Use of java.security.cert.CertPathBuilder in project MonjaDB by Kanatoko.
The class MSecurityUtil, method isValidChain.
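// --------------------------------------------------------------------------------
/**
 * Checks that {@code chain} forms a buildable PKIX path when read in the order
 * root, intermediate(s), leaf.
 *
 * <p>The first element is installed as the only trust anchor, the last element is
 * the target certificate and everything in between is offered to the builder as
 * intermediate material. Because the anchor is taken from the input rather than
 * from a configured trust store, a {@code true} result means the certificates
 * chain to each other correctly (signatures, names, validity periods); it does not
 * mean the chain is trusted by this application. Revocation checking is disabled.
 *
 * @param chain certificates in root, intermediate(s), leaf order; every element
 *     must be an {@link X509Certificate}
 * @return {@code true} if a path from the leaf to the first element can be built;
 *     {@code false} for a null chain, a chain shorter than two certificates, an
 *     element that is not an {@code X509Certificate}, or any failure while
 *     building the path
 */
public static boolean isValidChain(List<?> chain) {
    if (chain == null || chain.size() < 2) {
        return false;
    }
    try {
        X509Certificate root = null;
        X509Certificate leaf = null;
        List<X509Certificate> intermediates = new ArrayList<X509Certificate>();
        int last = chain.size() - 1;
        for (int i = 0; i <= last; ++i) {
            Object entry = chain.get(i);
            if (!(entry instanceof X509Certificate)) {
                // a non-X.509 element can never be part of a PKIX path
                return false;
            }
            X509Certificate cert = (X509Certificate) entry;
            if (i == 0) {
                root = cert;
            } else if (i == last) {
                leaf = cert;
            } else {
                intermediates.add(cert);
            }
        }
        // in-memory key store whose single trusted entry becomes the trust anchor
        KeyStore anchors = KeyStore.getInstance("JKS");
        anchors.load(null, null);
        anchors.setCertificateEntry("root", root);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        CertStoreParameters store = new CollectionCertStoreParameters(intermediates);
        params.addCertStore(CertStore.getInstance("Collection", store));
        // no CRL/OCSP lookups are performed
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // build() throws CertPathBuilderException when no path exists
        builder.build(params);
        return true;
    } catch (Exception e) {
        // any problem (key store, parameters, unbuildable path) is reported as "not valid"
        return false;
    }
}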
Use of java.security.cert.CertPathBuilder in project SKMCLauncher by SKCraft.
The class X509KeyStore, method verify.
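/**
 * Verify that a given certificate is trusted.
 *
 * <p>{@code chain[0]} is the end-entity certificate to verify. The configured
 * root certificates are the only trust anchors; the built-in intermediate
 * certificates and the remaining elements of {@code chain} are only offered to
 * the path builder as candidate intermediates, so a self-signed chain supplied by
 * the caller is not trusted by itself. Revocation checking is enabled, so the
 * provider's revocation sources (CRL and/or OCSP, depending on JVM configuration)
 * typically need to be available for the build to succeed.
 *
 * @param chain certificate chain, end-entity certificate first; must contain
 *     at least one element
 * @throws IllegalArgumentException if {@code chain} is null or empty
 * @throws CertPathBuilderException thrown on verification error
 * @throws CertificateVerificationException thrown on any error
 */
public void verify(X509Certificate[] chain) throws CertificateVerificationException, CertPathBuilderException {
    if (chain == null || chain.length == 0) {
        // without a target certificate there is nothing to verify
        throw new IllegalArgumentException("chain must contain at least the end-entity certificate");
    }
    try {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(chain[0]);
        // Root certificates
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate rootCert : rootCerts) {
            trustAnchors.add(new TrustAnchor(rootCert, null));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.setRevocationEnabled(true);
        // Built-in intermediate certificates
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)));
        // Additional intermediate certificates supplied by the caller
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(chain))));
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // Will error on failure to verify
        builder.build(pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateVerificationException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new CertificateVerificationException(e);
    }
}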
Use of java.security.cert.CertPathBuilder in project cloudstack by apache.
The class CertServiceImpl, method validateChain.
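/**
 * Checks that {@code cert} and {@code chain} form a buildable PKIX path.
 *
 * <p>{@code cert} and every certificate in {@code chain} are registered as trust
 * anchors (so self-signed certificates pass), and the same certificates are offered
 * to the builder as intermediates. The check therefore establishes that the
 * certificates chain to each other with valid signatures, names and validity
 * periods; it does not establish trust against an external root store.
 *
 * @param chain intermediate/root certificates accompanying {@code cert}; every
 *     element must be an {@link X509Certificate}
 * @param cert the end-entity certificate used as the path target
 * @param revocationEnabled whether the PKIX builder performs revocation checks
 * @throws IllegalArgumentException if any certificate is not an X.509 certificate
 * @throws IllegalStateException if no valid path can be built
 * @throws CloudRuntimeException if the "BC" provider is not installed
 */
private void validateChain(final List<Certificate> chain, final Certificate cert, final boolean revocationEnabled) {
    final List<Certificate> certs = new ArrayList<Certificate>();
    final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    // the target itself is an anchor so that self-signed certs validate
    certs.add(cert);
    certs.addAll(chain);
    for (final Certificate c : certs) {
        if (!(c instanceof X509Certificate)) {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
        anchors.add(new TrustAnchor((X509Certificate) c, null));
    }
    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(revocationEnabled);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        // Bouncy Castle is requested explicitly instead of the default PKIX provider
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        // build() throws CertPathBuilderException when no path exists
        builder.build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}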
Use of java.security.cert.CertPathBuilder in project open-ecard by ecsec.
The class SignatureVerifier, method validatePath.
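/**
 * Builds and validates a PKIX path from {@code cert} to one of the anchors in the
 * configured trust store.
 *
 * <p>Missing issuer certificates may be fetched via the AIA extension: the JDK
 * property {@code com.sun.security.enableAIAcaIssuers} is set process-wide on
 * every call, which affects every PKIX path builder in this JVM, not only this
 * one. The builder's built-in revocation check is switched off; when
 * {@code ChipGatewayProperties.isRevocationCheck()} is true, a
 * {@link PKIXRevocationChecker} with default options replaces any previously
 * configured path checkers instead.
 *
 * @param cert the end-entity certificate that is the target of the path
 * @param intermediateCerts candidate intermediate certificates offered to the builder
 * @param checkDate the time at which validity is evaluated, or {@code null} for
 *     the current time
 * @return the successfully built path together with its trust anchor
 * @throws NoSuchAlgorithmException if no PKIX builder or Collection cert store is available
 * @throws KeyStoreException if the trust store cannot be read
 * @throws InvalidAlgorithmParameterException if the builder parameters are rejected
 * @throws CertPathBuilderException if no valid path can be built
 */
private PKIXCertPathBuilderResult validatePath(X509Certificate cert, Collection<X509Certificate> intermediateCerts, @Nullable Date checkDate) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathBuilderException {
    // enable downloading of missing certificates based on the AIA extension
    try {
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
    } catch (SecurityException ex) {
        LOG.warn("Failed to enable AIA evaluation. Skipping downloads of missing certificates.");
    }
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    // configure path building
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(cert);
    PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
    CertStoreParameters intermediates = new CollectionCertStoreParameters(intermediateCerts);
    params.addCertStore(CertStore.getInstance("Collection", intermediates));
    params.setDate(checkDate);
    // the built-in revocation check stays off; revocation, when enabled, is done
    // by the explicit checker added below
    params.setRevocationEnabled(false);
    if (ChipGatewayProperties.isRevocationCheck()) {
        PKIXRevocationChecker revChecker = (PKIXRevocationChecker) builder.getRevocationChecker();
        // an empty option set keeps the checker's JDK defaults: every certificate
        // in the path is checked, OCSP preferred with CRL as fallback
        Set<PKIXRevocationChecker.Option> revOpts = new HashSet<>();
        revChecker.setOptions(revOpts);
        // drop previously configured checkers so the revocation checker is the only one
        params.setCertPathCheckers(null);
        params.addCertPathChecker(revChecker);
    }
    // try to build the path; build() throws CertPathBuilderException on failure
    return (PKIXCertPathBuilderResult) builder.build(params);
}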
Use of java.security.cert.CertPathBuilder in project cosmic by MissionCriticalCloud.
The class CertServiceImpl, method validateChain.
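/**
 * Checks that {@code cert} and {@code chain} form a buildable PKIX path.
 *
 * <p>{@code cert} and every certificate in {@code chain} are registered as trust
 * anchors (so self-signed certificates pass), and the same certificates are offered
 * to the builder as intermediates. The check therefore establishes that the
 * certificates chain to each other with valid signatures, names and validity
 * periods; it does not establish trust against an external root store.
 * Revocation checking is disabled.
 *
 * @param chain intermediate/root certificates accompanying {@code cert}; every
 *     element must be an {@link X509Certificate}
 * @param cert the end-entity certificate used as the path target
 * @throws IllegalArgumentException if any certificate is not an X.509 certificate
 *     or no valid path can be built
 * @throws CloudRuntimeException if the "BC" provider is not installed
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    final List<Certificate> certs = new ArrayList<>();
    final Set<TrustAnchor> anchors = new HashSet<>();
    // the target itself is an anchor so that self-signed certs validate
    certs.add(cert);
    certs.addAll(chain);
    for (final Certificate c : certs) {
        if (!(c instanceof X509Certificate)) {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
        anchors.add(new TrustAnchor((X509Certificate) c, null));
    }
    final X509CertSelector target = new X509CertSelector();
    target.setCertificate((X509Certificate) cert);
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // no CRL/OCSP lookups are performed
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        // Bouncy Castle is requested explicitly instead of the default PKIX provider
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        // build() throws CertPathBuilderException when no path exists
        builder.build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalArgumentException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}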