
10 Using CertPath Building and Validation

The WebLogic Security service provides the Certificate Lookup and Validation (CLV) API that finds and validates X509 certificate chains. A CertPath is a JDK class that stores a certificate chain in memory. The term CertPath is also used to refer to the JDK architecture and framework that is used to locate and validate certificate chains. The CLV framework extends and completes the JDK CertPath functionality. CertPath providers rely on a tightly-coupled integration of WebLogic and JDK interfaces. Your application code can use the default CertPath providers provided by WebLogic Server to build and validate certificate chains, or any custom CertPath providers.

The following topics are covered in this section:

■ Section 10.1, CertPath Building
  ■ Section 10.1.1, Instantiate a CertPathSelector
  ■ Section 10.1.2, Instantiate a CertPathBuilderParameters
  ■ Section 10.1.3, Use the JDK CertPathBuilder Interface
■ Section 10.2, CertPath Validation
  ■ Section 10.2.1, Instantiate a CertPathValidatorParameters
  ■ Section 10.2.2, Use the JDK CertPathValidator Interface

10.1 CertPath Building

To use a CertPath Builder in your application, follow these steps:

1. Section 10.1.1, Instantiate a CertPathSelector
2. Section 10.1.2, Instantiate a CertPathBuilderParameters
3. Section 10.1.3, Use the JDK CertPathBuilder Interface

10.1.1 Instantiate a CertPathSelector

The CertPathSelector interface (weblogic.security.pk.CertPathSelector) contains the selection criteria for locating and validating a certification path. Because there are many ways to look up certification paths, a derived class is implemented for each type of selection criteria. Each selector class has a constructor and one or more methods to retrieve the selection data.

The classes in weblogic.security.pk that implement the CertPathSelector interface, one for each supported type of certificate chain lookup, are as follows:

■ EndCertificateSelector – used to find and validate a certificate chain given its end certificate.
■ IssuerDNSerialNumberSelector – used to find and validate a certificate chain from its end certificate's issuer DN and serial number.
■ SubjectDNSelector – used to find and validate a certificate chain from its end certificate's subject DN.
■ SubjectKeyIdentifierSelector – used to find and validate a certificate chain from its end certificate's subject key identifier (an optional field in X509 certificates).

Example 10–1 shows an example of choosing a selector.

Example 10–1 Make a certificate chain selector

    // you already have the end certificate and want to use it to look up and validate the corresponding chain
    X509Certificate endCertificate = ...
    // make a cert chain selector
    CertPathSelector selector = new EndCertificateSelector(endCertificate);
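The selector in use end to end, as an added example that is not part of the Oracle documentation: the end certificate is read from a file, wrapped in an EndCertificateSelector, bound to a realm and handed to the JDK CertPathBuilder, and the returned chain is checked before it is trusted. The CertPathBuilderParameters constructor shape, the provider name "WLSCertPathBuilder" and the meaning of a null trusted-CA list are assumed from the WebLogic API rather than taken from this page; the file path and realm name are placeholders.

```java
import java.io.FileInputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;

public class ChainLookup {

    /** Finds and validates the chain for the end certificate in certFile, using the CertPath provider of the given realm. */
    public static List<? extends Certificate> lookupChain(String certFile, String realm) throws Exception {
        X509Certificate endCert;
        try (FileInputStream in = new FileInputStream(certFile)) {
            endCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Step 1 (Example 10-1): select the chain by its end certificate.
        CertPathSelector selector = new EndCertificateSelector(endCert);

        // Step 2: bind the selector to the realm. Constructor shape assumed from the WebLogic API:
        // (realm name, selector, trusted CAs); null is assumed to mean the realm's configured trusted CAs.
        CertPathBuilderParameters params = new CertPathBuilderParameters(realm, selector, null);

        // Step 3: the JDK CertPathBuilder dispatches to WebLogic's provider ("WLSCertPathBuilder" is assumed).
        CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");
        CertPath path;
        try {
            path = builder.build(params).getCertPath();
        } catch (CertPathBuilderException e) {
            // No chain from this end certificate to a trusted CA could be found or validated:
            // the certificate must be treated as untrusted, not silently accepted.
            throw new SecurityException("no trusted chain for " + endCert.getSubjectX500Principal(), e);
        }

        // X.509 CertPaths are ordered end certificate first (JDK convention); confirm the builder
        // actually returned a chain for the certificate we asked about before using it.
        List<? extends Certificate> chain = path.getCertificates();
        if (chain.isEmpty() || !chain.get(0).equals(endCert)) {
            throw new SecurityException("builder returned a chain for a different end certificate");
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and realm name: replace with the certificate to check and your realm.
        lookupChain("/path/to/end-cert.pem", "myrealm").forEach(c -> System.out.println(((X509Certificate) c).getSubjectX500Principal()));
    }
}
```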

10.1.2 Instantiate a CertPathBuilderParameters