java.security.cert.PKIXBuilderParameters Java Examples

private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection",
                                                    new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        pbParams.setRevocationEnabled(enableRevocation);
        CertPath certPath = buildResult.getCertPath();
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @param revocationEnabled Should the JSSE provider perform revocation
 *                          checks? Ignored if {@code crlf} is non-null.
 *                          Configuration of revocation checks are expected
 *                          to be via proprietary JSSE provider methods.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception An error occurred
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
        boolean revocationEnabled) throws Exception {

    PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    if (crlf != null && crlf.length() > 0) {
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
    } else {
        xparams.setRevocationEnabled(revocationEnabled);
    }
    xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return xparams;
}
 

private TrustManagerFactory createTrustManagerFactory(@Nullable final String trustedCertificates)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates != null) {
        final KeyStore keystore = keyStoreFactory.newKeystore();
        final Collection<? extends Certificate> caCerts;
        final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
        caCerts = X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
        long cnt = 0;
        for (final Certificate caCert : caCerts) {
            keystore.setCertificateEntry("ca-" + cnt++, caCert);
        }
        trustManagerFactory.init(keystore);
    } else {
        // standard CAs; add revocation check
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
    }
    return trustManagerFactory;
}
 

/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlFilename The path to the CRL file.
 * @param maxCertificateChainLength Optional maximum cert chain length.
 * @param trustStore The configured TrustStore.
 *
 * @return The parameters including the TrustStore and any CRLs.
 *
 * @throws InvalidAlgorithmParameterException
 * @throws KeyStoreException
 * @throws IOException
 * @throws CertificateException
 * @throws CRLException
 * @throws NoSuchAlgorithmException
 */
protected static CertPathParameters getParameters(String algorithm,
                                                  String crlFilename,
                                                  Integer maxCertificateChainLength,
                                                  KeyStore trustStore)
    throws KeyStoreException, InvalidAlgorithmParameterException, CRLException, CertificateException, IOException, NoSuchAlgorithmException
{
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlFilename);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);

        if(maxCertificateChainLength != null)
            xparams.setMaxPathLength(maxCertificateChainLength.intValue());

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    return params;
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static void validateTrustChain(X509Certificate certificate,
                                      List<X509Certificate> chain,
                                      Set<X509Certificate> trustedCertificates,
                                      Set<X509Certificate> authorityCertificates) throws UaException {

    boolean certificateTrusted = trustedCertificates.stream()
            .anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));

    if (certificateTrusted) return;

    try {
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        authorityCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        params.setRevocationEnabled(false);

        CertStore intermediateCertStore =
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain));

        params.addCertStore(intermediateCertStore);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
    } catch (Throwable t) {
        throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
    }
}
 

public static void createParams() throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile("sun.cer"), null);
    Set anchors = Collections.singleton(anchor);
    // Create odd CertSelector
    sel = new OddSel();
    params = new PKIXBuilderParameters(anchors, sel);
    params.setRevocationEnabled(false);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation)
    throws GeneralSecurityException,
           IOException {

    final KeyStore keyStore =
        tmc.isSetKeyStore()
            ? getKeyStore(tmc.getKeyStore(), true)
            : (tmc.isSetCertStore()
                ? getKeyStore(tmc.getCertStore())
                : null);

    String alg = tmc.isSetFactoryAlgorithm()
                 ? tmc.getFactoryAlgorithm()
                 : TrustManagerFactory.getDefaultAlgorithm();

    TrustManagerFactory fac =
                 tmc.isSetProvider()
                 ? TrustManagerFactory.getInstance(alg, tmc.getProvider())
                 : TrustManagerFactory.getInstance(alg);

    if (enableRevocation) {
        PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);

        fac.init(new CertPathTrustManagerParameters(param));
    } else {
        fac.init(keyStore);
    }

    return fac.getTrustManagers();
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
 * other validation methods.
 *
 * The first certificate in the chain is expected to be the end-entity certificate.
 *
 * The last certificate in the chain is expected to be the root CA certificate.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain( X509Certificate[] chain ) throws Exception
{
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate( chain[0] );

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    trustAnchors.add(new TrustAnchor(chain[ chain.length - 1], null));

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
            trustAnchors, selector);

    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i=1; i<chain.length -1; i++)
    {
        intermediateCerts.add( chain[ i ] );
    }

    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder
            .build(pkixParams);

    return result;
}
 

private void createSSLEngines() throws Exception {
    // Initialize the KeyManager and TrustManager for the server
    KeyManagerFactory servKmf = KeyManagerFactory.getInstance("PKIX");
    servKmf.init(serverKeystore, passwd.toCharArray());
    TrustManagerFactory servTmf =
            TrustManagerFactory.getInstance("PKIX");
    servTmf.init(trustStore);

    // Initialize the TrustManager for the client with revocation checking
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore,
            new X509CertSelector());
    pkixParams.setRevocationEnabled(true);
    ManagerFactoryParameters mfp =
            new CertPathTrustManagerParameters(pkixParams);
    TrustManagerFactory cliTmf =
            TrustManagerFactory.getInstance("PKIX");
    cliTmf.init(mfp);

    // Create the SSLContexts from the factories
    SSLContext servCtx = SSLContext.getInstance("TLS");
    servCtx.init(servKmf.getKeyManagers(), servTmf.getTrustManagers(),
            null);
    SSLContext cliCtx = SSLContext.getInstance("TLS");
    cliCtx.init(null, cliTmf.getTrustManagers(), null);


    /*
     * Configure the serverEngine to act as a server in the SSL/TLS
     * handshake.
     */
    serverEngine = servCtx.createSSLEngine();
    serverEngine.setUseClientMode(false);
    serverEngine.setNeedClientAuth(false);

    /*
     * Similar to above, but using client mode instead.
     */
    clientEngine = cliCtx.createSSLEngine("client", 80);
    clientEngine.setUseClientMode(true);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 

public static void createParams() throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile("sun.cer"), null);
    Set anchors = Collections.singleton(anchor);
    // Create odd CertSelector
    sel = new OddSel();
    params = new PKIXBuilderParameters(anchors, sel);
    params.setRevocationEnabled(false);
}
 

private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 

public PKIXExtendedParameters(PKIXBuilderParameters params,
        Timestamp timestamp, String variant)
        throws InvalidAlgorithmParameterException {
    super(params.getTrustAnchors(), null);
    p = params;
    jarTimestamp = timestamp;
    this.variant = variant;
}
 

public PKIXExtendedParameters(PKIXBuilderParameters params,
        Timestamp timestamp, String variant)
        throws InvalidAlgorithmParameterException {
    super(params.getTrustAnchors(), null);
    p = params;
    jarTimestamp = timestamp;
    this.variant = variant;
}
 

/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor
        (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters
        (Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp =
        new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
 

/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}