
Example 51 with PKIXBuilderParameters

Use of java.security.cert.PKIXBuilderParameters in project tomcat70 by apache.

Class JSSESocketFactory, method getParameters.

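/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 * <p>
 * The CRLs read from {@code crlf} are wrapped in a {@code Collection}
 * {@link CertStore} and attached to the builder parameters, and revocation
 * checking is switched on, so the PKIX validator consults those CRLs for
 * every certificate in the chain. With revocation enabled, a certificate
 * whose issuer has no CRL in the store will normally fail validation rather
 * than be accepted, which is the fail-closed behavior wanted once a CRL
 * file has been configured.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is anything other than
 *         <code>PKIX</code>
 * @throws Exception if the CRL file cannot be read or the parameters
 *         cannot be built
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    // An empty selector matches any certificate, so the builder may start
    // from whichever end-entity certificate the peer presents.
    PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    CertStore store = CertStore.getInstance("Collection", csp);
    xparams.addCertStore(store);
    xparams.setRevocationEnabled(true);
    String trustLength = endpoint.getTrustMaxCertLength();
    if (trustLength != null) {
        try {
            // PKIXParameters.setMaxPathLength: -1 means unlimited; any other
            // negative value is rejected with InvalidParameterException, which
            // (like NumberFormatException) is an IllegalArgumentException.
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (IllegalArgumentException ex) {
            // Keep the provider default rather than abort the connector, but
            // record why. Narrowed from a blanket Exception so that unrelated
            // failures are no longer hidden behind this message.
            log.warn("Bad maxCertLength: " + trustLength, ex);
        }
    }
    return xparams;
}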

Example 52 with PKIXBuilderParameters

Use of java.security.cert.PKIXBuilderParameters in project testcases by coheigea.

Class TLSOCSPCertTest, method testTLSOCSPPass.

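/**
 * A TLS handshake against the OCSP-enabled port must succeed when the
 * responder certificate is pinned through the {@code ocsp.responderCert*}
 * security properties and the client's PKIX trust manager has revocation
 * checking switched on.
 * <p>
 * The {@code ocsp.*} values are JVM-wide {@link Security} properties: they
 * are set before the bus is created and cleared again in {@code finally} so
 * that they cannot leak into other tests running in the same JVM.
 * <p>
 * {@code setDisableCNCheck(true)} turns off client-side hostname
 * verification; that is acceptable only in this local test setup and must
 * not be copied into production clients.
 */
@org.junit.Test
public void testTLSOCSPPass() throws Exception {
    try {
        Security.setProperty("ocsp.responderURL", "http://localhost:12345");
        Security.setProperty("ocsp.enable", "true");
        Security.setProperty("ocsp.responderCertIssuerName", "CN=Werner, OU=Apache WSS4J, O=Home, L=Munich, ST=Bayern, C=DE");
        Security.setProperty("ocsp.responderCertSerialNumber", "1b");
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = TLSOCSPCertTest.class.getResource("cxf-client.xml");
        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);
        URL wsdl = TLSOCSPCertTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTLSOCSPPort");
        DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
        updateAddressPort(transportPort, PORT);
        // Configure TLS
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // KeyStore.load leaves the stream open for the caller; close it once
        // the store has been read so the test does not leak a handle.
        java.io.InputStream trustStoreStream = ClassLoaderUtils.getResourceAsStream("clientstoreocsp.jks", this.getClass());
        try {
            keyStore.load(trustStoreStream, "cspass".toCharArray());
        } finally {
            if (trustStoreStream != null) {
                trustStoreStream.close();
            }
        }
        // Revocation checking on the PKIX parameters is what makes the JSSE
        // trust manager actually query the OCSP responder configured above.
        PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);
        tmf.init(new CertPathTrustManagerParameters(param));
        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setDisableCNCheck(true);
        Client client = ClientProxy.getClient(transportPort);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);
        doubleIt(transportPort, 25);
    } finally {
        Security.setProperty("ocsp.responderURL", "");
        Security.setProperty("ocsp.enable", "false");
        Security.setProperty("ocsp.responderCertIssuerName", "");
        Security.setProperty("ocsp.responderCertSerialNumber", "");
    }
}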

Example 53 with PKIXBuilderParameters

Use of java.security.cert.PKIXBuilderParameters in project testcases by coheigea.

Class TLSOCSPCertTest, method testTLSOCSPFail.

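/**
 * A TLS handshake against the OCSP-enabled port must be rejected when the
 * OCSP response is signed by a certificate the client has not been told to
 * trust: unlike the passing case, {@code ocsp.responderCertIssuerName} and
 * {@code ocsp.responderCertSerialNumber} are deliberately left unset here.
 * <p>
 * The {@code ocsp.*} values are JVM-wide {@link Security} properties and
 * are cleared in {@code finally} so that they cannot leak into other tests.
 * {@code setDisableCNCheck(true)} turns off client-side hostname
 * verification and is acceptable only in this local test setup.
 */
@org.junit.Test
public void testTLSOCSPFail() throws Exception {
    try {
        Security.setProperty("ocsp.responderURL", "http://localhost:12345");
        Security.setProperty("ocsp.enable", "true");
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = TLSOCSPCertTest.class.getResource("cxf-client.xml");
        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);
        URL wsdl = TLSOCSPCertTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTLSOCSPPort");
        DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
        updateAddressPort(transportPort, PORT);
        // Configure TLS
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // KeyStore.load leaves the stream open for the caller; close it once
        // the store has been read so the test does not leak a handle.
        java.io.InputStream trustStoreStream = ClassLoaderUtils.getResourceAsStream("clientstoreocsp.jks", this.getClass());
        try {
            keyStore.load(trustStoreStream, "cspass".toCharArray());
        } finally {
            if (trustStoreStream != null) {
                trustStoreStream.close();
            }
        }
        // Revocation checking on the PKIX parameters is what makes the JSSE
        // trust manager actually query the OCSP responder configured above.
        PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);
        tmf.init(new CertPathTrustManagerParameters(param));
        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setDisableCNCheck(true);
        Client client = ClientProxy.getClient(transportPort);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);
        doubleIt(transportPort, 25);
        fail("Failure expected due to unknown OCSP response certificate");
    } catch (Exception ex) {
        // expected
        // NOTE(review): any Exception satisfies this test, including one caused
        // by a misconfigured bus or an unreachable server rather than by OCSP;
        // inspecting the cause chain would pin the intended failure. The
        // AssertionError thrown by fail() is not an Exception and propagates.
    } finally {
        Security.setProperty("ocsp.responderURL", "");
        Security.setProperty("ocsp.enable", "false");
    }
}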

Example 54 with PKIXBuilderParameters

Use of java.security.cert.PKIXBuilderParameters in project testcases by coheigea.

Class TLSOCSPTest, method testTLSOCSPPass.

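/**
 * A TLS handshake against the OCSP-enabled port must succeed when the
 * client's PKIX trust manager has revocation checking switched on and the
 * OCSP responder at {@code localhost:12345} vouches for the server chain.
 * <p>
 * {@code ocsp.responderURL} and {@code ocsp.enable} are JVM-wide
 * {@link Security} properties: they are set before the bus is created and
 * cleared again in {@code finally} so that they cannot leak into other
 * tests running in the same JVM.
 * <p>
 * {@code setDisableCNCheck(true)} turns off client-side hostname
 * verification; that is acceptable only in this local test setup and must
 * not be copied into production clients.
 */
@org.junit.Test
public void testTLSOCSPPass() throws Exception {
    try {
        Security.setProperty("ocsp.responderURL", "http://localhost:12345");
        Security.setProperty("ocsp.enable", "true");
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = TLSOCSPTest.class.getResource("cxf-client.xml");
        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);
        URL wsdl = TLSOCSPTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTLSOCSPPort");
        DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
        updateAddressPort(transportPort, PORT);
        // Configure TLS
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // KeyStore.load leaves the stream open for the caller; close it once
        // the store has been read so the test does not leak a handle.
        java.io.InputStream trustStoreStream = ClassLoaderUtils.getResourceAsStream("clientstore.jks", this.getClass());
        try {
            keyStore.load(trustStoreStream, "cspass".toCharArray());
        } finally {
            if (trustStoreStream != null) {
                trustStoreStream.close();
            }
        }
        // Revocation checking on the PKIX parameters is what makes the JSSE
        // trust manager actually query the OCSP responder configured above.
        PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);
        tmf.init(new CertPathTrustManagerParameters(param));
        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setDisableCNCheck(true);
        Client client = ClientProxy.getClient(transportPort);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);
        doubleIt(transportPort, 25);
    } finally {
        Security.setProperty("ocsp.responderURL", "");
        Security.setProperty("ocsp.enable", "false");
    }
}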

Example 55 with PKIXBuilderParameters

Use of java.security.cert.PKIXBuilderParameters in project zookeeper by apache.

Class X509Util, method createTrustManager.

/**
 * Builds an {@link X509TrustManager} backed by the trust store at the given
 * location, wrapped in a {@code ZKTrustManager} that adds the requested
 * hostname verification on top of the JSSE PKIX checks.
 * <p>
 * Revocation checking is enabled whenever CRL or OCSP checks are requested.
 * Doing so also sets the {@code com.sun.net.ssl.checkRevocation} and
 * {@code com.sun.security.enableCRLDP} system properties and, for OCSP,
 * the {@code ocsp.enable} security property. These are JVM-wide and are
 * never reset by this method, so they outlive the returned trust manager
 * and affect every other TLS context in the process.
 *
 * @param trustStoreLocation the location of the trust store file.
 * @param trustStorePassword optional password to decrypt the trust store
 *                           (only applies to JKS trust stores). If empty
 *                           or {@code null}, the store is assumed not to be
 *                           encrypted.
 * @param trustStoreTypeProp must be JKS, PEM, PKCS12, BCFKS or null. If
 *                           null, attempts to autodetect the trust store
 *                           type from the file extension (e.g. .jks / .pem).
 * @param crlEnabled enable CRL (certificate revocation list) checks.
 * @param ocspEnabled enable OCSP (online certificate status protocol)
 *                    checks.
 * @param serverHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote servers that client
 *                                          sockets created by this
 *                                          X509Util connect to.
 * @param clientHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote clients that server
 *                                          sockets created by this
 *                                          X509Util accept connections
 *                                          from.
 * @return the trust manager.
 * @throws TrustManagerException if the store cannot be loaded, the PKIX
 *         parameters are rejected, or the PKIX factory yields no
 *         {@code X509ExtendedTrustManager}.
 */
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, final boolean serverHostnameVerificationEnabled, final boolean clientHostnameVerificationEnabled) throws TrustManagerException {
    final String password = trustStorePassword == null ? "" : trustStorePassword;
    final boolean revocationChecksWanted = crlEnabled || ocspEnabled;
    try {
        KeyStore trustStore = loadTrustStore(trustStoreLocation, password, trustStoreTypeProp);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // PKIXParameters enables revocation by default, so the flag is set
        // explicitly in both directions.
        pkixParams.setRevocationEnabled(revocationChecksWanted);
        if (revocationChecksWanted) {
            // JVM-wide switches read by the JSSE/PKIX implementation.
            // NOTE(review): enableCRLDP is turned on even when only OCSP was
            // requested; presumably intended as a fallback — confirm.
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            if (ocspEnabled) {
                Security.setProperty("ocsp.enable", "true");
            }
        }
        // Revocation checking is only supported with the PKIX algorithm
        TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
        factory.init(new CertPathTrustManagerParameters(pkixParams));
        for (final TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509ExtendedTrustManager) {
                return new ZKTrustManager((X509ExtendedTrustManager) candidate, serverHostnameVerificationEnabled, clientHostnameVerificationEnabled);
            }
        }
        throw new TrustManagerException("Couldn't find X509TrustManager");
    } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
        throw new TrustManagerException(e);
    }
}
