package org.bouncycastle.jce.provider;

import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathBuilderSpi;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

import org.bouncycastle.jce.exception.ExtCertPathBuilderException;
import org.bouncycastle.util.Selector;
import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;
import org.bouncycastle.x509.X509AttributeCertStoreSelector;
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CertStoreSelector;

public class PKIXAttrCertPathBuilderSpi
    extends CertPathBuilderSpi
{

    
Build and validate a CertPath using the given parameter.
Params:
  • params – PKIXBuilderParameters object containing all information to build the CertPath
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException { if (!(params instanceof PKIXBuilderParameters) && !(params instanceof ExtendedPKIXBuilderParameters)) { throw new InvalidAlgorithmParameterException( "Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + ExtendedPKIXBuilderParameters.class.getName() + "."); } ExtendedPKIXBuilderParameters pkixParams; if (params instanceof ExtendedPKIXBuilderParameters) { pkixParams = (ExtendedPKIXBuilderParameters) params; } else { pkixParams = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters .getInstance((PKIXBuilderParameters) params); } Collection targets; Iterator targetIter; List certPathList = new ArrayList(); X509AttributeCertificate cert; // search target certificates Selector certSelect = pkixParams.getTargetConstraints(); if (!(certSelect instanceof X509AttributeCertStoreSelector)) { throw new CertPathBuilderException( "TargetConstraints must be an instance of " + X509AttributeCertStoreSelector.class.getName() + " for "+this.getClass().getName()+" class."); } try { targets = CertPathValidatorUtilities.findCertificates((X509AttributeCertStoreSelector)certSelect, pkixParams.getStores()); } catch (AnnotatedException e) { throw new ExtCertPathBuilderException("Error finding target attribute certificate.", e); } if (targets.isEmpty()) { throw new CertPathBuilderException( "No attribute certificate found matching targetContraints."); } CertPathBuilderResult result = null; // check all potential target certificates targetIter = targets.iterator(); while (targetIter.hasNext() && result == null) { cert = (X509AttributeCertificate) targetIter.next(); X509CertStoreSelector selector = new X509CertStoreSelector(); Principal[] principals = cert.getIssuer().getPrincipals(); Set issuers = new HashSet(); for (int i = 0; i < principals.length; i++) { try { if (principals[i] instanceof X500Principal) { selector.setSubject(((X500Principal)principals[i]).getEncoded()); } issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); issuers.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getCertStores())); } catch (AnnotatedException e) { throw new ExtCertPathBuilderException( "Public key certificate for attribute certificate cannot be searched.", e); } catch (IOException e) { throw new ExtCertPathBuilderException( "cannot encode X500Principal.", e); } } if (issuers.isEmpty()) { throw new CertPathBuilderException( "Public key certificate for attribute certificate cannot be found."); } Iterator it = issuers.iterator(); while (it.hasNext() && result == null) { result = build(cert, (X509Certificate)it.next(), pkixParams, certPathList); } } if (result == null && certPathException != null) { throw new ExtCertPathBuilderException( "Possible certificate chain could not be validated.", certPathException); } if (result == null && certPathException == null) { throw new CertPathBuilderException( "Unable to find certificate chain."); } return result; } private Exception certPathException; private CertPathBuilderResult build(X509AttributeCertificate attrCert, X509Certificate tbvCert, ExtendedPKIXBuilderParameters pkixParams, List tbvPath) { // If tbvCert is readily present in tbvPath, it indicates having run // into a cycle in the // PKI graph. if (tbvPath.contains(tbvCert)) { return null; } // step out, the certificate is not allowed to appear in a certification // chain if (pkixParams.getExcludedCerts().contains(tbvCert)) { return null; } // test if certificate path exceeds maximum length if (pkixParams.getMaxPathLength() != -1) { if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) { return null; } } tbvPath.add(tbvCert); CertificateFactory cFact; CertPathValidator validator; CertPathBuilderResult builderResult = null; try { cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); validator = CertPathValidator.getInstance("RFC3281", BouncyCastleProvider.PROVIDER_NAME); } catch (Exception e) { // cannot happen throw new RuntimeException( "Exception creating support classes."); } try { // check whether the issuer of <tbvCert> is a TrustAnchor if (CertPathValidatorUtilities.findTrustAnchor(tbvCert, pkixParams.getTrustAnchors(), pkixParams.getSigProvider()) != null) { CertPath certPath; PKIXCertPathValidatorResult result; try { certPath = cFact.generateCertPath(tbvPath); } catch (Exception e) { throw new AnnotatedException( "Certification path could not be constructed from certificate list.", e); } try { result = (PKIXCertPathValidatorResult) validator.validate( certPath, pkixParams); } catch (Exception e) { throw new AnnotatedException( "Certification path could not be validated.", e); } return new PKIXCertPathBuilderResult(certPath, result .getTrustAnchor(), result.getPolicyTree(), result .getPublicKey()); } else { // add additional X.509 stores from locations in certificate try { CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException e) { throw new AnnotatedException( "No additional X.509 stores can be added from certificate locations.", e); } Collection issuers = new HashSet(); // try to get the issuer certificate from one // of the stores try { issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams)); } catch (AnnotatedException e) { throw new AnnotatedException( "Cannot find issuer certificate for certificate in certification path.", e); } if (issuers.isEmpty()) { throw new AnnotatedException( "No issuer certificate for certificate in certification path found."); } Iterator it = issuers.iterator(); while (it.hasNext() && builderResult == null) { X509Certificate issuer = (X509Certificate) it.next(); // TODO Use CertPathValidatorUtilities.isSelfIssued(issuer)? // if untrusted self signed certificate continue if (issuer.getIssuerX500Principal().equals( issuer.getSubjectX500Principal())) { continue; } builderResult = build(attrCert, issuer, pkixParams, tbvPath); } } } catch (AnnotatedException e) { certPathException = new AnnotatedException( "No valid certification path could be build.", e); } if (builderResult == null) { tbvPath.remove(tbvCert); } return builderResult; } }