
Example 1 with PKIXRevocationChecker

Use of java.security.cert.PKIXRevocationChecker in the project Spark by igniterealtime.

From the class SparkTrustManager, method validatePath.

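/**
 * Validates the certificate chain against the PKIX rules, using {@code allStore} as the source
 * of trust anchors.
 *
 * <p>The last certificate of {@code chain} is used as the target of the path builder, so the
 * trust store must contain it (typically the root CA). Time validity is deliberately not
 * checked here; {@code checkDateValidity(X509Certificate[])} does that separately.
 *
 * <p>Revocation is checked through a {@link PKIXRevocationChecker} unless
 * {@code acceptRevoked} is set. The mode is chosen by {@code checkOCSP} / {@code checkCRL}:
 * <ul>
 *   <li>both set: OCSP first, CRLs as fallback;</li>
 *   <li>only {@code checkCRL}: CRLs preferred, no fallback to OCSP;</li>
 *   <li>only {@code checkOCSP}: OCSP only, no fallback to CRLs;</li>
 *   <li>neither: no revocation checking at all.</li>
 * </ul>
 * With {@code allowSoftFail} set, network failures during revocation checking are ignored.
 *
 * <p>A certificate reported as revoked is moved to the blacklist when one of the CRLs in
 * {@code crlCollection} confirms it, and the failure is reported as a
 * {@link CertificateException}.
 *
 * @param chain the chain presented by the peer, end-entity certificate first
 * @throws CertificateException if the chain is empty, the path does not end in a trusted CA,
 *     a certificate was revoked, or a basic-constraints check fails
 * @throws NoSuchAlgorithmException if no PKIX builder/validator is available
 * @throws KeyStoreException if {@code allStore} cannot be read
 * @throws InvalidAlgorithmParameterException if {@code allStore} holds no trust anchors
 * @throws CertPathValidatorException if the built path fails validation
 * @throws CertPathBuilderException if no path to a trust anchor can be built
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    // an empty chain would otherwise fail below with an ArrayIndexOutOfBoundsException
    if (chain == null || chain.length == 0) {
        throw new CertificateException("certificate path failed: empty chain");
    }
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);
    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // the default revocation checker is replaced by the PKIXRevocationChecker attached below
    // (or by nothing when all revocation mechanisms are disabled)
    parameters.setRevocationEnabled(false);
    // certificates from blacklist will be rejected
    if (!acceptRevoked) {
        attachRevocationChecker(certPathBuilder, parameters);
    }
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();
        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // basic constraints are checked on every certificate except the last one (root CA)
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertPathBuilderException | CertPathValidatorException | CertificateRevokedException e) {
        // The PKIX validator reports a revoked certificate as a CertPathValidatorException with
        // reason REVOKED (usually wrapping a CertificateRevokedException); catching only
        // CertificateRevokedException never saw those. Anything that is not a revocation is
        // rethrown unchanged (precise rethrow keeps the declared types).
        if (!isRevocationFailure(e)) {
            throw e;
        }
        Log.warning("Certificate was revoked", e);
        blacklistRevoked(chain);
        throw new CertificateException("Certificate was revoked", e);
    }
}

/**
 * Attaches a {@link PKIXRevocationChecker} to {@code parameters} according to the
 * {@code checkOCSP} / {@code checkCRL} / {@code allowSoftFail} settings. Does nothing when
 * neither OCSP nor CRL checking is enabled.
 *
 * @param certPathBuilder the PKIX builder whose revocation checker is used
 * @param parameters the builder parameters the checker is added to
 */
private void attachRevocationChecker(CertPathBuilder certPathBuilder, PKIXBuilderParameters parameters) {
    if (!checkOCSP && !checkCRL) {
        // no revocation mechanism enabled: the path is validated without any revocation check
        return;
    }
    // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
    // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
    PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
    EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
    // when enabled, network issues during revocation checking are ignored
    if (allowSoftFail) {
        checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
    }
    if (!checkOCSP) {
        // check only CRL, if CRL fail then there is no fallback to OCSP
        checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    } else if (!checkCRL) {
        // check only OCSP, no fallback to CRLs (this combination previously attached no
        // checker at all, so OCSP-only configurations ran without revocation checking)
        checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
    }
    // both enabled: check OCSP, CRL serve as backup (default checker behaviour)
    checker.setOptions(checkerOptions);
    parameters.addCertPathChecker(checker);
}

/**
 * Tells whether {@code t} or any exception in its cause chain reports a revoked certificate:
 * a {@link CertificateRevokedException}, or a {@link CertPathValidatorException} whose reason
 * is {@link CertPathValidatorException.BasicReason#REVOKED}. The walk is bounded so a
 * malformed cause cycle cannot loop forever.
 */
private static boolean isRevocationFailure(Throwable t) {
    Throwable current = t;
    for (int depth = 0; current != null && depth < 16; depth++, current = current.getCause()) {
        if (current instanceof CertificateRevokedException) {
            return true;
        }
        if (current instanceof CertPathValidatorException
                && ((CertPathValidatorException) current).getReason() == CertPathValidatorException.BasicReason.REVOKED) {
            return true;
        }
    }
    return false;
}

/**
 * Moves every certificate of {@code chain} that one of the CRLs in {@code crlCollection}
 * lists as revoked to the blacklist. A certificate revoked only via OCSP has no matching CRL
 * here and is therefore not blacklisted. Blacklisting failures are logged, not propagated.
 */
private void blacklistRevoked(X509Certificate[] chain) {
    for (X509Certificate cert : chain) {
        for (X509CRL crl : crlCollection) {
            if (crl.isRevoked(cert)) {
                try {
                    addToBlackList(cert);
                } catch (IOException | HeadlessException | InvalidNameException e1) {
                    Log.error("Couldn't move to the blacklist", e1);
                }
                // one matching CRL is enough for this certificate
                break;
            }
        }
    }
}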

Example 2 with PKIXRevocationChecker

Use of java.security.cert.PKIXRevocationChecker in the project open-ecard by ecsec.

From the class SignatureVerifier, method validatePath.

/**
 * Builds and validates a PKIX path from {@code cert} to a trust anchor in {@code trustStore}.
 *
 * <p>Side effect: sets the JVM-wide system property {@code com.sun.security.enableAIAcaIssuers}
 * to {@code true} so the builder may fetch missing issuer certificates via the AIA extension
 * (this affects every PKIX path build in the process). Revocation is checked with a
 * {@link PKIXRevocationChecker} in its default mode only when
 * {@code ChipGatewayProperties.isRevocationCheck()} is true.
 *
 * @param cert the end-entity certificate the path is built for
 * @param intermediateCerts additional certificates made available to the builder
 * @param checkDate the validation time, or {@code null} for the current time
 * @return the builder result holding the path and its trust anchor
 * @throws NoSuchAlgorithmException if no PKIX builder or Collection cert store is available
 * @throws KeyStoreException if {@code trustStore} cannot be read
 * @throws InvalidAlgorithmParameterException if the parameters are rejected
 * @throws CertPathBuilderException if no valid path can be built
 */
private PKIXCertPathBuilderResult validatePath(X509Certificate cert, Collection<X509Certificate> intermediateCerts, @Nullable Date checkDate) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathBuilderException {
    enableAiaDownloads();
    CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
    // the end-entity certificate is the target of the path
    X509CertSelector endEntity = new X509CertSelector();
    endEntity.setCertificate(cert);
    PKIXBuilderParameters buildParams = new PKIXBuilderParameters(trustStore, endEntity);
    CertStoreParameters extraCerts = new CollectionCertStoreParameters(intermediateCerts);
    buildParams.addCertStore(CertStore.getInstance("Collection", extraCerts));
    buildParams.setDate(checkDate);
    // the built-in revocation checker is off; an explicit checker is attached when configured
    buildParams.setRevocationEnabled(false);
    if (ChipGatewayProperties.isRevocationCheck()) {
        attachRevocationChecker(pathBuilder, buildParams);
    }
    return (PKIXCertPathBuilderResult) pathBuilder.build(buildParams);
}

/** Enables AIA-based fetching of missing issuer certificates; logs and continues if denied. */
private static void enableAiaDownloads() {
    try {
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
    } catch (SecurityException ex) {
        LOG.warn("Failed to enable AIA evaluation. Skipping downloads of missing certificates.");
    }
}

/** Replaces any existing path checkers with the builder's revocation checker in default mode. */
private static void attachRevocationChecker(CertPathBuilder pathBuilder, PKIXBuilderParameters buildParams) {
    PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) pathBuilder.getRevocationChecker();
    Set<PKIXRevocationChecker.Option> noOptions = new HashSet<>();
    // revOpts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
    revocationChecker.setOptions(noOptions);
    buildParams.setCertPathCheckers(null);
    buildParams.addCertPathChecker(revocationChecker);
}

Example 3 with PKIXRevocationChecker

Use of java.security.cert.PKIXRevocationChecker in the project open-ecard by ecsec.

From the class CGJavaSecVerifier, method isValid.

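/**
 * Validates the TLS server chain against the trust store returned by {@code getTrustStore()}
 * using the PKIX validator, optionally with revocation checking, and optionally restricts the
 * end-entity subject to the API-endpoint whitelist.
 *
 * <p>{@code hostname} is not used by this method, so hostname matching is not performed here
 * (NOTE(review): confirm the caller does it).
 *
 * @param chain the server certificate chain as received over TLS
 * @param hostname the host the connection was made to (unused here)
 * @throws CertificateVerificationException if the chain cannot be converted, path validation
 *     fails, or the end-entity subject is not whitelisted
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        CertPath certPath = convertChain(chain);
        // create the parameters for the validator
        PKIXParameters params = new PKIXParameters(getTrustStore());
        // the built-in revocation checker is disabled; an explicit checker is attached when enabled
        params.setRevocationEnabled(false);
        if (checkRevocation) {
            PKIXRevocationChecker revChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
            Set<PKIXRevocationChecker.Option> revOpts = new HashSet<>();
            // revOpts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            revChecker.setOptions(revOpts);
            // TODO: add OCSP responses
            // revChecker.setOcspResponses(responses);
            params.setCertPathCheckers(null);
            params.addCertPathChecker(revChecker);
        }
        // validate - exception marks failure; the result object is not needed
        certPathValidator.validate(certPath, params);
        if (ChipGatewayProperties.isUseApiEndpointWhitelist()) {
            // guard the get(0) below against a path without certificates
            if (certPath.getCertificates().isEmpty()) {
                throw new CertificateVerificationException("The certificate path is empty.");
            }
            X509Certificate cert = (X509Certificate) certPath.getCertificates().get(0);
            X500Principal subj = cert.getSubjectX500Principal();
            if (!AllowedApiEndpoints.instance().isInSubjects(subj)) {
                String msg = "The certificate used in the signature has an invalid subject: " + subj.getName();
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (GeneralSecurityException ex) {
        // CertPathValidatorException is a GeneralSecurityException, so one arm covers both.
        // NOTE(review): only the message is kept; CertificateVerificationException's constructors
        // are not visible here, so the cause cannot be attached with confidence.
        throw new CertificateVerificationException(ex.getMessage());
    } catch (IOException ex) {
        // CertificateVerificationException is itself an IOException: pass it through untouched
        if (ex instanceof CertificateVerificationException) {
            throw (CertificateVerificationException) ex;
        }
        throw new CertificateVerificationException("Error converting certificate chain to java.security format.");
    }
}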

Example 4 with PKIXRevocationChecker

Use of java.security.cert.PKIXRevocationChecker in the project mule by mulesoft.

From the class StandardRevocationCheck, method configFor.

/**
 * Builds trust-manager parameters whose PKIX path building includes the standard
 * {@link PKIXRevocationChecker}, configured from the {@code onlyEndEntities},
 * {@code preferCrls}, {@code noFallback} and {@code softFail} flags.
 *
 * @param trustStore the trust store to take anchors from, or {@code null} to use
 *     {@code defaultTrustAnchors}
 * @param defaultTrustAnchors anchors used only when {@code trustStore} is {@code null}
 * @return parameters for {@code TrustManagerFactory.init}
 * @throws RuntimeException wrapping any {@link GeneralSecurityException} raised while building
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) pathBuilder.getRevocationChecker();
        revocationChecker.setOptions(selectedOptions());
        // an unconstrained selector: any certificate may be the path target
        X509CertSelector anyTarget = new X509CertSelector();
        PKIXBuilderParameters pkixParams = trustStore != null
                ? new PKIXBuilderParameters(trustStore, anyTarget)
                : new PKIXBuilderParameters(defaultTrustAnchors, anyTarget);
        pkixParams.addCertPathChecker(revocationChecker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}

/** Collects the revocation-checker options enabled by this instance's flags. */
private Set<PKIXRevocationChecker.Option> selectedOptions() {
    Set<PKIXRevocationChecker.Option> selected = new HashSet<>();
    addWhen(selected, onlyEndEntities, PKIXRevocationChecker.Option.ONLY_END_ENTITY);
    addWhen(selected, preferCrls, PKIXRevocationChecker.Option.PREFER_CRLS);
    addWhen(selected, noFallback, PKIXRevocationChecker.Option.NO_FALLBACK);
    addWhen(selected, softFail, PKIXRevocationChecker.Option.SOFT_FAIL);
    return selected;
}

/** Adds {@code option} to {@code target} only when {@code enabled} is true. */
private static void addWhen(Set<PKIXRevocationChecker.Option> target, boolean enabled, PKIXRevocationChecker.Option option) {
    if (enabled) {
        target.add(option);
    }
}

Example 5 with PKIXRevocationChecker

Use of java.security.cert.PKIXRevocationChecker in the project mule by mulesoft.

From the class CustomOcspResponder, method configFor.

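/**
 * Builds trust-manager parameters whose revocation checking goes to the OCSP responder at
 * {@code url}, optionally verifying responses against the trust-store certificate under
 * {@code certAlias}. {@code NO_FALLBACK} is set, so an unreachable responder is a hard
 * failure rather than a silent fallback to CRLs.
 *
 * @param trustStore the trust store to take anchors (and the responder certificate) from;
 *     required
 * @param defaultTrustAnchors ignored: this responder always needs a trust store
 * @return parameters for {@code TrustManagerFactory.init}
 * @throws IllegalArgumentException if {@code url} or {@code trustStore} is missing
 * @throws IllegalStateException if {@code certAlias} is set but is not a trusted-certificate
 *     entry of {@code trustStore}
 * @throws RuntimeException wrapping a {@link GeneralSecurityException} or
 *     {@link URISyntaxException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url is guaranteed non-null by the checkArgument above, so no second null test is needed
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            // the alias must name a trusted-certificate entry; a key entry under that alias does not qualify
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Trusted certificate with alias \"" + certAlias + "\" was not found in the trust store");
            }
            rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}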
