Hi Milan,
Milan Tomic wrote:
Sorry, I know this is off the topic, but...
Hello Sean,
I've been just reading your "JavaTM Certification Path API Programmer's Guide" at:
http://java.sun.com/j2se/1.4.2/docs/guide/security/certpath/CertPathProgGuide.html
Well, there are a few variables that are never declared, like "trustAnchors"
and "certsAndCrls" in your samples. I've tried to use Google to search
for some examples of usage for CertPathBuilder. I've been using keywords
like "CertPathBuilder", "X509CertSelector" etc., but the only results I got were the J2SDK javadoc-generated HTML pages for those classes. Sometimes Google
returns fewer than 10 results (one page). It seems that nobody has ever
asked/answered questions about this topic on any newsgroups/mailing lists.
Please, could you publish on the link above, or send to me, a few compilable examples of usage for the JavaTM Certification Path API?
It should be fairly trivial to get the samples to compile from the guide by adding the variable definitions, etc.
But I'm attaching a couple of programs that I use to validate and
build cert chains. They are pretty basic, but should give you an idea
of how to use the API. You can use them as a template to add more advanced features ...
HTH, Sean
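import java.io.*;
import java.security.cert.*;
import java.util.*;

/**
 * ValidateCertPath : validates a certification path using a PKIX
 * CertPathValidator.
 *
 * Synopsis: java ValidateCertPath trustAnchor targetCert [intCert ...]
 *       or: java ValidateCertPath trustAnchor chainFile
 * where each parameter is the name of a file containing the encoded
 * cert in DER or Base64 format, or (second form) a PKCS7/base64 encoded
 * cert chain. PKCS7 chain files must end in "pkcs7" and base64 encoded
 * DER chains in "cer".
 *
 * The trust anchor named on the command line is what the whole path is
 * validated against, so it must come from a trusted source.
 *
 * @author Sean Mullan
 */
public class ValidateCertPath {

    /**
     * Entry point: builds PKIX parameters from args[0] (the trust anchor),
     * assembles the path from the remaining arguments and validates it.
     *
     * @param args see the class synopsis
     * @throws IllegalArgumentException if no trust anchor is given
     * @throws Exception if a file cannot be read or parsed, or the path is
     *         rejected (a CertPathValidatorException from validate())
     */
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            throw new IllegalArgumentException("must specify at least trustAnchor");
        }
        PKIXParameters params = createParams(args[0]);
        CertPath cp;
        // A single non-anchor argument ending in "pkcs7" or "cer" is a whole
        // chain in one file; otherwise each argument is one certificate.
        if (args.length == 2 && (args[1].endsWith("pkcs7") || args[1].endsWith("cer"))) {
            cp = createPath(args[1]);
        } else {
            cp = createPath(args);
        }
        System.out.println("path: " + cp);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        // validate() throws CertPathValidatorException if the path is not valid.
        CertPathValidatorResult cpvr = cpv.validate(cp, params);
        System.out.println(cpvr);
    }

    /**
     * Creates PKIX validation parameters with a single trust anchor.
     *
     * @param anchorFile file holding the DER or Base64-encoded anchor certificate
     * @return parameters trusting only that anchor, with revocation checking off
     * @throws Exception if the anchor file cannot be read or parsed
     */
    public static PKIXParameters createParams(String anchorFile) throws Exception {
        // Second argument is the optional name constraints; none are applied.
        TrustAnchor anchor = new TrustAnchor(getCertFromFile(anchorFile), null);
        Set<TrustAnchor> anchors = Collections.singleton(anchor);
        PKIXParameters params = new PKIXParameters(anchors);
        // Sample-program setting: with revocation disabled no CRL/OCSP check is
        // made, so a revoked certificate still validates. Leave the default
        // (enabled) and supply CRLs via a CertStore when this matters.
        params.setRevocationEnabled(false);
        return params;
    }

    /**
     * Reads a whole certification path from one file, trying PKCS7 first and
     * falling back to a sequence of DER/Base64 certificates.
     *
     * @param certPath path of the chain file
     * @return the path, in the order the certificates appear in the file
     * @throws Exception if the file cannot be read or parsed in either format
     */
    public static CertPath createPath(String certPath) throws Exception {
        // Read the file once: the original passed the same stream to both
        // parse attempts, and a failed PKCS7 parse had already consumed it,
        // so the fallback always saw an exhausted stream.
        byte[] encoded = readFile(certPath);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            return cf.generateCertPath(new ByteArrayInputStream(encoded), "PKCS7");
        } catch (CertificateException ce) {
            // Not PKCS7: treat the file as concatenated DER/Base64 certificates.
            Collection<? extends Certificate> certs =
                cf.generateCertificates(new ByteArrayInputStream(encoded));
            return cf.generateCertPath(new ArrayList<Certificate>(certs));
        }
    }

    /**
     * Builds a certification path from one certificate file per argument.
     *
     * @param certs file names; index 0 is the trust anchor and is skipped
     * @return the path (empty if only the anchor was given)
     * @throws Exception if any file cannot be read or parsed
     */
    public static CertPath createPath(String[] certs) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Index 0 is the trust anchor, which is not part of the path itself.
        List<Certificate> list = new ArrayList<>(Math.max(certs.length - 1, 0));
        for (int i = 1; i < certs.length; i++) {
            list.add(getCertFromFile(certs[i]));
        }
        return cf.generateCertPath(list);
    }

    /**
     * Get a DER or BASE64-encoded X.509 certificate from a file.
     *
     * @param certFilePath path to file containing DER or BASE64-encoded certificate
     * @return X509Certificate
     * @throws FileNotFoundException if the file cannot be opened
     * @throws Exception on any other read or parse error
     */
    public static X509Certificate getCertFromFile(String certFilePath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // try-with-resources: the original never closed the stream.
        try (InputStream in = new FileInputStream(certFilePath)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Reads the whole file into memory, always closing the stream. */
    private static byte[] readFile(String path) throws IOException {
        try (InputStream in = new FileInputStream(path)) {
            return in.readAllBytes();
        }
    }
}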
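import java.io.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/**
 * BuildCertPath : builds a certification path using a PKIX CertPathBuilder.
 *
 * Synopsis: java BuildCertPath trustAnchor cert1 [cert2 ...]
 * where each parameter is the name of a file containing the encoded
 * cert in DER or Base64 format. cert1 is the target; the remaining
 * certificates are candidate intermediates the builder may choose from.
 *
 * The trust anchor named on the command line is what the built path is
 * anchored to, so it must come from a trusted source.
 *
 * @author Sean Mullan
 */
public class BuildCertPath {

    /**
     * Entry point: builds a path from the target (args[1]) to the anchor
     * (args[0]) using the other arguments as intermediates, and prints it.
     *
     * @param args see the class synopsis
     * @throws IllegalArgumentException if no trust anchor or no target is given
     * @throws Exception if a file cannot be read or parsed, or no path can be
     *         built (a CertPathBuilderException from build())
     */
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            throw new IllegalArgumentException("must specify at least trustAnchor");
        }
        PKIXBuilderParameters params = createParams(args);
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        // build() throws CertPathBuilderException if no valid path is found.
        CertPathBuilderResult cpbr = cpb.build(params);
        System.out.println(cpbr);
    }

    /**
     * Creates PKIX builder parameters: one trust anchor (certs[0]), a target
     * selector matching the subject of certs[1], and a collection CertStore
     * holding every non-anchor certificate for the builder to search.
     *
     * @param certs file names; index 0 is the anchor, index 1 the target
     * @return builder parameters with revocation checking off
     * @throws IllegalArgumentException if the anchor or the target is missing
     * @throws Exception if any file cannot be read or parsed
     */
    public static PKIXBuilderParameters createParams(String[] certs) throws Exception {
        if (certs.length == 0) {
            throw new IllegalArgumentException("must specify at least trustAnchor");
        }
        // Second argument is the optional name constraints; none are applied.
        TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
        Set<TrustAnchor> anchors = Collections.singleton(anchor);
        // Index 0 is the anchor; everything after it goes into the CertStore.
        List<X509Certificate> list = new ArrayList<>(Math.max(certs.length - 1, 0));
        for (int i = 1; i < certs.length; i++) {
            list.add(getCertFromFile(certs[i]));
        }
        if (list.isEmpty()) {
            // The original indexed list.get(0) here and failed with an
            // IndexOutOfBoundsException when only the anchor was given.
            throw new IllegalArgumentException("must specify a target certificate after trustAnchor");
        }
        // Select the target by its subject; passing the X500Principal itself
        // avoids the lossy round trip through an RFC 2253 string.
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(list.get(0).getSubjectX500Principal());
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, sel);
        // Sample-program setting: with revocation disabled no CRL/OCSP check is
        // made, so a path through a revoked certificate still builds. Leave
        // the default (enabled) and add CRLs to the CertStore when this matters.
        params.setRevocationEnabled(false);
        CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
        CertStore cs = CertStore.getInstance("Collection", ccsp);
        params.addCertStore(cs);
        return params;
    }

    /**
     * Get a DER or BASE64-encoded X.509 certificate from a file.
     *
     * @param certFilePath path to file containing DER or BASE64-encoded certificate
     * @return X509Certificate
     * @throws FileNotFoundException if the file cannot be opened
     * @throws Exception on any other read or parse error
     */
    public static X509Certificate getCertFromFile(String certFilePath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // try-with-resources: the original never closed the stream.
        try (InputStream in = new FileInputStream(certFilePath)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}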