
/*
* This file is part of rockframework.
*
* rockframework is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* rockframework is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program.  If not, see <http://www.gnu.org/licenses/>;.
*/
package br.net.woodstock.rockframework.security.cert.impl;

import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import br.net.woodstock.rockframework.core.RockFrameworkLogger;
import br.net.woodstock.rockframework.core.RockFrameworkVersion;
import br.net.woodstock.rockframework.core.util.Assert;
import br.net.woodstock.rockframework.core.utils.Conditions;
import br.net.woodstock.rockframework.security.cert.CertificateException;
import br.net.woodstock.rockframework.security.cert.CertificateValidator;
import br.net.woodstock.rockframework.security.cert.ValidationError;
import br.net.woodstock.rockframework.security.cert.util.Certificates;
import br.net.woodstock.rockframework.security.util.BouncyCastleProviderHelper;

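/**
 * Validates an X.509 certificate chain by building and then validating a PKIX
 * certification path with the Bouncy Castle provider.
 *
 * <p>Trust model (important for anyone relying on the result):
 * <ul>
 *   <li>When trust certificates were supplied to the constructor, every one of
 *       them becomes a {@link TrustAnchor}; the chain passed to
 *       {@link #validate(Certificate[])} only contributes the leaf and any
 *       intermediates.</li>
 *   <li>When no trust certificates were supplied ("local CA" mode), the
 *       self-signed certificates found inside the chain itself are used as trust
 *       anchors. That only proves the chain is internally consistent: a chain
 *       terminated by <em>any</em> self-signed root, including one minted by an
 *       attacker, validates successfully. Supply real trust anchors for any
 *       decision that matters.</li>
 * </ul>
 *
 * <p>Revocation checking (CRL/OCSP) is off by default, matching the historic
 * behaviour of this class, and can be requested with
 * {@link #setRevocationEnabled(boolean)}. When it is on, the PKIX provider needs a
 * revocation source (a CRL in a cert store or JVM-wide OCSP configuration) or the
 * path is rejected.
 *
 * <p>Every certificate in the chain and in the trust list must be an
 * {@link X509Certificate}; anything else fails with a {@link ClassCastException}
 * that {@link #validate(Certificate[])} wraps in a {@link CertificateException}.
 */
public class PKIXCertificateValidator implements CertificateValidator, Serializable {

  private static final long  serialVersionUID  = RockFrameworkVersion.VERSION;

  public static final String  VALIDATOR_NAME    = "PKIX Validator";

  private static final String  CERTSTORE_TYPE    = "Collection";

  private static final String  CERTPATH_TYPE    = "PKIX";

  /** Trust anchors; {@code null} or empty selects "local CA" mode (see class doc). */
  private Certificate[]    trustCerts;

  /** Whether PKIX revocation checking is requested; {@code false} by default. */
  private boolean      revocationEnabled;

  // OCSP can also be switched on JVM-wide through the "ocsp.enable" security
  // property; see http://docs.oracle.com/javase/1.5.0/docs/guide/security/pki-tiger.html

  /** Creates a validator in "local CA" mode (no external trust anchors). */
  public PKIXCertificateValidator() {
    super();
  }

  /**
   * Creates a validator that trusts exactly the given certificates.
   *
   * @param trustCerts the trust anchors; {@code null} or empty means "local CA" mode
   */
  public PKIXCertificateValidator(final Certificate[] trustCerts) {
    super();
    this.trustCerts = trustCerts;
  }

  /**
   * Creates a validator with explicit trust anchors and revocation setting.
   *
   * @param trustCerts        the trust anchors; {@code null} or empty means "local CA" mode
   * @param revocationEnabled whether PKIX revocation checking is requested
   */
  public PKIXCertificateValidator(final Certificate[] trustCerts, final boolean revocationEnabled) {
    super();
    this.trustCerts = trustCerts;
    this.revocationEnabled = revocationEnabled;
  }

  /** @return whether PKIX revocation checking is requested (off by default). */
  public boolean isRevocationEnabled() {
    return this.revocationEnabled;
  }

  /**
   * Requests PKIX revocation checking for subsequent validations.
   *
   * @param revocationEnabled {@code true} to let the provider check CRLs/OCSP
   */
  public void setRevocationEnabled(final boolean revocationEnabled) {
    this.revocationEnabled = revocationEnabled;
  }

  /**
   * Validates the chain; index 0 must be the end-entity certificate.
   *
   * @param chain the certificate chain, leaf first, at least two elements
   * @return an empty array when the path built and validated, otherwise one
   *         {@link ValidationError} describing the failure
   * @throws CertificateException for any failure that is not a PKIX path
   *         build/validation rejection (provider errors, non-X.509 input,
   *         missing trust anchors)
   */
  @Override
  public ValidationError[] validate(final Certificate[] chain) {
    Assert.notEmpty(chain, "chain");
    if (chain.length < 2) {
      return new ValidationError[] { new ValidationError(PKIXCertificateValidator.VALIDATOR_NAME, "Certificate chain must be greater than 1(certificate and issuer certificate") };
    }
    try {
      PKIXCertPathValidatorResult validatorResult = this.getValidatorResult(chain);
      RockFrameworkLogger.getLogger().debug("Result: " + validatorResult);
      return new ValidationError[0];
    } catch (CertPathBuilderException e) {
      return this.pathRejected(e);
    } catch (CertPathValidatorException e) {
      // The explicit validate() step can reject the path too (policy or revocation
      // failure); report it like a build failure instead of escalating to a
      // runtime exception.
      return this.pathRejected(e);
    } catch (Exception e) {
      throw new CertificateException(e);
    }
  }

  /** Logs a PKIX rejection and converts it into the single validation error this validator reports. */
  private ValidationError[] pathRejected(final GeneralSecurityException e) {
    RockFrameworkLogger.getLogger().info(e.getMessage(), e);
    RockFrameworkLogger.getLogger().info("Validation error: " + e.getMessage());
    return new ValidationError[] { new ValidationError(PKIXCertificateValidator.VALIDATOR_NAME, "Invalid certificate infrastructure") };
  }

  /**
   * Builds a PKIX path from {@code chain[0]} to one of the trust anchors and
   * validates it again with the same parameters.
   *
   * @param chain the certificate chain, leaf first
   * @return the validator result for the built path
   * @throws GeneralSecurityException on path build/validation failure, provider
   *         errors, or when no trust anchor is available
   */
  protected PKIXCertPathValidatorResult getValidatorResult(final Certificate[] chain) throws GeneralSecurityException {
    X509Certificate certificate = (X509Certificate) chain[0];
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(certificate);

    boolean localCA = Conditions.isEmpty(this.trustCerts);
    Set<TrustAnchor> trustAnchors = this.collectTrustAnchors(chain, localCA);
    if (trustAnchors.isEmpty()) {
      // PKIXParameters would reject an empty anchor set anyway; say why it is empty.
      throw new InvalidAlgorithmParameterException(localCA ? "No self-signed certificate found in chain to use as trust anchor" : "No trust anchor configured");
    }

    PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParameters.setRevocationEnabled(this.revocationEnabled);

    List<Certificate> candidates = PKIXCertificateValidator.collectPathCandidates(chain, localCA);
    if (!Conditions.isEmpty(candidates)) {
      CertStore intermediateCertStore = CertStore.getInstance(PKIXCertificateValidator.CERTSTORE_TYPE, new CollectionCertStoreParameters(candidates), BouncyCastleProviderHelper.PROVIDER_NAME);
      pkixParameters.addCertStore(intermediateCertStore);
    }

    CertPathBuilder builder = CertPathBuilder.getInstance(PKIXCertificateValidator.CERTPATH_TYPE, BouncyCastleProviderHelper.PROVIDER_NAME);
    PKIXCertPathBuilderResult builderResult = (PKIXCertPathBuilderResult) builder.build(pkixParameters);
    CertPathValidator validator = CertPathValidator.getInstance(PKIXCertificateValidator.CERTPATH_TYPE, BouncyCastleProviderHelper.PROVIDER_NAME);
    return (PKIXCertPathValidatorResult) validator.validate(builderResult.getCertPath(), pkixParameters);
  }

  /**
   * Collects the trust anchors for this validation.
   *
   * @param chain   the chain under validation, leaf first
   * @param localCA {@code true} when no trust certificates were configured
   * @return the anchors; may be empty in local CA mode when the chain holds no self-signed certificate
   */
  private Set<TrustAnchor> collectTrustAnchors(final Certificate[] chain, final boolean localCA) {
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    if (!localCA) {
      // Every configured trust certificate is an anchor. The previous loop started at
      // index 1 (apparently copied from the chain loop below, where index 0 is the
      // leaf), which silently dropped the first trust certificate and made a
      // single-root configuration fail with an empty anchor set.
      for (Certificate trustCert : this.trustCerts) {
        trustAnchors.add(new TrustAnchor((X509Certificate) trustCert, null));
      }
    } else {
      // Local CA mode: self-signed certificates inside the chain (never the leaf at
      // index 0) become the anchors. This is NOT a trust decision - see class doc.
      for (int i = 1; i < chain.length; i++) {
        if (Certificates.isSelfSigned(chain[i])) {
          trustAnchors.add(new TrustAnchor((X509Certificate) chain[i], null));
        }
      }
    }
    return trustAnchors;
  }

  /**
   * Selects the chain members offered to the path builder as intermediates.
   *
   * @param chain   the chain under validation
   * @param localCA {@code true} when the chain's self-signed certificates serve as anchors
   * @return the certificates to place in the collection cert store
   */
  private static List<Certificate> collectPathCandidates(final Certificate[] chain, final boolean localCA) {
    List<Certificate> candidates = new ArrayList<Certificate>();
    for (Certificate cert : chain) {
      // In local CA mode the self-signed certificates are already anchors and are
      // not offered as path members as well; with explicit anchors everything is.
      if (!localCA || !Certificates.isSelfSigned(cert)) {
        candidates.add(cert);
      }
    }
    return candidates;
  }

}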