/* * Copyright(c) 2002 Center for E-Commerce Infrastructure Development, The * University of Hong Kong (HKU). All Rights Reserved. * * This software is licensed under the Academic Free License Version 1.0 * * Academic Free License * Version 1.0 * * This Academic Free License applies to any software and associated * documentation (the "Software") whose owner (the "Licensor") has placed the * statement "Licensed under the Academic Free License Version 1.0" immediately * after the copyright notice that applies to the Software. * * Permission is hereby granted, free of charge, to any person obtaining a copy * of the Software (1) to use, copy, modify, merge, publish, perform, * distribute, sublicense, and/or sell copies of the Software, and to permit * persons to whom the Software is furnished to do so, and (2) under patent * claims owned or controlled by the Licensor that are embodied in the Software * as furnished by the Licensor, to make, use, sell and offer for sale the * Software and derivative works thereof, subject to the following conditions: * * - Redistributions of the Software in source code form must retain all * copyright notices in the Software as furnished by the Licensor, this list * of conditions, and the following disclaimers. * - Redistributions of the Software in executable form must reproduce all * copyright notices in the Software as furnished by the Licensor, this list * of conditions, and the following disclaimers in the documentation and/or * other materials provided with the distribution. * - Neither the names of Licensor, nor the names of any contributors to the * Software, nor any of their trademarks or service marks, may be used to * endorse or promote products derived from this Software without express * prior written permission of the Licensor. * * DISCLAIMERS: LICENSOR WARRANTS THAT THE COPYRIGHT IN AND TO THE SOFTWARE IS * OWNED BY THE LICENSOR OR THAT THE SOFTWARE IS DISTRIBUTED BY LICENSOR UNDER * A VALID CURRENT LICENSE. 
EXCEPT AS EXPRESSLY STATED IN THE IMMEDIATELY * PRECEDING SENTENCE, THE SOFTWARE IS PROVIDED BY THE LICENSOR, CONTRIBUTORS * AND COPYRIGHT OWNERS "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE * LICENSOR, CONTRIBUTORS OR COPYRIGHT OWNERS BE LIABLE FOR ANY CLAIM, DAMAGES * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE. * * This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved. * Permission is hereby granted to copy and distribute this license without * modification. This license may not be modified without the express written * permission of its copyright owner. */ /* ===== * * $Header: /home/cvsroot/ebxml-pkg/src/hk/hku/cecid/ebms/pkg/pki/CertPathVerifier.java,v 1.1 2005/07/28 09:36:24 dcmsze Exp $ * * Code authored by: * * kcyee [2002-06-25] * * Code reviewed by: * * username [YYYY-MM-DD] * * Remarks: * * ===== */ package hk.hku.cecid.ebms.pkg.pki; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.cert.CertPath; import java.security.cert.CertPathBuilder; import java.security.cert.CertPathBuilderException; import java.security.cert.CertStore; import java.security.cert.CollectionCertStoreParameters; import java.security.cert.PKIXBuilderParameters; import java.security.cert.X509CertSelector; import java.security.cert.X509Certificate; import java.util.ArrayList; import org.apache.log4j.Logger; /** * This class wraps the certificate path verification routine into a * separate static method. This is useful when JDK1.3 is used, the cert * path verification is skipped. 
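And the JDK1.4 specific classes will not
 * be loaded, as they are all called in this class.
 *
 * @author kcyee
 * @version $Revision: 1.1 $
 */
public class CertPathVerifier {

    /**
     * Logger
     */
    protected static Logger logger = Logger.getLogger(CertPathVerifier.class);

    /**
     * Verifies the specified certificate chain against the trusted anchors.
     * The trusted anchors are the trusted certificates held in the supplied
     * key store. This method makes use of JDK1.4's PKIX utilities to build
     * (and thereby validate) a certification path from the end-entity
     * certificate of the chain to one of the trusted anchors.
     * <p>
     * The end-entity certificate is the target of the path build and is
     * matched <em>exactly</em> (by certificate, not by subject name only), so
     * a certificate that merely bears the subject DN of a trusted certificate
     * is not accepted. The other certificates of the chain are handed to the
     * builder as intermediate certificates. Revocation checking is left at the
     * PKIX default of the JDK; NOTE(review): no CRLs are added to the
     * certificate store here, so a non-trivial path build only succeeds when
     * revocation data is otherwise available to the builder - confirm this
     * matches the deployment.
     *
     * @param certs the certificate chain being verified; every entry must be
     *              an X.509 certificate, the order of the entries is not
     *              significant
     * @param trusted the keystore storing the trusted anchors.
     * @return true if a certification path to a trusted anchor could be built
     *         for the end-entity certificate; false otherwise (including when
     *         the input is empty, not X.509, or the trust store is missing)
     */
    public static boolean verify(java.security.cert.Certificate[] certs,
                                 CompositeKeyStore trusted) {
        if (certs == null || certs.length == 0) {
            logger.debug("no certificate supplied for verification");
            return false;
        }
        if (trusted == null) {
            logger.debug("no trusted key store supplied for verification");
            return false;
        }
        // The PKIX builder only understands X.509; reject anything else up
        // front instead of failing with an unchecked ClassCastException.
        for (int i = 0; i < certs.length; i++) {
            if (!(certs[i] instanceof X509Certificate)) {
                logger.debug("certificate " + i + " is not an X.509 certificate");
                return false;
            }
        }

        try {
            KeyStore trustAnchorsKS = trusted.getKeyStore();
            if (trustAnchorsKS == null) {
                logger.debug("trustAnchorsKS is null");
                return false;
            }

            // Target the leaf of the chain and pin the exact certificate.
            X509Certificate endEntity = findEndEntity(certs);
            X509CertSelector targetConstraints = new X509CertSelector();
            targetConstraints.setCertificate(endEntity);

            PKIXBuilderParameters params = new PKIXBuilderParameters(
                trustAnchorsKS, targetConstraints);

            // Make the whole chain available to the builder so that
            // intermediate CA certificates can be used to reach an anchor.
            // Raw ArrayList: this file targets a pre-generics JDK.
            ArrayList certsList = new ArrayList();
            for (int i = 0; i < certs.length; i++) {
                certsList.add(certs[i]);
            }
            CollectionCertStoreParameters ccsp =
                new CollectionCertStoreParameters(certsList);
            CertStore store = CertStore.getInstance("Collection", ccsp);
            params.addCertStore(store);

            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
            CertPath certPath = certPathBuilder.build(params).getCertPath();
            if (logger.isDebugEnabled()) {
                logger.debug("certification path built with "
                    + certPath.getCertificates().size() + " certificate(s)");
            }
            return true;
        } catch (java.security.GeneralSecurityException e) {
            // Covers NoSuchAlgorithmException, KeyStoreException,
            // InvalidAlgorithmParameterException and CertPathBuilderException.
            // A failed verification is a security-relevant event, so it is
            // logged at warn level together with the cause.
            String err = ErrorMessages.getMessage(
                ErrorMessages.ERR_PKI_VERIFY_SIGNATURE_FAILED, e);
            logger.warn(err, e);
            return false;
        }
    }

    /**
     * Picks the end-entity (leaf) certificate of the chain: the first
     * certificate whose subject is not named as issuer by any other
     * certificate of the chain. A single self-signed certificate is returned
     * as is. Falls back to the first element if every certificate issues
     * another one.
     *
     * @param chain a non-empty chain whose entries are all X.509 certificates
     * @return the end-entity certificate of the chain
     */
    private static X509Certificate findEndEntity(
            java.security.cert.Certificate[] chain) {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate candidate = (X509Certificate) chain[i];
            boolean issuesAnother = false;
            for (int j = 0; j < chain.length && !issuesAnother; j++) {
                if (j != i && candidate.getSubjectX500Principal().equals(
                        ((X509Certificate) chain[j]).getIssuerX500Principal())) {
                    issuesAnother = true;
                }
            }
            if (!issuesAnother) {
                return candidate;
            }
        }
        return (X509Certificate) chain[0];
    }
}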