nl.nikhef.slcshttps.trust
Class CertChainChecker

java.lang.Object
  extended by nl.nikhef.slcshttps.trust.CertChainChecker

public class CertChainChecker
extends Object

Static class to validate an X509Certificate chain. It provides only one public (and static) method, validate(X509Certificate[]). The class is static for performance reasons: it is only initialized at startup. It uses either the Java truststore specified via the default security settings in $JAVA_HOME/lib/security/ or an external truststore, which can be specified by defining the system property javax.net.ssl.trustStore. See the JSSE Reference Guide for details. The code to find the correct truststore is roughly taken over from the implementation-dependent JDK 1.6 class sun.security.ssl.TrustManagerFactoryImpl. The CertPathValidator uses BouncyCastle for stability and more human-readable error messages. BouncyCastle mostly follows RFC 3280, which is now superseded by RFC 5280.

Version:
0.1
Author:
Mischa Sallé

Field Summary
private static CertificateFactory certFactory
          certFactory is needed to make a CertPath object from an X509Certificate[].
private static CertPathValidator certValidator
          certValidator does the actual validation; it is initialized at startup using initCertValidator().
private static PKIXBuilderParameters pkixParameters
          PKIXParameters used by the certValidator. They use the trustStore and are initialized at startup using initPKIXParameters().
private static KeyStore trustStore
          KeyStore with trusted certificates, initialized at class initialization using getCacertsKeyStore().
 
Constructor Summary
CertChainChecker()
           
 
Method Summary
static X509Certificate[] getAcceptedIssuers()
          Method to get all the accepted issuers for certificate chain checking.
private static KeyStore getCacertsKeyStore()
          Method to find the correct truststore with trusted CA certificates.
private static CertPath getCertPath(X509Certificate[] x509Chain)
          Returns a CertPath object for the given array of X509Certificate.
private static FileInputStream getFileInputStream(File file)
          Checks whether a file exists and can be opened.
private static CertificateFactory initCertFactory()
          Static method creating a new CertificateFactory.
private static CertPathValidator initCertValidator()
          Static method creating a new CertPathValidator.
private static PKIXBuilderParameters initPKIXParameters()
          Static method to initialize the PKIXBuilderParameters for CertPathValidator.
static void validate(X509Certificate[] x509Chain)
          Validates an X509Certificate chain.
static void validate(X509Certificate[] x509Chain, Date date)
          Validates an X509Certificate chain for a given date.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

trustStore

private static KeyStore trustStore
KeyStore with trusted certificates, initialized at class initialization using getCacertsKeyStore().


certValidator

private static CertPathValidator certValidator
certValidator does the actual validation; it is initialized at startup using initCertValidator().


certFactory

private static CertificateFactory certFactory
certFactory is needed to make a CertPath object from an X509Certificate[].


pkixParameters

private static PKIXBuilderParameters pkixParameters
PKIXParameters used by the certValidator. They use the trustStore and are initialized at startup using initPKIXParameters().

Constructor Detail

CertChainChecker

public CertChainChecker()
Method Detail

validate

public static void validate(X509Certificate[] x509Chain)
                     throws CertPathValidatorException,
                            CertificateException
Validates an X509Certificate chain.

Parameters:
x509Chain - array of certificates, which should be in the right order.
Throws:
CertPathValidatorException - when chain validation fails. Throwable.getMessage() gives the reason.
CertificateException - upon other error.
See Also:
validate(X509Certificate[],Date)

validate

public static void validate(X509Certificate[] x509Chain,
                            Date date)
                     throws CertPathValidatorException,
                            CertificateException
Validates an X509Certificate chain for a given date.

Parameters:
x509Chain - array of certificates, which should be in the right order.
date - date at which to check the certificate chain; when null, the current time is used.
Throws:
CertPathValidatorException - when chain validation fails. Throwable.getMessage() gives the reason.
CertificateException - upon other error.
See Also:
validate(X509Certificate[])

getAcceptedIssuers

public static X509Certificate[] getAcceptedIssuers()
Method to get all the accepted issuers for certificate chain checking.

Returns:
X509Certificate[] array of accepted root signing certificates

getCertPath

private static CertPath getCertPath(X509Certificate[] x509Chain)
                             throws CertPathValidatorException
Returns a CertPath object for the given array of X509Certificate. It also strips off the root CA certificate, i.e. if the first certificate is self-signed it will be stripped. This is necessary to ensure that we don't get error messages from the validator if this is a Version 1 certificate (as many root CA certificates are).

Parameters:
x509Chain - array of X509Certificate certificates. Note that Java demands them to be in the correct order; see RFC 5246, page 48.
Returns:
CertPath as constructed. If a self-signed certificate is at the beginning of the chain, it is stripped before the CertPath is created.
Throws:
CertPathValidatorException - when creation fails.

initCertValidator

private static CertPathValidator initCertValidator()
                                            throws RuntimeException
Static method creating a new CertPathValidator. Because this method is intended to be called at class initialization, where an exception cannot be caught, it throws a RuntimeException.

Returns:
CertPathValidator
Throws:
RuntimeException - in case of error.

initCertFactory

private static CertificateFactory initCertFactory()
                                           throws RuntimeException
Static method creating a new CertificateFactory. Because this method is intended to be called at class initialization, where an exception cannot be caught, it throws a RuntimeException.

Returns:
CertificateFactory
Throws:
RuntimeException - in case of error.

initPKIXParameters

private static PKIXBuilderParameters initPKIXParameters()
                                                 throws RuntimeException
Static method to initialize the PKIXBuilderParameters for CertPathValidator. It uses PKIXBuilderParameters rather than PKIXParameters, since that allows us to raise the certificate chain length to be checked to infinity (-1). Because this method is intended to be called at class initialization, where an exception cannot be caught, it throws a RuntimeException.

Returns:
PKIXBuilderParameters
Throws:
RuntimeException - in case of error.

getCacertsKeyStore

private static KeyStore getCacertsKeyStore()
                                    throws RuntimeException
Method to find the correct truststore with trusted CA certificates. The code for this method is roughly taken over from the Java JDK 1.6 internal class sun.security.ssl.TrustManagerFactoryImpl. Because this method is intended to be called at class initialization, where an exception cannot be caught, it throws a RuntimeException.

Returns:
KeyStore containing the trusted CA certificates.
Throws:
RuntimeException - in case of error.

getFileInputStream

private static FileInputStream getFileInputStream(File file)
Checks whether a file exists and can be opened.

Parameters:
file - file to be checked.
Returns:
FileInputStream to the file or null when it could not be opened or didn't exist.
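
An added example, not the CertChainChecker source, of the flow the methods above document: choose the truststore, strip the self-signed root, and validate with PKIXBuilderParameters at a given date. It assumes Java 9+, a chain in end-entity-first order (RFC 5246) so that a self-signed root is looked for at the end of the array, and the JDK's default PKIX provider rather than BouncyCastle; the class name ChainCheckExample and the checkRevocation parameter are hypothetical.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not the CertChainChecker source. Requires Java 9+.
public class ChainCheckExample {
    // Truststore choice as the page describes: javax.net.ssl.trustStore if set,
    // otherwise the JRE default (simplified: only lib/security/cacerts is tried).
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        File file = (path != null) ? new File(path)
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        // Null password: certificates are read without the store integrity check.
        return KeyStore.getInstance(file, (char[]) null);
    }

    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    // chain: end-entity first (assumed order); date: null means "now".
    static void validate(X509Certificate[] chain, Date date, boolean checkRevocation)
            throws Exception {
        if (chain == null || chain.length == 0)
            throw new CertificateException("empty certificate chain");
        List<X509Certificate> certs = new ArrayList<>(Arrays.asList(chain));
        // Drop a trailing self-signed root; the trust anchor comes from the truststore.
        // A lone self-signed certificate is kept so the path never becomes empty.
        if (certs.size() > 1 && isSelfSigned(certs.get(certs.size() - 1)))
            certs.remove(certs.size() - 1);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(loadTrustStore(), new X509CertSelector());
        params.setMaxPathLength(-1);                  // unlimited, as the page describes
        params.setDate(date);                         // null = current time
        params.setRevocationEnabled(checkRevocation); // PKIX default is true
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) { // PEM file, leaf first
            Collection<? extends Certificate> c =
                    CertificateFactory.getInstance("X.509").generateCertificates(in);
            validate(c.toArray(new X509Certificate[0]), null, false);
            System.out.println("chain is valid");
        }
    }
}
```

With checkRevocation set to true, the JDK's default validator needs a revocation source (CRLs or OCSP) and rejects the chain when it cannot determine revocation status, rather than skipping the check.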


nl.nikhef.slcshttps Mischa Sallé - msalle(AT)nikhef.nl