Examples of CertPath

• java.security.cert.CertPath
  An immutable sequence of certificates (a certification path).

  This is an abstract class that defines the methods common to all {@code CertPath}s. Subclasses can handle different kinds of certificates (X.509, PGP, etc.).

  All {@code CertPath} objects have a type, a list of{@code Certificate}s, and one or more supported encodings. Because the {@code CertPath} class is immutable, a {@code CertPath} cannotchange in any externally visible way after being constructed. This stipulation applies to all public fields and methods of this class and any added or overridden by subclasses.

  The type is a {@code String} that identifies the type of{@code Certificate}s in the certification path. For each certificate {@code cert} in a certification path {@code certPath}, {@code cert.getType().equals(certPath.getType())} must be{@code true}.

  The list of {@code Certificate}s is an ordered {@code List} ofzero or more {@code Certificate}s. This {@code List} and allof the {@code Certificate}s contained in it must be immutable.

  Each {@code CertPath} object must support one or more encodingsso that the object can be translated into a byte array for storage or transmission to other parties. Preferably, these encodings should be well-documented standards (such as PKCS#7). One of the encodings supported by a {@code CertPath} is considered the default encoding. Thisencoding is used if no encoding is explicitly requested (for the {@link #getEncoded() getEncoded()} method, for instance).

  All {@code CertPath} objects are also {@code Serializable}. {@code CertPath} objects are resolved into an alternate{@link CertPathRep CertPathRep} object during serialization. This allowsa {@code CertPath} object to be serialized into an equivalentrepresentation regardless of its underlying implementation.

  {@code CertPath} objects can be created with a{@code CertificateFactory} or they can be returned by other classes,such as a {@code CertPathBuilder}.

  By convention, X.509 {@code CertPath}s (consisting of {@code X509Certificate}s), are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the {@link TrustAnchor TrustAnchor} should not beincluded in the certification path. Unvalidated X.509 {@code CertPath}s may not follow these conventions. PKIX {@code CertPathValidator}s will detect any departure from these conventions that cause the certification path to be invalid and throw a {@code CertPathValidatorException}.

  Every implementation of the Java platform is required to support the following standard {@code CertPath} encodings:

  • {@code PKCS7}
  • {@code PkiPath}

  These encodings are described in the CertPath Encodings section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Consult the release documentation for your implementation to see if any other encodings are supported.

  Concurrent Access

  All {@code CertPath} objects must be thread-safe. That is, multiplethreads may concurrently invoke the methods defined in this class on a single {@code CertPath} object (or more than one) with noill effects. This is also true for the {@code List} returned by{@code CertPath.getCertificates}.

  Requiring {@code CertPath} objects to be immutable and thread-safeallows them to be passed around to various pieces of code without worrying about coordinating access. Providing this thread-safety is generally not difficult, since the {@code CertPath} and{@code List} objects in question are immutable. @see CertificateFactory @see CertPathBuilder @author Yassir Elley @since 1.4

Examples of java.security.cert.CertPath

      // perhaps by letting them pass in PKIXCertPathCheckers. This can also be
      // useful to check for Wave-specific certificate extensions.

      CertificateFactory certFactory = CertificateFactory.getInstance(
          CERTIFICATE_TYPE);
      CertPath certPath = certFactory.generateCertPath(certs);
      validator.validate(certPath, params);
    } catch (GeneralSecurityException e) {
      throw new SignatureException("Certificate validation failure", e);
    }
  }

Examples of java.security.cert.CertPath

        }

        try {
            // Generate cert path
            List<X509Certificate> certList = Arrays.asList(x509certs);
            CertPath path = getCertificateFactory().generateCertPath(certList);

            Set<TrustAnchor> set = new HashSet<TrustAnchor>();
            if (truststore != null) {
                Enumeration<String> truststoreAliases = truststore.aliases();
                while (truststoreAliases.hasMoreElements()) {

Examples of java.security.cert.CertPath

        }
        parameters.setRevocationEnabled(false);

        // Build a certificate path.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath path = builder.build(parameters).getCertPath();

        if (disableRevocationCheck) {
            // Disable revocatin check.
            parameters.setRevocationEnabled(false);
        } else {
            // Enable revocation check.
            parameters.setRevocationEnabled(true);

            // Select a method to check revocation status.
            boolean useOCSP = OCSPClient.getOCSPURLs(certificate).size() > 0;
            boolean useCRL = CRLDownloader.getCRLDistributionPoints(certificate).size() > 0;
            if (!useOCSP && !useCRL) {
                throw new NoRevocationStatusException(
                    String.format(messages.getString(
                    "Certificate_has_no_method_to_verify_revocation_status__%s"),
                    CertificateValidator.getCertificateName(certificate)));
            }

            // Select online or offline revocation check.
            if (date == null) {
                // Enable online revocation check.
                Security.setProperty("ocsp.enable", "true");

                // Correct problem with enableCRLDP system property.
                // Once enableCRLDP is true, it cannot be disabled.
                // Must manually download all CRLs.
                System.setProperty("com.sun.security.enableCRLDP", "false");

                // Download manually CRLs.
                Collection<? extends Certificate> certificates = path.getCertificates();
                ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
                for (Certificate c : certificates) {
                    X509CRL crl = CRLDownloader.getCRL((X509Certificate) c);
                    if (crl != null) {
                        crls.add(crl);
                    }
                }
                parameters.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));

            } else {
                // Enable validation on a previous date.
                parameters.setDate(date.getTime());

                // Disable online revocation check.
                Security.setProperty("ocsp.enable", "false");
                System.setProperty("com.sun.security.enableCRLDP", "false");

                // Determine the issuer certificate.
                X509Certificate issuerCertificate = null;
                if (path.getCertificates().size() > 1) {
                    // Assign the next certificate in chain as the issuer.
                    issuerCertificate = (X509Certificate) path.getCertificates().get(1);
                } else {
                    // Check if a root certificate is the issuer.
                    for (X509Certificate rootCertificate : rootCertificates) {
                        try {
                            certificate.verify(rootCertificate.getPublicKey());
                            issuerCertificate = rootCertificate;
                            break;
                        } catch (Exception exception) {
                            // Try the next root certificate.
                            continue;
                        }
                    }
                }

                // Perform offline revocation check using stored OCSP responses.
                if (useOCSP) {
                    // Check if offline OCSP responses were provided.
                    if (ocspResponses == null) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "No_OCSP_response_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                    // Disable standard online revocation check.
                    parameters.setRevocationEnabled(false);

                    // Verify the certificate using OCSP responses.
                    OCSPVerifier verifier = new OCSPVerifier(null, (ArrayList<BasicOCSPResp>) ocspResponses);
                    verifier.setOnlineCheckingAllowed(false);
                    if (verifier.verify(certificate, issuerCertificate, date.getTime()).size() == 0) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "Could_not_find_a_valid_OCSP_response_for_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                // Enable offline revocation check using CRL.
                } else if (useCRL) {
                    // Check if CRLs were provided.
                    if (certificateRevocationLists == null) {
                        throw new NoCRLException(
                            String.format(messages.getString(
                            "No_certificate_revocation_list_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                    // Add CRLs to perform offline revocation check.
                    parameters.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(certificateRevocationLists)));
                }

                // If it is necessary to verify OCSP responses offline,
                // validate recursively the certificate chain.
                if (ocspResponses != null && ocspResponses.size() > 0
                && path.getCertificates().size() > 1) {
                    validate(
                        issuerCertificate,
                        intermediateCertificates,
                        rootCertificates,
                        ocspResponses,

Examples of java.security.cert.CertPath

            ArrayList<X509Certificate> intermediateCertificates = new ArrayList<X509Certificate>();
            for (Certificate intermediateCertificate : chain) {
                intermediateCertificates.add((X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(intermediateCertificate.getEncoded())));
            }
            CertPath path = CertificateValidator.validate(
                signingCertificate,
                intermediateCertificates,
                rootCertificates,
                null, null, null, true);

            // Prepare structures to store certificates, OCSP responses and CRLs for this signature.
            ArrayList<X509Certificate> certificates = new ArrayList<X509Certificate>();
            ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
            ArrayList<BasicOCSPResp> ocspResponses = new ArrayList<BasicOCSPResp>();

            // Get OCSP response or CRL for each certificate.
            ArrayList<X509Certificate> pathCertificates = new ArrayList<X509Certificate>();
            for (Certificate certificate : path.getCertificates()) {
                pathCertificates.add((X509Certificate) certificate);
            }
            for (int i = 0; i < pathCertificates.size(); i++) {
                // Get current certificate.
                X509Certificate certificate = pathCertificates.get(i);

Examples of java.security.cert.CertPath

            pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
            pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
            pkixParams.setRevocationEnabled(false);

            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            CertPath certPath = builder.build(pkixParams).getCertPath();

            // Now validate the CertPath (including CRL checking)
            if (enableRevocation) {
                List<X509CRL> crls = certRepo.getCRLs();
                if (!crls.isEmpty()) {

Examples of java.security.cert.CertPath

     * @throws WSSecurityException
     */
    public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
            throws WSSecurityException {
        InputStream in = new ByteArrayInputStream(data);
        CertPath path = null;
        try {
            path = getCertificateFactory().generateCertPath(in);
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                    "parseError");
        }
        List l = path.getCertificates();
        X509Certificate[] certs = new X509Certificate[l.size()];
        Iterator iterator = l.iterator();
        for (int i = 0; i < l.size(); i++) {
            certs[(reverse) ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next();
        }

Examples of java.security.cert.CertPath

            } else {
                list.add(certs[i]);
            }
        }
        try {
            CertPath path = getCertificateFactory().generateCertPath(list);
            return path.getEncoded();
        } catch (CertificateEncodingException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                    "encodeError");
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,

Examples of java.security.cert.CertPath

    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {

        try {
            // Generate cert path
            java.util.List certList = java.util.Arrays.asList(certs);
            CertPath path = this.getCertificateFactory().generateCertPath(certList);

            // Use the certificates in the keystore as TrustAnchors
            PKIXParameters param = new PKIXParameters(this.keystore);

            // Do not check a revocation list

Examples of java.security.cert.CertPath

      Subject subject = getSubject();
      X509Certificate cert = clientCredential.getCertificate();
      if (SubjectCredentials.getPrincipal(subject, cert) == null) {
    throw new UnsupportedConstraintException("Missing principal");
      }
      CertPath chain =
    SubjectCredentials.getCertificateChain(subject, cert);
      if (chain == null) {
    throw new UnsupportedConstraintException(
        "Missing public credentials");
      }

Examples of java.security.cert.CertPath

  Map serverKeyTypes = new HashMap();
  List certPaths =
      SubjectCredentials.getCertificateChains(serverSubject);
  if (certPaths != null) {
      for (int i = certPaths.size(); --i >= 0; ) {
    CertPath chain = (CertPath) certPaths.get(i);
    X509Certificate cert = SubjectCredentials.firstX509Cert(chain);
    X500Principal principal = SubjectCredentials.getPrincipal(
        serverSubject, cert);
    if (principal != null) {
        Collection keyTypes =