
Example 11 with PKIXParameters

use of java.security.cert.PKIXParameters in project jdk8u_jdk by JetBrains.

Method createPath of class VerifyNameConstraints.

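/**
 * Builds the static {@code path} and {@code params} used by the test from a list of
 * certificate files.
 *
 * <p>{@code certs[0]} names the trust anchor certificate. The remaining entries form the
 * chain and are listed from the anchor's side towards the end entity; each one is
 * prepended to the list, so the resulting {@link CertPath} ends up in the reverse order of
 * the file list (end-entity certificate first, which is the order X.509 cert-path
 * providers expect).
 *
 * @param certs certificate file names; the first is the trust anchor, so at least one
 *              entry is required
 * @throws IllegalArgumentException if {@code certs} is {@code null} or empty
 * @throws Exception if a certificate file cannot be read or parsed
 */
public static void createPath(String[] certs) throws Exception {
    if (certs == null || certs.length == 0) {
        throw new IllegalArgumentException("certs must name at least the trust anchor certificate");
    }
    // No explicit name-constraints extension is supplied with the anchor.
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List<java.security.cert.Certificate> chain = new ArrayList<java.security.cert.Certificate>();
    for (int i = 1; i < certs.length; i++) {
        // prepend: the path is built in the reverse of the file order
        chain.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(chain);
    Set<TrustAnchor> anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    // Revocation checking is deliberately off: this test exercises name
    // constraints only and has no CRL/OCSP data to consult.
    params.setRevocationEnabled(false);
}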

Example 12 with PKIXParameters

use of java.security.cert.PKIXParameters in project OpenAM by OpenRock.

Method verify of class AMCertPath.

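/**
 * Validates the given certificate chain against the trust anchors of the AM keystore,
 * optionally with CRL- and/or OCSP-based revocation checking.
 *
 * <p>Revocation checking is switched on in the {@link PKIXParameters} when either flag
 * is set. OCSP is controlled through the JVM-wide {@code ocsp.enable} and responder-URL
 * {@link Security} properties, which is why the whole method runs under the class lock
 * (see the comment in the body). If OCSP is requested but no responder URL is configured,
 * OCSP is turned off again and only CRL checking (if enabled) remains.
 *
 * <p>Any failure, including an unexpected error while setting up the validation,
 * yields {@code false}: the method fails closed and propagates nothing to the caller.
 *
 * @param certs       the chain to validate, in the order accepted by
 *                    {@code CertificateFactory.generateCertPath} (for X.509 that is the
 *                    end-entity certificate first)
 * @param crlEnabled  whether CRL-based revocation checking is enabled
 * @param ocspEnabled whether OCSP-based revocation checking is enabled
 * @return {@code true} if the chain validates, {@code false} otherwise
 */
public boolean verify(X509Certificate[] certs, boolean crlEnabled, boolean ocspEnabled) {
    /*
        The entire contents of this method must be synchronized for the following reasons:
        1. The CertPathValidator#validate method is not thread-safe
        2. even if a non-static CertPathValidator instance were obtained in this method, each instance references
        the ocsp-related properties in the Security class. Thus the state set in Security.setProperty("ocsp.enable", true/false)
        will affect all CertPathValidator instances.
        Note that despite the synchronized block, the fact that static Security properties are being set and referenced
        exposes the code below to data races in the context of these Security properties. Currently, Security.setProperties
        is not being called from anywhere in the OpenAM code base. If this were to change, and the "ocsp.enable" property
        were manipulated, the OCSP-based checking below would be susceptible to data races. There does not seem to
        be an alternative however: the section on PKIXParameters here:
        http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#Introduction
        mentions setting PKIXCertPathChecker implementations to do CRL or OCSP based checking, but there is no remove
        method, and the state returned from getCertPathCheckers is immutable.
         */
    synchronized (AMCertPath.class) {
        if (debug.messageEnabled()) {
            debug.message("AMCertPath.verify: invoked !");
        }
        try {
            final List<X509Certificate> certList = Arrays.asList(certs);
            final CertPath cp = (CertPath) cf.generateCertPath(certList);
            // init PKIXParameters: the trust anchors are the trusted certificate entries
            // of the AM trust manager's keystore. The class is loaded by name, presumably
            // to avoid a compile-time dependency on the keystore package.
            Class<?> trustMgrClass = Class.forName("com.sun.identity.security.keystore.AMX509TrustManager");
            // Class.newInstance() is deprecated (it rethrows checked constructor exceptions
            // without wrapping); instantiate through the no-arg constructor instead. Any
            // failure is still caught by the Throwable handler below.
            Object trustMgr = trustMgrClass.getDeclaredConstructor().newInstance();
            Method method = trustMgrClass.getMethod("getKeyStore");
            KeyStore keystore = (KeyStore) method.invoke(trustMgr);
            PKIXParameters pkixparams = new PKIXParameters(keystore);
            if (debug.messageEnabled()) {
                debug.message("AMCertPath.verify: crlEnabled ---> " + crlEnabled);
                debug.message("AMCertPath.verify: ocspEnabled ---> " + ocspEnabled);
            }
            // Revocation checking is on if either mechanism is requested; the OCSP
            // branch below may narrow this to CRL-only if OCSP is misconfigured.
            pkixparams.setRevocationEnabled(crlEnabled || ocspEnabled);
            if (ocspEnabled) {
                final String responderURLString = getResponderURLString();
                if (!StringUtils.isBlank(responderURLString)) {
                    Security.setProperty(OCSP_ENABLE, TRUE);
                    Security.setProperty(OCSP_RESPONDER_URL, responderURLString);
                    if (debug.messageEnabled()) {
                        debug.message("AMCertPath.verify: pkixparams.setRevocationEnabled " + "set to true, and ocsp.enabled set to true with a OCSP responder url of " + responderURLString);
                    }
                } else {
                    //OCSP revocation checking not configured properly. Disable the check if crl-based checking not enabled
                    pkixparams.setRevocationEnabled(crlEnabled);
                    Security.setProperty(OCSP_ENABLE, FALSE);
                    debug.error("AMCertPath.verify: OCSP is enabled, but the " + "com.sun.identity.authentication.ocsp.responder.url property does not specify a OCSP " + "responder. OCSP checking will NOT be performed.");
                }
            } else {
                //the Security properties are static - if we are doing crl validation, insure that the property
                //is not present which will toggle OCSP checking.
                Security.setProperty(OCSP_ENABLE, FALSE);
                if (debug.messageEnabled()) {
                    debug.message("AMCertPath.verify: pkixparams Security property ocsp.enabled set to false.");
                }
            }
            // The CertStore (if configured) is where the validator looks for CRLs and
            // intermediate certificates.
            if (store != null) {
                pkixparams.addCertStore(store);
            }
            if (debug.messageEnabled()) {
                StringBuilder sb = new StringBuilder("The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator: \n");
                sb.append("\tgetInitialPolicies: ").append(pkixparams.getInitialPolicies()).append('\n');
                sb.append("\tisExplicitPolicyRequired: ").append(pkixparams.isExplicitPolicyRequired()).append('\n');
                sb.append("\tisPolicyMappingInhibited: ").append(pkixparams.isPolicyMappingInhibited()).append('\n');
                debug.message(sb.toString());
            }
            // validate
            CertPathValidatorResult cpvResult = cpv.validate(cp, pkixparams);
            if (debug.messageEnabled()) {
                debug.message("AMCertPath.verify: PASS " + cpvResult.toString());
            }
        } catch (java.security.cert.CertPathValidatorException e) {
            // The validator rejected the chain (bad signature, expired, revoked, ...).
            debug.error("AMCertPath.verify: FAILED - " + e.getMessage());
            if (debug.messageEnabled()) {
                debug.message("AMCertPath.verify: FAILED", e);
            }
            return false;
        } catch (Throwable t) {
            // Deliberately broad: a failure while building the parameters (reflection,
            // keystore access, ...) must not let the chain through, so fail closed.
            debug.error("AMCertPath.verify: FAILED", t);
            return false;
        }
        return true;
    }
}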

Example 13 with PKIXParameters

use of java.security.cert.PKIXParameters in project scdl by passy.

Method getPkixParameters of class SystemKeyStore.

/**
 * Builds the PKIX parameters used for path validation: every certificate found in the
 * trust store becomes a {@link TrustAnchor}, and revocation checking is turned off.
 *
 * @return parameters whose trust anchors are the trust store's certificates
 * @throws AssertionError if the trust store cannot be read, or if it yields no anchor at
 *         all (the {@link PKIXParameters} constructor rejects an empty set); both are
 *         treated as programming or configuration errors rather than recoverable ones
 */
private PKIXParameters getPkixParameters() {
    try {
        final KeyStore store = this.getTrustStore();
        final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        final Enumeration<String> aliasNames = store.aliases();
        while (aliasNames.hasMoreElements()) {
            final String aliasName = aliasNames.nextElement();
            final X509Certificate candidate = (X509Certificate) store.getCertificate(aliasName);
            if (candidate == null) {
                // alias without a certificate; nothing to trust here
                continue;
            }
            // no additional name constraints are attached to the anchor
            anchors.add(new TrustAnchor(candidate, null));
        }
        final PKIXParameters result = new PKIXParameters(anchors);
        result.setRevocationEnabled(false);
        return result;
    } catch (final KeyStoreException e) {
        throw new AssertionError(e);
    } catch (final InvalidAlgorithmParameterException e) {
        throw new AssertionError(e);
    }
}

Example 14 with PKIXParameters

use of java.security.cert.PKIXParameters in project robovm by robovm.

Method testValidate of class CertPathValidator2Test.

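/**
 * Exercises {@code validate(CertPath, CertPathParameters)} on the default validator:
 * a dummy path with PKIX parameters must not raise an unexpected exception, a
 * {@code null} path must be rejected, and {@code null} parameters must be rejected with
 * {@code InvalidAlgorithmParameterException}.
 *
 * <p>For the {@code null} path the provider may signal the error either as
 * {@code NullPointerException} (which is what the failure message announces and what
 * {@code CertPathValidator3Test.testValidate01} expects) or as
 * {@code CertPathValidatorException}; both are accepted. Returning normally is a failure.
 *
 * @throws InvalidAlgorithmParameterException if the PKIX parameters cannot be built
 * @throws NoSuchAlgorithmException if {@code defaultAlg} has no provider
 */
public void testValidate() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    MyCertPath mCP = new MyCertPath(new byte[0]);
    CertPathParameters params = new PKIXParameters(TestUtils.getTrustAnchorSet());
    CertPathValidator certPV = CertPathValidator.getInstance(defaultAlg);
    try {
        certPV.validate(mCP, params);
    } catch (InvalidAlgorithmParameterException e) {
        fail("unexpected exception: " + e);
    } catch (CertPathValidatorException e) {
        fail("unexpected exception: " + e);
    }
    try {
        certPV.validate(null, params);
        fail("NullPointerException must be thrown");
    } catch (NullPointerException e) {
        // ok: the expected rejection of a null path. Without this catch the NPE would
        // escape the test and turn an expected outcome into a test error.
    } catch (InvalidAlgorithmParameterException e) {
        fail("unexpected exception: " + e);
    } catch (CertPathValidatorException e) {
        // ok: some providers report a null path this way
    }
    try {
        certPV.validate(mCP, null);
        fail("InvalidAlgorithmParameterException must be thrown");
    } catch (InvalidAlgorithmParameterException e) {
        // ok: null parameters are rejected
    } catch (CertPathValidatorException e) {
        fail("unexpected exception");
    }
}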

Example 15 with PKIXParameters

use of java.security.cert.PKIXParameters in project robovm by robovm.

Method testValidate01 of class CertPathValidator3Test.

/**
 * Checks the argument validation of
 * <code>validate(CertPath certpath, CertPathParameters params)</code> on every available
 * PKIX validator: <code>null</code> parameters must be rejected with
 * <code>InvalidAlgorithmParameterException</code>, and a <code>null</code> cert path must
 * be rejected with <code>NullPointerException</code>.
 *
 * The test fails (rather than being skipped) when PKIX is not supported.
 */
public void testValidate01() throws InvalidAlgorithmParameterException, CertPathValidatorException {
    if (!PKIXSupport) {
        fail(NotSupportMsg);
        return;
    }
    MyCertPath emptyPath = new MyCertPath(new byte[0]);
    CertPathParameters pkixParams = new PKIXParameters(TestUtils.getTrustAnchorSet());
    CertPathValidator[] validators = createCPVs();
    assertNotNull("CertPathValidator objects were not created", validators);
    for (CertPathValidator validator : validators) {
        try {
            validator.validate(emptyPath, null);
            fail("InvalidAlgorithmParameterException must be thrown");
        } catch (InvalidAlgorithmParameterException expected) {
            // expected: null parameters are rejected
        }
        try {
            validator.validate(null, pkixParams);
            fail("NullPointerException must be thrown");
        } catch (NullPointerException expected) {
            // expected: a null cert path is rejected
        }
    }
}
