use of java.security.cert.CollectionCertStoreParameters in project xades4j by luisgoncalves.
the class PKIXCertificateValidationProvider method validate.
/**
 * Validates the certificate matched by {@code certSelector} by building a PKIX
 * certification path from it up to one of the configured trust anchors.
 * <p>
 * The path is built at {@code validationDate} from the certificates supplied in
 * {@code otherCerts} (e.g. those found in KeyInfo) plus the configured external
 * certificate/CRL stores, with the configured revocation setting, maximum path
 * length and signature provider.
 *
 * @param certSelector   selector for the certificate to validate (the target of the path)
 * @param validationDate the time at which the path must be valid
 * @param otherCerts     additional certificates the builder may use; may be {@code null}
 * @return the complete certification path (the trust anchor certificate appended last)
 *         and, when revocation checking is enabled, the CRLs used for that path
 * @throws CannotBuildCertificationPathException if the trust anchors cannot be read or no path can be built
 * @throws CannotSelectCertificateException      if the builder rejects the selector/parameters
 * @throws UnexpectedJCAException                if the JCA reports no provider for the "Collection" CertStore
 */
@Override
public ValidationData validate(X509CertSelector certSelector, Date validationDate, Collection<X509Certificate> otherCerts) throws CertificateValidationException, UnexpectedJCAException {
    final PKIXBuilderParameters params;
    try {
        params = new PKIXBuilderParameters(trustAnchors, certSelector);
    } catch (KeyStoreException e) {
        throw new CannotBuildCertificationPathException(certSelector, "Trust anchors KeyStore is not initialized", e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new CannotBuildCertificationPathException(certSelector, "Trust anchors KeyStore has no trusted certificate entries", e);
    }

    final PKIXCertPathBuilderResult result;
    try {
        // Certificates that came with the signature (e.g. from KeyInfo) are registered first.
        if (otherCerts != null) {
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(otherCerts)));
        }
        // Then the externally configured certificate/CRL stores, in their configured order.
        for (CertStore external : intermCertsAndCrls) {
            params.addCertStore(external);
        }
        params.setRevocationEnabled(revocationEnabled);
        params.setMaxPathLength(maxPathLength);
        params.setDate(validationDate);
        params.setSigProvider(this.signatureProvider);
        result = (PKIXCertPathBuilderResult) certPathBuilder.build(params);
    } catch (CertPathBuilderException e) {
        throw new CannotBuildCertificationPathException(certSelector, e.getMessage(), e);
    } catch (InvalidAlgorithmParameterException e) {
        // The builder rejected the parameters, i.e. the selector cannot be applied.
        throw new CannotSelectCertificateException(certSelector, e);
    } catch (NoSuchAlgorithmException e) {
        // The "Collection" CertStore type is always available; SHOULD NOT be thrown.
        throw new UnexpectedJCAException("No provider for Collection CertStore", e);
    }

    // The builder's path stops at the certificate issued by the trust anchor, but
    // property verification may need the whole chain, so the anchor is appended.
    // getCertificates() returns an immutable list; a PKIX path holds X.509 certificates only.
    @SuppressWarnings("unchecked")
    List<X509Certificate> builtPath = (List<X509Certificate>) result.getCertPath().getCertificates();
    List<X509Certificate> fullPath = new ArrayList<X509Certificate>(builtPath);
    fullPath.add(result.getTrustAnchor().getTrustedCert());

    return revocationEnabled
            ? new ValidationData(fullPath, getCRLsForCertPath(fullPath, validationDate))
            : new ValidationData(fullPath);
}
use of java.security.cert.CollectionCertStoreParameters in project santuario-java by apache.
the class XMLX509SKITest method testGetSKIBytesFromCert.
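/**
 * Checks that {@link XMLX509SKI#getSKIBytesFromCert} returns the certificate's
 * Subject Key Identifier: the bytes are DER-wrapped as an OCTET STRING and given
 * to {@link X509CertSelector#setSubjectKeyIdentifier}, which must then match
 * the very certificate they were taken from.
 */
@org.junit.Test
public void testGetSKIBytesFromCert() throws Exception {
    String relPath = "src/test/resources/ie/baltimore/merlin-examples/merlin-xmldsig-twenty-three/certs/lugh.crt";
    File f = (BASEDIR != null && !"".equals(BASEDIR)) ? new File(BASEDIR + SEP + relPath) : new File(relPath);

    // Close the stream once the certificate is parsed; the original left it open.
    X509Certificate cert;
    try (FileInputStream fis = new FileInputStream(f)) {
        cert = (X509Certificate) cf.generateCertificate(fis);
    }

    // Get subject key identifier from certificate
    byte[] skid = XMLX509SKI.getSKIBytesFromCert(cert);

    // X509CertSelector requires the DER encoding (OCTET STRING) of the identifier,
    // not the raw bytes. The single-byte (short-form) length used here is only
    // valid for up to 127 bytes; anything longer would need the long-form length.
    assertTrue("SKI longer than 127 bytes needs long-form DER length", skid.length < 128);
    byte[] encodedSkid = new byte[skid.length + 2];
    // OCTET STRING tag value
    encodedSkid[0] = 0x04;
    // short-form length
    encodedSkid[1] = (byte) skid.length;
    System.arraycopy(skid, 0, encodedSkid, 2, skid.length);

    // Match on the certificate using the skid, thereby testing that the returned skid was correct
    X509CertSelector xcs = new X509CertSelector();
    xcs.setSubjectKeyIdentifier(encodedSkid);
    CertStore cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(cert)));
    Collection<?> certs = cs.getCertificates(xcs);
    assertTrue(!certs.isEmpty());
}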
use of java.security.cert.CollectionCertStoreParameters in project i2p.i2p by i2p.
the class CertUtil method loadCRLs.
/**
 * Load CRLs from standard locations.
 *
 * The revocation directory is read under the base dir and, unless it is the
 * same directory, under the config dir as well.
 *
 * @return non-null, possibly empty
 * @since 0.9.25
 */
public static CertStore loadCRLs(I2PAppContext ctx) {
    Set<X509CRL> crls = new HashSet<X509CRL>(8);
    File baseRevocationDir = new File(new File(ctx.getBaseDir(), CERT_DIR), REVOCATION_DIR);
    loadCRLs(crls, baseRevocationDir);

    // Skip the config dir only when it is provably the same directory as the base dir;
    // if the canonical-path comparison itself fails, read both.
    boolean configDirDiffers;
    try {
        configDirDiffers = !ctx.getBaseDir().getCanonicalPath().equals(ctx.getConfigDir().getCanonicalPath());
    } catch (IOException ignored) {
        configDirDiffers = true;
    }
    if (configDirDiffers) {
        File configRevocationDir = new File(new File(ctx.getConfigDir(), CERT_DIR), REVOCATION_DIR);
        loadCRLs(crls, configRevocationDir);
    }

    try {
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    } catch (GeneralSecurityException gse) {
        // "Collection" is a CertStore type every platform must provide, so this shouldn't happen
        error("CertStore", gse);
        throw new UnsupportedOperationException(gse);
    }
}
use of java.security.cert.CollectionCertStoreParameters in project ovirt-engine by oVirt.
the class CertificateChain method buildCertPath.
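/**
 * Builds a CertPath object out of a chain candidate.
 * Throws CertPathBuilderException if no path can be built, among other exceptions.
 * <p>
 * Revocation checking is disabled and the path length is unbounded; the caller is
 * responsible for any revocation check it needs.
 * @param chain chain candidate, first end certificate last issuer; must hold at least the end certificate.
 * @param trustAnchors trust anchors to use.
 * @return CertPath
 * @throws IllegalArgumentException if chain is null or empty
 * @throws GeneralSecurityException if the path cannot be built or the PKIX parameters are invalid
 */
public static CertPath buildCertPath(List<Certificate> chain, Set<TrustAnchor> trustAnchors) throws GeneralSecurityException {
    if (chain == null || chain.isEmpty()) {
        throw new IllegalArgumentException("Certificate chain candidate must contain at least the end certificate");
    }
    // The first entry is the end certificate; the builder starts from it.
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate((X509Certificate) chain.get(0));

    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParams.setRevocationEnabled(false);
    // -1: no limit on the number of intermediate certificates in the path
    pkixParams.setMaxPathLength(-1);
    // The chain entries are the candidate issuers the builder may pick from.
    pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
    return CertPathBuilder.getInstance("PKIX").build(pkixParams).getCertPath();
}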
use of java.security.cert.CollectionCertStoreParameters in project oxAuth by GluuFederation.
the class PathCertificateVerifier method verifyCertificate.
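/**
 * Attempts to build a certification chain for given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 * <p>
 * The built path is additionally run through a PKIX CertPathValidator with the
 * same parameters. Revocation checking is disabled in both steps, so the caller
 * is responsible for any revocation check it needs.
 *
 * @param certificate       the end-entity certificate to verify
 * @param trustedRootCerts  root CA certificates accepted as trust anchors
 * @param intermediateCerts certificates the builder may use as intermediates
 * @return the builder result, holding the certification path and the trust anchor it ends at
 * @throws GeneralSecurityException if no path can be built or validated, or if no trust anchors are given
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
    // Selector for the starting certificate; -2 disables the basic constraints check on it
    X509CertSelector selector = new X509CertSelector();
    selector.setBasicConstraints(-2);
    selector.setCertificate(certificate);

    // Trust anchors from the root CA certificates (no name constraints)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // PKIX builder parameters; an empty trust anchor set is rejected here
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Turn off default revocation-checking mechanism
    pkixParams.setRevocationEnabled(false);
    // Intermediate certificates the builder may use to complete the chain
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

    // Additional check: validate the built path with the same parameters. The validator's
    // result is not needed (it was previously stored and never read); a failed validation
    // surfaces as an exception.
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
    return certPathBuilderResult;
}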