Java Code Examples for java.security.cert.CertPath#getCertificates()

The following examples show how to use java.security.cert.CertPath#getCertificates().
Example 1
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (h)(1) of the "prepare for next certificate" stage of certification
 * path validation: updates the explicit-policy counter.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine;
 *              that entry is cast to {@link X509Certificate}
 * @param explicitPolicy current value of the explicit-policy counter
 * @return {@code explicitPolicy - 1} when the certificate is not self-issued
 *         and the counter is non-zero; otherwise {@code explicitPolicy} unchanged
 */
protected static int prepareNextCertH1(
    CertPath certPath,
    int index,
    int explicitPolicy)
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    // (h)(1): a self-issued certificate does not consume the counter, and a
    // counter that is exactly zero is left as it is.
    if (CertPathValidatorUtilities.isSelfIssued(current) || explicitPolicy == 0)
    {
        return explicitPolicy;
    }
    return explicitPolicy - 1;
}
 
Example 2
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
/**
 * Step (n) of the "prepare for next certificate" stage: when the certificate
 * at {@code index} carries a key usage extension, its keyCertSign bit must be set.
 * <p>
 * A certificate without a key usage extension ({@code getKeyUsage()} returns
 * {@code null}) passes this step. The check is applied whether or not the
 * extension is marked critical, although the error message says "critical".
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the issuer certificate to examine
 * @throws CertPathValidatorException if the key usage extension is present and
 *         does not permit certificate signing
 */
protected static void prepareNextCertN(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    X509Certificate issuer = (X509Certificate)certPath.getCertificates().get(index);

    // (n)
    boolean[] keyUsageBits = issuer.getKeyUsage();
    if (keyUsageBits == null)
    {
        // no key usage extension: nothing to enforce in this step
        return;
    }
    if (keyUsageBits[RFC3280CertPathUtilities.KEY_CERT_SIGN])
    {
        return;
    }

    throw new ExtCertPathValidatorException(
        "Issuer certificate keyusage extension is critical and does not permit key signing.", null,
        certPath, index);
}
 
Example 3
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (h)(3) of the "prepare for next certificate" stage of certification
 * path validation: updates the inhibit-anyPolicy counter.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine;
 *              that entry is cast to {@link X509Certificate}
 * @param inhibitAnyPolicy current value of the inhibit-anyPolicy counter
 * @return {@code inhibitAnyPolicy - 1} when the certificate is not self-issued
 *         and the counter is non-zero; otherwise {@code inhibitAnyPolicy} unchanged
 */
protected static int prepareNextCertH3(
    CertPath certPath,
    int index,
    int inhibitAnyPolicy)
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    // (h)(3): only a certificate that is not self-issued counts against the
    // counter, and only while the counter is non-zero.
    boolean countsAgainstLimit = !CertPathValidatorUtilities.isSelfIssued(current);
    return (countsAgainstLimit && inhibitAnyPolicy != 0)
        ? inhibitAnyPolicy - 1
        : inhibitAnyPolicy;
}
 
Example 4
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (h)(2) of the "prepare for next certificate" stage of certification
 * path validation: updates the policy-mapping counter.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine;
 *              that entry is cast to {@link X509Certificate}
 * @param policyMapping current value of the policy-mapping counter
 * @return {@code policyMapping - 1} when the certificate is not self-issued
 *         and the counter is non-zero; otherwise {@code policyMapping} unchanged
 */
protected static int prepareNextCertH2(
    CertPath certPath,
    int index,
    int policyMapping)
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    // (h)(2): a self-issued certificate leaves the counter alone, as does a
    // counter that is exactly zero.
    if (CertPathValidatorUtilities.isSelfIssued(current) || policyMapping == 0)
    {
        return policyMapping;
    }
    return policyMapping - 1;
}
 
Example 5
Source File: X509CertUtil.java    From keystore-explorer with GNU General Public License v3.0
/**
 * Reads a PkiPath-encoded certification path from a stream and returns its
 * certificates in the order the path lists them.
 * <p>
 * This only parses the encoding: no signature, validity or trust-chain check
 * is made here, so callers must validate the result before relying on it.
 * The stream is always closed, whether or not parsing succeeds.
 *
 * @param is stream holding the encoded path; closed by this method
 * @return the non-null certificates of the path, each cast to {@link X509Certificate}
 * @throws CryptoException if the path cannot be parsed or the provider is unavailable
 */
private static X509Certificate[] loadCertificatesPkiPath(InputStream is) throws CryptoException {
	try {
		CertificateFactory factory = CertificateFactory.getInstance(X509_CERT_TYPE, BOUNCY_CASTLE.jce());
		CertPath path = factory.generateCertPath(is, PKI_PATH_ENCODING);

		ArrayList<X509Certificate> collected = new ArrayList<>();
		for (Certificate entry : path.getCertificates()) {
			X509Certificate x509 = (X509Certificate) entry;
			// null entries are skipped rather than returned to the caller
			if (x509 != null) {
				collected.add(x509);
			}
		}

		X509Certificate[] result = new X509Certificate[collected.size()];
		return collected.toArray(result);
	} catch (CertificateException | NoSuchProviderException e) {
		throw new CryptoException(res.getString("NoLoadPkiPath.exception.message"), e);
	} finally {
		IOUtils.closeQuietly(is);
	}
}
 
Example 6
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
/**
 * Step (h)(3) of the "prepare for next certificate" stage of certification
 * path validation: updates the inhibit-anyPolicy counter.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine;
 *              that entry is cast to {@link X509Certificate}
 * @param inhibitAnyPolicy current value of the inhibit-anyPolicy counter
 * @return {@code inhibitAnyPolicy - 1} when the certificate is not self-issued
 *         and the counter is non-zero; otherwise {@code inhibitAnyPolicy} unchanged
 */
protected static int prepareNextCertH3(
    CertPath certPath,
    int index,
    int inhibitAnyPolicy)
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    // (h)(3): self-issued certificates do not consume the counter, and a
    // counter that is exactly zero is returned unchanged.
    if (CertPathValidatorUtilities.isSelfIssued(current))
    {
        return inhibitAnyPolicy;
    }
    return (inhibitAnyPolicy == 0) ? inhibitAnyPolicy : inhibitAnyPolicy - 1;
}
 
Example 7
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (n) of the "prepare for next certificate" stage: a key usage extension,
 * when present on the certificate at {@code index}, must assert keyCertSign.
 * <p>
 * A {@code null} result from {@code getKeyUsage()} (no key usage extension)
 * passes. Criticality of the extension is not consulted here, even though the
 * error message mentions it.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the issuer certificate to examine
 * @throws CertPathValidatorException if the key usage extension is present and
 *         its keyCertSign bit is not set
 */
protected static void prepareNextCertN(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    X509Certificate issuer = (X509Certificate)certPath.getCertificates().get(index);

    // (n)
    boolean[] usageBits = issuer.getKeyUsage();
    boolean signingForbidden =
        (usageBits != null) && !usageBits[RFC3280CertPathUtilities.KEY_CERT_SIGN];

    if (signingForbidden)
    {
        throw new ExtCertPathValidatorException(
            "Issuer certificate keyusage extension is critical and does not permit key signing.", null,
            certPath, index);
    }
}
 
Example 8
Source File: BuildEEBasicConstraints.java    From hottub with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 9
Source File: CertificateFactory1Test.java    From j2objc with Apache License 2.0
/**
 * Test for the <code>generateCertPath(List certificates)</code> method.
 * Assertion: every available factory returns a CertPath whose certificate
 * list is empty when it is given an empty list of certificates.
 */
public void testCertificateFactory15() throws CertificateException {
    if (!X509Support) {
        fail(NotSupportMsg);
        return;
    }
    CertificateFactory[] factories = initCertFs();
    assertNotNull("CertificateFactory objects were not created", factories);

    // The same empty input list is handed to each factory in turn.
    List<Certificate> noCertificates = new Vector<Certificate>();
    for (CertificateFactory factory : factories) {
        CertPath emptyPath = factory.generateCertPath(noCertificates);
        List<? extends Certificate> returned = emptyPath.getCertificates();
        assertTrue("List should be empty", returned.isEmpty());
    }
}
 
Example 10
Source File: BuildEEBasicConstraints.java    From jdk8u_jdk with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 11
Source File: BuildEEBasicConstraints.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 12
Source File: BuildEEBasicConstraints.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 13
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (e) of basic certificate processing: discards the valid policy tree
 * when no certificate policies sequence is obtained from the certificate.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine
 * @param validPolicyTree the current valid policy tree
 * @return {@code null} when decoding the certificate policies extension
 *         yields {@code null} (presumably the extension is absent; confirm
 *         against {@code getExtensionValue}); otherwise {@code validPolicyTree}
 * @throws CertPathValidatorException if the extension value cannot be read
 */
protected static PKIXPolicyNode processCertE(
    CertPath certPath,
    int index,
    PKIXPolicyNode validPolicyTree)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    // (e)
    ASN1Sequence policies;
    try
    {
        policies = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(current,
            RFC3280CertPathUtilities.CERTIFICATE_POLICIES));
    }
    catch (AnnotatedException e)
    {
        // Only AnnotatedException is translated here; any other exception
        // raised while decoding propagates to the caller as thrown.
        throw new ExtCertPathValidatorException("Could not read certificate policies extension from certificate.",
            e, certPath, index);
    }

    return (policies == null) ? null : validPolicyTree;
}
 
Example 14
Source File: BuildEEBasicConstraints.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 15
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
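/**
 * Step (k) of the "prepare for next certificate" stage: the certificate at
 * {@code index} must carry a basic constraints extension that marks it as a CA.
 * <p>
 * Every failure reports the certification path and the index of the offending
 * certificate, so callers can tell which certificate was rejected.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine
 * @throws CertPathValidatorException if the extension cannot be decoded, is
 *         missing, or does not assert the CA flag
 */
protected static void prepareNextCertK(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    List certs = certPath.getCertificates();
    X509Certificate cert = (X509Certificate)certs.get(index);
    //
    // (k)
    //
    BasicConstraints bc = null;
    try
    {
        bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
            RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
    }
    catch (Exception e)
    {
        throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
            index);
    }

    // A certificate used as an issuer must state that it is a CA; a missing
    // extension is rejected rather than treated as permission.
    if (bc == null)
    {
        throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints", null,
            certPath, index);
    }
    if (!bc.isCA())
    {
        throw new CertPathValidatorException("Not a CA certificate", null, certPath, index);
    }
}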
 
Example 16
Source File: CertPathSerializer.java    From webauthn4j with Apache License 2.0
/**
 * {@inheritDoc}
 * <p>
 * Writes the path as an array with one binary element per certificate, each
 * element being that certificate's encoded form, in path order.
 */
@Override
public void serialize(CertPath value, JsonGenerator gen, SerializerProvider provider) throws IOException {
    gen.writeStartArray();
    for (Certificate entry : value.getCertificates()) {
        byte[] encoded;
        try {
            encoded = entry.getEncoded();
        } catch (CertificateEncodingException e) {
            // An encoding failure is rethrown unchecked; the array is left unterminated.
            throw new UnexpectedCheckedException(e);
        }
        gen.writeBinary(encoded);
    }
    gen.writeEndArray();
}
 
Example 17
Source File: BuildEEBasicConstraints.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Builds a certification path from three certificate files and checks that
 * the first certificate of the built path is an end-entity certificate.
 * <p>
 * Test fixture: it relaxes the JVM-wide certpath algorithm restrictions and
 * switches revocation checking off, neither of which belongs in production
 * validation code.
 *
 * @param args unused
 * @throws Exception if the path cannot be built or its target is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Replace the disabled-algorithms list for the whole JVM so that only MD2
    // stays disabled and the algorithms and keys used by this test are accepted.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    // Trust anchor from the root's subject and public key, no name constraints.
    X509Certificate root = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor =
        new TrustAnchor(root.getSubjectX500Principal(), root.getPublicKey(), null);

    // -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // No CRL/OCSP lookups: the test certificates come from local files.
    builderParams.setRevocationEnabled(false);

    // Candidate certificates the builder may draw from.
    X509Certificate endEntity = CertUtils.getCertFromFile("ee.cer");
    X509Certificate ca = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(ca);
    candidates.add(endEntity);
    CertStore candidateStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    builderParams.addCertStore(candidateStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath builtPath = result.getCertPath();

    // getBasicConstraints() is -1 for a certificate that is not a CA.
    X509Certificate target = (X509Certificate) builtPath.getCertificates().get(0);
    if (target.getBasicConstraints() == -1) {
        return;
    }
    throw new Exception("Target certificate is not an EE certificate");
}
 
Example 18
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
/**
 * Step (f) of the wrap-up stage: runs the additional path checkers against
 * the certificate at {@code index} and then rejects the certificate if any
 * critical extension is still listed in {@code criticalExtensions}.
 * <p>
 * Each checker receives the same {@code criticalExtensions} set; whatever is
 * left in it after all checkers have run is reported as unsupported.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine
 * @param pathCheckers checkers to run; every element is cast to {@link PKIXCertPathChecker}
 * @param criticalExtensions critical extensions of the certificate not yet accounted for
 * @throws CertPathValidatorException if a checker fails or a critical
 *         extension remains in the set
 */
protected static void wrapupCertF(
    CertPath certPath,
    int index,
    List pathCheckers,
    Set criticalExtensions)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    for (Iterator checkerIt = pathCheckers.iterator(); checkerIt.hasNext();)
    {
        PKIXCertPathChecker checker = (PKIXCertPathChecker)checkerIt.next();
        try
        {
            checker.check(current, criticalExtensions);
        }
        catch (CertPathValidatorException e)
        {
            throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
                index);
        }
    }

    // Fail closed: a critical extension nobody claimed must not be ignored.
    if (criticalExtensions.isEmpty())
    {
        return;
    }
    throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath,
        index);
}
 
Example 19
Source File: PKIXCertPathReviewer.java    From RipplePower with Apache License 2.0
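/** 
 * Initializes the PKIXCertPathReviewer with the given {@link CertPath} and {@link PKIXParameters} params.
 * <p>
 * The arguments are validated before any field of this object is written, so
 * a call rejected for a bad argument leaves the reviewer uninitialized
 * instead of marked as initialized with partial state.
 * @param certPath the {@link CertPath} to validate
 * @param params the {@link PKIXParameters} to use; cloned, so later changes made by
 *               the caller to {@code params} itself are not seen by this reviewer
 * @throws CertPathReviewerException if the certPath is empty
 * @throws IllegalStateException if the {@link PKIXCertPathReviewer} is already initialized
 * @throws NullPointerException if {@code certPath} or {@code params} is null
 */
public void init(CertPath certPath, PKIXParameters params)
        throws CertPathReviewerException
{
    if (initialized)
    {
        throw new IllegalStateException("object is already initialized!");
    }

    // check input parameters before changing any state
    if (certPath == null)
    {
        throw new NullPointerException("certPath was null");
    }
    if (certPath.getCertificates().isEmpty())
    {
        throw new CertPathReviewerException(
                new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.emptyCertPath"));
    }
    // throws NullPointerException when params is null, as before
    PKIXParameters paramsCopy = (PKIXParameters) params.clone();

    // all inputs accepted: commit the state
    initialized = true;
    this.certPath = certPath;
    certs = certPath.getCertificates();
    n = certs.size();
    pkixParams = paramsCopy;

    // 6.1.1 - Inputs

    // a) done

    // b)

    validDate = getValidDate(pkixParams);

    // c) part of pkixParams

    // d) done at the beginning of checkSignatures

    // e) f) g) part of pkixParams
    
    // initialize output parameters
    
    notifications = null;
    errors = null;
    trustAnchor = null;
    subjectPublicKey = null;
    policyTree = null;
}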
 
Example 20
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Step (a) of the "prepare for next certificate" stage: checks the policy
 * mappings extension of the certificate at {@code index}.
 * <p>
 * When the extension decodes to a sequence, every mapping in it is read as an
 * (issuerDomainPolicy, subjectDomainPolicy) pair and neither side may be
 * anyPolicy. A {@code null} decoding result is accepted without further checks.
 *
 * @param certPath the certification path being processed
 * @param index position in {@code certPath} of the certificate to examine
 * @throws CertPathValidatorException if the extension or one of its mappings
 *         cannot be decoded, or a mapping names anyPolicy on either side
 */
protected static void prepareNextCertA(
    CertPath certPath,
    int index)
    throws CertPathValidatorException
{
    X509Certificate current = (X509Certificate)certPath.getCertificates().get(index);

    //
    // (a) check the policy mappings
    //
    ASN1Sequence policyMappings;
    try
    {
        policyMappings = DERSequence.getInstance(CertPathValidatorUtilities.getExtensionValue(current,
            RFC3280CertPathUtilities.POLICY_MAPPINGS));
    }
    catch (AnnotatedException ex)
    {
        throw new ExtCertPathValidatorException("Policy mappings extension could not be decoded.", ex, certPath,
            index);
    }
    if (policyMappings == null)
    {
        return;
    }

    for (int j = 0; j < policyMappings.size(); j++)
    {
        ASN1ObjectIdentifier issuerDomainPolicy;
        ASN1ObjectIdentifier subjectDomainPolicy;
        try
        {
            ASN1Sequence pair = DERSequence.getInstance(policyMappings.getObjectAt(j));

            issuerDomainPolicy = ASN1ObjectIdentifier.getInstance(pair.getObjectAt(0));
            subjectDomainPolicy = ASN1ObjectIdentifier.getInstance(pair.getObjectAt(1));
        }
        catch (Exception e)
        {
            // malformed mapping entries are rejected, not skipped
            throw new ExtCertPathValidatorException("Policy mappings extension contents could not be decoded.",
                e, certPath, index);
        }

        String anyPolicy = RFC3280CertPathUtilities.ANY_POLICY;
        if (anyPolicy.equals(issuerDomainPolicy.getId()))
        {
            throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy", null, certPath, index);
        }
        if (anyPolicy.equals(subjectDomainPolicy.getId()))
        {
            throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy,", null, certPath, index);
        }
    }
}