
Example 6 with PKIXParameters

use of java.security.cert.PKIXParameters in project robovm by robovm.

the class PKIXParametersTest method testKeyStoreConstructor.

public void testKeyStoreConstructor() throws Exception {
    // The shared server store holds two certificates: the CA and the server
    // certificate it issued. The key entry gives us the key and chain to copy.
    TestKeyStore server = TestKeyStore.getServer();
    KeyStore.PrivateKeyEntry serverEntry = server.getPrivateKey("RSA", "RSA");
    char[] password = "password".toCharArray();

    // Every trusted-certificate entry in the store becomes a trust anchor: two here.
    PKIXParameters fromServerStore = new PKIXParameters(server.keyStore);
    assertEquals(2, fromServerStore.getTrustAnchors().size());

    // Copy the key entry plus only the leaf as a certificate entry: exactly one
    // anchor, because PKIXParameters(KeyStore) only reads certificate entries.
    KeyStore leafOnly = TestKeyStore.createKeyStore();
    leafOnly.setKeyEntry("key", serverEntry.getPrivateKey(), password,
            serverEntry.getCertificateChain());
    leafOnly.setCertificateEntry("cert", serverEntry.getCertificateChain()[0]);
    PKIXParameters fromLeafOnly = new PKIXParameters(leafOnly);
    assertEquals(1, fromLeafOnly.getTrustAnchors().size());

    // A key entry on its own yields no anchors, even though its chain is
    // stored with it, so the constructor must reject the store.
    try {
        KeyStore keyOnly = TestKeyStore.createKeyStore();
        keyOnly.setKeyEntry("key", serverEntry.getPrivateKey(), password,
                serverEntry.getCertificateChain());
        new PKIXParameters(keyOnly);
        fail();
    } catch (InvalidAlgorithmParameterException ignored) {
        // expected: the store contributes no trust anchors
    }

    // Likewise an empty store has no anchors and must be rejected.
    try {
        new PKIXParameters(TestKeyStore.createKeyStore());
        fail();
    } catch (InvalidAlgorithmParameterException ignored) {
        // expected: the store contributes no trust anchors
    }
}

Example 7 with PKIXParameters

use of java.security.cert.PKIXParameters in project robovm by robovm.

the class TrustManagerImpl method checkTrusted.

/**
 * Cleans up, pins and validates a certificate chain received from a peer.
 *
 * <p>The steps run in this order, and the order is part of the security behaviour:
 * argument and initialisation checks, chain clean-up and trust-anchor lookup, extension
 * of the chain from the trusted-certificate index, the pinning check (only when
 * {@code host} is known), PKIX path validation, and finally indexing of the validated
 * intermediates. Nothing is added to the index before validation has succeeded.
 *
 * @param chain      the certificates presented by the peer, presumably end-entity first
 *                   (the {@code X509TrustManager} convention); must be non-null and non-empty
 * @param authType   the authentication type; must be non-null and non-empty
 * @param host       the peer host name used for pinning, or {@code null} to skip the pin check
 * @param clientAuth handed to the extended-key-usage checker; presumably selects whether
 *                   client- or server-authentication usage is required of the end entity
 * @return the full chain: the cleaned-up chain, the trust anchor, and any further issuers
 *         recovered from the trusted-certificate index
 * @throws IllegalArgumentException if {@code chain} or {@code authType} is null or empty
 * @throws CertificateException if this trust manager did not initialise ({@code err} is set),
 *         the pin manager rejects the chain or throws, no trust anchor is found, or PKIX
 *         validation fails
 */
private List<X509Certificate> checkTrusted(X509Certificate[] chain, String authType, String host, boolean clientAuth) throws CertificateException {
    if (chain == null || chain.length == 0 || authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    // Fail closed: err is a field, presumably recorded when the trust manager could not be
    // set up (e.g. the trust store failed to load) — confirm against the constructor.
    if (err != null) {
        throw new CertificateException(err);
    }
    // get the cleaned up chain and trust anchor
    // there can only be one!
    // trustAnchor is an out-parameter filled in by the helper; newChain is the presented
    // chain with the anchor(s) removed.
    Set<TrustAnchor> trustAnchor = new HashSet<TrustAnchor>();
    X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(chain, trustAnchor);
    // add the first trust anchor to the chain, which may be an intermediate
    List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
    wholeChain.addAll(Arrays.asList(newChain));
    // trustAnchor is actually just a single element
    for (TrustAnchor trust : trustAnchor) {
        wholeChain.add(trust.getTrustedCert());
    }
    // add all the cached certificates from the cert index, avoiding loops
    // this gives us a full chain from leaf to root, which we use for cert pinning and pass
    // back out to callers when we return.
    X509Certificate last = wholeChain.get(wholeChain.size() - 1);
    while (true) {
        // Look up the issuer of `last` in the index (by issuer name and signature).
        TrustAnchor cachedTrust = trustedCertificateIndex.findByIssuerAndSignature(last);
        // A null result means the index holds no issuer for `last`; the original comment
        // notes this also happens when a user has trusted a non-self-signed cert.
        if (cachedTrust == null) {
            break;
        }
        // at this point we have a cached trust anchor, but don't know if its one we got from
        // the server. Extract the cert, compare it to the last element in the chain, and add it
        // if we haven't seen it before.
        X509Certificate next = cachedTrust.getTrustedCert();
        // NOTE(review): `next != last` is a reference comparison and is the only cycle guard
        // in this loop. It stops once the index returns the very object already held (a
        // self-signed root). If the index could return a distinct-but-equal object, or hold a
        // cross-signed pair, this would add duplicates or fail to terminate — verify against
        // the index implementation.
        if (next != last) {
            wholeChain.add(next);
            last = next;
        } else {
            // if next == last then we found a self-signed cert and the chain is done
            break;
        }
    }
    // build the cert path from the array of certs sans trust anchors
    CertPath certPath = factory.generateCertPath(Arrays.asList(newChain));
    // Pinning is evaluated on the whole chain (including indexed issuers) and before PKIX
    // validation, so a pin violation is reported even for a chain that would validate.
    if (host != null) {
        // Defaults to "not pinned" so that only an explicit answer from the pin manager
        // can let the chain through.
        boolean chainIsNotPinned = true;
        try {
            chainIsNotPinned = pinManager.chainIsNotPinned(host, wholeChain);
        } catch (PinManagerException e) {
            throw new CertificateException(e);
        }
        if (chainIsNotPinned) {
            throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, certPath, -1));
        }
    }
    if (newChain.length == 0) {
        // chain was entirely trusted, skip the validator
        // (every presented certificate was itself a trust anchor; the pin check above has
        // already run)
        return wholeChain;
    }
    if (trustAnchor.isEmpty()) {
        throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1));
    }
    // There's no point in checking trust anchors here, and it will throw off the MD5 check,
    // so we just hand it the chain without anchors
    // (the MD5 remark suggests this rejects weak signature algorithms — confirm in
    // ChainStrengthAnalyzer)
    ChainStrengthAnalyzer.check(newChain);
    try {
        PKIXParameters params = new PKIXParameters(trustAnchor);
        // Revocation checking (CRL/OCSP) is deliberately off here; any revocation
        // handling has to come from elsewhere.
        params.setRevocationEnabled(false);
        // newChain[0] is the first cleaned-up certificate, presumably the end entity.
        params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0]));
        validator.validate(certPath, params);
        // Only after successful validation: remember the intermediates (everything after
        // newChain[0]) in the index. The original comment tied this to
        // cleanupCertChainAndFindTrustAnchors, presumably so later chains that omit these
        // intermediates can still be completed. http://b/3404902
        for (int i = 1; i < newChain.length; i++) {
            trustedCertificateIndex.index(newChain[i]);
        }
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateException(e);
    } catch (CertPathValidatorException e) {
        throw new CertificateException(e);
    }
    return wholeChain;
}

Example 8 with PKIXParameters

use of java.security.cert.PKIXParameters in project robovm by robovm.

the class TrustManagerFactoryTest method test_TrustManagerFactory.

private void test_TrustManagerFactory(TrustManagerFactory tmf) throws Exception {
    // A factory always reports an algorithm and a provider.
    assertNotNull(tmf);
    assertNotNull(tmf.getAlgorithm());
    assertNotNull(tmf.getProvider());

    // Asking for trust managers before init() must be an IllegalStateException.
    try {
        tmf.getTrustManagers();
        fail();
    } catch (IllegalStateException ignored) {
    }

    // A null ManagerFactoryParameters is rejected ...
    try {
        tmf.init((ManagerFactoryParameters) null);
        fail();
    } catch (InvalidAlgorithmParameterException ignored) {
    }

    // ... and so is a parameter type the factory does not understand.
    try {
        tmf.init(new UselessManagerFactoryParameters());
        fail();
    } catch (InvalidAlgorithmParameterException ignored) {
    }

    // Plain PKIXParameters wrapped in CertPathTrustManagerParameters are expected to be
    // rejected by every algorithm.
    try {
        PKIXParameters plainParams = new PKIXParameters(getTestKeyStore().keyStore);
        tmf.init(new CertPathTrustManagerParameters(plainParams));
        fail();
    } catch (InvalidAlgorithmParameterException ignored) {
    }

    // PKIXBuilderParameters are accepted only by algorithms that support
    // ManagerFactoryParameters; all others must reject them.
    X509CertSelector anySelector = new X509CertSelector();
    PKIXBuilderParameters builderParams =
            new PKIXBuilderParameters(getTestKeyStore().keyStore, anySelector);
    CertPathTrustManagerParameters builderTmfParams =
            new CertPathTrustManagerParameters(builderParams);
    boolean supported = supportsManagerFactoryParameters(tmf.getAlgorithm());
    if (!supported) {
        try {
            tmf.init(builderTmfParams);
            fail();
        } catch (InvalidAlgorithmParameterException ignored) {
        }
    } else {
        tmf.init(builderTmfParams);
        test_TrustManagerFactory_getTrustManagers(tmf);
    }

    // init(null) selects the default KeyStore; an explicit KeyStore works as well.
    tmf.init((KeyStore) null);
    test_TrustManagerFactory_getTrustManagers(tmf);
    tmf.init(getTestKeyStore().keyStore);
    test_TrustManagerFactory_getTrustManagers(tmf);
}

Example 9 with PKIXParameters

use of java.security.cert.PKIXParameters in project jdk8u_jdk by JetBrains.

the class ValidateTargetConstraints method createPath.

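/**
 * Builds the certification path and PKIX parameters used by this test.
 *
 * <p>{@code certs[0]} names the trust anchor; the remaining entries are the path
 * certificates. The loop reverses their order, because
 * {@link CertificateFactory#generateCertPath(List)} expects the target certificate first.
 * Revocation checking is switched off, and the target is constrained to the certificate
 * with serial number 1427 via {@link X509CertSelector#setSerialNumber}.
 *
 * @param certs certificate file names, anchor first; must contain at least the anchor
 * @throws IllegalArgumentException if {@code certs} is null or empty
 * @throws Exception if a certificate cannot be read or the factory is unavailable
 */
public static void createPath(String[] certs) throws Exception {
    if (certs == null || certs.length == 0) {
        throw new IllegalArgumentException("certs must name at least the trust anchor");
    }
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    // Typed instead of the raw List; fully qualified so no extra import is needed.
    List<java.security.cert.X509Certificate> list = new ArrayList<>();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    Set<TrustAnchor> anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}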

Example 10 with PKIXParameters

use of java.security.cert.PKIXParameters in project jdk8u_jdk by JetBrains.

the class ValidateNC method createPath.

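/**
 * Builds the certification path and PKIX parameters used by this test, carrying the
 * anchor's name constraints into the {@link TrustAnchor}.
 *
 * <p>{@code certs[0]} names the trust anchor; the remaining entries are the path
 * certificates. The loop reverses their order, because
 * {@link CertificateFactory#generateCertPath(List)} expects the target certificate first.
 * Revocation checking is switched off.
 *
 * @param certs certificate file names, anchor first; must contain at least the anchor
 * @throws IllegalArgumentException if {@code certs} is null or empty
 * @throws Exception if a certificate cannot be read, the extension cannot be decoded,
 *                   or the factory is unavailable
 */
public static void createPath(String[] certs) throws Exception {
    if (certs == null || certs.length == 0) {
        throw new IllegalArgumentException("certs must name at least the trust anchor");
    }
    X509Certificate anchorCert = getCertFromFile(certs[0]);
    // TrustAnchor wants the bare DER value of the NameConstraints extension (OID
    // 2.5.29.30), but getExtensionValue() returns that value wrapped in an OCTET STRING,
    // so unwrap it first. null means the anchor carries no name constraints.
    byte[] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
    if (nameConstraints != null) {
        DerInputStream in = new DerInputStream(nameConstraints);
        nameConstraints = in.getOctetString();
    }
    TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
    // Typed instead of the raw List.
    List<X509Certificate> list = new ArrayList<>();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
}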
