New API to indicate the reason a certificate chain was invalid
In JDK 7, we have added a new method (getReason) to the java.security.cert.CertPathValidatorException class which returns an object indicating the reason a certificate chain, or CertPath, is invalid. Previously, there was no standard mechanism to determine the reason for the failure, and applications had to depend on the exception message or the cause, both of which could vary with the underlying service provider implementation.
The getReason method returns an instance of CertPathValidatorException.Reason, which is an interface. Two enum types implement this interface. One is BasicReason, which enumerates reasons that can apply to certificate chains of any type (X.509, PGP, etc.); it contains reasons such as EXPIRED (the certificate has expired) or INVALID_SIGNATURE. The other is PKIXReason, which enumerates the PKIX-specific reasons that an X.509 certification path may be invalid according to the PKIX (RFC 3280) standard, for example UNRECOGNIZED_CRIT_EXT. Here's an example of how you might use these new APIs in an application that validates certificate chains:
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;

// path is the CertPath to validate and params the PKIXParameters (trust anchors, etc.)
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
try {
    CertPathValidatorResult cpvr = cpv.validate(path, params);
} catch (CertPathValidatorException cpve) {
    // getReason() yields a BasicReason or PKIXReason constant (UNSPECIFIED if the provider set none);
    // getIndex() is the position of the offending certificate in the chain, or -1 if not applicable
    CertPathValidatorException.Reason reason = cpve.getReason();
    int index = cpve.getIndex();
    System.err.println("Invalid certificate chain, certificate[" + index + "], reason: " + reason);
}
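The snippet above only prints the reason. As an added example (not code from the original post or from the JDK), the class below shows how an application can branch on getReason() in a type-safe way instead of parsing exception messages: transient conditions such as an unreachable CRL/OCSP source or a clock-skew-looking validity failure are separated from fatal ones, PKIXReason values are handled as a group, and any reason not recognised falls through to a fatal verdict. For REVOKED it also looks at the cause; the assumption, labelled in the code, is that the PKIX provider attaches a java.security.cert.CertificateRevokedException carrying the revocation date and CRL reason. Because building a real CertPath needs certificates, main() constructs CertPathValidatorException objects directly (with a null path and index -1, the only combination the constructor allows without a path) purely to exercise the classifier.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertPathValidatorException.Reason;
import java.security.cert.CertificateRevokedException;
import java.security.cert.CRLReason;
import java.security.cert.Extension;
import java.security.cert.PKIXReason;
import java.util.Collections;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

public class ReasonDemo {

    /** Verdict a caller can act on: whether a later retry could succeed, plus a log-friendly message. */
    public static final class Verdict {
        public final boolean retryable;
        public final String message;
        Verdict(boolean retryable, String message) { this.retryable = retryable; this.message = message; }
        @Override public String toString() { return (retryable ? "RETRYABLE " : "FATAL ") + message; }
    }

    /** Map a validation failure to a verdict using getReason(), never the free-text message. */
    public static Verdict classify(CertPathValidatorException e) {
        Reason reason = e.getReason();   // never null: BasicReason.UNSPECIFIED if the provider set none
        int index = e.getIndex();        // -1 when no particular certificate is to blame
        String where = index >= 0 ? "certificate[" + index + "]" : "chain";

        if (reason instanceof BasicReason) {
            switch ((BasicReason) reason) {
                case EXPIRED:
                case NOT_YET_VALID:
                    // Often clock skew on the validating host; worth re-checking before alarming.
                    return new Verdict(true, where + " outside its validity period: " + reason);
                case UNDETERMINED_REVOCATION_STATUS:
                    // CRL/OCSP source unreachable; the chain itself may still be good.
                    return new Verdict(true, where + " revocation status could not be determined");
                case REVOKED:
                    return new Verdict(false, where + " revoked" + revocationDetails(e));
                case INVALID_SIGNATURE:
                case ALGORITHM_CONSTRAINED:
                    return new Verdict(false, where + " cryptographically rejected: " + reason);
                default:
                    return new Verdict(false, where + " rejected: " + reason);
            }
        }
        if (reason instanceof PKIXReason) {
            // Structural or policy violations of the X.509 path, e.g. NO_TRUST_ANCHOR or PATH_TOO_LONG.
            return new Verdict(false, where + " violates PKIX rule " + reason);
        }
        // A provider-specific Reason implementation this code does not know about.
        return new Verdict(false, where + " rejected for unrecognised reason " + reason
                + " (" + e.getMessage() + ")");
    }

    /**
     * Assumption (not stated in the post): the JDK 7 PKIX provider sets a
     * CertificateRevokedException as the cause when the reason is REVOKED.
     * When that holds, the revocation date and CRL reason code are available from it.
     */
    static String revocationDetails(CertPathValidatorException e) {
        Throwable cause = e.getCause();
        if (cause instanceof CertificateRevokedException) {
            CertificateRevokedException cre = (CertificateRevokedException) cause;
            return " on " + cre.getRevocationDate() + " by " + cre.getAuthorityName()
                    + ", CRL reason " + cre.getRevocationReason();
        }
        return "";
    }

    public static void main(String[] args) {
        // Constructed exceptions standing in for what CertPathValidator.validate() would throw.
        CertificateRevokedException revokedCause = new CertificateRevokedException(
                new Date(0L), CRLReason.KEY_COMPROMISE,
                new X500Principal("CN=Example Issuing CA, O=Example"),   // constructed issuer name
                Collections.<String, Extension>emptyMap());

        CertPathValidatorException[] samples = {
            new CertPathValidatorException("validity check failed", null, null, -1, BasicReason.EXPIRED),
            new CertPathValidatorException("could not fetch CRL", null, null, -1,
                    BasicReason.UNDETERMINED_REVOCATION_STATUS),
            new CertPathValidatorException("certificate revoked", revokedCause, null, -1, BasicReason.REVOKED),
            new CertPathValidatorException("no trust anchor", null, null, -1, PKIXReason.NO_TRUST_ANCHOR),
            new CertPathValidatorException("unspecified failure", null, null, -1, BasicReason.UNSPECIFIED),
        };
        for (CertPathValidatorException e : samples) {
            System.out.println(classify(e));
        }
    }
}
```

Compile and run with javac ReasonDemo.java && java ReasonDemo on JDK 7 or later. The retryable flag is the design point: treating UNDETERMINED_REVOCATION_STATUS as merely retryable is a soft-fail choice that an application should make deliberately (a hard-fail policy would return false there), and making that choice on the Reason constant rather than on message text keeps it stable across provider implementations.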
Hi,
When the reason is REVOKED, where can I find the revocation reason and time?
Add a RevokedInfo and an UnknownInfo structure in REASON?
Posted by 124.254.59.228 on August 10, 2009 at 06:44 PM PDT #
It was a very nice idea! Just wanna say thank you for the information you have shared. Just continue writing this kind of post. I will be your loyal reader. Thanks again.
Posted by Abercrombie and Fitch on November 08, 2009 at 12:23 AM PST #