Examples with TrustAnchor java.security.cert.TrustAnchor used on opensource projects

Example 1 with TrustAnchor

use of java.security.cert.TrustAnchor in project jdk8u_jdk by JetBrains.

the class BuildEEBasicConstraints method main.

public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);
    X509CertSelector sel = new X509CertSelector();
    sel.setBasicConstraints(-2);
    PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(anchor), sel);
    params.setRevocationEnabled(false);
    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
    certs.add(caCert);
    certs.add(eeCert);
    CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccsp);
    params.addCertStore(cs);
    PKIXCertPathBuilderResult res = CertUtils.build(params);
    CertPath cp = res.getCertPath();
    // check that first certificate is an EE cert
    List<? extends Certificate> certList = cp.getCertificates();
    X509Certificate cert = (X509Certificate) certList.get(0);
    if (cert.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}

Example 2 with TrustAnchor

use of java.security.cert.TrustAnchor in project jdk8u_jdk by JetBrains.

the class ValidateTargetConstraints method createPath.

public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}

Example 3 with TrustAnchor

use of java.security.cert.TrustAnchor in project jdk8u_jdk by JetBrains.

the class ValidateNC method createPath.

public static void createPath(String[] certs) throws Exception {
    X509Certificate anchorCert = getCertFromFile(certs[0]);
    byte[] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
    if (nameConstraints != null) {
        DerInputStream in = new DerInputStream(nameConstraints);
        nameConstraints = in.getOctetString();
    }
    TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
}

Example 4 with TrustAnchor

use of java.security.cert.TrustAnchor in project oxAuth by GluuFederation.

the class PathCertificateVerifier method verifyCertificate.

/**
	 * Attempts to build a certification chain for given certificate to verify
	 * it. Relies on a set of root CA certificates (trust anchors) and a set of
	 * intermediate certificates (to be used as part of the chain).
	 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException {
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setBasicConstraints(-2);
    selector.setCertificate(certificate);
    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }
    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    // Turn off default revocation-checking mechanism
    pkixParams.setRevocationEnabled(false);
    // Specify a list of intermediate certificates
    CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);
    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);
    // Additional check to Verify cert path
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
    PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
    return certPathBuilderResult;
}

Example 5 with TrustAnchor

use of java.security.cert.TrustAnchor in project robovm by robovm.

the class TrustManagerImpl method checkTrusted.

private List<X509Certificate> checkTrusted(X509Certificate[] chain, String authType, String host, boolean clientAuth) throws CertificateException {
    if (chain == null || chain.length == 0 || authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    if (err != null) {
        throw new CertificateException(err);
    }
    // get the cleaned up chain and trust anchor
    // there can only be one!
    Set<TrustAnchor> trustAnchor = new HashSet<TrustAnchor>();
    X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(chain, trustAnchor);
    // add the first trust anchor to the chain, which may be an intermediate
    List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
    wholeChain.addAll(Arrays.asList(newChain));
    // trustAnchor is actually just a single element
    for (TrustAnchor trust : trustAnchor) {
        wholeChain.add(trust.getTrustedCert());
    }
    // add all the cached certificates from the cert index, avoiding loops
    // this gives us a full chain from leaf to root, which we use for cert pinning and pass
    // back out to callers when we return.
    X509Certificate last = wholeChain.get(wholeChain.size() - 1);
    while (true) {
        TrustAnchor cachedTrust = trustedCertificateIndex.findByIssuerAndSignature(last);
        // trusted a non-self-signed cert.
        if (cachedTrust == null) {
            break;
        }
        // at this point we have a cached trust anchor, but don't know if its one we got from
        // the server. Extract the cert, compare it to the last element in the chain, and add it
        // if we haven't seen it before.
        X509Certificate next = cachedTrust.getTrustedCert();
        if (next != last) {
            wholeChain.add(next);
            last = next;
        } else {
            // if next == last then we found a self-signed cert and the chain is done
            break;
        }
    }
    // build the cert path from the array of certs sans trust anchors
    CertPath certPath = factory.generateCertPath(Arrays.asList(newChain));
    if (host != null) {
        boolean chainIsNotPinned = true;
        try {
            chainIsNotPinned = pinManager.chainIsNotPinned(host, wholeChain);
        } catch (PinManagerException e) {
            throw new CertificateException(e);
        }
        if (chainIsNotPinned) {
            throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, certPath, -1));
        }
    }
    if (newChain.length == 0) {
        // chain was entirely trusted, skip the validator
        return wholeChain;
    }
    if (trustAnchor.isEmpty()) {
        throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1));
    }
    // There's no point in checking trust anchors here, and it will throw off the MD5 check,
    // so we just hand it the chain without anchors
    ChainStrengthAnalyzer.check(newChain);
    try {
        PKIXParameters params = new PKIXParameters(trustAnchor);
        params.setRevocationEnabled(false);
        params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0]));
        validator.validate(certPath, params);
        // cleanupCertChainAndFindTrustAnchors.  http://b/3404902
        for (int i = 1; i < newChain.length; i++) {
            trustedCertificateIndex.index(newChain[i]);
        }
    } catch (InvalidAlgorithmParameterException e) {
        throw new CertificateException(e);
    } catch (CertPathValidatorException e) {
        throw new CertificateException(e);
    }
    return wholeChain;
}