Java 类java.security.cert.CertPathValidatorException 实例源码
项目:openjdk-jdk10
文件:HttpsUrlConnClient.java
/**
* Checks a validation failure to see if it failed for the reason we think
* it should. This comes in as an SSLException of some sort, but it
* encapsulates a ValidatorException which in turn encapsulates the
* CertPathValidatorException we are interested in.
*
* @param e the exception thrown at the top level
* @param reason the underlying CertPathValidatorException BasicReason
* we are expecting it to have.
*
* @return true if the reason matches up, false otherwise.
*/
static boolean checkClientValidationFailure(Exception e,
BasicReason reason) {
boolean result = false;
if (e instanceof SSLException) {
Throwable valExc = e.getCause();
if (valExc instanceof sun.security.validator.ValidatorException) {
Throwable cause = valExc.getCause();
if (cause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)cause;
if (cpve.getReason() == reason) {
result = true;
}
}
}
}
return result;
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static void processCertF(
CertPath certPath,
int index,
PKIXPolicyNode validPolicyTree,
int explicitPolicy)
throws CertPathValidatorException
{
//
// (f)
//
if (explicitPolicy <= 0 && validPolicyTree == null)
{
throw new ExtCertPathValidatorException("No valid policy tree found when one expected.", null, certPath,
index);
}
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static int prepareNextCertL(
CertPath certPath,
int index,
int maxPathLength)
throws CertPathValidatorException
{
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate)certs.get(index);
//
// (l)
//
if (!CertPathValidatorUtilities.isSelfIssued(cert))
{
if (maxPathLength <= 0)
{
throw new ExtCertPathValidatorException("Max path length not greater than zero", null, certPath, index);
}
return maxPathLength - 1;
}
return maxPathLength;
}
项目:verify-hub
文件:ConfigServiceKeyStoreTest.java
@Test
public void getVerificationKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
final CertificateDto certOneDto = getX509Certificate(STUB_IDP_ONE);
when(certificatesConfigProxy.getSignatureVerificationCertificates(issuerId)).thenReturn(of(certOneDto));
when(x509CertificateFactory.createCertificate(certOneDto.getCertificate())).thenReturn(x509Certificate);
when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
CertPathValidatorException underlyingException = new CertPathValidatorException("Invalid Certificate");
when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(underlyingException));
try {
configServiceKeyStore.getVerifyingKeysForEntity(issuerId);
Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
} catch (CertificateChainValidationException success) {
assertThat(success.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
assertThat(success.getCause()).isEqualTo(underlyingException);
}
}
项目:verify-hub
文件:ConfigServiceKeyStoreTest.java
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
final CertificateDto certOneDto = getX509Certificate(STUB_IDP_ONE);
when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(certOneDto);
when(x509CertificateFactory.createCertificate(certOneDto.getCertificate())).thenReturn(x509Certificate);
when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
CertPathValidatorException underlyingException = new CertPathValidatorException("Invalid Certificate");
when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(underlyingException));
try {
configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
} catch (CertificateChainValidationException success) {
assertThat(success.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
assertThat(success.getCause()).isEqualTo(underlyingException);
}
}
项目:verify-hub
文件:ConfigServiceKeyStoreTest.java
@Test
public void getVerificationKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
final CertificateDto certOneDto = getX509Certificate(IDP_ENTITY_ID);
when(certificatesConfigProxy.getSignatureVerificationCertificates(issuerId)).thenReturn(of(certOneDto));
when(x509CertificateFactory.createCertificate(certOneDto.getCertificate())).thenReturn(x509Certificate);
when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
CertPathValidatorException underlyingException = new CertPathValidatorException("Invalid Certificate");
when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(underlyingException));
try {
configServiceKeyStore.getVerifyingKeysForEntity(issuerId);
Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
} catch (CertificateChainValidationException success) {
assertThat(success.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
assertThat(success.getCause()).isEqualTo(underlyingException);
}
}
项目:verify-hub
文件:ConfigServiceKeyStoreTest.java
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
final CertificateDto certOneDto = getX509Certificate(IDP_ENTITY_ID);
when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(certOneDto);
when(x509CertificateFactory.createCertificate(certOneDto.getCertificate())).thenReturn(x509Certificate);
when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
CertPathValidatorException underlyingException = new CertPathValidatorException("Invalid Certificate");
when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(underlyingException));
try {
configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
} catch (CertificateChainValidationException success) {
assertThat(success.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
assertThat(success.getCause()).isEqualTo(underlyingException);
}
}
项目:verify-hub
文件:ConfigServiceKeyStoreTest.java
@Test
public void getEncryptionKeyForEntity_shouldThrowExceptionIfCertificateIsInvalid() throws Exception {
final CertificateDto certOneDto = buildCertificateDto(IDP_ENTITY_ID, idpSigningCertPrimary);
when(certificatesConfigProxy.getEncryptionCertificate(issuerId)).thenReturn(certOneDto);
when(x509CertificateFactory.createCertificate(certOneDto.getCertificate())).thenReturn(x509Certificate);
when(trustStoreForCertificateProvider.getTrustStoreFor(any(FederationEntityType.class))).thenReturn(trustStore);
CertPathValidatorException underlyingException = new CertPathValidatorException("Invalid Certificate");
when(certificateChainValidator.validate(x509Certificate, trustStore)).thenReturn(invalid(underlyingException));
try {
configServiceKeyStore.getEncryptionKeyForEntity(issuerId);
Assert.fail(String.format("Expected [%s]", CertificateChainValidationException.class.getSimpleName()));
} catch (CertificateChainValidationException success) {
assertThat(success.getMessage()).isEqualTo("Certificate is not valid: Unable to get DN");
assertThat(success.getCause()).isEqualTo(underlyingException);
}
}
项目:OpenJSharp
文件:OCSP.java
/**
* Obtains the revocation status of a certificate using OCSP using the most
* common defaults. The OCSP responder URI is retrieved from the
* certificate's AIA extension. The OCSP responder certificate is assumed
* to be the issuer's certificate (or issued by the issuer CA).
*
* @param cert the certificate to be checked
* @param issuerCert the issuer certificate
* @return the RevocationStatus
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert)
throws IOException, CertPathValidatorException {
CertId certId = null;
URI responderURI = null;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
responderURI = getResponderURI(certImpl);
if (responderURI == null) {
throw new CertPathValidatorException
("No OCSP Responder URI in certificate");
}
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
} catch (CertificateException | IOException e) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, null, null,
Collections.<Extension>emptyList());
return (RevocationStatus)ocspResponse.getSingleResponse(certId);
}
项目:OpenJSharp
文件:UntrustedChecker.java
@Override
public void check(Certificate cert,
Collection<String> unresolvedCritExts)
throws CertPathValidatorException {
X509Certificate currCert = (X509Certificate)cert;
if (UntrustedCertificates.isUntrusted(currCert)) {
if (debug != null) {
debug.println("UntrustedChecker: untrusted certificate " +
currCert.getSubjectX500Principal());
}
throw new CertPathValidatorException(
"Untrusted certificate: " + currCert.getSubjectX500Principal());
}
}
项目:OpenJSharp
文件:ConstraintsChecker.java
/**
* Performs the basic constraints and name constraints
* checks on the certificate using its internal state.
*
* @param cert the <code>Certificate</code> to be checked
* @param unresCritExts a <code>Collection</code> of OID strings
* representing the current set of unresolved critical extensions
* @throws CertPathValidatorException if the specified certificate
* does not pass the check
*/
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
throws CertPathValidatorException
{
X509Certificate currCert = (X509Certificate)cert;
i++;
// MUST run NC check second, since it depends on BC check to
// update remainingCerts
checkBasicConstraints(currCert);
verifyNameConstraints(currCert);
if (unresCritExts != null && !unresCritExts.isEmpty()) {
unresCritExts.remove(BasicConstraints_Id.toString());
unresCritExts.remove(NameConstraints_Id.toString());
}
}
项目:openjdk-jdk10
文件:ConstraintsChecker.java
/**
* Performs the basic constraints and name constraints
* checks on the certificate using its internal state.
*
* @param cert the <code>Certificate</code> to be checked
* @param unresCritExts a <code>Collection</code> of OID strings
* representing the current set of unresolved critical extensions
* @throws CertPathValidatorException if the specified certificate
* does not pass the check
*/
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
throws CertPathValidatorException
{
X509Certificate currCert = (X509Certificate)cert;
i++;
// MUST run NC check second, since it depends on BC check to
// update remainingCerts
checkBasicConstraints(currCert);
verifyNameConstraints(currCert);
if (unresCritExts != null && !unresCritExts.isEmpty()) {
unresCritExts.remove(BasicConstraints_Id.toString());
unresCritExts.remove(NameConstraints_Id.toString());
}
}
项目:OpenJSharp
文件:BasicChecker.java
/**
* Internal method to manage state information at each iteration
*/
private void updateState(X509Certificate currCert)
throws CertPathValidatorException
{
PublicKey cKey = currCert.getPublicKey();
if (debug != null) {
debug.println("BasicChecker.updateState issuer: " +
currCert.getIssuerX500Principal().toString() + "; subject: " +
currCert.getSubjectX500Principal() + "; serial#: " +
currCert.getSerialNumber().toString());
}
if (PKIX.isDSAPublicKeyWithoutParams(cKey)) {
// cKey needs to inherit DSA parameters from prev key
cKey = makeInheritedParamsKey(cKey, prevPubKey);
if (debug != null) debug.println("BasicChecker.updateState Made " +
"key with inherited params");
}
prevPubKey = cKey;
prevSubject = currCert.getSubjectX500Principal();
}
项目:OpenJSharp
文件:BasicChecker.java
/**
* Internal method to create a new key with inherited key parameters.
*
* @param keyValueKey key from which to obtain key value
* @param keyParamsKey key from which to obtain key parameters
* @return new public key having value and parameters
* @throws CertPathValidatorException if keys are not appropriate types
* for this operation
*/
static PublicKey makeInheritedParamsKey(PublicKey keyValueKey,
PublicKey keyParamsKey) throws CertPathValidatorException
{
if (!(keyValueKey instanceof DSAPublicKey) ||
!(keyParamsKey instanceof DSAPublicKey))
throw new CertPathValidatorException("Input key is not " +
"appropriate type for " +
"inheriting parameters");
DSAParams params = ((DSAPublicKey)keyParamsKey).getParams();
if (params == null)
throw new CertPathValidatorException("Key parameters missing");
try {
BigInteger y = ((DSAPublicKey)keyValueKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
params.getP(),
params.getQ(),
params.getG());
return kf.generatePublic(ks);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate key with" +
" inherited parameters: " +
e.getMessage(), e);
}
}
项目:jdk8u-jdk
文件:OCSP.java
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert,
URI responderURI,
X509Certificate responderCert,
Date date, List<Extension> extensions)
throws IOException, CertPathValidatorException
{
CertId certId = null;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
} catch (CertificateException | IOException e) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, responderCert, date, extensions);
return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
项目:openjdk-jdk10
文件:OCSP.java
public static RevocationStatus check(X509Certificate cert,
URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
X509Certificate responderCert, Date date,
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
CertId certId;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
} catch (CertificateException | IOException e) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
responderCert, date, extensions, variant);
return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
项目:jdk8u-jdk
文件:UntrustedChecker.java
@Override
public void check(Certificate cert,
Collection<String> unresolvedCritExts)
throws CertPathValidatorException {
X509Certificate currCert = (X509Certificate)cert;
if (UntrustedCertificates.isUntrusted(currCert)) {
if (debug != null) {
debug.println("UntrustedChecker: untrusted certificate " +
currCert.getSubjectX500Principal());
}
throw new CertPathValidatorException(
"Untrusted certificate: " + currCert.getSubjectX500Principal());
}
}
项目:jdk8u-jdk
文件:ForwardState.java
/**
* Initialize the state.
*
* @param certPathCheckers the list of user-defined PKIXCertPathCheckers
*/
public void initState(List<PKIXCertPathChecker> certPathCheckers)
throws CertPathValidatorException
{
subjectNamesTraversed = new HashSet<GeneralNameInterface>();
traversedCACerts = 0;
/*
* Populate forwardCheckers with every user-defined checker
* that supports forward checking and initialize the forwardCheckers
*/
forwardCheckers = new ArrayList<PKIXCertPathChecker>();
for (PKIXCertPathChecker checker : certPathCheckers) {
if (checker.isForwardCheckingSupported()) {
checker.init(true);
forwardCheckers.add(checker);
}
}
init = true;
}
项目:jdk8u-jdk
文件:ConstraintsChecker.java
/**
* Performs the basic constraints and name constraints
* checks on the certificate using its internal state.
*
* @param cert the <code>Certificate</code> to be checked
* @param unresCritExts a <code>Collection</code> of OID strings
* representing the current set of unresolved critical extensions
* @throws CertPathValidatorException if the specified certificate
* does not pass the check
*/
@Override
public void check(Certificate cert, Collection<String> unresCritExts)
throws CertPathValidatorException
{
X509Certificate currCert = (X509Certificate)cert;
i++;
// MUST run NC check second, since it depends on BC check to
// update remainingCerts
checkBasicConstraints(currCert);
verifyNameConstraints(currCert);
if (unresCritExts != null && !unresCritExts.isEmpty()) {
unresCritExts.remove(BasicConstraints_Id.toString());
unresCritExts.remove(NameConstraints_Id.toString());
}
}
项目:openjdk-jdk10
文件:UntrustedChecker.java
@Override
public void check(Certificate cert,
Collection<String> unresolvedCritExts)
throws CertPathValidatorException {
X509Certificate currCert = (X509Certificate)cert;
if (UntrustedCertificates.isUntrusted(currCert)) {
if (debug != null) {
debug.println("UntrustedChecker: untrusted certificate " +
currCert.getSubjectX500Principal());
}
throw new CertPathValidatorException(
"Untrusted certificate: " + currCert.getSubjectX500Principal());
}
}
项目:openjdk-jdk10
文件:BasicChecker.java
/**
* Initializes the internal state of the checker from parameters
* specified in the constructor.
*/
@Override
public void init(boolean forward) throws CertPathValidatorException {
if (!forward) {
prevPubKey = trustedPubKey;
if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) {
// If TrustAnchor is a DSA public key and it has no params, it
// cannot be used to verify the signature of the first cert,
// so throw exception
throw new CertPathValidatorException("Key parameters missing");
}
prevSubject = caName;
} else {
throw new
CertPathValidatorException("forward checking not supported");
}
}
项目:jdk8u-jdk
文件:BasicChecker.java
/**
* Internal method to create a new key with inherited key parameters.
*
* @param keyValueKey key from which to obtain key value
* @param keyParamsKey key from which to obtain key parameters
* @return new public key having value and parameters
* @throws CertPathValidatorException if keys are not appropriate types
* for this operation
*/
static PublicKey makeInheritedParamsKey(PublicKey keyValueKey,
PublicKey keyParamsKey) throws CertPathValidatorException
{
if (!(keyValueKey instanceof DSAPublicKey) ||
!(keyParamsKey instanceof DSAPublicKey))
throw new CertPathValidatorException("Input key is not " +
"appropriate type for " +
"inheriting parameters");
DSAParams params = ((DSAPublicKey)keyParamsKey).getParams();
if (params == null)
throw new CertPathValidatorException("Key parameters missing");
try {
BigInteger y = ((DSAPublicKey)keyValueKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
params.getP(),
params.getQ(),
params.getG());
return kf.generatePublic(ks);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate key with" +
" inherited parameters: " +
e.getMessage(), e);
}
}
项目:jdk8u-jdk
文件:DisabledAlgorithmConstraints.java
private void checkConstraints(Set<CryptoPrimitive> primitives,
CertConstraintParameters cp) throws CertPathValidatorException {
X509Certificate cert = cp.getCertificate();
String algorithm = cert.getSigAlgName();
// Check signature algorithm is not disabled
if (!permits(primitives, algorithm, null)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled "+
"signature algorithm: " + algorithm,
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Check key algorithm is not disabled
if (!permits(primitives, cert.getPublicKey().getAlgorithm(), null)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled "+
"public key algorithm: " + algorithm,
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
// Check the certificate and key constraints
algorithmConstraints.permits(cp);
}
项目:openjdk-jdk10
文件:SSLEngineWithStapling.java
/**
* Checks a validation failure to see if it failed for the reason we think
* it should. This comes in as an SSLException of some sort, but it
* encapsulates a ValidatorException which in turn encapsulates the
* CertPathValidatorException we are interested in.
*
* @param e the exception thrown at the top level
* @param reason the underlying CertPathValidatorException BasicReason
* we are expecting it to have.
*
* @return true if the reason matches up, false otherwise.
*/
static boolean checkClientValidationFailure(Exception e,
CertPathValidatorException.BasicReason reason) {
boolean result = false;
if (e instanceof SSLException) {
Throwable sslhe = e.getCause();
if (sslhe instanceof SSLHandshakeException) {
Throwable valExc = sslhe.getCause();
if (valExc instanceof sun.security.validator.ValidatorException) {
Throwable cause = valExc.getCause();
if (cause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)cause;
if (cpve.getReason() == reason) {
result = true;
}
}
}
}
}
return result;
}
项目:openjdk-jdk10
文件:OCSP.java
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert, URI responderURI,
X509Certificate responderCert, Date date, List<Extension> extensions,
String variant)
throws IOException, CertPathValidatorException
{
return check(cert, responderURI, null, issuerCert, responderCert, date,
extensions, variant);
}
项目:openjdk-jdk10
文件:PolicyChecker.java
/**
* Merges the specified inhibitAnyPolicy value with the
* SkipCerts value of the InhibitAnyPolicy
* extension obtained from the certificate.
*
* @param inhibitAnyPolicy an integer which indicates whether
* "any-policy" is considered a match
* @param currCert the Certificate to be processed
* @return returns the new inhibitAnyPolicy value
* @exception CertPathValidatorException Exception thrown if an error
* occurs
*/
static int mergeInhibitAnyPolicy(int inhibitAnyPolicy,
X509CertImpl currCert) throws CertPathValidatorException
{
if ((inhibitAnyPolicy > 0) && !X509CertImpl.isSelfIssued(currCert)) {
inhibitAnyPolicy--;
}
try {
InhibitAnyPolicyExtension inhAnyPolExt = (InhibitAnyPolicyExtension)
currCert.getExtension(InhibitAnyPolicy_Id);
if (inhAnyPolExt == null)
return inhibitAnyPolicy;
int skipCerts =
inhAnyPolExt.get(InhibitAnyPolicyExtension.SKIP_CERTS).intValue();
if (debug != null)
debug.println("PolicyChecker.mergeInhibitAnyPolicy() "
+ "skipCerts Index from cert = " + skipCerts);
if (skipCerts != -1) {
if (skipCerts < inhibitAnyPolicy) {
inhibitAnyPolicy = skipCerts;
}
}
} catch (IOException e) {
if (debug != null) {
debug.println("PolicyChecker.mergeInhibitAnyPolicy "
+ "unexpected exception");
e.printStackTrace();
}
throw new CertPathValidatorException(e);
}
return inhibitAnyPolicy;
}
项目:ipack
文件:CertPathValidatorUtilities.java
protected static final Set getQualifierSet(ASN1Sequence qualifiers)
throws CertPathValidatorException
{
Set pq = new HashSet();
if (qualifiers == null)
{
return pq;
}
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
ASN1OutputStream aOut = new ASN1OutputStream(bOut);
Enumeration e = qualifiers.getObjects();
while (e.hasMoreElements())
{
try
{
aOut.writeObject((ASN1Encodable)e.nextElement());
pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
}
catch (IOException ex)
{
throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
}
bOut.reset();
}
return pq;
}
项目:openjdk-jdk10
文件:SSLEngineWithStapling.java
public static void main(String args[]) throws Exception {
if (debug) {
System.setProperty("javax.net.debug", "ssl");
}
// Create the PKI we will use for the test and start the OCSP servers
createPKI();
// Set the certificate entry in the intermediate OCSP responder
// with a revocation date of 8 hours ago.
X509Certificate sslCert =
(X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
new HashMap<>();
revInfo.put(sslCert.getSerialNumber(),
new SimpleOCSPServer.CertStatusInfo(
SimpleOCSPServer.CertStatus.CERT_STATUS_REVOKED,
new Date(System.currentTimeMillis() -
TimeUnit.HOURS.toMillis(8))));
intOcsp.updateStatusDb(revInfo);
SSLEngineWithStapling test = new SSLEngineWithStapling();
try {
test.runTest();
throw new RuntimeException("Expected failure due to revocation " +
"did not occur");
} catch (Exception e) {
if (!checkClientValidationFailure(e,
CertPathValidatorException.BasicReason.REVOKED)) {
System.out.println("*** Didn't find the exception we wanted");
throw e;
}
}
System.out.println("Test Passed.");
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static int prepareNextCertJ(
CertPath certPath,
int index,
int inhibitAnyPolicy)
throws CertPathValidatorException
{
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate)certs.get(index);
//
// (j)
//
DERInteger iap = null;
try
{
iap = DERInteger.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
RFC3280CertPathUtilities.INHIBIT_ANY_POLICY));
}
catch (Exception e)
{
throw new ExtCertPathValidatorException("Inhibit any-policy extension cannot be decoded.", e, certPath,
index);
}
if (iap != null)
{
int _inhibitAnyPolicy = iap.getValue().intValue();
if (_inhibitAnyPolicy < inhibitAnyPolicy)
{
return _inhibitAnyPolicy;
}
}
return inhibitAnyPolicy;
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static void prepareNextCertK(
CertPath certPath,
int index)
throws CertPathValidatorException
{
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate)certs.get(index);
//
// (k)
//
BasicConstraints bc = null;
try
{
bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
RFC3280CertPathUtilities.BASIC_CONSTRAINTS));
}
catch (Exception e)
{
throw new ExtCertPathValidatorException("Basic constraints extension cannot be decoded.", e, certPath,
index);
}
if (bc != null)
{
if (!(bc.isCA()))
{
throw new CertPathValidatorException("Not a CA certificate");
}
}
else
{
throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
}
}
项目:openjdk-jdk10
文件:ConstraintsChecker.java
@Override
public void init(boolean forward) throws CertPathValidatorException {
if (!forward) {
i = 0;
maxPathLength = certPathLength;
prevNC = null;
} else {
throw new CertPathValidatorException
("forward checking not supported");
}
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static void prepareNextCertO(
CertPath certPath,
int index,
Set criticalExtensions,
List pathCheckers)
throws CertPathValidatorException
{
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate)certs.get(index);
//
// (o)
//
Iterator tmpIter;
tmpIter = pathCheckers.iterator();
while (tmpIter.hasNext())
{
try
{
((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions);
}
catch (CertPathValidatorException e)
{
throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index);
}
}
if (!criticalExtensions.isEmpty())
{
throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath,
index);
}
}
项目:ipack
文件:RFC3280CertPathUtilities.java
protected static void wrapupCertF(
CertPath certPath,
int index,
List pathCheckers,
Set criticalExtensions)
throws CertPathValidatorException
{
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate)certs.get(index);
Iterator tmpIter;
tmpIter = pathCheckers.iterator();
while (tmpIter.hasNext())
{
try
{
((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions);
}
catch (CertPathValidatorException e)
{
throw new ExtCertPathValidatorException("Additional certificate path checker failed.", e, certPath,
index);
}
}
if (!criticalExtensions.isEmpty())
{
throw new ExtCertPathValidatorException("Certificate has unsupported critical extension: " + criticalExtensions, null, certPath,
index);
}
}
项目:openjdk-jdk10
文件:AlgorithmChecker.java
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param algorithmId signature algorithm Algorithm ID
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static void check(PublicKey key, AlgorithmId algorithmId, String variant)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
certPathDefaultConstraints.permits(new ConstraintsParameters(
sigAlgName, sigAlgParams, key, variant));
}
项目:verify-hub
文件:CertificateValidityChecker.java
private Function<Map<CertificateDetails, CertificateValidity>, InvalidCertificateDto> toInvalidCertificates() {
return input -> {
CertificateDetails certificateDetail = getOnlyElement(input.keySet());
CertificateValidity certificateValidity = getOnlyElement(input.values());
CertPathValidatorException certPathValidatorException = certificateValidity.getException().get();
return new InvalidCertificateDto(
certificateDetail.getIssuerId(),
certPathValidatorException.getReason(),
certificateDetail.getKeyUse(),
certificateDetail.getFederationEntityType(),
certPathValidatorException.getMessage());
};
}
项目:openjdk-jdk10
文件:PolicyChecker.java
/**
* Initializes the internal state of the checker from parameters
* specified in the constructor
*
* @param forward a boolean indicating whether this checker should be
* initialized capable of building in the forward direction
* @throws CertPathValidatorException if user wants to enable forward
* checking and forward checking is not supported.
*/
@Override
public void init(boolean forward) throws CertPathValidatorException {
if (forward) {
throw new CertPathValidatorException
("forward checking not supported");
}
certIndex = 1;
explicitPolicy = (expPolicyRequired ? 0 : certPathLen + 1);
policyMapping = (polMappingInhibited ? 0 : certPathLen + 1);
inhibitAnyPolicy = (anyPolicyInhibited ? 0 : certPathLen + 1);
}
项目:verify-hub
文件:ConfigValidationExceptionTest.java
@Test
public void createInvalidCertificatesException() throws Exception {
InvalidCertificateDto invalidCertificateDto = new InvalidCertificateDto("entity-id", CertPathValidatorException.BasicReason.EXPIRED, CertificateType.ENCRYPTION, FederationEntityType.IDP, "description");
ConfigValidationException exception = ConfigValidationException.createInvalidCertificatesException(asList(invalidCertificateDto));
assertThat(exception.getMessage()).isEqualTo("Invalid certificate found.\n" +
"Entity Id: entity-id\n" +
"Certificate Type: ENCRYPTION\n" +
"Federation Type: IDP\n" +
"Reason: EXPIRED\n" +
"Description: description");
}
项目:openjdk-jdk10
文件:GetMessage.java
public static void main(String[] args) throws Exception {
Throwable[] causes = {
new Throwable(),
new Throwable("message"),
new Throwable("message", new Throwable()) };
for (Throwable cause: causes) {
CertPathValidatorException cpve =
new CertPathValidatorException(cause);
// from CertPathValidatorException(Throwable cause) spec:
// The detail message is set to (cause==null ? null : cause.toString() )
// (which typically contains the class and detail message of cause).
String expMsg = (cause == null ? null : cause.toString());
String actualMsg = cpve.getMessage();
boolean msgsEqual =
(expMsg == null ? actualMsg == null : expMsg.equals(actualMsg));
if (!msgsEqual) {
System.out.println("expected message:" + expMsg);
System.out.println("getMessage():" + actualMsg);
failed = true;
}
}
if (failed) {
throw new Exception("Some tests FAILED");
}
}
项目:OpenJSharp
文件:OCSPResponse.java
private boolean verifySignature(X509Certificate cert)
throws CertPathValidatorException {
try {
Signature respSignature = Signature.getInstance(sigAlgId.getName());
respSignature.initVerify(cert.getPublicKey());
respSignature.update(tbsResponseData);
if (respSignature.verify(signature)) {
if (debug != null) {
debug.println("Verified signature of OCSP Response");
}
return true;
} else {
if (debug != null) {
debug.println(
"Error verifying signature of OCSP Response");
}
return false;
}
} catch (InvalidKeyException | NoSuchAlgorithmException |
SignatureException e)
{
throw new CertPathValidatorException(e);
}
}
项目:openjdk-jdk10
文件:AlgorithmChecker.java
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static void check(PublicKey key, X509CRL crl, String variant)
throws CertPathValidatorException {
X509CRLImpl x509CRLImpl = null;
try {
x509CRLImpl = X509CRLImpl.toImpl(crl);
} catch (CRLException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
check(key, algorithmId, variant);
}