java.security.cert.CertPathParameters Java Examples
The following examples show how to use
java.security.cert.CertPathParameters.
Example #1
Source File: MyCertPathValidatorSpi.java From j2objc with Apache License 2.0 | 6 votes |
/**
 * Stub {@code engineValidate}: performs no certificate path validation and never
 * produces a result object, so it must not be used to make trust decisions.
 *
 * <p>Each call increments the {@code sw} counter first. A {@code null} path is rejected
 * only when the counter is even, and {@code null} parameters only when the counter is a
 * multiple of three; every other call falls through and returns {@code null}.
 *
 * @param certPath path to "validate"; may be {@code null}
 * @param params validation parameters; may be {@code null}
 * @return always {@code null}
 * @throws CertPathValidatorException if {@code certPath} is {@code null} on an even call
 * @throws InvalidAlgorithmParameterException if {@code params} is {@code null} on a call
 *     whose counter is divisible by three
 */
public CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params)
        throws CertPathValidatorException, InvalidAlgorithmParameterException {
    sw++;
    final boolean rejectNullPath = certPath == null && sw % 2 == 0;
    if (rejectNullPath) {
        throw new CertPathValidatorException("certPath null");
    }
    final boolean rejectNullParams = params == null && sw % 3 == 0;
    if (rejectNullParams) {
        throw new InvalidAlgorithmParameterException("params null");
    }
    return null;
}
Example #2
Source File: SSLUtilBase.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Builds the PKIX parameters used to initialise the TrustManager.
 * Only the default <code>PKIX</code> algorithm is supported.
 *
 * <p>Trust anchors are taken from {@code trustStore} by
 * {@link PKIXBuilderParameters#PKIXBuilderParameters(KeyStore, java.security.cert.CertSelector)},
 * which uses the store's trusted certificate entries. The maximum path length always comes
 * from {@code sslHostConfig.getCertificateVerificationDepth()}.
 *
 * @param crlf              Path to the CRL file. When non-empty, the CRLs returned by
 *                          {@code getCRLs(crlf)} are added as a certificate store and
 *                          revocation checking is forced on.
 * @param trustStore        The configured TrustStore.
 * @param revocationEnabled Whether the JSSE provider should perform revocation checks.
 *                          Ignored if {@code crlf} is non-empty; otherwise any further
 *                          revocation configuration is expected to happen through
 *                          provider-specific means.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception An error occurred
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
        boolean revocationEnabled) throws Exception {
    final PKIXBuilderParameters pkix =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());

    final boolean crlFileConfigured = crlf != null && !crlf.isEmpty();
    if (!crlFileConfigured) {
        // No CRL file: honour the caller's choice, with no CRL store added here.
        pkix.setRevocationEnabled(revocationEnabled);
    } else {
        // A CRL file wins over the flag: its CRLs are the revocation data added here
        // and revocation checking is switched on unconditionally.
        final CertStore crlStore = CertStore.getInstance(
                "Collection", new CollectionCertStoreParameters(getCRLs(crlf)));
        pkix.addCertStore(crlStore);
        pkix.setRevocationEnabled(true);
    }

    pkix.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return pkix;
}
Example #3
Source File: JKSValidator.java From knopflerfish.org with BSD 3-Clause "New" or "Revised" License | 6 votes |
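/**
 * Builds PKIX validation parameters whose trust anchors are taken from a keystore.
 *
 * <p>Every alias is inspected. A certificate becomes a trust anchor when the alias is a
 * trusted certificate entry, or for any entry at all when {@code trustKeys} is set, so
 * enabling {@code trustKeys} also anchors trust in the certificates stored with key
 * entries. Entries without a certificate, or with a non-X.509 certificate, are skipped.
 *
 * <p>Revocation checking is switched off: CRL handling is not implemented here, so a
 * revoked certificate that chains to one of these anchors is still accepted.
 *
 * @param keystore keystore to read the trust anchors from
 * @return PKIX parameters with the collected anchors, revocation disabled and, when
 *     {@code validationDate} is set, that date as the validation time
 * @throws GeneralSecurityException if the keystore cannot be read, or if no trust anchor
 *     was collected ({@code PKIXParameters} rejects an empty anchor set)
 */
private CertPathParameters getCertPathParameters(KeyStore keystore)
  throws GeneralSecurityException
{
  HashSet<TrustAnchor> tas = new HashSet<TrustAnchor>();
  for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements(); ) {
    String name = e.nextElement();
    Certificate c = keystore.getCertificate(name);
    // Guard the cast: a non-X.509 entry would otherwise raise ClassCastException, which
    // is not a GeneralSecurityException and so escapes callers that catch only that.
    // instanceof is also false for null, which covers aliases without a certificate.
    if (!(c instanceof X509Certificate)) {
      continue;
    }
    if (trustKeys || keystore.isCertificateEntry(name)) {
      tas.add(new TrustAnchor((X509Certificate)c, null));
    }
  }
  PKIXParameters p = new PKIXParameters(tas);
  // NYI! Handle CRLs
  // Until CRL handling exists, revocation status is never consulted.
  p.setRevocationEnabled(false);
  if (validationDate != null) {
    // Validate as of a fixed date instead of the current time.
    p.setDate(validationDate);
  }
  return p;
}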
Example #4
Source File: JKSValidator.java From knopflerfish.org with BSD 3-Clause "New" or "Revised" License | 6 votes |
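/**
 * Check if a certificate chain is to be trusted.
 *
 * <p>The chain is converted to a {@code CertPath} and validated against the parameters
 * derived from the configured keystore. The method fails closed: a missing keystore, a
 * missing or empty chain, and any {@code GeneralSecurityException} raised while building
 * or validating the path all yield {@code false}.
 *
 * @param chain the certificate chain to validate
 * @return true, if validator trusts certificate chain, otherwise false.
 */
public boolean validateCertificateChain(List<X509Certificate> chain)
{
  if (keystore == null) {
    return false;
  }
  // Reject a missing or empty chain up front. A null list is not guaranteed to surface
  // as a GeneralSecurityException, and an empty path contains no certificate to vouch
  // for; whether the validator provider rejects an empty path should not be relied on.
  if (chain == null || chain.isEmpty()) {
    return false;
  }
  try {
    CertPath c = getCertificateFactory().generateCertPath(chain);
    CertPathValidator cpv = getCertPathValidator();
    CertPathParameters params = getCertPathParameters(keystore);
    // validate() signals rejection by throwing; returning normally means "trusted".
    cpv.validate(c, params);
  } catch (GeneralSecurityException gse) {
    if (debug.certificates) {
      debug.printStackTrace("Failed to validate cert", gse);
    }
    // NYI! Log this?
    return false;
  }
  return true;
}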
Example #5
Source File: SSLUtils.java From ssltest with Apache License 2.0 | 6 votes |
/**
 * Builds the PKIX parameters used to initialise the TrustManager.
 * Only <code>PKIX</code> (matched case-insensitively) is supported.
 *
 * <p>The CRLs returned by {@code getCRLs(crlFilename)} are added as a certificate store
 * and revocation checking is always enabled on the returned parameters.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlFilename The path to the CRL file.
 * @param maxCertificateChainLength Optional maximum cert chain length; when
 *     {@code null} the builder's default path length is left untouched.
 * @param trustStore The configured TrustStore.
 *
 * @return The parameters including the TrustStore and any CRLs.
 *
 * @throws InvalidAlgorithmParameterException
 * @throws KeyStoreException
 * @throws IOException
 * @throws CertificateException
 * @throws CRLException also thrown when {@code algorithm} is not PKIX
 * @throws NoSuchAlgorithmException
 */
protected static CertPathParameters getParameters(String algorithm,
                                                  String crlFilename,
                                                  Integer maxCertificateChainLength,
                                                  KeyStore trustStore)
    throws KeyStoreException, InvalidAlgorithmParameterException, CRLException,
           CertificateException, IOException, NoSuchAlgorithmException
{
    // Anything other than PKIX cannot carry CRLs here, so refuse it up front.
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }

    final PKIXBuilderParameters pkix =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());

    final CertStore crlStore = CertStore.getInstance(
        "Collection", new CollectionCertStoreParameters(getCRLs(crlFilename)));
    pkix.addCertStore(crlStore);
    pkix.setRevocationEnabled(true);

    if (maxCertificateChainLength != null) {
        pkix.setMaxPathLength(maxCertificateChainLength.intValue());
    }
    return pkix;
}
Example #6
Source File: CertPathBuilderSpiTest.java From j2objc with Apache License 2.0 | 5 votes |
/**
 * Test for the <code>CertPathBuilderSpi</code> constructor.
 * Assertion: a <code>CertPathBuilderSpi</code> can be constructed, and two consecutive
 * <code>engineBuild(null)</code> calls on it behave as the stub is expected to: the first
 * throws, the second returns <code>null</code>.
 */
public void testCertPathBuilderSpi01() throws CertPathBuilderException,
        InvalidAlgorithmParameterException {
    final CertPathParameters noParams = null;
    final CertPathBuilderSpi spi = new MyCertPathBuilderSpi();
    try {
        spi.engineBuild(noParams);
        fail("CertPathBuilderException must be thrown");
    } catch (CertPathBuilderException expected) {
        // Expected on the first call with null parameters; nothing to check further.
    }
    // The order of the two calls matters: this is the second call on the same instance.
    assertNull("Not null CertPathBuilderResult", spi.engineBuild(noParams));
}
Example #7
Source File: MyCertPathBuilderSpi.java From j2objc with Apache License 2.0 | 5 votes |
/**
 * Stub {@code engineBuild}: builds no certificate path and never returns a result.
 *
 * <p>The {@code swi} counter is incremented on every call; {@code null} parameters are
 * rejected only when the counter is odd after the increment.
 *
 * @param params build parameters; may be {@code null}
 * @return always {@code null}
 * @throws CertPathBuilderException if {@code params} is {@code null} on an odd call
 * @throws InvalidAlgorithmParameterException declared but not thrown by this body
 */
public CertPathBuilderResult engineBuild(CertPathParameters params)
        throws CertPathBuilderException, InvalidAlgorithmParameterException {
    swi++;
    final boolean oddCall = (swi % 2) != 0;
    if (oddCall && params == null) {
        throw new CertPathBuilderException("Null parameter");
    }
    return null;
}
Example #8
Source File: JSSESocketFactory.java From tomcatsrc with Apache License 2.0 | 5 votes |
/**
 * Builds the PKIX parameters used to initialise the TrustManager.
 * Only <code>PKIX</code> (matched case-insensitively) is supported.
 *
 * <p>The CRLs returned by {@code getCRLs(crlf)} are added as a certificate store and
 * revocation checking is always enabled. If the endpoint's configured maximum
 * certificate length cannot be applied, a warning is logged and the path length set by
 * {@code PKIXBuilderParameters} itself stays in force.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception if the algorithm is not PKIX (as a {@code CRLException}) or the
 *     parameters cannot be built
 */
protected CertPathParameters getParameters(String algorithm,
                                           String crlf,
                                           KeyStore trustStore)
    throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }

    final PKIXBuilderParameters pkix =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());
    final CertStore crlStore = CertStore.getInstance(
        "Collection", new CollectionCertStoreParameters(getCRLs(crlf)));
    pkix.addCertStore(crlStore);
    pkix.setRevocationEnabled(true);

    final String configuredDepth = endpoint.getTrustMaxCertLength();
    if (configuredDepth != null) {
        try {
            pkix.setMaxPathLength(Integer.parseInt(configuredDepth));
        } catch (Exception ex) {
            // Best effort: an unusable value is reported and otherwise ignored.
            log.warn("Bad maxCertLength: "+configuredDepth);
        }
    }
    return pkix;
}
Example #9
Source File: JSSESocketFactory.java From Tomcat7.0.67 with Apache License 2.0 | 5 votes |
/**
 * Creates the TrustManager initialisation parameters for the given algorithm.
 * <code>PKIX</code> (in any letter case) is the only algorithm accepted.
 *
 * <p>Revocation checking is switched on unconditionally, backed by a certificate store
 * holding the CRLs from {@code getCRLs(crlf)}. The endpoint's maximum certificate length
 * is applied when present; a value that cannot be applied only produces a warning.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception a {@code CRLException} for any algorithm other than PKIX, or any
 *     failure while building the parameters
 */
protected CertPathParameters getParameters(String algorithm,
                                           String crlf,
                                           KeyStore trustStore)
    throws Exception {
    final boolean isPkix = "PKIX".equalsIgnoreCase(algorithm);
    if (!isPkix) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }

    PKIXBuilderParameters builderParams =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());

    Collection<? extends CRL> revocationLists = getCRLs(crlf);
    CertStoreParameters storeParams = new CollectionCertStoreParameters(revocationLists);
    builderParams.addCertStore(CertStore.getInstance("Collection", storeParams));
    builderParams.setRevocationEnabled(true);

    String maxLength = endpoint.getTrustMaxCertLength();
    if (maxLength == null) {
        return builderParams;
    }
    try {
        builderParams.setMaxPathLength(Integer.parseInt(maxLength));
    } catch (Exception ex) {
        // Deliberately tolerant: keep whatever path length the builder already has.
        log.warn("Bad maxCertLength: "+maxLength);
    }
    return builderParams;
}
Example #10
Source File: SSLUtils.java From ssltest with Apache License 2.0 | 5 votes |
/**
 * Gets an array of TrustManagers for the specified trust store
 * and optional CRL file.
 *
 * <p>Without a CRL file the factory is initialised from the trust store alone, so this
 * method configures no CRL store in that case. With a CRL file the factory is initialised
 * from the parameters produced by {@code getParameters}.
 *
 * @param trustStoreFilename passed to {@code getStore}
 * @param trustStorePassword passed to {@code getStore}
 * @param trustStoreType passed to {@code getStore}
 * @param trustStoreProvider passed to {@code getStore}
 * @param trustStoreAlgorithm TrustManagerFactory algorithm; {@code null} selects
 *     {@link TrustManagerFactory#getDefaultAlgorithm()}
 * @param maxCertificatePathLength forwarded to {@code getParameters}; only used when a
 *     CRL file is given
 * @param crlFilename optional CRL file; {@code null} means none
 *
 * @return An array of TrustManagers
 *
 * @throws IOException
 * @throws KeyStoreException
 * @throws NoSuchProviderException
 * @throws NoSuchAlgorithmException
 * @throws CertificateException
 * @throws InvalidAlgorithmParameterException
 * @throws CRLException
 */
protected static TrustManager[] getTrustManagers(String trustStoreFilename,
                                                 String trustStorePassword,
                                                 String trustStoreType,
                                                 String trustStoreProvider,
                                                 String trustStoreAlgorithm,
                                                 Integer maxCertificatePathLength,
                                                 String crlFilename)
    throws IOException, KeyStoreException, NoSuchProviderException,
           NoSuchAlgorithmException, CertificateException,
           InvalidAlgorithmParameterException, CRLException
{
    final KeyStore trustStore = getStore(trustStoreFilename,
                                         trustStorePassword,
                                         trustStoreType,
                                         trustStoreProvider);

    final String algorithm = (trustStoreAlgorithm != null)
        ? trustStoreAlgorithm
        : TrustManagerFactory.getDefaultAlgorithm();

    final TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);

    if (crlFilename != null) {
        final CertPathParameters pathParams = getParameters(algorithm,
                                                            crlFilename,
                                                            maxCertificatePathLength,
                                                            trustStore);
        factory.init(new CertPathTrustManagerParameters(pathParams));
    } else {
        factory.init(trustStore);
    }

    return factory.getTrustManagers();
}
Example #11
Source File: StubProviderImpl.java From openjdk-jdk9 with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: records that it was invoked by setting {@code called} and
 * builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #12
Source File: AbstractTrustStore.java From qpid-broker-j with Apache License 2.0 | 4 votes |
/**
 * Builds the PKIX parameters for a trust manager factory backed by {@code trustStore}.
 *
 * <p>Revocation checking follows {@code _certificateRevocationCheckEnabled}. When it is
 * enabled, CRLs from {@code getCRLs()} are added if a CRL URL is configured, and a
 * {@link PKIXRevocationChecker} is registered with options taken from the corresponding
 * configuration flags. Note that {@code SOFT_FAIL} lets validation succeed when the
 * revocation status cannot be determined (for example because the CRL or OCSP response
 * could not be fetched), so enabling it weakens the check.
 *
 * @param trustStore key store supplying the trust anchors
 * @return the configured parameters
 * @throws IllegalConfigurationException if the parameters cannot be created
 */
private CertPathParameters getParameters(KeyStore trustStore)
{
    try
    {
        final PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(_certificateRevocationCheckEnabled);
        if (!_certificateRevocationCheckEnabled)
        {
            // Nothing else to configure when revocation checking is off.
            return pkix;
        }

        if (_certificateRevocationListUrl != null)
        {
            final CertStore crlStore =
                    CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs()));
            pkix.addCertStore(crlStore);
        }

        final CertPathBuilder pathBuilder =
                CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        final PKIXRevocationChecker checker = (PKIXRevocationChecker) pathBuilder.getRevocationChecker();

        final Set<PKIXRevocationChecker.Option> checkerOptions = new HashSet<>();
        if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
        {
            // Skip revocation checks for CA certificates in the path.
            checkerOptions.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
        }
        if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
        {
            // Try CRLs before OCSP.
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
        }
        if (_certificateRevocationCheckWithNoFallback)
        {
            // Do not fall back to the other revocation mechanism.
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
        }
        if (_certificateRevocationCheckWithIgnoringSoftFailures)
        {
            // Undetermined revocation status is treated as "not revoked".
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(checkerOptions);
        pkix.addCertPathChecker(checker);
        return pkix;
    }
    catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
    {
        throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
                getName() + "' :" + e, e);
    }
}
Example #13
Source File: StubProviderImpl.java From jdk8u-jdk with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #14
Source File: StubProviderImpl.java From hottub with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #15
Source File: StubProviderImpl.java From openjdk-8-source with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #16
Source File: StubProviderImpl.java From openjdk-8 with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #17
Source File: StubProviderImpl.java From jdk8u_jdk with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #18
Source File: StubProviderImpl.java From jdk8u-jdk with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #19
Source File: StubProviderImpl.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #20
Source File: PKIXAttrCertPathValidatorSpi.java From RipplePower with Apache License 2.0 | 4 votes |
/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> or <code>PKIXExtendedParameters</code>;
 * anything else (including <code>null</code>) is rejected with an
 * <code>InvalidAlgorithmParameterException</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * <p>
 * The checks run in a fixed order (steps 1 to 5, step 7, the additional
 * attribute checks, then the CRL check); each signals failure by throwing.
 *
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    // Two parameter types are accepted, although the message below names only one.
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
                + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    // Defaults used when params does not carry attribute-certificate settings.
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    // NOTE(review): this set is created empty and nothing in this method fills it before
    // it is handed to processAttrCert4, although the Javadoc says issuers configured via
    // setTrustedACIssuers must be honoured. Confirm whether the configured issuers should
    // be copied from the parameters alongside the other attribute-certificate settings.
    Set trustedACIssuers = new HashSet();

    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        // Legacy parameter type: convert it, carrying over the extended settings.
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);

        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;

            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }

        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        // Already the new parameter type; the attribute sets keep their empty defaults.
        paramsPKIX = (PKIXExtendedParameters)params;
    }

    // The attribute certificate under validation is taken from the target constraints.
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
                + X509AttributeCertStoreSelector.class.getName() + " for "
                + this.getClass().getName() + " class.");
    }

    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();

    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    // NOTE(review): get(0) assumes certPath holds at least one certificate; confirm that
    // processAttrCert2 rejects an empty path before this line is reached.
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    // Revocation check last, evaluated at the date derived from the validity model.
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
Example #21
Source File: PKIXAttrCertPathValidatorSpi.java From ripple-lib-java with ISC License | 4 votes |
/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> or <code>PKIXExtendedParameters</code>;
 * any other value, <code>null</code> included, causes an
 * <code>InvalidAlgorithmParameterException</code>.
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * <p>
 * Validation is a fixed sequence of checks (steps 1 to 5, step 7, the
 * additional attribute checks and finally the CRL check); a failing check throws.
 *
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    // Accepts either parameter type; the exception text mentions only the first.
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
                + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    // Empty defaults, replaced below only for ExtendedPKIXParameters input.
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    // NOTE(review): never populated in this method, yet passed to processAttrCert4 as the
    // set of trusted attribute-certificate issuers. The Javadoc tells callers to configure
    // issuers with setTrustedACIssuers; verify whether they are meant to be read here.
    Set trustedACIssuers = new HashSet();

    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        // Wrap the older parameter type in the builder and copy the extended options.
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);

        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;

            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }

        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        // Guaranteed by the instanceof check at the top of the method.
        paramsPKIX = (PKIXExtendedParameters)params;
    }

    // The selector in the target constraints supplies the attribute certificate.
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
                + X509AttributeCertStoreSelector.class.getName() + " for "
                + this.getClass().getName() + " class.");
    }

    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();

    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    // NOTE(review): an empty certPath would make get(0) throw an unchecked exception
    // unless processAttrCert2 has already rejected it; verify.
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    // CRL check runs last, against the date obtained from the validity model.
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
Example #22
Source File: StubProviderImpl.java From dragonwell8_jdk with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #23
Source File: StubProviderImpl.java From openjdk-jdk8u with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #24
Source File: StubProviderImpl.java From jdk8u60 with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #25
Source File: StubProviderImpl.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #26
Source File: StubProviderImpl.java From TencentKona-8 with GNU General Public License v2.0 | 4 votes |
/**
 * Stub {@code engineBuild}: sets {@code called} to mark the invocation and builds nothing.
 *
 * @param params ignored
 * @return always {@code null}
 */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    called = true;
    return null;
}
Example #27
Source File: CertPathTrustManagerParameters.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 2 votes |
/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. A clone of the argument is stored, so that changes the caller
 * makes to its own object afterwards do not alter the stored copy; how deep
 * that copy is depends on the argument's {@code clone()} implementation.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    final Object snapshot = parameters.clone();
    this.parameters = (CertPathParameters) snapshot;
}
Example #28
Source File: CertPathTrustManagerParameters.java From openjdk-jdk8u with GNU General Public License v2.0 | 2 votes |
/**
 * Return a clone of the CertPathParameters encapsulated by this class.
 * Handing out a clone rather than the stored object keeps callers from
 * modifying the stored instance through the returned reference.
 *
 * @return a clone of the CertPathParameters encapsulated by this class.
 */
public CertPathParameters getParameters() {
    final Object copy = parameters.clone();
    return (CertPathParameters) copy;
}
Example #29
Source File: CertPathTrustManagerParameters.java From openjdk-jdk8u with GNU General Public License v2.0 | 2 votes |
/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. The argument is cloned and the clone is kept, protecting the
 * stored value against subsequent modification of the caller's object; the
 * depth of the copy is whatever the argument's {@code clone()} provides.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    final Object cloned = parameters.clone();
    this.parameters = (CertPathParameters) cloned;
}
Example #30
Source File: CertPathTrustManagerParameters.java From jdk8u60 with GNU General Public License v2.0 | 2 votes |
/**
 * Return a clone of the CertPathParameters encapsulated by this class.
 * The stored object itself is never handed out, so a caller cannot change
 * it through the returned reference.
 *
 * @return a clone of the CertPathParameters encapsulated by this class.
 */
public CertPathParameters getParameters() {
    final Object duplicate = parameters.clone();
    return (CertPathParameters) duplicate;
}