sun.security.validator.ValidatorException Java Examples

Example #1
Source File: PKIXValidator.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Validates an already-complete chain with the PKIX {@code CertPathValidator}.
 *
 * <p>Every certificate is re-wrapped in {@code X509CertImpl} before the path
 * is generated (JDK8 needs that to validate RSASSA-PSS signed certificates),
 * and the validated path plus its trust anchor is handed to {@code toArray}.
 *
 * @param chain  the chain to validate
 * @param params builder parameters; {@code setDate} is applied to them first
 * @return the array assembled by {@code toArray} from the validated path and
 *         the result's trust anchor
 * @throws CertificateException a {@code ValidatorException} wrapping any
 *         {@code GeneralSecurityException} raised while re-encoding,
 *         generating or validating the path
 */
private X509Certificate[] doValidate(X509Certificate[] chain,
        PKIXBuilderParameters params) throws CertificateException {
    try {
        setDate(params);

        CertPathValidator pkixValidator = CertPathValidator.getInstance("PKIX");

        // JDK8: use our own X509CertImpl so RSASSA-PSS signed certs validate
        int n = chain.length;
        X509Certificate[] wrapped = new X509Certificate[n];
        int i = 0;
        while (i < n) {
            wrapped[i] = new X509CertImpl(chain[i].getEncoded());
            i++;
        }

        CertPath certPath = factory.generateCertPath(Arrays.asList(wrapped));
        certPathLength = n;

        PKIXCertPathValidatorResult outcome =
            (PKIXCertPathValidatorResult) pkixValidator.validate(certPath, params);
        return toArray(certPath, outcome.getTrustAnchor());
    } catch (GeneralSecurityException e) {
        throw new ValidatorException
            ("PKIX path validation failed: " + e.toString(), e);
    }
}
 
Example #2
Source File: SdsX509TrustManagerTest.java    From grpc-java with Apache License 2.0 6 votes vote down vote up
/**
 * A server chain that does not validate against the configured trust
 * material must be rejected by the SSLSocket flavour of
 * {@code checkServerTrusted}, and the socket must be asked exactly once
 * whether it is connected and exactly once for its handshake session.
 */
@Test
public void checkServerTrustedSslSocket_untrustedServer_expectException()
    throws CertificateException, IOException, CertStoreException {
  TestSslSocket socket = buildTrustManagerAndGetSslSocket();
  X509Certificate[] untrustedChain =
      CertificateUtils.toX509Certificates(TestUtils.loadCert(BAD_SERVER_PEM_FILE));
  ValidatorException rejection = null;
  try {
    trustManager.checkServerTrusted(untrustedChain, "ECDHE_ECDSA", socket);
    fail("exception expected");
  } catch (ValidatorException e) {
    rejection = e;
  }
  assertThat(rejection).hasMessageThat()
      .endsWith("unable to find valid certification path to requested target");
  verify(socket, times(1)).isConnected();
  verify(socket, times(1)).getHandshakeSession();
}
 
Example #3
Source File: HttpsUrlConnClient.java    From openjdk-jdk9 with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Tells whether a client-side validation failure carries the expected
 * {@code BasicReason}.
 *
 * <p>The failure surfaces as an {@code SSLException} whose cause is a
 * {@code sun.security.validator.ValidatorException}, whose cause in turn is
 * the {@code CertPathValidatorException} carrying the reason. Any break in
 * that three-level chain yields {@code false}.
 *
 * @param e      the exception thrown at the top level
 * @param reason the {@code BasicReason} the innermost
 *               {@code CertPathValidatorException} is expected to carry
 * @return true if the chain has the expected shape and the reason matches,
 *         false otherwise
 */
static boolean checkClientValidationFailure(Exception e,
        BasicReason reason) {
    if (!(e instanceof SSLException)) {
        return false;
    }
    Throwable validatorFailure = e.getCause();
    if (!(validatorFailure instanceof sun.security.validator.ValidatorException)) {
        return false;
    }
    Throwable pathFailure = validatorFailure.getCause();
    if (!(pathFailure instanceof CertPathValidatorException)) {
        return false;
    }
    return ((CertPathValidatorException) pathFailure).getReason() == reason;
}
 
Example #4
Source File: MatrixNotifications.java    From ForgeHax with MIT License 6 votes vote down vote up
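/**
 * Posts {@code json} to {@code url} on the shared executor and reports any
 * failure through {@code printError} instead of letting it disappear inside
 * the {@code Future} returned by {@code submit}.
 *
 * @param url  destination of the POST
 * @param json body to send
 */
private static void postAsync(final String url, final JsonElement json) {
  EXECUTOR.submit(() -> {
    try {
      HttpResponse res = post(url, json);
      int status = res.getStatusLine().getStatusCode();
      if (status != 200) {
        // An unexpected status is a failure of this request, not a JVM
        // Error; raise it as an exception so the catch below reports it.
        throw new IllegalStateException("got response code " + status);
      }
    } catch (Throwable t) {
      // The ValidatorException may sit more than one level down the cause
      // chain, so inspect the whole chain rather than only getCause().
      if (hasCause(t, ValidatorException.class)) {
        printError("Java JRE outdated. Change games to use the latest JRE.");
      } else {
        printError("Failed to send message to url: " + t.getMessage());
      }
      t.printStackTrace();
    }
  });
}

/**
 * Returns true if {@code t} or any exception in its cause chain is an
 * instance of {@code type}.
 *
 * @param t    the throwable to inspect
 * @param type the exception type to look for
 * @return whether {@code type} occurs anywhere in the chain
 */
private static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
  Throwable cur = t;
  // bounded walk so a malformed (cyclic) cause chain cannot loop forever
  for (int depth = 0; cur != null && depth < 32; depth++) {
    if (type.isInstance(cur)) {
      return true;
    }
    cur = cur.getCause();
  }
  return false;
}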
 
Example #5
Source File: EndEntityChecker.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Verifies the end-entity extensions required of a TLS client certificate:
 * a KeyUsage allowing digital signatures, an EKU permitting TLS client
 * authentication, and the Netscape SSL-client cert type bit. The OIDs of
 * the three extensions inspected are removed from {@code exts}.
 *
 * @param cert the end-entity certificate
 * @param exts the certificate's still-unchecked extension OIDs; mutated
 * @throws CertificateException if any of the three checks fails
 */
private void checkTLSClient(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (!checkEKU(cert, exts, OID_EKU_TLS_CLIENT)) {
        throw new ValidatorException("Extended key usage does not "
            + "permit use for TLS client authentication",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    boolean sslClientBit =
        SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_CLIENT);
    if (!sslClientBit) {
        throw new ValidatorException
            ("Netscape cert type does not permit use for SSL client",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // all three extensions were inspected above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
    exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
}
 
Example #6
Source File: PKIXValidator.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Flattens a validated {@code CertPath} into an array, appending the trust
 * anchor's certificate as the final element.
 *
 * @param path   the validated path
 * @param anchor the trust anchor the path chains to; must carry a certificate
 * @return the path's certificates followed by the anchor certificate
 * @throws CertificateException if the anchor has no certificate, or if
 *         {@code verifyTrustAnchor} rejects it
 */
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
        throws CertificateException {
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        // an anchor given as a name/key pair has no certificate to append
        throw new ValidatorException
            ("TrustAnchor must be specified as certificate");
    }
    verifyTrustAnchor(anchorCert);

    List<? extends java.security.cert.Certificate> pathCerts =
                                            path.getCertificates();
    int pathLen = pathCerts.size();
    // one extra slot at the end for the anchor certificate
    X509Certificate[] result = new X509Certificate[pathLen + 1];
    pathCerts.toArray(result);
    result[pathLen] = anchorCert;
    return result;
}
 
Example #7
Source File: SymantecTLSPolicy.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Rejects TLS server certificates that chain to one of the distrusted
 * legacy Symantec roots and were issued after the applicable cut-off.
 *
 * <p>When the chain passes through one of the exempt sub-CAs, that sub-CA's
 * own distrust date applies; otherwise the general April 16, 2019 date does.
 * The method assumes {@code chain[0]} is a TLS server certificate chaining
 * back to the anchor.
 *
 * @param chain the end-entity's certificate chain. The end entity cert
 *              is at index 0, the trust anchor at index n-1.
 * @throws ValidatorException if the certificate is distrusted
 */
static void checkDistrust(X509Certificate[] chain)
                          throws ValidatorException {
    X509Certificate anchor = chain[chain.length - 1];
    if (!FINGERPRINTS.contains(fingerprint(anchor))) {
        return; // not anchored at one of the distrusted roots
    }
    LocalDate issued = chain[0].getNotBefore().toInstant()
            .atZone(ZoneOffset.UTC).toLocalDate();

    // with three or more certs there is an intermediate directly under the
    // anchor which may be one of the exempt sub-CAs
    if (chain.length > 2) {
        X509Certificate intermediate = chain[chain.length - 2];
        LocalDate subCaDistrustDate = EXEMPT_SUBCAS.get(fingerprint(intermediate));
        if (subCaDistrustDate != null) {
            checkNotBefore(issued, subCaDistrustDate, anchor);
            return; // success
        }
    }
    checkNotBefore(issued, APRIL_16_2019, anchor);
}
 
Example #8
Source File: SimpleValidator.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Checks the KeyUsage extension of a CA certificate: when present it must
 * assert keyCertSign (bit 5); a certificate without the extension passes.
 * Both the KeyUsage and ExtendedKeyUsage OIDs are dropped from
 * {@code critSet}, the latter because EKU is irrelevant in CA certificates.
 *
 * @param cert    the CA certificate
 * @param critSet the certificate's still-unprocessed critical OIDs; mutated
 * @throws CertificateException if KeyUsage is present without keyCertSign
 */
private void checkKeyUsage(X509Certificate cert, Set<String> critSet)
        throws CertificateException {
    critSet.remove(OID_KEY_USAGE);
    critSet.remove(OID_EXTENDED_KEY_USAGE);

    boolean[] usage = cert.getKeyUsage();
    if (usage == null) {
        return; // no KeyUsage extension: nothing to enforce here
    }
    final int keyCertSign = 5;
    boolean hasKeyCertSign = usage.length > keyCertSign && usage[keyCertSign];
    if (!hasKeyCertSign) {
        throw new ValidatorException
                ("Wrong key usage: expected keyCertSign",
                ValidatorException.T_CA_EXTENSIONS, cert);
    }
}
 
Example #9
Source File: SimpleValidator.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Checks the Netscape CertType extension of a CA certificate against the
 * validator's variant: the TLS variants require the SSL-CA bit, the code
 * and JCE signing variants the code-signing-CA bit, and the generic variant
 * imposes nothing. Whenever a check is performed the CertType OID is removed
 * from {@code critSet}.
 *
 * @param cert    the CA certificate
 * @param critSet the certificate's still-unprocessed critical OIDs; mutated
 * @throws CertificateException if the required bit is missing, or the
 *         variant is not one of the known values
 */
private void checkNetscapeCertType(X509Certificate cert,
        Set<String> critSet) throws CertificateException {
    if (variant.equals(VAR_GENERIC)) {
        return; // generic validation has no CertType requirement
    }

    boolean tlsVariant = variant.equals(VAR_TLS_CLIENT)
            || variant.equals(VAR_TLS_SERVER);
    boolean signingVariant = variant.equals(VAR_CODE_SIGNING)
            || variant.equals(VAR_JCE_SIGNING);
    if (!tlsVariant && !signingVariant) {
        throw new CertificateException("Unknown variant " + variant);
    }

    if (tlsVariant) {
        if (!getNetscapeCertTypeBit(cert, NSCT_SSL_CA)) {
            throw new ValidatorException
                    ("Invalid Netscape CertType extension for SSL CA "
                    + "certificate",
                    ValidatorException.T_CA_EXTENSIONS, cert);
        }
    } else if (!getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING_CA)) {
        throw new ValidatorException
                ("Invalid Netscape CertType extension for code "
                + "signing CA certificate",
                ValidatorException.T_CA_EXTENSIONS, cert);
    }
    critSet.remove(OID_NETSCAPE_CERT_TYPE);
}
 
Example #10
Source File: SimpleValidator.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Runs the CA-certificate extension checks (basic constraints, key usage,
 * Netscape cert type) and then rejects the certificate if any critical
 * extension is left that none of those checks recognised.
 *
 * @param cert       the CA certificate
 * @param maxPathLen the path length budget available at this certificate
 * @return the path length budget after applying this certificate's
 *         basic constraints
 * @throws CertificateException if a check fails or an unknown critical
 *         extension remains
 */
private int checkExtensions(X509Certificate cert, int maxPathLen)
        throws CertificateException {
    Set<String> unprocessedCritical = cert.getCriticalExtensionOIDs();
    if (unprocessedCritical == null) {
        unprocessedCritical = Collections.emptySet();
    }

    // each check removes the OIDs it handled from the set
    int pathLenBudget =
            checkBasicConstraints(cert, unprocessedCritical, maxPathLen);
    checkKeyUsage(cert, unprocessedCritical);
    checkNetscapeCertType(cert, unprocessedCritical);

    // anything critical that is still unprocessed is unknown to us
    if (!unprocessedCritical.isEmpty()) {
        throw new ValidatorException
            ("Certificate contains unknown critical extensions: " + unprocessedCritical,
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    return pathLenBudget;
}
 
Example #11
Source File: EndEntityChecker.java    From openjsse with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Verifies the end-entity extensions required of a time stamping authority
 * certificate (RFC 3161, section 2.3): a KeyUsage allowing digital
 * signatures and an EKU extension that is present and permits
 * timeStamping. The KeyUsage and EKU OIDs are removed from {@code exts}.
 *
 * @param cert the end-entity certificate
 * @param exts the certificate's still-unchecked extension OIDs; mutated
 * @throws CertificateException if any check fails
 */
private void checkTSAServer(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // a TSA certificate must carry the EKU extension itself; its absence is
    // reported separately from an EKU that lacks timeStamping
    boolean ekuPresent = cert.getExtendedKeyUsage() != null;
    if (!ekuPresent) {
        throw new ValidatorException
            ("Certificate does not contain an extended key usage " +
            "extension required for a TSA server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (!checkEKU(cert, exts, OID_EKU_TIME_STAMPING)) {
        throw new ValidatorException
            ("Extended key usage does not permit use for TSA server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // both extensions were inspected above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
}
 
Example #12
Source File: SimpleValidator.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Checks the BasicConstraints extension of a CA certificate and computes
 * the path length budget left for the next certificate.
 *
 * @param cert       the certificate, which must be marked as a CA
 * @param critSet    the certificate's still-unprocessed critical OIDs;
 *                   the BasicConstraints OID is removed from it
 * @param maxPathLen path length budget available at this certificate
 * @return the smaller of the budget after this certificate and the
 *         certificate's own pathLenConstraint
 * @throws CertificateException if the certificate is not a CA, or if a
 *         non-self-issued certificate is reached with no budget left
 */
private int checkBasicConstraints(X509Certificate cert,
        Set<String> critSet, int maxPathLen) throws CertificateException {
    critSet.remove(OID_BASIC_CONSTRAINTS);

    // -1 means the extension is missing or cA is false: not a CA
    int pathLenConstraint = cert.getBasicConstraints();
    if (pathLenConstraint < 0) {
        throw new ValidatorException("End user tried to act as a CA",
            ValidatorException.T_CA_EXTENSIONS, cert);
    }

    int remaining = maxPathLen;
    // self-issued certificates do not consume path length
    if (!X509CertImpl.isSelfIssued(cert)) {
        if (remaining <= 0) {
            throw new ValidatorException("Violated path length constraints",
                ValidatorException.T_CA_EXTENSIONS, cert);
        }
        remaining--;
    }

    return Math.min(remaining, pathLenConstraint);
}
 
Example #13
Source File: SymantecTLSPolicy.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Rejects a TLS server certificate issued after {@code distrustDate} when
 * it chains to a distrusted legacy Symantec root.
 *
 * @param notBeforeDate the server certificate's notBefore date
 * @param distrustDate  the last acceptable issuance date for this anchor
 * @param anchor        the distrusted root; named in the error message and
 *                      attached to the exception
 * @throws ValidatorException if {@code notBeforeDate} is after
 *         {@code distrustDate}
 */
private static void checkNotBefore(LocalDate notBeforeDate,
        LocalDate distrustDate, X509Certificate anchor)
        throws ValidatorException {
    boolean issuedTooLate = notBeforeDate.isAfter(distrustDate);
    if (!issuedTooLate) {
        return;
    }
    String why = "TLS Server certificate issued after " + distrustDate +
             " and anchored by a distrusted legacy Symantec root CA: "
             + anchor.getSubjectX500Principal();
    throw new ValidatorException(why, ValidatorException.T_UNTRUSTED_CERT, anchor);
}
 
Example #14
Source File: PKIXValidator.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
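/**
 * Verify that a trust anchor certificate is a CA certificate.
 *
 * <p>The check is skipped when the {@code jdk.security.allowNonCAAnchor}
 * system property is set and for v1 certificates (which have no
 * extensions). Otherwise the anchor must not carry BasicConstraints with
 * cA=false, and its KeyUsage extension, if present, must assert keyCertSign.
 *
 * @param trustedCert the anchor certificate
 * @throws ValidatorException if the anchor is not usable as a CA
 */
private static void verifyTrustAnchor(X509Certificate trustedCert)
    throws ValidatorException {

    // skip check if jdk.security.allowNonCAAnchor system property is set
    if (ALLOW_NON_CA_ANCHOR) {
        return;
    }

    // allow v1 trust anchor certificates
    if (trustedCert.getVersion() < 3) {
        return;
    }

    // check that the BasicConstraints cA field is not set to false
    if (trustedCert.getBasicConstraints() == -1) {
        throw new ValidatorException
            ("TrustAnchor with subject \"" +
             trustedCert.getSubjectX500Principal() +
             "\" is not a CA certificate");
    }

    // check that the KeyUsage extension, if included, asserts the
    // keyCertSign bit (index 5). A conforming getKeyUsage() returns at
    // least the nine standard bits, but guard the index the same way
    // SimpleValidator.checkKeyUsage does, so that a short array is
    // reported as a validation failure instead of an
    // ArrayIndexOutOfBoundsException.
    boolean[] keyUsageBits = trustedCert.getKeyUsage();
    if (keyUsageBits != null
            && (keyUsageBits.length < 6 || !keyUsageBits[5])) {
        throw new ValidatorException
            ("TrustAnchor with subject \"" +
             trustedCert.getSubjectX500Principal() +
             "\" does not have keyCertSign bit set in KeyUsage extension");
    }
}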
 
Example #15
Source File: PKIXValidator.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Builds and validates a certification path ending at {@code chain[0]}
 * with the PKIX {@code CertPathBuilder}, offering the presented chain and
 * {@code otherCerts} to the builder through a single collection CertStore.
 *
 * @param chain      the certificates presented by the peer; the target
 *                   certificate is {@code chain[0]}
 * @param otherCerts additional certificates the builder may use, or null
 * @param params     builder parameters; mutated (date, target constraints
 *                   and a CertStore are set on them)
 * @return the array assembled by {@code toArray} from the built path and
 *         its trust anchor
 * @throws CertificateException a {@code ValidatorException} wrapping any
 *         {@code GeneralSecurityException} raised during the build
 */
private X509Certificate[] doBuild(X509Certificate[] chain,
    Collection<X509Certificate> otherCerts,
    PKIXBuilderParameters params) throws CertificateException {

    try {
        setDate(params);

        // the built path must end at the presented end-entity certificate
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        params.setTargetCertConstraints(target);

        // every certificate we know of goes into one CertStore for the builder
        Collection<X509Certificate> pool =
            new ArrayList<X509Certificate>(Arrays.asList(chain));
        if (otherCerts != null) {
            pool.addAll(otherCerts);
        }
        params.addCertStore(CertStore.getInstance("Collection",
                            new CollectionCertStoreParameters(pool)));

        CertPathBuilder pkixBuilder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult built =
            (PKIXCertPathBuilderResult) pkixBuilder.build(params);
        return toArray(built.getCertPath(), built.getTrustAnchor());
    } catch (GeneralSecurityException e) {
        throw new ValidatorException
            ("PKIX path building failed: " + e.toString(), e);
    }
}
 
Example #16
Source File: Distrust.java    From dragonwell8_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Drives {@code xtm.checkServerTrusted} with the server certificate's
 * notBefore date replaced by {@code notBefore} and checks that the outcome
 * matches {@code valid}: an expected rejection must be a
 * {@code ValidatorException} of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       the trust manager under test
 * @param chain     the server chain; element 0 is replaced in place
 * @param notBefore the notBefore date to fake on the server certificate
 * @param valid     whether the chain is expected to be accepted
 * @throws Exception if the outcome differs from the expectation
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certificates is issued after the distrust date, so
    // wrap the server certificate with a faked notBefore. Rejection should
    // follow unless the distrust property is false.
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException rejection = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        rejection = ce;
    }

    if (rejection == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", rejection);
    }
    // an invalid chain must be rejected specifically as a distrusted cert
    boolean distrusted = rejection instanceof ValidatorException
            && ((ValidatorException) rejection).getErrorType()
                    == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrusted) {
        throw new Exception("Unexpected exception: " + rejection);
    }
}
 
Example #17
Source File: Distrust.java    From TencentKona-8 with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Drives {@code xtm.checkServerTrusted} with the server certificate's
 * notBefore date replaced by {@code notBefore} and checks that the outcome
 * matches {@code valid}: an expected rejection must be a
 * {@code ValidatorException} of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       the trust manager under test
 * @param chain     the server chain; element 0 is replaced in place
 * @param notBefore the notBefore date to fake on the server certificate
 * @param valid     whether the chain is expected to be accepted
 * @throws Exception if the outcome differs from the expectation
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certificates is issued after the distrust date, so
    // wrap the server certificate with a faked notBefore. Rejection should
    // follow unless the distrust property is false.
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException rejection = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        rejection = ce;
    }

    if (rejection == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", rejection);
    }
    // an invalid chain must be rejected specifically as a distrusted cert
    boolean distrusted = rejection instanceof ValidatorException
            && ((ValidatorException) rejection).getErrorType()
                    == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrusted) {
        throw new Exception("Unexpected exception: " + rejection);
    }
}
 
Example #18
Source File: Distrust.java    From openjdk-jdk8u with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Drives {@code xtm.checkServerTrusted} with the server certificate's
 * notBefore date replaced by {@code notBefore} and checks that the outcome
 * matches {@code valid}: an expected rejection must be a
 * {@code ValidatorException} of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       the trust manager under test
 * @param chain     the server chain; element 0 is replaced in place
 * @param notBefore the notBefore date to fake on the server certificate
 * @param valid     whether the chain is expected to be accepted
 * @throws Exception if the outcome differs from the expectation
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certificates is issued after the distrust date, so
    // wrap the server certificate with a faked notBefore. Rejection should
    // follow unless the distrust property is false.
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException rejection = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        rejection = ce;
    }

    if (rejection == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", rejection);
    }
    // an invalid chain must be rejected specifically as a distrusted cert
    boolean distrusted = rejection instanceof ValidatorException
            && ((ValidatorException) rejection).getErrorType()
                    == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrusted) {
        throw new Exception("Unexpected exception: " + rejection);
    }
}
 
Example #19
Source File: Main.java    From openjdk-jdk9 with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Validates a signer's chain as a code-signing chain with the PKIX
 * validator. Failures the caller has already recorded (expired or
 * not-yet-valid certificates, bad end-entity extensions) are swallowed;
 * any other failure is rethrown, unwrapped to the underlying
 * {@code CertPathValidatorException} when there is one.
 *
 * @param certs the chain to validate; every element must be an
 *              {@code X509Certificate}
 * @throws Exception if validation fails for a reason not already recorded
 */
void validateCertChain(List<? extends Certificate> certs) throws Exception {
    try {
        X509Certificate[] chain =
                certs.toArray(new X509Certificate[certs.size()]);
        Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_CODE_SIGNING,
                pkixParameters)
                .validate(chain);
    } catch (Exception e) {
        if (debug) {
            e.printStackTrace();
        }
        Exception toThrow = e;
        if (e instanceof ValidatorException) {
            Throwable cause = e.getCause();
            if (cause instanceof CertPathValidatorException) {
                // surface the CertPathValidatorException itself to the caller
                toThrow = (Exception) cause;
                Throwable root = cause.getCause();
                boolean expiredAlreadyNoted =
                        root instanceof CertificateExpiredException
                                && hasExpiredCert;
                boolean notYetValidAlreadyNoted =
                        root instanceof CertificateNotYetValidException
                                && notYetValidCert;
                if (expiredAlreadyNoted || notYetValidAlreadyNoted) {
                    return;
                }
            }
            // still a ValidatorException only when its cause was not a
            // CertPathValidatorException
            if (toThrow instanceof ValidatorException) {
                ValidatorException ve = (ValidatorException) toThrow;
                boolean eeAlreadyNoted =
                        badKeyUsage || badExtendedKeyUsage || badNetscapeCertType;
                if (ve.getErrorType() == ValidatorException.T_EE_EXTENSIONS
                        && eeAlreadyNoted) {
                    return;
                }
            }
        }
        throw toThrow;
    }
}
 
Example #20
Source File: EndEntityChecker.java    From openjsse with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Verifies the end-entity extensions required of a code-signing
 * certificate: a KeyUsage allowing digital signatures and an EKU
 * permitting code signing. The Netscape cert type must additionally allow
 * code signing, except for the JCE signing variant, since some of those
 * certificates were issued with incorrect extensions. The OIDs of the
 * extensions inspected are removed from {@code exts}.
 *
 * @param cert the end-entity certificate
 * @param exts the certificate's still-unchecked extension OIDs; mutated
 * @throws CertificateException if any check fails
 */
private void checkCodeSigning(X509Certificate cert, Set<String> exts)
        throws CertificateException {
    if (!checkKeyUsage(cert, KU_SIGNATURE)) {
        throw new ValidatorException
            ("KeyUsage does not allow digital signatures",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    if (!checkEKU(cert, exts, OID_EKU_CODE_SIGNING)) {
        throw new ValidatorException
            ("Extended key usage does not permit use for code signing",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // JCE code signing skips the Netscape cert type check entirely
    boolean jceSigning = variant.equals(Validator.VAR_JCE_SIGNING);
    if (!jceSigning) {
        boolean codeSigningBit =
            SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING);
        if (!codeSigningBit) {
            throw new ValidatorException
                ("Netscape cert type does not permit use for code signing",
                ValidatorException.T_EE_EXTENSIONS, cert);
        }
        exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
    }

    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
}
 
Example #21
Source File: Distrust.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Drives {@code xtm.checkServerTrusted} with the server certificate's
 * notBefore date replaced by {@code notBefore} and checks that the outcome
 * matches {@code valid}: an expected rejection must be a
 * {@code ValidatorException} of type {@code T_UNTRUSTED_CERT}.
 *
 * @param xtm       the trust manager under test
 * @param chain     the server chain; element 0 is replaced in place
 * @param notBefore the notBefore date to fake on the server certificate
 * @param valid     whether the chain is expected to be accepted
 * @throws Exception if the outcome differs from the expectation
 */
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
                           Date notBefore, boolean valid) throws Exception {
    // None of the test certificates is issued after the distrust date, so
    // wrap the server certificate with a faked notBefore. Rejection should
    // follow unless the distrust property is false.
    chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

    CertificateException rejection = null;
    try {
        xtm.checkServerTrusted(chain, "ECDHE_RSA");
    } catch (CertificateException ce) {
        rejection = ce;
    }

    if (rejection == null) {
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
        return;
    }
    if (valid) {
        throw new Exception("Unexpected exception, chain " +
                            "should be valid", rejection);
    }
    // an invalid chain must be rejected specifically as a distrusted cert
    boolean distrusted = rejection instanceof ValidatorException
            && ((ValidatorException) rejection).getErrorType()
                    == ValidatorException.T_UNTRUSTED_CERT;
    if (!distrusted) {
        throw new Exception("Unexpected exception: " + rejection);
    }
}
 
Example #22
Source File: SdsX509TrustManagerTest.java    From grpc-java with Apache License 2.0 5 votes vote down vote up
/**
 * A server chain that does not validate against the configured trust
 * material must be rejected by the SSLEngine flavour of
 * {@code checkServerTrusted}, and the engine must be asked exactly once
 * for its handshake session.
 */
@Test
public void checkServerTrustedSslEngine_untrustedServer_expectException()
    throws CertificateException, IOException, CertStoreException {
  TestSslEngine engine = buildTrustManagerAndGetSslEngine();
  X509Certificate[] untrustedChain =
      CertificateUtils.toX509Certificates(TestUtils.loadCert(BAD_SERVER_PEM_FILE));
  ValidatorException rejection = null;
  try {
    trustManager.checkServerTrusted(untrustedChain, "ECDHE_ECDSA", engine);
    fail("exception expected");
  } catch (ValidatorException e) {
    rejection = e;
  }
  assertThat(rejection).hasMessageThat()
      .endsWith("unable to find valid certification path to requested target");
  verify(engine, times(1)).getHandshakeSession();
}
 
Example #23
Source File: EndEntityChecker.java    From openjsse with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Verifies the end-entity extensions required of a TLS server certificate
 * for the given authentication type (see the X509TrustManager
 * specification): the KeyUsage bit the key exchange needs (key
 * encipherment, digital signature or key agreement), an EKU permitting TLS
 * server authentication or one of the obsolete Server-Gated-Cryptography
 * OIDs, and the Netscape SSL-server cert type bit. The OIDs inspected are
 * removed from {@code exts}.
 *
 * @param cert      the end-entity certificate
 * @param parameter the X509TrustManager authType string
 * @param exts      the certificate's still-unchecked extension OIDs; mutated
 * @throws CertificateException if a check fails or the authType is unknown
 */
private void checkTLSServer(X509Certificate cert, String parameter,
        Set<String> exts) throws CertificateException {
    // which KeyUsage bit is required depends on how the server key takes
    // part in the key exchange named by the authType
    if (KU_SERVER_ENCRYPTION.contains(parameter)) {
        if (!checkKeyUsage(cert, KU_KEY_ENCIPHERMENT)) {
            throw new ValidatorException
                    ("KeyUsage does not allow key encipherment",
                    ValidatorException.T_EE_EXTENSIONS, cert);
        }
    } else if (KU_SERVER_SIGNATURE.contains(parameter)) {
        if (!checkKeyUsage(cert, KU_SIGNATURE)) {
            throw new ValidatorException
                    ("KeyUsage does not allow digital signatures",
                    ValidatorException.T_EE_EXTENSIONS, cert);
        }
    } else if (KU_SERVER_KEY_AGREEMENT.contains(parameter)) {
        if (!checkKeyUsage(cert, KU_KEY_AGREEMENT)) {
            throw new ValidatorException
                    ("KeyUsage does not allow key agreement",
                    ValidatorException.T_EE_EXTENSIONS, cert);
        }
    } else {
        throw new CertificateException("Unknown authType: " + parameter);
    }

    // serverAuth, or failing that one of the equivalent but now obsolete
    // Server-Gated-Cryptography (Step-Up, 128 bit) EKU OIDs
    boolean serverEku = checkEKU(cert, exts, OID_EKU_TLS_SERVER)
            || checkEKU(cert, exts, OID_EKU_MS_SGC)
            || checkEKU(cert, exts, OID_EKU_NS_SGC);
    if (!serverEku) {
        throw new ValidatorException
            ("Extended key usage does not permit use for TLS "
            + "server authentication",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    boolean sslServerBit =
        SimpleValidator.getNetscapeCertTypeBit(cert, NSCT_SSL_SERVER);
    if (!sslServerBit) {
        throw new ValidatorException
            ("Netscape cert type does not permit use for SSL server",
            ValidatorException.T_EE_EXTENSIONS, cert);
    }

    // all three extensions were inspected above
    exts.remove(SimpleValidator.OID_KEY_USAGE);
    exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
    exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
}