
Example 21 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project Openfire by igniterealtime.

the class ClientTrustManager method checkClientTrusted.

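/**
 * Checks whether a client's certificate chain should be trusted.
 * <p>
 * After loading any configured CRLs, and unless {@code xmpp.client.certificate.verify} is
 * {@code false}, the chain is checked in up to four stages, each of the first three being
 * individually switchable by a {@code xmpp.client.certificate.verify.*} property:
 * <ol>
 *   <li>issuer/subject chaining and signature of every link in the chain;</li>
 *   <li>presence of (or issuance by) the last certificate in the configured trust store;</li>
 *   <li>validity period of every certificate at the current time;</li>
 *   <li>a PKIX path build and validation against the trust store, with CRL revocation checking
 *       only when a CRL store was loaded, plus OCSP when {@code ocsp.enable} is set.</li>
 * </ol>
 *
 * @param x509Certificates the peer's chain, end-entity certificate first
 * @param string the authentication type reported by the SSL engine (only logged)
 * @throws CertificateException if any enabled stage rejects the chain
 * @throws IllegalArgumentException if the chain is {@code null} or empty, as required by the
 *         {@link javax.net.ssl.X509TrustManager} contract
 */
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String string) throws CertificateException {
    Log.debug("ClientTrustManager: checkClientTrusted(x509Certificates," + string + ") called");
    // X509TrustManager's contract makes a null or zero-length chain a caller error, not an
    // untrusted peer. Without this guard an empty chain was either accepted silently (when
    // verification is switched off) or failed with ArrayIndexOutOfBoundsException.
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new IllegalArgumentException("null or zero-length certificate chain");
    }
    loadCRL();
    if (!JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify", true)) {
        // Verification disabled by configuration: every client certificate is accepted.
        return;
    }
    int nSize = x509Certificates.length;
    // Identities are only used to make rejection messages attributable to a peer.
    List<String> peerIdentities = CertificateManager.getClientIdentities(x509Certificates[0]);
    if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify.chain", true)) {
        verifyIssuerChain(x509Certificates, peerIdentities);
    }
    if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify.root", true)) {
        verifyTrustedRoot(x509Certificates[nSize - 1], peerIdentities);
    }
    if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.verify.validity", true)) {
        verifyValidityPeriod(x509Certificates, peerIdentities);
    }
    verifyPkixPath(x509Certificates[0]);
}

/**
 * Walks the chain from the root-most certificate down to the end-entity certificate and checks
 * that each certificate names the next one as its issuer and carries a signature that verifies
 * under that issuer's public key. A single-certificate chain has no links and passes trivially.
 *
 * @param chain the peer's chain, end-entity certificate first
 * @param peerIdentities identities of the peer, for the rejection message
 * @throws CertificateException on the first broken link
 */
private void verifyIssuerChain(X509Certificate[] chain, List<String> peerIdentities) throws CertificateException {
    for (int i = chain.length - 2; i >= 0; i--) {
        X509Certificate cert = chain[i];
        X509Certificate issuer = chain[i + 1];
        // X500Principal.equals() compares distinguished names by the RFC 3280 rules; the
        // deprecated getIssuerDN()/getSubjectDN() return provider-specific Principals whose
        // equals() is not specified.
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new CertificateException("subject/issuer verification failed of " + peerIdentities);
        }
        try {
            cert.verify(issuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new CertificateException("signature verification failed of " + peerIdentities, e);
        }
    }
}

/**
 * Checks that the last certificate of the chain is either itself in the trust store or was issued
 * by a certificate in the trust store, and that its signature verifies under that entry's key.
 * A failure to enumerate the trust store is logged and treated as "not trusted".
 *
 * @param root the last certificate of the peer's chain
 * @param peerIdentities identities of the peer, for the rejection message
 * @throws CertificateException if no trust-store entry vouches for {@code root}
 */
private void verifyTrustedRoot(X509Certificate root, List<String> peerIdentities) throws CertificateException {
    boolean trusted = false;
    try {
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            java.security.cert.Certificate stored = trustStore.getCertificate(aliases.nextElement());
            // Aliases without a certificate (e.g. secret-key entries) yield null and non-X.509
            // entries cannot anchor an X.509 chain; skip both instead of failing with NPE/CCE.
            if (!(stored instanceof X509Certificate)) {
                continue;
            }
            X509Certificate tCert = (X509Certificate) stored;
            boolean sameCertificate = root.equals(tCert);
            boolean issuedByEntry = root.getIssuerX500Principal().equals(tCert.getSubjectX500Principal());
            if (sameCertificate || issuedByEntry) {
                try {
                    root.verify(tCert.getPublicKey());
                } catch (GeneralSecurityException e) {
                    throw new CertificateException("signature verification failed of " + peerIdentities, e);
                }
                trusted = true;
                break;
            }
        }
    } catch (KeyStoreException e) {
        // Deliberately non-fatal here: with an unusable trust store the root simply stays untrusted
        // and the check below rejects the chain.
        Log.error(e.getMessage(), e);
    }
    if (!trusted) {
        throw new CertificateException("root certificate not trusted of " + peerIdentities);
    }
}

/**
 * Checks that every certificate in the chain is within its validity period right now.
 *
 * @param chain the peer's chain
 * @param peerIdentities identities of the peer, for the rejection message
 * @throws CertificateException if any certificate is expired or not yet valid
 */
private static void verifyValidityPeriod(X509Certificate[] chain, List<String> peerIdentities) throws CertificateException {
    Date now = new Date();
    for (X509Certificate cert : chain) {
        try {
            cert.checkValidity(now);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("invalid date of " + peerIdentities, e);
        }
    }
}

/**
 * Builds and validates a PKIX certification path from the end-entity certificate to an anchor in
 * the trust store. CRL-based revocation checking is only enabled when a CRL store was loaded;
 * when {@code ocsp.enable} is set an OCSP checker is added to the validation parameters.
 *
 * @param peerCert the end-entity certificate
 * @throws CertificateException if no path can be built or validated, if the validated anchor has
 *         no certificate, or on any other failure while setting up the validation
 */
private void verifyPkixPath(X509Certificate peerCert) throws CertificateException {
    X509Certificate trustedCert;
    try {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(peerCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, certSelector);
        if (useCRLs) {
            params.addCertStore(crlStore);
        } else {
            // NOTE: without a CRL store, revocation is not checked at all by the PKIX validator;
            // an OCSP checker added below is presumably still invoked as a custom checker — confirm.
            Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)");
            params.setRevocationEnabled(false);
        }
        CertPathBuilderResult cpbr = cpb.build(params);
        CertPath cp = cpbr.getCertPath();
        if (JiveGlobals.getBooleanProperty("ocsp.enable", false)) {
            Log.debug("ClientTrustManager: OCSP requested");
            OCSPChecker ocspChecker = new OCSPChecker(cp, params);
            params.addCertPathChecker(ocspChecker);
        }
        PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
        trustedCert = cpvResult.getTrustAnchor().getTrustedCert();
    } catch (CertPathBuilderException | CertPathValidatorException e) {
        Log.debug("ClientTrustManager:", e);
        throw new CertificateException("certificate path failed: " + e.getMessage(), e);
    } catch (Exception e) {
        // Kept broad because OCSPChecker is a project type whose constructor contract is not
        // visible here; the cause is preserved so the real failure is not lost.
        Log.debug("ClientTrustManager:", e);
        throw new CertificateException("unexpected error: " + e.getMessage(), e);
    }
    // Checked outside the try: previously this throw was caught by the catch-all above and
    // re-wrapped as "unexpected error", hiding the real reason.
    if (trustedCert == null) {
        throw new CertificateException("certificate path failed: Trusted CA is NULL");
    }
    Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectX500Principal());
}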
Also used : CertPathBuilderResult(java.security.cert.CertPathBuilderResult) ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilderException(java.security.cert.CertPathBuilderException) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath) PublicKey(java.security.PublicKey) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) GeneralSecurityException(java.security.GeneralSecurityException) KeyStoreException(java.security.KeyStoreException) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) KeyStoreException(java.security.KeyStoreException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) CertPathBuilderException(java.security.cert.CertPathBuilderException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) FileNotFoundException(java.io.FileNotFoundException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CRLException(java.security.cert.CRLException) CertPathValidator(java.security.cert.CertPathValidator) CertPathValidatorException(java.security.cert.CertPathValidatorException) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) Principal(java.security.Principal)

Example 22 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project cxf by apache.

the class TrustedAuthorityValidator method isCertificateChainValid.

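/**
 * Checks if a certificate chain is signed by a trusted authority.
 * <p>
 * A PKIX path is first built from the repository's trusted CA certificates, its intermediate CA
 * certificates and the supplied chain itself (revocation checking is switched off for the build),
 * then validated with revocation checking against the repository's CRLs when
 * {@code enableRevocation} is set. Every build or validation failure is logged and reported as
 * "not valid" rather than thrown.
 *
 * @param certificates the chain to check; the first element is the end-entity certificate
 * @return {@code true} if a trusted path was built and validated, {@code false} otherwise
 *         (including for a {@code null} or empty chain)
 */
boolean isCertificateChainValid(List<X509Certificate> certificates) {
    // An empty chain has nothing to validate; report it as invalid instead of failing on get(0).
    if (certificates == null || certificates.isEmpty()) {
        LOG.log(Level.WARNING, "Certificate chain validation called with an empty certificate chain.");
        return false;
    }
    X509Certificate targetCert = certificates.get(0);
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(targetCert);
    try {
        List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
        List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
        Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
        CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
        CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
        pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
        // Revocation is checked during validation, not while discovering the path.
        pkixParams.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath certPath = builder.build(pkixParams).getCertPath();
        // Now validate the CertPath (including CRL checking)
        pkixParams.setRevocationEnabled(enableRevocation);
        if (enableRevocation) {
            // With revocation enabled and no CRLs in the repository the validator is left without
            // a revocation source and is expected to reject the path (fail-closed) — confirm.
            List<X509CRL> crls = certRepo.getCRLs();
            if (!crls.isEmpty()) {
                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        LOG.log(Level.WARNING, "Invalid algorithm parameter by certificate chain validation. " + "It is likely that issuer certificates are not found in XKMS trusted storage. " + e.getMessage(), e);
        return false;
    } catch (NoSuchAlgorithmException e) {
        LOG.log(Level.WARNING, "Unknown algorithm by trust chain validation: " + e.getMessage(), e);
        return false;
    } catch (CertPathBuilderException e) {
        LOG.log(Level.WARNING, "Cannot build certification path: " + e.getMessage(), e);
        return false;
    } catch (CertPathValidatorException e) {
        LOG.log(Level.WARNING, "Cannot validate certification path: " + e.getMessage(), e);
        return false;
    }
    return true;
}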
Also used : X509CRL(java.security.cert.X509CRL) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) CertStoreParameters(java.security.cert.CertStoreParameters) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathValidator(java.security.cert.CertPathValidator) CertPathValidatorException(java.security.cert.CertPathValidatorException) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath)

Example 23 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project robovm by robovm.

the class myCertPathBuilder method testCertPathBuilder13.

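/**
 * Test for <code>getAlgorithm()</code> method.
 * Assertion: the returned algorithm name equals the name the builder was requested with,
 * whether the builder was obtained with or without an explicit provider name.
 * The test is skipped (reported as a failure) when PKIX is not supported.
 *
 * @throws NoSuchAlgorithmException if a supposedly valid algorithm name is rejected
 */
public void testCertPathBuilder13() throws NoSuchAlgorithmException {
    if (!PKIXSupport) {
        fail(NotSupportMsg);
        return;
    }
    for (String algorithm : validValues) {
        // assertEquals(message, expected, actual): the requested name is the expectation,
        // so a mismatch is reported with expected/actual the right way round.
        CertPathBuilder cpb = CertPathBuilder.getInstance(algorithm);
        assertEquals("Incorrect algorithm", algorithm, cpb.getAlgorithm());
        // The provider-qualified lookup was previously exercised twice with identical code;
        // one pass gives the same coverage.
        try {
            cpb = CertPathBuilder.getInstance(algorithm, defaultProviderName);
            assertEquals("Incorrect algorithm", algorithm, cpb.getAlgorithm());
        } catch (NoSuchProviderException e) {
            fail("Unexpected NoSuchProviderException " + e.getMessage());
        }
    }
}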
Also used : CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchProviderException(java.security.NoSuchProviderException)

Example 24 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project robovm by robovm.

the class myCertPathBuilder method testCertPathBuilder07.

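/**
 * Test for <code>getInstance(String algorithm, String provider)</code> method.
 * Assertion: returns a CertPathBuilder whose algorithm name and provider name match the
 * requested ones. The test is skipped (reported as a failure) when PKIX is not supported.
 *
 * @throws NoSuchAlgorithmException if a supposedly valid algorithm name is rejected
 * @throws NoSuchProviderException if the default provider name is unknown
 */
public void testCertPathBuilder07() throws NoSuchAlgorithmException, NoSuchProviderException {
    if (!PKIXSupport) {
        fail(NotSupportMsg);
        return;
    }
    for (String algorithm : validValues) {
        CertPathBuilder certPB = CertPathBuilder.getInstance(algorithm, defaultProviderName);
        // assertEquals(message, expected, actual): the requested values are the expectation.
        assertEquals("Incorrect algorithm", algorithm, certPB.getAlgorithm());
        assertEquals("Incorrect provider name", defaultProviderName, certPB.getProvider().getName());
    }
}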
Also used : CertPathBuilder(java.security.cert.CertPathBuilder)

Example 25 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project robovm by robovm.

the class myCertPathBuilder method testCertPathBuilder14.

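/**
 * Test for <code>getProvider()</code> method.
 * Assertion: the provider of a builder obtained with an explicit Provider, or with that
 * provider's name, is the requested provider. The test is skipped (reported as a failure)
 * when PKIX is not supported.
 *
 * @throws NoSuchAlgorithmException if a supposedly valid algorithm name is rejected
 */
public void testCertPathBuilder14() throws NoSuchAlgorithmException {
    if (!PKIXSupport) {
        fail(NotSupportMsg);
        return;
    }
    for (String algorithm : validValues) {
        // assertEquals(message, expected, actual): the requested provider is the expectation.
        CertPathBuilder cpb2 = CertPathBuilder.getInstance(algorithm, defaultProvider);
        assertEquals("Incorrect provider", defaultProvider, cpb2.getProvider());
        try {
            CertPathBuilder cpb3 = CertPathBuilder.getInstance(algorithm, defaultProviderName);
            assertEquals("Incorrect provider", defaultProvider, cpb3.getProvider());
        } catch (NoSuchProviderException e) {
            fail("Unexpected NoSuchProviderException " + e.getMessage());
        }
    }
}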
Also used : CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchProviderException(java.security.NoSuchProviderException)
