/**
 * Builds an SSLContext from the given SSLContextService: an optional truststore (loaded with a
 * self-signed-tolerant trust strategy), an optional keystore, and the configured protocol.
 * NOTE(review): this excerpt is truncated — the closing braces and the builder.build() call are
 * not visible, so the method as shown does not compile.
 */
private SSLContext createSSLContext(final SSLContextService service)
throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException, UnrecoverableKeyException {
SSLContextBuilder builder = SSLContexts.custom();
final String trustFilename = service.getTrustStoreFile();
if (trustFilename != null) {
final KeyStore truststore = KeyStoreUtils.getTrustStore(service.getTrustStoreType());
try (final InputStream in = new FileInputStream(new File(service.getTrustStoreFile()))) {
// getTrustStorePassword() is dereferenced unconditionally: a null password surfaces as an NPE here.
truststore.load(in, service.getTrustStorePassword().toCharArray());
// NOTE(review): TrustSelfSignedStrategy (Apache HttpClient) accepts any chain of length one in
// addition to the truststore contents, so a peer presenting a lone self-signed certificate is
// trusted even if it is absent from the truststore — confirm that is intended for this service.
builder = builder.loadTrustMaterial(truststore, new TrustSelfSignedStrategy());
final String keyFilename = service.getKeyStoreFile();
if (keyFilename != null) {
final KeyStore keystore = KeyStoreUtils.getKeyStore(service.getKeyStoreType());
try (final InputStream in = new FileInputStream(new File(service.getKeyStoreFile()))) {
keystore.load(in, service.getKeyStorePassword().toCharArray());
// The keystore password is reused as the key (entry) password.
builder = builder.loadKeyMaterial(keystore, service.getKeyStorePassword().toCharArray());
builder = builder.useProtocol(service.getSslAlgorithm());
final SSLContext sslContext =;
return sslContext;
/**
 * Reads the first PEM object from {@code in} and returns its public key. Accepts a key pair
 * (only the public half is returned), a bare SubjectPublicKeyInfo, or an X.509 certificate;
 * anything else — including an empty stream, where readObject() yields null — is rejected with
 * IllegalArgumentException. The parser closes the stream.
 * NOTE(review): this excerpt is truncated — the closing braces are missing.
 */
public static PublicKey pem2PublicKey(InputStream in) throws IOException {
try (PEMParser pem = new PEMParser(new InputStreamReader(in, StandardCharsets.US_ASCII))) {
// Only the first object is read; any further PEM blocks in the stream are ignored.
Object ohh = pem.readObject();
if (ohh instanceof PEMKeyPair) {
// A private-key PEM is accepted here: the private material is parsed and then discarded.
PEMKeyPair kp = (PEMKeyPair) ohh;
return new JcaPEMKeyConverter().getKeyPair(kp).getPublic();
} else if (ohh instanceof SubjectPublicKeyInfo) {
return new JcaPEMKeyConverter().getPublicKey((SubjectPublicKeyInfo) ohh);
} else if (ohh instanceof X509CertificateHolder) {
X509CertificateHolder certHolder = (X509CertificateHolder) ohh;
try {
return new JcaX509CertificateConverter().getCertificate(certHolder).getPublicKey();
} catch (CertificateException ce) {
// NOTE(review): only the message is kept; passing ce as the cause would preserve the stack trace.
throw new IllegalArgumentException("Can not read PEM: " + ce.getMessage());
} else throw new IllegalArgumentException("Can not read PEM");
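/**
 * Add a name to lookup table.
 *
 * Both registries ({@code oidMap}, keyed by OID, and {@code nameMap}, keyed by name — declared
 * elsewhere in the class) are checked for a conflict before either is modified, so a rejected
 * registration never leaves a half-registered entry behind.
 *
 * @param name the name of the attr
 * @param oid the string representation of the object identifier for
 *        the class.
 * @param clazz the Class object associated with this attribute
 * @exception CertificateException if {@code oid} does not parse, or the OID or name is
 *            already registered.
 */
public static void addAttribute(String name, String oid, Class<?> clazz)
        throws CertificateException {
    ObjectIdentifier objId;
    try {
        objId = new ObjectIdentifier(oid);
    } catch (IOException ioe) {
        // Keep the parse failure as the cause so the bad OID text stays diagnosable.
        throw new CertificateException("Invalid Object identifier: " + oid, ioe);
    }
    OIDInfo info = new OIDInfo(name, objId, clazz);
    // Reject duplicates before touching either map.
    if (oidMap.containsKey(objId)) {
        throw new CertificateException("Object identifier already exists: " + oid);
    }
    if (nameMap.containsKey(name)) {
        throw new CertificateException("Name already exists: " + name);
    }
    oidMap.put(objId, info);
    nameMap.put(name, info);
}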
/**
 * Runs {@code func} against each configured trust manager in order and returns as soon as one
 * accepts; otherwise rethrows the most relevant rejection.
 * <p>
 * The rejection kept is the first one seen, unless a later one wraps a
 * {@link CertPathValidatorException}, which is preferred as the more specific cause.
 * NOTE(review): when {@code list} is empty nothing is checked and the method returns normally
 * (fail-open) — verify callers never build this object with no trust managers.
 *
 * @param func the check to apply to each {@link X509TrustManager}
 * @throws CertificateException if every trust manager rejected the input
 */
private void checkTrusted(Func func) throws CertificateException {
    CertificateException rejection = null;
    for (X509TrustManager candidate : list) {
        try {
            func.apply(candidate);
        } catch (CertificateException e) {
            boolean morePrecise = Throwables.has(e, CertPathValidatorException.class);
            if (rejection == null || morePrecise) {
                rejection = e;
            }
            continue;
        }
        // accepted by this manager
        return;
    }
    if (rejection == null) {
        return;
    }
    throw rejection;
}
* process the signature block file. Goes through the .SF file
* and adds code signers for each section where the .SF section
* hash was verified against the Manifest section.
public void process(Hashtable<String, CodeSigner[]> signers,
List<Object> manifestDigests)
throws IOException, SignatureException, NoSuchAlgorithmException,
JarException, CertificateException
// calls Signature.getInstance() and MessageDigest.getInstance()
// need to use local providers here, see Providers class
Object obj = null;
try {
obj = Providers.startJarVerification();
processImpl(signers, manifestDigests);
} finally {
public void testTrustChain() throws Exception {
final Host host = new Host(new S3Protocol(), new S3Protocol().getDefaultHostname(), new Credentials(
System.getProperties().getProperty("s3.key"), System.getProperties().getProperty("s3.secret")
final AtomicBoolean verified = new AtomicBoolean();
final S3Session session = new S3Session(host, new DefaultX509TrustManager() {
public void verify(final String hostname, final X509Certificate[] certs, final String cipher) throws CertificateException {
super.verify(hostname, certs, cipher);
new KeychainX509KeyManager(new DisabledCertificateIdentityCallback(), host, new DisabledCertificateStore()));
final LoginConnectionService c = new LoginConnectionService(
new DisabledLoginCallback(),
new DisabledHostKeyCallback(),
new DisabledPasswordStore(),
new DisabledProgressListener()
c.connect(session, PathCache.empty(), new DisabledCancelCallback());
/**
 * Reads a length-prefixed list of Base64-encoded DER certificates from {@code reader}, one per
 * line. A length of -1 means "no certificates" and yields null; callers must handle that.
 * NOTE(review): this excerpt is truncated — the closing braces are missing.
 */
private Certificate[] readCertArray(StrictLineReader reader) throws IOException {
int length = reader.readInt();
if (length == -1) {
return null;
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
// NOTE(review): length is taken from the stream without an upper bound. A corrupt value below -1
// throws NegativeArraySizeException (not caught below), and a very large one allocates accordingly.
Certificate[] result = new Certificate[length];
for (int i = 0; i < result.length; i++) {
// One certificate per line, Base64 over the line's ASCII bytes.
String line = reader.readLine();
byte[] bytes = Base64.decode(line.getBytes("US-ASCII"));
result[i] = certificateFactory.generateCertificate(new ByteArrayInputStream(bytes));
return result;
} catch (CertificateException e) {
// NOTE(review): the cause is dropped; new IOException(e.getMessage(), e) would keep it.
throw new IOException(e.getMessage());
/**
 * Loads the Knox public key: reads the X.509 certificate at the configured path and returns its
 * RSA public key. Any read or parse failure is rethrown as an unchecked RuntimeException.
 * NOTE(review): this excerpt is truncated — the closing braces are missing.
 */
public RSAPublicKey getKnoxPublicKey() {
// get the path to the public key
final Path knoxPublicKeyPath = properties.getKnoxPublicKeyPath();
// ensure the file exists (isRegularFile already implies exists; the second test is redundant)
if (Files.isRegularFile(knoxPublicKeyPath) && Files.exists(knoxPublicKeyPath)) {
try (final InputStream publicKeyStream = Files.newInputStream(knoxPublicKeyPath)) {
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
// The file is expected to hold a certificate, not a bare public key.
final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(publicKeyStream);
// Unchecked cast: a certificate carrying a non-RSA key fails here with ClassCastException.
return (RSAPublicKey) certificate.getPublicKey();
} catch (final IOException | CertificateException e) {
throw new RuntimeException(e.getMessage(), e);
} else {
throw new RuntimeException(String.format("The specified Knox public key path does not exist '%s'", knoxPublicKeyPath.toString()));
public void verify() throws IOException, NoSuchAlgorithmException, CertificateException, InvalidKeyException, SignatureException {
Path path = Paths.get("target", "UserV1.esl");
// Path path = Paths.get("target", "");
SESeal seal = SESeal.getInstance(Files.readAllBytes(path));
SES_SignInfo signInfo = seal.getSignInfo();
ASN1OctetString cert = signInfo.getCert();
CertificateFactory factory = new CertificateFactory();
X509Certificate certificate = (X509Certificate) factory.engineGenerateCertificate(cert.getOctetStream());
ASN1EncodableVector v = new ASN1EncodableVector(3);
Signature sg = Signature.getInstance("SM3WithSM2", new BouncyCastleProvider());
sg.update(new DERSequence(v).getEncoded("DER"));
byte[] sigVal = signInfo.getSignData().getBytes();
* Create a certificate using key pair and signing certificate with CA certificate, common name and a list of subjective alternate name
* @return signed sever identity certificate
* */
public X509Certificate createSignedCertificate(PublicKey publicKey, PrivateKey privateKey, String commonName,
List<ASN1Encodable> sans)
throws CertificateException, IOException, OperatorCreationException, NoSuchProviderException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
X500Name issuer = new X509CertificateHolder(_issuerCertificate.getEncoded()).getSubject();
BigInteger serial = getSerial();
X500Name subject = getSubject(commonName);
X509v3CertificateBuilder x509v3CertificateBuilder =
new JcaX509v3CertificateBuilder(issuer, serial, getValidDateFrom(), getValidDateTo(), subject, publicKey);
buildExtensions(x509v3CertificateBuilder, publicKey);
fillSans(sans, x509v3CertificateBuilder);
X509Certificate signedCertificate = createCertificate(_issuerPrivateKey, x509v3CertificateBuilder);
return signedCertificate;
public void testParseAttestationRecord() throws CertificateException, IOException {
X509Certificate x509Certificate = getAttestationRecord(CERT);
ParsedAttestationRecord attestationRecord =
/**
 * Server-certificate check whose strictness is driven by {@code trustLevel}:
 * <ul>
 *   <li>{@code OPEN}: no check at all — every server chain is accepted.</li>
 *   <li>{@code LOOSE}: the standard trust manager is consulted first; if it rejects and the
 *       chain is exactly one certificate, that certificate is accepted as long as its validity
 *       period covers the current time (assumed self-signed). Note that
 *       {@link X509Certificate#checkValidity()} only checks the date window — no signature or
 *       trust-anchor verification happens on this path.</li>
 *   <li>{@code STRICT}: behaves like the default; the extra strictness is unimplemented and
 *       only logged.</li>
 *   <li>otherwise: the standard trust manager's verdict is final.</li>
 * </ul>
 *
 * @param certificates the peer's certificate chain
 * @param type the authentication type, passed through to the delegate
 * @throws CertificateException if the chain is rejected for the active trust level
 */
public void checkServerTrusted(X509Certificate[] certificates, String type) throws CertificateException {
    final boolean open = this.trustLevel.equals(TrustLevel.OPEN);
    if (open) {
        return;
    }
    CertificateException rejection = null;
    try {
        this.standardTrustManager.checkServerTrusted(certificates, type);
    } catch (CertificateException e) {
        rejection = e;
    }
    if (rejection == null) {
        if (this.trustLevel.equals(TrustLevel.STRICT)) {
            logger.severe(TrustLevel.STRICT + " not implemented.");
        }
        return;
    }
    final boolean singleCert = certificates != null && certificates.length == 1;
    if (!this.trustLevel.equals(TrustLevel.LOOSE) || !singleCert) {
        // Probably NORMAL (or LOOSE with a real chain): the delegate's verdict stands.
        throw rejection;
    }
    // LOOSE with a lone certificate: treat it as self-signed and only enforce the date window.
    certificates[0].checkValidity();
}
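/**
 * Add a name to lookup table.
 *
 * Both registries ({@code oidMap}, keyed by OID, and {@code nameMap}, keyed by name — declared
 * elsewhere in the class) are checked for a conflict before either is modified, so a rejected
 * registration never leaves a half-registered entry behind.
 *
 * @param name the name of the attr
 * @param oid the string representation of the object identifier for
 *        the class.
 * @param clazz the Class object associated with this attribute
 * @exception CertificateException if {@code oid} does not parse, or the OID or name is
 *            already registered.
 */
public static void addAttribute(String name, String oid, Class<?> clazz)
        throws CertificateException {
    ObjectIdentifier objId;
    try {
        objId = new ObjectIdentifier(oid);
    } catch (IOException ioe) {
        // Keep the parse failure as the cause so the bad OID text stays diagnosable.
        throw new CertificateException("Invalid Object identifier: " + oid, ioe);
    }
    OIDInfo info = new OIDInfo(name, objId, clazz);
    // Reject duplicates before touching either map.
    if (oidMap.containsKey(objId)) {
        throw new CertificateException("Object identifier already exists: " + oid);
    }
    if (nameMap.containsKey(name)) {
        throw new CertificateException("Name already exists: " + name);
    }
    oidMap.put(objId, info);
    nameMap.put(name, info);
}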
/**
 * Set the attribute value.
 * <p>
 * Only the {@code NOT_BEFORE} and {@code NOT_AFTER} attributes are recognised (the name
 * comparison is case-insensitive) and the value must be a {@link Date}; after the field is
 * updated the encoding is refreshed via {@code encodeThis()}.
 *
 * @param name the attribute name
 * @param obj the new value, which must be a {@code Date}
 * @exception CertificateException if the value is not a Date or the name is not recognised
 * @exception IOException if re-encoding fails (presumed to originate in {@code encodeThis()})
 */
public void set(String name, Object obj) throws CertificateException, IOException {
    if (!(obj instanceof Date)) {
        throw new CertificateException("Attribute must be of type Date.");
    }
    final Date value = (Date) obj;
    final boolean isNotBefore = name.equalsIgnoreCase(NOT_BEFORE);
    final boolean isNotAfter = !isNotBefore && name.equalsIgnoreCase(NOT_AFTER);
    if (isNotBefore) {
        notBefore = value;
    } else if (isNotAfter) {
        notAfter = value;
    } else {
        throw new CertificateException("Attribute name not recognized by"
                + " CertAttrSet:PrivateKeyUsage.");
    }
    encodeThis();
}
* Validate the cluster CA certificate(s) passed in the given Secret
* and return the PemTrustOptions for trusting them.
protected PemTrustOptions trustOptions(Secret clusterCaCertificateSecret) {
Base64.Decoder decoder = Base64.getDecoder();
CertificateFactory x509 = x509Factory();
PemTrustOptions pto = new PemTrustOptions();
for (Map.Entry<String, String> entry : clusterCaCertificateSecret.getData().entrySet()) {
String entryName = entry.getKey();
if (entryName.endsWith(".crt")) {"Trusting certificate {} from Secret {}", entryName, clusterCaCertificateSecret.getMetadata().getName());
byte[] certBytes = decoder.decode(entry.getValue());
try {
x509.generateCertificate(new ByteArrayInputStream(certBytes));
} catch (CertificateException e) {
throw corruptCertificate(clusterCaCertificateSecret, entryName, e);
} else {
log.warn("Ignoring non-certificate {} in Secret {}", entryName, clusterCaCertificateSecret.getMetadata().getName());
return pto;
* {@inheritDoc}
protected Map<AAGUID, Set<TrustAnchor>> loadTrustAnchors() {
Path keystore = getKeyStore();
try (InputStream inputStream = Files.newInputStream(keystore)) {
KeyStore keyStoreObject = loadKeyStoreFromStream(inputStream, getPassword());
List<String> aliases = Collections.list(keyStoreObject.aliases());
Set<TrustAnchor> trustAnchors = new HashSet<>();
for (String alias : aliases) {
X509Certificate certificate = (X509Certificate) keyStoreObject.getCertificate(alias);
trustAnchors.add(new TrustAnchor(certificate, null));
return Collections.singletonMap(AAGUID.NULL, trustAnchors);
} catch ( | IOException | NoSuchAlgorithmException | CertificateException e) {
throw new KeyStoreException("Failed to load TrustAnchor from keystore", e);
/**
 * Builds a DatabaseClient with digest authentication for {@code user}/{@code password}; when
 * security is enabled the security context is additionally wrapped with the SSL context from
 * getSslContext().
 * NOTE(review): this excerpt is truncated — the catch body and the closing braces are not visible.
 */
public static DatabaseClient getDatabaseClient(String user, String password, ConnectionType connType)
throws KeyManagementException, NoSuchAlgorithmException, IOException {
DatabaseClient client = null;
SSLContext sslcontext = null;
SecurityContext secContext = new DatabaseClientFactory.DigestAuthContext(user,password);
if (IsSecurityEnabled()) {
try {
sslcontext = getSslContext();
} catch (UnrecoverableKeyException | KeyStoreException | CertificateException e) {
// NOTE(review): if this catch does not rethrow, sslcontext stays null and the client below is
// configured with a null SSL context. SSLHostnameVerifier.ANY also disables hostname
// verification, so this configuration offers no protection against a mis-identified peer.
secContext = secContext.withSSLContext(sslcontext).withSSLHostnameVerifier(SSLHostnameVerifier.ANY);
client = DatabaseClientFactory.newClient(getRestServerHostName(), getRestServerPort(),
secContext, connType);
return client;
/**
 * Creates a PKIX TrustManagerFactory. With explicit PEM CA certificates, every certificate in
 * the PEM text becomes a trust anchor in a fresh keystore; without them the default CA keystore
 * is used together with a PKIX revocation checker.
 * NOTE(review): this excerpt is truncated — the init() call for the explicit-CA branch and the
 * addCertPathChecker() call attaching the revocation checker are not visible here.
 */
private TrustManagerFactory createTrustManagerFactory(@Nullable final String trustedCertificates)
throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
InvalidAlgorithmParameterException {
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(PKIX);
if (trustedCertificates != null) {
final KeyStore keystore = keyStoreFactory.newKeystore();
final Collection<? extends Certificate> caCerts;
// PEM is ASCII; unmappable characters are replaced by getBytes rather than rejected.
final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
caCerts = X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
long cnt = 0;
for (final Certificate caCert : caCerts) {
// Aliases "ca-0", "ca-1", ...: every certificate in the PEM becomes a trust anchor.
keystore.setCertificateEntry("ca-" + cnt++, caCert);
} else {
// standard CAs; add revocation check
// NOTE(review): revocation checking is only configured on this default-CA path; chains anchored
// at the explicitly supplied CAs above are not checked for revocation — confirm that is intended.
final PKIXRevocationChecker revocationChecker =
(PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
final PKIXBuilderParameters parameters =
new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
return trustManagerFactory;
protected PrivateKeyAndCertificate createKeystoreProperties()
throws IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyStore keystore = KeyStore.getInstance(JARSIGNER_KEY_STORE_TYPE);
KeystoreProperties keystoreProperties = keystorePropertiesSupplier.get();
char[] keystorePassword = keystoreProperties.getStorepass().toCharArray();
try {
keystore.load(filesystem.getInputStreamForRelativePath(pathToKeystore), keystorePassword);
} catch (NoSuchAlgorithmException | CertificateException e) {
throw new HumanReadableException(e, "%s is an invalid keystore.", pathToKeystore);
String alias = keystoreProperties.getAlias();
char[] keyPassword = keystoreProperties.getKeypass().toCharArray();
Key key = keystore.getKey(alias, keyPassword);
// key can be null if alias/password is incorrect.
if (key == null) {
throw new HumanReadableException(
"The keystore [%s] key.alias [%s] does not exist or does not identify a key-related "
+ "entry",
pathToKeystore, alias);
Certificate certificate = keystore.getCertificate(alias);
return new PrivateKeyAndCertificate((PrivateKey) key, (X509Certificate) certificate);
public static void main(String[] args) throws Exception {
String ks = System.getProperty("test.src", ".")
+ "/../../ssl/etc/keystore";
String pass = "passphrase";
String alias = "dummy";
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(ks), pass.toCharArray());
byte[] cert = keyStore.getCertificate(alias).getEncoded();
ByteArrayOutputStream bout = new ByteArrayOutputStream();
PrintStream pout = new PrintStream(bout);
byte[] CRLF = new byte[] {'\r', '\n'};
for (int i=0; i<cert.length; i += 48) {
int blockLen = (cert.length > i + 48) ? 48 : (cert.length - i);
pout.println("!" + Base64.getEncoder()
.encodeToString(Arrays.copyOfRange(cert, i, i + blockLen)));
CertificateFactory cf = CertificateFactory.getInstance("X.509");
try {
cf.generateCertificate(new ByteArrayInputStream(bout.toByteArray()));
throw new Exception("Should fail");
} catch (CertificateException e) {
// Good
/**
 * Test for <code>CertificateException(Throwable)</code> constructor
 * Assertion: constructs CertificateException when <code>cause</code> is
 * null — both the message and the cause of the resulting exception are null.
 */
public void testCertificateException04() {
    final Throwable noCause = null;
    final CertificateException built = new CertificateException(noCause);
    assertNull("getMessage() must return null.", built.getMessage());
    assertNull("getCause() must return null", built.getCause());
}
/**
 * Validates {@code certs} as a PKIX certificate path against the trust anchors held in
 * {@code ks}, optionally using the provider named in {@code properties}. Returns true only when
 * validate() did not throw; every validation failure is wrapped in WSSecurityException.
 * NOTE(review): this excerpt is truncated — the property lookup on the "String provider" line
 * and the closing braces are incomplete.
 */
private boolean validateCertPath(KeyStore ks, Certificate[] certs) throws WSSecurityException {
try {
// Generate cert path
java.util.List certList = java.util.Arrays.asList(certs);
CertPath path = this.getCertificateFactory().generateCertPath(certList);
// Use the certificates in the keystore as TrustAnchors
PKIXParameters param = new PKIXParameters(ks);
// Do not check a revocation list
// NOTE(review): PKIXParameters enables revocation checking by default; the
// setRevocationEnabled(false) call this comment describes is not visible in this excerpt.
// Verify the trust path using the above settings
String provider = properties
CertPathValidator certPathValidator;
if (provider == null || provider.length() == 0) {
certPathValidator = CertPathValidator.getInstance("PKIX");
} else {
certPathValidator = CertPathValidator.getInstance("PKIX", provider);
certPathValidator.validate(path, param);
} catch (NoSuchProviderException | NoSuchAlgorithmException | CertificateException |
InvalidAlgorithmParameterException | CertPathValidatorException | KeyStoreException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
new Object[]{ex.getMessage()}, ex);
// Only reached when validate() did not throw.
return true;
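/**
 * Accepts the chain if either the default (platform) trust manager or the local trust manager
 * accepts it. The default manager is consulted first; its rejection is attached as a suppressed
 * exception to the local manager's rejection, so a failure of both keeps the platform-level
 * diagnosis instead of discarding it.
 * <p>
 * NOTE(review): despite the method name, both delegates are asked via
 * {@code checkServerTrusted}; confirm this is intended, since the client- and server-side checks
 * typically differ in the extended key usage they require.
 *
 * @param chain the peer certificate chain
 * @param authType the key exchange algorithm used
 * @throws CertificateException if both trust managers reject the chain
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    try {
        defaultTrustManager.checkServerTrusted(chain, authType);
    } catch (CertificateException defaultRejection) {
        try {
            localTrustManager.checkServerTrusted(chain, authType);
        } catch (CertificateException localRejection) {
            // Keep both verdicts: the thrown exception carries the first rejection as suppressed.
            localRejection.addSuppressed(defaultRejection);
            throw localRejection;
        }
    }
}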
public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException,
IOException, CertificateException, NoSuchProviderException {
// Key generation
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
KeyPair rsaKeyPair = generator.generateKeyPair();
RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) rsaKeyPair.getPrivate();
RSAPublicKey rsaPublicKey = (RSAPublicKey) rsaKeyPair.getPublic();
// Generate certificate without a signature
final X509CertInfo certInfo = createCertificateInfo("CN=test", null, null, rsaKeyPair.getPublic(), 365, true,
final X509CertImpl certificate = new X509CertImpl(certInfo);
final byte[] toBeSigned = certificate.getTBSCertificate();
// Manually sign it
final BigInteger toBeSignedRaw = EMSA_PKCS1_V1_5_ENCODE(toBeSigned, rsaPublicKey.getModulus());
final byte[] signature = Exponentiation
.modPow(toBeSignedRaw, rsaPrivateKey.getPrivateExponent(), rsaPrivateKey.getModulus()).toByteArray();
// Create the certificate passing in the signature
final X509Certificate cert = createCertificateFromTbsAndSignature(certInfo, signature);
System.out.println("Certificate is valid!");
public List<X509Cert> scepGetCert(PrivateKey identityKey, X509Cert identityCert,
X500Name issuer, BigInteger serialNumber) throws ScepClientException {
Args.notNull(identityKey, "identityKey");
Args.notNull(identityCert, "identityCert");
Args.notNull(issuer, "issuer");
Args.notNull(serialNumber, "serialNumber");
PkiMessage request = new PkiMessage(TransactionId.randomTransactionId(), MessageType.GetCert);
IssuerAndSerialNumber isn = new IssuerAndSerialNumber(issuer, serialNumber);
ContentInfo envRequest = encryptThenSign(request, identityKey, identityCert);
ScepHttpResponse httpResp = httpSend(Operation.PKIOperation, envRequest);
CMSSignedData cmsSignedData = parsePkiMessage(httpResp.getContentBytes());
DecodedPkiMessage response = decode(cmsSignedData, identityKey, identityCert);
if (response.getPkiStatus() != PkiStatus.SUCCESS) {
throw new ScepClientException("server returned " + response.getPkiStatus());
ContentInfo messageData = ContentInfo.getInstance(response.getMessageData());
try {
return ScepUtil.getCertsFromSignedData(SignedData.getInstance(messageData.getContent()));
} catch (CertificateException ex) {
throw new ScepClientException(ex.getMessage(), ex);
/**
 * Loads the X.509 certificate in {@code certFile} and delegates to
 * {@link #isCertificateRevoked(X509Certificate, DateTime)}.
 * NOTE(review): this excerpt is truncated — the closing braces are missing.
 */
public boolean isCertificateRevoked(File certFile, DateTime validOn) throws TechnicalConnectorException {
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
// NOTE(review): the FileInputStream is never closed — wrapping it in try-with-resources fixes the leak.
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(new FileInputStream(certFile));
return this.isCertificateRevoked(cert, validOn);
} catch (FileNotFoundException var5) {
throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, var5, new Object[]{var5.getMessage()});
} catch (CertificateException var6) {
// presumably CertificateVerificationException extends TechnicalConnectorException (the only
// checked type this method declares) — verify against its declaration
throw new CertificateVerificationException(var6.getMessage(), var6);
public PackedAttestation() {
try {
sha256 = MessageDigest.getInstance("SHA-256");
x509 = CertificateFactory.getInstance("X.509");
sig = Signature.getInstance("SHA256withECDSA");
} catch (NoSuchAlgorithmException | CertificateException e) {
throw new AttestationException(e);
public void checkServerTrusted(X509Certificate[] certs, String authType, Socket socket)
throws CertificateException {
List<X509Certificate> trustedChain =
mDelegate.getTrustedChainForServer(certs, authType, socket);
/**
 * Server-chain check that only enforces each certificate's validity window.
 * <p>
 * {@link X509Certificate#checkValidity()} verifies nothing beyond the notBefore/notAfter dates:
 * no signature check, no chaining to a trust anchor, no hostname binding, and an empty chain
 * passes. Any failure (including a null chain, which surfaces as a NullPointerException) is
 * wrapped in a {@link CertificateException}.
 *
 * @param chain the peer certificate chain
 * @param authType the key exchange algorithm (unused)
 * @throws CertificateException if any certificate is outside its validity period or the chain
 *         cannot be iterated
 */
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    try {
        for (int i = 0; i < chain.length; i++) {
            // Date-window check only; nothing about the issuer or signature is verified here.
            chain[i].checkValidity();
        }
    } catch (Exception failure) {
        throw new CertificateException(failure);
    }
}
* Test for <code>generateCertPath(List certificates)</code> method
* Assertion: returns empty CertPath if certificates is empty
public void testCertificateFactory15() throws CertificateException {
if (!X509Support) {
CertificateFactory[] certFs = initCertFs();
assertNotNull("CertificateFactory objects were not created", certFs);
List<Certificate> list = new Vector<Certificate>();
for (int i = 0; i < certFs.length; i++) {
CertPath cp = certFs[i].generateCertPath(list);
List<? extends Certificate> list1 = cp.getCertificates();
assertTrue("List should be empty", list1.isEmpty());