
Example 16 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project MonjaDB by Kanatoko.

the class MSecurityUtil method isValidChain.

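// --------------------------------------------------------------------------------
/**
 * Checks that {@code chain} is a well-formed certificate path ordered
 * root, intermediate(s)..., leaf: every element is an X.509 certificate and a
 * PKIX path from the leaf back to the first element can be built.
 *
 * <p>Security caveat: the FIRST element of the supplied chain is used as the
 * trust anchor, so a {@code true} result only means the chain is internally
 * consistent (signatures, validity dates, basic constraints). It does NOT mean
 * the root is trusted by this application; callers must compare the root
 * against a real trust store separately. Revocation (CRL/OCSP) is not checked.
 *
 * @param chain certificates in root-first order; at least two entries
 * @return {@code true} if a PKIX path can be built; {@code false} for a null,
 *         too-short or non-X.509 chain, or on any validation failure
 */
public static boolean isValidChain(List<?> chain) {
    // need at least a root and a leaf
    if (chain == null || chain.size() < 2) {
        return false;
    }
    // every element must be an X.509 certificate; previously a bad element
    // surfaced as a ClassCastException that the catch-all below swallowed
    for (Object entry : chain) {
        if (!(entry instanceof X509Certificate)) {
            return false;
        }
    }
    int last = chain.size() - 1;
    X509Certificate root = (X509Certificate) chain.get(0);
    X509Certificate leaf = (X509Certificate) chain.get(last);
    List<X509Certificate> intermediates = new ArrayList<X509Certificate>();
    for (Object entry : chain.subList(1, last)) {
        intermediates.add((X509Certificate) entry);
    }
    try {
        // an in-memory keystore holding only the root serves as the trust-anchor set
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);
        trust.setCertificateEntry("root", root);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        CertStoreParameters intermediateStore = new CollectionCertStoreParameters(intermediates);
        params.addCertStore(CertStore.getInstance("Collection", intermediateStore));
        // no CRL/OCSP lookup; see the caveat in the method javadoc
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // build() throws CertPathBuilderException when no valid path exists
        builder.build(params);
        return true;
    } catch (Exception e) {
        // the PKIX API throws several checked types (KeyStoreException,
        // CertPathBuilderException, ...); every one of them means "not a valid chain"
        return false;
    }
}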
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertStoreParameters(java.security.cert.CertStoreParameters) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) X509Certificate(java.security.cert.X509Certificate) CertificateException(java.security.cert.CertificateException)

Example 17 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project SKMCLauncher by SKCraft.

the class X509KeyStore method verify.

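/**
 * Verify that a given certificate is trusted.
 *
 * <p>{@code chain[0]} is the end-entity certificate being verified; it must
 * chain to one of {@code rootCerts}, which are the only trust anchors. The
 * built-in {@code intermediateCerts} and the rest of the presented chain are
 * offered to the path builder as candidate intermediates only, so a caller
 * cannot make a path valid by appending its own root to {@code chain}.
 * Revocation checking is enabled, so CRL/OCSP data must be obtainable for the
 * path or the build fails.
 *
 * @param chain certificate chain, end-entity first; must not be null or empty
 * @throws IllegalArgumentException if {@code chain} is null or empty
 * @throws CertPathBuilderException thrown on verification error
 * @throws CertificateVerificationException thrown on any error
 */
public void verify(X509Certificate[] chain) throws CertificateVerificationException, CertPathBuilderException {
    // guard before chain[0]: an empty array used to escape as an
    // ArrayIndexOutOfBoundsException with no hint of what went wrong
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("certificate chain is null or empty");
    }
    try {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(chain[0]);
        // Root certificates - the only trust anchors
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate rootCert : rootCerts) {
            trustAnchors.add(new TrustAnchor(rootCert, null));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.setRevocationEnabled(true);
        // Built-in intermediate certificates
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)));
        // Additional intermediate certificates supplied by the peer (never anchors)
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(chain))));
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // Will error on failure to verify
        builder.build(pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateVerificationException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new CertificateVerificationException(e);
    }
}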
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)

Example 18 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project cloudstack by apache.

the class CertServiceImpl method validateChain.

/**
 * Checks that {@code cert} together with {@code chain} forms a buildable PKIX
 * path using the BouncyCastle ("BC") provider.
 *
 * <p>Trust-model caveat: every certificate passed in, including {@code cert}
 * itself, is registered as a trust anchor (the original comment notes this is
 * done so self-signed certificates pass). The check therefore proves the chain
 * is internally consistent, not that it ends at a CA this deployment trusts;
 * do not treat a pass as an authorization decision.
 *
 * @param chain intermediate/root certificates supplied with the certificate
 * @param cert the end-entity certificate to validate
 * @param revocationEnabled whether the PKIX builder should require CRL/OCSP data
 * @throws IllegalArgumentException if any entry is not an X.509 certificate
 * @throws IllegalStateException if no valid path can be built
 * @throws CloudRuntimeException if the BC provider is not available
 */
private void validateChain(final List<Certificate> chain, final Certificate cert, boolean revocationEnabled) {
    final List<Certificate> allCerts = new ArrayList<Certificate>();
    // the certificate under test goes first and becomes its own anchor (self-signed case)
    allCerts.add(cert);
    allCerts.addAll(chain);

    final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    for (final Certificate candidate : allCerts) {
        if (candidate instanceof X509Certificate) {
            anchors.add(new TrustAnchor((X509Certificate) candidate, null));
        } else {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
    }

    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(revocationEnabled);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(allCerts)));
        // build() throws CertPathBuilderException when no path to an anchor exists
        CertPathBuilder.getInstance("PKIX", "BC").build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) ArrayList(java.util.ArrayList) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchProviderException(java.security.NoSuchProviderException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate) HashSet(java.util.HashSet)

Example 19 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project open-ecard by ecsec.

the class SignatureVerifier method validatePath.

/**
 * Builds and validates a PKIX path from {@code cert} to one of the anchors in
 * {@code trustStore}, using {@code intermediateCerts} as extra path candidates.
 *
 * <p>Side effects worth knowing: on every call the method sets the
 * process-wide system property {@code com.sun.security.enableAIAcaIssuers},
 * which lets the JDK builder fetch missing issuer certificates over the
 * network from AIA URLs embedded in the (not yet trusted) certificates. When
 * {@code ChipGatewayProperties.isRevocationCheck()} is true a
 * {@link PKIXRevocationChecker} with an empty option set (JDK defaults) is
 * installed and all other path checkers are cleared; otherwise revocation is
 * not checked at all.
 *
 * @param cert the end-entity certificate to validate
 * @param intermediateCerts candidate intermediate certificates
 * @param checkDate the point in time at which validity is evaluated; null lets
 *        the builder use the current time
 * @return the built and validated path
 * @throws CertPathBuilderException if no valid path to a trust anchor exists
 * @throws InvalidAlgorithmParameterException if the builder parameters are rejected
 * @throws KeyStoreException if the trust store cannot be read
 * @throws NoSuchAlgorithmException if no PKIX builder is available
 */
private PKIXCertPathBuilderResult validatePath(X509Certificate cert, Collection<X509Certificate> intermediateCerts, @Nullable Date checkDate) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathBuilderException {
    // AIA fetching is controlled by a JDK system property; a SecurityManager
    // may forbid setting it, in which case we proceed without downloads
    try {
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
    } catch (SecurityException ex) {
        LOG.warn("Failed to enable AIA evaluation. Skipping downloads of missing certificates.");
    }

    CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector endEntity = new X509CertSelector();
    endEntity.setCertificate(cert);
    PKIXBuilderParameters pathParams = new PKIXBuilderParameters(trustStore, endEntity);
    CertStoreParameters extraCerts = new CollectionCertStoreParameters(intermediateCerts);
    pathParams.addCertStore(CertStore.getInstance("Collection", extraCerts));
    pathParams.setDate(checkDate);
    // the built-in revocation flag stays off; when wanted, revocation runs
    // through an explicit PKIXRevocationChecker added below
    pathParams.setRevocationEnabled(false);

    if (ChipGatewayProperties.isRevocationCheck()) {
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) pathBuilder.getRevocationChecker();
        // an empty option set leaves the checker at its JDK defaults
        // (ONLY_END_ENTITY deliberately not set: all certs in the path are checked)
        revocation.setOptions(new HashSet<>());
        pathParams.setCertPathCheckers(null);
        pathParams.addCertPathChecker(revocation);
    }

    return (PKIXCertPathBuilderResult) pathBuilder.build(pathParams);
}
Also used : CertStoreParameters(java.security.cert.CertStoreParameters) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet)

Example 20 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project cosmic by MissionCriticalCloud.

the class CertServiceImpl method validateChain.

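/**
 * Checks that {@code cert} together with {@code chain} forms a buildable PKIX
 * path using the BouncyCastle ("BC") provider. Revocation is not checked.
 *
 * <p>Trust-model caveat: every certificate passed in, including {@code cert}
 * itself, is registered as a trust anchor (the original comment notes this is
 * done so self-signed certificates pass). The check therefore proves the chain
 * is internally consistent, not that it ends at a CA this deployment trusts;
 * do not treat a pass as an authorization decision.
 *
 * @param chain intermediate/root certificates supplied with the certificate
 * @param cert the end-entity certificate to validate
 * @throws IllegalArgumentException if an entry is not an X.509 certificate or
 *         no valid path can be built
 * @throws CloudRuntimeException if the BC provider is not available
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    final List<Certificate> certs = new ArrayList<>();
    final Set<TrustAnchor> anchors = new HashSet<>();
    // the certificate under test goes first and becomes its own anchor (self-signed case)
    certs.add(cert);
    certs.addAll(chain);
    for (final Certificate c : certs) {
        if (!(c instanceof X509Certificate)) {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
        // the previous getSubjectDN()/getIssuerDN() locals were never read and used
        // denigrated APIs; they have been dropped
        anchors.add(new TrustAnchor((X509Certificate) c, null));
    }
    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // no CRL/OCSP lookups are performed by this check
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        // build() throws CertPathBuilderException when no path to an anchor exists
        builder.build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalArgumentException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}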
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) ArrayList(java.util.ArrayList) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchProviderException(java.security.NoSuchProviderException) Principal(java.security.Principal) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate) HashSet(java.util.HashSet)
