Use of javax.net.ssl.CertPathTrustManagerParameters in project zookeeper by apache.
Class X509Util, method createTrustManager.
/**
 * Builds an {@link X509TrustManager} from the trust store at
 * {@code trustStoreLocation} and wraps it in a {@code ZKTrustManager} that
 * applies the requested hostname verification.
 *
 * <p>Revocation checking is switched on the PKIX builder parameters and, when
 * requested, also through the {@code com.sun.net.ssl.checkRevocation} and
 * {@code com.sun.security.enableCRLDP} system properties and the
 * {@code ocsp.enable} security property. Those properties are process-wide:
 * enabling revocation here affects every PKIX trust manager in the JVM, and
 * this method never resets them.
 *
 * @param trustStoreLocation path of the trust store file.
 * @param trustStorePassword optional password used to open the trust store
 *                           (only applies to JKS trust stores); {@code null}
 *                           or empty means the store is not encrypted.
 * @param trustStoreTypeProp JKS, PEM, PKCS12, BCFKS or {@code null}; when
 *                           {@code null} the loader infers the type from the
 *                           file extension (e.g. .jks / .pem).
 * @param crlEnabled enable CRL (certificate revocation list) checks.
 * @param ocspEnabled enable OCSP (online certificate status protocol) checks.
 * @param serverHostnameVerificationEnabled verify the hostnames of remote
 *                                          servers that client sockets created
 *                                          by this X509Util connect to.
 * @param clientHostnameVerificationEnabled verify the hostnames of remote
 *                                          clients that server sockets created
 *                                          by this X509Util accept connections from.
 * @return the wrapped trust manager.
 * @throws TrustManagerException if the store cannot be loaded, the PKIX
 *         factory cannot be initialised, or the factory yields no
 *         {@link X509ExtendedTrustManager}.
 */
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, final boolean serverHostnameVerificationEnabled, final boolean clientHostnameVerificationEnabled) throws TrustManagerException {
    final String password = trustStorePassword == null ? "" : trustStorePassword;
    final boolean revocationEnabled = crlEnabled || ocspEnabled;
    try {
        final KeyStore trustStore = loadTrustStore(trustStoreLocation, password, trustStoreTypeProp);
        final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.setRevocationEnabled(revocationEnabled);
        if (revocationEnabled) {
            // JVM-wide switches read by the built-in PKIX validator; CRLDP is
            // enabled whenever any revocation check is requested, OCSP only on demand.
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            if (ocspEnabled) {
                Security.setProperty("ocsp.enable", "true");
            }
        }
        // Only the PKIX algorithm honours the revocation settings above.
        final TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
        factory.init(new CertPathTrustManagerParameters(pkixParams));
        final TrustManager[] managers = factory.getTrustManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509ExtendedTrustManager) {
                final X509ExtendedTrustManager delegate = (X509ExtendedTrustManager) managers[i];
                return new ZKTrustManager(delegate, serverHostnameVerificationEnabled, clientHostnameVerificationEnabled);
            }
        }
        throw new TrustManagerException("Couldn't find X509TrustManager");
    } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
        throw new TrustManagerException(e);
    }
}
Use of javax.net.ssl.CertPathTrustManagerParameters in project cxf by apache.
Class TLSParameterJaxBUtils, method getTrustManagers.
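/**
 * Builds the trust managers described by {@code tmc}.
 *
 * <p>The trust store is taken from the configured key store, else from the
 * configured cert store, else it is {@code null}, in which case the factory is
 * initialised with its default trust store. When {@code enableRevocation} is
 * set the factory is initialised from PKIX builder parameters with revocation
 * checking enabled; that path needs an explicit trust store, because
 * {@link PKIXBuilderParameters} rejects a {@code null} key store with an
 * undeclared {@link NullPointerException}. That case is reported as a
 * {@link GeneralSecurityException} instead of crashing.
 *
 * @param tmc trust manager configuration.
 * @param enableRevocation whether to require certificate revocation checking.
 * @return the trust managers produced by the factory.
 * @throws GeneralSecurityException if the factory or key store cannot be
 *         created, if the configured algorithm does not accept PKIX parameters,
 *         or if revocation is requested without a trust store.
 * @throws IOException if the key store cannot be read.
 */
public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation) throws GeneralSecurityException, IOException {
    final KeyStore keyStore;
    if (tmc.isSetKeyStore()) {
        keyStore = getKeyStore(tmc.getKeyStore(), true);
    } else if (tmc.isSetCertStore()) {
        keyStore = getKeyStore(tmc.getCertStore());
    } else {
        keyStore = null;
    }
    final String alg = tmc.isSetFactoryAlgorithm() ? tmc.getFactoryAlgorithm() : TrustManagerFactory.getDefaultAlgorithm();
    final TrustManagerFactory fac = tmc.isSetProvider() ? TrustManagerFactory.getInstance(alg, tmc.getProvider()) : TrustManagerFactory.getInstance(alg);
    if (enableRevocation) {
        if (keyStore == null) {
            // Fail explicitly rather than letting PKIXBuilderParameters throw an
            // undeclared NullPointerException; silently dropping revocation here
            // would weaken the caller's requested checks.
            throw new GeneralSecurityException("Revocation checking requires a configured trust store (keyStore or certStore)");
        }
        // Only PKIX-style factories accept CertPathTrustManagerParameters; other
        // algorithms reject them in init().
        final PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);
        fac.init(new CertPathTrustManagerParameters(param));
    } else {
        // A null key store makes the factory fall back to its default trust store.
        fac.init(keyStore);
    }
    return fac.getTrustManagers();
}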
Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.
Class StandardRevocationCheck, method configFor.
/**
 * Builds PKIX trust-manager parameters whose revocation checker is the
 * platform's {@link PKIXRevocationChecker}, configured from this object's
 * {@code onlyEndEntities}, {@code preferCrls}, {@code noFallback} and
 * {@code softFail} flags. SOFT_FAIL in particular lets revocation lookups that
 * cannot complete (e.g. an unreachable responder) pass instead of failing the
 * handshake, so it trades strictness for availability.
 *
 * @param trustStore trust store used as the anchor set when non-null.
 * @param defaultTrustAnchors anchors used when {@code trustStore} is null.
 * @return the trust manager parameters carrying the configured checker.
 * @throws RuntimeException wrapping any {@link GeneralSecurityException}
 *         raised while building the checker or parameters.
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        // The builder is only used to obtain the platform revocation checker.
        final PKIXRevocationChecker checker = (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        final boolean[] flags = {onlyEndEntities, preferCrls, noFallback, softFail};
        final PKIXRevocationChecker.Option[] candidates = {
            PKIXRevocationChecker.Option.ONLY_END_ENTITY,
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.NO_FALLBACK,
            PKIXRevocationChecker.Option.SOFT_FAIL
        };
        final Set<PKIXRevocationChecker.Option> selected = new HashSet<>();
        for (int i = 0; i < flags.length; i++) {
            if (flags[i]) {
                selected.add(candidates[i]);
            }
        }
        checker.setOptions(selected);
        final PKIXBuilderParameters params = trustStore != null
            ? new PKIXBuilderParameters(trustStore, new X509CertSelector())
            : new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector());
        params.addCertPathChecker(checker);
        return new CertPathTrustManagerParameters(params);
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.
Class CrlFile, method configFor.
/**
 * Builds PKIX trust-manager parameters with revocation checking enabled and
 * the CRLs read from {@code path} attached as a collection cert store.
 *
 * <p>If the file yields no CRLs, revocation stays enabled but no CRL store is
 * attached. NOTE(review): confirm that leaving the checker without a local
 * CRL source is the intended behaviour for that configuration.
 *
 * @param trustStore trust store whose entries become the trust anchors; required.
 * @param defaultTrustAnchors unused; the trust store is mandatory here.
 * @return the trust manager parameters.
 * @throws RuntimeException wrapping an {@link IOException} or
 *         {@link GeneralSecurityException} from loading the CRLs or building
 *         the parameters. Missing {@code path} or {@code trustStore} is
 *         rejected by {@code checkArgument} (assumed to throw
 *         IllegalArgumentException; confirm against its implementation).
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(getTrustAnchorsFromKeyStore(trustStore), new X509CertSelector());
        // Turns on revocation checking for the PKIX validator (com.sun.net.ssl.checkRevocation)
        params.setRevocationEnabled(true);
        final Collection<? extends CRL> revocationLists = loadCRL(path);
        final boolean haveCrls = revocationLists != null && !revocationLists.isEmpty();
        if (haveCrls) {
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(revocationLists)));
        }
        return new CertPathTrustManagerParameters(params);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.
Class CustomOcspResponder, method configFor.
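/**
 * Builds PKIX trust-manager parameters whose revocation checker queries the
 * configured OCSP responder at {@code url} (overriding any responder URL in
 * the certificate) with {@code NO_FALLBACK}, so a failed OCSP lookup is not
 * retried via CRLs. When {@code certAlias} is set, the certificate stored
 * under that alias is used to verify the responder's signed replies.
 *
 * @param trustStore trust store providing the trust anchors and, optionally,
 *                   the responder certificate; required.
 * @param defaultTrustAnchors unused; the trust store is mandatory here.
 * @return the trust manager parameters.
 * @throws IllegalStateException if {@code certAlias} is set but the trust
 *         store has no certificate entry under that alias.
 * @throws RuntimeException wrapping a {@link GeneralSecurityException} or
 *         {@link URISyntaxException}. Missing {@code url} or
 *         {@code trustStore} is rejected by {@code checkArgument} (assumed to
 *         throw IllegalArgumentException; confirm against its implementation).
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url is guaranteed non-null by the checkArgument above, so no second check is needed.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            if (trustStore.isCertificateEntry(certAlias)) {
                // The responder's signing certificate; trust store entries are expected to be X.509.
                rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
            } else {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}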