
Example 31 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project Spark by igniterealtime.

the class SparkExceptionsTrustManager method validatePath.

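/**
 * Validates the certificate path presented by the server. Because this is the exceptions trust manager, no
 * revocation or time-validity checks are performed, but a path still has to be built and validated so that a
 * link between the presented certificate and a root CA in the key store is established.
 *
 * <p>{@code allStore} is the key store field (declared outside this method) whose entries serve as trust anchors.
 *
 * @param chain the certificate chain presented by the server; must be non-null and non-empty
 * @throws NoSuchAlgorithmException if the PKIX validator or builder is unavailable
 * @throws KeyStoreException if the key store cannot be read for trust anchors
 * @throws InvalidAlgorithmParameterException if the builder parameters are rejected
 * @throws CertPathValidatorException if the built path does not validate
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 * @throws CertificateException if the chain is empty or the validated path ends without a trusted certificate
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    // Guard: an empty chain would otherwise surface as an ArrayIndexOutOfBoundsException below
    if (chain == null || chain.length == 0) {
        throw new CertificateException("Certificate path failed: empty certificate chain");
    }
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // NOTE(review): the build target is the LAST element of the presented chain, not chain[0] (normally the
    // end-entity certificate); confirm that this is intended for the exceptions store
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as it is the exceptions list (null clears the criterion)
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // no checks against revocation as it is an exception
    parameters.setRevocationEnabled(false);
    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    // PKIXBuilderParameters extends PKIXParameters, so the same object also configures the validator
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
    // A trust anchor may be specified by name and public key only; then getTrustedCert() is null
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    }
    // getSubjectX500Principal() replaces the deprecated getSubjectDN()
    Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectX500Principal());
}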

Example 32 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project qpid-broker-j by apache.

the class TrustAnchorValidatingTrustManager method getPkixCertPathBuilderResult.

/**
 * Builds a PKIX certification path from the peer's certificate to one of the given trust anchors.
 *
 * <p>The first element of {@code x509Certificates} is taken as the peer (target) certificate; every further
 * element, together with {@code otherCerts}, is offered to the builder through a Collection cert store.
 * Revocation checking is disabled on the builder parameters.
 *
 * @param x509Certificates the chain as sent by the peer, peer certificate first
 * @param trustAnchors the trust anchors the path must end at
 * @param otherCerts additional certificates made available to the builder
 * @return the builder result holding the constructed path and its trust anchor
 * @throws IllegalArgumentException if {@code x509Certificates} is empty
 * @throws GeneralSecurityException if no path can be built or the PKIX/Collection providers are unavailable
 */
private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(final X509Certificate[] x509Certificates, final Set<TrustAnchor> trustAnchors, final Set<Certificate> otherCerts) throws GeneralSecurityException {
    if (x509Certificates.length == 0) {
        throw new IllegalArgumentException("Peer certificate not found");
    }
    final X509Certificate peerCertificate = x509Certificates[0];
    // Cert store contents: caller-supplied extras plus every non-leaf certificate the peer sent
    final Set<Certificate> storeCerts = new HashSet<>(otherCerts);
    for (int i = 1; i < x509Certificates.length; i++) {
        storeCerts.add(x509Certificates[i]);
    }
    // IBM JDK seems to require that the peer's certficate exists in the Collection too
    storeCerts.add(peerCertificate);
    final X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(peerCertificate);
    final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParams.setRevocationEnabled(false);
    final CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts));
    pkixParams.addCertStore(intermediateCertStore);
    final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}

Example 33 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project mule by mulesoft.

the class StandardRevocationCheck method configFor.

/**
 * Produces trust-manager parameters whose PKIX validation runs the JDK revocation checker with the options
 * selected by this configuration ({@code onlyEndEntities}, {@code preferCrls}, {@code noFallback},
 * {@code softFail} are fields declared outside this method).
 *
 * <p>The trust anchors come from {@code trustStore} when one is given, otherwise from
 * {@code defaultTrustAnchors}. The selector is left unconstrained, so any certificate may be the target.
 *
 * @param trustStore key store supplying the trust anchors, or {@code null} to use {@code defaultTrustAnchors}
 * @param defaultTrustAnchors anchors used when no trust store is given
 * @return parameters wrapping the configured {@link PKIXBuilderParameters}
 * @throws RuntimeException wrapping any {@link GeneralSecurityException} raised while configuring PKIX
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        final PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
        checker.setOptions(selectedRevocationOptions());
        final X509CertSelector anyCertificate = new X509CertSelector();
        final PKIXBuilderParameters pkixParams = trustStore != null
                ? new PKIXBuilderParameters(trustStore, anyCertificate)
                : new PKIXBuilderParameters(defaultTrustAnchors, anyCertificate);
        pkixParams.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}

/** Collects the revocation-checker options enabled by this configuration's boolean flags. */
private Set<PKIXRevocationChecker.Option> selectedRevocationOptions() {
    final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
    if (onlyEndEntities) {
        options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
    }
    if (preferCrls) {
        options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
    }
    if (noFallback) {
        options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    }
    if (softFail) {
        options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
    }
    return options;
}

Example 34 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project mule by mulesoft.

the class CustomOcspResponder method configFor.

/**
 * Produces trust-manager parameters whose PKIX revocation checker queries the OCSP responder at {@code url}
 * (a field declared outside this method) instead of the responder named in the certificates.
 *
 * <p>Only {@code NO_FALLBACK} is set: the checker will not fall back to CRLs, and since {@code SOFT_FAIL} is
 * not set an unreachable responder is treated as a validation failure rather than ignored. When
 * {@code certAlias} (also a field) is set, the responder's signing certificate is taken from the trust store.
 *
 * @param trustStore key store holding the trust anchors and, optionally, the responder certificate; required
 * @param defaultTrustAnchors not used by this responder
 * @return parameters wrapping the configured {@link PKIXBuilderParameters}
 * @throws IllegalStateException if {@code certAlias} is set but is not a certificate entry in the trust store
 * @throws RuntimeException wrapping any {@link GeneralSecurityException} or {@link URISyntaxException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        final PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        if (url != null) {
            checker.setOcspResponder(new URI(url));
        }
        if (certAlias != null) {
            // isCertificateEntry is false both when the alias is absent and when it names a key entry
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            checker.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}

Example 35 with CertPathBuilder

use of java.security.cert.CertPathBuilder in project Openfire by igniterealtime.

the class KeystoreTestUtils method testChain.

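/**
 * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
 * other validation methods.
 *
 * The first certificate in the chain is expected to be the end-entity certificate.
 *
 * The last certificate in the chain is expected to be the root CA certificate.
 *
 * Note that the trust anchor is taken from the chain itself, so a successful build only shows that the chain is
 * internally consistent (each certificate is signed by the next); it says nothing about whether the last
 * certificate is actually trusted. For a single-element chain, that element is both the target and the anchor.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws IllegalArgumentException When the chain is null or empty.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain(X509Certificate[] chain) throws Exception {
    // Reject the cases the contract excludes explicitly instead of failing with an index error below
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("chain cannot be null or empty");
    }
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(chain[0]);
    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<>();
    trustAnchors.add(new TrustAnchor(chain[chain.length - 1], null));
    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);
    // Specify a list of intermediate certificates: everything strictly between the leaf and the root
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i = 1; i < chain.length - 1; i++) {
        intermediateCerts.add(chain[i]);
    }
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}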
