
Example 46 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project cloudstack by apache.

the class CertServiceImpl method validateChain.

/**
 * Checks that a PKIX certification path can be built for {@code cert} out of the certificates
 * handed in by the caller.
 *
 * <p>Security note: every supplied certificate, including {@code cert} itself, is registered as a
 * trust anchor, and revocation checking is switched off. A successful build therefore only shows
 * that the supplied certificates fit together. It does not show that the chain ends at a CA that
 * is trusted independently of this input, and it says nothing about revocation status.
 *
 * @param chain further certificates accompanying {@code cert}; each must be an X.509 certificate
 * @param cert the certificate the path is built for; must be an X.509 certificate
 * @throws IllegalArgumentException if any supplied certificate is not an {@link X509Certificate}
 * @throws IllegalStateException if the path cannot be built, or the PKIX parameters or algorithm
 *     are rejected
 * @throws CloudRuntimeException if the "BC" provider is not registered
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    // Candidate pool: the target certificate first (so a self-signed one can anchor itself),
    // followed by whatever chain the caller supplied.
    final List<Certificate> candidates = new ArrayList<Certificate>();
    candidates.add(cert);
    candidates.addAll(chain);

    // All candidates double as trust anchors; see the security note in the method comment.
    final Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (final Certificate candidate : candidates) {
        if (candidate instanceof X509Certificate) {
            trustAnchors.add(new TrustAnchor((X509Certificate) candidate, null));
        } else {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
    }

    // The cast is safe: cert is part of the candidates checked above.
    final X509CertSelector leafSelector = new X509CertSelector();
    leafSelector.setCertificate((X509Certificate) cert);

    try {
        final PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustAnchors, leafSelector);
        // No CRL/OCSP lookups: a revoked certificate is not detected here.
        builderParams.setRevocationEnabled(false);
        final CertStore pool = CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
        builderParams.addCertStore(pool);
        // Only the success or failure of the build matters; the resulting path is discarded.
        CertPathBuilder.getInstance("PKIX", "BC").build(builderParams);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) ArrayList(java.util.ArrayList) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) X509Certificate(java.security.cert.X509Certificate) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) CertPathBuilder(java.security.cert.CertPathBuilder) NoSuchProviderException(java.security.NoSuchProviderException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate) HashSet(java.util.HashSet)

Example 47 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project jdk8u_jdk by JetBrains.

the class ValidateNC method main.

/**
 * Runs two negative checks and fails unless both are rejected with an
 * {@link InvalidAlgorithmParameterException}: validating the path created from the two
 * certificate files, and building a path for a selector whose subject is {@code cn=sean}.
 *
 * <p>The reason the parameters are expected to be rejected is set up outside this method
 * ({@code createPath}, {@code params}, {@code anchors}) and is not visible here.
 *
 * @param args unused
 * @throws Exception if either call is accepted, or fails with a different exception
 */
public static void main(String[] args) throws Exception {
    createPath(new String[] { "sun2labs2.cer", "labs2isrg2.cer" });

    // Check 1: the validator must refuse the parameters.
    boolean validatorRejected = false;
    try {
        validate(path, params);
    } catch (InvalidAlgorithmParameterException expected) {
        validatorRejected = true;
    }
    if (!validatorRejected) {
        throw new Exception("CertPathValidator should have thrown an " + "InvalidAlgorithmParameterException");
    }

    // Check 2: the builder must refuse them as well. Constructing the parameters stays inside the
    // try because the constructor can itself throw InvalidAlgorithmParameterException.
    boolean builderRejected = false;
    try {
        X509CertSelector subjectSelector = new X509CertSelector();
        subjectSelector.setSubject("cn=sean");
        PKIXBuilderParameters builderParams = new PKIXBuilderParameters(anchors, subjectSelector);
        build(builderParams);
    } catch (InvalidAlgorithmParameterException expected) {
        builderRejected = true;
    }
    if (!builderRejected) {
        throw new Exception("CertPathBuilder should have thrown an " + "InvalidAlgorithmParameterException");
    }
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) IOException(java.io.IOException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)

Example 48 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project jdk8u_jdk by JetBrains.

the class NoExtensions method doBuild.

/**
 * Builds a certification path for {@code userCert} with the "SUN" PKIX builder, using the single
 * certificate returned by {@code getTrustedCertificate()} as the only trust anchor.
 *
 * <p>Revocation checking is disabled, so the build does not consult CRLs or OCSP.
 *
 * @param userCert the end-entity certificate to build a path for
 * @throws Exception if the certificate store, the builder or the path build fails
 */
private void doBuild(X509Certificate userCert) throws Exception {
    // Trust anchors: exactly one trusted CA certificate in this test.
    HashSet<TrustAnchor> anchorSet = new HashSet<TrustAnchor>();
    X509Certificate caCert = getTrustedCertificate();
    anchorSet.add(new TrustAnchor(caCert, null));

    // Certificate repository the builder may draw from (no CRLs are added).
    ArrayList<X509Certificate> pool = new ArrayList<X509Certificate>();
    pool.add(caCert);
    pool.add(userCert);
    CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool));

    // Target selection: match the exact certificate and, additionally, its subject name
    // (the original author noted the subject criterion "seems to be required").
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setCertificate(userCert);
    targetSelector.setSubject(userCert.getSubjectDN().getName());

    // Build the path with the provider pinned to "SUN".
    CertPathBuilder pkixBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
    PKIXBuilderParameters builderParams = new PKIXBuilderParameters(anchorSet, targetSelector);
    builderParams.addCertStore(store);
    builderParams.setRevocationEnabled(false);
    CertPathBuilderResult outcome = pkixBuilder.build(builderParams);

    // The path is fetched but deliberately not printed; a successful build is the test result.
    CertPath builtPath = outcome.getCertPath();
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) ArrayList(java.util.ArrayList) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath) CertStore(java.security.cert.CertStore) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)

Example 49 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project jdk8u_jdk by JetBrains.

the class BuildOddSel method createParams.

/**
 * Initialises the shared {@code sel} and {@code params}: a single trust anchor loaded from
 * {@code sun.cer}, an {@code OddSel} selector, and builder parameters with revocation checking
 * switched off.
 *
 * @throws Exception if the anchor certificate cannot be loaded or the parameters are rejected
 */
public static void createParams() throws Exception {
    Set<TrustAnchor> anchors =
            Collections.singleton(new TrustAnchor(getCertFromFile("sun.cer"), null));
    // The unusual selector under test.
    sel = new OddSel();
    PKIXBuilderParameters builderParams = new PKIXBuilderParameters(anchors, sel);
    // No CRL/OCSP lookups during the build.
    builderParams.setRevocationEnabled(false);
    params = builderParams;
}
Also used : Set(java.util.Set) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) TrustAnchor(java.security.cert.TrustAnchor)

Example 50 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project Spark by igniterealtime.

the class SparkExceptionsTrustManager method validatePath.

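/**
 * Builds and validates a certification path from the last certificate of {@code chain} to a trust
 * anchor taken from {@code allStore}. This path is used for certificates on the exceptions list:
 * revocation is not checked, and the selector is told not to filter on validity dates.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only {@code chain[chain.length - 1]} is tied to a trust anchor here. This method does not
 *       check how the earlier elements of {@code chain} link to it; confirm that the caller does.</li>
 *   <li>{@code setCertificateValid(null)} removes the validity criterion from the selector only.
 *       NOTE(review): the PKIX validator still evaluates the validity periods of path certificates
 *       against the parameters' date (current time when unset); confirm this matches the intent
 *       that time validity is not enforced for exempted certificates.</li>
 * </ul>
 *
 * @param chain certificate chain presented by the peer; must contain at least one certificate
 * @throws NoSuchAlgorithmException if no PKIX builder or validator implementation is available
 * @throws KeyStoreException if {@code allStore} cannot be read
 * @throws InvalidAlgorithmParameterException if the builder parameters are rejected
 * @throws CertPathValidatorException if the built path does not validate
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 * @throws CertificateException if {@code chain} is null or empty, or the validated path reports no
 *     trusted certificate
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    // Fail closed with a checked exception instead of an index error on an empty chain.
    if (chain == null || chain.length == 0) {
        throw new CertificateException("Certificate chain is empty");
    }
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(chain[chain.length - 1]);
    // the selector does not filter on validity dates, as the certificate is on the exceptions list
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // no revocation (CRL/OCSP) checks, as the certificate is on the exceptions list
    parameters.setRevocationEnabled(false);
    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    // Re-validate the built path with the same parameters to obtain the anchor that was used.
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
    if (trustedCert == null) {
        throw new CertificateException("Certificate path failed");
    } else {
        Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
    }
}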
Also used : CertPathValidator(java.security.cert.CertPathValidator) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) CertificateException(java.security.cert.CertificateException) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath) X509Certificate(java.security.cert.X509Certificate)

Aggregations

PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)66 X509CertSelector (java.security.cert.X509CertSelector)55 CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)33 X509Certificate (java.security.cert.X509Certificate)29 CertPathBuilder (java.security.cert.CertPathBuilder)23 TrustAnchor (java.security.cert.TrustAnchor)21 HashSet (java.util.HashSet)19 KeyStore (java.security.KeyStore)17 CertStore (java.security.cert.CertStore)17 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)16 CertPathTrustManagerParameters (javax.net.ssl.CertPathTrustManagerParameters)15 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)14 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)13 ArrayList (java.util.ArrayList)13 CertPathBuilderException (java.security.cert.CertPathBuilderException)12 CertPathBuilderResult (java.security.cert.CertPathBuilderResult)11 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)11 IOException (java.io.IOException)10 CertPath (java.security.cert.CertPath)10 CertificateException (java.security.cert.CertificateException)10