Question

I'm working with Card Verifiable Certificates in Java (using PrimeKey/EJBCA's cert-cvc library) which are non-X.509 certificates, yet they implement java.security.cert.Certificate.

I would like to use the existing chain building algorithms, i.e. using CertPathBuilder and its PKIX implementation (in either Oracle/Sun's security provider or Bouncy Castle's) to build chains of these CVC certs. I'm currently stuck in using PKIXBuilderParameters with my set of trust anchors, as it apparently expects X.509 certs.

Is there a way to use non-X.509 certificates with PKIX? If not, is there a way to use CertPathBuilder with non-X.509 certificates without having to implement my own custom CertBuilderSpi?

Solution

I think that a PKIX certpath builder is not applicable for CVC. Verifying paths according to PKIX (RFC 5280) is very X.509-specific, including things like name constraints, certificate policy extensions etc. This is probably why the trust anchors require X.509 certs.

The only option I could think of that does not require you to implement a custom CertBuilderSpi would be if BC had one for CVC, since it also implements other CVC certificates.

But a quick search:

find . -name "*.java" -exec grep -H "extends CertPathBuilderSpi" {} \;

reveals only the PKIX classes. And cert-cvc also does not implement a CertPathBuilder. Such an addition would be cool though.

Cheers, Tomas
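
As an added example (not part of the original answer, and not code from cert-cvc or Bouncy Castle), here is one way to build a chain without PKIX, using only the `getPublicKey()` and `verify(PublicKey)` methods that every `java.security.cert.Certificate` provides. The class name `SimpleChainBuilder` and its method names are hypothetical. It assumes the certificate implementation's `verify()` accepts the issuer's key as returned by `getPublicKey()`.

```java
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.util.*;

/** Hypothetical helper: chains any Certificate subclass by signature only, without PKIX. */
public final class SimpleChainBuilder {
    /** Returns [target, ..., trust anchor], or an empty list if no chain can be built. */
    public static List<Certificate> build(Certificate target,
            Collection<? extends Certificate> pool,
            Collection<? extends Certificate> anchors) {
        List<Certificate> chain = new ArrayList<>();
        chain.add(target);
        Set<Certificate> onPath = new HashSet<>(chain); // guards against issuer loops
        if (!extend(chain, pool, anchors, onPath)) chain.clear();
        return chain;
    }

    private static boolean extend(List<Certificate> chain,
            Collection<? extends Certificate> pool,
            Collection<? extends Certificate> anchors, Set<Certificate> onPath) {
        Certificate tip = chain.get(chain.size() - 1);
        // A trust anchor that is the tip, or whose key verifies the tip, ends the chain.
        for (Certificate anchor : anchors) {
            if (anchor.equals(tip)) return true;
            if (signedBy(tip, anchor)) { chain.add(anchor); return true; }
        }
        // Otherwise try each untrusted certificate as issuer (depth-first, backtracking).
        for (Certificate candidate : pool) {
            if (!onPath.add(candidate)) continue; // already on the current path
            if (signedBy(tip, candidate)) {
                chain.add(candidate);
                if (extend(chain, pool, anchors, onPath)) return true;
                chain.remove(chain.size() - 1); // dead end, backtrack
            }
            onPath.remove(candidate);
        }
        return false;
    }

    /** True if the issuer's public key verifies the certificate's signature. */
    private static boolean signedBy(Certificate cert, Certificate issuer) {
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // wrong key, bad signature, or unsupported algorithm
        }
    }
}
```

The result is a signature-linked chain only: validity periods, holder and authority references, and any authorization or role rules of the CVC profile in use still have to be checked on every certificate before the chain is trusted.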

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow