Using CertPath Building and Validation 10-3
Specify trusted CAs if you have them. Otherwise, the server's trusted CAs are used. These are just a hint to the configured CertPath builder and CertPath validators which, depending on their lookup/validation algorithm, may or may not use these trusted CAs.
ContextHandler is used to pass in an optional list of name/value pairs that the configured CertPathBuilder and CertPathValidators may use to look up and validate the chain. It is symmetrical with the context handler passed to other types of security providers. Setting context to null indicates that there are no context parameters.
■ clone: Object clone(). This interface is not cloneable.
Example 10–2 shows an example of passing an instance of CertPathBuilderParameters.
Example 10–2 Pass An Instance of CertPathBuilderParameters
// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
String realm = ...;
// create and populate a context handler if desired, or null
ContextHandler context = ...;
// pass in a list of trusted CAs if desired, or null
X509Certificate[] trustedCAs = ...;
// make the params
CertPathBuilderParameters params = new CertPathBuilderParameters(realm, selector, context, trustedCAs);
10.1.3 Use the JDK CertPathBuilder Interface
The java.security.cert.CertPathBuilder interface is the API for the CertPathBuilder class. To use the JDK CertPathBuilder interface, do the following:
1. Call the static CertPathBuilder.getInstance method to retrieve the CLV framework's CertPathBuilder. You must specify "WLSCertPathBuilder" as the algorithm name that is passed to the call.
2. Once the CertPathBuilder object has been obtained, call the build method on the returned CertPathBuilder. This method takes one argument, a CertPathParameters that indicates which chain to find and how it should be validated.
You must pass an instance of weblogic.security.pk.CertPathBuilderParameters as the CertPathParameters object to the JDK's CertPathBuilder.build method, as described in Section 10.1.2, "Instantiate a CertPathBuilderParameters."
3. If successful, the result, including the CertPath that was built, is returned in an object that implements the CertPathBuilderResult interface. The builder determines how much of the CertPath is returned.
4. If not successful, the CertPathBuilder build method throws InvalidAlgorithmParameterException if the params is not a WebLogic CertPathBuilderParameters, if the configured CertPathBuilder does not support the selector, or if the realm name does not match the realm name of the default realm from when the server was booted.
10-4 Programming Security for Oracle WebLogic Server
The CertPathBuilder build method throws CertPathBuilderException if the cert path could not be located or if the located cert path is not valid.
10.1.4 Example Code Flow for Looking Up a Certificate Chain
Example 10–3 Looking up a Certificate Chain
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;
import weblogic.security.service.ContextHandler;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.X509Certificate;

// you already have the end certificate
// and want to use it to look up and validate the corresponding chain
X509Certificate endCertificate = ...;

// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
String realm = ...;
// create and populate a context handler if desired
ContextHandler context = ...;
// pass in a list of trusted CAs if desired
X509Certificate[] trustedCAs = ...;
// make the params
CertPathBuilderParameters params = new CertPathBuilderParameters(realm, selector, context, trustedCAs);

// get the WLS CertPathBuilder
CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");

// use it to look up and validate the chain
CertPath certpath = builder.build(params).getCertPath();
X509Certificate[] chain = certpath.getCertificates().toArray(new X509Certificate[0]);
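The same flow as Example 10–3, wrapped in a method that separates the two failure cases listed in Section 10.1.3 (parameter rejection versus a chain that cannot be located or does not validate). This is an added example, not code from the Oracle documentation; the class name ChainLookup and the use of a null context handler are assumptions, and the realm string is supplied by the caller.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.X509Certificate;

import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;

// Hypothetical helper class; not part of the WebLogic API.
public final class ChainLookup {

    private ChainLookup() {}

    // Builds and validates the chain for endCertificate through the CLV framework.
    // realm must be the name of the default realm the server was booted with.
    // trustedCAs may be null, in which case the server's trusted CAs are used
    // (and the configured builder/validators may still ignore the hint).
    // Throws CertPathBuilderException when no chain is found or the found
    // chain fails validation: callers must treat that as "untrusted".
    public static X509Certificate[] lookupChain(X509Certificate endCertificate,
                                                String realm,
                                                X509Certificate[] trustedCAs)
            throws NoSuchAlgorithmException, CertPathBuilderException {
        CertPathSelector selector = new EndCertificateSelector(endCertificate);

        // null context handler: no extra name/value hints for the providers.
        CertPathBuilderParameters params =
            new CertPathBuilderParameters(realm, selector, null, trustedCAs);

        // NoSuchAlgorithmException here means the WLS provider is not
        // registered, i.e. this code is not running inside a WebLogic server.
        CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");

        try {
            CertPath certPath = builder.build(params).getCertPath();
            // The configured builder decides how much of the path is returned.
            return certPath.getCertificates().toArray(new X509Certificate[0]);
        } catch (InvalidAlgorithmParameterException e) {
            // Wrong parameter type, unsupported selector, or realm mismatch:
            // a coding/configuration error in the caller, not a bad certificate.
            throw new IllegalArgumentException(
                "CertPathBuilderParameters rejected for realm '" + realm + "'", e);
        }
    }
}
```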
10.2 CertPath Validation