Use of java.security.cert.CertPathBuilder in project Spark by igniterealtime.
The class SparkExceptionsTrustManager, method validatePath.
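/**
 * Validates the certificate path for a certificate that is on the exceptions list.
 *
 * <p>Even for an exception, the path still has to be built and validated so that a connection between the
 * certificate presented by the server and a root CA in {@code allStore} is established. Revocation checking is
 * switched off explicitly.
 *
 * <p>NOTE(review): the previous comment claimed that time-validity checks are skipped as well. That is not what
 * the code does: {@code X509CertSelector.setCertificateValid(null)} only clears a selection criterion (null is the
 * default), while the PKIX validator still checks the validity period of every certificate in the path against
 * the validation date. Confirm whether callers rely on expired exception certificates being accepted.
 *
 * @param chain the chain presented by the peer; must be non-null and non-empty
 * @throws CertificateException when the chain is empty or the trust anchor has no trusted certificate
 * @throws NoSuchAlgorithmException when the PKIX algorithm is not available
 * @throws KeyStoreException when {@code allStore} cannot be used as a source of trust anchors
 * @throws InvalidAlgorithmParameterException when the builder parameters are rejected
 * @throws CertPathValidatorException when the built path does not validate
 * @throws CertPathBuilderException when no path to a trust anchor can be built
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    if (chain == null || chain.length == 0) {
        // Previously an empty chain surfaced as ArrayIndexOutOfBoundsException; report it as a certificate problem
        // so that callers catching CertificateException handle it like any other failed validation.
        throw new CertificateException("Certificate chain is empty");
    }
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector certSelector = new X509CertSelector();
    // The last element of the chain is the target of the path search (kept as in the original code).
    // NOTE(review): confirm with the caller that this is the server's certificate and not an appended root CA.
    certSelector.setCertificate(chain[chain.length - 1]);
    // Do not constrain the selection by validity date (this is also the selector's default).
    certSelector.setCertificateValid(null);

    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // Exception certificates are not checked for revocation.
    parameters.setRevocationEnabled(false);

    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);

    // A key-only trust anchor carries no certificate; this manager insists on an actual trusted certificate.
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    }
    Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
}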
Use of java.security.cert.CertPathBuilder in project qpid-broker-j by apache.
The class TrustAnchorValidatingTrustManager, method getPkixCertPathBuilderResult.
/**
 * Builds a PKIX certification path from the peer's certificate to one of the given trust anchors.
 *
 * <p>The first element of {@code x509Certificates} is taken as the peer certificate; every following element is
 * offered to the builder as a possible intermediate, together with {@code otherCerts}. Revocation is not checked
 * here.
 *
 * @param x509Certificates the chain presented by the peer, peer certificate first
 * @param trustAnchors the anchors a path may terminate at
 * @param otherCerts additional certificates the builder may use as intermediates
 * @return the built path together with the trust anchor it ends at
 * @throws IllegalArgumentException when the chain is empty
 * @throws GeneralSecurityException when the PKIX provider is unavailable, the parameters are rejected or no path
 *         can be built
 */
private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(final X509Certificate[] x509Certificates, final Set<TrustAnchor> trustAnchors, final Set<Certificate> otherCerts) throws GeneralSecurityException {
    final Set<Certificate> candidateCerts = new HashSet<>(otherCerts);
    final List<X509Certificate> chain = Arrays.asList(x509Certificates);
    if (chain.isEmpty()) {
        throw new IllegalArgumentException("Peer certificate not found");
    }
    final X509Certificate peerCertificate = chain.get(0);
    // Everything after the peer certificate is a candidate intermediate.
    candidateCerts.addAll(chain.subList(1, chain.size()));
    // IBM JDK seems to require that the peer's certificate exists in the Collection too
    candidateCerts.add(peerCertificate);

    final X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setCertificate(peerCertificate);

    final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, targetSelector);
    pkixParams.setRevocationEnabled(false);
    pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidateCerts)));

    return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pkixParams);
}
Use of java.security.cert.CertPathBuilder in project mule by mulesoft.
The class StandardRevocationCheck, method configFor.
/**
 * Builds trust-manager parameters whose PKIX revocation checker carries the options configured on this instance
 * ({@code onlyEndEntities}, {@code preferCrls}, {@code noFallback}, {@code softFail}).
 *
 * <p>The trust store takes precedence; {@code defaultTrustAnchors} is used only when no trust store is given.
 *
 * @param trustStore the trust store to validate against, or null to fall back to {@code defaultTrustAnchors}
 * @param defaultTrustAnchors anchors used when {@code trustStore} is null
 * @return parameters carrying the PKIX builder parameters and the revocation checker
 * @throws RuntimeException wrapping any {@link GeneralSecurityException} raised while setting up the checker
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();

        Set<PKIXRevocationChecker.Option> enabledOptions = new HashSet<>();
        addOptionIfEnabled(enabledOptions, onlyEndEntities, PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        addOptionIfEnabled(enabledOptions, preferCrls, PKIXRevocationChecker.Option.PREFER_CRLS);
        addOptionIfEnabled(enabledOptions, noFallback, PKIXRevocationChecker.Option.NO_FALLBACK);
        addOptionIfEnabled(enabledOptions, softFail, PKIXRevocationChecker.Option.SOFT_FAIL);
        revocationChecker.setOptions(enabledOptions);

        X509CertSelector matchAny = new X509CertSelector();
        PKIXBuilderParameters pkixParams = trustStore != null
                ? new PKIXBuilderParameters(trustStore, matchAny)
                : new PKIXBuilderParameters(defaultTrustAnchors, matchAny);
        pkixParams.addCertPathChecker(revocationChecker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}

/** Adds {@code option} to {@code target} only when {@code enabled} is true. */
private static void addOptionIfEnabled(Set<PKIXRevocationChecker.Option> target, boolean enabled, PKIXRevocationChecker.Option option) {
    if (enabled) {
        target.add(option);
    }
}
Use of java.security.cert.CertPathBuilder in project mule by mulesoft.
The class CustomOcspResponder, method configFor.
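/**
 * Builds trust-manager parameters whose PKIX revocation checker queries the configured OCSP responder only.
 *
 * <p>{@code NO_FALLBACK} means CRLs are never consulted: an unreachable responder fails the handshake instead of
 * silently degrading to another revocation source. When {@code certAlias} is set, the certificate stored under
 * that alias is used to verify the responder's signed responses.
 *
 * @param trustStore the trust store the certificate path is validated against; must not be null
 * @param defaultTrustAnchors not used by this responder, a trust store is mandatory
 * @return parameters for {@code TrustManagerFactory.init}
 * @throws IllegalArgumentException when {@code url} or {@code trustStore} is missing
 * @throws IllegalStateException when {@code certAlias} is set but does not name an X.509 certificate entry
 * @throws RuntimeException wrapping any {@link GeneralSecurityException} or {@link URISyntaxException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url is guaranteed non-null by the precondition above; the former second null check was dead code.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            // The alias must refer to a trusted-certificate entry (not a key entry) holding an X.509 certificate;
            // a non-X.509 entry used to surface as ClassCastException.
            java.security.cert.Certificate responderCert =
                    trustStore.isCertificateEntry(certAlias) ? trustStore.getCertificate(certAlias) : null;
            if (!(responderCert instanceof X509Certificate)) {
                throw new IllegalStateException("Certificate with alias \"" + certAlias + "\" was not found in the trust store");
            }
            rc.setOcspResponderCert((X509Certificate) responderCert);
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}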
Use of java.security.cert.CertPathBuilder in project Openfire by igniterealtime.
The class KeystoreTestUtils, method testChain.
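/**
 * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
 * other validation methods.
 *
 * The first certificate in the chain is expected to be the end-entity certificate.
 *
 * The last certificate in the chain is expected to be the root CA certificate. Anything in between is offered to
 * the path builder as an intermediate. Revocation is not checked here.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws IllegalArgumentException When the chain is null or empty (previously an ArrayIndexOutOfBoundsException).
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain(X509Certificate[] chain) throws Exception {
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("Certificate chain cannot be null or empty");
    }
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(chain[0]);

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<>();
    trustAnchors.add(new TrustAnchor(chain[chain.length - 1], null));

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify the intermediate certificates: everything between the end-entity and the root.
    // (A one- or two-element chain has none; the loop body then never runs.)
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i = 1; i < chain.length - 1; i++) {
        intermediateCerts.add(chain[i]);
    }
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}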