Java Code Examples for java.security.cert.X509CertSelector#setCertificate()
The following examples show how to use
java.security.cert.X509CertSelector#setCertificate() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: KeyManagementUtils.java From cxf with Apache License 2.0 | 6 votes |
private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) { // Initial chain validation, to be enhanced as needed try { X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(inCerts.get(0)); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts))); pbParams.setMaxPathLength(-1); pbParams.setRevocationEnabled(false); CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); pbParams.setRevocationEnabled(enableRevocation); CertPath certPath = buildResult.getCertPath(); CertPathValidator.getInstance("PKIX").validate(certPath, pbParams); } catch (Exception ex) { LOG.warning("Certificate path validation error"); throw new JoseException(ex); } }
Example 2
Source File: TrustAnchorValidatingTrustManager.java From qpid-broker-j with Apache License 2.0 | 5 votes |
private PKIXCertPathBuilderResult getPkixCertPathBuilderResult(final X509Certificate[] x509Certificates, final Set<TrustAnchor> trustAnchors, final Set<Certificate> otherCerts) throws GeneralSecurityException { Set<Certificate> storeCerts = new HashSet<>(); storeCerts.addAll(otherCerts); Iterator<X509Certificate> iterator = Arrays.asList(x509Certificates).iterator(); if (!iterator.hasNext()) { throw new IllegalArgumentException("Peer certificate not found"); } final X509Certificate peerCertificate = iterator.next(); while (iterator.hasNext()) { X509Certificate intermediate = iterator.next(); storeCerts.add(intermediate); } X509CertSelector selector = new X509CertSelector(); selector.setCertificate(peerCertificate); // IBM JDK seems to require that the peer's certficate exists in the Collection too storeCerts.add(peerCertificate); PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector); pkixParams.setRevocationEnabled(false); CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts)); pkixParams.addCertStore(intermediateCertStore); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); return (PKIXCertPathBuilderResult) builder.build(pkixParams); }
Example 3
Source File: NoExtensions.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 4
Source File: NoExtensions.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 5
Source File: PathCertificateVerifier.java From oxAuth with MIT License | 5 votes |
/** * Attempts to build a certification chain for given certificate to verify * it. Relies on a set of root CA certificates (trust anchors) and a set of * intermediate certificates (to be used as part of the chain). */ private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts) throws GeneralSecurityException { // Create the selector that specifies the starting certificate X509CertSelector selector = new X509CertSelector(); selector.setBasicConstraints(-2); selector.setCertificate(certificate); // Create the trust anchors (set of root CA certificates) Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); for (X509Certificate trustedRootCert : trustedRootCerts) { trustAnchors.add(new TrustAnchor(trustedRootCert, null)); } // Configure the PKIX certificate builder algorithm parameters PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector); // Turn off default revocation-checking mechanism pkixParams.setRevocationEnabled(false); // Specify a list of intermediate certificates CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)); pkixParams.addCertStore(intermediateCertStore); // Build and verify the certification chain CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams); // Additional check to Verify cert path CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME); PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams); return certPathBuilderResult; }
Example 6
Source File: X509CertSelectorTest.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
private void testCertificate() { System.out.println("X.509 Certificate Match on certificateEquals criterion"); X509CertSelector selector = new X509CertSelector(); // good match selector.setCertificate(cert); checkMatch(selector, cert, true); }
Example 7
Source File: SparkExceptionsTrustManager.java From Spark with Apache License 2.0 | 5 votes |
/** * Validate certificate path. As it is exception, no checks against revocation or time validity are done but path * still have to be validated in order to find connection between certificate presented by server and root CA in * KeyStore * * @throws NoSuchAlgorithmException * @throws KeyStoreException * @throws InvalidAlgorithmParameterException * @throws CertPathValidatorException * @throws CertPathBuilderException * @throws CertificateException */ private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException { CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(chain[chain.length - 1]); // checks against time validity aren't done here as it exceptions list certSelector.setCertificateValid(null); PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); // no checks against revocation as it is exception parameters.setRevocationEnabled(false); CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath(); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator .validate(certPath, parameters); X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { throw new CertificateException("Certificate path failed"); } else { Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN()); } }
Example 8
Source File: NoExtensions.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 9
Source File: ValidationDataFromCertValidationProvider.java From xades4j with GNU Lesser General Public License v3.0 | 5 votes |
@Override public ValidationData getValidationData( List<X509Certificate> certChainFragment) throws ValidationDataException { try { X509CertSelector cs = new X509CertSelector(); cs.setCertificate(certChainFragment.get(0)); return this.certificateValidationProvider.validate(cs, new Date(), certChainFragment); } catch (XAdES4jException ex) { throw new ValidationDataException("Cannot validate certificate to obtain validation data", ex); } }
Example 10
Source File: NoExtensions.java From jdk8u_jdk with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 11
Source File: KeystoreTestUtils.java From Openfire with Apache License 2.0 | 5 votes |
/** * This method will validate a chain of certificates. It is provided as an alternative to the certificate chain * validation mechanisms that are under test. This method is intended to be used as a comparative benchmark against * other validation methods. * * The first certificate in the chain is expected to be the end-entity certificate. * * The last certificate in the chain is expected to be the root CA certificate. * * @param chain A certificate chain (cannot be null or empty). * @return CertPathBuilderResult result of validation. * @throws Exception When the chain is not valid. */ public CertPathBuilderResult testChain( X509Certificate[] chain ) throws Exception { // Create the selector that specifies the starting certificate X509CertSelector selector = new X509CertSelector(); selector.setCertificate( chain[0] ); // Create the trust anchors (set of root CA certificates) Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); trustAnchors.add(new TrustAnchor(chain[ chain.length - 1], null)); // Configure the PKIX certificate builder algorithm parameters PKIXBuilderParameters pkixParams = new PKIXBuilderParameters( trustAnchors, selector); // Disable CRL checks (this is done manually as additional step) pkixParams.setRevocationEnabled(false); // Specify a list of intermediate certificates Set<java.security.cert.Certificate> intermediateCerts = new HashSet<>(); for (int i=1; i<chain.length -1; i++) { intermediateCerts.add( chain[ i ] ); } CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)); pkixParams.addCertStore(intermediateCertStore); // Build and verify the certification chain CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder .build(pkixParams); return result; }
Example 12
Source File: NoExtensions.java From hottub with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 13
Source File: NoExtensions.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
Example 14
Source File: SecurityInInterceptor.java From wildfly-camel with Apache License 2.0 | 5 votes |
/** * Based on https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java * * @param cert * @throws CertificateException * @throws NoSuchAlgorithmException * @throws NoSuchProviderException * @throws InvalidAlgorithmParameterException * @throws CertPathBuilderException */ public void verifyCertificate(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertPathBuilderException { // Prepare a set of trusted root CA certificates // and a set of intermediate certificates // Create the selector that specifies the starting certificate X509CertSelector selector = new X509CertSelector(); selector.setCertificate(cert); // Create the trust anchors (set of root CA certificates) Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); for (X509Certificate trustedRootCert : trustedRootCerts) { trustAnchors.add(new TrustAnchor(trustedRootCert, null)); } // Configure the PKIX certificate builder algorithm parameters PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector); // Disable CRL checks (this is done manually as additional step) pkixParams.setRevocationEnabled(false); // Specify a list of intermediate certificates CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)); pkixParams.addCertStore(intermediateCertStore); // Build and verify the certification chain CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); builder.build(pkixParams); // Attempt to build the certification chain and verify it // Check whether the certificate is revoked by the CRL // given in its CRL distribution point extension // CRLVerifier.verifyCertificateCRLs(cert); // The chain is verified. }
Example 15
Source File: CertificateValidator.java From IoTgo_Android_App with MIT License | 4 votes |
public void validate(Certificate[] certChain) throws CertificateException { try { ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>(); for (Certificate item : certChain) { if (item == null) continue; if (!(item instanceof X509Certificate)) { throw new IllegalStateException("Invalid certificate type in chain"); } certList.add((X509Certificate)item); } if (certList.isEmpty()) { throw new IllegalStateException("Invalid certificate chain"); } X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(certList.get(0)); // Configure certification path builder parameters PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList))); // Set maximum certification path length pbParams.setMaxPathLength(_maxCertPathLength); // Enable revocation checking pbParams.setRevocationEnabled(true); // Set static Certificate Revocation List if (_crls != null && !_crls.isEmpty()) { pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls))); } // Enable On-Line Certificate Status Protocol (OCSP) support if (_enableOCSP) { Security.setProperty("ocsp.enable","true"); } // Enable Certificate Revocation List Distribution Points (CRLDP) support if (_enableCRLDP) { System.setProperty("com.sun.security.enableCRLDP","true"); } // Build certification path CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); // Validate certification path CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams); } catch (GeneralSecurityException gse) { LOG.debug(gse); throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse); } }
Example 16
Source File: CertificateValidator.java From IoTgo_Android_App with MIT License | 4 votes |
public void validate(Certificate[] certChain) throws CertificateException { try { ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>(); for (Certificate item : certChain) { if (item == null) continue; if (!(item instanceof X509Certificate)) { throw new IllegalStateException("Invalid certificate type in chain"); } certList.add((X509Certificate)item); } if (certList.isEmpty()) { throw new IllegalStateException("Invalid certificate chain"); } X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(certList.get(0)); // Configure certification path builder parameters PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList))); // Set maximum certification path length pbParams.setMaxPathLength(_maxCertPathLength); // Enable revocation checking pbParams.setRevocationEnabled(true); // Set static Certificate Revocation List if (_crls != null && !_crls.isEmpty()) { pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls))); } // Enable On-Line Certificate Status Protocol (OCSP) support if (_enableOCSP) { Security.setProperty("ocsp.enable","true"); } // Enable Certificate Revocation List Distribution Points (CRLDP) support if (_enableCRLDP) { System.setProperty("com.sun.security.enableCRLDP","true"); } // Build certification path CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); // Validate certification path CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams); } catch (GeneralSecurityException gse) { LOG.debug(gse); throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse); } }
Example 17
Source File: SparkTrustManager.java From Spark with Apache License 2.0 | 4 votes |
/** * Validate certificate path * * @throws NoSuchAlgorithmException * @throws KeyStoreException * @throws InvalidAlgorithmParameterException * @throws CertPathValidatorException * @throws CertPathBuilderException * @throws CertificateException */ private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException { // PKIX algorithm is defined in rfc3280 CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); // set last certificate (often root CA) from chain for CertSelector so trust store must contain it certSelector.setCertificate(chain[chain.length - 1]); // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[] // chain) certSelector.setCertificateValid(null); // create parameters using trustStore as source of Trust Anchors and using X509CertSelector PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); // will use PKIXRevocationChecker (or nothing if revocation mechanisms are // disabled) instead of the default revocation checker parameters.setRevocationEnabled(false); // if revoked certificates aren't accepted, but no revocation checks then only // certificates from blacklist will be rejected if (acceptRevoked == false) { // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8: // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker(); EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class); // if soft fail isn't enabled then OCSP or CRL must pass validation, in case // when any of them cannot be validated verification will fail, if soft fail // is enabled then in case of network issues revocation checking is omitted if (allowSoftFail) { checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL); } // check OCSP, CRL serve as backup if (checkOCSP && checkCRL) { checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker); } else if (!checkOCSP && checkCRL) { // check only CRL, if CRL fail then there is no fallback to OCSP checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS); checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK); checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker); } } try { CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath(); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator .validate(certPath, parameters); X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { throw new CertificateException("certificate path failed: Trusted CA is NULL"); } // check if all certificates in path have Basic Constraints, only certificate that isn't required to have // this extension is last certificate: root CA for (int i = 0; i < chain.length - 1; i++) { checkBasicConstraints(chain[i]); } } catch (CertificateRevokedException e) { Log.warning("Certificate was revoked", e); for (X509Certificate cert : chain) { for (X509CRL crl : crlCollection) { if (crl.isRevoked(cert)) { try { addToBlackList(cert); } catch (IOException | HeadlessException | InvalidNameException e1) { Log.error("Couldn't move to the blacklist", e1); } break; } } } throw new CertificateException("Certificate was revoked"); } }
Example 18
Source File: TrustServiceStatusListSignatureVerifier.java From freehealth-connector with GNU Affero General Public License v3.0 | 4 votes |
private static X509CertSelector baseOnCert(X509Certificate cert) { LOG.debug("Matching based on cert [" + cert.getSubjectX500Principal().getName("RFC1779") + "]"); X509CertSelector selector = new X509CertSelector(); selector.setCertificate(cert); return selector; }
Example 19
Source File: TrustServiceStatusListSignatureVerifier.java From freehealth-connector with GNU Affero General Public License v3.0 | 4 votes |
private static X509CertSelector baseOnCert(X509Certificate cert) { LOG.debug("Matching based on cert [" + cert.getSubjectX500Principal().getName("RFC1779") + "]"); X509CertSelector selector = new X509CertSelector(); selector.setCertificate(cert); return selector; }
Example 20
Source File: KeyInfoProcessor.java From xades4j with GNU Lesser General Public License v3.0 | 4 votes |
static KeyInfoRes process( KeyInfo keyInfo, CertRef signingCertRef, X500NameStyleProvider x500NameStyleProvider) throws CertificateValidationException { if (null == keyInfo || !keyInfo.containsX509Data()) { return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider); } List<X509Certificate> keyInfoCerts = new ArrayList<X509Certificate>(1); XMLX509IssuerSerial issuerSerial = null; X509CertSelector certSelector = new X509CertSelector(); // XML-DSIG 4.4.4: "Any X509IssuerSerial, X509SKI, and X509SubjectName elements // that appear MUST refer to the certificate or certificates containing the // validation key." // "All certificates appearing in an X509Data element MUST relate to the // validation key by either containing it or being part of a certification // chain that terminates in a certificate containing the validation key". // Scan ds:X509Data to find ds:IssuerSerial or ds:SubjectName elements. The // first to be found is used to select the leaf certificate. If none of those // elements is present, the first ds:X509Certificate is assumed as the signing // certificate. boolean hasSelectionCriteria = false; try { for (int i = 0; i < keyInfo.lengthX509Data(); ++i) { X509Data x509Data = keyInfo.itemX509Data(i); if (!hasSelectionCriteria) { if (x509Data.containsIssuerSerial()) { issuerSerial = x509Data.itemIssuerSerial(0); certSelector.setIssuer(x500NameStyleProvider.fromString(issuerSerial.getIssuerName())); certSelector.setSerialNumber(issuerSerial.getSerialNumber()); hasSelectionCriteria = true; } else if (x509Data.containsSubjectName()) { certSelector.setSubject(x500NameStyleProvider.fromString(x509Data.itemSubjectName(0).getSubjectName())); hasSelectionCriteria = true; } } // Collect all certificates as they may be needed to build the cert path. if (x509Data.containsCertificate()) { for (int j = 0; j < x509Data.lengthCertificate(); ++j) { keyInfoCerts.add(x509Data.itemCertificate(j).getX509Certificate()); } } } if (!hasSelectionCriteria) { if (keyInfoCerts.isEmpty()) { return tryUseSigningCertificateReference(signingCertRef, x500NameStyleProvider); } certSelector.setCertificate(keyInfoCerts.get(0)); } } catch (XMLSecurityException ex) { throw new InvalidKeyInfoDataException("Cannot process X509Data", ex); } return new KeyInfoRes(certSelector, keyInfoCerts, issuerSerial); }