Example 36 with CertificateExpiredException
use of java.security.cert.CertificateExpiredException in project Payara by payara.
the class KeystoreManager method getValidCertificateAliases.
protected Map<String, Certificate> getValidCertificateAliases(KeyStore keyStore, String keyStorePassword) throws RepositoryException {
Map<String, Certificate> validCerts = new HashMap<>();
try {
for (String alias : Collections.list(keyStore.aliases())) {
Certificate cert = keyStore.getCertificate(alias);
if (cert.getType().equals("X.509")) {
X509Certificate xCert = (X509Certificate) cert;
try {
xCert.checkValidity();
validCerts.put(alias, cert);
} catch (CertificateExpiredException | CertificateNotYetValidException e) {
// Ignore invalid certificates
}
}
}
} catch (KeyStoreException ex) {
throw new RepositoryException("Keystore hasn't been initialized.", ex);
}
return validCerts;
}
Also used :
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
HashMap(java.util.HashMap)
KeyStoreException(java.security.KeyStoreException)
X509Certificate(java.security.cert.X509Certificate)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 37 with CertificateExpiredException
use of java.security.cert.CertificateExpiredException in project AppCenter-SDK-Android by Microsoft.
the class CryptoRsaHandler method encrypt.
@Override
public byte[] encrypt(CryptoUtils.ICryptoFactory cryptoFactory, int apiLevel, KeyStore.Entry keyStoreEntry, byte[] input) throws Exception {
CryptoUtils.ICipher cipher = getCipher(cryptoFactory, apiLevel);
KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) keyStoreEntry;
X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate();
try {
certificate.checkValidity();
} catch (CertificateExpiredException e) {
throw new InvalidKeyException(e);
}
cipher.init(ENCRYPT_MODE, certificate.getPublicKey());
return cipher.doFinal(input);
}
Also used :
CertificateExpiredException(java.security.cert.CertificateExpiredException)
InvalidKeyException(java.security.InvalidKeyException)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Example 38 with CertificateExpiredException
use of java.security.cert.CertificateExpiredException in project netty by netty.
the class SslErrorTest method data.
static Collection<Object[]> data() {
List<SslProvider> serverProviders = new ArrayList<SslProvider>(2);
List<SslProvider> clientProviders = new ArrayList<SslProvider>(3);
if (OpenSsl.isAvailable()) {
serverProviders.add(SslProvider.OPENSSL);
serverProviders.add(SslProvider.OPENSSL_REFCNT);
clientProviders.add(SslProvider.OPENSSL);
clientProviders.add(SslProvider.OPENSSL_REFCNT);
}
// We not test with SslProvider.JDK on the server side as the JDK implementation currently just send the same
// alert all the time, sigh.....
clientProviders.add(SslProvider.JDK);
List<CertificateException> exceptions = new ArrayList<CertificateException>(6);
exceptions.add(new CertificateExpiredException());
exceptions.add(new CertificateNotYetValidException());
exceptions.add(new CertificateRevokedException(new Date(), CRLReason.AA_COMPROMISE, new X500Principal(""), Collections.<String, Extension>emptyMap()));
// Also use wrapped exceptions as this is what the JDK implementation of X509TrustManagerFactory is doing.
exceptions.add(newCertificateException(CertPathValidatorException.BasicReason.EXPIRED));
exceptions.add(newCertificateException(CertPathValidatorException.BasicReason.NOT_YET_VALID));
exceptions.add(newCertificateException(CertPathValidatorException.BasicReason.REVOKED));
List<Object[]> params = new ArrayList<Object[]>();
for (SslProvider serverProvider : serverProviders) {
for (SslProvider clientProvider : clientProviders) {
for (CertificateException exception : exceptions) {
params.add(new Object[] { serverProvider, clientProvider, exception, true });
params.add(new Object[] { serverProvider, clientProvider, exception, false });
}
}
}
return params;
}
Also used :
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
CertificateRevokedException(java.security.cert.CertificateRevokedException)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
Date(java.util.Date)
Extension(java.security.cert.Extension)
X500Principal(javax.security.auth.x500.X500Principal)
Example 39 with CertificateExpiredException
use of java.security.cert.CertificateExpiredException in project netty by netty.
the class Http2MultiplexTransportTest method testSslException.
private void testSslException(SslProvider provider, final boolean tlsv13) throws Exception {
assumeTrue(SslProvider.isAlpnSupported(provider));
if (tlsv13) {
assumeTrue(SslProvider.isTlsv13Supported(provider));
}
final String protocol = tlsv13 ? "TLSv1.3" : "TLSv1.2";
SelfSignedCertificate ssc = null;
try {
ssc = new SelfSignedCertificate();
final SslContext sslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).trustManager(new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
throw new CertificateExpiredException();
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
throw new CertificateExpiredException();
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}).sslProvider(provider).ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).protocols(protocol).applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1)).clientAuth(ClientAuth.REQUIRE).build();
ServerBootstrap sb = new ServerBootstrap();
sb.group(eventLoopGroup);
sb.channel(NioServerSocketChannel.class);
sb.childHandler(new ChannelInitializer<Channel>() {
@Override
protected void initChannel(Channel ch) {
ch.pipeline().addLast(sslCtx.newHandler(ch.alloc()));
ch.pipeline().addLast(new Http2FrameCodecBuilder(true).build());
ch.pipeline().addLast(new Http2MultiplexHandler(DISCARD_HANDLER));
}
});
serverChannel = sb.bind(new InetSocketAddress(NetUtil.LOCALHOST, 0)).syncUninterruptibly().channel();
final SslContext clientCtx = SslContextBuilder.forClient().keyManager(ssc.key(), ssc.cert()).sslProvider(provider).ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE).trustManager(InsecureTrustManagerFactory.INSTANCE).protocols(protocol).applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1)).build();
final CountDownLatch latch = new CountDownLatch(2);
final AtomicReference<AssertionError> errorRef = new AtomicReference<AssertionError>();
Bootstrap bs = new Bootstrap();
bs.group(eventLoopGroup);
bs.channel(NioSocketChannel.class);
bs.handler(new ChannelInitializer<Channel>() {
@Override
protected void initChannel(Channel ch) {
ch.pipeline().addLast(clientCtx.newHandler(ch.alloc()));
ch.pipeline().addLast(new Http2FrameCodecBuilder(false).build());
ch.pipeline().addLast(new Http2MultiplexHandler(DISCARD_HANDLER));
ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
if (evt instanceof SslHandshakeCompletionEvent) {
SslHandshakeCompletionEvent handshakeCompletionEvent = (SslHandshakeCompletionEvent) evt;
if (handshakeCompletionEvent.isSuccess()) {
// the mTLS failure will be send in the next round-trip.
if (!tlsv13) {
errorRef.set(new AssertionError("TLSv1.3 expected"));
}
Http2StreamChannelBootstrap h2Bootstrap = new Http2StreamChannelBootstrap(ctx.channel());
h2Bootstrap.handler(new ChannelInboundHandlerAdapter() {
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
if (cause.getCause() instanceof SSLException) {
latch.countDown();
}
}
@Override
public void channelInactive(ChannelHandlerContext ctx) {
latch.countDown();
}
});
h2Bootstrap.open().addListener(new FutureListener<Channel>() {
@Override
public void operationComplete(Future<Channel> future) {
if (future.isSuccess()) {
future.getNow().writeAndFlush(new DefaultHttp2HeadersFrame(new DefaultHttp2Headers(), false));
}
}
});
} else if (handshakeCompletionEvent.cause() instanceof SSLException) {
// the mTLS failure will be send in the same round-trip.
if (tlsv13) {
errorRef.set(new AssertionError("TLSv1.2 expected"));
}
latch.countDown();
latch.countDown();
}
}
}
});
}
});
clientChannel = bs.connect(serverChannel.localAddress()).syncUninterruptibly().channel();
latch.await();
AssertionError error = errorRef.get();
if (error != null) {
throw error;
}
} finally {
if (ssc != null) {
ssc.delete();
}
}
}
Also used :
SelfSignedCertificate(io.netty.handler.ssl.util.SelfSignedCertificate)
SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
InetSocketAddress(java.net.InetSocketAddress)
CertificateException(java.security.cert.CertificateException)
ChannelHandlerContext(io.netty.channel.ChannelHandlerContext)
SSLException(javax.net.ssl.SSLException)
ApplicationProtocolConfig(io.netty.handler.ssl.ApplicationProtocolConfig)
Bootstrap(io.netty.bootstrap.Bootstrap)
ServerBootstrap(io.netty.bootstrap.ServerBootstrap)
SslContext(io.netty.handler.ssl.SslContext)
NioServerSocketChannel(io.netty.channel.socket.nio.NioServerSocketChannel)
NioSocketChannel(io.netty.channel.socket.nio.NioSocketChannel)
Channel(io.netty.channel.Channel)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
CountDownLatch(java.util.concurrent.CountDownLatch)
X509Certificate(java.security.cert.X509Certificate)
ServerBootstrap(io.netty.bootstrap.ServerBootstrap)
X509TrustManager(javax.net.ssl.X509TrustManager)
ChannelInboundHandlerAdapter(io.netty.channel.ChannelInboundHandlerAdapter)
Example 40 with CertificateExpiredException
use of java.security.cert.CertificateExpiredException in project oxAuth by GluuFederation.
the class GenericCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.APP, CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
try {
log.debug("Validity status is valid for '" + subjectX500Principal + "'");
certificate.checkValidity(validationDate);
status.setValidity(CertificateValidity.VALID);
} catch (CertificateExpiredException ex) {
log.debug("Validity status is expied for '" + subjectX500Principal + "'");
} catch (CertificateNotYetValidException ex) {
log.warn("Validity status is not yet valid for '" + subjectX500Principal + "'");
}
} catch (Exception ex) {
log.error("CRL exception: ", ex);
}
return status;
}
Also used :
ValidationStatus(org.gluu.oxauth.cert.validation.model.ValidationStatus)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
X509Certificate(java.security.cert.X509Certificate)
Principal(java.security.Principal)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
Aggregations
CertificateExpiredException (java.security.cert.CertificateExpiredException)46
X509Certificate (java.security.cert.X509Certificate)32
CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)28
CertificateException (java.security.cert.CertificateException)15
ArrayList (java.util.ArrayList)7
GeneralSecurityException (java.security.GeneralSecurityException)6
InvalidKeyException (java.security.InvalidKeyException)6
KeyStore (java.security.KeyStore)6
Certificate (java.security.cert.Certificate)6
IOException (java.io.IOException)5
KeyStoreException (java.security.KeyStoreException)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5
Date (java.util.Date)5
SuppressLint (android.annotation.SuppressLint)4
Principal (java.security.Principal)4
Calendar (java.util.Calendar)4
Test (org.junit.Test)4
FileNotFoundException (java.io.FileNotFoundException)3
CertificateFactory (java.security.cert.CertificateFactory)3
X509TrustManager (javax.net.ssl.X509TrustManager)3
