All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.fitbur.bouncycastle.jce.provider.PKIXAttrCertPathValidatorSpi Maven / Gradle / Ivy

package com.fitbur.bouncycastle.jce.provider;

import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertPathValidatorSpi;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

import com.fitbur.bouncycastle.jce.exception.ExtCertPathValidatorException;
import com.fitbur.bouncycastle.util.Selector;
import com.fitbur.bouncycastle.x509.ExtendedPKIXParameters;
import com.fitbur.bouncycastle.x509.X509AttributeCertStoreSelector;
import com.fitbur.bouncycastle.x509.X509AttributeCertificate;

/**
 * CertPathValidatorSpi implementation for X.509 Attribute Certificates la RFC 3281.
 * 
 * @see com.fitbur.bouncycastle.x509.ExtendedPKIXParameters
 */
public class PKIXAttrCertPathValidatorSpi
    extends CertPathValidatorSpi
{

    /**
     * Validates an attribute certificate with the given certificate path.
     * 
     * 

* params must be an instance of * ExtendedPKIXParameters. *

* The target constraints in the params must be an * X509AttributeCertStoreSelector with at least the attribute * certificate criterion set. Obey that also target informations may be * necessary to correctly validate this attribute certificate. *

* The attribute certificate issuer must be added to the trusted attribute * issuers with {@link ExtendedPKIXParameters#setTrustedACIssuers(Set)}. * * @param certPath The certificate path which belongs to the attribute * certificate issuer public key certificate. * @param params The PKIX parameters. * @return A PKIXCertPathValidatorResult of the result of * validating the certPath. * @throws InvalidAlgorithmParameterException if params is * inappropriate for this validator. * @throws CertPathValidatorException if the verification fails. */ public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException { if (!(params instanceof ExtendedPKIXParameters)) { throw new InvalidAlgorithmParameterException( "Parameters must be a " + ExtendedPKIXParameters.class.getName() + " instance."); } ExtendedPKIXParameters pkixParams = (ExtendedPKIXParameters) params; Selector certSelect = pkixParams.getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { throw new InvalidAlgorithmParameterException( "TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for " + this.getClass().getName() + " class."); } X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect) .getAttributeCert(); CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, pkixParams); CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, pkixParams); X509Certificate issuerCert = (X509Certificate) certPath .getCertificates().get(0); RFC3281CertPathUtilities.processAttrCert3(issuerCert, pkixParams); RFC3281CertPathUtilities.processAttrCert4(issuerCert, pkixParams); RFC3281CertPathUtilities.processAttrCert5(attrCert, pkixParams); // 6 already done in X509AttributeCertStoreSelector RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, pkixParams); RFC3281CertPathUtilities.additionalChecks(attrCert, pkixParams); Date date = null; try { date = CertPathValidatorUtilities .getValidCertDateFromValidityModel(pkixParams, null, -1); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Could not get validity date from attribute certificate.", e); } RFC3281CertPathUtilities.checkCRLs(attrCert, pkixParams, issuerCert, date, certPath.getCertificates()); return result; } }





© 2015 - 2025 Weber Informatics LLC | Privacy Policy