
Example 6 with PKIXCertPathBuilderResult

use of java.security.cert.PKIXCertPathBuilderResult in project jdk8u_jdk by JetBrains.

the class BuildEEBasicConstraints method main.

/**
 * Regression test: builds a PKIX path whose target selector admits only
 * end-entity certificates (basicConstraints = -2) and checks that the first
 * certificate of the built path really is an EE certificate.
 *
 * @param args unused
 * @throws Exception if a fixture cannot be read, no path can be built, or the
 *         target of the built path is a CA certificate
 */
public static void main(String[] args) throws Exception {
    // Override the security property so that the algorithms and keys used by
    // this test's fixture certificates are not rejected as disabled; only MD2
    // remains disabled for this run.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate anchorCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor trustAnchor = new TrustAnchor(anchorCert.getSubjectX500Principal(), anchorCert.getPublicKey(), null);

    // -2 restricts the target selector to end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams = new PKIXBuilderParameters(Collections.singleton(trustAnchor), targetSelector);
    // Revocation checking is not part of what this test exercises.
    builderParams.setRevocationEnabled(false);

    // Fixture reads keep their original order (ee first, then ca); the store
    // receives the CA certificate first.
    X509Certificate endEntityCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate intermediateCert = CertUtils.getCertFromFile("ca.cer");
    List<X509Certificate> available = new ArrayList<X509Certificate>();
    available.add(intermediateCert);
    available.add(endEntityCert);
    CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(available);
    builderParams.addCertStore(CertStore.getInstance("Collection", storeParams));

    PKIXCertPathBuilderResult built = CertUtils.build(builderParams);
    CertPath path = built.getCertPath();

    // The target (first) certificate must not carry a CA basic constraint;
    // getBasicConstraints() returns -1 for a non-CA certificate.
    List<? extends Certificate> pathCerts = path.getCertificates();
    X509Certificate target = (X509Certificate) pathCerts.get(0);
    if (target.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}

Example 7 with PKIXCertPathBuilderResult

use of java.security.cert.PKIXCertPathBuilderResult in project oxAuth by GluuFederation.

the class PathCertificateVerifier method verifyCertificate.

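/**
 * Attempts to build a certification chain for the given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 * <p>
 * Revocation checking is disabled in this method; callers that need CRL/OCSP
 * status must check it separately.
 *
 * @param certificate the end-entity certificate to verify
 * @param trustedRootCerts root CA certificates; each one becomes a trust anchor
 * @param intermediateCerts certificates the builder may use to link
 *        {@code certificate} to one of the trust anchors
 * @return the builder result holding the built path and the anchor it ends at
 * @throws GeneralSecurityException if {@code trustedRootCerts} is empty, if no
 *         path can be built, or if the built path fails validation
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
    // Target selector: match the given certificate, and only if it is an
    // end-entity certificate (-2 excludes CA certificates).
    X509CertSelector selector = new X509CertSelector();
    selector.setBasicConstraints(-2);
    selector.setCertificate(certificate);

    // Create the trust anchors (set of root CA certificates). Trust comes
    // solely from this caller-supplied set; no default trust store is used.
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Revocation checking is deliberately off: a revoked but otherwise valid
    // certificate still passes this method.
    pkixParams.setRevocationEnabled(false);

    // Specify the intermediate certificates available for chain building
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

    // Additional check: re-validate the built path against the same parameters.
    // The validator result itself is not needed; validate() throws on failure.
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);

    return certPathBuilderResult;
}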

Example 8 with PKIXCertPathBuilderResult

use of java.security.cert.PKIXCertPathBuilderResult in project gitblit by gitblit.

the class X509Utils method verifyChain.

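/**
 * Verifies a certificate's chain to ensure that it will function properly.
 * <p>
 * Trust is derived only from the self-signed certificates among
 * {@code additionalCerts}: each of them becomes a trust anchor. The JVM's
 * default trust store is not consulted, and revocation checking is disabled.
 *
 * @param testCert the certificate whose chain is verified; must not be self-signed
 * @param additionalCerts intermediate and root certificates available for chain building
 * @return the built and verified path, ending at one of the self-signed anchors
 * @throws IllegalArgumentException if {@code testCert} is self-signed or
 *         {@code additionalCerts} contains no self-signed certificate to anchor the chain
 * @throws RuntimeException if no path can be built or any other error occurs
 *         while verifying; the underlying exception is attached as the cause
 */
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) {
    try {
        // Check for self-signed certificate
        if (isSelfSigned(testCert)) {
            throw new IllegalArgumentException("The certificate is self-signed.  Nothing to verify.");
        }
        // Prepare a set of all certificates
        // chain builder must have all certs, including cert to validate
        // http://stackoverflow.com/a/10788392
        Set<X509Certificate> certs = new HashSet<X509Certificate>();
        certs.add(testCert);
        certs.addAll(Arrays.asList(additionalCerts));
        // Create the selector that specifies the starting certificate
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(testCert);
        // Create the trust anchors: every self-signed certificate the caller
        // supplied is trusted as a root.
        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        for (X509Certificate cert : additionalCerts) {
            if (isSelfSigned(cert)) {
                trustAnchors.add(new TrustAnchor(cert, null));
            }
        }
        // Without an anchor the builder parameters are rejected anyway; say why.
        if (trustAnchors.isEmpty()) {
            throw new IllegalArgumentException("No self-signed (root) certificate was supplied to anchor the chain.");
        }
        // Configure the PKIX certificate builder
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        // Revocation (CRL/OCSP) status is not checked by this method.
        pkixParams.setRevocationEnabled(false);
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC));
        // Build and verify the certification chain
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC);
        PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams);
        // The chain is built and verified
        return verifiedCertChain;
    } catch (IllegalArgumentException e) {
        // Raised above for a self-signed input or a missing anchor; rethrow
        // unwrapped so the caller sees that message rather than the generic
        // "Error verifying the certificate" wrapper below.
        throw e;
    } catch (CertPathBuilderException e) {
        throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e);
    } catch (Exception e) {
        throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e);
    }
}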

Example 9 with PKIXCertPathBuilderResult

use of java.security.cert.PKIXCertPathBuilderResult in project Openfire by igniterealtime.

the class KeystoreTestUtils method testChain.

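/**
 * Validates a chain of certificates. It is provided as an alternative to the certificate chain
 * validation mechanisms that are under test and is intended to be used as a comparative benchmark
 * against other validation methods.
 * <p>
 * The first certificate in the chain is expected to be the end-entity certificate. The last
 * certificate in the chain is expected to be the root CA certificate and is used as the sole trust
 * anchor; everything strictly between them is offered to the builder as intermediate certificates.
 * For a one-element chain the same certificate is both target and anchor.
 *
 * @param chain A certificate chain (cannot be null or empty).
 * @return CertPathBuilderResult result of validation.
 * @throws IllegalArgumentException When the chain is null or empty.
 * @throws Exception When the chain is not valid.
 */
public CertPathBuilderResult testChain(X509Certificate[] chain) throws Exception {
    // Fail fast with a clear message instead of an ArrayIndexOutOfBoundsException below.
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("chain must not be null or empty");
    }
    X509Certificate endEntityCert = chain[0];
    X509Certificate rootCert = chain[chain.length - 1];

    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(endEntityCert);

    // The last certificate of the chain is the only trust anchor.
    Set<TrustAnchor> trustAnchors = new HashSet<>();
    trustAnchors.add(new TrustAnchor(rootCert, null));

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify the intermediate certificates: indices 1 .. length-2 (empty for chains of 1 or 2).
    // Fully-qualified to avoid clashing with any other Certificate type imported by this file.
    Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>();
    for (int i = 1; i < chain.length - 1; i++) {
        intermediateCerts.add(chain[i]);
    }
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain; build() throws when no valid path exists.
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(pkixParams);
}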

Example 10 with PKIXCertPathBuilderResult

use of java.security.cert.PKIXCertPathBuilderResult in project robovm by robovm.

the class X509CertSelectorTest method buildCertPath.

/**
 * Builds a certification path from the test fixture's root certificate and
 * the selector under test, using the shared builder.
 *
 * @return the built path, or {@code null} when the builder cannot construct one
 *         (the {@link CertPathBuilderException} is intentionally mapped to
 *         {@code null} so callers can treat "no path" as a plain result)
 * @throws InvalidAlgorithmParameterException if the builder parameters are rejected
 */
private CertPath buildCertPath() throws InvalidAlgorithmParameterException {
    Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(rootCertificate, null));
    PKIXBuilderParameters buildParams = new PKIXBuilderParameters(anchors, theCertSelector);
    PKIXCertPathBuilderResult built;
    try {
        built = (PKIXCertPathBuilderResult) builder.build(buildParams);
    } catch (CertPathBuilderException e) {
        // No path could be built; the test helper reports this as null.
        return null;
    }
    return built.getCertPath();
}
