How to use BouncyCastle to get the certification path between a root CA and an end entity?

I have a root CA, a set of intermediate CAs and an end entity. All represented as org.bouncycastle.cert.X509CertificateHolder instances. How can I get the certification path (aka certificate chain) between the root and the end entity, or get an exception if no path was found?

Here's how to do it with pure Java code, but since I'm already using BouncyCastle, I think it'd be more performant and maintainable to use BouncyCastle for this too -- Also, I'd prefer to avoid converting between Java and BC certificates so that I can return a subset of the original certificate instances.

I've found the package org.bouncycastle.cert.path but I can't figure out if it'd help me or how to use it (I can't find any examples).

Note that the set of intermediate certificates can be empty or contain superfluous certificates that aren't part of the chain. Also, as a set, it won't be ordered.

It sounds like you need a CertPathBuilder since you don't have a proposed chain, just a "pile of certificates". The BC provider includes a CertPathBuilder implementation (e.g. CertPathBuilder.getInstance("PKIX", "BC")), used just as described at the link you gave.

BC's pkix jar, whilst having some suggestively-named packages, doesn't have the tools to replicate a CertPathBuilder (probably not even a complete CertPathValidator). A certain amount of certificate format conversions is a fact of life; there may be ways to minimise it. Perhaps take it up on the BC mailing list once you have a working example.