java.security.cert.CertPathValidatorException.BasicReason Java Examples

/**
 * When a failure happens during certificate checking from an
 * {@link X509TrustManager}, determine what TLS alert description
 * to use.
 *
 * @param cexc The exception thrown by the {@link X509TrustManager}
 *
 * @return A byte value corresponding to a TLS alert description number.
 */
private static Alert getCertificateAlert(
        ClientHandshakeContext chc, CertificateException cexc) {
    // The specific reason for the failure will determine how to
    // set the alert description value
    Alert alert = Alert.CERTIFICATE_UNKNOWN;

    Throwable baseCause = cexc.getCause();
    if (baseCause instanceof CertPathValidatorException) {
        CertPathValidatorException cpve =
                (CertPathValidatorException)baseCause;
        Reason reason = cpve.getReason();
        if (reason == BasicReason.REVOKED) {
            alert = chc.staplingActive ?
                    Alert.BAD_CERT_STATUS_RESPONSE :
                    Alert.CERTIFICATE_REVOKED;
        } else if (
                reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
            alert = chc.staplingActive ?
                    Alert.BAD_CERT_STATUS_RESPONSE :
                    Alert.CERTIFICATE_UNKNOWN;
        }
    }

    return alert;
}
 

/**
 * When a failure happens during certificate checking from an
 * {@link X509TrustManager}, determine what TLS alert description
 * to use.
 *
 * @param cexc The exception thrown by the {@link X509TrustManager}
 *
 * @return A byte value corresponding to a TLS alert description number.
 */
private static Alert getCertificateAlert(
        ClientHandshakeContext chc, CertificateException cexc) {
    // The specific reason for the failure will determine how to
    // set the alert description value
    Alert alert = Alert.CERTIFICATE_UNKNOWN;

    Throwable baseCause = cexc.getCause();
    if (baseCause instanceof CertPathValidatorException) {
        CertPathValidatorException cpve =
                (CertPathValidatorException)baseCause;
        Reason reason = cpve.getReason();
        if (reason == BasicReason.REVOKED) {
            alert = chc.staplingActive ?
                    Alert.BAD_CERT_STATUS_RESPONSE :
                    Alert.CERTIFICATE_REVOKED;
        } else if (
                reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
            alert = chc.staplingActive ?
                    Alert.BAD_CERT_STATUS_RESPONSE :
                    Alert.CERTIFICATE_UNKNOWN;
        }
    }

    return alert;
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    Key key = null;
    if (cp.getPublicKey() != null) {
        key = cp.getPublicKey();
    } else if (cp.getCertificate() != null) {
        key = cp.getCertificate().getPublicKey();
    }
    if (key != null && !permitsImpl(key)) {
        if (nextConstraint != null) {
            nextConstraint.permits(cp);
            return;
        }
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on keysize limits. " +
                algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
                extendedMsg(cp),
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    if (debug != null) {
        debug.println("jdkCAConstraints.permits(): " + algorithm);
    }

    // Check chain has a trust anchor in cacerts
    if (cp.isTrustedMatch()) {
        if (next(cp)) {
            return;
        }
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on certificate " +
                "anchor limits. " + algorithm + extendedMsg(cp),
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    Key key = null;
    if (cp.getPublicKey() != null) {
        key = cp.getPublicKey();
    } else if (cp.getCertificate() != null) {
        key = cp.getCertificate().getPublicKey();
    }
    if (key != null && !permitsImpl(key)) {
        if (nextConstraint != null) {
            nextConstraint.permits(cp);
            return;
        }
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on keysize limits. " +
                algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
                extendedMsg(cp),
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    if (debug != null) {
        debug.println("jdkCAConstraints.permits(): " + algorithm);
    }

    // Check chain has a trust anchor in cacerts
    if (cp.isTrustedMatch()) {
        if (next(cp)) {
            return;
        }
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on certificate " +
                "anchor limits. " + algorithm + extendedMsg(cp),
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

public final void permits(String algorithm, ConstraintsParameters cp)
        throws CertPathValidatorException {

    // Check if named curves in the ConstraintParameters are disabled.
    if (cp.getNamedCurve() != null) {
        for (String curve : cp.getNamedCurve()) {
            if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
                throw new CertPathValidatorException(
                        "Algorithm constraints check failed on disabled " +
                                "algorithm: " + curve,
                        null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
            }
        }
    }

    algorithmConstraints.permits(algorithm, cp);
}
 

public void permits(CertConstraintParameters cp)
        throws CertPathValidatorException {
    if (debug != null) {
        debug.println("jdkCAConstraints.permits(): " + algorithm);
    }

    // Return false if the chain has a trust anchor in cacerts
    if (cp.isTrustedMatch()) {
        if (nextConstraint != null) {
            nextConstraint.permits(cp);
            return;
        }
        throw new CertPathValidatorException(
                "Algorithm constraints check failed on certificate " +
                        "anchor limits",
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 */
static void check(PublicKey key, AlgorithmId algorithmId)
                    throws CertPathValidatorException {
    String sigAlgName = algorithmId.getName();
    AlgorithmParameters sigAlgParams = algorithmId.getParameters();

    if (!certPathDefaultConstraints.permits(
            SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
        throw new CertPathValidatorException(
            "algorithm check failed: " + sigAlgName + " is disabled",
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

@Test
public void testClassifyCertPathValidatorException()
{
    LdapTlsHandshakeException e = new LdapTlsHandshakeException( "msg",
        new Exception( new Exception( new Exception( new Exception(
            new CertPathValidatorException( "foo", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED ) ) ) ) ) );
    assertThat( e.getMessage(), equalTo( "msg, reason: Failed to verify certification path: foo" ) );
}
 

/**
 * We have a cert whose revocation status couldn't be verified by
 * a CRL issued by the cert that issued the CRL. See if we can
 * find a valid CRL issued by a separate key that can verify the
 * revocation status of this certificate.
 * <p>
 * Note that this does not provide support for indirect CRLs,
 * only CRLs signed with a different key (but the same issuer
 * name) as the certificate being checked.
 *
 * @param currCert the <code>X509Certificate</code> to be checked
 * @param prevKey the <code>PublicKey</code> that failed
 * @param signFlag <code>true</code> if that key was trusted to sign CRLs
 * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
 *                     whose revocation status depends on the
 *                     non-revoked status of this cert. To avoid
 *                     circular dependencies, we assume they're
 *                     revoked while checking the revocation
 *                     status of this cert.
 * @throws CertPathValidatorException if the cert's revocation status
 *         cannot be verified successfully with another key
 */
private void verifyWithSeparateSigningKey(X509Certificate cert,
                                          PublicKey prevKey,
                                          boolean signFlag,
                                          Set<X509Certificate> stackedCerts)
    throws CertPathValidatorException
{
    String msg = "revocation status";
    if (debug != null) {
        debug.println(
            "RevocationChecker.verifyWithSeparateSigningKey()" +
            " ---checking " + msg + "...");
    }

    // Reject circular dependencies - RFC 5280 is not explicit on how
    // to handle this, but does suggest that they can be a security
    // risk and can create unresolvable dependencies
    if ((stackedCerts != null) && stackedCerts.contains(cert)) {
        if (debug != null) {
            debug.println(
                "RevocationChecker.verifyWithSeparateSigningKey()" +
                " circular dependency");
        }
        throw new CertPathValidatorException
            ("Could not determine revocation status", null, null, -1,
             BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    // Try to find another key that might be able to sign
    // CRLs vouching for this cert.
    // If prevKey wasn't trusted, maybe we just didn't have the right
    // path to it. Don't rule that key out.
    if (!signFlag) {
        buildToNewKey(cert, null, stackedCerts);
    } else {
        buildToNewKey(cert, prevKey, stackedCerts);
    }
}
 

public static void main(String args[]) throws Exception {
    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // set the validation time
    params.setDate(new Date(109, 5, 1));   // 2009-05-01

    // disable OCSP checker
    Security.setProperty("ocsp.enable", "false");

    // enable CRL checker
    System.setProperty("com.sun.security.enableCRLDP", "true");

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }

}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 */
static void check(PublicKey key, AlgorithmId algorithmId)
                    throws CertPathValidatorException {
    String sigAlgName = algorithmId.getName();
    AlgorithmParameters sigAlgParams = algorithmId.getParameters();

    if (!certPathDefaultConstraints.permits(
            SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
        throw new CertPathValidatorException(
            "algorithm check failed: " + sigAlgName + " is disabled",
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    throw new CertPathValidatorException(
            "Algorithm constraints check failed on disabled " +
                    "algorithm: " + algorithm + extendedMsg(cp),
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
 

public static void main(String args[]) throws Exception {
    // MD5 is used in this test case, don't disable MD5 algorithm.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // set the validation time
    params.setDate(new Date(109, 5, 1));   // 2009-05-01

    // disable OCSP checker
    Security.setProperty("ocsp.enable", "false");

    // enable CRL checker
    System.setProperty("com.sun.security.enableCRLDP", "true");

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }

}
 

public static void main(String args[]) throws Exception {
    // MD5 is used in this test case, don't disable MD5 algorithm.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // set the validation time
    params.setDate(new Date(109, 5, 1));   // 2009-05-01

    // disable OCSP checker
    Security.setProperty("ocsp.enable", "false");

    // enable CRL checker
    System.setProperty("com.sun.security.enableCRLDP", "true");

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    throw new CertPathValidatorException(
            "Algorithm constraints check failed on disabled " +
                    "algorithm: " + algorithm + extendedMsg(cp),
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
 

private boolean isSoftFailException(CertPathValidatorException e) {
    if (softFail &&
        e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
    {
        // recreate exception with correct index
        CertPathValidatorException e2 = new CertPathValidatorException(
            e.getMessage(), e.getCause(), params.certPath(), certIndex,
            e.getReason());
        softFailExceptions.addFirst(e2);
        return true;
    }
    return false;
}
 

private boolean isSoftFailException(CertPathValidatorException e) {
    if (softFail &&
        e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
    {
        // recreate exception with correct index
        CertPathValidatorException e2 = new CertPathValidatorException(
            e.getMessage(), e.getCause(), params.certPath(), certIndex,
            e.getReason());
        softFailExceptions.addFirst(e2);
        return true;
    }
    return false;
}
 

public static void main(String args[]) throws Exception {
    // MD5 is used in this test case, don't disable MD5 algorithm.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // set the validation time
    params.setDate(new Date(109, 5, 1));   // 2009-05-01

    // disable OCSP checker
    Security.setProperty("ocsp.enable", "false");

    // enable CRL checker
    System.setProperty("com.sun.security.enableCRLDP", "true");

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 

/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    byte[] nonce = null;
    for (Extension ext : extensions) {
        if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
            nonce = ext.getValue();
        }
    }

    OCSPResponse ocspResponse = null;
    try {
        byte[] response = getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(response);

        // verify the response
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 

public static void main(String args[]) throws Exception {
    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // set the validation time
    params.setDate(new Date(109, 5, 1));   // 2009-05-01

    // disable OCSP checker
    Security.setProperty("ocsp.enable", "false");

    // enable CRL checker
    System.setProperty("com.sun.security.enableCRLDP", "true");

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    throw new CertPathValidatorException(
            "Algorithm constraints check failed on disabled " +
                    "algorithm: " + algorithm + extendedMsg(cp),
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
 

public static void main(String args[]) throws Exception {
    // MD5 is used in this test case, don't disable MD5 algorithm.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // Activate OCSP
    Security.setProperty("ocsp.enable", "true");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    // Ensure that the ocsp.responderURL property is not set.
    if (Security.getProperty("ocsp.responderURL") != null) {
        throw new
            Exception("The ocsp.responderURL property must not be set");
    }

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 

@Override
public void permits(ConstraintsParameters cp)
        throws CertPathValidatorException {
    for (String usage : usages) {

        String v = null;
        if (usage.compareToIgnoreCase("TLSServer") == 0) {
            v = Validator.VAR_TLS_SERVER;
        } else if (usage.compareToIgnoreCase("TLSClient") == 0) {
            v = Validator.VAR_TLS_CLIENT;
        } else if (usage.compareToIgnoreCase("SignedJAR") == 0) {
            v = Validator.VAR_PLUGIN_CODE_SIGNING;
        }

        if (debug != null) {
            debug.println("Checking if usage constraint \"" + v +
                    "\" matches \"" + cp.getVariant() + "\"");
            // Because usage checking can come from many places
            // a stack trace is very helpful.
            ByteArrayOutputStream ba = new ByteArrayOutputStream();
            PrintStream ps = new PrintStream(ba);
            (new Exception()).printStackTrace(ps);
            debug.println(ba.toString());
        }
        if (cp.getVariant().compareTo(v) == 0) {
            if (next(cp)) {
                return;
            }
            throw new CertPathValidatorException("Usage constraint " +
                    usage + " check failed: " + algorithm +
                    extendedMsg(cp),
                    null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
        }
    }
}
 

/**
 * We have a cert whose revocation status couldn't be verified by
 * a CRL issued by the cert that issued the CRL. See if we can
 * find a valid CRL issued by a separate key that can verify the
 * revocation status of this certificate.
 * <p>
 * Note that this does not provide support for indirect CRLs,
 * only CRLs signed with a different key (but the same issuer
 * name) as the certificate being checked.
 *
 * @param currCert the <code>X509Certificate</code> to be checked
 * @param prevKey the <code>PublicKey</code> that failed
 * @param signFlag <code>true</code> if that key was trusted to sign CRLs
 * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
 *                     whose revocation status depends on the
 *                     non-revoked status of this cert. To avoid
 *                     circular dependencies, we assume they're
 *                     revoked while checking the revocation
 *                     status of this cert.
 * @throws CertPathValidatorException if the cert's revocation status
 *         cannot be verified successfully with another key
 */
private void verifyWithSeparateSigningKey(X509Certificate cert,
                                          PublicKey prevKey,
                                          boolean signFlag,
                                          Set<X509Certificate> stackedCerts)
    throws CertPathValidatorException
{
    String msg = "revocation status";
    if (debug != null) {
        debug.println(
            "RevocationChecker.verifyWithSeparateSigningKey()" +
            " ---checking " + msg + "...");
    }

    // Reject circular dependencies - RFC 5280 is not explicit on how
    // to handle this, but does suggest that they can be a security
    // risk and can create unresolvable dependencies
    if ((stackedCerts != null) && stackedCerts.contains(cert)) {
        if (debug != null) {
            debug.println(
                "RevocationChecker.verifyWithSeparateSigningKey()" +
                " circular dependency");
        }
        throw new CertPathValidatorException
            ("Could not determine revocation status", null, null, -1,
             BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    // Try to find another key that might be able to sign
    // CRLs vouching for this cert.
    // If prevKey wasn't trusted, maybe we just didn't have the right
    // path to it. Don't rule that key out.
    if (!signFlag) {
        buildToNewKey(cert, null, stackedCerts);
    } else {
        buildToNewKey(cert, prevKey, stackedCerts);
    }
}
 

public static void main(String args[]) throws Exception {
    CertPath path = generateCertificatePath();
    Set<TrustAnchor> anchors = generateTrustAnchors();
    CertStore crls = generateCertificateStore();

    PKIXParameters params = new PKIXParameters(anchors);

    // add the CRL store
    params.addCertStore(crls);

    // Activate certificate revocation checking
    params.setRevocationEnabled(true);

    // Activate OCSP
    Security.setProperty("ocsp.enable", "true");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    // Ensure that the ocsp.responderURL property is not set.
    if (Security.getProperty("ocsp.responderURL") != null) {
        throw new
            Exception("The ocsp.responderURL property must not be set");
    }

    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    try {
        validator.validate(path, params);
    } catch (CertPathValidatorException cpve) {
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 

private boolean isSoftFailException(CertPathValidatorException e) {
    if (softFail &&
        e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
    {
        // recreate exception with correct index
        CertPathValidatorException e2 = new CertPathValidatorException(
            e.getMessage(), e.getCause(), params.certPath(), certIndex,
            e.getReason());
        softFailExceptions.addFirst(e2);
        return true;
    }
    return false;
}
 

private boolean isSoftFailException(CertPathValidatorException e) {
    if (softFail &&
        e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
    {
        // recreate exception with correct index
        CertPathValidatorException e2 = new CertPathValidatorException(
            e.getMessage(), e.getCause(), params.certPath(), certIndex,
            e.getReason());
        softFailExceptions.addFirst(e2);
        return true;
    }
    return false;
}
 

/**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
 */
static void check(PublicKey key, AlgorithmId algorithmId)
                    throws CertPathValidatorException {
    String sigAlgName = algorithmId.getName();
    AlgorithmParameters sigAlgParams = algorithmId.getParameters();

    if (!certPathDefaultConstraints.permits(
            SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
        throw new CertPathValidatorException(
            "algorithm check failed: " + sigAlgName + " is disabled",
            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
    }
}