
Example 61 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project mule by mulesoft.

Method configFor of class CrlFile.

/**
 * Builds the PKIX trust-manager parameters for a {@code tls:crl-file} element.
 *
 * <p>Revocation checking is switched on and the CRLs read from {@code path} are registered as a
 * {@code CertStore}, so the resulting trust manager consults them during path validation. The
 * trust anchors are derived from {@code trustStore} via {@code getTrustAnchorsFromKeyStore};
 * {@code defaultTrustAnchors} is not used by this implementation.
 *
 * <p>Security note: if {@code loadCRL} yields no CRLs, revocation stays enabled but no CRL source
 * is registered. Under the JDK defaults (no soft-fail) a certificate whose revocation status cannot
 * be determined is rejected, so an empty or missing CRL file fails closed rather than silently
 * skipping the check. TODO confirm this is the intended behaviour for that configuration.
 *
 * @param trustStore          key store holding the trusted CA certificates (required)
 * @param defaultTrustAnchors unused by this implementation
 * @return parameters to initialise a PKIX {@code TrustManagerFactory}
 * @throws IllegalArgumentException when {@code path} or {@code trustStore} is null
 * @throws RuntimeException wrapping any I/O or security error raised while reading the CRL file or
 *                          assembling the parameters (the cause is preserved)
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        Set<TrustAnchor> anchors = getTrustAnchorsFromKeyStore(trustStore);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        // Programmatic counterpart of the com.sun.net.ssl.checkRevocation system property,
        // scoped to this trust manager only.
        params.setRevocationEnabled(true);
        Collection<? extends CRL> revocationLists = loadCRL(path);
        boolean hasCrls = revocationLists != null && !revocationLists.isEmpty();
        if (hasCrls) {
            CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(revocationLists);
            params.addCertStore(CertStore.getInstance("Collection", storeParams));
        }
        return new CertPathTrustManagerParameters(params);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) IOException(java.io.IOException)

Example 62 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project mule by mulesoft.

Method configFor of class CustomOcspResponder.

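/**
 * Builds the PKIX trust-manager parameters for a {@code tls:custom-ocsp-responder} element.
 *
 * <p>A {@link PKIXRevocationChecker} is configured to query the responder at {@code url} (and,
 * when {@code certAlias} is set, to verify responses with the certificate stored under that alias
 * in {@code trustStore}) and is attached to the PKIX parameters. Per the JDK contract for
 * {@code PKIXRevocationChecker}, a checker added this way performs revocation checking for the
 * resulting trust manager regardless of the {@code RevocationEnabled} flag.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@code NO_FALLBACK} disables the CRL fallback, so revocation status comes from the
 *       configured OCSP responder only.</li>
 *   <li>{@code SOFT_FAIL} is not set, so an unreachable responder or an undetermined status fails
 *       path validation (fail closed) instead of being ignored.</li>
 *   <li>{@code defaultTrustAnchors} is not used; the anchors are the trusted entries of
 *       {@code trustStore}.</li>
 * </ul>
 *
 * @param trustStore          key store holding the trusted CA certificates (required)
 * @param defaultTrustAnchors unused by this implementation
 * @return parameters to initialise a PKIX {@code TrustManagerFactory}
 * @throws IllegalArgumentException when {@code url} or {@code trustStore} is null
 * @throws IllegalStateException when {@code certAlias} is set but is not a certificate entry of
 *                               {@code trustStore}
 * @throws RuntimeException wrapping a malformed {@code url} or a security error raised while
 *                          assembling the parameters (the cause is preserved)
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // OCSP only: never fall back to CRLs when the responder cannot be reached.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // 'url' is guaranteed non-null by the checkArgument above; the former second null test
        // was an unreachable branch.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            // Pin the certificate used to verify OCSP responses to this trusted entry.
            rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}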
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI)

Example 63 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project Openfire by igniterealtime.

Method testChain of class KeystoreTestUtils.

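/**
 * Validates a certificate chain with the JDK's PKIX {@link CertPathBuilder}. It is provided as an
 * independent reference implementation against which the certificate chain validation mechanisms
 * under test can be compared.
 *
 * The first certificate in the chain is expected to be the end-entity certificate; the last one is
 * used as the sole trust anchor, so it is expected to be the root CA certificate. Any certificates
 * in between are offered to the builder as intermediates.
 *
 * Security caveats (this is a test helper, not a trust decision):
 * - The trust anchor is taken from the chain itself, so this checks that the chain is well-formed
 *   and correctly signed, not that its root is trusted by anyone.
 * - Revocation checking is disabled; CRL/OCSP status is not consulted here.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws IllegalArgumentException When the chain is null or empty.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain(X509Certificate[] chain) throws Exception {
    // Reject bad input explicitly instead of failing with an ArrayIndexOutOfBounds/NPE below.
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("chain cannot be null or empty");
    }
    // The end-entity certificate is the target the path must start from
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(chain[0]);
    // The last certificate of the chain is the only trust anchor (no name constraints)
    Set<TrustAnchor> trustAnchors = new HashSet<>();
    trustAnchors.add(new TrustAnchor(chain[chain.length - 1], null));
    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (revocation is handled manually as a separate step)
    pkixParams.setRevocationEnabled(false);
    // Everything between the end-entity and the root is made available as an intermediate
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i = 1; i < chain.length - 1; i++) {
        intermediateCerts.add(chain[i]);
    }
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(pkixParams);
    return result;
}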
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) CertStore(java.security.cert.CertStore) HashSet(java.util.HashSet) X509Certificate(java.security.cert.X509Certificate)

Example 64 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project neo4j by neo4j.

Method createTrustManagerFactory of class SslPolicyLoader.

/**
 * Creates the {@link TrustManagerFactory} used to verify peer certificates.
 *
 * <p>Three configurations are possible:
 * <ul>
 *   <li>{@code trustAll}: Netty's {@code InsecureTrustManagerFactory}, which accepts any peer
 *       certificate. This disables authentication of the remote side entirely and must only be
 *       used where that is an explicit, understood choice.</li>
 *   <li>CRLs supplied: PKIX validation against {@code trustStore} with revocation checking
 *       enabled and the given CRLs registered as the revocation source. Under the JDK defaults
 *       (no soft-fail) a certificate whose revocation status cannot be determined from the
 *       available data is rejected, i.e. this fails closed.</li>
 *   <li>No CRLs: plain validation against {@code trustStore} with no revocation checking.</li>
 * </ul>
 *
 * @param trustAll   whether to trust every peer certificate without verification
 * @param crls       revocation lists to enforce; may be empty, must not be null
 * @param trustStore key store holding the trusted CA certificates
 * @return an initialised trust manager factory
 * @throws Exception on any failure to build the PKIX parameters or initialise the factory
 */
private static TrustManagerFactory createTrustManagerFactory(boolean trustAll, Collection<X509CRL> crls, KeyStore trustStore) throws Exception {
    if (trustAll) {
        // WARNING: no certificate validation at all.
        return InsecureTrustManagerFactory.INSTANCE;
    }
    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    if (crls.isEmpty()) {
        // Nothing to revoke against: validate against the trust store only.
        factory.init(trustStore);
        return factory;
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    pkixParams.setRevocationEnabled(true);
    CollectionCertStoreParameters crlStoreParams = new CollectionCertStoreParameters(crls);
    pkixParams.addCertStore(CertStore.getInstance("Collection", crlStoreParams));
    factory.init(new CertPathTrustManagerParameters(pkixParams));
    return factory;
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) InsecureTrustManagerFactory(io.netty.handler.ssl.util.InsecureTrustManagerFactory) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) X509CertSelector(java.security.cert.X509CertSelector)

Example 65 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project gitblit by gitblit.

Method verifyChain of class X509Utils.

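/**
 * Verifies that a certificate's chain can be built and is internally consistent, i.e. that
 * {@code testCert} chains through {@code additionalCerts} to a self-signed certificate among them
 * with valid signatures along the way.
 *
 * <p>Security caveats:
 * <ul>
 *   <li>Every self-signed certificate in {@code additionalCerts} is treated as a trust anchor.
 *       This method therefore answers "does the chain fit together", not "is the chain trusted";
 *       callers must only pass roots they already trust.</li>
 *   <li>Revocation (CRL/OCSP) is not checked.</li>
 *   <li>If none of {@code additionalCerts} is self-signed there is no anchor and path building
 *       fails with the generic "Error verifying the certificate" RuntimeException.</li>
 * </ul>
 *
 * @param testCert        the certificate to verify; must not be self-signed
 * @param additionalCerts intermediate and root certificates needed to build the path
 * @return the built and verified certification path
 * @throws RuntimeException if {@code testCert} is self-signed, if no path can be built, or on any
 *                          other error during verification (the cause is preserved)
 */
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) {
    // Checked outside the try block so the caller sees this reason directly instead of a
    // generic "Error verifying the certificate" wrapper around it.
    if (isSelfSigned(testCert)) {
        throw new RuntimeException("The certificate is self-signed.  Nothing to verify.");
    }
    try {
        // Prepare a set of all certificates
        // chain builder must have all certs, including cert to validate
        // http://stackoverflow.com/a/10788392
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        certs.add(testCert);
        certs.addAll(Arrays.asList(additionalCerts));
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(testCert);
        // Any self-signed certificate supplied by the caller becomes a trust anchor
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate cert : additionalCerts) {
            if (isSelfSigned(cert)) {
                trustAnchors.add(new TrustAnchor(cert, null));
            }
        }
        // Configure the PKIX certificate builder
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        // Revocation is intentionally not checked here
        pkixParams.setRevocationEnabled(false);
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC));
        // Build (and thereby verify) the certification chain with the Bouncy Castle provider
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC);
        PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams);
        return verifiedCertChain;
    } catch (CertPathBuilderException e) {
        throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e);
    } catch (Exception e) {
        throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e);
    }
}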
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) X509Certificate(java.security.cert.X509Certificate) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet)

Aggregations

PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)66 X509CertSelector (java.security.cert.X509CertSelector)55 CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)33 X509Certificate (java.security.cert.X509Certificate)29 CertPathBuilder (java.security.cert.CertPathBuilder)23 TrustAnchor (java.security.cert.TrustAnchor)21 HashSet (java.util.HashSet)19 KeyStore (java.security.KeyStore)17 CertStore (java.security.cert.CertStore)17 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)16 CertPathTrustManagerParameters (javax.net.ssl.CertPathTrustManagerParameters)15 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)14 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)13 ArrayList (java.util.ArrayList)13 CertPathBuilderException (java.security.cert.CertPathBuilderException)12 CertPathBuilderResult (java.security.cert.CertPathBuilderResult)11 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)11 IOException (java.io.IOException)10 CertPath (java.security.cert.CertPath)10 CertificateException (java.security.cert.CertificateException)10