Example 16 with CertPathTrustManagerParameters

Use of javax.net.ssl.CertPathTrustManagerParameters in project zookeeper by apache.

The class X509Util, method createTrustManager.

/**
 * Creates a trust manager by loading the trust store from the given file
 * of the given type, optionally decrypting it using the given password.
 * @param trustStoreLocation the location of the trust store file.
 * @param trustStorePassword optional password to decrypt the trust store
 *                           (only applies to JKS trust stores). If empty,
 *                           assumes the trust store is not encrypted.
 * @param trustStoreTypeProp must be JKS, PEM, PKCS12, BCFKS or null. If
 *                           null, attempts to autodetect the trust store
 *                           type from the file extension (e.g. .jks / .pem).
 * @param crlEnabled enable CRL (certificate revocation list) checks.
 * @param ocspEnabled enable OCSP (online certificate status protocol)
 *                    checks.
 * @param serverHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote servers that client
 *                                          sockets created by this
 *                                          X509Util connect to.
 * @param clientHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote clients that server
 *                                          sockets created by this
 *                                          X509Util accept connections
 *                                          from.
 * @return the trust manager.
 * @throws TrustManagerException if something goes wrong.
 */
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, final boolean serverHostnameVerificationEnabled, final boolean clientHostnameVerificationEnabled) throws TrustManagerException {
    if (trustStorePassword == null) {
        trustStorePassword = "";
    }
    try {
        KeyStore ts = loadTrustStore(trustStoreLocation, trustStorePassword, trustStoreTypeProp);
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());
        if (crlEnabled || ocspEnabled) {
            pbParams.setRevocationEnabled(true);
            // JVM-wide settings read by SunJSSE / the PKIX provider: turn on
            // revocation checking and CRL Distribution Point fetching
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            if (ocspEnabled) {
                // Security property (not a system property) that enables OCSP
                Security.setProperty("ocsp.enable", "true");
            }
        } else {
            pbParams.setRevocationEnabled(false);
        }
        // Revocation checking is only supported with the PKIX algorithm
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pbParams));
        for (final TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return new ZKTrustManager((X509ExtendedTrustManager) tm, serverHostnameVerificationEnabled, clientHostnameVerificationEnabled);
            }
        }
        throw new TrustManagerException("Couldn't find X509TrustManager");
    } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
        throw new TrustManagerException(e);
    }
}
Also used: X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) X509CertSelector(java.security.cert.X509CertSelector) IOException(java.io.IOException) KeyStore(java.security.KeyStore) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) TrustManagerException(org.apache.zookeeper.common.X509Exception.TrustManagerException)

Example 17 with CertPathTrustManagerParameters

Use of javax.net.ssl.CertPathTrustManagerParameters in project cxf by apache.

The class TLSParameterJaxBUtils, method getTrustManagers.

public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation) throws GeneralSecurityException, IOException {
    // keyStore stays null when neither a key store nor a cert store is configured
    final KeyStore keyStore = tmc.isSetKeyStore() ? getKeyStore(tmc.getKeyStore(), true) : (tmc.isSetCertStore() ? getKeyStore(tmc.getCertStore()) : null);
    String alg = tmc.isSetFactoryAlgorithm() ? tmc.getFactoryAlgorithm() : TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory fac = tmc.isSetProvider() ? TrustManagerFactory.getInstance(alg, tmc.getProvider()) : TrustManagerFactory.getInstance(alg);
    if (enableRevocation) {
        // Revocation checking needs PKIX parameters; PKIXBuilderParameters rejects a null key store
        PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        param.setRevocationEnabled(true);
        fac.init(new CertPathTrustManagerParameters(param));
    } else {
        // A null key store makes the factory use the JVM default trust store
        fac.init(keyStore);
    }
    return fac.getTrustManagers();
}
Also used: PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) X509CertSelector(java.security.cert.X509CertSelector) KeyStore(java.security.KeyStore)

Example 18 with CertPathTrustManagerParameters

Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.

The class StandardRevocationCheck, method configFor.

@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        Set<PKIXRevocationChecker.Option> options = new HashSet<>();
        if (onlyEndEntities) {
            // Check the revocation status of the end-entity certificate only, not the CA chain
            options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (preferCrls) {
            // Consult CRLs before OCSP (the default order is OCSP first)
            options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (noFallback) {
            // Do not fall back to the other mechanism when the preferred one is unavailable
            options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        if (softFail) {
            // Let the path validate when status cannot be obtained (e.g. network error);
            // the cause is recorded and retrievable via getSoftFailExceptions()
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        rc.setOptions(options);
        PKIXBuilderParameters pkixParams;
        if (trustStore != null) {
            pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        } else {
            pkixParams = new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector());
        }
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
Also used: PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) HashSet(java.util.HashSet)

Example 19 with CertPathTrustManagerParameters

Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.

The class CrlFile, method configFor.

@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        Set<TrustAnchor> trustAnchors = getTrustAnchorsFromKeyStore(trustStore);
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
        // Make sure revocation checking is enabled (com.sun.net.ssl.checkRevocation)
        pbParams.setRevocationEnabled(true);
        Collection<? extends CRL> crls = loadCRL(path);
        if (crls != null && !crls.isEmpty()) {
            // Expose the CRLs from the file to the PKIX path builder as an in-memory cert store
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        }
        return new CertPathTrustManagerParameters(pbParams);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
Also used: CollectionCertStoreParameters(java.security.cert.CollectionCertStoreParameters) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) TrustAnchor(java.security.cert.TrustAnchor) X509CertSelector(java.security.cert.X509CertSelector) IOException(java.io.IOException)

Example 20 with CertPathTrustManagerParameters

Use of javax.net.ssl.CertPathTrustManagerParameters in project mule by mulesoft.

The class CustomOcspResponder, method configFor.

@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // OCSP only: do not fall back to CRLs if the responder cannot be reached
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        if (url != null) {
            // Override the responder URL from the certificate's AIA extension
            rc.setOcspResponder(new URI(url));
        }
        if (certAlias != null) {
            if (trustStore.isCertificateEntry(certAlias)) {
                rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
            } else {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}
Also used: PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertPathTrustManagerParameters(javax.net.ssl.CertPathTrustManagerParameters) GeneralSecurityException(java.security.GeneralSecurityException) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) X509CertSelector(java.security.cert.X509CertSelector) CertPathBuilder(java.security.cert.CertPathBuilder) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI)
