Examples of java.security.cert.CertPathValidatorException$Reason

java.security.cert.CertPathValidatorException
The reason the validation algorithm failed. @since 1.7

           break;
         }
       }
       
       if(rootCert == null){
         throw new CertPathValidatorException("Error Root CA cert not found in cACertChain"); 
       }
       
       List list = new ArrayList();
       list.add(usercert);
       list.addAll(cACertChain);

View Full Code Here

              break;
            }
          }
          
          if(rootCert == null){
            throw new CertPathValidatorException("Error Root CA cert not found in cACertChain"); 
          }
          
          List list = new ArrayList();
          list.add(usercert);
          list.add(cACertChain);

View Full Code Here

                        reqchain = ca.getRequestCertificateChain();
                        log.debug("Using pre-stored CA certificate chain.");
                        if (reqchain == null) {
                            String msg = intres.getLocalizedMessage("caadmin.errornorequestchain", caid, ca.getSubjectDN());
                            log.info(msg);
                            throw new CertPathValidatorException(msg);
                        }
                    }
                    log.debug("Picked up request certificate chain of size: " + reqchain.size());
                    tmpchain.addAll(reqchain);
                    Collection<Certificate> chain = CertTools.createCertChain(tmpchain);

View Full Code Here


      log.info("Checking the cert against the CRL");
      
        if (!(certificate instanceof X509Certificate)) { // accept only X509Certificates
            log.error("Error: non-X509 certificate given as an argument");
            throw new CertPathValidatorException("Error: non-X509 certificate given as an argument");
        }




        List<X509CRL> crlList = new ArrayList<X509CRL>();
        
        InputStream inStream = null;
        CertificateFactory cf = null;
        
        try
        {
      inStream = new FileInputStream(x509CRLLocation);


      cf = CertificateFactory.getInstance("X.509");
            crlList = (List<X509CRL>)cf.generateCRLs(inStream); 
            
            inStream.close();
        }
        catch (FileNotFoundException e1)
        {
      throw new CertPathValidatorException("The CRL could not be opened");
    }
    catch (CertificateException e1)
        {
      throw new CertPathValidatorException("The certificate factory for the CRL could not be created");
    }
    catch (CRLException e1)
        {
      throw new CertPathValidatorException("The CRL could not be generated");
    }
    catch (IOException e1)
        {
      throw new CertPathValidatorException("The CRL file stream could not be closed");
    }
        
        Principal certIssuer = certificate.getIssuerDN();
        BigInteger serial = certificate.getSerialNumber();


        try {
            log.info("Checking certificate "
                    + certificate.getSubjectDN().getName() + " with serial "
                    + serial);


            
                for(X509CRL crlInstance : crlList)
                {
                    if (crlInstance.getIssuerDN().equals(certIssuer)) { // if there is a CRL from the issuer in the CRL list
                        log.debug("CRL found from " + certIssuer.getName());


                        X509CRLEntry crlEntry = crlInstance.getRevokedCertificate(serial); // check it the serial number is in the list


                        if (crlEntry != null) { // the certificate is in the CRL list
                            log.info("The certificate is revoked by " + certIssuer.getName());
                            throw new CertPathValidatorException("The certificate "
                                + certificate.getSubjectDN().getName()
                                + " is revoked by " + certIssuer.getName());
                        }


                        // do not check other CRLs, as we already found the issuer and the certificate was not revoked
                        // comment the following return out if it is possible to have several CRLs from one issuer
                        log.debug("CRLCertChecker.check: certificate OK, cheked against CRL");


                        return;
                    }
                    
                }    


            if (crlRequired) {
                log.warn("No crl (even though it is required) found for the CA " + certIssuer.toString());
                throw new CertPathValidatorException("No crl (even though it is required) found for the CA " + certIssuer.toString());
            }
        } catch (Exception e) {
            log.error("Certificate revocation checking failed",e);
            throw new java.security.cert.CertPathValidatorException(e.getMessage());
        }

View Full Code Here

                }


                // Extract the anchor certs
                Iterator anchors = pkixParams.getTrustAnchors().iterator();
                if (!anchors.hasNext()) {
                    throw new CertPathValidatorException(
                            "Must specify at least one trust anchor");
                }


                X500Principal certIssuerName =
                        currCert.getIssuerX500Principal();
                while (anchors.hasNext() &&
                        (!haveIssuerCert || !haveResponderCert)) {


                    TrustAnchor anchor = (TrustAnchor) anchors.next();
                    X509Certificate anchorCert = anchor.getTrustedCert();
                    X500Principal anchorSubjectName =
                            anchorCert.getSubjectX500Principal();


                    // Check if this anchor cert is the issuer cert
                    if (!haveIssuerCert && certIssuerName.equals(anchorSubjectName)) {


                        issuerCert = anchorCert;
                        haveIssuerCert = true;


                        //If we have not set the responderCert at this point, set it to the issuer
                        if (haveResponderCert && responderCert == null) {
                            responderCert = anchorCert;
                            Log.debug("OCSPChecker: Responder's certificate = issuer certificate");
                        }
                    }


                    // Check if this anchor cert is the responder cert
                    if (!haveResponderCert) {
                        if (responderSubjectName != null &&
                                responderSubjectName.equals(anchorSubjectName)) {


                            responderCert = anchorCert;
                            haveResponderCert = true;
                        }
                    }
                }
                
                if (issuerCert == null) {
                    //No trust anchor was found matching the issuer
                    throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN());
                }


                // Check cert stores if responder cert has not yet been found
                if (!haveResponderCert) {
                    Log.debug("OCSPChecker: Searching cert stores for responder's certificate");
                    
                    if (responderSubjectName != null) {
                        X509CertSelector filter = new X509CertSelector();
                        filter.setSubject(responderSubjectName.getName());
                    
                        List<CertStore> certStores = pkixParams.getCertStores();
                        for (CertStore certStore : certStores) {
                            Iterator i = certStore.getCertificates(filter).iterator();
                            if (i.hasNext()) {
                                responderCert = (X509Certificate) i.next();
                                haveResponderCert = true;
                                break;
                            }
                        }
                    }
                }
            }


            // Could not find the responder cert
            if (!haveResponderCert) {
                throw new CertPathValidatorException("Cannot find the responder's certificate.");
            }


            // Construct an OCSP Request
            OCSPReqGenerator gen = new OCSPReqGenerator();


            CertificateID certID = new CertificateID(CertificateID.HASH_SHA1, issuerCert, currCert.getSerialNumber());
            gen.addRequest(certID);
            OCSPReq ocspRequest = gen.generate();




            URL url;
            if (ocspServerUrl != null) {
                try {
                    url = new URL(ocspServerUrl);
                } catch (MalformedURLException e) {
                    throw new CertPathValidatorException(e);
                }
            } else {
                throw new CertPathValidatorException("Must set OCSP Server URL");
            }
            HttpURLConnection con = (HttpURLConnection) url.openConnection();
            Log.debug("OCSPChecker: connecting to OCSP service at: " + url);


            con.setDoOutput(true);
            con.setDoInput(true);
            con.setRequestMethod("POST");
            con.setRequestProperty("Content-type", "application/ocsp-request");
            con.setRequestProperty("Accept","application/ocsp-response");
            byte[] bytes = ocspRequest.getEncoded();




            con.setRequestProperty("Content-length", String.valueOf(bytes.length));
            out = con.getOutputStream();
            out.write(bytes);
            out.flush();


            // Check the response
            if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                Log.debug("OCSPChecker: Received HTTP error: " + con.getResponseCode() +
                        " - " + con.getResponseMessage());
            }
            in = con.getInputStream();
            OCSPResp ocspResponse = new OCSPResp(in);
            BigInteger serialNumber = currCert.getSerialNumber();
            BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject();
            try {
                if( ! brep.verify(responderCert.getPublicKey(),"BC")) {
                    throw new CertPathValidatorException("OCSP response is not verified");
                }
            } catch (NoSuchProviderException e) {
                throw new CertPathValidatorException("OCSP response could not be verified ("+e.getMessage()+")" ,null, cp, certIndex);
            }
            SingleResp[] singleResp = brep.getResponses();
            boolean foundResponse = false;
            for (SingleResp resp : singleResp) {
                CertificateID respCertID = resp.getCertID();
                if (respCertID.equals(certID)) {
                    Object status = resp.getCertStatus();
                    if (status == CertificateStatus.GOOD) {
                        Log.debug("OCSPChecker: Status of certificate (with serial number " +
                                serialNumber.toString() + ") is: good");
                        foundResponse = true;
                        break;
                    } else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) {
                        Log.debug("OCSPChecker: Status of certificate (with serial number " +
                                serialNumber.toString() + ") is: revoked");
                        throw new CertPathValidatorException("Certificate has been revoked", null, cp, certIndex);
                    } else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) {
                        Log.debug("OCSPChecker: Status of certificate (with serial number " +
                                serialNumber.toString() + ") is: unknown");
                        throw new CertPathValidatorException("Certificate's revocation status is unknown", null, cp, certIndex);
                    } else {
                        Log.debug("Status of certificate (with serial number " +
                                serialNumber.toString() + ") is: not recognized");
                        throw new CertPathValidatorException("Unknown OCSP response for certificate", null, cp, certIndex);
                    }
                }
            }


            // Check that response applies to the cert that was supplied
            if (!foundResponse) {
                throw new CertPathValidatorException(
                        "No certificates in the OCSP response match the " +
                        "certificate supplied in the OCSP request.");
            }
        } catch (CertPathValidatorException cpve) {
            throw cpve;
        } catch (Exception e) {
            throw new CertPathValidatorException(e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ioe) {
                    throw new CertPathValidatorException(ioe);
                }
            }
            if (out != null) {
                try {
                    out.close();
                } catch (IOException ioe) {
                    throw new CertPathValidatorException(ioe);
                }
            }
        }
    }

View Full Code Here

                                    {
                                        pinfo = PolicyInformation.getInstance(e.nextElement());
                                    }
                                    catch (Exception ex)
                                    {
                                        throw new CertPathValidatorException(
                                            "Policy information could not be decoded.", ex, certPath, index);
                                    }
                                    if (RFC3280CertPathUtilities.ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                                    {
                                        try

View Full Code Here

                }


                if (RFC3280CertPathUtilities.ANY_POLICY.equals(issuerDomainPolicy.getId()))
                {


                    throw new CertPathValidatorException("IssuerDomainPolicy is anyPolicy", null, certPath, index);
                }


                if (RFC3280CertPathUtilities.ANY_POLICY.equals(subjectDomainPolicy.getId()))
                {


                    throw new CertPathValidatorException("SubjectDomainPolicy is anyPolicy,", null, certPath, index);
                }
            }
        }
    }

View Full Code Here

            {
                dns = DERSequence.getInstance(aIn.readObject());
            }
            catch (Exception e)
            {
                throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e,
                    certPath, index);
            }


            try
            {
                nameConstraintValidator.checkPermittedDN(dns);
                nameConstraintValidator.checkExcludedDN(dns);
            }
            catch (PKIXNameConstraintValidatorException e)
            {
                throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath,
                    index);
            }


            GeneralNames altName = null;
            try
            {
                altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                    RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME));
            }
            catch (Exception e)
            {
                throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e,
                    certPath, index);
            }
            Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress);
            for (Enumeration e = emails.elements(); e.hasMoreElements();)
            {
                String email = (String)e.nextElement();
                GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email);
                try
                {
                    nameConstraintValidator.checkPermitted(emailAsGeneralName);
                    nameConstraintValidator.checkExcluded(emailAsGeneralName);
                }
                catch (PKIXNameConstraintValidatorException ex)
                {
                    throw new CertPathValidatorException(
                        "Subtree check for certificate subject alternative email failed.", ex, certPath, index);
                }
            }
            if (altName != null)
            {
                GeneralName[] genNames = null;
                try
                {
                    genNames = altName.getNames();
                }
                catch (Exception e)
                {
                    throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e,
                        certPath, index);
                }
                for (int j = 0; j < genNames.length; j++)
                {


                    try
                    {
                        nameConstraintValidator.checkPermitted(genNames[j]);
                        nameConstraintValidator.checkExcluded(genNames[j]);
                    }
                    catch (PKIXNameConstraintValidatorException e)
                    {
                        throw new CertPathValidatorException(
                            "Subtree check for certificate subject alternative name failed.", e, certPath, index);
                    }
                }
            }
        }

View Full Code Here

        }
        if (bc != null)
        {
            if (!(bc.isCA()))
            {
                throw new CertPathValidatorException("Not a CA certificate");
            }
        }
        else
        {
            throw new CertPathValidatorException("Intermediate certificate lacks BasicConstraints");
        }
    }

View Full Code Here

            {
                ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions);
            }
            catch (CertPathValidatorException e)
            {
                throw new CertPathValidatorException(e.getMessage(), e.getCause(), certPath, index);
            }
        }
        if (!criticalExtensions.isEmpty())
        {
            throw new ExtCertPathValidatorException("Certificate has unsupported critical extension.", null, certPath,

View Full Code Here

0 1 2 3 4 5 6 7 8 9

TOP

Related Classes of java.security.cert.CertPathValidatorException$Reason

gnu.java.security.provider.PKIXCertPathValidatorImpl

org.apache.harmony.security.tests.java.security.cert.CertPathValidatorExceptionTest

org.apache.harmony.security.tests.java.security.cert.serialization.CertPathValidatorExceptionTest

org.apache.harmony.security.tests.support.cert.MyCertPathValidatorSpi

org.bouncycastle.jce.provider.CertPathValidatorUtilities

org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi

org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi

org.bouncycastle.jce.provider.PKIXNameConstraints

org.bouncycastle.jce.provider.RFC3280CertPathUtilities

org.bouncycastle.jce.provider.RFC3281CertPathUtilities

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.