
When the checkServerTrusted method of classes implementing X509TrustManager is invoked, I need to get ALL validation errors that are associated with a certificate chain including

  1. Certificate path validation problems, e.g. CA not trusted
  2. Certificate field validation problems, e.g. expired certificate, invalid extended key usage

The motivation behind this is so that I can present the user with the certificate validation issues before he adds it as an "exception" as Firefox does now. However, right now, as soon as a path validation issue is found, a CertPathValidatorException is thrown, but it gives me no information about the validity of the fields in the certificate. How can I implement this?

After some reading, I found the CertPath API provides such features, and found that the PKIX implementation is a wrapper around this, but just does not return the CertPathValidatorResult. I would like to make maximum use of existing Java functionality (without writing my own custom wrapper to the API) while returning all validation issues.

varrunr
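The following is an added example, not code from the question or from the JDK; it shows one way to collect every problem in a server chain with the standard CertPath API rather than stopping at the first one. It does two independent passes: per-certificate field checks (validity period, extended key usage) that run for every certificate, and a PKIX path validation whose CertPathValidatorException reports the reason and the index of the offending certificate. Because both passes work on the X509Certificate[] alone, the same method can be called from a custom X509TrustManager.checkServerTrusted() or from any other point where the chain is available. The class name ChainIssueCollector, the issue-string format and the PEM-file usage in main() are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example (not JDK code): gathers all field and path problems of a server chain. */
public class ChainIssueCollector {

    // id-kp-serverAuth; a leaf whose EKU extension is present but lacks it is not a TLS server cert.
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    private final Set<TrustAnchor> anchors;

    public ChainIssueCollector(Set<TrustAnchor> anchors) {
        this.anchors = anchors;
    }

    /** Builds the collector from the JDK default trust store (cacerts) via the default TrustManagerFactory. */
    public static ChainIssueCollector withDefaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return new ChainIssueCollector(anchors);
    }

    /** Returns every issue found; an empty list means the chain passed all checks here. */
    public List<String> collect(X509Certificate[] chain) throws Exception {
        List<String> issues = new ArrayList<>();

        // Pass 1: per-certificate field checks. These never depend on path status,
        // so an untrusted CA cannot hide an expired leaf, and vice versa.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            String who = "cert[" + i + "] " + c.getSubjectX500Principal().getName();
            try {
                c.checkValidity();
            } catch (CertificateExpiredException e) {
                issues.add(who + ": expired on " + c.getNotAfter());
            } catch (CertificateNotYetValidException e) {
                issues.add(who + ": not valid before " + c.getNotBefore());
            }
            if (i == 0) { // only the leaf needs the serverAuth purpose
                List<String> eku = c.getExtendedKeyUsage(); // null when the extension is absent
                if (eku != null && !eku.contains(EKU_SERVER_AUTH)) {
                    issues.add(who + ": extended key usage lacks id-kp-serverAuth: " + eku);
                }
            }
        }

        // Pass 2: PKIX path validation. The exception carries the failing index and reason.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain)); // leaf first, as TLS sends it
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // keeps the example offline; enable revocation in production
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            issues.add("path: " + e.getReason() + " at index " + e.getIndex() + ": " + e.getMessage());
        }
        return issues;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ChainIssueCollector chain.pem   (PEM-concatenated chain, leaf first)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        List<String> issues = ChainIssueCollector.withDefaultAnchors().collect(chain);
        if (issues.isEmpty()) {
            System.out.println("chain OK");
        } else {
            issues.forEach(System.out::println);
        }
    }
}
```

Two caveats for using this in a Firefox-style exception dialog: PKIX validation itself still stops at the first failure, which is exactly why the field checks run separately and first; and the path handed to the validator should not contain the trust anchor itself, so if a server sends its self-signed root, drop it from the array before calling generateCertPath. Whatever the dialog shows, the connection must still be rejected until the user explicitly accepts, and an accepted exception should be pinned to that exact certificate, not to the host name.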

1 Answer


You won't even get to X509TrustManager.checkServerTrusted() if there was a certificate error. You would need to hook the certificate handling at an earlier point, and I don't believe there is one in JSSE.

user207421
  • I don't believe that's true. From the stack trace, the checkServerTrusted method is the one that is doing the validation of the certificate. By certificate error, if you mean that the certificate is not formatted right, maybe so, but not otherwise. – varrunr Jul 16 '13 at 03:44
  • checkServerTrusted() checks whether a valid peer certificate is trusted. If the certificate isn't valid it won't be called. This seems obvious to me. – user207421 Jul 16 '13 at 09:58
  • Have you actually tried testing your hypothesis, like with an expired certificate? I have, and AFAIK the validation is done by the PKIXValidator, which is invoked by the checkServerTrusted() method. See the stack trace at http://pastebin.com/TE0SwZ6B – varrunr Jul 16 '13 at 17:39