
Example 31 with CollectionCertStoreParameters

use of java.security.cert.CollectionCertStoreParameters in project cxf by apache.

the class TrustedAuthorityValidator method isCertificateChainValid.

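/**
 * Checks if a certificate chain is signed by a trusted authority.
 * <p>
 * The certification path is first built with revocation checking switched
 * off, and the resulting path is then validated with revocation checking set
 * to {@code enableRevocation}. When revocation checking is on, the CRLs held
 * by {@code certRepo} are supplied to the validator through an additional
 * {@code Collection} cert store. Every failure is logged at WARNING level and
 * reported as {@code false}; nothing is thrown to the caller.
 *
 * @param certificates to check; the first element is the target certificate,
 *                     the remaining elements are candidate intermediates
 * @return the validity state of the certificate; {@code false} when the chain
 *         is {@code null} or empty, the path cannot be built, or validation
 *         fails
 */
boolean isCertificateChainValid(List<X509Certificate> certificates) {
    // Without a target certificate there is nothing to validate; report the
    // chain as untrusted rather than letting get(0) throw out of the method.
    if (certificates == null || certificates.isEmpty()) {
        LOG.log(Level.WARNING, "Certificate chain validation failed: no certificates were supplied.");
        return false;
    }
    X509Certificate targetCert = certificates.get(0);
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(targetCert);
    try {
        List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
        List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
        Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
        // Both the repository's CA certificates and the supplied chain are
        // made available to the builder as candidate issuers.
        CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
        CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
        pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
        // Revocation is checked during validation below, not while building.
        pkixParams.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath certPath = builder.build(pkixParams).getCertPath();
        // Now validate the CertPath (including CRL checking)
        pkixParams.setRevocationEnabled(enableRevocation);
        if (enableRevocation) {
            List<X509CRL> crls = certRepo.getCRLs();
            if (!crls.isEmpty()) {
                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, pkixParams);
    } catch (InvalidAlgorithmParameterException e) {
        LOG.log(Level.WARNING, "Invalid algorithm parameter by certificate chain validation. " + "It is likely that issuer certificates are not found in XKMS trusted storage. " + e.getMessage(), e);
        return false;
    } catch (NoSuchAlgorithmException e) {
        LOG.log(Level.WARNING, "Unknown algorithm by trust chain validation: " + e.getMessage(), e);
        return false;
    } catch (CertPathBuilderException e) {
        LOG.log(Level.WARNING, "Cannot build certification path: " + e.getMessage(), e);
        return false;
    } catch (CertPathValidatorException e) {
        // Message typo fixed ("vaidate" -> "validate").
        LOG.log(Level.WARNING, "Cannot validate certification path: " + e.getMessage(), e);
        return false;
    }
    return true;
}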

Example 32 with CollectionCertStoreParameters

use of java.security.cert.CollectionCertStoreParameters in project cxf by apache.

the class KeyManagementUtils method validateCertificateChain.

/**
 * Builds and validates the certification path for {@code inCerts} against
 * the trust anchors contained in {@code ks}.
 * <p>
 * The path is built with revocation checking disabled and no path-length
 * limit; the resulting path is then validated with revocation checking set to
 * {@code enableRevocation}. Any failure is logged and rethrown wrapped in a
 * {@code JoseException}.
 *
 * @param ks               key store whose trusted entries act as trust anchors
 * @param inCerts          the chain to validate; the first element is the target
 * @param enableRevocation whether revocation is checked during validation
 * @throws JoseException if the path cannot be built or validated
 */
private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(inCerts.get(0));

        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, targetSelector);
        CollectionCertStoreParameters chainParams = new CollectionCertStoreParameters(inCerts);
        params.addCertStore(CertStore.getInstance("Collection", chainParams));
        // -1 removes the limit on the number of intermediate certificates.
        params.setMaxPathLength(-1);

        // Build without revocation checking; revocation is applied only when
        // the built path is validated.
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPathBuilderResult built = builder.build(params);
        params.setRevocationEnabled(enableRevocation);

        CertPath path = built.getCertPath();
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(path, params);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}

Example 33 with CollectionCertStoreParameters

use of java.security.cert.CollectionCertStoreParameters in project Payara by payara.

the class BaseContainerCallbackHandler method processCertStore.

/**
 * Handles a JASPIC {@code CertStoreCallback} by exposing every certificate
 * entry of the merged trust store as a {@code Collection} cert store.
 * <p>
 * If the merged trust store is absent the callback is first given
 * {@code null}, then an empty cert store is built and set. Aliases whose
 * certificate cannot be read are skipped. If the store cannot be enumerated
 * or the cert store cannot be instantiated, the problem is logged at FINE
 * level and the callback is left untouched.
 *
 * @param certStoreCallback the callback to populate
 */
private void processCertStore(CertStoreCallback certStoreCallback) {
    _logger.log(Level.FINE, "JASPIC: In CertStoreCallback Processor");
    KeyStore trustStore = sslUtils.getMergedTrustStore();
    if (trustStore == null) {
        // should never happen
        certStoreCallback.setCertStore(null);
    }
    try {
        List<Certificate> trustedEntries = trustStore == null
                ? new ArrayList<Certificate>()
                : collectTrustStoreCertificateEntries(trustStore);
        CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(trustedEntries);
        CertStore collectionStore = CertStore.getInstance("Collection", storeParams);
        certStoreCallback.setCertStore(collectionStore);
    } catch (KeyStoreException kse) {
        _logger.log(FINE, "JASPIC:  Cannot determine truststore aliases", kse);
    } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException iape) {
        _logger.log(FINE, "JASPIC:  Cannot instantiate CertStore", iape);
    }
}

/**
 * Collects the certificate of every certificate entry in {@code trustStore}.
 * Entries whose certificate cannot be retrieved are logged at FINE level and
 * skipped.
 *
 * @param trustStore the store to read
 * @return the certificates found, in alias enumeration order
 * @throws KeyStoreException if the aliases cannot be enumerated
 */
private List<Certificate> collectTrustStoreCertificateEntries(KeyStore trustStore) throws KeyStoreException {
    List<Certificate> entries = new ArrayList<Certificate>();
    Enumeration<String> aliases = trustStore.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        if (!trustStore.isCertificateEntry(alias)) {
            continue;
        }
        try {
            entries.add(trustStore.getCertificate(alias));
        } catch (KeyStoreException kse) {
            // ignore and move to next
            if (_logger.isLoggable(FINE)) {
                _logger.log(FINE, "JASPIC: Cannot retrieve certificate for alias " + alias);
            }
        }
    }
    return entries;
}

Example 34 with CollectionCertStoreParameters

use of java.security.cert.CollectionCertStoreParameters in project jetty.project by eclipse.

the class CertificateValidator method validate.

/**
 * Validates a certificate chain against the configured trust store.
 * <p>
 * Null entries in {@code certChain} are skipped; any other non-X.509 entry
 * or an empty chain is rejected. The first remaining certificate is the
 * target. A PKIX path is built with the configured maximum path length,
 * revocation checking always enabled, and the configured static CRLs (if
 * any); the built path is then validated with the same parameters.
 * <p>
 * When OCSP or CRLDP is enabled, this method sets the corresponding
 * {@code Security}/{@code System} property. Those properties are JVM-wide
 * and are not reset afterwards, so they affect every other PKIX user in the
 * process as well.
 *
 * @param certChain the chain to validate, target first
 * @throws CertificateException   if the path cannot be built or validated
 * @throws IllegalStateException  if the chain is empty or holds a non-X.509
 *                                certificate
 */
public void validate(Certificate[] certChain) throws CertificateException {
    try {
        ArrayList<X509Certificate> x509Chain = new ArrayList<>();
        for (Certificate entry : certChain) {
            if (entry instanceof X509Certificate) {
                x509Chain.add((X509Certificate) entry);
            } else if (entry != null) {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
        }
        if (x509Chain.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }

        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(x509Chain.get(0));

        // Configure certification path builder parameters
        PKIXBuilderParameters params = new PKIXBuilderParameters(_trustStore, targetSelector);
        CollectionCertStoreParameters chainParams = new CollectionCertStoreParameters(x509Chain);
        params.addCertStore(CertStore.getInstance("Collection", chainParams));
        // Set maximum certification path length
        params.setMaxPathLength(_maxCertPathLength);
        // Enable revocation checking
        params.setRevocationEnabled(true);
        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty()) {
            CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(_crls);
            params.addCertStore(CertStore.getInstance("Collection", crlParams));
        }
        // Enable On-Line Certificate Status Protocol (OCSP) support (JVM-wide)
        if (_enableOCSP) {
            Security.setProperty("ocsp.enable", "true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support (JVM-wide)
        if (_enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }

        // Build, then validate, the certification path
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPathBuilderResult built = builder.build(params);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(built.getCertPath(), params);
    } catch (GeneralSecurityException gse) {
        LOG.debug(gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}

Example 35 with CollectionCertStoreParameters

use of java.security.cert.CollectionCertStoreParameters in project robovm by robovm.

the class CollectionCertStoreParametersTest method testClone02.

/**
     * Test #2 for <code>clone()</code> method<br>
     * Verifies that <code>clone()</code> is shallow with respect to the
     * wrapped collection: the clone returns the very same collection instance.
     */
public final void testClone02() {
    Vector<Certificate> backing = new Vector<Certificate>();
    Certificate sample = new MyCertificate("TEST", new byte[] { (byte) 4 });
    backing.add(sample);
    CollectionCertStoreParameters original = new CollectionCertStoreParameters(backing);
    Object copy = original.clone();
    CollectionCertStoreParameters cloned = (CollectionCertStoreParameters) copy;
    // check that both objects hold the same reference
    boolean sameCollection = original.getCollection() == cloned.getCollection();
    assertTrue(sameCollection);
}
