java.security.cert.TrustAnchor Java Examples

public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
 

/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
 

public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
 

/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 

/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
 

public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate, String hostName) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;
    this.hostName = hostName;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = Arrays.stream(tm.getAcceptedIssuers()).map(c -> new TrustAnchor(c, null)).collect(Collectors.toSet());
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }

}
 

public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
 

public static Collection<TrustAnchor> getTrustAnchor (KeyStore keyStore) throws KeyStoreException {
    Set<TrustAnchor> certs = new HashSet<> ();
    for (String alias: Collections.list (keyStore.aliases ())) {
        Certificate[] certificateChain = keyStore.getCertificateChain(alias);
        if (certificateChain != null) {
            for(Certificate cert: certificateChain) {
                if(cert instanceof X509Certificate) {
                    certs.add(new TrustAnchor((X509Certificate) cert, null));
                }
            }
        }
        Certificate aliasCert = keyStore.getCertificate(alias);
        if(aliasCert instanceof X509Certificate) {
            certs.add(new TrustAnchor((X509Certificate) aliasCert, null));
        }
    }
    return certs;
}
 

public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }
    OCSPResponse ocspResponse = check(Collections.singletonList(certId),
            responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
            responderCert, date, extensions, variant);
    return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
 

public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
 

public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
 

public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
 

/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
 

/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
 

/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 

public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuer = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer);
        if (anchors == null) {
            return null;
        }

        for (TrustAnchor anchor : anchors) {
            PublicKey publicKey;
            try {
                X509Certificate caCert = anchor.getTrustedCert();
                if (caCert != null) {
                    publicKey = caCert.getPublicKey();
                } else {
                    publicKey = anchor.getCAPublicKey();
                }
                cert.verify(publicKey);
                return anchor;
            } catch (Exception ignored) {
            }
        }
    }
    return null;
}
 

/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
 

public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
 

void validateCertChain(List<? extends Certificate> certs) throws Exception {
    int cpLen = 0;
    out: for (; cpLen<certs.size(); cpLen++) {
        for (TrustAnchor ta: pkixParameters.getTrustAnchors()) {
            if (ta.getTrustedCert().equals(certs.get(cpLen))) {
                break out;
            }
        }
    }
    if (cpLen > 0) {
        CertPath cp = certificateFactory.generateCertPath(
                (cpLen == certs.size())? certs: certs.subList(0, cpLen));
        validator.validate(cp, pkixParameters);
    }
}
 

public static void createParams() throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile("sun.cer"), null);
    Set anchors = Collections.singleton(anchor);
    // Create odd CertSelector
    sel = new OddSel();
    params = new PKIXBuilderParameters(anchors, sel);
    params.setRevocationEnabled(false);
}
 

@Override
public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
        throws InvalidAlgorithmParameterException {
    // To avoid problems with PKIXBuilderParameter's constructors
    if (p == null) {
        return;
    }
    p.setTrustAnchors(trustAnchors);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param testDate the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
        this.caName = anchor.getTrustedCert().getSubjectX500Principal();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
        this.caName = anchor.getCA();
    }
    this.date = date;
    this.sigProvider = sigProvider;
    this.sigOnly = sigOnly;
    this.prevPubKey = trustedPubKey;
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

@Test
void provide_test() {
    MetadataStatementsProvider metadataStatementsProvider = mock(MetadataStatementsProvider.class);
    AAGUID aaguid = new AAGUID("49e25c43-a6d1-49f0-bcfa-23e23a7c0e52");
    when(metadataStatementsProvider.provide()).thenReturn(Collections.singletonMap(aaguid, Collections.singleton(TestDataUtil.createMetadataStatement())));
    MetadataStatementsTrustAnchorsProvider metadataStatementsTrustAnchorsProvider = new MetadataStatementsTrustAnchorsProvider(metadataStatementsProvider);
    Map<AAGUID, Set<TrustAnchor>> result = metadataStatementsTrustAnchorsProvider.provide();
    assertThat(result.get(aaguid).stream().map(TrustAnchor::getTrustedCert)).contains(TestAttestationUtil.load3tierTestAuthenticatorAttestationCertificate());
}
 

void validateCertChain(List<? extends Certificate> certs) throws Exception {
    int cpLen = 0;
    out: for (; cpLen<certs.size(); cpLen++) {
        for (TrustAnchor ta: pkixParameters.getTrustAnchors()) {
            if (ta.getTrustedCert().equals(certs.get(cpLen))) {
                break out;
            }
        }
    }
    if (cpLen > 0) {
        CertPath cp = certificateFactory.generateCertPath(
                (cpLen == certs.size())? certs: certs.subList(0, cpLen));
        validator.validate(cp, pkixParameters);
    }
}