Examples with PKIXBuilderParameters java.security.cert.PKIXBuilderParameters used on opensource projects

Search in sources :

Example 16 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project MonjaDB by Kanatoko.

the class MSecurityUtil method isValidChain.

//--------------------------------------------------------------------------------
public static boolean isValidChain(List chain) {
    //root, im, leaf�̏��Ԃ�chain�ł��邱�Ƃ�����
    if (chain.size() < 2) {
        return false;
    }
    try {
        X509Certificate root = null;
        X509Certificate leaf = null;
        List imList = new ArrayList();
        for (int i = 0; i < chain.size(); ++i) {
            if (i == 0) {
                //root
                root = (X509Certificate) chain.get(i);
            } else if (i == chain.size() - 1) {
                leaf = (X509Certificate) chain.get(i);
            } else {
                imList.add(chain.get(i));
            }
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("root", root);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        CertStoreParameters intermediates = new CollectionCertStoreParameters(imList);
        params.addCertStore(CertStore.getInstance("Collection", intermediates));
        params.setRevocationEnabled(false);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPathBuilderResult result = builder.build(params);
        return true;
    } catch (Exception e) {
        return false;
    }
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertStoreParameters(java.security.cert.CertStoreParameters) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) X509Certificate(java.security.cert.X509Certificate) CertificateException(java.security.cert.CertificateException)

Example 17 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project oxAuth by GluuFederation.

the class PathCertificateVerifier method verifyCertificate.

/**
	 * Attempts to build a certification chain for given certificate to verify
	 * it. Relies on a set of root CA certificates (trust anchors) and a set of
	 * intermediate certificates (to be used as part of the chain).
	 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setBasicConstraints(-2);
    selector.setCertificate(certificate);
    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }
    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Turn off default revocation-checking mechanism
    pkixParams.setRevocationEnabled(false);
    // Specify a list of intermediate certificates
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);
    // Additional check to Verify cert path
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
    return certPathBuilderResult;
}
Also used : CertPathValidator(java.security.cert.CertPathValidator) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) CertPathBuilder(java.security.cert.CertPathBuilder) CertStore(java.security.cert.CertStore) X509Certificate(java.security.cert.X509Certificate) HashSet(java.util.HashSet)

Example 18 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project jetty.project by eclipse.

the class CertificateValidator method validate.

public void validate(Certificate[] certChain) throws CertificateException {
    try {
        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Certificate item : certChain) {
            if (item == null)
                continue;
            if (!(item instanceof X509Certificate)) {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            certList.add((X509Certificate) item);
        }
        if (certList.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));
        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);
        // Enable revocation checking
        pbParams.setRevocationEnabled(true);
        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty()) {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }
        // Enable On-Line Certificate Status Protocol (OCSP) support
        if (_enableOCSP) {
            Security.setProperty("ocsp.enable", "true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support
        if (_enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        // Build certification path
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(), pbParams);
    } catch (GeneralSecurityException gse) {
        LOG.debug(gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}
Also used : CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) GeneralSecurityException(java.security.GeneralSecurityException) ArrayList(java.util.ArrayList) X509CertSelector(java.security.cert.X509CertSelector) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 19 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project gitblit by gitblit.

the class X509Utils method verifyChain.

/**
	 * Verifies a certificate's chain to ensure that it will function properly.
	 *
	 * @param testCert
	 * @param additionalCerts
	 * @return
	 */
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) {
    try {
        // Check for self-signed certificate
        if (isSelfSigned(testCert)) {
            throw new RuntimeException("The certificate is self-signed.  Nothing to verify.");
        }
        // Prepare a set of all certificates
        // chain builder must have all certs, including cert to validate
        // http://stackoverflow.com/a/10788392
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        certs.add(testCert);
        certs.addAll(Arrays.asList(additionalCerts));
        // Attempt to build the certification chain and verify it
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(testCert);
        // Create the trust anchors (set of root CA certificates)
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate cert : additionalCerts) {
            if (isSelfSigned(cert)) {
                trustAnchors.add(new TrustAnchor(cert, null));
            }
        }
        // Configure the PKIX certificate builder
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        pkixParams.setRevocationEnabled(false);
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC));
        // Build and verify the certification chain
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC);
        PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams);
        // The chain is built and verified
        return verifiedCertChain;
    } catch (CertPathBuilderException e) {
        throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e);
    } catch (Exception e) {
        throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e);
    }
}
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) X509Certificate(java.security.cert.X509Certificate) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateEncodingException(java.security.cert.CertificateEncodingException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) CertPathBuilderException(java.security.cert.CertPathBuilderException) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet)

Example 20 with PKIXBuilderParameters

use of java.security.cert.PKIXBuilderParameters in project Openfire by igniterealtime.

the class KeystoreTestUtils method testChain.

/**
     * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain
     * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against
     * other validation methods.
     *
     * The first certificate in the chain is expected to be the end-entity certificate.
     *
     * The last certificate in the chain is expected to be the root CA certificate.
     *
     * @param chain A certificate chain (cannot be null or empty).
     * @return CertPathBuilderResult result of validation.
     * @throws Exception When the chain is not valid.
     */
public CertPathBuilderResult testChain(X509Certificate[] chain) throws Exception {
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(chain[0]);
    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    trustAnchors.add(new TrustAnchor(chain[chain.length - 1], null));
    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);
    // Specify a list of intermediate certificates
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i = 1; i < chain.length - 1; i++) {
        intermediateCerts.add(chain[i]);
    }
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(pkixParams);
    return result;
}
Also used : PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) X509CertSelector(java.security.cert.X509CertSelector) TrustAnchor(java.security.cert.TrustAnchor) CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) CertPathBuilder(java.security.cert.CertPathBuilder) CertStore(java.security.cert.CertStore) HashSet(java.util.HashSet) X509Certificate(java.security.cert.X509Certificate)

Aggregations

PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)34 X509CertSelector (java.security.cert.X509CertSelector)24 X509Certificate (java.security.cert.X509Certificate)18 CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)13 TrustAnchor (java.security.cert.TrustAnchor)13 ArrayList (java.util.ArrayList)10 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)9 KeyStore (java.security.KeyStore)9 CertPathBuilder (java.security.cert.CertPathBuilder)9 HashSet (java.util.HashSet)9 CertStore (java.security.cert.CertStore)8 CertPathBuilderException (java.security.cert.CertPathBuilderException)7 CertPathBuilderResult (java.security.cert.CertPathBuilderResult)7 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 CertificateFactory (java.security.cert.CertificateFactory)6 IOException (java.io.IOException)5 KeyStoreException (java.security.KeyStoreException)5 Certificate (java.security.cert.Certificate)5 CertificateException (java.security.cert.CertificateException)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial