/**
 * Log the constructed certificate path at debug level.
 *
 * @param buildResult the PKIX cert path builder result holding the cert path and trust anchor
 * @param targetCert the untrusted end-entity certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    // The subject DN below comes from the untrusted certificate and is logged verbatim,
    // so log consumers should not assume it is free of control characters.
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate pathCert : buildResult.getCertPath().getCertificates()) {
        X509Certificate x509 = (X509Certificate) pathCert;
        log.debug("CertPath certificate: {}", x500DNHandler.getName(x509.getSubjectX500Principal()));
    }
    // A TrustAnchor carries either a certificate, or an X500Principal, or only a name string.
    TrustAnchor anchor = buildResult.getTrustAnchor();
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchorCert.getSubjectX500Principal()));
        return;
    }
    if (anchor.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getCA()));
        return;
    }
    log.debug("TrustAnchor: {}", anchor.getCAName());
}
/**
 * Test #1 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: Creates an instance of <code>PKIXCertPathBuilderResult</code>
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    method = "PKIXCertPathBuilderResult",
    args = {java.security.cert.CertPath.class, java.security.cert.TrustAnchor.class, java.security.cert.PolicyNode.class, java.security.PublicKey.class}
)
public final void testPKIXCertPathBuilderResult01()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    // report a missing fixture as a test failure instead of an NPE further down
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPath path = new MyCertPath(testEncoding);
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(path, anchor, TestUtils.getPolicyTree(), testPublicKey);
    assertTrue(result instanceof PKIXCertPathBuilderResult);
}
/**
 * Test #2 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: policy tree parameter may be <code>null</code>
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    method = "PKIXCertPathBuilderResult",
    args = {java.security.cert.CertPath.class, java.security.cert.TrustAnchor.class, java.security.cert.PolicyNode.class, java.security.PublicKey.class}
)
public final void testPKIXCertPathBuilderResult02()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    // a null policy tree is explicitly permitted by the constructor contract
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(new MyCertPath(testEncoding), anchor, null, testPublicKey);
    assertTrue(result instanceof PKIXCertPathBuilderResult);
}
/**
 * Test #3 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: <code>NullPointerException</code>
 * if certPath is <code>null</code>
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    method = "PKIXCertPathBuilderResult",
    args = {java.security.cert.CertPath.class, java.security.cert.TrustAnchor.class, java.security.cert.PolicyNode.class, java.security.PublicKey.class}
)
public final void testPKIXCertPathBuilderResult03() {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    try {
        new PKIXCertPathBuilderResult(null, anchor, TestUtils.getPolicyTree(), testPublicKey);
        fail("NPE expected");
    } catch (NullPointerException expected) {
        // the constructor must reject a null certPath
    }
}
/**
 * Test #4 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: <code>NullPointerException</code>
 * if trustAnchor is <code>null</code>
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    method = "PKIXCertPathBuilderResult",
    args = {java.security.cert.CertPath.class, java.security.cert.TrustAnchor.class, java.security.cert.PolicyNode.class, java.security.PublicKey.class}
)
public final void testPKIXCertPathBuilderResult04() {
    // no fixture anchor is needed here: null is the value under test
    try {
        new PKIXCertPathBuilderResult(
                new MyCertPath(testEncoding), null, TestUtils.getPolicyTree(), testPublicKey);
        fail("NPE expected");
    } catch (NullPointerException expected) {
        // the constructor must reject a null trustAnchor
    }
}
/**
 * Test #5 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: <code>NullPointerException</code>
 * if publicKey is <code>null</code>
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    method = "PKIXCertPathBuilderResult",
    args = {java.security.cert.CertPath.class, java.security.cert.TrustAnchor.class, java.security.cert.PolicyNode.class, java.security.PublicKey.class}
)
public final void testPKIXCertPathBuilderResult05() {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    try {
        new PKIXCertPathBuilderResult(
                new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), null);
        fail("NPE expected");
    } catch (NullPointerException expected) {
        // the constructor must reject a null publicKey
    }
}
@TestTargetNew(
    level = TestLevel.COMPLETE,
    notes = "",
    method = "clone",
    args = {}
)
public final void test_clone() {
    // Regression for HARMONY-2786: clone() must keep every component reference intact.
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    if (anchor == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    PKIXCertPathBuilderResult original = new PKIXCertPathBuilderResult(
            new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), testPublicKey);
    PKIXCertPathBuilderResult copy = (PKIXCertPathBuilderResult) original.clone();
    assertSame(original.getCertPath(), copy.getCertPath());
    assertSame(original.getPolicyTree(), copy.getPolicyTree());
    assertSame(original.getPublicKey(), copy.getPublicKey());
    assertSame(original.getTrustAnchor(), copy.getTrustAnchor());
}
/**
 * Test for <code>getCertPath()</code> method<br>
 * Assertion: the built and validated <code>CertPath</code>
 * (never <code>null</code>)
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
@TestTargetNew(
    level = TestLevel.COMPLETE,
    notes = "",
    method = "getCertPath",
    args = {}
)
public final void testGetCertPath() throws Exception {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPath path = new MyCertPath(testEncoding);
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(path, anchor, TestUtils.getPolicyTree(), testPublicKey);
    // the getter must hand back the very instance given to the constructor
    assertSame(path, result.getCertPath());
}
/**
 * Test for <code>toString()</code> method<br>
 * Assertion: the printable representation of this object
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
@TestTargetNew(
    level = TestLevel.COMPLETE,
    notes = "",
    method = "toString",
    args = {}
)
public final void testToString()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPathBuilderResult result = new PKIXCertPathBuilderResult(
            new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), testPublicKey);
    // only non-nullness is asserted; the exact format is provider-defined
    assertNotNull(result.toString());
}
/**
 * Test #1 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: Creates an instance of <code>PKIXCertPathBuilderResult</code>
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
public final void testPKIXCertPathBuilderResult01()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    // report a missing fixture as a test failure instead of an NPE further down
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPath path = new MyCertPath(testEncoding);
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(path, anchor, TestUtils.getPolicyTree(), testPublicKey);
    assertTrue(result instanceof PKIXCertPathBuilderResult);
}
/**
 * Test #2 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: policy tree parameter may be <code>null</code>
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
public final void testPKIXCertPathBuilderResult02()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    // a null policy tree is explicitly permitted by the constructor contract
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(new MyCertPath(testEncoding), anchor, null, testPublicKey);
    assertTrue(result instanceof PKIXCertPathBuilderResult);
}
/**
 * Test #3 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: <code>NullPointerException</code>
 * if certPath is <code>null</code>
 */
public final void testPKIXCertPathBuilderResult03() {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    try {
        new PKIXCertPathBuilderResult(null, anchor, TestUtils.getPolicyTree(), testPublicKey);
        fail("NPE expected");
    } catch (NullPointerException expected) {
        // the constructor must reject a null certPath
    }
}
/**
 * Test #5 for <code>PKIXCertPathBuilderResult(CertPath, TrustAnchor,
 * PolicyNode, PublicKey)</code> constructor<br>
 * Assertion: <code>NullPointerException</code>
 * if publicKey is <code>null</code>
 */
public final void testPKIXCertPathBuilderResult05() {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    try {
        new PKIXCertPathBuilderResult(
                new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), null);
        fail("NPE expected");
    } catch (NullPointerException expected) {
        // the constructor must reject a null publicKey
    }
}
/**
 * Regression for HARMONY-2786: <code>clone()</code> must return a
 * <code>PKIXCertPathBuilderResult</code> that keeps every component reference intact.
 */
public final void test_clone() {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    if (anchor == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor)");
    }
    PKIXCertPathBuilderResult original = new PKIXCertPathBuilderResult(
            new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), testPublicKey);
    PKIXCertPathBuilderResult copy = (PKIXCertPathBuilderResult) original.clone();
    assertSame(original.getCertPath(), copy.getCertPath());
    assertSame(original.getPolicyTree(), copy.getPolicyTree());
    assertSame(original.getPublicKey(), copy.getPublicKey());
    assertSame(original.getTrustAnchor(), copy.getTrustAnchor());
}
/**
 * Test for <code>getCertPath()</code> method<br>
 * Assertion: the built and validated <code>CertPath</code>
 * (never <code>null</code>)
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
public final void testGetCertPath() throws Exception {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPath path = new MyCertPath(testEncoding);
    CertPathBuilderResult result =
        new PKIXCertPathBuilderResult(path, anchor, TestUtils.getPolicyTree(), testPublicKey);
    // the getter must hand back the very instance given to the constructor
    assertSame(path, result.getCertPath());
}
/**
 * Test for <code>toString()</code> method<br>
 * Assertion: the printable representation of this object
 * @throws NoSuchAlgorithmException
 * @throws InvalidKeySpecException
 */
public final void testToString()
        throws InvalidKeySpecException, NoSuchAlgorithmException {
    TrustAnchor anchor = TestUtils.getTrustAnchor();
    assertNotNull(getName() + ": not performed (could not create test TrustAnchor)", anchor);
    CertPathBuilderResult result = new PKIXCertPathBuilderResult(
            new MyCertPath(testEncoding), anchor, TestUtils.getPolicyTree(), testPublicKey);
    // only non-nullness is asserted; the exact format is provider-defined
    assertNotNull(result.toString());
}
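/**
 * Verify the passed in CMS signed data, return false on failure.
 *
 * <p>Every SignerInfo in the message must chain to the configured trust anchor
 * (via {@code checkCertPath}) and carry a signature that validates under its
 * certificate; a message with no signers is not considered verified. Any failure
 * along the way (missing certificates, path building, provider errors, a bad
 * signature) is reported as {@code false} rather than propagated.
 *
 * @param cmsData a CMSSignedData object.
 * @return true if every signature checks out, false if there is a problem with
 *         a signature or the path to its verifying certificate.
 */
public boolean signatureVerified(CMSSignedData cmsData) {
    Store certs = cmsData.getCertificates();
    SignerInformationStore signers = cmsData.getSignerInfos();
    Collection<SignerInformation> signerInfos = signers.getSigners();
    if (signerInfos.isEmpty()) {
        // an unsigned message must not be reported as verified
        return false;
    }
    try {
        for (SignerInformation signer : signerInfos) {
            PKIXCertPathBuilderResult result = checkCertPath(signer.getSID(), certs);
            // a built PKIX path lists the target (signer) certificate first
            X509Certificate signerCert =
                (X509Certificate) result.getCertPath().getCertificates().get(0);
            boolean ok = signer.verify(
                new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCert));
            if (!ok) {
                return false;
            }
        }
        return true;
    } catch (Exception e) {
        // best-effort contract: any error means "not verified"
        return false;
    }
}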
/**
 * Build a PKIX certification path from the signer's certificate to the configured trust anchor.
 *
 * @param signerId issuer and serial number identifying the signing certificate inside {@code certs}
 * @param certs the certificates carried in the CMS message, used as the path-building cert store
 * @return the built path; the target (signer) certificate comes first in it
 * @throws IOException if the signer's issuer name cannot be DER-encoded
 * @throws GeneralSecurityException if the provider is unavailable or no path to the anchor can be built
 */
private PKIXCertPathBuilderResult checkCertPath(SignerId signerId, Store certs)
        throws IOException, GeneralSecurityException {
    X509CertSelector target = new X509CertSelector();
    target.setIssuer(signerId.getIssuer().getEncoded());
    target.setSerialNumber(signerId.getSerialNumber());

    TrustAnchor anchor = new TrustAnchor(trustAnchor, null);
    PKIXBuilderParameters params =
        new PKIXBuilderParameters(Collections.singleton(anchor), target);
    params.addCertStore(new JcaCertStoreBuilder().setProvider("BC").addCertificates(certs).build());
    // Revocation checking is switched off and no CRL/OCSP source is configured,
    // so a revoked signer certificate would still yield a valid path. TODO: CRLs?
    params.setRevocationEnabled(false);

    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
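/**
 * Take a CMS SignedData message and a trust anchor and determine if
 * the message is signed with a valid signature from an end entity
 * certificate recognized by the trust anchor rootCert.
 *
 * <p>Returns true as soon as one SignerInfo verifies: its certificate must satisfy
 * the signature key-usage constraint, chain to {@code rootCert} via
 * {@code buildPath}, and carry a signature that validates under that
 * certificate's public key.
 *
 * @param signedData the CMS SignedData message to check
 * @param rootCert the trust anchor the signer's certificate path must end at
 * @return true if at least one signer verifies, false if none does
 * @throws Exception if the certificates cannot be read or no path can be built for a signer
 */
public static boolean isValid(CMSSignedData signedData, X509Certificate rootCert)
        throws Exception {
    CertStore certsAndCRLs = signedData.getCertificatesAndCRLs("Collection", "BC");
    SignerInformationStore signers = signedData.getSignerInfos();
    for (Iterator<?> it = signers.getSigners().iterator(); it.hasNext(); ) {
        SignerInformation signer = (SignerInformation) it.next();
        X509CertSelector signerConstraints = signer.getSID();
        signerConstraints.setKeyUsage(getKeyUsageForSignature());
        // Pass the constrained selector itself: calling signer.getSID() again could
        // hand buildPath a selector without the key-usage restriction just applied.
        PKIXCertPathBuilderResult result = buildPath(rootCert, signerConstraints, certsAndCRLs);
        if (signer.verify(result.getPublicKey(), "BC")) {
            return true;
        }
    }
    return false;
}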
/**
 * Test driver: builds a PKIX path from {@code ee.cer} through {@code ca.cer} to the
 * anchor taken from {@code anchor.cer} and checks that the path's first certificate
 * is an end-entity certificate.
 *
 * @param args ignored
 * @throws Exception if a certificate cannot be read, no path can be built, or the
 *         target certificate turns out to be a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Test-only relaxation: narrow the disabled-algorithm list to MD2 so the
    // algorithms and keys used by this test's fixture certificates are accepted.
    // This widens what the path validator trusts and is appropriate only here.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor =
        new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);

    // basicConstraints -2 restricts the target to end-entity (non-CA) certificates
    X509CertSelector endEntityOnly = new X509CertSelector();
    endEntityOnly.setBasicConstraints(-2);

    PKIXBuilderParameters params =
        new PKIXBuilderParameters(Collections.singleton(anchor), endEntityOnly);
    params.setRevocationEnabled(false);

    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    List<X509Certificate> chainCerts = new ArrayList<X509Certificate>(2);
    chainCerts.add(caCert);
    chainCerts.add(eeCert);
    CertStore certStore =
        CertStore.getInstance("Collection", new CollectionCertStoreParameters(chainCerts));
    params.addCertStore(certStore);

    PKIXCertPathBuilderResult result = CertUtils.build(params);
    List<? extends Certificate> pathCerts = result.getCertPath().getCertificates();
    // the built path starts with the target; basicConstraints -1 means "not a CA"
    X509Certificate target = (X509Certificate) pathCerts.get(0);
    if (target.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @return the builder's result, cast to the PKIX-specific result type
 * @throws Exception on error, including when no path to a trust anchor can be built
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params) throws Exception {
    // the default-provider "PKIX" builder always produces a PKIXCertPathBuilderResult
    return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
}