use of java.security.cert.CertPathBuilderResult in project LinLong-Java by zhenwei1108.
The class PKIXCertPathBuilderSpi_8, method engineBuild.
/**
 * Builds and validates a CertPath from the supplied parameters.
 *
 * <p>The parameters are first normalised to {@code PKIXExtendedBuilderParameters}.
 * Every candidate target certificate is then tried in turn until {@code build}
 * produces a result; the first successful path wins.
 *
 * @param params either a {@code PKIXBuilderParameters} or a
 *               {@code PKIXExtendedBuilderParameters}; anything else is rejected
 * @return the built and validated certification path
 * @throws InvalidAlgorithmParameterException if {@code params} is of an unsupported type
 * @throws CertPathBuilderException if no target certificate yields a valid chain; the
 *         last failure recorded in {@code certPathException} (a field set elsewhere
 *         in this class) is surfaced as the cause where available
 */
public CertPathBuilderResult engineBuild(CertPathParameters params)
        throws CertPathBuilderException, InvalidAlgorithmParameterException {
    final PKIXExtendedBuilderParameters builderParams;

    if (params instanceof PKIXBuilderParameters) {
        PKIXExtendedParameters.Builder baseBuilder =
                new PKIXExtendedParameters.Builder((PKIXBuilderParameters) params);
        PKIXExtendedBuilderParameters.Builder extendedBuilder;

        if (params instanceof ExtendedPKIXParameters) {
            // Legacy extended parameters: carry over the additional stores,
            // the excluded certificates and the maximum path length.
            ExtendedPKIXBuilderParameters legacy = (ExtendedPKIXBuilderParameters) params;
            for (Object store : legacy.getAdditionalStores()) {
                baseBuilder.addCertificateStore((PKIXCertStore) store);
            }
            extendedBuilder = new PKIXExtendedBuilderParameters.Builder(baseBuilder.build());
            extendedBuilder.addExcludedCerts(legacy.getExcludedCerts());
            extendedBuilder.setMaxPathLength(legacy.getMaxPathLength());
        } else {
            extendedBuilder = new PKIXExtendedBuilderParameters.Builder((PKIXBuilderParameters) params);
        }
        builderParams = extendedBuilder.build();
    } else if (params instanceof PKIXExtendedBuilderParameters) {
        builderParams = (PKIXExtendedBuilderParameters) params;
    } else {
        throw new InvalidAlgorithmParameterException("Parameters must be an instance of " + PKIXBuilderParameters.class.getName() + " or " + PKIXExtendedBuilderParameters.class.getName() + ".");
    }

    // Candidate end-entity certificates matching the target constraints.
    Collection targets = CertPathValidatorUtilities.findTargets(builderParams);

    // Shared with build(); raw type kept because build()'s signature is not visible here.
    List certPathList = new ArrayList();

    // Try each target until one produces a path; stop at the first success.
    CertPathBuilderResult result = null;
    for (Object candidate : targets) {
        result = build((X509Certificate) candidate, builderParams, certPathList);
        if (result != null) {
            break;
        }
    }

    if (result != null) {
        return result;
    }

    // No path found: report the most informative failure we have.
    if (certPathException == null) {
        throw new CertPathBuilderException("Unable to find certificate chain.");
    }
    if (certPathException instanceof AnnotatedException) {
        // AnnotatedException already wraps the underlying cause; unwrap one level.
        throw new CertPathBuilderException(certPathException.getMessage(), certPathException.getCause());
    }
    throw new CertPathBuilderException("Possible certificate chain could not be validated.", certPathException);
}
use of java.security.cert.CertPathBuilderResult in project security by opensearch-project.
The class CertificateValidator, method validate.
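/**
 * Builds and validates a PKIX certification path for the supplied chain.
 *
 * <p>The first non-null certificate in {@code certChain} is the target; the remaining
 * entries are offered to the builder as an intermediate store. Trust comes from
 * {@code _trustStore} when set, otherwise from {@code _trustedCert}. Revocation is checked
 * through the provider's {@code PKIXRevocationChecker}, configured from {@code preferCrl}
 * and {@code checkOnlyEndEntities}, optionally with the static {@code _crls}.
 *
 * <p>Note: when {@code _enableOCSP} or {@code _enableCRLDP} is set, this method changes
 * JVM-wide security/system properties that are never reset and affect every other
 * caller in the process.
 *
 * @param certChain the chain to validate; null entries are skipped, a null or empty
 *                  array is rejected
 * @throws CertificateException if the path cannot be built or validated
 * @throws IllegalStateException if the chain is empty or contains a non-X.509
 *                               certificate (unchanged from the original contract;
 *                               not a {@code GeneralSecurityException}, so it is not
 *                               re-wrapped below)
 */
public void validate(Certificate[] certChain) throws CertificateException {
    try {
        List<X509Certificate> certList = new ArrayList<>();
        // A null array is treated like an empty one and rejected just below,
        // instead of surfacing as a NullPointerException from the loop.
        if (certChain != null) {
            for (Certificate item : certChain) {
                if (item == null) {
                    continue;
                }
                if (!(item instanceof X509Certificate)) {
                    throw new IllegalStateException("Invalid certificate type in chain");
                }
                certList.add((X509Certificate) item);
            }
        }
        if (certList.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }

        // The target of the path is the first certificate of the chain.
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));

        // One builder instance is used both to obtain the revocation checker and,
        // further down, to build the path, so the checker belongs to the builder
        // that actually runs it.
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
        Set<PKIXRevocationChecker.Option> opts = new HashSet<>();
        if (preferCrl) {
            opts.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (checkOnlyEndEntities) {
            opts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        revocationChecker.setOptions(opts);

        // Configure certification path builder parameters: trust anchors come from the
        // key store when present, otherwise from the explicitly trusted certificates.
        PKIXBuilderParameters pbParams;
        if (_trustStore != null) {
            pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        } else {
            Set<TrustAnchor> trustAnchors = new HashSet<>();
            for (X509Certificate certificate : _trustedCert) {
                trustAnchors.add(new TrustAnchor(certificate, null));
            }
            pbParams = new PKIXBuilderParameters(trustAnchors, certSelect);
        }
        pbParams.addCertPathChecker(revocationChecker);
        // Validity is evaluated at this instant rather than "now"; a fixed date is what
        // makes validation results reproducible. Assumes date is non-null — a null here
        // means "current time" per PKIXParameters.
        pbParams.setDate(date);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);
        // Enable revocation checking. With an explicit PKIXRevocationChecker added above
        // the checker is used regardless of this flag; it is kept so intent stays visible.
        pbParams.setRevocationEnabled(true);
        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty()) {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }
        // Enable On-Line Certificate Status Protocol (OCSP) support — process-wide setting.
        if (_enableOCSP) {
            Security.setProperty("ocsp.enable", "true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support — process-wide setting.
        if (_enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }

        // Build certification path with the same builder the revocation checker came from.
        CertPathBuilderResult buildResult = certPathBuilder.build(pbParams);
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(), pbParams);
    } catch (GeneralSecurityException gse) {
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}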