Java Code Examples for java.security.cert.X509CertSelector#setBasicConstraints()
The following examples show how to use
java.security.cert.X509CertSelector#setBasicConstraints() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: PathCertificateVerifier.java From oxAuth with MIT License | 5 votes |
/** * Attempts to build a certification chain for given certificate to verify * it. Relies on a set of root CA certificates (trust anchors) and a set of * intermediate certificates (to be used as part of the chain). */ private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException { // Create the selector that specifies the starting certificate X509CertSelector selector = new X509CertSelector(); selector.setBasicConstraints(-2); selector.setCertificate(certificate); // Create the trust anchors (set of root CA certificates) Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); for (X509Certificate trustedRootCert : trustedRootCerts) { trustAnchors.add(new TrustAnchor(trustedRootCert, null)); } // Configure the PKIX certificate builder algorithm parameters PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector); // Turn off default revocation-checking mechanism pkixParams.setRevocationEnabled(false); // Specify a list of intermediate certificates CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)); pkixParams.addCertStore(intermediateCertStore); // Build and verify the certification chain CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams); // Additional check to Verify cert path CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams); return certPathBuilderResult; }
Example 2
Source File: X509CertSelectorTest.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 3
Source File: X509CertSelectorTest.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 4
Source File: BuildEEBasicConstraints.java From openjdk-8-source with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 5
Source File: BuildEEBasicConstraints.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 6
Source File: BuildEEBasicConstraints.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 7
Source File: BuildEEBasicConstraints.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 8
Source File: X509CertSelectorTest.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 9
Source File: BuildEEBasicConstraints.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 10
Source File: X509CertSelectorTest.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 11
Source File: X509CertSelectorTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 12
Source File: BuildEEBasicConstraints.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
Example 13
Source File: X509CertSelectorTest.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
private void testBasicConstraints() { System.out.println("X.509 Certificate Match on basic constraints"); // bad match X509CertSelector selector = new X509CertSelector(); int mpl = cert.getBasicConstraints(); selector.setBasicConstraints(0); checkMatch(selector, cert, false); // good match selector.setBasicConstraints(mpl); checkMatch(selector, cert, true); }
Example 14
Source File: ReverseBuilder.java From openjdk-8 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 15
Source File: ReverseBuilder.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 16
Source File: ReverseBuilder.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 17
Source File: ReverseBuilder.java From j2objc with Apache License 2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 18
Source File: ReverseBuilder.java From jdk8u-jdk with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 19
Source File: ReverseBuilder.java From jdk8u60 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 20
Source File: ReverseBuilder.java From j2objc with Apache License 2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }