Java 类java.security.cert.TrustAnchor 实例源码

项目:the-vigilantes    文件:ExportControlled.java   
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
项目:cwac-netsecurity    文件:TrustManagerImpl.java   
/**
 * Check the trustedCertificateIndex for the cert to see if it is
 * already trusted and failing that check the KeyStore if it is
 * available.
 */
private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
    TrustAnchor trustAnchor = trustedCertificateIndex.findBySubjectAndPublicKey(cert);
    if (trustAnchor != null) {
        return trustAnchor;
    }
    if (trustedCertificateStore == null) {
        // not trusted and no TrustedCertificateStore to check
        return null;
    }
    // probe KeyStore for a cert. AndroidCAStore stores its
    // contents hashed by cert subject on the filesystem to make
    // this faster than scanning all key store entries.
    X509Certificate systemCert = trustedCertificateStore.getTrustAnchor(cert);
    if (systemCert != null) {
        // Don't index the system certificate here, that way the only place that adds anchors to
        // the index are findAllTrustAnchorsByIssuerAndSignature.
        // This allows findAllTrustAnchorsByIssuerAndSignature to avoid checking the
        // TrustedCertificateStore if the TrustedCertificateIndex contains any issuers for the
        // certificate because it will have cached all certificates contained in the
        // TrustedCertificateStore.
        return new TrustAnchor(systemCert, null);
    }
    return null;
}
项目:conscrypt    文件:TrustManagerImpl.java   
/**
 * Check the trustedCertificateIndex for the cert to see if it is
 * already trusted and failing that check the KeyStore if it is
 * available.
 */
private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
    TrustAnchor trustAnchor = trustedCertificateIndex.findBySubjectAndPublicKey(cert);
    if (trustAnchor != null) {
        return trustAnchor;
    }
    if (trustedCertificateStore == null) {
        // not trusted and no TrustedCertificateStore to check
        return null;
    }
    // probe KeyStore for a cert. AndroidCAStore stores its
    // contents hashed by cert subject on the filesystem to make
    // this faster than scanning all key store entries.
    X509Certificate systemCert = trustedCertificateStore.getTrustAnchor(cert);
    if (systemCert != null) {
        // Don't index the system certificate here, that way the only place that adds anchors to
        // the index are findAllTrustAnchorsByIssuerAndSignature.
        // This allows findAllTrustAnchorsByIssuerAndSignature to avoid checking the
        // TrustedCertificateStore if the TrustedCertificateIndex contains any issuers for the
        // certificate because it will have cached all certificates contained in the
        // TrustedCertificateStore.
        return new TrustAnchor(systemCert, null);
    }
    return null;
}
项目:ipack    文件:ExtendedPKIXParameters.java   
/**
 * Sets the trusted attribute certificate issuers. If attribute certificates
 * is verified the trusted AC issuers must be set.
 * <p>
 * The <code>trustedACIssuers</code> must be a <code>Set</code> of
 * <code>TrustAnchor</code>
 * <p>
 * The given set is cloned.
 * 
 * @param trustedACIssuers The trusted AC issuers to set. Is never
 *            <code>null</code>.
 * @throws ClassCastException if an element of <code>stores</code> is not
 *             a <code>TrustAnchor</code>.
 */
public void setTrustedACIssuers(Set trustedACIssuers)
{
    if (trustedACIssuers == null)
    {
        this.trustedACIssuers.clear();
        return;
    }
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();)
    {
        if (!(it.next() instanceof TrustAnchor))
        {
            throw new ClassCastException("All elements of set must be "
                + "of type " + TrustAnchor.class.getName() + ".");
        }
    }
    this.trustedACIssuers.clear();
    this.trustedACIssuers.addAll(trustedACIssuers);
}
项目:ipack    文件:RFC3281CertPathUtilities.java   
protected static void processAttrCert4(X509Certificate acIssuerCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    Set set = pkixParams.getTrustedACIssuers();
    boolean trusted = false;
    for (Iterator it = set.iterator(); it.hasNext();)
    {
        TrustAnchor anchor = (TrustAnchor) it.next();
        if (acIssuerCert.getSubjectX500Principal().getName("RFC2253")
            .equals(anchor.getCAName())
            || acIssuerCert.equals(anchor.getTrustedCert()))
        {
            trusted = true;
        }
    }
    if (!trusted)
    {
        throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
    }
}
项目:OpenVertretung    文件:ExportControlled.java   
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
项目:lams    文件:CertPathPKIXTrustEvaluator.java   
/**
 * Creates the collection of trust anchors to use during validation.
 * 
 * @param validationInfo PKIX validation information
 * 
 * @return trust anchors to use during validation
 */
protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo) {
    Collection<X509Certificate> validationCertificates = validationInfo.getCertificates();

    log.trace("Constructing trust anchors for PKIX validation");
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate cert : validationCertificates) {
        trustAnchors.add(buildTrustAnchor(cert));
    }

    if (log.isTraceEnabled()) {
        for (TrustAnchor anchor : trustAnchors) {
            log.trace("TrustAnchor: {}", anchor.toString());
        }
    }

    return trustAnchors;
}
项目:lams    文件:CertPathPKIXTrustEvaluator.java   
/**
 * Log information from the constructed cert path at level debug.
 * 
 * @param buildResult the PKIX cert path builder result containing the cert path and trust anchor
 * @param targetCert the cert untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate cert : buildResult.getCertPath().getCertificates()) {
        log.debug("CertPath certificate: {}", x500DNHandler.getName(((X509Certificate) cert)
                .getSubjectX500Principal()));
    }
    TrustAnchor ta = buildResult.getTrustAnchor();
    if (ta.getTrustedCert() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getTrustedCert().getSubjectX500Principal()));
    } else if (ta.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getCA()));
    } else {
        log.debug("TrustAnchor: {}", ta.getCAName());
    }
}
项目:ProyectoPacientes    文件:ExportControlled.java   
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
项目:OpenJSharp    文件:AlgorithmChecker.java   
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
项目:OpenJSharp    文件:AlgorithmChecker.java   
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
项目:OpenJSharp    文件:ForwardBuilder.java   
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
项目:BibliotecaPS    文件:ExportControlled.java   
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
项目:jdk8u-jdk    文件:AlgorithmChecker.java   
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchor.getTrustedCert());
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
项目:jdk8u-jdk    文件:AlgorithmChecker.java   
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
项目:jdk8u-jdk    文件:ForwardBuilder.java   
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
项目:jdk8u-jdk    文件:ValidateTargetConstraints.java   
public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
项目:jdk8u-jdk    文件:ValidateNC.java   
public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
项目:openjdk-jdk10    文件:OCSPResponse.java   
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;
    if (issuerCert != null) {
        name = issuerCert.getSubjectX500Principal();
        pubKey = issuerCert.getPublicKey();
        certificate = issuerCert;
    } else {
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
        certificate = anchor.getTrustedCert();
    }
}
项目:openjdk-jdk10    文件:OCSP.java   
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }
    OCSPResponse ocspResponse = check(Collections.singletonList(certId),
            responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
            responderCert, date, extensions, variant);
    return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
项目:openjdk-jdk10    文件:AlgorithmChecker.java   
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
项目:openjdk-jdk10    文件:ForwardBuilder.java   
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
项目:openjdk-jdk10    文件:ValidateTargetConstraints.java   
public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
项目:openjdk-jdk10    文件:ValidateNC.java   
public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
项目:openjdk-jdk10    文件:ValWithAnchorByName.java   
private static void runTest(CertificateFactory cf,
        List<X509Certificate> certList, TrustAnchor anchor)
        throws Exception {
    CertPath path = cf.generateCertPath(certList);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    System.out.println(anchor);

    // Attach the OCSP responses to a PKIXParameters object
    PKIXRevocationChecker pkrev =
            (PKIXRevocationChecker)validator.getRevocationChecker();
    Map<X509Certificate, byte[]> responseMap = new HashMap<>();
    responseMap.put(certList.get(0), DECODER.decode(EE_OCSP_RESP));
    responseMap.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP));
    pkrev.setOcspResponses(responseMap);
    PKIXParameters params =
            new PKIXParameters(Collections.singleton(anchor));
    params.addCertPathChecker(pkrev);
    params.setDate(EVAL_DATE);

    validator.validate(path, params);
}
项目:openjdk9    文件:AlgorithmChecker.java   
/**
 * Create a new {@code AlgorithmChecker} with the
 * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 * @param pkixdate Date the constraints are checked against. The value is
 *             either the PKIXParameter date or null for the current date.
 *
 * @throws IllegalArgumentException if the {@code anchor} is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints,
        Date pkixdate) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchor.getTrustedCert());
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
    this.pkixdate = pkixdate;
}
项目:openjdk9    文件:AlgorithmChecker.java   
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
项目:openjdk9    文件:ForwardBuilder.java   
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
项目:openjdk9    文件:ValidateNC.java   
public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
项目:cwac-netsecurity    文件:TrustManagerImpl.java   
private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType,
        String host, boolean clientAuth) throws CertificateException {
    if (certs == null || certs.length == 0 || authType == null || authType.length() == 0) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    if (err != null) {
        throw new CertificateException(err);
    }
    Set<X509Certificate> used = new HashSet<X509Certificate>();
    ArrayList<X509Certificate> untrustedChain = new ArrayList<X509Certificate>();
    ArrayList<TrustAnchor> trustedChain = new ArrayList<TrustAnchor>();
    // Initialize the chain to contain the leaf certificate. This potentially could be a trust
    // anchor. If the leaf is a trust anchor we still continue with path building to build the
    // complete trusted chain for additional validation such as certificate pinning.
    X509Certificate leaf = certs[0];
    TrustAnchor leafAsAnchor = findTrustAnchorBySubjectAndPublicKey(leaf);
    if (leafAsAnchor != null) {
        trustedChain.add(leafAsAnchor);
        used.add(leafAsAnchor.getTrustedCert());
    } else {
        untrustedChain.add(leaf);
    }
    used.add(leaf);
    return checkTrustedRecursive(certs, host, clientAuth, untrustedChain, trustedChain, used);
}
项目:cwac-netsecurity    文件:TrustManagerImpl.java   
/**
 * Find all possible issuing trust anchors of {@code cert}.
 */
private Set<TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(X509Certificate cert) {
    Set<TrustAnchor> indexedAnchors =
            trustedCertificateIndex.findAllByIssuerAndSignature(cert);
    if (!indexedAnchors.isEmpty() || trustedCertificateStore == null) {
        return indexedAnchors;
    }
    Set<X509Certificate> storeAnchors = trustedCertificateStore.findAllIssuers(cert);
    if (storeAnchors.isEmpty()) {
        return indexedAnchors;
    }
    Set<TrustAnchor> result = new HashSet<TrustAnchor>(storeAnchors.size());
    for (X509Certificate storeCert : storeAnchors) {
        result.add(trustedCertificateIndex.index(storeCert));
    }
    return result;
}
项目:cwac-netsecurity    文件:TrustedCertificateIndex.java   
public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuer = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer);
        if (anchors == null) {
            return null;
        }

        for (TrustAnchor anchor : anchors) {
            PublicKey publicKey;
            try {
                X509Certificate caCert = anchor.getTrustedCert();
                if (caCert != null) {
                    publicKey = caCert.getPublicKey();
                } else {
                    publicKey = anchor.getCAPublicKey();
                }
                cert.verify(publicKey);
                return anchor;
            } catch (Exception ignored) {
            }
        }
    }
    return null;
}
项目:conscrypt    文件:TrustManagerImpl.java   
/**
 * Find all possible issuing trust anchors of {@code cert}.
 */
private Set<TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(X509Certificate cert) {
    Set<TrustAnchor> indexedAnchors =
            trustedCertificateIndex.findAllByIssuerAndSignature(cert);
    if (!indexedAnchors.isEmpty() || trustedCertificateStore == null) {
        return indexedAnchors;
    }
    Set<X509Certificate> storeAnchors = trustedCertificateStore.findAllIssuers(cert);
    if (storeAnchors.isEmpty()) {
        return indexedAnchors;
    }
    Set<TrustAnchor> result = new HashSet<TrustAnchor>(storeAnchors.size());
    for (X509Certificate storeCert : storeAnchors) {
        result.add(trustedCertificateIndex.index(storeCert));
    }
    return result;
}
项目:conscrypt    文件:TrustedCertificateIndex.java   
public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuer = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer);
        if (anchors == null) {
            return null;
        }

        for (TrustAnchor anchor : anchors) {
            PublicKey publicKey;
            try {
                X509Certificate caCert = anchor.getTrustedCert();
                if (caCert != null) {
                    publicKey = caCert.getPublicKey();
                } else {
                    publicKey = anchor.getCAPublicKey();
                }
                cert.verify(publicKey);
                return anchor;
            } catch (Exception ignored) {
            }
        }
    }
    return null;
}
项目:jdk8u_jdk    文件:OCSPResponse.java   
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;
    if (issuerCert != null) {
        name = issuerCert.getSubjectX500Principal();
        pubKey = issuerCert.getPublicKey();
        certificate = issuerCert;
    } else {
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
        certificate = anchor.getTrustedCert();
    }
}
项目:jdk8u_jdk    文件:OCSP.java   
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }
    OCSPResponse ocspResponse = check(Collections.singletonList(certId),
            responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
            responderCert, date, extensions, variant);
    return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
项目:jdk8u_jdk    文件:AlgorithmChecker.java   
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
项目:jdk8u_jdk    文件:ForwardBuilder.java   
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
项目:jdk8u_jdk    文件:ValidateTargetConstraints.java   
public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
项目:jdk8u_jdk    文件:ValidateNC.java   
public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }