Class BCCertPathValidator


  • public class BCCertPathValidator
    extends Object
    Low-level certificate validator based on the BC PKIXCertPathReviewer with additional support for proxy certificates.
    Author:
    K. Benedyczak
    • Field Detail

      • PROXY_VALIDATION_GRACE_PERIOD

        public static final long PROXY_VALIDATION_GRACE_PERIOD
        See Also:
        Constant Field Values
    • Constructor Detail

      • BCCertPathValidator

        public BCCertPathValidator()
    • Method Detail

      • validate

        public ValidationResult validate​(X509Certificate[] toCheck,
                                         boolean proxySupport,
                                         Set<TrustAnchor> trustAnchors,
                                         CertStore crlStore,
                                         RevocationParameters revocationParams,
                                         ObserversHandler observersHandler)
                                  throws CertificateException
        Performs validation. Expects correctly set up parameters.

        If the proxy support is turned off or the chain has no proxy certificate then normal X.509 path validation is performed (see below).

        If the proxy support is turned on and the chain has at least one proxy then the following checks are performed:

        • The chain is split into two chains A and B, where B ends with the first element of A and it is the first not proxy certificate in the original chain (i.e. the EEC which is the split point).
        • The chain A is validated using normal X.509 path validation.
        • The chain B is also validated with the X.509 path validation but PROXY extension OIDs are recognized, the only trust anchor is the EEC, the CRLs are ignored, the CA constraint is not required on any issuing certificate and the certificate sign bit is also not required.
        • The chain B is iterated over and on each pair additional checks from the RFC 3820 are verified, along with the proxy path limit.

        The normal path validation is performed as follows:

        • First all basically correct (i.e. fulfilling name chaining rules) certificate paths are tried to be constructed from the input chain. This step produces from zero to many paths (in 99%: 0 or 1). Those paths can differ from the input e.g. by having self-signed intermediary CA certificate removed.
        • If there were no path constructed, the input chain is used as-is, as the only possible path. At this step we already know it is invalid, but we anyway continue to establish complete and detailed list of errors.
        • All constructed paths are validated using PKIX rules, and errors found are recorded. If at least one path validates successfully the algorithm ends.
        • If all paths were invalid, the one with the least number of errors is selected and those errors are reported as the validation result.
        Parameters:
        toCheck - chain to check
        proxySupport - proxy support
        trustAnchors - trust anchors
        crlStore - crl store
        revocationParams - revocation params
        observersHandler - observers handler
        Returns:
        validation result
        Throws:
        CertificateException - if some of the certificates in the chain can not be parsed
      • getFirstProxy

        protected int getFirstProxy​(X509Certificate[] toCheck)
      • checkProxyChainWithBC

        protected void checkProxyChainWithBC​(X509Certificate[] proxyChain,
                                             Set<TrustAnchor> trustAnchor,
                                             List<ValidationError> errors,
                                             Set<String> unresolvedExtensions)
                                      throws CertificateException
        Checks chain with proxies, starting with the EEC using X.509 path validation. EEC issuer is used as the only trust anchor. CRLs are ignored, proxy extension OIDs are marked as handled. The error resulting from the missing CA extension is ignored as well as validity time errors. The latter are checked manually later on.
        Parameters:
        proxyChain - proxy chain
        trustAnchor - trust anchor
        errors - errors
        unresolvedExtensions - unresolved extensions
        Throws:
        CertificateException - certificate exception
      • checkProxyChainMain

        protected void checkProxyChainMain​(X509Certificate[] proxyChain,
                                           List<ValidationError> errors,
                                           Set<String> unresolvedExtensions,
                                           Date validDate)
                                    throws CertificateException
        Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check. Additionally chain length restriction is verified.
        Parameters:
        proxyChain - proxy chain
        errors - errors
        unresolvedExtensions - unresolved extensions
        validDate - valid date
        Throws:
        CertificateException - certificate exception
      • checkPairWithProxy

        protected void checkPairWithProxy​(X509Certificate issuerCert,
                                          X509Certificate proxyCert,
                                          List<ValidationError> errors,
                                          int position,
                                          X509Certificate[] proxyChain,
                                          Date validationTime)
                                   throws CertPathValidatorException,
                                          CertificateParsingException
        Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. chain rules with the certificate passed as the 1st argument being its issuing certificate. The checks are:
        • proxyCert is a real proxy cert of any type
        • issuer may not be a CA (3.1)
        • issuer must have subject set (3.1)
        • proxy must have issuer equal to issuerCert subject (3.1)
        • If the Proxy Issuer certificate has the KeyUsage extension, the Digital Signature bit MUST be asserted. (3.1)
        • no issuer alternative name extension (3.2)
        • proxy subject must be the issuerCert subject with appended one CN component (3.4)
        • no subject alternative name extension (3.5)
        • no cA basic constraint (3.7)
        • time constraints for the proxy are checked here (as we allow for a grace time to work around clock skews)
        • proxy certificate type (RFC, draft RFC or legacy) must be the same for both certificates
        • if the issuerCert is restricted then proxyCert must be restricted too.
        The numbers in brackets refer to the RFC 3820 sections. The last two rules were added in the version 1.1.0 of the library.

        Parameters:
        issuerCert - certificate of the issuer
        proxyCert - certificate to be checked
        errors - out arg - list of errors found
        position - position in original chain to be used in error reporting
        proxyChain - proxy chain
        validationTime - validation time
        Throws:
        CertPathValidatorException - certificate path validator exception
        CertificateParsingException - certificate parsing exception
      • getUnresolvedExtensionons

        protected Set<String> getUnresolvedExtensionons​(List<?>[] bcErrorsA)