in src/main/java/com/company/license/CheckLicense.java [231:274]
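/**
 * Parses the certificate that signed the license and checks that a PKIX certification path can be
 * built and validated from it to one of the built-in {@code ROOT_CERTIFICATES}.
 *
 * <p>The intermediate certificates are supplied by the caller and are treated as untrusted: they
 * are only offered to the path builder as candidates through a cert store and are never added as
 * trust anchors.
 *
 * @param certBytes encoded X.509 certificate to verify
 * @param intermediateCertsBytes encoded X.509 certificates that may be used to complete the chain
 * @param checkValidityAtCurrentDate {@code true} to evaluate validity periods at the current time;
 *     {@code false} to evaluate them at the start of the certificate's own validity period
 * @return the parsed certificate, once its certification path has been validated
 * @throws Exception if {@code certBytes} or an intermediate cannot be parsed (the parsing exception
 *     propagates unchanged), or if no valid path to a root certificate exists; in the latter case
 *     the underlying failure, when there is one, is attached as the cause
 */
private static X509Certificate createCertificate(byte[] certBytes, Collection<byte[]> intermediateCertsBytes, boolean checkValidityAtCurrentDate) throws Exception {
    final CertificateFactory x509factory = CertificateFactory.getInstance("X.509");
    final X509Certificate cert = (X509Certificate) x509factory.generateCertificate(new ByteArrayInputStream(certBytes));

    // Candidate pool for chain building: the target certificate plus the caller-supplied intermediates.
    final Collection<Certificate> allCerts = new HashSet<>();
    allCerts.add(cert);
    for (byte[] bytes : intermediateCertsBytes) {
        allCerts.add(x509factory.generateCertificate(new ByteArrayInputStream(bytes)));
    }

    // Remembered so that the rejection thrown at the end can report why the chain was refused.
    Exception failure = null;
    try {
        // The selector pins the path builder to exactly this certificate as the chain's target.
        final X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(cert);

        // Only the built-in roots are trust anchors (no name constraints are applied).
        // presumably ROOT_CERTIFICATES holds PEM text, since each entry is parsed from its UTF-8 bytes; verify
        final Set<TrustAnchor> trustAnchors = new HashSet<>();
        for (String rc : ROOT_CERTIFICATES) {
            trustAnchors.add(new TrustAnchor(
                (X509Certificate) x509factory.generateCertificate(new ByteArrayInputStream(rc.getBytes(StandardCharsets.UTF_8))), null
            ));
        }

        final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        // NOTE(review): revocation checking is off, so a revoked certificate in the chain is still
        // accepted by this method; confirm that revocation is handled elsewhere or is out of scope.
        pkixParams.setRevocationEnabled(false);
        if (!checkValidityAtCurrentDate) {
            // Deliberately evaluate validity at the start of the certificate's validity period, so the
            // result does not depend on the moment the check is performed. In this mode an expired
            // certificate still passes; any expiry policy has to be enforced by the caller (TODO confirm).
            pkixParams.setDate(cert.getNotBefore());
        }
        pkixParams.addCertStore(
            CertStore.getInstance("Collection", new CollectionCertStoreParameters(allCerts))
        );

        // Build the certification path, then validate it under the same parameters.
        final CertPath path = CertPathBuilder.getInstance("PKIX").build(pkixParams).getCertPath();
        if (path != null) {
            CertPathValidator.getInstance("PKIX").validate(path, pkixParams);
            return cert;
        }
    }
    catch (Exception e) {
        // The broad catch is kept so every failure still surfaces as the same rejection below,
        // but the exception is no longer discarded.
        failure = e;
    }

    final Exception rejection = new Exception ("Certificate used to sign the license is not signed by JetBrains root certificate");
    if (failure != null) {
        rejection.initCause(failure);
    }
    throw rejection;
}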