Björn Kautler
2014-08-27 17:59:41 UTC
Hi there,
I have a question.
I wanted to get rid of three deprecated BC things in my code.
Unfortunately the deprecated JavaDoc is not too extensive, so I
thought I'd ask here quickly for a helping hand.
The three deprecated things I use are:
1) X509Store certStore =
       X509Store.getInstance("Certificate/Collection",
           new X509CollectionStoreParameters(certs),
           BouncyCastleProvider.PROVIDER_NAME);
This one is easy, I *thought*, as the deprecated JavaDoc tells me to use
CollectionStore instead.
The transition was rather easy:
   CollectionStore certStore = new CollectionStore(certs);
But as it turns out it is not that easy, because with this I get the
following stack trace:
java.lang.ClassCastException: org.bouncycastle.util.CollectionStore
cannot be cast to java.security.cert.CertStore
at org.bouncycastle.jce.provider.CertPathValidatorUtilities.findCertificates(CertPathValidatorUtilities.java:742)
at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:83)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at ...
2) X509LDAPCertStoreParameters.Builder builder =
       new X509LDAPCertStoreParameters.Builder("ldap://ldap.company.com",
           "ou=certification department,o=company,c=com");
   builder.setCertificateRevocationListAttribute("certificateRevocationList;binary");
   builder.setDeltaRevocationListAttribute("deltaRevocationList;binary");
   X509Store cRLStore = X509Store.getInstance("CRL/LDAP",
       builder.build(), BouncyCastleProvider.PROVIDER_NAME);
Here the deprecated message says the same as for 1) of course, but
that is not really helpful as I'm not producing a Collection-based
CertStore here, but an LDAP-based one.
I cannot find an obvious replacement.
Or am I supposed to use X509StoreLDAPCRLs or LDAPStoreHelper directly,
as those are not deprecated?
(Btw., do I really need to set the ListAttributes myself? Isn't
this standardised to the ones I set manually?)
3a) X509CertStoreSelector certSelector = new X509CertStoreSelector();
    certSelector.setKeyUsage(new boolean[] { false, false, false,
        false, false, false, true, false, false });
    X509Store cRLIssuersCertStore =
        X509Store.getInstance("Certificate/Collection",
            new X509CollectionStoreParameters(issuersCertStore.getMatches(certSelector)),
            BouncyCastleProvider.PROVIDER_NAME);
3b) Collection rootCertificates =
        certIssuersCertStore.getMatches(new X509CertStoreSelector() {
            @Override
            public boolean match(Object obj) {
                if (!(obj instanceof X509Certificate)) {
                    return false;
                }
                X509Certificate x509Certificate = (X509Certificate) obj;
                return x509Certificate.getIssuerDN().equals(x509Certificate.getSubjectDN())
                    && super.match(obj);
            }
        });
    Set<TrustAnchor> trustAnchors = new HashSet<>();
    for (Object certificate : rootCertificates) {
        trustAnchors.add(new TrustAnchor((X509Certificate) certificate, null));
    }
3c) X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
    targetConstraints.setCertificate(authenticationCertificate);
    ExtendedPKIXBuilderParameters extendedPKIXBuilderParameters =
        new ExtendedPKIXBuilderParameters(trustAnchors, targetConstraints);
For this the deprecated message was even less helpful. It says to "use
the classes under org.bouncycastle.cert.selector".
Does that mean I need to add bc-pkix just for that?
Even then, I'm not sure how to achieve what I need.
It would be great if someone could help me out on these things.
Regards
Bjoern
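Added example (not from Björn's post and not Bouncy Castle's own code): the stack trace above shows that BC's PKIXCertPathBuilderSpi casts whatever it is handed to java.security.cert.CertStore, so the three deprecated usages map onto the plain JCA classes in java.security.cert rather than onto BC's CollectionStore. The code below redoes 1), 2), 3a), 3b) and 3c) that way; it needs no BC jar at all, and passing "BC" as the provider name to CertPathBuilder.getInstance would route the same parameters through BC's builder. The file paths in main, the LDAP host and port, and the KEY_USAGE_CRL_SIGN constant (bit 6 of the RFC 5280 KeyUsage string, the one the original boolean array sets) are assumptions for the demo. One caveat carried over from 3b): equal issuer and subject names alone do not make a certificate self-signed, so the example also verifies the certificate with its own key before using it as a trust anchor.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

/** The three deprecated X509Store / X509CertStoreSelector usages redone with the JCA API. */
public class PkixMigration {

    /** Index of the cRLSign bit in the RFC 5280 KeyUsage bit string (assumed, matches the original 3a). */
    private static final int KEY_USAGE_CRL_SIGN = 6;

    /** Reads every PEM or DER certificate from a stream, e.g. a CA bundle file. */
    static Collection<X509Certificate> loadCertificates(InputStream in) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        Collection<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : factory.generateCertificates(in)) {
            certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** 1) "Certificate/Collection" X509Store -> JCA "Collection" CertStore, the type the PKIX builder expects. */
    static CertStore collectionStore(Collection<? extends Certificate> certs) throws GeneralSecurityException {
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
    }

    /** 2) "CRL/LDAP" X509Store -> JCA "LDAP" CertStore; it queries the standard LDAP PKI schema
     *  attributes (certificateRevocationList;binary etc.) itself, so nothing is set by hand. */
    static CertStore ldapStore(String host, int port) throws GeneralSecurityException {
        return CertStore.getInstance("LDAP", new LDAPCertStoreParameters(host, port));
    }

    /** 3a) Certificates allowed to sign CRLs, selected with the JCA selector's key-usage filter. */
    static Collection<? extends Certificate> crlIssuers(CertStore store) throws CertStoreException {
        X509CertSelector selector = new X509CertSelector();
        boolean[] keyUsage = new boolean[9];
        keyUsage[KEY_USAGE_CRL_SIGN] = true;
        selector.setKeyUsage(keyUsage);
        return store.getCertificates(selector);
    }

    /** 3b) Self-signed certificates become trust anchors; the signature is checked, not just the names. */
    static Set<TrustAnchor> selfSignedAnchors(Collection<X509Certificate> certs) {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : certs) {
            if (!c.getIssuerX500Principal().equals(c.getSubjectX500Principal())) {
                continue;
            }
            try {
                c.verify(c.getPublicKey());
            } catch (GeneralSecurityException e) {
                continue; // names match but the certificate is not signed by its own key: no anchor
            }
            anchors.add(new TrustAnchor(c, null));
        }
        return anchors;
    }

    /** 3c) ExtendedPKIXBuilderParameters -> PKIXBuilderParameters with a target selector and a cert store. */
    static CertPath buildPath(Set<TrustAnchor> anchors, CertStore intermediates, X509Certificate target,
                              boolean checkRevocation) throws GeneralSecurityException {
        X509CertSelector targetConstraints = new X509CertSelector();
        targetConstraints.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
        params.addCertStore(intermediates);
        params.setRevocationEnabled(checkRevocation);
        // CertPathBuilder.getInstance("PKIX", "BC") takes the same parameters once the BC provider is registered
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        return result.getCertPath();
    }

    /** Usage: java PkixMigration <ca-bundle.pem> <target-cert.pem> (assumed file paths). */
    public static void main(String[] args) throws Exception {
        Collection<X509Certificate> bundle;
        X509Certificate target;
        try (InputStream in = new FileInputStream(args[0])) {
            bundle = loadCertificates(in);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            target = loadCertificates(in).iterator().next();
        }
        CertStore store = collectionStore(bundle);
        Set<TrustAnchor> anchors = selfSignedAnchors(bundle);
        System.out.println("trust anchors: " + anchors.size());
        System.out.println("CRL issuers:   " + crlIssuers(store).size());
        // revocation is disabled here only so the demo runs on a bundle without CRL access;
        // a real validator keeps it enabled and adds ldapStore(...) (or a CRL collection) to params
        CertPath path = buildPath(anchors, store, target, false);
        System.out.println("path length:   " + path.getCertificates().size());
    }
}
```

The selector in 3b) is replaced by a plain loop because the JCA X509CertSelector is not meant to be subclassed for custom matching; filtering the collection before building the CertStore gives the same result. For the LDAP case, the JCA store takes the server host and port rather than an LDAP URL and base DN, and the attribute names are fixed by the standard schema, which answers the question of whether they have to be set manually.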