/*
* Copyright(c) 2002 Center for E-Commerce Infrastructure Development, The
* University of Hong Kong (HKU). All Rights Reserved.
*
* This software is licensed under the Academic Free License Version 1.0
*
* Academic Free License
* Version 1.0
*
* This Academic Free License applies to any software and associated
* documentation (the "Software") whose owner (the "Licensor") has placed the
* statement "Licensed under the Academic Free License Version 1.0" immediately
* after the copyright notice that applies to the Software.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of the Software (1) to use, copy, modify, merge, publish, perform,
* distribute, sublicense, and/or sell copies of the Software, and to permit
* persons to whom the Software is furnished to do so, and (2) under patent
* claims owned or controlled by the Licensor that are embodied in the Software
* as furnished by the Licensor, to make, use, sell and offer for sale the
* Software and derivative works thereof, subject to the following conditions:
*
* - Redistributions of the Software in source code form must retain all
* copyright notices in the Software as furnished by the Licensor, this list
* of conditions, and the following disclaimers.
* - Redistributions of the Software in executable form must reproduce all
* copyright notices in the Software as furnished by the Licensor, this list
* of conditions, and the following disclaimers in the documentation and/or
* other materials provided with the distribution.
* - Neither the names of Licensor, nor the names of any contributors to the
* Software, nor any of their trademarks or service marks, may be used to
* endorse or promote products derived from this Software without express
* prior written permission of the Licensor.
*
* DISCLAIMERS: LICENSOR WARRANTS THAT THE COPYRIGHT IN AND TO THE SOFTWARE IS
* OWNED BY THE LICENSOR OR THAT THE SOFTWARE IS DISTRIBUTED BY LICENSOR UNDER
* A VALID CURRENT LICENSE. EXCEPT AS EXPRESSLY STATED IN THE IMMEDIATELY
* PRECEDING SENTENCE, THE SOFTWARE IS PROVIDED BY THE LICENSOR, CONTRIBUTORS
* AND COPYRIGHT OWNERS "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
* LICENSOR, CONTRIBUTORS OR COPYRIGHT OWNERS BE LIABLE FOR ANY CLAIM, DAMAGES
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE.
*
* This license is Copyright (C) 2002 Lawrence E. Rosen. All rights reserved.
* Permission is hereby granted to copy and distribute this license without
* modification. This license may not be modified without the express written
* permission of its copyright owner.
*/
/* =====
*
* $Header: /home/cvsroot/ebxml-pkg/src/hk/hku/cecid/ebms/pkg/pki/CertPathVerifier.java,v 1.1 2005/07/28 09:36:24 dcmsze Exp $
*
* Code authored by:
*
* kcyee [2002-06-25]
*
* Code reviewed by:
*
* username [YYYY-MM-DD]
*
* Remarks:
*
* =====
*/
package hk.hku.cecid.ebms.pkg.pki;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;

import javax.security.auth.x500.X500Principal;

import org.apache.log4j.Logger;
/**
* This class wraps the certificate path verification routine into a
* separate static method. This is useful when JDK1.3 is used, the cert
* path verification is skipped. And the JDK1.4 specific classes will not
* be loaded, as they are all called in this class.
*
* @author kcyee
* @version $Revision: 1.1 $
*/
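/**
 * Wraps certificate path (chain) verification into a single static method.
 * Keeping the JDK 1.4 {@code java.security.cert} path-building classes
 * confined to this class means that on JDK 1.3, where the verification is
 * skipped, those classes are never loaded.
 *
 * @author kcyee
 * @version $Revision: 1.1 $
 */
public class CertPathVerifier {

    /**
     * Logger
     */
    protected static final Logger logger = Logger.getLogger(CertPathVerifier.class);

    /**
     * Verifies the given certificate chain against the trust anchors held in
     * {@code trusted} using the PKIX {@link CertPathBuilder}.
     * <p>
     * The end-entity certificate is chosen by issuer/subject linkage (see
     * {@link #findEndEntity}), so the chain may be supplied leaf-first or
     * root-first. Every supplied certificate is offered to the builder as a
     * candidate intermediate. Revocation checking is left at the
     * {@link PKIXBuilderParameters} default (enabled); if the builder has no
     * CRL or OCSP source to consult, the path does not build and this method
     * returns {@code false}, i.e. it fails closed.
     *
     * @param certs   the certificate chain being verified; every element must
     *                be an {@link X509Certificate}
     * @param trusted the key store holding the trust anchors
     * @return {@code true} if a valid path from the end-entity certificate to
     *         a trust anchor was built; {@code false} on any failure, including
     *         a {@code null} or empty chain, a missing trust store, a
     *         non-X.509 certificate, or any builder/parameter error
     */
    public static boolean verify(java.security.cert.Certificate[] certs,
                                 CompositeKeyStore trusted) {
        if (certs == null || certs.length == 0) {
            logger.debug("certificate chain is null or empty");
            return false;
        }
        if (trusted == null) {
            logger.debug("trusted key store is null");
            return false;
        }

        // Reject non-X.509 members up front instead of failing with a
        // ClassCastException part-way through building the parameters.
        X509Certificate[] chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            if (!(certs[i] instanceof X509Certificate)) {
                logger.debug("certificate at index " + i
                        + " is not an X.509 certificate");
                return false;
            }
            chain[i] = (X509Certificate) certs[i];
        }

        try {
            KeyStore trustAnchorsKS = trusted.getKeyStore();
            if (trustAnchorsKS == null) {
                logger.debug("trustAnchorsKS is null");
                return false;
            }

            // The builder's target is the end-entity certificate. Only one
            // subject can be set on the selector, so it must be the leaf and
            // not simply the last element of whatever order the caller used.
            X509CertSelector targetConstraints = new X509CertSelector();
            targetConstraints.setSubject(
                    findEndEntity(chain).getSubjectX500Principal().getEncoded());

            PKIXBuilderParameters params = new PKIXBuilderParameters(
                    trustAnchorsKS, targetConstraints);

            // The builder can only bridge from the target to an anchor if the
            // intermediates are reachable; hand it the whole supplied chain.
            CollectionCertStoreParameters ccsp =
                    new CollectionCertStoreParameters(Arrays.asList(chain));
            params.addCertStore(CertStore.getInstance("Collection", ccsp));

            // build() throws CertPathBuilderException when no valid path
            // exists; the resulting path itself is not needed here.
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        }
        catch (GeneralSecurityException e) {
            // Covers NoSuchAlgorithm-, KeyStore-, CertPathBuilder- and
            // InvalidAlgorithmParameterException.
            logFailure(e);
            return false;
        }
        catch (IOException e) {
            // X509CertSelector.setSubject(byte[]) rejects a malformed name.
            logFailure(e);
            return false;
        }
    }

    /**
     * Picks the end-entity (leaf) certificate out of a chain: the one whose
     * subject is not the issuer of any other certificate in the chain. A
     * single certificate is its own leaf. Falls back to the first element when
     * no such certificate exists (e.g. malformed or circular linkage).
     *
     * @param chain non-empty array of X.509 certificates
     * @return the certificate to use as the path-building target
     */
    private static X509Certificate findEndEntity(X509Certificate[] chain) {
        for (int i = 0; i < chain.length; i++) {
            X500Principal subject = chain[i].getSubjectX500Principal();
            boolean issuesAnother = false;
            for (int j = 0; j < chain.length && !issuesAnother; j++) {
                issuesAnother = j != i
                        && subject.equals(chain[j].getIssuerX500Principal());
            }
            if (!issuesAnother) {
                return chain[i];
            }
        }
        return chain[0];
    }

    /**
     * Logs a verification failure with the standard PKI error message.
     * A rejected certificate path is security-relevant, so it is logged at
     * WARN rather than DEBUG, and the exception is passed along so the cause
     * and stack trace are not lost.
     *
     * @param e the exception that aborted path building
     */
    private static void logFailure(Exception e) {
        String err = ErrorMessages.getMessage(
                ErrorMessages.ERR_PKI_VERIFY_SIGNATURE_FAILED, e);
        logger.warn(err, e);
    }
}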