Check certificate validity

I'm using the SSL lib 2.2.3 (ej.api).

I want to check a certificate's validity (its date range).

	import java.io.InputStream;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateException;
	import java.security.cert.CertificateFactory;
	import java.security.cert.X509Certificate;

	// certPath is only used for the log line; certStream is the DER/PEM stream of the certificate
	static void checkCertificate(String certPath, InputStream certStream) throws CertificateException {
		// Create a CertificateFactory and generate the certificate
		CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
		Certificate localCert = certificateFactory.generateCertificate(certStream);

		// Cast to X509Certificate for additional operations
		X509Certificate X509_localCert = (X509Certificate) localCert;

		// Check certificate validity: throws CertificateExpiredException or
		// CertificateNotYetValidException if the current date is outside the validity period
		X509_localCert.checkValidity();

		// If no exception is thrown, the certificate is valid
		System.out.println(certPath + " is valid: Issuer: " + X509_localCert.getIssuerX500Principal());
	}

checkValidity always returns this error:

java.lang.IllegalStateException: Unexpected error, error code: -1
at java.lang.System.@M:0x1cbde0:0x1cbdea@
at java.lang.Throwable.@M:0x1db9c0:0x1db9d6@
at java.lang.Throwable.@M:0x1c158c:0x1c159e@
at java.lang.Exception.@M:0x1cb85c:0x1cb86e@
at java.lang.RuntimeException.@M:0x1db274:0x1db286@
at java.lang.IllegalStateException.@M:0x1be080:0x1be092@
at com.is2t.support.security.x509.X509CertSupport.@M:0x1b64c8:0x1b6568@
at com.is2t.support.security.x509.X509CertImpl.@M:0x1b9938:0x1b9948@
at com.bodet.terminalw.testsoft.network.NetworkAPI.@M:0x1bfe10:0x1bfec8@
at com.bodet.terminalw.testsoft.network.NetworkAPI.@M:0x1c988c:0x1c98d0@
at com.bodet.terminalw.testsoft.network.NetworkAPI.@M:0x1d6fcc:0x1d7054@
at com.bodet.terminalw.testsoft.main.MainThread.@M:0x1e7458:0x1e7ac0@
at java.lang.Thread.@M:0x1e9f44:0x1e9f50@
at java.lang.Thread.@M:0x1e9fb0:0x1e9fbb@

Is it normal?

Hello Tom,

Looking at the implementation, the IllegalStateException is thrown when the native stack (the crypto engine backend) returns an unknown error code (in this case -1) on the call to X509CertSupportNatives.checkValidity().

Can you specify which crypto engine you are using? (OpenSSL? MbedTLS? WolfCrypt? …)
Can you take a look at the native implementation of checkValidity()?

For proper error handling, it should return: J_SEC_NO_ERROR (0), J_X509_CERT_EXPIRED_ERROR (-11) or J_X509_CERT_NOT_YET_VALID_ERROR (-12).
For other errors, it can return custom error ids or throw a custom exception (potentially with error message) to provide more information on the error.

Let us know if you are using a SECURITY abstraction layer implementation and/or VEE Port distributed by MicroEJ.

Also, a typical reason a certificate validity check fails is that the system time was not updated (e.g. using NTP).

Notes:
a. This is unrelated to the SSL API. The certificate API you are using is provided by the SECURITY (crypto) foundation library. Also, the version of its implementation depends on the version of the NET pack integrated in your VEE Port.
b. You can decode your stack trace with the Stack Trace Reader.

Best regards,
Rémy
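The contract described in the answer above, as an added example that is not part of the original thread and not MicroEJ's own SECURITY implementation: a native-style validity check that returns the three documented codes (0, -11, -12), a distinct custom id instead of a bare -1 when the backend cannot decode the certificate, a helper that flags the unsynchronized-clock case, and a mapping that mirrors what the Java layer does with each code. The `cert_validity_t` struct, `check_validity`, `java_outcome`, `clock_looks_unset`, the `J_X509_CERT_DECODE_ERROR` code, the mapping of -11/-12 to the standard Java exceptions and the sample dates are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Error codes named in the answer above (values as stated there). */
#define J_SEC_NO_ERROR                    0
#define J_X509_CERT_EXPIRED_ERROR       (-11)
#define J_X509_CERT_NOT_YET_VALID_ERROR (-12)
/* Hypothetical custom id for "backend could not decode the certificate".
   Any code other than the three above is what the Java layer reports as
   "Unexpected error, error code: N"; the point is to never return a bare -1. */
#define J_X509_CERT_DECODE_ERROR        (-100)

/* Assumed (hypothetical) result of the crypto backend's parse step:
   the validity window as UTC epoch seconds. */
typedef struct {
    int    decoded;     /* 0 if the backend failed to parse the DER/PEM */
    time_t not_before;  /* tbsCertificate.validity.notBefore */
    time_t not_after;   /* tbsCertificate.validity.notAfter */
} cert_validity_t;

/* A clock before 2000-01-01T00:00:00Z means the RTC was never set
   (e.g. NTP has not run yet); every certificate then looks "not yet valid". */
#define EPOCH_2000 946684800L

int clock_looks_unset(time_t now) {
    return now < EPOCH_2000;
}

/* Mirrors the contract the answer describes for the native checkValidity():
   0 inside the window, -11 when expired, -12 when not yet valid,
   and a distinct custom id (never -1) for any other failure. */
int check_validity(const cert_validity_t *cert, time_t now) {
    if (cert == NULL || !cert->decoded) {
        return J_X509_CERT_DECODE_ERROR;
    }
    if (now < cert->not_before) {
        return J_X509_CERT_NOT_YET_VALID_ERROR;
    }
    if (now > cert->not_after) {
        return J_X509_CERT_EXPIRED_ERROR;
    }
    return J_SEC_NO_ERROR;
}

/* Assumed Java-side handling of the code: the two known error codes become
   the matching java.security.cert exception, anything else becomes the
   IllegalStateException seen in the stack trace above. */
const char *java_outcome(int code, char *buf, size_t buflen) {
    switch (code) {
    case J_SEC_NO_ERROR:
        return "valid";
    case J_X509_CERT_EXPIRED_ERROR:
        return "CertificateExpiredException";
    case J_X509_CERT_NOT_YET_VALID_ERROR:
        return "CertificateNotYetValidException";
    default:
        snprintf(buf, buflen, "IllegalStateException: Unexpected error, error code: %d", code);
        return buf;
    }
}

int main(void) {
    /* Constructed sample: a certificate valid from 2024-01-01 to 2025-01-01 (UTC). */
    cert_validity_t cert = { 1, 1704067200L, 1735689600L };
    /* Constructed probe times: unset clock, before notBefore, inside, after notAfter. */
    time_t probes[] = { 0L, 1700000000L, 1720000000L, 1740000000L };
    char buf[96];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int code = check_validity(&cert, probes[i]);
        printf("now=%ld clock_unset=%d -> %d (%s)\n", (long)probes[i],
               clock_looks_unset(probes[i]), code, java_outcome(code, buf, sizeof buf));
    }
    cert_validity_t broken = { 0, 0, 0 };
    int code = check_validity(&broken, 1720000000L);
    printf("undecodable cert -> %d (%s)\n", code, java_outcome(code, buf, sizeof buf));
    return 0;
}
```

When debugging the -1 on a real VEE Port, the useful step is the inverse of `java_outcome`: find the `return -1` (or whatever the backend's error is passed through as) in the native checkValidity() and replace it with one of the documented codes or a custom id, and check `clock_looks_unset`-style whether the device clock had been set before the first TLS handshake.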