Hubert Kario
Reputation: 22850
Can't build CertPath using CertPathBuilder
I'm trying to use Java CertPathBuilder to create CertPath from user certificate and CA certificates, but I receive
Exception in thread "main" sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at CertPathBuilderTest.main(CertPathBuilderTest.java:63)
when I have enabled revocation checking (using .setRevocationEnabled(true)).
So it looks like Java is rejecting certificates or CRLs even though I can validate them using OpenSSL and gnupg without problem.
The CA structure is simplest possible: just CA signing certificates and CRLs, no intermediate CAs.
Problematic certificates: cacerts.jks and private.jks
Example program:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
public class CertPathBuilderTest {
/**
* @param args
* @throws IOException
* @throws CertificateException
* @throws NoSuchAlgorithmException
* @throws KeyStoreException
* @throws CRLException
* @throws InvalidAlgorithmParameterException
* @throws UnexpectedJCAException
* @throws SigningCertChainException
* @throws CertPathBuilderException
*/
public static void main(String[] args)
throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, CRLException, InvalidAlgorithmParameterException, CertPathBuilderException
{
// TODO Auto-generated method stub
// keytool -importcert -file CA.pem -keystore cacerts.jks -storepass changeit
KeyStore trustAnchors = loadJKSKeyStore("cacerts.jks", "changeit");
KeyStore myKeyStore = loadJKSKeyStore("private.jks", "changeit");
String crlLocation = "http://crl.qbs.com.pl/QBSJanKuban.crl";
X509CRL crl = downloadCRL(crlLocation);
CertStore cs = otherCertificatesCertStore(trustAnchors, myKeyStore, crl);
///*
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
cpp.setRevocationEnabled(true);
cpp.setMaxPathLength(6);
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
}
private static KeyStore loadJKSKeyStore(String path, String password)
throws KeyStoreException,
NoSuchAlgorithmException, CertificateException, IOException
{
FileInputStream fis = new FileInputStream(path);
KeyStore ks = KeyStore.getInstance("jks");
ks.load(fis, password.toCharArray());
fis.close();
return ks;
}
private static X509CRL downloadCRL(String crlLocation)
throws IOException, CertificateException, CRLException
{
URL crlURL = new URL(crlLocation);
BufferedInputStream in = new BufferedInputStream(crlURL.openStream());
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CRL crl = cf.generateCRL(in);
return (X509CRL) crl;
}
private static CertStore otherCertificatesCertStore(KeyStore trustAnchors,
KeyStore myCerts, X509CRL... crl)
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, KeyStoreException
{
CertStore cs;
Collection<Object> contentList = new ArrayList<Object>();
contentList.add(trustAnchors.getCertificate("qbsca"));
contentList.add(myCerts.getCertificate("mykey"));
for (int i=0; i < crl.length; i++) {
contentList.add(crl[i]);
}
cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(contentList));
return cs;
}
}
Upvotes: 2
Views: 4093
Answers (1)
Hubert Kario
Reputation: 22850
Problem was caused by a bug(?) in SUN and BC cryptographic providers.
When the user certificate has specified not only CRL Distribution Point in form of URI, but also CRL Issuer then CertPathBuilder isn't able to verify the validity of CRL and whole process fails.
The workaround is to create certificates lacking this extension.
Upvotes: 2
Related Questions
- PKIX path building failed : I added certificate to carcert still failing
- Generate x509certificate certpath in JAVA
- `Unable to find valid certification path...` while building own SSLContext (Java)
- Can't get trusted root CA when building certification path with CertPathBuilder
- CERTIFICATE_VERIFY_FAILED when trying to build java-cef
- PKIX path building failed. Should we be importing the certificate?
- PKIX path building failed, but the certificate is in cacerts
- Using CertPathBuilder and PKIX with non-X509 certificates
- Error while creating x.509 certificate
- Validating a certificate in java throws an exception - unable to find valid certificate path to requested target