Class PKIXCertPathReviewer


  • public class PKIXCertPathReviewer
    extends java.lang.Object
    Validation of X.509 Certificate Paths. Tries to find as many errors in the Path as possible.
    • Constructor Summary

      Constructors 
      Constructor Description
      PKIXCertPathReviewer()
      Creates an empty PKIXCertPathReviewer.
      PKIXCertPathReviewer​(java.security.cert.CertPath certPath, java.security.cert.PKIXParameters params)
      Creates a PKIXCertPathReviewer and initializes it with the given CertPath and PKIXParameters params
    • Method Summary

      Modifier and Type Method Description
      protected void addError​(ErrorBundle msg)  
      protected void addError​(ErrorBundle msg, int index)  
      protected void addNotification​(ErrorBundle msg)  
      protected void addNotification​(ErrorBundle msg, int index)  
      protected void checkCRLs​(java.security.cert.PKIXParameters paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.Vector crlDistPointUrls, int index)  
      protected void checkRevocation​(java.security.cert.PKIXParameters paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.Vector crlDistPointUrls, java.util.Vector ocspUrls, int index)  
      protected void doChecks()  
      protected static java.util.Collection findCertificates​(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores)  
      protected static java.util.Collection findCertificates​(org.bouncycastle.pkix.jcajce.X509CertStoreSelector certSelect, java.util.List certStores)
      Return a Collection of all certificates or attribute certificates found in the X509Stores that match the certSelect criteria.
      protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier​(java.security.PublicKey key)  
      java.security.cert.CertPath getCertPath()  
      int getCertPathSize()  
      protected static void getCertStatus​(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, org.bouncycastle.pkix.jcajce.CertStatus certStatus)  
      protected java.util.Vector getCRLDistUrls​(org.bouncycastle.asn1.x509.CRLDistPoint crlDistPoints)  
      protected static javax.security.auth.x500.X500Principal getEncodedIssuerPrincipal​(java.lang.Object cert)
      Returns the issuer of an attribute certificate or certificate.
      java.util.List[] getErrors()
      Returns an Array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path.
      java.util.List getErrors​(int index)
      Returns a List of error messages for the certificate at the given index in the CertPath.
      protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue​(java.security.cert.X509Extension ext, java.lang.String oid)
      Extract the value of the given extension, if it exists.
      protected static javax.security.auth.x500.X500Principal getIssuerPrincipal​(java.security.cert.X509CRL crl)  
      protected static java.security.PublicKey getNextWorkingKey​(java.util.List certs, int index)
      Return the next working key inheriting DSA parameters if necessary.
      java.util.List[] getNotifications()
      Returns an Array of Lists which contains a List of global notification messages and a List of notification messages for each certificate in the path.
      java.util.List getNotifications​(int index)
      Returns a List of notification messages for the certificate at the given index in the CertPath.
      protected java.util.Vector getOCSPUrls​(org.bouncycastle.asn1.x509.AuthorityInformationAccess authInfoAccess)  
      java.security.cert.PolicyNode getPolicyTree()  
      protected static java.util.Set getQualifierSet​(org.bouncycastle.asn1.ASN1Sequence qualifiers)  
      protected static javax.security.auth.x500.X500Principal getSubjectPrincipal​(java.security.cert.X509Certificate cert)  
      java.security.PublicKey getSubjectPublicKey()  
      java.security.cert.TrustAnchor getTrustAnchor()  
      protected java.util.Collection getTrustAnchors​(java.security.cert.X509Certificate cert, java.util.Set trustanchors)  
      protected static java.util.Date getValidDate​(java.security.cert.PKIXParameters paramsPKIX)  
      protected static java.util.Date getValidityDate​(java.security.cert.PKIXParameters paramsPKIX, java.util.Date currentDate)  
      void init​(java.security.cert.CertPath certPath, java.security.cert.PKIXParameters params)
      Initializes the PKIXCertPathReviewer with the given CertPath and PKIXParameters params
      protected static boolean isAnyPolicy​(java.util.Set policySet)  
      protected static boolean isSelfIssued​(java.security.cert.X509Certificate cert)  
      boolean isValidCertPath()  
      protected static void prepareNextCertB1​(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert)  
      protected static PKIXPolicyNode prepareNextCertB2​(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)  
      protected static boolean processCertD1i​(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)  
      protected static void processCertD1ii​(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)  
      protected static PKIXPolicyNode removePolicyNode​(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)  
      protected static void verifyX509Certificate​(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • certPath

        protected java.security.cert.CertPath certPath
      • pkixParams

        protected java.security.cert.PKIXParameters pkixParams
      • currentDate

        protected java.util.Date currentDate
      • validDate

        protected java.util.Date validDate
      • certs

        protected java.util.List certs
      • n

        protected int n
      • notifications

        protected java.util.List[] notifications
      • errors

        protected java.util.List[] errors
      • trustAnchor

        protected java.security.cert.TrustAnchor trustAnchor
      • subjectPublicKey

        protected java.security.PublicKey subjectPublicKey
      • policyTree

        protected java.security.cert.PolicyNode policyTree
      • CERTIFICATE_POLICIES

        protected static final java.lang.String CERTIFICATE_POLICIES
      • BASIC_CONSTRAINTS

        protected static final java.lang.String BASIC_CONSTRAINTS
      • POLICY_MAPPINGS

        protected static final java.lang.String POLICY_MAPPINGS
      • SUBJECT_ALTERNATIVE_NAME

        protected static final java.lang.String SUBJECT_ALTERNATIVE_NAME
      • NAME_CONSTRAINTS

        protected static final java.lang.String NAME_CONSTRAINTS
      • KEY_USAGE

        protected static final java.lang.String KEY_USAGE
      • INHIBIT_ANY_POLICY

        protected static final java.lang.String INHIBIT_ANY_POLICY
      • ISSUING_DISTRIBUTION_POINT

        protected static final java.lang.String ISSUING_DISTRIBUTION_POINT
      • DELTA_CRL_INDICATOR

        protected static final java.lang.String DELTA_CRL_INDICATOR
      • POLICY_CONSTRAINTS

        protected static final java.lang.String POLICY_CONSTRAINTS
      • FRESHEST_CRL

        protected static final java.lang.String FRESHEST_CRL
      • CRL_DISTRIBUTION_POINTS

        protected static final java.lang.String CRL_DISTRIBUTION_POINTS
      • AUTHORITY_KEY_IDENTIFIER

        protected static final java.lang.String AUTHORITY_KEY_IDENTIFIER
      • CRL_NUMBER

        protected static final java.lang.String CRL_NUMBER
      • crlReasons

        protected static final java.lang.String[] crlReasons
    • Constructor Detail

      • PKIXCertPathReviewer

        public PKIXCertPathReviewer​(java.security.cert.CertPath certPath,
                                    java.security.cert.PKIXParameters params)
                             throws CertPathReviewerException
        Creates a PKIXCertPathReviewer and initializes it with the given CertPath and PKIXParameters params
        Parameters:
        certPath - the CertPath to validate
        params - the PKIXParameters to use
        Throws:
        CertPathReviewerException - if the certPath is empty
      • PKIXCertPathReviewer

        public PKIXCertPathReviewer()
        Creates an empty PKIXCertPathReviewer. Don't forget to call init() to initialize the object.
    • Method Detail

      • init

        public void init​(java.security.cert.CertPath certPath,
                         java.security.cert.PKIXParameters params)
                  throws CertPathReviewerException
        Initializes the PKIXCertPathReviewer with the given CertPath and PKIXParameters params
        Parameters:
        certPath - the CertPath to validate
        params - the PKIXParameters to use
        Throws:
        CertPathReviewerException - if the certPath is empty
        java.lang.IllegalStateException - if the PKIXCertPathReviewer is already initialized
      • getCertPath

        public java.security.cert.CertPath getCertPath()
        Returns:
        the CertPath that was validated
      • getCertPathSize

        public int getCertPathSize()
        Returns:
        the size of the CertPath
      • getErrors

        public java.util.List[] getErrors()
        Returns an Array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path. The global error List is at index 0. The error lists for each certificate are at index 1 to n. The error messages are of type.
        Returns:
        the Array of Lists which contain the error messages
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • getErrors

        public java.util.List getErrors​(int index)
        Returns a List of error messages for the certificate at the given index in the CertPath. If index == -1 then the list of global errors is returned, i.e. the errors not specific to a certificate.
        Parameters:
        index - the index of the certificate in the CertPath
        Returns:
        List of error messages for the certificate
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • getNotifications

        public java.util.List[] getNotifications()
        Returns an Array of Lists which contains a List of global notification messages and a List of notification messages for each certificate in the path. The global notification List is at index 0. The notification lists for each certificate are at index 1 to n. The notification messages are of type.
        Returns:
        the Array of Lists which contain the notification messages
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • getNotifications

        public java.util.List getNotifications​(int index)
        Returns a List of notification messages for the certificate at the given index in the CertPath. If index == -1 then the list of global notifications is returned, i.e. the notifications not specific to a certificate.
        Parameters:
        index - the index of the certificate in the CertPath
        Returns:
        List of notification messages for the certificate
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
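The following added example (not part of the Bouncy Castle documentation) shows how the constructor, getCertPathSize, getErrors(int), getNotifications(int), getTrustAnchor and isValidCertPath fit together, using the index convention documented above (-1 for global findings, 0 to n-1 for the certificate at that position in the path, leaf first). It assumes the class lives in org.bouncycastle.x509 and that ErrorBundle is org.bouncycastle.i18n.ErrorBundle with a getText(Locale) method; the chain and the root CA are read from PEM or DER files named on the command line because no certificates are embedded.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.bouncycastle.i18n.ErrorBundle;           // assumed package of ErrorBundle
import org.bouncycastle.x509.PKIXCertPathReviewer;  // assumed package of the reviewer

public final class CertPathReviewDemo {

    /** Loads one X.509 certificate (PEM or DER) from disk. */
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Reviews the path and prints every finding next to the certificate it belongs to.
     * chain must be ordered leaf first (index 0 = end-entity), as CertPath expects;
     * the trust anchor itself is not part of the path.
     */
    static boolean review(List<X509Certificate> chain, X509Certificate rootCa,
                          boolean revocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(rootCa, null)));
        params.setRevocationEnabled(revocation); // CRL/OCSP fetching needs network access

        // The constructor runs all checks and, unlike CertPathValidator, does not stop
        // at the first problem, so the lists below may hold several findings per cert.
        PKIXCertPathReviewer reviewer = new PKIXCertPathReviewer(path, params);

        // index -1 = findings not tied to one certificate; 0..n-1 = certificate at that path index
        for (int i = -1; i < reviewer.getCertPathSize(); i++) {
            String where = (i < 0) ? "global"
                    : "cert " + i + " <" + chain.get(i).getSubjectX500Principal() + ">";
            for (Object o : reviewer.getErrors(i)) {
                System.out.println("ERROR  [" + where + "] " + ((ErrorBundle) o).getText(Locale.ENGLISH));
            }
            for (Object o : reviewer.getNotifications(i)) {
                System.out.println("NOTICE [" + where + "] " + ((ErrorBundle) o).getText(Locale.ENGLISH));
            }
        }
        TrustAnchor anchor = reviewer.getTrustAnchor();
        System.out.println("trust anchor: " + (anchor == null
                ? "none found" : anchor.getTrustedCert().getSubjectX500Principal()));
        return reviewer.isValidCertPath();
    }

    /** Usage: java CertPathReviewDemo root.pem leaf.pem [intermediate.pem ...] */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = load(cf, args[0]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            chain.add(load(cf, args[i]));
        }
        boolean ok = review(chain, root, false);
        System.out.println(ok ? "path is valid" : "path is NOT valid");
        System.exit(ok ? 0 : 1);
    }
}
```

Because the constructor throws CertPathReviewerException for an empty path, at least one certificate after the root must be given. Reviewing with revocation disabled is useful for diagnosing why a chain is rejected (expiry, name constraints, policy, key usage), but a production trust decision should keep revocation enabled and rely on isValidCertPath rather than on an empty error list alone.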
      • getPolicyTree

        public java.security.cert.PolicyNode getPolicyTree()
        Returns:
        the valid policy tree, null if no valid policy exists.
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • getSubjectPublicKey

        public java.security.PublicKey getSubjectPublicKey()
        Returns:
        the PublicKey of the last certificate in the CertPath
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • getTrustAnchor

        public java.security.cert.TrustAnchor getTrustAnchor()
        Returns:
        the TrustAnchor for the CertPath, null if no valid TrustAnchor was found.
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • isValidCertPath

        public boolean isValidCertPath()
        Returns:
        true if the CertPath is valid
        Throws:
        java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized
      • addNotification

        protected void addNotification​(ErrorBundle msg)
      • addNotification

        protected void addNotification​(ErrorBundle msg,
                                       int index)
      • addError

        protected void addError​(ErrorBundle msg)
      • addError

        protected void addError​(ErrorBundle msg,
                                int index)
      • doChecks

        protected void doChecks()
      • checkRevocation

        protected void checkRevocation​(java.security.cert.PKIXParameters paramsPKIX,
                                       java.security.cert.X509Certificate cert,
                                       java.util.Date validDate,
                                       java.security.cert.X509Certificate sign,
                                       java.security.PublicKey workingPublicKey,
                                       java.util.Vector crlDistPointUrls,
                                       java.util.Vector ocspUrls,
                                       int index)
                                throws CertPathReviewerException
        Throws:
        CertPathReviewerException
      • checkCRLs

        protected void checkCRLs​(java.security.cert.PKIXParameters paramsPKIX,
                                 java.security.cert.X509Certificate cert,
                                 java.util.Date validDate,
                                 java.security.cert.X509Certificate sign,
                                 java.security.PublicKey workingPublicKey,
                                 java.util.Vector crlDistPointUrls,
                                 int index)
                          throws CertPathReviewerException
        Throws:
        CertPathReviewerException
      • getCRLDistUrls

        protected java.util.Vector getCRLDistUrls​(org.bouncycastle.asn1.x509.CRLDistPoint crlDistPoints)
      • getOCSPUrls

        protected java.util.Vector getOCSPUrls​(org.bouncycastle.asn1.x509.AuthorityInformationAccess authInfoAccess)
      • getEncodedIssuerPrincipal

        protected static javax.security.auth.x500.X500Principal getEncodedIssuerPrincipal​(java.lang.Object cert)
        Returns the issuer of an attribute certificate or certificate.
        Parameters:
        cert - The attribute certificate or certificate.
        Returns:
        The issuer as X500Principal.
      • getValidDate

        protected static java.util.Date getValidDate​(java.security.cert.PKIXParameters paramsPKIX)
      • getSubjectPrincipal

        protected static javax.security.auth.x500.X500Principal getSubjectPrincipal​(java.security.cert.X509Certificate cert)
      • isSelfIssued

        protected static boolean isSelfIssued​(java.security.cert.X509Certificate cert)
      • getExtensionValue

        protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue​(java.security.cert.X509Extension ext,
                                                                               java.lang.String oid)
                                                                        throws org.bouncycastle.pkix.jcajce.AnnotatedException
        Extract the value of the given extension, if it exists.
        Parameters:
        ext - The extension object.
        oid - The object identifier to obtain.
        Throws:
        org.bouncycastle.pkix.jcajce.AnnotatedException - if the extension cannot be read.
      • getIssuerPrincipal

        protected static javax.security.auth.x500.X500Principal getIssuerPrincipal​(java.security.cert.X509CRL crl)
      • getAlgorithmIdentifier

        protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier​(java.security.PublicKey key)
                                                                                        throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • getQualifierSet

        protected static final java.util.Set getQualifierSet​(org.bouncycastle.asn1.ASN1Sequence qualifiers)
                                                      throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException
      • processCertD1i

        protected static boolean processCertD1i​(int index,
                                                java.util.List[] policyNodes,
                                                org.bouncycastle.asn1.ASN1ObjectIdentifier pOid,
                                                java.util.Set pq)
      • processCertD1ii

        protected static void processCertD1ii​(int index,
                                              java.util.List[] policyNodes,
                                              org.bouncycastle.asn1.ASN1ObjectIdentifier _poid,
                                              java.util.Set _pq)
      • prepareNextCertB1

        protected static void prepareNextCertB1​(int i,
                                                java.util.List[] policyNodes,
                                                java.lang.String id_p,
                                                java.util.Map m_idp,
                                                java.security.cert.X509Certificate cert)
                                         throws org.bouncycastle.pkix.jcajce.AnnotatedException,
                                                java.security.cert.CertPathValidatorException
        Throws:
        org.bouncycastle.pkix.jcajce.AnnotatedException
        java.security.cert.CertPathValidatorException
      • prepareNextCertB2

        protected static PKIXPolicyNode prepareNextCertB2​(int i,
                                                          java.util.List[] policyNodes,
                                                          java.lang.String id_p,
                                                          PKIXPolicyNode validPolicyTree)
      • isAnyPolicy

        protected static boolean isAnyPolicy​(java.util.Set policySet)
      • findCertificates

        protected static java.util.Collection findCertificates​(org.bouncycastle.pkix.jcajce.X509CertStoreSelector certSelect,
                                                               java.util.List certStores)
                                                        throws org.bouncycastle.pkix.jcajce.AnnotatedException
        Return a Collection of all certificates or attribute certificates found in the X509Stores that match the certSelect criteria.
        Parameters:
        certSelect - a Selector object that will be used to select the certificates
        certStores - a List containing only Store objects. These are used to search for certificates.
        Returns:
        a Collection of all X509Certificates found. May be empty but never null.
        Throws:
        org.bouncycastle.pkix.jcajce.AnnotatedException
      • findCertificates

        protected static java.util.Collection findCertificates​(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect,
                                                               java.util.List certStores)
                                                        throws org.bouncycastle.pkix.jcajce.AnnotatedException
        Throws:
        org.bouncycastle.pkix.jcajce.AnnotatedException
      • getCertStatus

        protected static void getCertStatus​(java.util.Date validDate,
                                            java.security.cert.X509CRL crl,
                                            java.lang.Object cert,
                                            org.bouncycastle.pkix.jcajce.CertStatus certStatus)
                                     throws org.bouncycastle.pkix.jcajce.AnnotatedException
        Throws:
        org.bouncycastle.pkix.jcajce.AnnotatedException
      • getNextWorkingKey

        protected static java.security.PublicKey getNextWorkingKey​(java.util.List certs,
                                                                   int index)
                                                            throws java.security.cert.CertPathValidatorException
        Return the next working key inheriting DSA parameters if necessary.

        This method inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and the previous (issuing) certificates follow it.

        If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is likewise returned unchanged.

        Parameters:
        certs - The certification path.
        index - The index of the certificate which contains the public key which should be extended with DSA parameters.
        Returns:
        The public key of the certificate in list position index extended with DSA parameters if applicable.
        Throws:
        java.security.cert.CertPathValidatorException - if DSA parameters cannot be inherited.
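As an added illustration of the inheritance rule described above (my own plain-JCA code, not Bouncy Castle's implementation), the following method rebuilds a parameter-less DSA public key from the nearest issuer key above it in the list that carries DSA domain parameters, following the contract documented for getNextWorkingKey: non-DSA keys and DSA keys that already have parameters are returned as they are, and a CertPathValidatorException is thrown when no parameters can be inherited. The helper name inheritDsaParameters is an assumption.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.util.List;

public final class DsaParameterInheritance {

    /**
     * Returns the public key of certs.get(index), completed with DSA domain parameters
     * (p, q, g) taken from the nearest issuer key above it when the key omits them.
     * certs is leaf-first: index 0 is the end-entity, higher indices are closer to the anchor.
     */
    static PublicKey inheritDsaParameters(List<X509Certificate> certs, int index)
            throws CertPathValidatorException {
        PublicKey key = certs.get(index).getPublicKey();

        // Not DSA, or DSA with parameters already present: nothing to inherit.
        if (!(key instanceof DSAPublicKey) || ((DSAPublicKey) key).getParams() != null) {
            return key;
        }
        DSAPublicKey bare = (DSAPublicKey) key;

        // Walk toward the trust anchor looking for an issuer DSA key that carries parameters.
        for (int i = index + 1; i < certs.size(); i++) {
            PublicKey issuerKey = certs.get(i).getPublicKey();
            if (!(issuerKey instanceof DSAPublicKey)) {
                // RFC 5280 section 6.1.4 only inherits parameters from an issuer key of the
                // same algorithm; a different algorithm in between ends the search.
                throw new CertPathValidatorException(
                        "DSA parameters cannot be inherited: issuer key at index " + i + " is not DSA");
            }
            DSAParams params = ((DSAPublicKey) issuerKey).getParams();
            if (params == null) {
                continue; // this issuer key inherits as well; keep climbing
            }
            try {
                DSAPublicKeySpec spec = new DSAPublicKeySpec(
                        bare.getY(), params.getP(), params.getQ(), params.getG());
                return KeyFactory.getInstance("DSA").generatePublic(spec);
            } catch (GeneralSecurityException e) {
                throw new CertPathValidatorException(
                        "cannot rebuild DSA key with inherited parameters", e);
            }
        }
        throw new CertPathValidatorException(
                "DSA parameters cannot be inherited: no DSA issuer key with parameters above index " + index);
    }
}
```

The result is the "working public key" used to verify the signature on the certificate below it; a key returned without parameters would make that verification fail, which is why the reviewer reports the missing parameters as a path error rather than silently skipping the signature check.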
      • verifyX509Certificate

        protected static void verifyX509Certificate​(java.security.cert.X509Certificate cert,
                                                    java.security.PublicKey publicKey,
                                                    java.lang.String sigProvider)
                                             throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • getValidityDate

        protected static java.util.Date getValidityDate​(java.security.cert.PKIXParameters paramsPKIX,
                                                        java.util.Date currentDate)