Java Code Examples for java.security.cert.PKIXBuilderParameters#setMaxPathLength()

The following examples show how to use java.security.cert.PKIXBuilderParameters#setMaxPathLength() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: SSLUtilBase.java    From Tomcat8-Source-Read with MIT License 6 votes vote down vote up
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @param revocationEnabled Should the JSSE provider perform revocation
 *                          checks? Ignored if {@code crlf} is non-null.
 *                          Configuration of revocation checks are expected
 *                          to be via proprietary JSSE provider methods.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception An error occurred
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
        boolean revocationEnabled) throws Exception {

    PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    if (crlf != null && crlf.length() > 0) {
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
    } else {
        xparams.setRevocationEnabled(revocationEnabled);
    }
    xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return xparams;
}
 
Example 2
Source File: SSLUtils.java    From ssltest with Apache License 2.0 6 votes vote down vote up
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlFilename The path to the CRL file.
 * @param maxCertificateChainLength Optional maximum cert chain length.
 * @param trustStore The configured TrustStore.
 *
 * @return The parameters including the TrustStore and any CRLs.
 *
 * @throws InvalidAlgorithmParameterException
 * @throws KeyStoreException
 * @throws IOException
 * @throws CertificateException
 * @throws CRLException
 * @throws NoSuchAlgorithmException
 */
protected static CertPathParameters getParameters(String algorithm,
                                                  String crlFilename,
                                                  Integer maxCertificateChainLength,
                                                  KeyStore trustStore)
    throws KeyStoreException, InvalidAlgorithmParameterException, CRLException, CertificateException, IOException, NoSuchAlgorithmException
{
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlFilename);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);

        if(maxCertificateChainLength != null)
            xparams.setMaxPathLength(maxCertificateChainLength.intValue());

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    return params;
}
 
Example 3
Source File: KeyManagementUtils.java    From cxf with Apache License 2.0 6 votes vote down vote up
private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection",
                                                    new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        pbParams.setRevocationEnabled(enableRevocation);
        CertPath certPath = buildResult.getCertPath();
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}
 
Example 4
Source File: JSSESocketFactory.java    From Tomcat7.0.67 with Apache License 2.0 5 votes vote down vote up
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 */
protected CertPathParameters getParameters(String algorithm,
                                            String crlf,
                                            KeyStore trustStore)
    throws Exception {
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
        String trustLength = endpoint.getTrustMaxCertLength();
        if(trustLength != null) {
            try {
                xparams.setMaxPathLength(Integer.parseInt(trustLength));
            } catch(Exception ex) {
                log.warn("Bad maxCertLength: "+trustLength);
            }
        }

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    return params;
}
 
Example 5
Source File: JSSESocketFactory.java    From tomcatsrc with Apache License 2.0 5 votes vote down vote up
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 */
protected CertPathParameters getParameters(String algorithm,
                                            String crlf,
                                            KeyStore trustStore)
    throws Exception {
    CertPathParameters params = null;
    if("PKIX".equalsIgnoreCase(algorithm)) {
        PKIXBuilderParameters xparams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStoreParameters csp = new CollectionCertStoreParameters(crls);
        CertStore store = CertStore.getInstance("Collection", csp);
        xparams.addCertStore(store);
        xparams.setRevocationEnabled(true);
        String trustLength = endpoint.getTrustMaxCertLength();
        if(trustLength != null) {
            try {
                xparams.setMaxPathLength(Integer.parseInt(trustLength));
            } catch(Exception ex) {
                log.warn("Bad maxCertLength: "+trustLength);
            }
        }

        params = xparams;
    } else {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    return params;
}
 
Example 6
Source File: CertPathPKIXTrustEvaluator.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
/**
 * Creates the set of PKIX builder parameters to use when building the cert path builder.
 * 
 * @param validationInfo PKIX validation information
 * @param untrustedCredential credential to be validated
 * 
 * @return PKIX builder params
 * 
 * @throws GeneralSecurityException thrown if the parameters can not be created
 */
protected PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation validationInfo,
        X509Credential untrustedCredential) throws GeneralSecurityException {
    Set<TrustAnchor> trustAnchors = getTrustAnchors(validationInfo);
    if (trustAnchors == null || trustAnchors.isEmpty()) {
        throw new GeneralSecurityException(
                "Unable to validate X509 certificate, no trust anchors found in the PKIX validation information");
    }

    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(untrustedCredential.getEntityCertificate());

    log.trace("Adding trust anchors to PKIX validator parameters");
    PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

    Integer effectiveVerifyDepth = getEffectiveVerificationDepth(validationInfo);
    log.trace("Setting max verification depth to: {} ", effectiveVerifyDepth);
    params.setMaxPathLength(effectiveVerifyDepth);

    CertStore certStore = buildCertStore(validationInfo, untrustedCredential);
    params.addCertStore(certStore);

    boolean isForceRevocationEnabled = false;
    boolean forcedRevocation = false;
    boolean policyMappingInhibited = false;
    boolean anyPolicyInhibited = false;
    Set<String> initialPolicies = null;
    if (options instanceof CertPathPKIXValidationOptions) {
       CertPathPKIXValidationOptions certpathOptions = (CertPathPKIXValidationOptions) options;
       isForceRevocationEnabled = certpathOptions.isForceRevocationEnabled();
       forcedRevocation = certpathOptions.isRevocationEnabled();
       policyMappingInhibited = certpathOptions.isPolicyMappingInhibited();
       anyPolicyInhibited = certpathOptions.isAnyPolicyInhibited();
       initialPolicies = certpathOptions.getInitialPolicies();
    }
    
    if (isForceRevocationEnabled) {
        log.trace("PKIXBuilderParameters#setRevocationEnabled is being forced to: {}", forcedRevocation);
        params.setRevocationEnabled(forcedRevocation);
    } else {
        if (storeContainsCRLs(certStore)) {
            log.trace("At least one CRL was present in cert store, enabling revocation checking");
            params.setRevocationEnabled(true);
        } else {
            log.trace("No CRLs present in cert store, disabling revocation checking");
            params.setRevocationEnabled(false);
        }
    }

    params.setPolicyMappingInhibited(policyMappingInhibited);
    params.setAnyPolicyInhibited(anyPolicyInhibited);

    if (initialPolicies != null && !initialPolicies.isEmpty()) {
        log.debug("PKIXBuilderParameters#setInitialPolicies is being set to: {}", initialPolicies.toString());
        params.setInitialPolicies(initialPolicies);
        params.setExplicitPolicyRequired(true);
    }

    log.trace("PKIXBuilderParameters successfully created: {}", params.toString());

    return params;
}
 
Example 7
Source File: CertificateValidator.java    From IoTgo_Android_App with MIT License 4 votes vote down vote up
public void validate(Certificate[] certChain) throws CertificateException
{
    try
    {
        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Certificate item : certChain)
        {
            if (item == null)
                continue;
            
            if (!(item instanceof X509Certificate))
            {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            
            certList.add((X509Certificate)item);
        }

        if (certList.isEmpty())
        {
            throw new IllegalStateException("Invalid certificate chain");
            
        }

        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));
        
        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));

        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);

        // Enable revocation checking
        pbParams.setRevocationEnabled(true);

        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty())
        {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }

        // Enable On-Line Certificate Status Protocol (OCSP) support
        if (_enableOCSP)
        {
            Security.setProperty("ocsp.enable","true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support
        if (_enableCRLDP)
        {
            System.setProperty("com.sun.security.enableCRLDP","true");
        }

        // Build certification path
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);               
        
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
    }
    catch (GeneralSecurityException gse)
    {
        LOG.debug(gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}
 
Example 8
Source File: CertificateValidator.java    From IoTgo_Android_App with MIT License 4 votes vote down vote up
public void validate(Certificate[] certChain) throws CertificateException
{
    try
    {
        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Certificate item : certChain)
        {
            if (item == null)
                continue;
            
            if (!(item instanceof X509Certificate))
            {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            
            certList.add((X509Certificate)item);
        }

        if (certList.isEmpty())
        {
            throw new IllegalStateException("Invalid certificate chain");
            
        }

        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));
        
        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));

        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);

        // Enable revocation checking
        pbParams.setRevocationEnabled(true);

        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty())
        {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }

        // Enable On-Line Certificate Status Protocol (OCSP) support
        if (_enableOCSP)
        {
            Security.setProperty("ocsp.enable","true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support
        if (_enableCRLDP)
        {
            System.setProperty("com.sun.security.enableCRLDP","true");
        }

        // Build certification path
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);               
        
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
    }
    catch (GeneralSecurityException gse)
    {
        LOG.debug(gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}
 
Example 9
Source File: CertificateValidator.java    From WebSocket-for-Android with Apache License 2.0 4 votes vote down vote up
public void validate(Certificate[] certChain) throws CertificateException
{
    try
    {
        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Certificate item : certChain)
        {
            if (item == null)
                continue;

            if (!(item instanceof X509Certificate))
            {
                throw new IllegalStateException("Invalid certificate type in chain");
            }

            certList.add((X509Certificate)item);
        }

        if (certList.isEmpty())
        {
            throw new IllegalStateException("Invalid certificate chain");

        }

        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));

        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));

        // Set maximum certification path length
        pbParams.setMaxPathLength(_maxCertPathLength);

        // Enable revocation checking
        pbParams.setRevocationEnabled(true);

        // Set static Certificate Revocation List
        if (_crls != null && !_crls.isEmpty())
        {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
        }

        // Enable On-Line Certificate Status Protocol (OCSP) support
        if (_enableOCSP)
        {
            Security.setProperty("ocsp.enable","true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support
        if (_enableCRLDP)
        {
            System.setProperty("com.sun.security.enableCRLDP","true");
        }

        // Build certification path
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);

        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
    }
    catch (GeneralSecurityException gse)
    {
        LOG.debug(gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}
 
Example 10
Source File: CertificateValidator.java    From cloudhopper-commons with Apache License 2.0 4 votes vote down vote up
public void validate(Certificate[] certChain) throws CertificateException {
    try {
        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
        for (Certificate item : certChain) {
            if (item == null) continue;
            if (!(item instanceof X509Certificate)) {
                throw new IllegalStateException("Invalid certificate type in chain");
            }
            certList.add((X509Certificate)item);
        }

        if (certList.isEmpty()) {
            throw new IllegalStateException("Invalid certificate chain");
        }

        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(certList.get(0));
        
        // Configure certification path builder parameters
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));

        // Set maximum certification path length
        pbParams.setMaxPathLength(maxCertPathLength);

        // Enable revocation checking
        pbParams.setRevocationEnabled(true);

        // Set static Certificate Revocation List
        if (crls != null && !crls.isEmpty()) {
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        }

        // Enable On-Line Certificate Status Protocol (OCSP) support
        if (enableOCSP) {
            Security.setProperty("ocsp.enable","true");
        }
        // Enable Certificate Revocation List Distribution Points (CRLDP) support
        if (enableCRLDP) {
            System.setProperty("com.sun.security.enableCRLDP","true");
        }

        // Build certification path
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);               
        
        // Validate certification path
        CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
    } catch (GeneralSecurityException gse) {
        logger.debug("", gse);
        throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
    }
}