I am trying to implement a X509TrustManager. In the code below the path is made from the certificates received from the server, and the TrustAnchor is generated from the root of this path (a Verisign certificate). In other words rootCert is identical to certs[1]. Yet, validation fails. I am not sure whether the Verisign certificate should be in the path or in which order the path must be set up (root first or last?). Could anyone give me a hint? I am assuming that the path is valid (the web browser seems to have no problem).
Thanks.
// Imports used by this method (class and rootCert field not shown)
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

@Override
public void checkServerTrusted(X509Certificate[] certs, String authType)
        throws CertificateException {
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Build the path root-first (reversed server order), as posted
        List<X509Certificate> list = new ArrayList<>();
        for (int i = certs.length - 1; i >= 0; i--) {
            list.add(certs[i]);  // was list.add(certs), which added the whole array
        }
        CertPath path = cf.generateCertPath(list);
        TrustAnchor anchor = new TrustAnchor(rootCert, null);
        Set<TrustAnchor> anchors = Collections.singleton(anchor);
        PKIXParameters params = new PKIXParameters(anchors);
        // Activate certificate revocation checking
        params.setRevocationEnabled(true);
        // Activate OCSP
        Security.setProperty("ocsp.enable", "true");
        // Activate CRLDP
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // Ensure that the ocsp.responderURL property is not set.
        if (Security.getProperty("ocsp.responderURL") != null) {
            throw new Exception("The ocsp.responderURL property must not be set");
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        System.out.println("provider = " + validator.getProvider());
        System.out.println("path = " + path);
        System.out.println("params = " + params);
        validator.validate(path, params);
    } catch (CertPathValidatorException ex) {
        throw new CertificateException("path validation failed: " + ex.getMessage(), ex);
    } catch (CertificateException ex) {
        throw ex;
    } catch (Exception ex) {
        // Fail closed: returning normally from checkServerTrusted accepts the
        // connection, so any other error must also be reported as a failure
        throw new CertificateException(ex);
    }
}
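For reference, here is an added example of a complete trust manager built on the same PKIX pieces; it is not the poster's code and not an answer from the thread. It follows the ordering that Java's X.509 CertPath documents: the target (leaf) certificate first, the chain ending with the certificate issued by the trust anchor, and the anchor itself supplied only through PKIXParameters, never inside the path. The class name PkixRootTrustManager, the constructor argument rootCert (assumed to be loaded by the caller, e.g. from a keystore), and the use of the Java 8+ PKIXRevocationChecker in place of the ocsp.enable / com.sun.security.enableCRLDP properties are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.X509TrustManager;

/** Hypothetical trust manager that validates the server chain against one pinned root. */
public final class PkixRootTrustManager implements X509TrustManager {

    private final TrustAnchor anchor;

    /** rootCert: the trusted root certificate, loaded by the caller (assumption). */
    public PkixRootTrustManager(X509Certificate rootCert) {
        this.anchor = new TrustAnchor(rootCert, null);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server sent an empty certificate chain");
        }
        try {
            CertPath path = buildPath(chain);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");

            PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
            // Revocation checking through the Java 8+ checker object: OCSP preferred,
            // CRL fallback, hard-fail when no source answers (no SOFT_FAIL option set).
            PKIXRevocationChecker revocation =
                    (PKIXRevocationChecker) validator.getRevocationChecker();
            params.addCertPathChecker(revocation);
            params.setRevocationEnabled(true);

            validator.validate(path, params);
        } catch (CertPathValidatorException ex) {
            // Report which certificate in the path failed and why; the caller logs it.
            throw new CertificateException("PKIX validation failed at index "
                    + ex.getIndex() + ": " + ex.getReason() + " (" + ex.getMessage() + ")", ex);
        } catch (CertificateException ex) {
            throw ex;
        } catch (GeneralSecurityException ex) {
            // Fail closed: a provider or parameter error must never accept the connection.
            throw new CertificateException(ex);
        }
    }

    /**
     * Builds the path in Java's X.509 CertPath order: leaf first, ending with the
     * certificate issued by the trust anchor. The anchor is passed via PKIXParameters,
     * so a root the server happens to include in its chain is dropped here.
     */
    private CertPath buildPath(X509Certificate[] chain) throws CertificateException {
        List<X509Certificate> certs = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (c.equals(anchor.getTrustedCert())) {
                break; // reached the anchor; it and anything after it are not path members
            }
            certs.add(c);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertPath(certs);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificate authentication is not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[] { anchor.getTrustedCert() };
    }
}
```

Two design points worth noting: every failure path ends in a CertificateException, because a checkServerTrusted that returns normally after printing a stack trace silently accepts the connection; and the CertPathValidatorException's index and reason are preserved in the message, which is what tells you whether the failure was ordering, an untrusted anchor, or a revocation lookup rather than a generic "validation failed".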