List of usage examples for org.bouncycastle.x509 ExtendedPKIXBuilderParameters getExcludedCerts
public Set getExcludedCerts()
From source file:eu.emi.security.authn.x509.helpers.pkipath.NonValidatingCertPathBuilder.java
License:Open Source License
protected void build(X509Certificate tbvCert, ExtendedPKIXBuilderParameters pkixParams, List<X509Certificate> tbvPath, final X509Certificate[] origChain) { // If tbvCert is readily present in tbvPath, it indicates having // run into a cycle in the PKI graph. if (tbvPath.contains(tbvCert)) { return;//w w w .ja v a 2 s .c om } // step out, the certificate is not allowed to appear in a // certification chain. if (pkixParams.getExcludedCerts().contains(tbvCert)) { return; } // test if certificate path exceeds maximum length if (pkixParams.getMaxPathLength() != -1) { if (tbvPath.size() - 1 > pkixParams.getMaxPathLength()) { return; } } tbvPath.add(tbvCert); CertificateFactory cFact; try { cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); } catch (Exception e) { // cannot happen throw new RuntimeException("Exception creating support classes."); } try { // check whether the issuer of <tbvCert> is a TrustAnchor TrustAnchor ta; try { ta = CertPathValidatorUtilities.findTrustAnchor2(tbvCert, pkixParams.getTrustAnchors(), pkixParams.getSigProvider()); } catch (AnnotatedException e1) { throw new ValidationErrorException( new ValidationError(origChain, -1, ValidationErrorCode.noTrustAnchorFound)); } if (ta != null) { try { CertPath generated = cFact.generateCertPath(tbvPath); result.add(generated); tbvPath.remove(tbvCert); return; } catch (Exception e) { throw new ValidationErrorException( new ValidationError(origChain, -1, ValidationErrorCode.unknownMsg, "Certification path could not be constructed from certificate list: " + e)); } } else { // add additional X.509 stores from locations in // certificate try { CertPathValidatorUtilities.addAdditionalStoresFromAltNames(tbvCert, pkixParams); } catch (CertificateParsingException e) { throw new ValidationErrorException( new ValidationError(origChain, -1, ValidationErrorCode.inputError, "No additiontal X.509 stores can be added from certificate locations as " + "issuer alternative name extension can not be parsed: " + e.toString())); } Collection<Object> issuers = new HashSet<Object>(); // try to get the issuer certificate from one // of the stores try { issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams)); } catch (org.bouncycastle.jce.provider.AnnotatedException e) { throw new ValidationErrorException( new ValidationError(origChain, -1, ValidationErrorCode.unknownMsg, "Low level error occured: Cannot find issuer certificate " + "for certificate in certification path: " + e)); } if (issuers.isEmpty()) { throw new ValidationErrorException( new ValidationError(origChain, -1, ValidationErrorCode.invalidCertificatePath, CertificateUtils.format(tbvCert, FormatMode.COMPACT_ONE_LINE))); } Iterator<?> it = issuers.iterator(); while (it.hasNext()) { X509Certificate issuer = (X509Certificate) it.next(); build(issuer, pkixParams, tbvPath, origChain); } } } catch (ValidationErrorException e) { if (certPathException == null) certPathException = new ValidationErrorException(); certPathException.addErrors(e.getErrors()); } tbvPath.remove(tbvCert); }