/** * Return the initialization parameters for the TrustManager. * Currently, only the default <code>PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); xparams.setMaxPathLength(listener.getSslTrustMaxCertLength()); params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; }
/** * Return the initialization parameters for the TrustManager. Currently, * only the default <code>PKIX</code> is supported. * * @param algorithm * The algorithm to get parameters for. * @param crlf * The path to the CRL file. * @param trustStore * The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection<? extends CRL> crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = endpoint.getTrustMaxCertLength(); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch (Exception ex) { log.warn("Bad maxCertLength: " + trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: " + algorithm); } return params; }
public static CertPathParameters getCertPathParameters() throws InvalidAlgorithmParameterException { if ((rootCertificateSS == null) || (theCertSelector == null) || (builder == null)) { throw new RuntimeException( "Call initCertPathSSCertChain prior to buildCertPath"); } PKIXBuilderParameters buildParams = new PKIXBuilderParameters( Collections.singleton(new TrustAnchor(rootCertificateSS, null)), theCertSelector); buildParams.addCertStore(store); buildParams.setRevocationEnabled(false); return buildParams; }
/** * Test #1 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: creates an instance of <code>PKIXBuilderParameters</code> * @throws InvalidAlgorithmParameterException */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies positive case.", method = "PKIXBuilderParameters", args = {java.util.Set.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersSetCertSelector01() throws InvalidAlgorithmParameterException { Set<TrustAnchor> taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // both parameters are valid and non-null PKIXParameters p = new PKIXBuilderParameters(taSet, new X509CertSelector()); assertTrue("instanceOf", p instanceof PKIXBuilderParameters); assertNotNull("certSelector", p.getTargetCertConstraints()); }
/** * Test #2 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: creates an instance of <code>PKIXBuilderParameters</code> * @throws InvalidAlgorithmParameterException */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies null as a CertSelector parameter.", method = "PKIXBuilderParameters", args = {java.util.Set.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersSetCertSelector02() throws InvalidAlgorithmParameterException { Set<TrustAnchor> taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // both parameters are valid but CertSelector is null PKIXParameters p = new PKIXBuilderParameters(taSet, null); assertTrue("instanceOf", p instanceof PKIXBuilderParameters); assertNull("certSelector", p.getTargetCertConstraints()); }
/** * Test #6 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: <code>ClassCastException</code> - * if any of the elements in the <code>Set</code> are not of type * <code>java.security.cert.TrustAnchor</code> */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies ClassCastException.", method = "PKIXBuilderParameters", args = {java.util.Set.class, java.security.cert.CertSelector.class} ) @SuppressWarnings("unchecked") public final void testPKIXBuilderParametersSetCertSelector06() throws Exception { Set taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // add wrong object to valid set assertTrue(taSet.add(new Object())); try { new PKIXBuilderParameters(taSet, null); fail("ClassCastException expected"); } catch (ClassCastException e) { } }
/** * Test #1 for <code>PKIXBuilderParameters(KeyStore, CertSelector)</code> * constructor<br> * Assertion: <code>NullPointerException</code> - if the * <code>keystore</code> is <code>null</code> */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Veirifies null as a KeyStore parameter.", method = "PKIXBuilderParameters", args = {java.security.KeyStore.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersKeyStoreCertSelector01() throws Exception { try { new PKIXBuilderParameters((KeyStore) null, new X509CertSelector()); fail("NullPointerException expected"); } catch (NullPointerException e) { // expected } }
/** * Test #2 for <code>PKIXBuilderParameters(KeyStore, CertSelector)</code> * constructor<br> * Assertion: <code>KeyStoreException</code> - if the * <code>keystore</code> has not been initialized */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Veirifies null as a CertSelector parameter.", method = "PKIXBuilderParameters", args = {java.security.KeyStore.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersKeyStoreCertSelector02() throws Exception { KeyStore keyTest = KeyStore.getInstance(KeyStore.getDefaultType()); try { new PKIXBuilderParameters(keyTest, null); fail("KeyStoreException expected"); } catch (KeyStoreException e) { // expected } }
/** * Test #3 for <code>PKIXBuilderParameters(KeyStore, CertSelector)</code> * constructor<br> * Assertion: <code>InvalidAlgorithmParameterException</code> - if the * <code>keystore</code> does not contain at least one trusted certificate * entry */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies null as parameters.", method = "PKIXBuilderParameters", args = {java.security.KeyStore.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersKeyStoreCertSelector03() throws Exception { KeyStore keyTest = KeyStore.getInstance(KeyStore.getDefaultType()); keyTest.load(null, null); try { new PKIXBuilderParameters(keyTest, new X509CertSelector()); fail("InvalidAlgorithmParameterException expected"); } catch (InvalidAlgorithmParameterException e) { // expected } }
/** * Initialize the builder with the input parameters. * * @param params the parameter set used to build a certification path */ ReverseBuilder(PKIXBuilderParameters buildParams, X500Principal targetSubjectDN) { super(buildParams, targetSubjectDN); Set<String> initialPolicies = buildParams.getInitialPolicies(); initPolicies = new HashSet<String>(); if (initialPolicies.isEmpty()) { // if no initialPolicies are specified by user, set // initPolicies to be anyPolicy by default initPolicies.add(PolicyChecker.ANY_POLICY); } else { for (String policy : initialPolicies) { initPolicies.add(policy); } } }
/** * Initialize the builder with the input parameters. * * @param params the parameter set used to build a certification path */ ForwardBuilder(PKIXBuilderParameters buildParams, X500Principal targetSubjectDN, boolean searchAllCertStores, boolean onlyEECert) { super(buildParams, targetSubjectDN); // populate sets of trusted certificates and subject DNs trustAnchors = buildParams.getTrustAnchors(); trustedCerts = new HashSet<X509Certificate>(trustAnchors.size()); trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size()); for (TrustAnchor anchor : trustAnchors) { X509Certificate trustedCert = anchor.getTrustedCert(); if (trustedCert != null) { trustedCerts.add(trustedCert); trustedSubjectDNs.add(trustedCert.getSubjectX500Principal()); } else { trustedSubjectDNs.add(anchor.getCA()); } } comparator = new PKIXCertComparator(trustedSubjectDNs); this.searchAllCertStores = searchAllCertStores; this.onlyEECert = onlyEECert; }
/** * Test #3 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: ... the <code>Set</code> is copied to protect against * subsequent modifications * @throws InvalidAlgorithmParameterException */ public final void testPKIXBuilderParametersSetCertSelector03() throws InvalidAlgorithmParameterException { Set taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } HashSet originalSet = (HashSet)taSet; HashSet originalSetCopy = (HashSet)originalSet.clone(); // create test object using originalSet PKIXBuilderParameters pp = new PKIXBuilderParameters(originalSetCopy, null); // modify originalSet originalSetCopy.clear(); // check that test object's internal state // has not been affected by the above modification Set returnedSet = pp.getTrustAnchors(); assertEquals(originalSet, returnedSet); }
/** * Test #6 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: <code>ClassCastException</code> - * if any of the elements in the <code>Set</code> are not of type * <code>java.security.cert.TrustAnchor</code> */ public final void testPKIXBuilderParametersSetCertSelector06() throws Exception { Set taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // add wrong object to valid set assertTrue(taSet.add(new Object())); try { new PKIXBuilderParameters(taSet, null); fail("ClassCastException expected"); } catch (ClassCastException e) { } }
/** * Test #1 for <code>setMaxPathLength(int)</code> method<br> * Assertion: sets the maximum number of non-self-signed certificates * in the cert path * @throws KeyStoreException * @throws InvalidAlgorithmParameterException */ public final void testSetMaxPathLength01() throws KeyStoreException, InvalidAlgorithmParameterException { KeyStore ks = TestUtils.getKeyStore(true, TestUtils.TRUSTED); if (ks == null) { fail(getName() + ": not performed (could not create test KeyStore)"); } // all these VALID maxPathLength values must be // set (and get) without exceptions int[] testPathLength = new int[] {-1, 0, 1, 999, Integer.MAX_VALUE}; for (int i=0; i<testPathLength.length; i++) { PKIXBuilderParameters p = new PKIXBuilderParameters(ks, null); p.setMaxPathLength(testPathLength[i]); assertEquals("i="+i, testPathLength[i], p.getMaxPathLength()); } }
/** * Test #2 for <code>setMaxPathLength(int)</code> method<br> * Assertion: throws InvalidParameterException if parameter is * less than -1 * @throws InvalidAlgorithmParameterException * @throws KeyStoreException */ public final void testSetMaxPathLength02() throws KeyStoreException, InvalidAlgorithmParameterException { KeyStore ks = TestUtils.getKeyStore(true, TestUtils.TRUSTED); if (ks == null) { fail(getName() + ": not performed (could not create test KeyStore)"); } PKIXBuilderParameters p = new PKIXBuilderParameters(ks, null); try { // pass parameter less than -1 p.setMaxPathLength(Integer.MIN_VALUE); fail("InvalidParameterException expected"); } catch (InvalidParameterException e) { } }
private PKIXCertPathBuilderResult checkCertPath(SignerId signerId, Store certs) throws IOException, GeneralSecurityException { CertStore store = new JcaCertStoreBuilder().setProvider("BC").addCertificates(certs).build(); CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX","BC"); X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setIssuer(signerId.getIssuer().getEncoded()); targetConstraints.setSerialNumber(signerId.getSerialNumber()); PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(trustAnchor, null)), targetConstraints); params.addCertStore(store); params.setRevocationEnabled(false); // TODO: CRLs? return (PKIXCertPathBuilderResult)pathBuilder.build(params); }
/** * Return the initialization parameters for the TrustManager. * Currently, only the default <code>PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection<? extends CRL> crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = endpoint.getTrustMaxCertLength(); if(trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch(Exception ex) { log.warn("Bad maxCertLength: "+trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; }
/** * Return the initialization parameters for the TrustManager. * Currently, only the default <code>PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String)attributes.get("trustMaxCertLength"); if(trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch(Exception ex) { log.warn("Bad maxCertLength: "+trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: "+algorithm); } return params; }
private void doBuild(X509Certificate userCert) throws Exception { // get the set of trusted CA certificates (only one in this instance) HashSet trustAnchors = new HashSet(); X509Certificate trustedCert = getTrustedCertificate(); trustAnchors.add(new TrustAnchor(trustedCert, null)); // put together a CertStore (repository of the certificates and CRLs) ArrayList certs = new ArrayList(); certs.add(trustedCert); certs.add(userCert); CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs); CertStore certStore = CertStore.getInstance("Collection", certStoreParams); // specify the target certificate via a CertSelector X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(userCert); certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required // build a valid cerificate path CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN"); PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector); certPathBuilderParams.addCertStore(certStore); certPathBuilderParams.setRevocationEnabled(false); CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams); // get and show cert path CertPath certPath = result.getCertPath(); // System.out.println(certPath.toString()); }
public static void createParams() throws Exception { TrustAnchor anchor = new TrustAnchor(getCertFromFile("sun.cer"), null); Set anchors = Collections.singleton(anchor); // Create odd CertSelector sel = new OddSel(); params = new PKIXBuilderParameters(anchors, sel); params.setRevocationEnabled(false); }
/** * Perform a PKIX build. * * @param params PKIXBuilderParameters to use in building * @throws Exception on error */ public static void build(PKIXBuilderParameters params) throws Exception { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); CertPathBuilderResult cpbr = builder.build(params); }
public static void main(String[] args) throws Exception { // reset the security property to make sure that the algorithms // and keys used in this test are not disabled. Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor (rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); X509CertSelector sel = new X509CertSelector(); sel.setBasicConstraints(-2); PKIXBuilderParameters params = new PKIXBuilderParameters (Collections.singleton(anchor), sel); params.setRevocationEnabled(false); X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer"); X509Certificate caCert = CertUtils.getCertFromFile("ca.cer"); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); certs.add(caCert); certs.add(eeCert); CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certs); CertStore cs = CertStore.getInstance("Collection", ccsp); params.addCertStore(cs); PKIXCertPathBuilderResult res = CertUtils.build(params); CertPath cp = res.getCertPath(); // check that first certificate is an EE cert List<? extends Certificate> certList = cp.getCertificates(); X509Certificate cert = (X509Certificate) certList.get(0); if (cert.getBasicConstraints() != -1) { throw new Exception("Target certificate is not an EE certificate"); } }
/** * Perform a PKIX build. * * @param params PKIXBuilderParameters to use in the build * @throws Exception on error */ public static void build(PKIXBuilderParameters params) throws Exception { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "SUN"); CertPathBuilderResult cpbr = builder.build(params); }
/** * Perform a PKIX path build. On failure, throw an exception. * * @param params PKIXBuilderParameters to use in validation * @throws Exception on error */ public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params) throws Exception { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); return (PKIXCertPathBuilderResult) builder.build(params); }
public PKIXExtendedParameters(PKIXBuilderParameters params, Timestamp timestamp, String variant) throws InvalidAlgorithmParameterException { super(params.getTrustAnchors(), null); p = params; jarTimestamp = timestamp; this.variant = variant; }
