
Example 31 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project LinLong-Java by zhenwei1108.

The class PKIXCertPathBuilderSpi_8, method engineBuild.

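/**
 * Build and validate a CertPath using the given parameter.
 * <p>
 * A {@link PKIXBuilderParameters} instance is converted into
 * {@code PKIXExtendedBuilderParameters}; when it is also an {@code ExtendedPKIXParameters}
 * its additional certificate stores, excluded certificates and maximum path length are
 * carried over. A {@code PKIXExtendedBuilderParameters} instance is used as-is. Every
 * candidate target certificate is then tried in turn until one yields a validated path.
 *
 * @param params PKIXBuilderParameters object containing all information to build the CertPath
 * @return the first successfully built and validated certification path
 * @throws CertPathBuilderException if no candidate target yields a valid path; the last
 *         failure recorded during building is attached as the cause when one is available
 * @throws InvalidAlgorithmParameterException if {@code params} is neither a
 *         {@code PKIXBuilderParameters} nor a {@code PKIXExtendedBuilderParameters}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
    PKIXExtendedBuilderParameters paramsPKIX;
    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXBuilderParameters) params);
        PKIXExtendedBuilderParameters.Builder paramsBldrPKIXBldr;
        if (params instanceof ExtendedPKIXParameters) {
            ExtendedPKIXBuilderParameters extPKIX = (ExtendedPKIXBuilderParameters) params;
            // carry the caller's extra certificate stores over to the extended parameters
            for (Object store : extPKIX.getAdditionalStores()) {
                paramsPKIXBldr.addCertificateStore((PKIXCertStore) store);
            }
            paramsBldrPKIXBldr = new PKIXExtendedBuilderParameters.Builder(paramsPKIXBldr.build());
            paramsBldrPKIXBldr.addExcludedCerts(extPKIX.getExcludedCerts());
            paramsBldrPKIXBldr.setMaxPathLength(extPKIX.getMaxPathLength());
        } else {
            paramsBldrPKIXBldr = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        }
        paramsPKIX = paramsBldrPKIXBldr.build();
    } else if (params instanceof PKIXExtendedBuilderParameters) {
        paramsPKIX = (PKIXExtendedBuilderParameters) params;
    } else {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }
    // search target certificates, then try each one until a path validates
    Collection<?> targets = CertPathValidatorUtilities.findTargets(paramsPKIX);
    List<X509Certificate> certPathList = new ArrayList<>();
    CertPathBuilderResult result = null;
    for (Object candidate : targets) {
        if (result != null) {
            break;
        }
        X509Certificate cert = (X509Certificate) candidate;
        result = build(cert, paramsPKIX, certPathList);
    }
    if (result != null) {
        return result;
    }
    // certPathException is presumably a field recording the last failure seen by build() — confirm
    if (certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    if (certPathException instanceof AnnotatedException) {
        // AnnotatedException already carries the meaningful message; surface its own cause
        throw new CertPathBuilderException(certPathException.getMessage(), certPathException.getCause());
    }
    throw new CertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
}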

Example 32 with CertPathBuilderResult

use of java.security.cert.CertPathBuilderResult in project security by opensearch-project.

The class CertificateValidator, method validate.

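/**
 * Builds and validates a PKIX certification path for {@code certChain} against the configured
 * trust anchors, with revocation checking enabled.
 * <p>
 * {@code null} entries in the chain are skipped; the first remaining certificate is the target
 * the path is built for, and the whole chain is offered to the builder as a collection store.
 * The OCSP and CRLDP switches are JVM-wide security/system properties: once enabled here they
 * stay in effect for the whole process and are never reset by this method.
 *
 * @param certChain the certificate chain to validate, end-entity first
 * @throws CertificateException if the path cannot be built or validated; the underlying
 *         {@link GeneralSecurityException} is attached as the cause
 * @throws IllegalStateException if the chain is empty after skipping {@code null}s or
 *         contains a non-X.509 certificate
 */
public void validate(Certificate[] certChain) throws CertificateException {
    try {
        ArrayList<X509Certificate> certList = new ArrayList<>();
        for (Certificate item : certChain) {
            if (item == null) {
                continue;
            }
            if (!(item instanceof X509Certificate)) {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            certList.add((X509Certificate) item);
        }
        if (certList.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }
        // the end-entity certificate is the target the path is built for
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));
        // one builder supplies the revocation checker and performs the build below
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
        Set<PKIXRevocationChecker.Option> opts = new HashSet<>();
        if (preferCrl) {
            opts.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (checkOnlyEndEntities) {
            opts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        revocationChecker.setOptions(opts);
        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams;
        if (_trustStore != null) {
            pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        } else {
            Set<TrustAnchor> trustAnchors = new HashSet<>();
            for (X509Certificate certificate : _trustedCert) {
                // no name constraints are imposed on the anchors
                trustAnchors.add(new TrustAnchor(certificate, null));
            }
            pbParams = new PKIXBuilderParameters(trustAnchors, certSelect);
        }
        pbParams.addCertPathChecker(revocationChecker);
        pbParams.setDate(date);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);
        // Enable revocation checking
        pbParams.setRevocationEnabled(true);
        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty()) {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }
        // Enable On-Line Certificate Status Protocol (OCSP) support.
        // Process-global and sticky: a later call with _enableOCSP == false does not turn it off.
        if (_enableOCSP) {
            Security.setProperty("ocsp.enable", "true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support.
        // Same caveat: JVM-wide system property, never reset here.
        if (_enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        // Build certification path
        CertPathBuilderResult buildResult = certPathBuilder.build(pbParams);
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(), pbParams);
    } catch (GeneralSecurityException gse) {
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}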
