Example 56 with X509CertSelector
use of java.security.cert.X509CertSelector in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubjectAltName.
/*
* Tests matching on the subject alternative name extension contained in the
* certificate.
*/
private void testSubjectAltName() throws IOException {
System.out.println("X.509 Certificate Match on subjectAltName");
// bad match
X509CertSelector selector = new X509CertSelector();
GeneralNameInterface dnsName = new DNSName("foo.com");
DerOutputStream tmp = new DerOutputStream();
dnsName.encode(tmp);
selector.addSubjectAlternativeName(2, tmp.toByteArray());
checkMatch(selector, cert, false);
// good match
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
byte[] encoded = in.getOctetString();
SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName name = (GeneralName) names.get(0);
selector.setSubjectAlternativeNames(null);
DerOutputStream tmp2 = new DerOutputStream();
name.getName().encode(tmp2);
selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
checkMatch(selector, cert, true);
// good match 2 (matches at least one)
selector.setMatchAllSubjectAltNames(false);
selector.addSubjectAlternativeName(2, "foo.com");
checkMatch(selector, cert, true);
}
Also used :
GeneralNameInterface(sun.security.x509.GeneralNameInterface)
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertSelector(java.security.cert.X509CertSelector)
DerInputStream(sun.security.util.DerInputStream)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 57 with X509CertSelector
use of java.security.cert.X509CertSelector in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubjectPublicKey.
// Tests matching on the subject public key contained in the certificate.
private void testSubjectPublicKey() throws IOException, GeneralSecurityException {
System.out.println("X.509 Certificate Match on subject public key");
// bad match
X509CertSelector selector = new X509CertSelector();
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.getMimeDecoder().decode(testKey.getBytes()));
KeyFactory keyFactory = KeyFactory.getInstance("DSA");
PublicKey pubKey = keyFactory.generatePublic(keySpec);
selector.setSubjectPublicKey(pubKey);
checkMatch(selector, cert, false);
// good match
selector.setSubjectPublicKey(cert.getPublicKey());
checkMatch(selector, cert, true);
}
Also used :
PublicKey(java.security.PublicKey)
X509CertSelector(java.security.cert.X509CertSelector)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
KeyFactory(java.security.KeyFactory)
Example 58 with X509CertSelector
use of java.security.cert.X509CertSelector in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubject.
// Tests matching on the subject name contained in the certificate.
private void testSubject() throws IOException {
System.out.println("X.509 Certificate Match on subject");
// bad match
X509CertSelector selector = new X509CertSelector();
selector.setSubject("ou=bogus,ou=east,o=sun,c=us");
checkMatch(selector, cert, false);
// good match
selector.setSubject(cert.getSubjectX500Principal().getName("RFC2253"));
checkMatch(selector, cert, true);
}
Also used :
X509CertSelector(java.security.cert.X509CertSelector)
Example 59 with X509CertSelector
use of java.security.cert.X509CertSelector in project cxf by apache.
the class KeyManagementUtils method validateCertificateChain.
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
// Initial chain validation, to be enhanced as needed
try {
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(inCerts.get(0));
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
pbParams.setMaxPathLength(-1);
pbParams.setRevocationEnabled(false);
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
CertPath certPath = buildResult.getCertPath();
CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
} catch (Exception ex) {
LOG.warning("Certificate path validation error");
throw new JoseException(ex);
}
}
Also used :
CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters)
PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters)
CertPathBuilderResult(java.security.cert.CertPathBuilderResult)
X509CertSelector(java.security.cert.X509CertSelector)
CertPath(java.security.cert.CertPath)
KeyStoreException(java.security.KeyStoreException)
JwkException(org.apache.cxf.rs.security.jose.jwk.JwkException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Base64Exception(org.apache.cxf.common.util.Base64Exception)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
Example 60 with X509CertSelector
use of java.security.cert.X509CertSelector in project cxf by apache.
the class TrustedAuthorityValidator method isCertificateChainValid.
/**
* Checks if a certificate is signed by a trusted authority.
*
* @param x509Certificate to check
* @return the validity state of the certificate
*/
boolean isCertificateChainValid(List<X509Certificate> certificates) {
X509Certificate targetCert = certificates.get(0);
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(targetCert);
try {
List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
pkixParams.setRevocationEnabled(false);
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
CertPath certPath = builder.build(pkixParams).getCertPath();
// Now validate the CertPath (including CRL checking)
if (enableRevocation) {
List<X509CRL> crls = certRepo.getCRLs();
if (!crls.isEmpty()) {
pkixParams.setRevocationEnabled(true);
CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
}
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
validator.validate(certPath, pkixParams);
} catch (InvalidAlgorithmParameterException e) {
LOG.log(Level.WARNING, "Invalid algorithm parameter by certificate chain validation. " + "It is likely that issuer certificates are not found in XKMS trusted storage. " + e.getMessage(), e);
return false;
} catch (NoSuchAlgorithmException e) {
LOG.log(Level.WARNING, "Unknown algorithm by trust chain validation: " + e.getMessage(), e);
return false;
} catch (CertPathBuilderException e) {
LOG.log(Level.WARNING, "Cannot build certification path: " + e.getMessage(), e);
return false;
} catch (CertPathValidatorException e) {
LOG.log(Level.WARNING, "Cannot vaidate certification path: " + e.getMessage(), e);
return false;
}
return true;
}
Also used :
X509CRL(java.security.cert.X509CRL)
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters)
X509CertSelector(java.security.cert.X509CertSelector)
TrustAnchor(java.security.cert.TrustAnchor)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
X509Certificate(java.security.cert.X509Certificate)
CertStoreParameters(java.security.cert.CertStoreParameters)
CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters)
CertPathValidator(java.security.cert.CertPathValidator)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
CertPathBuilder(java.security.cert.CertPathBuilder)
CertPath(java.security.cert.CertPath)
Aggregations
X509CertSelector (java.security.cert.X509CertSelector)116
PKIXBuilderParameters (java.security.cert.PKIXBuilderParameters)29
X509Certificate (java.security.cert.X509Certificate)23
IOException (java.io.IOException)18
CollectionCertStoreParameters (java.security.cert.CollectionCertStoreParameters)17
X500Principal (javax.security.auth.x500.X500Principal)16
ArrayList (java.util.ArrayList)14
TrustAnchor (java.security.cert.TrustAnchor)13
CertificateFactory (java.security.cert.CertificateFactory)11
HashSet (java.util.HashSet)11
ByteArrayInputStream (java.io.ByteArrayInputStream)10
KeyStore (java.security.KeyStore)10
CertPathBuilder (java.security.cert.CertPathBuilder)10
CertStore (java.security.cert.CertStore)10
PublicKey (java.security.PublicKey)9
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)8
CertificateException (java.security.cert.CertificateException)8
ASN1OctetString (org.apache.harmony.security.asn1.ASN1OctetString)8
BigInteger (java.math.BigInteger)7
Date (java.util.Date)7
