Use the JDK CertPathBuilder Interface Example Code Flow for Looking Up a Certificate Chain

Specify trusted CAs if you have them. Otherwise, the server's trusted CAs are used. These are just a hint to the configured CertPath builder and CertPath validators which, depending on their lookup/validation algorithm, may or may not use these trusted CAs.

■ ContextHandler: used to pass in an optional list of name/value pairs that the configured CertPathBuilder and CertPathValidators may use to look up and validate the chain. It is symmetrical with the context handler passed to other types of security providers. Setting context to null indicates that there are no context parameters.

■ clone: Object clone(). This interface is not cloneable.

Example 10–2 shows an example of passing an instance of CertPathBuilderParameters.

Example 10–2 Pass An Instance of CertPathBuilderParameters

```java
// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
String realm = _;
// create and populate a context handler if desired, or null
ContextHandler context = _;
// pass in a list of trusted CAs if desired, or null
X509Certificate[] trustedCAs = _;
// make the params (the variable type must be CertPathBuilderParameters)
CertPathBuilderParameters params =
    new CertPathBuilderParameters(realm, selector, context, trustedCAs);
```

10.1.3 Use the JDK CertPathBuilder Interface

The java.security.cert.CertPathBuilder interface is the API for the CertPathBuilder class. To use the JDK CertPathBuilder interface, do the following:

1. Call the static CertPathBuilder.getInstance method to retrieve the CLV framework's CertPathBuilder. You must specify WLSCertPathBuilder as the algorithm name that is passed to the call.

2. Once the CertPathBuilder object has been obtained, call the build method on the returned CertPathBuilder. This method takes one argument, a CertPathParameters that indicates which chain to find and how it should be validated. You must pass an instance of weblogic.security.pk.CertPathBuilderParameters as the CertPathParameters object to the JDK's CertPathBuilder.build method, as described in Section 10.1.2, Instantiate a CertPathBuilderParameters.

3. If successful, the result, including the CertPath that was built, is returned in an object that implements the CertPathBuilderResult interface. The builder determines how much of the CertPath is returned.

4. If not successful, the CertPathBuilder build method throws InvalidAlgorithmParameterException if the params is not a WebLogic CertPathBuilderParameters, if the configured CertPathBuilder does not support the selector, or if the realm name does not match the realm name of the default realm from when the server was booted. The CertPathBuilder build method throws CertPathBuilderException if the cert path could not be located or if the located cert path is not valid.

10.1.4 Example Code Flow for Looking Up a Certificate Chain

Example 10–3 Looking up a Certificate Chain

```java
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;
import weblogic.security.service.ContextHandler;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.X509Certificate;

// you already have the end certificate and want to use it to look up
// and validate the corresponding chain
X509Certificate endCertificate = ...;
// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
String realm = _;
// create and populate a context handler if desired
ContextHandler context = _;
// pass in a list of trusted CAs if desired
X509Certificate[] trustedCAs = _;
// make the params (the variable type must be CertPathBuilderParameters)
CertPathBuilderParameters params =
    new CertPathBuilderParameters(realm, selector, context, trustedCAs);
// get the WLS CertPathBuilder
CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");
// use it to look up and validate the chain
CertPath certpath = builder.build(params).getCertPath();
X509Certificate[] chain = certpath.getCertificates().toArray(new X509Certificate[0]);
```
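The following helper, added here as an example and not part of the Oracle documentation or WebLogic itself, wraps the four steps of Section 10.1.3 and the flow of Example 10–3 in one method that maps each documented failure mode to a distinct exception. The class name ChainLookup and the method lookupChain are my own; it assumes it runs inside WebLogic Server with the weblogic.security.pk classes on the classpath, and that the returned CertPath follows the JDK X.509 convention of listing the end (target) certificate first.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;
import weblogic.security.service.ContextHandler;

/** Hypothetical helper: look up and validate the chain for an end certificate via WLSCertPathBuilder. */
public final class ChainLookup {

    // Returns the validated chain, end certificate first; callers never see an unvalidated chain.
    public static X509Certificate[] lookupChain(String realm, X509Certificate endCertificate,
                                                ContextHandler context, X509Certificate[] trustedCAs)
            throws CertPathBuilderException {
        final CertPathBuilder builder;
        try {
            // Step 1: the CLV framework registers its builder under the algorithm name "WLSCertPathBuilder".
            builder = CertPathBuilder.getInstance("WLSCertPathBuilder");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("WLSCertPathBuilder is not registered; run inside WebLogic Server", e);
        }
        // Step 2: a WebLogic CertPathBuilderParameters (not a JDK PKIXBuilderParameters) is required.
        CertPathSelector selector = new EndCertificateSelector(endCertificate);
        CertPathBuilderParameters params = new CertPathBuilderParameters(realm, selector, context, trustedCAs);
        final CertPath certPath;
        try {
            certPath = builder.build(params).getCertPath();
        } catch (InvalidAlgorithmParameterException e) {
            // Step 4: wrong params class, unsupported selector, or realm differs from the server's default realm.
            throw new IllegalArgumentException("parameters rejected by WLSCertPathBuilder (realm '" + realm + "')", e);
        }
        // CertPathBuilderException (chain not found, or found but not valid) propagates unchanged.
        // Step 3: the builder decides how much of the chain comes back, so do not assume a full chain,
        // but do confirm that what came back starts at the certificate that was asked about.
        List<? extends Certificate> certs = certPath.getCertificates();
        if (certs.isEmpty() || !certs.get(0).equals(endCertificate)) {
            throw new CertPathBuilderException("returned CertPath does not start with the requested end certificate");
        }
        return certs.toArray(new X509Certificate[0]);
    }
}
```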

10.2 CertPath Validation