All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bouncycastle.est.jcajce.JcaJceUtils Maven / Gradle / Ivy

package org.bouncycastle.est.jcajce;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;


/**
 * General utility methods for building common objects for supporting the JCA/JCE/JSSE.
 */
public class JcaJceUtils
{

    public static X509TrustManager getTrustAllTrustManager()
    {

        //
        // Trust manager signal distrust by throwing exceptions.
        // This one trust all by doing nothing.
        //

        return new X509TrustManager()
        {
            public void checkClientTrusted(java.security.cert.X509Certificate[] x509Certificates, String s)
                throws java.security.cert.CertificateException
            {
                throw new IllegalStateException("attempt to authenticate client connection");
            }

            public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String s)
                throws java.security.cert.CertificateException
            {

            }

            public java.security.cert.X509Certificate[] getAcceptedIssuers()
            {
                return new java.security.cert.X509Certificate[0];
            }
        };

    }

    public static X509TrustManager[] getCertPathTrustManager(final Set anchors, final CRL[] revocationLists)
    {
        final X509Certificate[] x509CertificateTrustAnchors = new X509Certificate[anchors.size()];
        int c = 0;
        for (Iterator it = anchors.iterator(); it.hasNext();)
        {
            TrustAnchor ta = (TrustAnchor)it.next();

            x509CertificateTrustAnchors[c++] = ta.getTrustedCert();
        }

        return new X509TrustManager[]{new X509TrustManager()
        {
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
                throws CertificateException
            {
                throw new IllegalStateException("attempt to authenticate client connection");
            }

            public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
                throws CertificateException
            {
                try
                {
                    CertStore certStore = CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(Arrays.asList(x509Certificates)), "BC");

                    CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC");

                    X509CertSelector constraints = new X509CertSelector();

                    constraints.setCertificate(x509Certificates[0]);


                    PKIXBuilderParameters param = new PKIXBuilderParameters(anchors, constraints);
                    param.addCertStore(certStore);
                    if (revocationLists != null)
                    {
                        param.setRevocationEnabled(true);
                        param.addCertStore(
                            CertStore.getInstance(
                                "Collection",
                                new CollectionCertStoreParameters(Arrays.asList(revocationLists)
                                )));
                    }
                    else
                    {
                        param.setRevocationEnabled(false);
                    }

                    // Throws exception on failure, results ignored for now.
                    PKIXCertPathValidatorResult ignored = (PKIXCertPathValidatorResult)pathBuilder.build(param);

                    validateServerCertUsage(x509Certificates[0]);

                }
                catch (CertificateException e)
                {
                    throw e;
                }
                catch (GeneralSecurityException e)
                {
                    throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
                }
            }

            public X509Certificate[] getAcceptedIssuers()
            {
                X509Certificate[] rv = new X509Certificate[x509CertificateTrustAnchors.length];

                System.arraycopy(x509CertificateTrustAnchors, 0, rv, 0, rv.length);

                return rv;
            }
        }
        };
    }

    public static void validateServerCertUsage(X509Certificate x509Certificate)
        throws CertificateException
    {
        try
        {
            X509CertificateHolder cert = new X509CertificateHolder(x509Certificate.getEncoded());

            KeyUsage keyUsage = KeyUsage.fromExtensions(cert.getExtensions());

            if (keyUsage != null)
            {
                if (keyUsage.hasUsages(KeyUsage.keyCertSign))
                {
                    throw new CertificateException("Key usage must not contain keyCertSign");
                }

                if (!(keyUsage.hasUsages(KeyUsage.digitalSignature) || keyUsage.hasUsages(KeyUsage.keyEncipherment)))
                {
                    throw new CertificateException("Key usage must be none, digitalSignature or keyEncipherment");
                }
            }

            //
            // Check extended key usage.
            //
            ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.fromExtensions(cert.getExtensions());

            if (extendedKeyUsage != null)
            {
                if (!(extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth) ||
                    extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_msSGC) ||
                    extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_nsSGC)))
                {
                    throw new CertificateException("Certificate extended key usage must include serverAuth, msSGC or nsSGC");
                }
            }

        }
        catch (CertificateException c)
        {
            throw c;
        }
        catch (Exception e)
        {
            throw new CertificateException(e.getMessage(), e);
        }
    }


    public static KeyManagerFactory createKeyManagerFactory(
        String type,
        String provider,
        KeyStore clientKeyStore,
        char[] clientKeyStorePass)
        throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, NoSuchProviderException
    {
        KeyManagerFactory keyManagerFactory = null;
        if (type == null && provider == null)
        {
            keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        }
        else if (provider == null)
        {
            keyManagerFactory = KeyManagerFactory.getInstance(type);
        }
        else
        {
            keyManagerFactory = KeyManagerFactory.getInstance(type, provider);
        }
        keyManagerFactory.init(clientKeyStore, clientKeyStorePass);
        return keyManagerFactory;
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy