java.security.cert.PKIXCertPathBuilderResult Java Examples

/**
 * Log information from the constructed cert path at level debug.
 * 
 * @param buildResult the PKIX cert path builder result containing the cert path and trust anchor
 * @param targetCert the cert untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate cert : buildResult.getCertPath().getCertificates()) {
        log.debug("CertPath certificate: {}", x500DNHandler.getName(((X509Certificate) cert)
                .getSubjectX500Principal()));
    }
    TrustAnchor ta = buildResult.getTrustAnchor();
    if (ta.getTrustedCert() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getTrustedCert().getSubjectX500Principal()));
    } else if (ta.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getCA()));
    } else {
        log.debug("TrustAnchor: {}", ta.getCAName());
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void validateTrustChain(X509Certificate certificate,
                                      List<X509Certificate> chain,
                                      Set<X509Certificate> trustedCertificates,
                                      Set<X509Certificate> authorityCertificates) throws UaException {

    boolean certificateTrusted = trustedCertificates.stream()
            .anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));

    if (certificateTrusted) return;

    try {
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        authorityCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        params.setRevocationEnabled(false);

        CertStore intermediateCertStore =
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain));

        params.addCertStore(intermediateCertStore);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
    } catch (Throwable t) {
        throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
    }
}
 

/**
 * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
 * other validation methods.
 *
 * The first certificate in the chain is expected to be the end-entity certificate.
 *
 * The last certificate in the chain is expected to be the root CA certificate.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain( X509Certificate[] chain ) throws Exception
{
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate( chain[0] );

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    trustAnchors.add(new TrustAnchor(chain[ chain.length - 1], null));

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
            trustAnchors, selector);

    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i=1; i<chain.length -1; i++)
    {
        intermediateCerts.add( chain[ i ] );
    }

    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder
            .build(pkixParams);

    return result;
}
 

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
	X509Certificate issuer = issuers.get(0);
	ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.CHAIN, CertificateValidity.UNKNOWN);

	try {
		ArrayList<X509Certificate> chains = new ArrayList<X509Certificate>();
		chains.add(certificate);
		chains.addAll(issuers);

		Principal subjectX500Principal = certificate.getSubjectX500Principal();

		PKIXCertPathBuilderResult certPathResult = verifyCertificate(certificate, chains);
		if (certPathResult == null) {
			log.warn("Chain status is not valid for '" + subjectX500Principal + "'");
			status.setValidity(CertificateValidity.INVALID);
			return status;
		}

		log.debug("Chain status is valid for '" + subjectX500Principal + "'");
		status.setValidity(CertificateValidity.VALID);
	} catch (Exception ex) {
		log.error("OCSP exception: ", ex);
	}

	return status;
}
 

/**
 * Attempts to build a certification chain for given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts)
		throws GeneralSecurityException {

	// Create the selector that specifies the starting certificate
	X509CertSelector selector = new X509CertSelector();
	selector.setBasicConstraints(-2);
	selector.setCertificate(certificate);

	// Create the trust anchors (set of root CA certificates)
	Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
	for (X509Certificate trustedRootCert : trustedRootCerts) {
		trustAnchors.add(new TrustAnchor(trustedRootCert, null));
	}

	// Configure the PKIX certificate builder algorithm parameters
	PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

	// Turn off default revocation-checking mechanism
	pkixParams.setRevocationEnabled(false);

	// Specify a list of intermediate certificates
	CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
	pkixParams.addCertStore(intermediateCertStore);

	// Build and verify the certification chain
	CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

	// Additional check to Verify cert path
	CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);

	return certPathBuilderResult;
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(final X509Certificate[] x509Certificates,
                                                               final Set<TrustAnchor> trustAnchors,
                                                               final Set<Certificate> otherCerts)
        throws GeneralSecurityException
{
    Set<Certificate> storeCerts = new HashSet<>();
    storeCerts.addAll(otherCerts);

    Iterator<X509Certificate> iterator = Arrays.asList(x509Certificates).iterator();

    if (!iterator.hasNext())
    {
        throw new IllegalArgumentException("Peer certificate not found");
    }

    final X509Certificate peerCertificate = iterator.next();
    while (iterator.hasNext())
    {
        X509Certificate intermediate = iterator.next();
        storeCerts.add(intermediate);
    }


    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(peerCertificate);
    // IBM JDK seems to require that the peer's certficate exists in the Collection too
    storeCerts.add(peerCertificate);

    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParams.setRevocationEnabled(false);

    CertStore intermediateCertStore = CertStore.getInstance("Collection",
                                                            new CollectionCertStoreParameters(storeCerts));
    pkixParams.addCertStore(intermediateCertStore);

    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}