Java Code Examples for java.security.cert.TrustAnchor#getCA()

The following examples show how to use java.security.cert.TrustAnchor#getCA().
Example 1
Source File: OCSPResponse.java    From jdk8u_jdk with GNU General Public License v2.0 6 votes vote down vote up
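/**
 * Captures the issuer's name, public key and (when available) certificate
 * from an explicit issuer certificate or, failing that, from a trust anchor.
 *
 * <p>{@code issuerCert} takes precedence. When it is {@code null}, the
 * anchor's trusted certificate is used if the anchor has one. Only an anchor
 * without a certificate is read through {@code getCA()} and
 * {@code getCAPublicKey()}: those getters return {@code null} for an anchor
 * that was created from a certificate, which would otherwise leave the name
 * and key unset.
 *
 * @param anchor the trust anchor; may be {@code null} when
 *        {@code issuerCert} is supplied
 * @param issuerCert the issuer certificate; may be {@code null} when
 *        {@code anchor} is supplied
 * @throws NullPointerException if both arguments are {@code null}
 */
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;

    // anchor is non-null whenever issuerCert is null (checked above).
    X509Certificate cert = (issuerCert != null)
            ? issuerCert : anchor.getTrustedCert();
    if (cert != null) {
        name = cert.getSubjectX500Principal();
        pubKey = cert.getPublicKey();
    } else {
        // Anchor given as a {CA name, public key} pair.
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
    }
    certificate = cert;
}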
 
Example 2
Source File: OCSPResponse.java    From openjdk-jdk9 with GNU General Public License v2.0 6 votes vote down vote up
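/**
 * Records the issuer identity (name, public key, optional certificate) taken
 * from {@code issuerCert} or, when that is {@code null}, from {@code anchor}.
 *
 * <p>An anchor that wraps a trusted certificate reports {@code null} from
 * {@code getCA()} and {@code getCAPublicKey()}, so the anchor's certificate
 * is consulted before those getters. This keeps the name and key populated
 * when the caller passes a certificate-based anchor without an issuer
 * certificate.
 *
 * @param anchor the trust anchor; may be {@code null} when
 *        {@code issuerCert} is supplied
 * @param issuerCert the issuer certificate; may be {@code null} when
 *        {@code anchor} is supplied
 * @throws NullPointerException if both arguments are {@code null}
 */
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;

    // The guard above guarantees anchor != null on the right-hand branch.
    X509Certificate cert = (issuerCert != null)
            ? issuerCert : anchor.getTrustedCert();
    if (cert != null) {
        name = cert.getSubjectX500Principal();
        pubKey = cert.getPublicKey();
    } else {
        // No certificate anywhere: the anchor is a {CA name, key} pair.
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
    }
    certificate = cert;
}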
 
Example 3
Source File: OCSPResponse.java    From Bytecoder with Apache License 2.0 6 votes vote down vote up
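/**
 * Captures the issuer's name, public key and (when available) certificate
 * from an explicit issuer certificate or, failing that, from a trust anchor.
 *
 * <p>{@code issuerCert} takes precedence. When it is {@code null}, the
 * anchor's trusted certificate is used if the anchor has one. Only an anchor
 * without a certificate is read through {@code getCA()} and
 * {@code getCAPublicKey()}: those getters return {@code null} for an anchor
 * that was created from a certificate, which would otherwise leave the name
 * and key unset.
 *
 * @param anchor the trust anchor; may be {@code null} when
 *        {@code issuerCert} is supplied
 * @param issuerCert the issuer certificate; may be {@code null} when
 *        {@code anchor} is supplied
 * @throws NullPointerException if both arguments are {@code null}
 */
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;

    // anchor is non-null whenever issuerCert is null (checked above).
    X509Certificate cert = (issuerCert != null)
            ? issuerCert : anchor.getTrustedCert();
    if (cert != null) {
        name = cert.getSubjectX500Principal();
        pubKey = cert.getPublicKey();
    } else {
        // Anchor given as a {CA name, public key} pair.
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
    }
    certificate = cert;
}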
 
Example 4
Source File: CertPathPKIXTrustEvaluator.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Log information from the constructed cert path at level debug.
 * 
 * @param buildResult the PKIX cert path builder result containing the cert path and trust anchor
 * @param targetCert the untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));

    // One line per certificate in the built path, in the order the path returns them.
    for (Certificate pathEntry : buildResult.getCertPath().getCertificates()) {
        X509Certificate x509 = (X509Certificate) pathEntry;
        log.debug("CertPath certificate: {}", x500DNHandler.getName(x509.getSubjectX500Principal()));
    }

    // Name the anchor by the most specific form it offers: its certificate's
    // subject, then its CA principal, then the plain CA name string.
    TrustAnchor anchor = buildResult.getTrustAnchor();
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchorCert.getSubjectX500Principal()));
        return;
    }
    if (anchor.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getCA()));
        return;
    }
    log.debug("TrustAnchor: {}", anchor.getCAName());
}
 
Example 5
Source File: OCSPResponse.java    From openjdk-jdk8u-backup with GNU General Public License v2.0 6 votes vote down vote up
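/**
 * Records the issuer identity (name, public key, optional certificate) taken
 * from {@code issuerCert} or, when that is {@code null}, from {@code anchor}.
 *
 * <p>An anchor that wraps a trusted certificate reports {@code null} from
 * {@code getCA()} and {@code getCAPublicKey()}, so the anchor's certificate
 * is consulted before those getters. This keeps the name and key populated
 * when the caller passes a certificate-based anchor without an issuer
 * certificate.
 *
 * @param anchor the trust anchor; may be {@code null} when
 *        {@code issuerCert} is supplied
 * @param issuerCert the issuer certificate; may be {@code null} when
 *        {@code anchor} is supplied
 * @throws NullPointerException if both arguments are {@code null}
 */
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;

    // The guard above guarantees anchor != null on the right-hand branch.
    X509Certificate cert = (issuerCert != null)
            ? issuerCert : anchor.getTrustedCert();
    if (cert != null) {
        name = cert.getSubjectX500Principal();
        pubKey = cert.getPublicKey();
    } else {
        // No certificate anywhere: the anchor is a {CA name, key} pair.
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
    }
    certificate = cert;
}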
 
Example 6
Source File: BasicChecker.java    From openjdk-8-source with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    // A certificate-based anchor carries its key and name inside the
    // certificate; otherwise read the anchor's own CA key and CA name.
    final boolean certAnchor = anchor.getTrustedCert() != null;
    this.trustedPubKey = certAnchor
            ? anchor.getTrustedCert().getPublicKey()
            : anchor.getCAPublicKey();
    this.caName = certAnchor
            ? anchor.getTrustedCert().getSubjectX500Principal()
            : anchor.getCA();

    this.sigOnly = sigOnly;
    this.sigProvider = sigProvider;
    this.date = date;

    // prevPubKey starts out as the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 7
Source File: BasicChecker.java    From jdk8u_jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    this.date = date;
    this.sigProvider = sigProvider;
    this.sigOnly = sigOnly;

    // Take name and key from the anchor's {CA name, key} pair only when
    // the anchor has no certificate; a certificate, if present, wins.
    if (anchor.getTrustedCert() == null) {
        this.caName = anchor.getCA();
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.caName = anchor.getTrustedCert().getSubjectX500Principal();
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    }

    // The "previous" key is seeded with the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 8
Source File: TrustedCertificateIndex.java    From cwac-netsecurity with Apache License 2.0 5 votes vote down vote up
/**
 * Adds {@code anchor} to the list of anchors kept for its subject.
 *
 * <p>The subject is the trusted certificate's subject when the anchor has a
 * certificate, otherwise the anchor's CA principal. An anchor whose
 * certificate equals one already listed under that subject is not added
 * again; anchors without a certificate are always appended. The lookup and
 * update run while holding the monitor of {@code subjectToTrustAnchors}.
 *
 * @param anchor the trust anchor to index
 */
public void index(TrustAnchor anchor) {
    final X509Certificate trustedCert = anchor.getTrustedCert();
    final X500Principal key = (trustedCert != null)
            ? trustedCert.getSubjectX500Principal()
            : anchor.getCA();

    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> bucket = subjectToTrustAnchors.get(key);
        if (bucket == null) {
            // First anchor for this subject: nothing to de-duplicate against.
            bucket = new ArrayList<TrustAnchor>(1);
            subjectToTrustAnchors.put(key, bucket);
            bucket.add(anchor);
            return;
        }

        // Avoid indexing the same certificate multiple times
        if (trustedCert != null) {
            for (TrustAnchor existing : bucket) {
                if (trustedCert.equals(existing.getTrustedCert())) {
                    return;
                }
            }
        }
        bucket.add(anchor);
    }
}
 
Example 9
Source File: BasicChecker.java    From jdk8u-jdk with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    // A certificate-based anchor carries its key and name inside the
    // certificate; otherwise read the anchor's own CA key and CA name.
    final boolean certAnchor = anchor.getTrustedCert() != null;
    this.trustedPubKey = certAnchor
            ? anchor.getTrustedCert().getPublicKey()
            : anchor.getCAPublicKey();
    this.caName = certAnchor
            ? anchor.getTrustedCert().getSubjectX500Principal()
            : anchor.getCA();

    this.sigOnly = sigOnly;
    this.sigProvider = sigProvider;
    this.date = date;

    // prevPubKey starts out as the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 10
Source File: BasicChecker.java    From openjdk-jdk9 with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    this.date = date;
    this.sigProvider = sigProvider;
    this.sigOnly = sigOnly;

    // Take name and key from the anchor's {CA name, key} pair only when
    // the anchor has no certificate; a certificate, if present, wins.
    if (anchor.getTrustedCert() == null) {
        this.caName = anchor.getCA();
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.caName = anchor.getTrustedCert().getSubjectX500Principal();
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    }

    // The "previous" key is seeded with the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 11
Source File: BasicChecker.java    From Bytecoder with Apache License 2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    // A certificate-based anchor carries its key and name inside the
    // certificate; otherwise read the anchor's own CA key and CA name.
    final boolean certAnchor = anchor.getTrustedCert() != null;
    this.trustedPubKey = certAnchor
            ? anchor.getTrustedCert().getPublicKey()
            : anchor.getCAPublicKey();
    this.caName = certAnchor
            ? anchor.getTrustedCert().getSubjectX500Principal()
            : anchor.getCA();

    this.sigOnly = sigOnly;
    this.sigProvider = sigProvider;
    this.date = date;

    // prevPubKey starts out as the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 12
Source File: BasicChecker.java    From jdk8u60 with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    this.date = date;
    this.sigProvider = sigProvider;
    this.sigOnly = sigOnly;

    // Take name and key from the anchor's {CA name, key} pair only when
    // the anchor has no certificate; a certificate, if present, wins.
    if (anchor.getTrustedCert() == null) {
        this.caName = anchor.getCA();
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.caName = anchor.getTrustedCert().getSubjectX500Principal();
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    }

    // The "previous" key is seeded with the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 13
Source File: BasicChecker.java    From j2objc with Apache License 2.0 5 votes vote down vote up
/**
 * Constructor that initializes the input parameters.
 *
 * @param anchor the anchor selected to validate the target certificate
 * @param date the time for which the validity of the certificate
 *        should be determined
 * @param sigProvider the name of the signature provider
 * @param sigOnly true if only signature checking is to be done;
 *        if false, all checks are done
 */
BasicChecker(TrustAnchor anchor, Date date, String sigProvider,
             boolean sigOnly) {
    // A certificate-based anchor carries its key and name inside the
    // certificate; otherwise read the anchor's own CA key and CA name.
    final boolean certAnchor = anchor.getTrustedCert() != null;
    this.trustedPubKey = certAnchor
            ? anchor.getTrustedCert().getPublicKey()
            : anchor.getCAPublicKey();
    this.caName = certAnchor
            ? anchor.getTrustedCert().getSubjectX500Principal()
            : anchor.getCA();

    this.sigOnly = sigOnly;
    this.sigProvider = sigProvider;
    this.date = date;

    // prevPubKey starts out as the anchor's key.
    this.prevPubKey = this.trustedPubKey;
}
 
Example 14
Source File: ForwardBuilder.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Verifies whether the input certificate completes the path.
 * Checks the cert against each trust anchor that was specified, in order,
 * and returns true as soon as it finds a valid anchor.
 * Returns true if the cert matches a trust anchor specified as a
 * certificate or if the cert verifies with a trust anchor that
 * was specified as a trusted {pubkey, caname} pair. Returns false if none
 * of the trust anchors are valid for this cert.
 *
 * @param cert the certificate to test
 * @return a boolean value indicating whether the cert completes the path.
 */
@Override
boolean isPathCompleted(X509Certificate cert) {
    // Anchors are tried in iteration order; the first one that accepts cert
    // is stored in this.trustAnchor and ends the search.
    for (TrustAnchor anchor : trustAnchors) {
        // Case 1: anchor supplied as a certificate. The only way to match is
        // for cert to be equal to that certificate; no name, key or
        // signature comparison is attempted for this kind of anchor.
        if (anchor.getTrustedCert() != null) {
            if (cert.equals(anchor.getTrustedCert())) {
                this.trustAnchor = anchor;
                return true;
            } else {
                continue;
            }
        }
        // Case 2: anchor without a certificate, read as a name/key pair.
        // Both values are treated as possibly null below.
        X500Principal principal = anchor.getCA();
        PublicKey publicKey = anchor.getCAPublicKey();

        // Same subject name AND same public key as the anchor: cert is
        // accepted as the anchor itself, without any signature check.
        if (principal != null && publicKey != null &&
                principal.equals(cert.getSubjectX500Principal())) {
            if (publicKey.equals(cert.getPublicKey())) {
                // the cert itself is a trust anchor
                this.trustAnchor = anchor;
                return true;
            }
            // else, it is a self-issued certificate of the anchor
        }

        // Check subject/issuer name chaining: cert's issuer must equal the
        // anchor's name, otherwise this anchor cannot have issued cert.
        if (principal == null ||
                !principal.equals(cert.getIssuerX500Principal())) {
            continue;
        }

        // skip anchor if it contains a DSA key with no DSA params
        if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
            continue;
        }

        /*
         * Check signature: cert must verify under the anchor's public key,
         * using the provider returned by buildParams.sigProvider().
         */
        try {
            cert.verify(publicKey, buildParams.sigProvider());
        } catch (InvalidKeyException ike) {
            // Key unusable for verification: this anchor is skipped.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() invalid "
                              + "DSA key found");
            }
            continue;
        } catch (GeneralSecurityException e){
            // Any other verification failure also just rejects this anchor;
            // the exception is never propagated. The stack trace is printed
            // only when debug is non-null.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() " +
                              "unexpected exception");
                e.printStackTrace();
            }
            continue;
        }

        // Issuer name matched and the signature verified with the anchor key.
        this.trustAnchor = anchor;
        return true;
    }

    // No anchor accepted cert; this.trustAnchor is left untouched.
    return false;
}
 
Example 15
Source File: ReverseState.java    From openjdk-8-source with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // Seed the state from the anchor's certificate when it has one,
    // otherwise from its {public key, CA name} pair.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        updateState(anchor.getCAPublicKey(), anchor.getCA());
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean sawRevocationChecker = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }

        // A second revocation checker in the list is rejected outright.
        if (sawRevocationChecker) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // if it's our own, initialize it
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        sawRevocationChecker = true;
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !sawRevocationChecker) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example 16
Source File: ReverseState.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // Seed the state from the anchor's certificate when it has one,
    // otherwise from its {public key, CA name} pair.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        updateState(anchor.getCAPublicKey(), anchor.getCA());
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean sawRevocationChecker = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }

        // A second revocation checker in the list is rejected outright.
        if (sawRevocationChecker) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // if it's our own, initialize it
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        sawRevocationChecker = true;
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !sawRevocationChecker) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example 17
Source File: ForwardBuilder.java    From jdk8u60 with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Verifies whether the input certificate completes the path.
 * Checks the cert against each trust anchor that was specified, in order,
 * and returns true as soon as it finds a valid anchor.
 * Returns true if the cert matches a trust anchor specified as a
 * certificate or if the cert verifies with a trust anchor that
 * was specified as a trusted {pubkey, caname} pair. Returns false if none
 * of the trust anchors are valid for this cert.
 *
 * @param cert the certificate to test
 * @return a boolean value indicating whether the cert completes the path.
 */
@Override
boolean isPathCompleted(X509Certificate cert) {
    // Anchors are tried in iteration order; the first one that accepts cert
    // is stored in this.trustAnchor and ends the search.
    for (TrustAnchor anchor : trustAnchors) {
        // Case 1: anchor supplied as a certificate. The only way to match is
        // for cert to be equal to that certificate; no name, key or
        // signature comparison is attempted for this kind of anchor.
        if (anchor.getTrustedCert() != null) {
            if (cert.equals(anchor.getTrustedCert())) {
                this.trustAnchor = anchor;
                return true;
            } else {
                continue;
            }
        }
        // Case 2: anchor without a certificate, read as a name/key pair.
        // Both values are treated as possibly null below.
        X500Principal principal = anchor.getCA();
        PublicKey publicKey = anchor.getCAPublicKey();

        // Same subject name AND same public key as the anchor: cert is
        // accepted as the anchor itself, without any signature check.
        if (principal != null && publicKey != null &&
                principal.equals(cert.getSubjectX500Principal())) {
            if (publicKey.equals(cert.getPublicKey())) {
                // the cert itself is a trust anchor
                this.trustAnchor = anchor;
                return true;
            }
            // else, it is a self-issued certificate of the anchor
        }

        // Check subject/issuer name chaining: cert's issuer must equal the
        // anchor's name, otherwise this anchor cannot have issued cert.
        if (principal == null ||
                !principal.equals(cert.getIssuerX500Principal())) {
            continue;
        }

        // skip anchor if it contains a DSA key with no DSA params
        if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
            continue;
        }

        /*
         * Check signature: cert must verify under the anchor's public key,
         * using the provider returned by buildParams.sigProvider().
         */
        try {
            cert.verify(publicKey, buildParams.sigProvider());
        } catch (InvalidKeyException ike) {
            // Key unusable for verification: this anchor is skipped.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() invalid "
                              + "DSA key found");
            }
            continue;
        } catch (GeneralSecurityException e){
            // Any other verification failure also just rejects this anchor;
            // the exception is never propagated. The stack trace is printed
            // only when debug is non-null.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() " +
                              "unexpected exception");
                e.printStackTrace();
            }
            continue;
        }

        // Issuer name matched and the signature verified with the anchor key.
        this.trustAnchor = anchor;
        return true;
    }

    // No anchor accepted cert; this.trustAnchor is left untouched.
    return false;
}
 
Example 18
Source File: ForwardBuilder.java    From j2objc with Apache License 2.0 4 votes vote down vote up
/**
 * Verifies whether the input certificate completes the path.
 * Checks the cert against each trust anchor that was specified, in order,
 * and returns true as soon as it finds a valid anchor.
 * Returns true if the cert matches a trust anchor specified as a
 * certificate or if the cert verifies with a trust anchor that
 * was specified as a trusted {pubkey, caname} pair. Returns false if none
 * of the trust anchors are valid for this cert.
 *
 * @param cert the certificate to test
 * @return a boolean value indicating whether the cert completes the path.
 */
@Override
boolean isPathCompleted(X509Certificate cert) {
    // Anchors are tried in iteration order; the first one that accepts cert
    // is stored in this.trustAnchor and ends the search.
    for (TrustAnchor anchor : trustAnchors) {
        // Case 1: anchor supplied as a certificate. The only way to match is
        // for cert to be equal to that certificate; no name, key or
        // signature comparison is attempted for this kind of anchor.
        if (anchor.getTrustedCert() != null) {
            if (cert.equals(anchor.getTrustedCert())) {
                this.trustAnchor = anchor;
                return true;
            } else {
                continue;
            }
        }
        // Case 2: anchor without a certificate, read as a name/key pair.
        // Both values are treated as possibly null below.
        X500Principal principal = anchor.getCA();
        PublicKey publicKey = anchor.getCAPublicKey();

        // Same subject name AND same public key as the anchor: cert is
        // accepted as the anchor itself, without any signature check.
        if (principal != null && publicKey != null &&
                principal.equals(cert.getSubjectX500Principal())) {
            if (publicKey.equals(cert.getPublicKey())) {
                // the cert itself is a trust anchor
                this.trustAnchor = anchor;
                return true;
            }
            // else, it is a self-issued certificate of the anchor
        }

        // Check subject/issuer name chaining: cert's issuer must equal the
        // anchor's name, otherwise this anchor cannot have issued cert.
        if (principal == null ||
                !principal.equals(cert.getIssuerX500Principal())) {
            continue;
        }

        // skip anchor if it contains a DSA key with no DSA params
        if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
            continue;
        }

        /*
         * Check signature: cert must verify under the anchor's public key.
         * The provider-specific overload is used only when a signature
         * provider is configured; otherwise the one-argument verify is called.
         */
        try {
            if (buildParams.sigProvider() != null) {
                cert.verify(publicKey, buildParams.sigProvider());
            } else {
                cert.verify(publicKey);
            }
        } catch (InvalidKeyException ike) {
            // Key unusable for verification: this anchor is skipped.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() invalid "
                              + "DSA key found");
            }
            continue;
        } catch (GeneralSecurityException e){
            // Any other verification failure also just rejects this anchor;
            // the exception is never propagated. The stack trace is printed
            // only when debug is non-null.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() " +
                              "unexpected exception");
                e.printStackTrace();
            }
            continue;
        }

        // Issuer name matched and the signature verified with the anchor key.
        this.trustAnchor = anchor;
        return true;
    }

    // No anchor accepted cert; this.trustAnchor is left untouched.
    return false;
}
 
Example 19
Source File: ReverseState.java    From jdk8u-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;

    // Seed the state from the anchor's certificate when it has one,
    // otherwise from its {public key, CA name} pair.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        updateState(anchor.getCAPublicKey(), anchor.getCA());
    } else {
        updateState(anchorCert);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean sawRevocationChecker = false;
    for (PKIXCertPathChecker userChecker : userCheckers) {
        if (userChecker instanceof AlgorithmChecker) {
            ((AlgorithmChecker) userChecker).trySetTrustAnchor(anchor);
            continue;
        }
        if (!(userChecker instanceof PKIXRevocationChecker)) {
            continue;
        }

        // A second revocation checker in the list is rejected outright.
        if (sawRevocationChecker) {
            throw new CertPathValidatorException(
                "Only one PKIXRevocationChecker can be specified");
        }
        // if it's our own, initialize it
        if (userChecker instanceof RevocationChecker) {
            ((RevocationChecker) userChecker).init(anchor, buildParams);
        }
        ((PKIXRevocationChecker) userChecker).init(false);
        sawRevocationChecker = true;
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !sawRevocationChecker) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
 
Example 20
Source File: ForwardBuilder.java    From jdk8u-dev-jdk with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Verifies whether the input certificate completes the path.
 * Checks the cert against each trust anchor that was specified, in order,
 * and returns true as soon as it finds a valid anchor.
 * Returns true if the cert matches a trust anchor specified as a
 * certificate or if the cert verifies with a trust anchor that
 * was specified as a trusted {pubkey, caname} pair. Returns false if none
 * of the trust anchors are valid for this cert.
 *
 * @param cert the certificate to test
 * @return a boolean value indicating whether the cert completes the path.
 */
@Override
boolean isPathCompleted(X509Certificate cert) {
    // Anchors are tried in iteration order; the first one that accepts cert
    // is stored in this.trustAnchor and ends the search.
    for (TrustAnchor anchor : trustAnchors) {
        // Case 1: anchor supplied as a certificate. The only way to match is
        // for cert to be equal to that certificate; no name, key or
        // signature comparison is attempted for this kind of anchor.
        if (anchor.getTrustedCert() != null) {
            if (cert.equals(anchor.getTrustedCert())) {
                this.trustAnchor = anchor;
                return true;
            } else {
                continue;
            }
        }
        // Case 2: anchor without a certificate, read as a name/key pair.
        // Both values are treated as possibly null below.
        X500Principal principal = anchor.getCA();
        PublicKey publicKey = anchor.getCAPublicKey();

        // Same subject name AND same public key as the anchor: cert is
        // accepted as the anchor itself, without any signature check.
        if (principal != null && publicKey != null &&
                principal.equals(cert.getSubjectX500Principal())) {
            if (publicKey.equals(cert.getPublicKey())) {
                // the cert itself is a trust anchor
                this.trustAnchor = anchor;
                return true;
            }
            // else, it is a self-issued certificate of the anchor
        }

        // Check subject/issuer name chaining: cert's issuer must equal the
        // anchor's name, otherwise this anchor cannot have issued cert.
        if (principal == null ||
                !principal.equals(cert.getIssuerX500Principal())) {
            continue;
        }

        // skip anchor if it contains a DSA key with no DSA params
        if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
            continue;
        }

        /*
         * Check signature: cert must verify under the anchor's public key,
         * using the provider returned by buildParams.sigProvider().
         */
        try {
            cert.verify(publicKey, buildParams.sigProvider());
        } catch (InvalidKeyException ike) {
            // Key unusable for verification: this anchor is skipped.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() invalid "
                              + "DSA key found");
            }
            continue;
        } catch (GeneralSecurityException e){
            // Any other verification failure also just rejects this anchor;
            // the exception is never propagated. The stack trace is printed
            // only when debug is non-null.
            if (debug != null) {
                debug.println("ForwardBuilder.isPathCompleted() " +
                              "unexpected exception");
                e.printStackTrace();
            }
            continue;
        }

        // Issuer name matched and the signature verified with the anchor key.
        this.trustAnchor = anchor;
        return true;
    }

    // No anchor accepted cert; this.trustAnchor is left untouched.
    return false;
}