/**
 * Reads a single X.509 certificate from ASN.1 encoded data in the given stream.
 *
 * @param in Input stream containing PEM or DER encoded X.509 certificate.
 *
 * @return Certificate.
 *
 * @throws EncodingException on cert parsing errors.
 * @throws StreamException on IO errors.
 */
public static X509Certificate readCertificate(final InputStream in) throws EncodingException, StreamException
{
  final X509Certificate parsed;
  try {
    final CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
    parsed = (X509Certificate) x509Factory.generateCertificate(in);
  } catch (CertificateException e) {
    final Throwable cause = e.getCause();
    if (cause instanceof IOException) {
      // The factory wraps read failures in CertificateException; report those as stream errors.
      throw new StreamException((IOException) cause);
    }
    throw new EncodingException("Cannot decode certificate", e);
  }
  return parsed;
}
/**
 * Reads an X.509 certificate chain from ASN.1 encoded data in the given stream.
 *
 * @param in Input stream containing a sequence of PEM or DER encoded certificates or a PKCS#7 certificate chain.
 *
 * @return Certificates read from the stream.
 *
 * @throws EncodingException on cert parsing errors.
 * @throws StreamException on IO errors.
 */
public static X509Certificate[] readCertificateChain(final InputStream in) throws EncodingException, StreamException
{
  final Collection<? extends Certificate> parsed;
  try {
    parsed = CertificateFactory.getInstance("X.509").generateCertificates(in);
  } catch (CertificateException e) {
    final Throwable cause = e.getCause();
    if (cause instanceof IOException) {
      // The factory wraps read failures in CertificateException; report those as stream errors.
      throw new StreamException((IOException) cause);
    }
    throw new EncodingException("Cannot decode certificate", e);
  }
  // A zero-length array argument lets the collection size the result itself.
  return parsed.toArray(new X509Certificate[0]);
}
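/**
 * Accepts the client chain when the default trust manager does. If the default trust manager rejects
 * it and fingerprints are configured, falls back to the fingerprint check in {@code checkTrusted};
 * with no fingerprints configured the leaf certificate is reported as unrecognized.
 *
 * @param chain peer certificate chain, leaf first.
 * @param s key exchange algorithm, passed through to the default trust manager.
 * @throws IllegalArgumentException if {@code chain} is null or empty (X509TrustManager contract).
 * @throws CertificateException if the chain is not trusted by either check.
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String s) throws CertificateException {
    if (chain == null || chain.length == 0) {
        // Required by the X509TrustManager contract; also keeps chain[0] below from throwing.
        throw new IllegalArgumentException("Certificate chain must not be null or empty");
    }
    if (mDefaultTrustManager != null) {
        try {
            mDefaultTrustManager.checkClientTrusted(chain, s);
            return;
        } catch (CertificateException e) {
            // If there is an exception we fall back to checking fingerprints
            if (mFingerprints == null || mFingerprints.isEmpty()) {
                // Keep the original rejection when it has no cause of its own, so the reason is not lost.
                final Throwable reason = e.getCause() != null ? e.getCause() : e;
                throw new UnrecognizedCertificateException(chain[0], Fingerprint.newSha256Fingerprint(chain[0]), reason);
            }
        }
    }
    checkTrusted("client", chain);
}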
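/**
 * Accepts the server chain when the default trust manager does. If the default trust manager rejects
 * it and fingerprints are configured, falls back to the fingerprint check in {@code checkTrusted};
 * with no fingerprints configured the leaf certificate is reported as unrecognized.
 *
 * @param chain peer certificate chain, leaf first.
 * @param s key exchange algorithm, passed through to the default trust manager.
 * @throws IllegalArgumentException if {@code chain} is null or empty (X509TrustManager contract).
 * @throws CertificateException if the chain is not trusted by either check.
 */
@Override
public void checkServerTrusted(X509Certificate[] chain, String s) throws CertificateException {
    if (chain == null || chain.length == 0) {
        // Required by the X509TrustManager contract; also keeps chain[0] below from throwing.
        throw new IllegalArgumentException("Certificate chain must not be null or empty");
    }
    if (mDefaultTrustManager != null) {
        try {
            mDefaultTrustManager.checkServerTrusted(chain, s);
            return;
        } catch (CertificateException e) {
            // If there is an exception we fall back to checking fingerprints
            if (mFingerprints == null || mFingerprints.isEmpty()) {
                // Keep the original rejection when it has no cause of its own, so the reason is not lost.
                final Throwable reason = e.getCause() != null ? e.getCause() : e;
                throw new UnrecognizedCertificateException(chain[0], Fingerprint.newSha256Fingerprint(chain[0]), reason);
            }
        }
    }
    checkTrusted("server", chain);
}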
mStandardTrustManager.checkServerTrusted(certificates, authType); } catch (CertificateException c) { Throwable cause = c.getCause(); Throwable previousCause = null; while (cause != null && cause != previousCause && !(cause instanceof CertPathValidatorException)) { // getCause() is not funny
/**
 * Builds the error response describing the certificate that was rejected.
 *
 * @return {@link CertificateInfoServiceErrorResponse} for the untrusted certificate or {@code
 *     null} if the resolver was not called or the certificate is trusted
 */
public CertificateInfoServiceErrorResponse getCertificateInfoServiceErrorResponse() {
    if (this.connectionCertificates.isEmpty()) {
        // No certificates were captured, so there is nothing to report.
        return null;
    }
    final X509Certificate[] chain = getCertificateChain();
    // Leaf certificate properties plus the PEM form of the whole chain are sent to the client.
    final CertificateInfo info = CertificateInfo.of(
            CertificateUtil.toPEMformat(chain),
            CertificateUtil.getCertificateInfoProperties(chain[0]));
    // Only the underlying cause of the CertificateException is forwarded, not the wrapper itself.
    final Throwable reason = getCertificateException().getCause();
    return CertificateInfoServiceErrorResponse.create(
            info,
            Operation.STATUS_CODE_UNAVAILABLE,
            CertificateInfoServiceErrorResponse.ERROR_CODE_UNTRUSTED_CERTIFICATE,
            reason);
}
mStandardTrustManager.checkServerTrusted(certificates, authType); } catch (CertificateException c) { Throwable cause = c.getCause(); Throwable previousCause = null; while (cause != null && cause != previousCause && !(cause instanceof CertPathValidatorException)) { // getCause() is not funny
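/**
 * A chain that lacks its root must fail path building: the anchors are the root and intermediate CAs,
 * while the chain under validation holds the client certificate and intermediate only.
 */
@Test
public void testNoValidationPossible() throws Exception {
    // Trust anchors: root plus intermediate CA certificates.
    final Collection<? extends Certificate> rootCas = loadCertificatesFromClassPath("chain-ca.pem");
    // JUnit's assertEquals takes (expected, actual); keeping that order makes failure messages readable.
    Assert.assertEquals("unexpected number of trusted CA certificates", 2, rootCas.size());

    // Chain to validate: client certificate plus intermediate, deliberately without the root.
    final Collection<? extends Certificate> certsToValidate = loadCertificatesFromClassPath("crl/revoked.crt.pem");
    Assert.assertEquals("unexpected number of certificates to validate", 2, certsToValidate.size());

    final CertificateValidator validator =
            new CertificateValidator(rootCas.toArray(new X509Certificate[0]), Collections.emptyList());
    validator.setDate(CRL_DATE);
    try {
        validator.validate(certsToValidate.toArray(new X509Certificate[0]));
        Assert.fail("validation succeeded although no path to a trust anchor should exist");
    } catch (CertificateException e) {
        Assert.assertTrue("expected CertPathBuilderException as cause but got " + e.getCause(),
                e.getCause() instanceof CertPathBuilderException);
        Assert.assertTrue("unexpected cause message: " + e.getCause().getMessage(),
                e.getCause().getMessage().contains("unable to find valid certification path to requested target"));
    }
}

/**
 * Parses every X.509 certificate found in the named classpath resource.
 *
 * @param resourceName classpath-relative file name.
 * @return the certificates in the order produced by the certificate factory.
 * @throws Exception on read or parse failure.
 */
private Collection<? extends Certificate> loadCertificatesFromClassPath(final String resourceName) throws Exception {
    final File file = getAbsoluteFilePathFromClassPath(resourceName);
    try (FileInputStream in = new FileInputStream(file)) {
        // generateCertificates already returns Collection<? extends Certificate>; no cast needed.
        return CertificateFactory.getInstance("X.509").generateCertificates(in);
    }
}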