Java Code Examples for java.security.cert.X509CertSelector#setCertificateValid()
The following examples show how to use
java.security.cert.X509CertSelector#setCertificateValid() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: X509CertSelectorTest.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 2
Source File: X509CertSelectorTest.java From dragonwell8_jdk with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 3
Source File: X509CertSelectorTest.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 4
Source File: X509CertSelectorTest.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 5
Source File: X509CertSelectorTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 6
Source File: X509CertSelectorTest.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 7
Source File: SparkExceptionsTrustManager.java From Spark with Apache License 2.0 | 5 votes |
/** * Validate certificate path. As it is exception, no checks against revocation or time validity are done but path * still have to be validated in order to find connection between certificate presented by server and root CA in * KeyStore * * @throws NoSuchAlgorithmException * @throws KeyStoreException * @throws InvalidAlgorithmParameterException * @throws CertPathValidatorException * @throws CertPathBuilderException * @throws CertificateException */ private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException { CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(chain[chain.length - 1]); // checks against time validity aren't done here as it exceptions list certSelector.setCertificateValid(null); PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); // no checks against revocation as it is exception parameters.setRevocationEnabled(false); CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath(); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator .validate(certPath, parameters); X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { throw new CertificateException("Certificate path failed"); } else { Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN()); } }
Example 8
Source File: X509CertSelectorTest.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
private void testCertificateValid() { System.out.println("X.509 Certificate Match on certificateValid"); // bad match X509CertSelector selector = new X509CertSelector(); Calendar cal = Calendar.getInstance(); cal.set(1968, 12, 31); selector.setCertificateValid(cal.getTime()); checkMatch(selector, cert, false); // good match selector.setCertificateValid(cert.getNotBefore()); checkMatch(selector, cert, true); }
Example 9
Source File: SparkTrustManager.java From Spark with Apache License 2.0 | 4 votes |
/** * Validate certificate path * * @throws NoSuchAlgorithmException * @throws KeyStoreException * @throws InvalidAlgorithmParameterException * @throws CertPathValidatorException * @throws CertPathBuilderException * @throws CertificateException */ private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException { // PKIX algorithm is defined in rfc3280 CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); // set last certificate (often root CA) from chain for CertSelector so trust store must contain it certSelector.setCertificate(chain[chain.length - 1]); // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[] // chain) certSelector.setCertificateValid(null); // create parameters using trustStore as source of Trust Anchors and using X509CertSelector PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); // will use PKIXRevocationChecker (or nothing if revocation mechanisms are // disabled) instead of the default revocation checker parameters.setRevocationEnabled(false); // if revoked certificates aren't accepted, but no revocation checks then only // certificates from blacklist will be rejected if (acceptRevoked == false) { // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8: // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker(); EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class); // if soft fail isn't enabled then OCSP or CRL must pass validation, in case // when any of them cannot be validated verification will fail, if soft fail // is enabled then in case of network issues revocation checking is omitted if (allowSoftFail) { checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL); } // check OCSP, CRL serve as backup if (checkOCSP && checkCRL) { checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker); } else if (!checkOCSP && checkCRL) { // check only CRL, if CRL fail then there is no fallback to OCSP checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS); checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK); checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker); } } try { CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath(); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator .validate(certPath, parameters); X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { throw new CertificateException("certificate path failed: Trusted CA is NULL"); } // check if all certificates in path have Basic Constraints, only certificate that isn't required to have // this extension is last certificate: root CA for (int i = 0; i < chain.length - 1; i++) { checkBasicConstraints(chain[i]); } } catch (CertificateRevokedException e) { Log.warning("Certificate was revoked", e); for (X509Certificate cert : chain) { for (X509CRL crl : crlCollection) { if (crl.isRevoked(cert)) { try { addToBlackList(cert); } catch (IOException | HeadlessException | InvalidNameException e1) { Log.error("Couldn't move to the blacklist", e1); } break; } } } throw new CertificateException("Certificate was revoked"); } }
Example 10
Source File: ReverseBuilder.java From j2objc with Apache License 2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 11
Source File: ReverseBuilder.java From j2objc with Apache License 2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 12
Source File: ReverseBuilder.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 13
Source File: ReverseBuilder.java From jdk8u-jdk with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 14
Source File: ReverseBuilder.java From jdk8u-jdk with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 15
Source File: ReverseBuilder.java From openjdk-8 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 16
Source File: ReverseBuilder.java From openjdk-8 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 17
Source File: ReverseBuilder.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 18
Source File: ReverseBuilder.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }
Example 19
Source File: ReverseBuilder.java From jdk8u60 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingCACerts (ReverseState currentState, List<CertStore> certStores) throws CertificateException, CertStoreException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. */ X509CertSelector sel = new X509CertSelector(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Match on target subject name (checks that current cert's * name constraints permit it to certify target). * (4 is the integer type for DIRECTORY name). */ byte[] subject = targetCertConstraints.getSubjectAsBytes(); if (subject != null) { sel.addPathToName(4, subject); } else { X509Certificate cert = targetCertConstraints.getCertificate(); if (cert != null) { sel.addPathToName(4, cert.getSubjectX500Principal().getEncoded()); } } /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require CA certs */ sel.setBasicConstraints(0); /* Retrieve matching certs from CertStores */ ArrayList<X509Certificate> reverseCerts = new ArrayList<>(); addMatchingCerts(sel, certStores, reverseCerts, true); /* Sort remaining certs using name constraints */ Collections.sort(reverseCerts, new PKIXCertComparator()); if (debug != null) debug.println("ReverseBuilder.getMatchingCACerts got " + reverseCerts.size() + " certs."); return reverseCerts; }
Example 20
Source File: ReverseBuilder.java From jdk8u60 with GNU General Public License v2.0 | 4 votes |
private Collection<X509Certificate> getMatchingEECerts (ReverseState currentState, List<CertStore> certStores) throws CertStoreException, CertificateException, IOException { /* * Compose a CertSelector to filter out * certs which do not satisfy requirements. * * First, retrieve clone of current target cert constraints, and * then add more selection criteria based on current validation state. */ X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone(); /* * Match on issuer (subject of previous cert) */ sel.setIssuer(currentState.subjectDN); /* * Match on certificate validity date. */ sel.setCertificateValid(buildParams.date()); /* * Policy processing optimizations */ if (currentState.explicitPolicy == 0) sel.setPolicy(getMatchingPolicies()); /* * If previous cert has a subject key identifier extension, * use it to match on authority key identifier extension. */ /*if (currentState.subjKeyId != null) { AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), null, null); sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); }*/ /* * Require EE certs */ sel.setBasicConstraints(-2); /* Retrieve matching certs from CertStores */ HashSet<X509Certificate> eeCerts = new HashSet<>(); addMatchingCerts(sel, certStores, eeCerts, true); if (debug != null) { debug.println("ReverseBuilder.getMatchingEECerts got " + eeCerts.size() + " certs."); } return eeCerts; }