Example 6 with CertPathValidatorResult
use of java.security.cert.CertPathValidatorResult in project OpenAM by OpenRock.
the class AMCertPath method verify.
/**
* It does cert path validation together with CRL check and ocsp checking
* if they are properly configured.
* @param certs
**/
public boolean verify(X509Certificate[] certs, boolean crlEnabled, boolean ocspEnabled) {
/*
The entire contents of this method must be synchronized for the following reasons:
1. The CertPathValidator#validate method is not thread-safe
2. even if a non-static CertPathValidator instance were obtained in this method, each instance references
the ocsp-related properties in the Security class. Thus the state set in Security.setProperty("ocsp.enable", true/false)
will affect all CertPathValidator instances.
Note that despite the synchronized block, the fact that static Security properties are being set and referenced
exposes the code below to data races in the context of these Security properties. Currently, Security.setProperties
is not being called from anywhere in the OpenAM code base. If this were to change, and the "ocsp.enable" property
were manipulated, the OCSP-based checking below would be susceptible to data races. There does not seem to
be an alternative however: the section on PKIXParameters here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#Introduction
mentions setting PKIXCertPathChecker implementations to do CRL or OCSP based checking, but there is no remove
method, and the state returned from getCertPathCheckers is immutable.
*/
synchronized (AMCertPath.class) {
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: invoked !");
}
try {
final List<X509Certificate> certList = Arrays.asList(certs);
final CertPath cp = (CertPath) cf.generateCertPath(certList);
// init PKIXParameters
Class<?> trustMgrClass = Class.forName("com.sun.identity.security.keystore.AMX509TrustManager");
Object trustMgr = (Object) trustMgrClass.newInstance();
Method method = trustMgrClass.getMethod("getKeyStore");
KeyStore keystore = (KeyStore) method.invoke(trustMgr);
PKIXParameters pkixparams = new PKIXParameters(keystore);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: crlEnabled ---> " + crlEnabled);
debug.message("AMCertPath.verify: ocspEnabled ---> " + ocspEnabled);
}
pkixparams.setRevocationEnabled(crlEnabled || ocspEnabled);
if (ocspEnabled) {
final String responderURLString = getResponderURLString();
if (!StringUtils.isBlank(responderURLString)) {
Security.setProperty(OCSP_ENABLE, TRUE);
Security.setProperty(OCSP_RESPONDER_URL, responderURLString);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: pkixparams.setRevocationEnabled " + "set to true, and ocsp.enabled set to true with a OCSP responder url of " + responderURLString);
}
} else {
//OCSP revocation checking not configured properly. Disable the check if crl-based checking not enabled
pkixparams.setRevocationEnabled(crlEnabled);
Security.setProperty(OCSP_ENABLE, FALSE);
debug.error("AMCertPath.verify: OCSP is enabled, but the " + "com.sun.identity.authentication.ocsp.responder.url property does not specify a OCSP " + "responder. OCSP checking will NOT be performed.");
}
} else {
//the Security properties are static - if we are doing crl validation, insure that the property
//is not present which will toggle OCSP checking.
Security.setProperty(OCSP_ENABLE, FALSE);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: pkixparams Security property ocsp.enabled set to false.");
}
}
if (store != null) {
pkixparams.addCertStore(store);
}
if (debug.messageEnabled()) {
StringBuilder sb = new StringBuilder("The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator: \n");
sb.append("\tgetInitialPolicies: ").append(pkixparams.getInitialPolicies()).append('\n');
sb.append("\tisExplicitPolicyRequired: ").append(pkixparams.isExplicitPolicyRequired()).append('\n');
sb.append("\tisPolicyMappingInhibited: ").append(pkixparams.isPolicyMappingInhibited()).append('\n');
debug.message(sb.toString());
}
// validate
CertPathValidatorResult cpvResult = cpv.validate(cp, pkixparams);
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: PASS " + cpvResult.toString());
}
} catch (java.security.cert.CertPathValidatorException e) {
debug.error("AMCertPath.verify: FAILED - " + e.getMessage());
if (debug.messageEnabled()) {
debug.message("AMCertPath.verify: FAILED", e);
}
return false;
} catch (Throwable t) {
debug.error("AMCertPath.verify: FAILED", t);
return false;
}
return true;
}
}
Also used :
Method(java.lang.reflect.Method)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
PKIXParameters(java.security.cert.PKIXParameters)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
Example 7 with CertPathValidatorResult
use of java.security.cert.CertPathValidatorResult in project robovm by robovm.
the class CertificateTest method testVerifyMD2_chain.
public void testVerifyMD2_chain() throws Exception {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
// First check with the trust anchor not included in the chain
CertPath path = certificateFactory.generateCertPath(getCertList(true, false));
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = createPKIXParams();
CertPathValidatorResult res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
// Now check with the trust anchor included in the chain
path = certificateFactory.generateCertPath(getCertList(true, true));
certPathValidator = CertPathValidator.getInstance("PKIX");
params = createPKIXParams();
if (StandardNames.IS_RI) {
res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
} else {
try {
certPathValidator.validate(path, params);
fail();
} catch (CertPathValidatorException expected) {
}
}
}
Also used :
CertPathValidator(java.security.cert.CertPathValidator)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertificateFactory(java.security.cert.CertificateFactory)
Example 8 with CertPathValidatorResult
use of java.security.cert.CertPathValidatorResult in project robovm by robovm.
the class CertificateTest method testVerifyMD5_chain.
public void testVerifyMD5_chain() throws Exception {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
// First check with the trust anchor not included in the chain
CertPath path = certificateFactory.generateCertPath(getCertList(false, false));
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = createPKIXParams();
CertPathValidatorResult res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
// Now check with the trust anchor included in the chain
path = certificateFactory.generateCertPath(getCertList(false, true));
certPathValidator = CertPathValidator.getInstance("PKIX");
params = createPKIXParams();
res = certPathValidator.validate(path, params);
assertTrue("wrong result type", res instanceof PKIXCertPathValidatorResult);
r = (PKIXCertPathValidatorResult) res;
assertTrue("Wrong trust anchor returned", params.getTrustAnchors().contains(r.getTrustAnchor()));
}
Also used :
CertPathValidator(java.security.cert.CertPathValidator)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertPath(java.security.cert.CertPath)
CertPathValidatorResult(java.security.cert.CertPathValidatorResult)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
CertificateFactory(java.security.cert.CertificateFactory)
Aggregations
CertPathValidatorResult (java.security.cert.CertPathValidatorResult)8
CertPathValidator (java.security.cert.CertPathValidator)6
CertPath (java.security.cert.CertPath)4
PKIXParameters (java.security.cert.PKIXParameters)3
CertPathValidatorException (java.security.cert.CertPathValidatorException)2
CertificateFactory (java.security.cert.CertificateFactory)2
PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)2
Method (java.lang.reflect.Method)1
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)1
KeyStore (java.security.KeyStore)1
CertPathParameters (java.security.cert.CertPathParameters)1
CertPathValidatorSpi (java.security.cert.CertPathValidatorSpi)1
X509Certificate (java.security.cert.X509Certificate)1
MyCertPathValidatorSpi (org.apache.harmony.security.tests.support.cert.MyCertPathValidatorSpi)1
