It seems that PKIXParameters extracts the certification path automatically, so there is no need to do it manually.
All we have to do is upload all the certificates to the keystore.
Validate a certification path
Question
I implement a SAML SP in Java.
In order to validate the certificate of the SAML response,
I extract the X509Certificate element from the SAML response and validate it against a Java keystore file to which I uploaded the IDP certificate in advance.
I use the following code to validate the certificate:
// X.509 factory used to build the path
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certFromResponse = ...; // extracted from the <ds:X509Certificate> element of the SAML response
KeyStore keyStore = getKS(); // keystore holding the IdP certificate as a trusted entry
// The keystore's trusted-certificate entries become the trust anchors
PKIXParameters params = new PKIXParameters(keyStore);
params.setRevocationEnabled(false); // no CRL/OCSP checking
// A one-element path: only the certificate taken from the response
CertPath certPath =
    certificateFactory.generateCertPath(Arrays.asList(certFromResponse));
CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
// Throws CertPathValidatorException if the path does not end at a trust anchor
CertPathValidatorResult result = certPathValidator.validate(certPath, params);
This works fine for certificates that are root CAs.
When the certificate has a certification path, the validation fails.
A possible way to handle it is to manually upload all the certificates from the path into the JKS file
with different aliases, and then extract them into a list like this:
List<Certificate> certs = new ArrayList<Certificate>();
certs.add(certFromResponse); // leaf first, then its issuers in order
if (keyStore.getCertificate("ALIAS_CA_1") != null) {
    certs.add(keyStore.getCertificate("ALIAS_CA_1"));
}
if (keyStore.getCertificate("ALIAS_CA_2") != null) {
    certs.add(keyStore.getCertificate("ALIAS_CA_2"));
}
...
// The whole chain is handed to the validator as a single path
CertPath certPath = certificateFactory.generateCertPath(certs);
Is there a more straightforward way to do it?
Is it possible to extract the certification path from the certificate itself?
Thanks!
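As an added example (not the poster's code and not part of the page's solution), the following shows the approach that lets the JDK find the chain itself instead of collecting aliases by hand: keep the CA you actually trust in the keystore as a trusted entry, hand any intermediate certificates to a CertStore, and let a PKIX CertPathBuilder locate and validate the path to the leaf taken from the SAML response. It also adds the check a SAML SP needs on top of chain validation: that the leaf is the certificate published in the IdP's metadata, since chain validation alone accepts any certificate the same CA ever issued. The class name, method names, file arguments and the metadata-certificate comparison are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Added example, not the poster's code: let the PKIX CertPathBuilder construct the chain. */
public final class SamlIdpCertCheck {

    /**
     * Builds and validates a certification path from {@code leaf} up to a trust anchor.
     * Trust anchors are the trusted-certificate entries of {@code trustStore} (the same source
     * PKIXParameters(KeyStore) uses); intermediate CA certificates come from {@code intermediates}
     * in any order and the builder picks the ones it needs.
     * Throws CertPathBuilderException if no valid path to an anchor exists.
     */
    public static PKIXCertPathBuilderResult buildAndValidate(X509Certificate leaf,
                                                             KeyStore trustStore,
                                                             Collection<X509Certificate> intermediates)
            throws Exception {
        // The builder searches for a path that ends at exactly this certificate.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // Pool of candidate certificates the builder may use to fill in the path.
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));

        // Mirrors the question; with revocation off, a revoked IdP certificate still validates.
        params.setRevocationEnabled(false);

        // The PKIX builder constructs and validates the path in one step
        // (PKIXCertPathBuilderResult extends PKIXCertPathValidatorResult).
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    /**
     * Chain validation proves only that a trusted CA issued the certificate. A SAML SP must also
     * check that it is the certificate published in the IdP's metadata; otherwise any certificate
     * from the same CA would be accepted as the IdP. (The expected certificate is an assumption
     * of this example; load it from your IdP metadata.)
     */
    public static boolean isExpectedIdpCertificate(X509Certificate leaf, X509Certificate expectedFromMetadata) {
        return leaf.equals(expectedFromMetadata);
    }

    /** Reads one PEM or DER encoded X.509 certificate from a file. */
    public static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage (file names and password are placeholders):
    //   java SamlIdpCertCheck trust.jks changeit idp-leaf.pem idp-from-metadata.pem [intermediate.pem ...]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate leaf = readCert(args[2]);
        X509Certificate expected = readCert(args[3]);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 4; i < args.length; i++) {
            intermediates.add(readCert(args[i]));
        }
        try {
            PKIXCertPathBuilderResult r = buildAndValidate(leaf, ks, intermediates);
            System.out.println("Path built: " + r.getCertPath().getCertificates().size()
                    + " certificate(s) below anchor "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            System.out.println("Matches IdP metadata certificate: " + isExpectedIdpCertificate(leaf, expected));
        } catch (CertPathBuilderException e) {
            System.out.println("No trusted path: " + e.getMessage());
        }
    }
}
```

Two points on the question's last two lines. CertPathValidator never extends a path; it only checks the path it is given against the trust anchors, so the poster's approach works only because every intermediate placed in the keystore becomes a trust anchor itself and the leaf then chains directly to one of them. With the builder above, only the CA you mean to trust needs to be a trusted entry. And a certificate does not carry its chain: at most it carries an Authority Information Access (caIssuers) URL pointing at the issuer certificate. The JDK's PKIX builder can follow that pointer over the network when the system property com.sun.security.enableAIAcaIssuers is set to true, but for an SP it is safer to ship the intermediates with the IdP metadata than to fetch them at validation time.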
Solution