet)
        throws CertificateException {
    critSet.remove(OID_KEY_USAGE);
    // EKU irrelevant in CA certificates
    critSet.remove(OID_EXTENDED_KEY_USAGE);

    boolean[] usage = cert.getKeyUsage();
    if (usage == null) {
        return; // no KeyUsage extension: nothing to enforce here
    }
    // bit 5 is keyCertSign; the length guard covers a short array
    boolean certSign = usage.length >= 6 && usage[5];
    if (!certSign) {
        throw new ValidatorException
            ("Wrong key usage: expected keyCertSign",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }
}
Example #9
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Enforces the Netscape CertType extension on a CA certificate according to
 * the validator {@code variant}: the TLS variants require the SSL-CA bit, the
 * code-signing and JCE-signing variants require the code-signing-CA bit, and
 * the generic variant performs no check. Whenever a check is performed the
 * extension's OID is also removed from {@code critSet}.
 *
 * @param cert    CA certificate
 * @param critSet unhandled critical extension OIDs; mutated
 * @throws CertificateException if the required bit is missing, or the
 *         variant is unknown
 */
private void checkNetscapeCertType(X509Certificate cert, Set<String> critSet)
        throws CertificateException {
    if (variant.equals(VAR_GENERIC)) {
        return; // nothing to enforce for the generic variant
    }
    boolean tls = variant.equals(VAR_TLS_CLIENT) || variant.equals(VAR_TLS_SERVER);
    boolean signing = variant.equals(VAR_CODE_SIGNING) || variant.equals(VAR_JCE_SIGNING);
    if (!tls && !signing) {
        throw new CertificateException("Unknown variant " + variant);
    }
    if (tls) {
        if (!getNetscapeCertTypeBit(cert, NSCT_SSL_CA)) {
            throw new ValidatorException
                ("Invalid Netscape CertType extension for SSL CA " +
                "certificate", ValidatorException.T_CA_EXTENSIONS, cert);
        }
    } else if (!getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING_CA)) {
        throw new ValidatorException
            ("Invalid Netscape CertType extension for code " +
            "signing CA certificate", ValidatorException.T_CA_EXTENSIONS, cert);
    }
    // the extension has been evaluated for this variant
    critSet.remove(OID_NETSCAPE_CERT_TYPE);
}
Example #10
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Validates the extensions of a CA certificate: basic constraints (which also
 * yields the remaining path-length budget), key usage, and Netscape cert
 * type. Any critical extension OID that those checks did not consume is
 * rejected.
 *
 * @param cert       CA certificate
 * @param maxPathLen path-length budget before this certificate
 * @return path-length budget after this certificate
 * @throws CertificateException if a check fails or unknown critical
 *         extensions remain
 */
private int checkExtensions(X509Certificate cert, int maxPathLen)
        throws CertificateException {
    Set<String> unhandled = cert.getCriticalExtensionOIDs();
    if (unhandled == null) {
        unhandled = Collections.emptySet();
    }
    // each check removes the OIDs it consumes from the set
    int remainingPathLen = checkBasicConstraints(cert, unhandled, maxPathLen);
    checkKeyUsage(cert, unhandled);
    checkNetscapeCertType(cert, unhandled);

    if (unhandled.isEmpty()) {
        return remainingPathLen;
    }
    throw new ValidatorException
        ("Certificate contains unknown critical extensions: " + unhandled,
        ValidatorException.T_CA_EXTENSIONS, cert);
}
Example #11
Source File: EndEntityChecker.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Check whether this certificate can be used by a time stamping authority
 * server (see RFC 3161, section 2.3): KeyUsage must allow digital
 * signatures, an ExtendedKeyUsage extension must be present, and it must
 * permit time stamping. The KeyUsage and EKU OIDs are dropped from
 * {@code exts} once checked.
 * @throws CertificateException if not.
 */
private void checkTSAServer(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    // a TSA certificate must carry the EKU extension itself
    boolean hasEku = cert.getExtendedKeyUsage() != null;
    if (!hasEku) {
        throw new ValidatorException
            ("Certificate does not contain an extended key usage " +
            "extension required for a TSA server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    if (!checkEKU(cert, exts, OID_EKU_TIME_STAMPING)) {
        throw new ValidatorException
            ("Extended key usage does not permit use for TSA server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    // consumed by the checks above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
}
Example #12
Source File: SimpleValidator.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Checks the BasicConstraints extension of a CA certificate and computes the
 * path-length budget left for the certificates it issues. A certificate that
 * is not self-issued consumes one unit of the budget, and the certificate's
 * own pathLenConstraint caps the result.
 *
 * @param cert       CA certificate
 * @param critSet    unhandled critical OIDs; BasicConstraints is removed
 * @param maxPathLen budget before this certificate
 * @return budget after this certificate
 * @throws CertificateException if the certificate is not a CA, or the
 *         budget is already exhausted
 */
private int checkBasicConstraints(X509Certificate cert, Set<String> critSet,
        int maxPathLen) throws CertificateException {
    critSet.remove(OID_BASIC_CONSTRAINTS);

    // -1 when the extension is missing or cA is false: not a CA certificate
    int pathLenConstraint = cert.getBasicConstraints();
    if (pathLenConstraint < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int remaining = maxPathLen;
    // self-issued certificates do not count against the path length
    boolean consumesBudget = !X509CertImpl.isSelfIssued(cert);
    if (consumesBudget) {
        if (remaining <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        remaining--;
    }
    return Math.min(remaining, pathLenConstraint);
}
Example #13
Source File: SymantecTLSPolicy.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Rejects a TLS server certificate issued after the cutoff date that applies
 * to its distrusted legacy Symantec anchor.
 *
 * @param notBeforeDate the server certificate's notBefore, as a date
 * @param distrustDate  last issuance date still accepted under this anchor
 * @param anchor        the distrusted root, named in the error message
 * @throws ValidatorException of type {@code T_UNTRUSTED_CERT} when
 *         {@code notBeforeDate} is strictly after {@code distrustDate}
 */
private static void checkNotBefore(LocalDate notBeforeDate,
        LocalDate distrustDate, X509Certificate anchor)
        throws ValidatorException {
    // issued on the cutoff date itself is still accepted
    boolean issuedTooLate = notBeforeDate.compareTo(distrustDate) > 0;
    if (!issuedTooLate) {
        return;
    }
    throw new ValidatorException
        ("TLS Server certificate issued after " + distrustDate +
         " and anchored by a distrusted legacy Symantec root CA: " +
         anchor.getSubjectX500Principal(),
         ValidatorException.T_UNTRUSTED_CERT, anchor);
}
Example #14
Source File: PKIXValidator.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Verify that a trust anchor certificate is a CA certificate.
 * The check is skipped entirely when {@code ALLOW_NON_CA_ANCHOR} is set (the
 * jdk.security.allowNonCAAnchor system property) and for pre-v3 certificates,
 * which cannot carry the extensions examined here.
 *
 * @param trustedCert anchor certificate
 * @throws ValidatorException if a v3 anchor does not assert cA, or carries a
 *         KeyUsage extension without the keyCertSign bit
 */
private static void verifyTrustAnchor(X509Certificate trustedCert)
        throws ValidatorException {
    // skip check if jdk.security.allowNonCAAnchor system property is set
    if (ALLOW_NON_CA_ANCHOR) {
        return;
    }
    // allow v1 trust anchor certificates
    boolean isV3 = trustedCert.getVersion() >= 3;
    if (!isV3) {
        return;
    }
    // check that the BasicConstraints cA field is not set to false
    boolean isCa = trustedCert.getBasicConstraints() != -1;
    if (!isCa) {
        throw new ValidatorException
            ("TrustAnchor with subject \"" + trustedCert.getSubjectX500Principal()
            + "\" is not a CA certificate");
    }
    // check that the KeyUsage extension, if included, asserts the
    // keyCertSign bit (index 5)
    boolean[] keyUsage = trustedCert.getKeyUsage();
    boolean certSignOk = keyUsage == null || keyUsage[5];
    if (!certSignOk) {
        throw new ValidatorException
            ("TrustAnchor with subject \"" + trustedCert.getSubjectX500Principal()
            + "\" does not have keyCertSign bit set in KeyUsage extension");
    }
}
Example #15
Source File: PKIXValidator.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Builds a certificate path for {@code chain[0]} with the PKIX
 * {@link CertPathBuilder}, making the supplied chain plus any
 * {@code otherCerts} available through a Collection CertStore, and returns
 * the built path with its trust anchor appended via {@code toArray}.
 *
 * @param chain      candidate chain; index 0 is the end entity and becomes
 *                   the builder's target constraint
 * @param otherCerts additional certificates offered to the builder, may be null
 * @param params     PKIX parameters; mutated (target constraints, cert store,
 *                   and the validation date via {@code setDate})
 * @return the built chain followed by the anchor certificate
 * @throws CertificateException wrapped as {@code ValidatorException} for any
 *         {@link GeneralSecurityException} raised during the build
 */
private X509Certificate[] doBuild(X509Certificate[] chain,
        Collection<X509Certificate> otherCerts,
        PKIXBuilderParameters params) throws CertificateException {
    try {
        setDate(params);

        // the end-entity certificate is the build target
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        params.setTargetCertConstraints(target);

        // everything on hand is pooled into a single Collection CertStore
        List<X509Certificate> available = new ArrayList<>(Arrays.asList(chain));
        if (otherCerts != null) {
            available.addAll(otherCerts);
        }
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(available)));

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult built =
            (PKIXCertPathBuilderResult) builder.build(params);
        return toArray(built.getCertPath(), built.getTrustAnchor());
    } catch (GeneralSecurityException e) {
        throw new ValidatorException
            ("PKIX path building failed: " + e.toString(), e);
    }
}
Example #16
Source File: Distrust.java From dragonwell8_jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Drives {@code xtm.checkServerTrusted} against {@code chain} after replacing
 * the server certificate with a copy whose notBefore is {@code notBefore},
 * then checks the outcome against {@code valid}: a valid chain must be
 * accepted, an invalid one must be rejected with a {@code ValidatorException}
 * of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       trust manager under test
 * @param chain     server chain; element 0 is replaced in place
 * @param notBefore issuance date faked onto the server certificate
 * @param valid     whether the chain is expected to pass
 * @throws Exception if the outcome does not match {@code valid}
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certs are issued after the distrust date, so the
    // server cert's notBefore is faked to exercise the rejection path
    // (which the distrust property can disable).
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException failure = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        failure = ce;
    }

    if (failure == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", failure);
    }
    // only a distrust rejection is an acceptable failure
    boolean distrustRejection = failure instanceof ValidatorException
        && ((ValidatorException) failure).getErrorType()
           == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrustRejection) {
        throw new Exception("Unexpected exception: " + failure);
    }
}
Example #17
Source File: Distrust.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Drives {@code xtm.checkServerTrusted} against {@code chain} after replacing
 * the server certificate with a copy whose notBefore is {@code notBefore},
 * then checks the outcome against {@code valid}: a valid chain must be
 * accepted, an invalid one must be rejected with a {@code ValidatorException}
 * of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       trust manager under test
 * @param chain     server chain; element 0 is replaced in place
 * @param notBefore issuance date faked onto the server certificate
 * @param valid     whether the chain is expected to pass
 * @throws Exception if the outcome does not match {@code valid}
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certs are issued after the distrust date, so the
    // server cert's notBefore is faked to exercise the rejection path
    // (which the distrust property can disable).
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException failure = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        failure = ce;
    }

    if (failure == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", failure);
    }
    // only a distrust rejection is an acceptable failure
    boolean distrustRejection = failure instanceof ValidatorException
        && ((ValidatorException) failure).getErrorType()
           == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrustRejection) {
        throw new Exception("Unexpected exception: " + failure);
    }
}
Example #18
Source File: Distrust.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
 * Drives {@code xtm.checkServerTrusted} against {@code chain} after replacing
 * the server certificate with a copy whose notBefore is {@code notBefore},
 * then checks the outcome against {@code valid}: a valid chain must be
 * accepted, an invalid one must be rejected with a {@code ValidatorException}
 * of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       trust manager under test
 * @param chain     server chain; element 0 is replaced in place
 * @param notBefore issuance date faked onto the server certificate
 * @param valid     whether the chain is expected to pass
 * @throws Exception if the outcome does not match {@code valid}
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certs are issued after the distrust date, so the
    // server cert's notBefore is faked to exercise the rejection path
    // (which the distrust property can disable).
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException failure = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        failure = ce;
    }

    if (failure == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", failure);
    }
    // only a distrust rejection is an acceptable failure
    boolean distrustRejection = failure instanceof ValidatorException
        && ((ValidatorException) failure).getErrorType()
           == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrustRejection) {
        throw new Exception("Unexpected exception: " + failure);
    }
}
Example #19
Source File: Main.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Validates {@code certs} as a code-signing chain with the PKIX validator.
 * Certain failures are swallowed when the caller has already recorded the
 * corresponding condition (expired / not-yet-valid certificate, or bad
 * KeyUsage / ExtendedKeyUsage / NetscapeCertType); every other failure is
 * rethrown, unwrapped to the underlying {@link CertPathValidatorException}
 * when the {@code ValidatorException} carries one as its cause.
 *
 * @param certs chain to validate
 * @throws Exception the (possibly unwrapped) validation failure
 */
void validateCertChain(List<? extends Certificate> certs) throws Exception {
    try {
        Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_CODE_SIGNING,
                pkixParameters)
                .validate(certs.toArray(new X509Certificate[certs.size()]));
    } catch (Exception e) {
        if (debug) {
            e.printStackTrace();
        }
        if (e instanceof ValidatorException) {
            // Throw cause if it's CertPathValidatorException,
            if (e.getCause() != null &&
                    e.getCause() instanceof CertPathValidatorException) {
                // NOTE: e is rebound here, so the final `throw e` raises the
                // CertPathValidatorException rather than the wrapper.
                e = (Exception) e.getCause();
                Throwable t = e.getCause();
                if ((t instanceof CertificateExpiredException && hasExpiredCert) ||
                        (t instanceof CertificateNotYetValidException && notYetValidCert)) {
                    // we already have hasExpiredCert and notYetValidCert
                    return;
                }
            }
            // Only still true when no CertPathValidatorException cause was
            // found above (otherwise e has been rebound to that cause).
            if (e instanceof ValidatorException) {
                ValidatorException ve = (ValidatorException)e;
                if (ve.getErrorType() == ValidatorException.T_EE_EXTENSIONS &&
                        (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType)) {
                    // We already have badKeyUsage, badExtendedKeyUsage
                    // and badNetscapeCertType
                    return;
                }
            }
        }
        throw e;
    }
}
Example #20
Source File: EndEntityChecker.java From openjsse with GNU General Public License v2.0 | 5 votes |
/**
 * Check whether this certificate can be used for code signing: KeyUsage must
 * allow digital signatures and the extended key usage must permit code
 * signing. The Netscape cert type must additionally allow code signing,
 * except under the JCE signing variant where it is deliberately skipped
 * because some certs were issued with incorrect extensions. Checked OIDs are
 * dropped from {@code exts}.
 * @throws CertificateException if not.
 */
private void checkCodeSigning(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    if (!checkEKU(cert, exts, OID_EKU_CODE_SIGNING)) {
        throw new ValidatorException
            ("Extended key usage does not permit use for code signing",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }
    boolean jceVariant = variant.equals(Validator.VAR_JCE_SIGNING);
    if (!jceVariant) {
        // do not check Netscape cert type for JCE code signing checks
        // (some certs were issued with incorrect extensions)
        boolean nsCodeSigning =
            SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING);
        if (!nsCodeSigning) {
            throw new ValidatorException
                ("Netscape cert type does not permit use for code signing",
                ValidatorException.T_EE_EXTENSIONS, cert);
        }
        exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
    }
    // consumed by the checks above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
}
Example #21
Source File: Distrust.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Drives {@code xtm.checkServerTrusted} against {@code chain} after replacing
 * the server certificate with a copy whose notBefore is {@code notBefore},
 * then checks the outcome against {@code valid}: a valid chain must be
 * accepted, an invalid one must be rejected with a {@code ValidatorException}
 * of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       trust manager under test
 * @param chain     server chain; element 0 is replaced in place
 * @param notBefore issuance date faked onto the server certificate
 * @param valid     whether the chain is expected to pass
 * @throws Exception if the outcome does not match {@code valid}
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certs are issued after the distrust date, so the
    // server cert's notBefore is faked to exercise the rejection path
    // (which the distrust property can disable).
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException failure = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        failure = ce;
    }

    if (failure == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", failure);
    }
    // only a distrust rejection is an acceptable failure
    boolean distrustRejection = failure instanceof ValidatorException
        && ((ValidatorException) failure).getErrorType()
           == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrustRejection) {
        throw new Exception("Unexpected exception: " + failure);
    }
}
Example #22
Source File: SdsX509TrustManagerTest.java From grpc-java with Apache License 2.0 | 5 votes |
/**
 * A server certificate that does not chain to the configured trust roots must be
 * rejected by the engine overload of {@code checkServerTrusted} with a
 * {@link ValidatorException} whose message ends in the standard
 * "unable to find valid certification path" text; the engine must have been
 * queried exactly once for its handshake session.
 */
@Test
public void checkServerTrustedSslEngine_untrustedServer_expectException()
    throws CertificateException, IOException, CertStoreException {
  TestSslEngine engine = buildTrustManagerAndGetSslEngine();
  X509Certificate[] untrustedChain =
      CertificateUtils.toX509Certificates(TestUtils.loadCert(BAD_SERVER_PEM_FILE));
  boolean rejected = false;
  try {
    trustManager.checkServerTrusted(untrustedChain, "ECDHE_ECDSA", engine);
  } catch (ValidatorException expected) {
    rejected = true;
    assertThat(expected).hasMessageThat()
        .endsWith("unable to find valid certification path to requested target");
  }
  if (!rejected) {
    fail("exception expected");
  }
  verify(engine, times(1)).getHandshakeSession();
}
Example #23
Source File: EndEntityChecker.java From openjsse with GNU General Public License v2.0 | 4 votes |
/**
 * Check whether this certificate can be used for TLS server authentication
 * using the specified authentication type parameter. See X509TrustManager
 * specification for details. The KeyUsage bit that must be asserted depends
 * on which of {@code KU_SERVER_ENCRYPTION}, {@code KU_SERVER_SIGNATURE} or
 * {@code KU_SERVER_KEY_AGREEMENT} contains {@code parameter}; the extended
 * key usage must permit TLS server authentication (or one of the obsolete
 * SGC OIDs), and the Netscape cert type must allow SSL server use. Checked
 * OIDs are removed from {@code exts}.
 * @throws CertificateException if not.
 */
private void checkTLSServer(X509Certificate cert, String parameter,
        Set<String> exts) throws CertificateException {
    // map the auth type onto the KeyUsage bit it must assert
    boolean keyUsageOk;
    String keyUsageFailure;
    if (KU_SERVER_ENCRYPTION.contains(parameter)) {
        keyUsageOk = checkKeyUsage(cert, KU_KEY_ENCIPHERMENT);
        keyUsageFailure = "KeyUsage does not allow key encipherment";
    } else if (KU_SERVER_SIGNATURE.contains(parameter)) {
        keyUsageOk = checkKeyUsage(cert, KU_SIGNATURE);
        keyUsageFailure = "KeyUsage does not allow digital signatures";
    } else if (KU_SERVER_KEY_AGREEMENT.contains(parameter)) {
        keyUsageOk = checkKeyUsage(cert, KU_KEY_AGREEMENT);
        keyUsageFailure = "KeyUsage does not allow key agreement";
    } else {
        throw new CertificateException("Unknown authType: " + parameter);
    }
    if (!keyUsageOk) {
        throw new ValidatorException(keyUsageFailure,
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // the obsolete Server-Gated-Cryptography (aka Step-Up, 128 bit) EKU OIDs
    // are accepted as equivalents of the TLS server EKU; short-circuit keeps
    // the same probe order as before
    boolean ekuOk = checkEKU(cert, exts, OID_EKU_TLS_SERVER)
        || checkEKU(cert, exts, OID_EKU_MS_SGC)
        || checkEKU(cert, exts, OID_EKU_NS_SGC);
    if (!ekuOk) {
        throw new ValidatorException
            ("Extended key usage does not permit use for TLS " +
            "server authentication",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (!SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_SERVER)) {
        throw new ValidatorException
            ("Netscape cert type does not permit use for SSL server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // consumed by the checks above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
    exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
}