import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
private boolean pkixValidate(X509Certificate[] certChain, EntitiesDescriptor group) {
+ log.debug("Attemping to validate against parent group.");
if (group instanceof ExtendedEntitiesDescriptor) {
Iterator keyAuthorities = ((ExtendedEntitiesDescriptor) group).getKeyAuthorities();
// if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
// If not, attempt to walk up the chain for validation
EntitiesDescriptor parent = group.getEntitiesDescriptor();
- if (group != null) {
- if (pkixValidate(certChain, group)) { return true; }
+ if (parent != null) {
+ if (pkixValidate(certChain, parent)) { return true; }
}
return false;
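Review bot: The new debug message on the first added line is misspelled: `log.debug("Attempting to validate against parent group.");` — it is the only trace a reader of the logs gets when the chain walk recurses, so it is worth getting right. The `parent` rename on the `if`/`pkixValidate` lines is the actual fix (the old code recursed on `group`, which is never null at that point), and the recursion now terminates only when `getEntitiesDescriptor()` returns null at the root group, which I assume is the intended contract but cannot confirm from the hunk. The key-authority branch between the `getKeyAuthorities()` line and the `parent` lookup appears elided here, and pkixValidate's body continues outside the hunk.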
KeyInfo keyInfo = (KeyInfo) keyInfos.next();
if (keyInfo.containsX509Data()) {
try {
- anchors.add(keyInfo.getX509Certificate());
+ anchors.add(new TrustAnchor(keyInfo.getX509Certificate(), null));
} catch (KeyResolverException e) {
log.error("Encountered an error constructing trust list from shibboleth metadata: " + e);
}
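Review bot: The added `anchors.add(new TrustAnchor(keyInfo.getX509Certificate(), null))` can throw a NullPointerException that the surrounding `catch (KeyResolverException e)` does not cover: `containsX509Data()` on the line above only says an X509Data element is present, and as far as I recall `getX509Certificate()` returns null when that element carries no certificate (e.g. only a subject name or issuer/serial), while the TrustAnchor constructor rejects a null certificate. Guard it so a malformed key authority is skipped rather than aborting trust-list construction: `X509Certificate cert = keyInfo.getX509Certificate();` / `if (cert != null) { anchors.add(new TrustAnchor(cert, null)); }`. The enclosing method and the `anchors` declaration are outside the hunk, so I could not check whether an empty anchor set is handled by the caller.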