Example 6 with CertPath
use of java.security.cert.CertPath in project OpenAM by OpenRock.
the class AMCertPath method verify.
/**
* It does cert path validation together with CRL check and ocsp checking
* if they are properly configured.
* @param certs
**/
public boolean verify(X509Certificate[] certs, boolean crlEnabled, boolean ocspEnabled) {
/*
The entire contents of this method must be synchronized for the following reasons:
1. The CertPathValidator#validate method is not thread-safe
2. even if a non-static CertPathValidator instance were obtained in this method, each instance references
the ocsp-related properties in the Security class. Thus the state set in Security.setProperty("ocsp.enable", true/false)
will affect all CertPathValidator instances.
Note that despite the synchronized block, the fact that static Security properties are being set and referenced
exposes the code below to data races in the context of these Security properties. Currently, Security.setProperties
is not being called from anywhere in the OpenAM code base. If this were to change, and the "ocsp.enable" property
were manipulated, the OCSP-based checking below would be susceptible to data races. There does not seem to
be an alternative however: the section on PKIXParameters here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#Introduction
mentions setting PKIXCertPathChecker implementations to do CRL or OCSP based checking, but there is no remove
method, and the state returned from getCertPathCheckers is immutable.
*/
synchronized (AMCertPath.class) {
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: invoked !");
}
try {
final List<X509Certificate> certList = Arrays.asList(certs);
final CertPath cp = (CertPath) cf.generateCertPath(certList);
// init PKIXParameters
Class<?> trustMgrClass = Class.forName("com.sun.identity.security.keystore.AMX509TrustManager");
Object trustMgr = (Object) trustMgrClass.newInstance();
Method method = trustMgrClass.getMethod("getKeyStore");
KeyStore keystore = (KeyStore) method.invoke(trustMgr);
PKIXParameters pkixparams = new PKIXParameters(keystore);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: crlEnabled ---> " + crlEnabled);
debug.message("AMCertPath.verify: ocspEnabled ---> " + ocspEnabled);
}
pkixparams.setRevocationEnabled(crlEnabled || ocspEnabled);
if (ocspEnabled) {
final String responderURLString = getResponderURLString();
if (!StringUtils.isBlank(responderURLString)) {
Security.setProperty(OCSP_ENABLE, TRUE);
Security.setProperty(OCSP_RESPONDER_URL, responderURLString);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: pkixparams.setRevocationEnabled " + "set to true, and ocsp.enabled set to true with a OCSP responder url of " + responderURLString);
}
} else {
//OCSP revocation checking not configured properly. Disable the check if crl-based checking not enabled
pkixparams.setRevocationEnabled(crlEnabled);
Security.setProperty(OCSP_ENABLE, FALSE);
debug.error("AMCertPath.verify: OCSP is enabled, but the " + "com.sun.identity.authentication.ocsp.responder.url property does not specify a OCSP " + "responder. OCSP checking will NOT be performed.");
}
} else {
//the Security properties are static - if we are doing crl validation, insure that the property
//is not present which will toggle OCSP checking.
Security.setProperty(OCSP_ENABLE, FALSE);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: pkixparams Security property ocsp.enabled set to false.");
}
}
if (store != null) {
pkixparams.addCertStore(store);
}
if (debug.messageEnabled()) {
StringBuilder sb = new StringBuilder("The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator: \n");
sb.append("\tgetInitialPolicies: ").append(pkixparams.getInitialPolicies()).append('\n');
sb.append("\tisExplicitPolicyRequired: ").append(pkixparams.isExplicitPolicyRequired()).append('\n');
sb.append("\tisPolicyMappingInhibited: ").append(pkixparams.isPolicyMappingInhibited()).append('\n');
debug.message(sb.toString());
}
// validate
CertPathValidatorResult cpvResult = cpv.validate(cp, pkixparams);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: PASS " + cpvResult.toString());
}
} catch (java.security.cert.CertPathValidatorException e) {
debug.error("AMCertPath.verify: FAILED - " + e.getMessage());
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: FAILED", e);
}
return false;
} catch (Throwable t) {
debug.error("AMCertPath.verify: FAILED", t);
return false;
}
return true;
}
}
Also used :
Method(java.lang.reflect.Method)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
PKIXParameters(java.security.cert.PKIXParameters)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
Example 7 with CertPath
use of java.security.cert.CertPath in project jdk8u_jdk by JetBrains.
the class BuildEEBasicConstraints method main.
public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
TrustAnchor anchor = new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
X509CertSelector sel = new X509CertSelector();
sel.setBasicConstraints(-2);
PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(anchor), sel);
params.setRevocationEnabled(false);
X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
certs.add(caCert);
certs.add(eeCert);
CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs);
CertStore cs = CertStore.getInstance("Collection", ccsp);
params.addCertStore(cs);
PKIXCertPathBuilderResult res = CertUtils.build(params);
CertPath cp = res.getCertPath();
// check that first certificate is an EE cert
List<? extends Certificate> certList = cp.getCertificates();
X509Certificate cert = (X509Certificate) certList.get(0);
if (cert.getBasicConstraints() != -1) {
throw new Exception("Target certificate is not an EE certificate");
}
}
Also used :
CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters)
PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters)
PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult)
ArrayList(java.util.ArrayList)
TrustAnchor(java.security.cert.TrustAnchor)
X509CertSelector(java.security.cert.X509CertSelector)
CertPath(java.security.cert.CertPath)
CertStore(java.security.cert.CertStore)
X509Certificate(java.security.cert.X509Certificate)
Example 8 with CertPath
use of java.security.cert.CertPath in project robovm by robovm.
the class CertificateFactory3Test method testGenerateCertPath01.
/**
* Test for <code>generateCertPath(List certificates)</code> method
* Assertion: returns CertPath with 1 Certificate
*/
public void testGenerateCertPath01() throws Exception {
CertificateFactory[] certFs = initCertFs();
assertNotNull("CertificateFactory objects were not created", certFs);
// create list of certificates with one certificate
Certificate cert = certFs[0].generateCertificate(new ByteArrayInputStream(TestUtils.getEncodedX509Certificate()));
List<Certificate> list = new Vector<Certificate>();
list.add(cert);
for (int i = 0; i < certFs.length; i++) {
CertPath certPath = null;
certPath = certFs[i].generateCertPath(list);
assertEquals(cert.getType(), certPath.getType());
List<? extends Certificate> list1 = certPath.getCertificates();
assertFalse("Result list is empty", list1.isEmpty());
Iterator<? extends Certificate> it = list1.iterator();
assertEquals("Incorrect Certificate in CertPath", cert, it.next());
}
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
CertPath(java.security.cert.CertPath)
CertificateFactory(java.security.cert.CertificateFactory)
Vector(java.util.Vector)
Certificate(java.security.cert.Certificate)
Example 9 with CertPath
use of java.security.cert.CertPath in project robovm by robovm.
the class CertPathValidatorExceptionTest method testCertPathValidatorException14.
/**
* Test for
* <code>CertPathValidatorException(String, Throwable, CertPath, int)</code>
* constructor Assertion: constructs CertPathValidatorException when
* <code>cause</code> not null <code>msg</code> not null
* <code>certPath</code> not null <code>index</code><
* certPath.getCertificates().size()
*/
public void testCertPathValidatorException14() {
CertPathValidatorException tE;
myCertPath mcp = new myCertPath("X.509", "");
CertPath cp = mcp.get("X.509");
for (int i = 0; i < msgs.length; i++) {
try {
tE = new CertPathValidatorException(msgs[i], tCause, cp, -1);
String getM = tE.getMessage();
String toS = tCause.toString();
if (msgs[i].length() > 0) {
assertTrue("getMessage() must contain ".concat(msgs[i]), getM.indexOf(msgs[i]) != -1);
if (!getM.equals(msgs[i])) {
assertTrue("getMessage() should contain ".concat(toS), getM.indexOf(toS) != -1);
}
}
assertNotNull("getCause() must not return null", tE.getCause());
assertEquals("getCause() must return ".concat(tCause.toString()), tE.getCause(), tCause);
assertNotNull("getCertPath() must not return null", tE.getCertPath());
assertEquals("getCertPath() must return ".concat(cp.toString()), tE.getCertPath(), cp);
assertEquals("getIndex() must return -1", tE.getIndex(), -1);
} catch (IndexOutOfBoundsException e) {
fail("Unexpected IndexOutOfBoundsException was thrown. " + e.toString());
}
}
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CertPath(java.security.cert.CertPath)
Example 10 with CertPath
use of java.security.cert.CertPath in project robovm by robovm.
the class CertPathValidatorExceptionTest method testCertPathValidatorException15.
/**
* Test for <code>getCertPath()</code>. Returns the certification path
* that was being validated when the exception was thrown.
*/
public void testCertPathValidatorException15() {
CertPathValidatorException tE = new CertPathValidatorException();
assertNull("getCertPath() must return null.", tE.getCertPath());
for (int i = 0; i < msgs.length; i++) {
tE = new CertPathValidatorException(msgs[i]);
assertNull("getCertPath() must return null ", tE.getCertPath());
}
Throwable cause = null;
tE = new CertPathValidatorException(cause);
assertNull("getCertPath() must return null.", tE.getCertPath());
tE = new CertPathValidatorException(tCause);
assertNull("getCertPath() must return null.", tE.getCertPath());
for (int i = 0; i < msgs.length; i++) {
tE = new CertPathValidatorException(msgs[i], tCause);
assertNull("getCertPath() must return null", tE.getCertPath());
}
tE = new CertPathValidatorException(null, null, null, -1);
assertNull("getCertPath() must return null", tE.getCertPath());
for (int i = 0; i < msgs.length; i++) {
try {
tE = new CertPathValidatorException(msgs[i], tCause, null, -1);
assertNull("getCertPath() must return null", tE.getCertPath());
} catch (IndexOutOfBoundsException e) {
fail("Unexpected exception: " + e.getMessage());
}
}
myCertPath mcp = new myCertPath("X.509", "");
CertPath cp = mcp.get("X.509");
for (int i = 0; i < msgs.length; i++) {
try {
tE = new CertPathValidatorException(msgs[i], tCause, cp, -1);
assertNotNull("getCertPath() must not return null", tE.getCertPath());
assertEquals("getCertPath() must return ".concat(cp.toString()), tE.getCertPath(), cp);
} catch (IndexOutOfBoundsException e) {
fail("Unexpected IndexOutOfBoundsException was thrown. " + e.toString());
}
}
}
Also used :
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CertPath(java.security.cert.CertPath)
Aggregations
CertPath (java.security.cert.CertPath)55
X509Certificate (java.security.cert.X509Certificate)17
MyCertPath (org.apache.harmony.security.tests.support.cert.MyCertPath)16
CertificateFactory (java.security.cert.CertificateFactory)15
MyFailingCertPath (org.apache.harmony.security.tests.support.cert.MyFailingCertPath)14
CertPathValidatorException (java.security.cert.CertPathValidatorException)13
ArrayList (java.util.ArrayList)10
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)9
CertPathValidator (java.security.cert.CertPathValidator)9
CertPathBuilderResult (java.security.cert.CertPathBuilderResult)8
TrustAnchor (java.security.cert.TrustAnchor)8
ByteArrayInputStream (java.io.ByteArrayInputStream)7
Certificate (java.security.cert.Certificate)7
PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)7
PKIXParameters (java.security.cert.PKIXParameters)7
HashSet (java.util.HashSet)7
CertPathBuilder (java.security.cert.CertPathBuilder)6
CertPathBuilderException (java.security.cert.CertPathBuilderException)6
CertificateException (java.security.cert.CertificateException)6
PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)6
