/**
 * Builds a {@link CertStore} of the configured type from the certificate and CRL
 * holders collected so far.
 * <p>
 * Provider resolution follows the order of the checks below: a provider name
 * ({@code String}), then a {@link Provider} instance, and otherwise the plain JCA
 * lookup with no provider specified.
 *
 * @return a CertStore backed by the converted holders
 * @throws GeneralSecurityException if the store type or provider cannot be resolved
 *         or the collection parameters are rejected
 */
public CertStore build() throws GeneralSecurityException {
    CollectionCertStoreParameters storeParams = convertHolders(certificateConverter, crlConverter);
    if (provider instanceof String) {
        return CertStore.getInstance(type, storeParams, (String) provider);
    } else if (provider instanceof Provider) {
        return CertStore.getInstance(type, storeParams, (Provider) provider);
    } else {
        return CertStore.getInstance(type, storeParams);
    }
}
/**
 * Queries the configured stores for certificates matching {@code certSelector}.
 * <p>
 * When {@code searchAllStores} is set on the parameters, the matches from every
 * store are merged into one list. Otherwise the first store that yields a
 * non-empty result wins and the remaining stores are never consulted. With no
 * match anywhere an empty collection is returned.
 *
 * @param certSelector the selector handed to each underlying store
 * @return the matching certificates, possibly empty, never {@code null}
 * @throws CertStoreException propagated from an underlying store
 */
public Collection engineGetCertificates(CertSelector certSelector) throws CertStoreException {
    boolean mergeAll = params.getSearchAllStores();
    List merged = mergeAll ? new ArrayList() : Collections.EMPTY_LIST;
    for (Object entry : params.getCertStores()) {
        CertStore store = (CertStore) entry;
        Collection found = store.getCertificates(certSelector);
        if (!mergeAll) {
            if (!found.isEmpty()) {
                return found;
            }
            continue;
        }
        merged.addAll(found);
    }
    return merged;
}
/**
 * Queries the configured stores for CRLs matching {@code crlSelector}.
 * <p>
 * When {@code searchAllStores} is set on the parameters, the matches from every
 * store are merged into one list. Otherwise the first store that yields a
 * non-empty result wins and the remaining stores are never consulted. With no
 * match anywhere an empty collection is returned.
 *
 * @param crlSelector the selector handed to each underlying store
 * @return the matching CRLs, possibly empty, never {@code null}
 * @throws CertStoreException propagated from an underlying store
 */
public Collection engineGetCRLs(CRLSelector crlSelector) throws CertStoreException {
    boolean mergeAll = params.getSearchAllStores();
    List merged = mergeAll ? new ArrayList() : Collections.EMPTY_LIST;
    for (Object entry : params.getCertStores()) {
        CertStore store = (CertStore) entry;
        Collection found = store.getCRLs(crlSelector);
        if (!mergeAll) {
            if (!found.isEmpty()) {
                return found;
            }
            continue;
        }
        merged.addAll(found);
    }
    return merged;
}
/**
 * Returns the certificates carried in a signed request as a {@link CertStore}.
 * <p>
 * The store may be empty. For an unsigned request there is nothing to return and
 * the method yields {@code null}; callers must check for that before use.
 *
 * @param type the CertStore type to create
 * @param provider the JCA provider used both for the certificate list and the store
 * @return {@code null} if the request is not signed, otherwise a CertStore
 * @throws NoSuchAlgorithmException if the CertStore type is unavailable
 * @throws NoSuchProviderException if the provider is unknown
 * @throws OCSPException if the store cannot be set up from the certificate list
 */
public CertStore getCertificates(String type, String provider)
        throws NoSuchAlgorithmException, NoSuchProviderException, OCSPException {
    if (!isSigned()) {
        return null;
    }
    try {
        CertStoreParameters collectionParams = new CollectionCertStoreParameters(getCertList(provider));
        return OCSPUtil.createCertStoreInstance(type, collectionParams, provider);
    } catch (InvalidAlgorithmParameterException e) {
        // The cause is kept so the underlying parameter problem stays diagnosable.
        throw new OCSPException("can't setup the CertStore", e);
    }
}
/**
 * Returns the certificates associated with the response, if any, wrapped in a
 * {@link CertStore} of the requested type.
 *
 * @param type the CertStore type to create
 * @param provider the JCA provider used both for the certificate list and the store
 * @return a CertStore, possibly empty
 * @throws NoSuchAlgorithmException if the CertStore type is unavailable
 * @throws NoSuchProviderException if the provider is unknown
 * @throws OCSPException if the store cannot be set up from the certificate list
 */
public CertStore getCertificates(String type, String provider)
        throws NoSuchAlgorithmException, NoSuchProviderException, OCSPException {
    try {
        CertStoreParameters collectionParams = new CollectionCertStoreParameters(getCertList(provider));
        return OCSPUtil.createCertStoreInstance(type, collectionParams, provider);
    } catch (InvalidAlgorithmParameterException e) {
        // The cause is kept so the underlying parameter problem stays diagnosable.
        throw new OCSPException("can't setup the CertStore", e);
    }
}
/**
 * Reports whether the {@link CertStore} used for validation holds at least one CRL.
 * <p>
 * A {@code null} selector is passed so the store returns everything it has,
 * avoiding the cost of an {@code X509CRLSelector}. If the store rejects the query
 * with a {@link CertStoreException}, the error is logged and the store is treated
 * as containing no CRLs, i.e. the method answers {@code false}.
 *
 * @param certStore the cert store that will be used for validation
 * @return {@code true} if the store returned at least one CRL, {@code false} otherwise
 */
protected boolean storeContainsCRLs(CertStore certStore) {
    Collection<? extends CRL> found;
    try {
        // null selector == "all CRLs" for the collection-backed store
        found = certStore.getCRLs(null);
    } catch (CertStoreException e) {
        log.error("Error examining cert store for CRL's, treating as if no CRL's present", e);
        return false;
    }
    return found != null && !found.isEmpty();
}
/**
 * Builds the initialization parameters for the TrustManager.
 * <p>
 * Only the {@code PKIX} algorithm is supported: the trust store is wrapped in
 * {@link PKIXBuilderParameters}, the CRLs loaded from {@code crlf} are attached as
 * a collection-backed {@link CertStore}, revocation checking is switched on and the
 * maximum path length is taken from the listener.
 *
 * @param algorithm the algorithm to get parameters for
 * @param crlf the path to the CRL file
 * @param trustStore the configured TrustStore
 * @return the parameters including the CRLs and TrustStore
 * @throws CRLException if {@code algorithm} is anything other than {@code PKIX}
 * @throws Exception propagated from CRL loading or CertStore construction
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection crls = getCRLs(crlf);
    CertStoreParameters collectionParams = new CollectionCertStoreParameters(crls);
    pkixParams.addCertStore(CertStore.getInstance("Collection", collectionParams));
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(listener.getSslTrustMaxCertLength());
    return pkixParams;
}
/**
 * Returns the cached {@code CertStore} for {@code params}, creating and caching a
 * new URI-backed store on a miss.
 * <p>
 * The method is {@code synchronized} so the cache lookup and insertion happen
 * atomically across callers.
 *
 * @param params the URI parameters that key the cache
 * @return a CertStore for the URI, shared between callers with equal parameters
 * @throws NoSuchAlgorithmException propagated from store construction
 * @throws InvalidAlgorithmParameterException propagated from store construction
 */
static synchronized CertStore getInstance(URICertStoreParameters params)
        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
    if (debug != null) {
        debug.println("CertStore URI:" + params.uri);
    }
    CertStore cached = certStoreCache.get(params);
    if (cached != null) {
        if (debug != null) {
            debug.println("URICertStore.getInstance: cache hit");
        }
        return cached;
    }
    CertStore created = new UCS(new URICertStore(params), null, "URI", params);
    certStoreCache.put(params, created);
    return created;
}
/**
 * Creates a CertStore from the {@code AccessDescription} of a certificate's
 * Authority Information Access extension.
 * <p>
 * Only the caIssuers access method with a URI location is handled; any other
 * description, and any failure while building the store, yields {@code null}
 * (the failure is printed only when debugging is enabled).
 *
 * @param ad the access description taken from the AIA extension
 * @return a CertStore for the caIssuers URI, or {@code null}
 */
static CertStore getInstance(AccessDescription ad) {
    boolean isCaIssuers = ad.getAccessMethod().equals((Object) AccessDescription.Ad_CAISSUERS_Id);
    if (!isCaIssuers) {
        return null;
    }
    GeneralNameInterface location = ad.getAccessLocation().getName();
    if (location instanceof URIName) {
        URI target = ((URIName) location).getURI();
        try {
            return URICertStore.getInstance(new URICertStore.URICertStoreParameters(target));
        } catch (Exception ex) {
            // Best effort: a bad or unreachable AIA location must not abort path building.
            if (debug != null) {
                debug.println("exception creating CertStore: " + ex);
                ex.printStackTrace();
            }
            return null;
        }
    }
    return null;
}
/**
 * Retrieves all certs from the given CertStores that satisfy the parameters and
 * the current PKIX state (name constraints, policy constraints, etc).
 * <p>
 * End-entity matches are collected first and CA matches appended after them,
 * since the last certificate of the path may be either kind and a path to an
 * end entity is the common case.
 *
 * @param currState the current state; must be a {@code ReverseState}
 * @param certStores the stores to query
 * @return the EE matches followed by the CA matches
 * @throws CertStoreException propagated from the stores
 * @throws CertificateException propagated from certificate handling
 * @throws IOException propagated from extension parsing
 */
@Override
Collection<X509Certificate> getMatchingCerts(State currState, List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    ReverseState reverseState = (ReverseState) currState;
    if (debug != null) {
        debug.println("In ReverseBuilder.getMatchingCerts.");
    }
    // EE candidates first, CA candidates appended: order is part of the contract.
    Collection<X509Certificate> matches = getMatchingEECerts(reverseState, certStores);
    Collection<X509Certificate> caMatches = getMatchingCACerts(reverseState, certStores);
    matches.addAll(caMatches);
    return matches;
}
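/**
 * Creates a URICertStore.
 * <p>
 * LDAP URIs are delegated to an "LDAP" CertStore; any other scheme is fetched by
 * this class itself. A URI without a scheme is rejected here instead of failing
 * later with a NullPointerException on the scheme comparison.
 *
 * @param params the store parameters; must be a {@code URICertStoreParameters}
 * @throws InvalidAlgorithmParameterException if {@code params} is not a
 *         {@code URICertStoreParameters} or its URI carries no scheme
 * @throws NoSuchAlgorithmException if the URI is an LDAP URI and no "LDAP"
 *         CertStore implementation is available
 */
URICertStore(CertStoreParameters params)
        throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    super(params);
    if (!(params instanceof URICertStoreParameters)) {
        throw new InvalidAlgorithmParameterException("params must be instanceof URICertStoreParameters");
    }
    this.uri = ((URICertStoreParameters) params).getURI();
    // The URI may originate from a certificate extension; reject a scheme-less
    // one with the same exception type callers already handle for bad parameters.
    String scheme = uri.getScheme();
    if (scheme == null) {
        throw new InvalidAlgorithmParameterException("URI scheme must be specified: " + uri);
    }
    // if ldap URI, use an LDAPCertStore to fetch certs and CRLs
    if (scheme.toLowerCase(Locale.ENGLISH).equals("ldap")) {
        ldap = true;
        ldapCertStore = CertStore.getInstance("LDAP", params);
    }
    try {
        factory = CertificateFactory.getInstance("X.509");
    } catch (CertificateException e) {
        // Keep the cause: a missing X.509 factory is an environment fault and
        // the original exception is the only clue to why it happened.
        throw new RuntimeException(e);
    }
}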
/**
 * Returns the cached {@code CertStore} for {@code params}, creating and caching a
 * new URI-backed store on a miss.
 * <p>
 * The method is {@code synchronized} so the cache lookup and insertion happen
 * atomically across callers.
 *
 * @param params the URI parameters that key the cache
 * @return a CertStore for the URI, shared between callers with equal parameters
 * @throws NoSuchAlgorithmException propagated from store construction
 * @throws InvalidAlgorithmParameterException propagated from store construction
 */
static synchronized CertStore getInstance(URICertStoreParameters params)
        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
    if (debug != null) {
        debug.println("CertStore URI:" + params.getURI());
    }
    CertStore cached = certStoreCache.get(params);
    if (cached != null) {
        if (debug != null) {
            debug.println("URICertStore.getInstance: cache hit");
        }
        return cached;
    }
    CertStore created = new UCS(new URICertStore(params), null, "URI", params);
    certStoreCache.put(params, created);
    return created;
}
/**
 * Creates a CertStore from the {@code AccessDescription} of a certificate's
 * Authority Information Access extension.
 * <p>
 * Only the caIssuers access method with a URI location is handled; any other
 * description, and any failure while building the store, yields {@code null}
 * (the failure is printed only when debugging is enabled).
 *
 * @param ad the access description taken from the AIA extension
 * @return a CertStore for the caIssuers URI, or {@code null}
 */
static CertStore getInstance(AccessDescription ad) {
    boolean isCaIssuers = ad.getAccessMethod().equals(AccessDescription.Ad_CAISSUERS_Id);
    if (!isCaIssuers) {
        return null;
    }
    GeneralNameInterface location = ad.getAccessLocation().getName();
    if (location instanceof URIName) {
        URI target = ((URIName) location).getURI();
        try {
            return URICertStore.getInstance(new URICertStoreParameters(target));
        } catch (Exception ex) {
            // Best effort: a bad or unreachable AIA location must not abort path building.
            if (debug != null) {
                debug.println("exception creating CertStore: " + ex);
                ex.printStackTrace();
            }
            return null;
        }
    }
    return null;
}
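/**
 * Builds the initialization parameters for the TrustManager. Currently only the
 * default {@code PKIX} algorithm is supported.
 * <p>
 * The trust store is wrapped in {@link PKIXBuilderParameters}, the CRLs loaded
 * from {@code crlf} are attached as a collection-backed {@link CertStore},
 * revocation checking is switched on and, when the endpoint configures a
 * maximum certificate chain length, it is applied. An unusable configured
 * length is logged and ignored, leaving the PKIXBuilderParameters default.
 *
 * @param algorithm the algorithm to get parameters for
 * @param crlf the path to the CRL file
 * @param trustStore the configured TrustStore
 * @return the parameters including the CRLs and TrustStore
 * @throws CRLException if {@code algorithm} is anything other than {@code PKIX}
 * @throws Exception propagated from CRL loading or CertStore construction
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    xparams.addCertStore(CertStore.getInstance("Collection", csp));
    xparams.setRevocationEnabled(true);
    String trustLength = endpoint.getTrustMaxCertLength();
    if (trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (IllegalArgumentException ex) {
            // Covers exactly the two failures this statement can raise:
            // NumberFormatException from parseInt and InvalidParameterException
            // (a subclass of IllegalArgumentException) from setMaxPathLength
            // for values below -1. Anything else should propagate, not be hidden.
            log.warn("Bad maxCertLength: " + trustLength);
        }
    }
    return xparams;
}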
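/**
 * Initializes a new instance that uses the specified JCE providers for CertPathBuilder
 * and Signature.
 * <p>
 * The varargs array of stores is copied, so later changes to the caller's array do
 * not alter which intermediate certificates and CRLs this validator consults.
 *
 * @param trustAnchors the keystore with the trust-anchors ({@code TrustedCertificateEntry})
 * @param revocationEnabled whether revocation is enabled
 * @param maxPathLength the maximum length of the certification paths
 * @param certPathBuilderProvider the CertPathBuilder provider, or {@code null} for
 *        the default provider lookup
 * @param signatureProvider the Signature provider
 * @param intermCertsAndCrls a set of {@code CertStore}s that contain certificates to be
 *        used in the construction of the certification path. May contain CRLs to be used
 *        if revocation is enabled
 * @see xades4j.utils.FileSystemDirectoryCertStore
 * @throws NullPointerException if {@code trustAnchors} is {@code null}
 * @throws NoSuchAlgorithmException if there is no provider for PKIX CertPathBuilder
 * @throws NoSuchProviderException if {@code certPathBuilderProvider} names an
 *         unknown provider
 */
public PKIXCertificateValidationProvider(
        KeyStore trustAnchors,
        boolean revocationEnabled,
        int maxPathLength,
        String certPathBuilderProvider,
        String signatureProvider,
        CertStore... intermCertsAndCrls) throws NoSuchAlgorithmException, NoSuchProviderException {
    if (null == trustAnchors) {
        throw new NullPointerException("Trust anchors cannot be null");
    }
    this.trustAnchors = trustAnchors;
    this.revocationEnabled = revocationEnabled;
    this.maxPathLength = maxPathLength;
    // A null provider name means "any installed provider".
    this.certPathBuilder = certPathBuilderProvider == null
            ? CertPathBuilder.getInstance("PKIX")
            : CertPathBuilder.getInstance("PKIX", certPathBuilderProvider);
    this.signatureProvider = signatureProvider;
    // Defensive copy: the varargs array is owned by the caller, and storing it
    // directly would let the set of trusted intermediate stores be swapped
    // after construction. An explicit null is preserved as before.
    this.intermCertsAndCrls = intermCertsAndCrls == null ? null : intermCertsAndCrls.clone();
}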
/**
 * Test for {@code getDefaultType()}.
 * Assertion: returns the security property "certstore.type" or, when unset,
 * the fallback held in {@code defaultType}; changing the property changes
 * the reported default.
 * <p>
 * Note: when the property was initially unset, the restore step writes the
 * fallback value back rather than clearing the property.
 */
@TestTargetNew(
    level = TestLevel.COMPLETE,
    notes = "",
    method = "getDefaultType",
    args = {}
)
public void testCertStore01() {
    if (!LDAPSupport) {
        return;
    }
    String reported = CertStore.getDefaultType();
    String configured = Security.getProperty("certstore.type");
    if (configured == null) {
        configured = defaultType;
    }
    assertNotNull("Default type have not be null", reported);
    assertEquals("Incorrect default type", reported, configured);

    final String override = "Proba.cert.store.type";
    Security.setProperty("certstore.type", override);
    assertEquals("Incorrect default type", CertStore.getDefaultType(), override);

    Security.setProperty("certstore.type", configured);
    assertEquals("Incorrect default type", Security.getProperty("certstore.type"), configured);
}
/**
 * Test for {@code getInstance(String type, CertStoreParameters params)}.
 * Assertion: every valid type yields a CertStore reporting that type, and
 * its parameters can be read back without error.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL,
    notes = "InvalidAlgorithmParameterException checking missed",
    method = "getInstance",
    args = {java.lang.String.class, java.security.cert.CertStoreParameters.class}
)
public void testCertStore05() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    if (!initParams()) {
        return;
    }
    for (String validType : dValid) {
        CertStore store = CertStore.getInstance(validType, dParams);
        assertEquals("Incorrect type", store.getType(), validType);
        // Only checks that the accessor does not throw.
        store.getCertStoreParameters();
    }
}
/**
 * Test for {@code getInstance(String type, CertStoreParameters params, String provider)}.
 * Assertion: an unknown provider name raises NoSuchProviderException for every
 * valid type.
 * <p>
 * The inner loop starts at index 1, so {@code invalidValues[0]} is deliberately
 * skipped — presumably because that entry fails with a different exception type;
 * confirm against the field's initializer.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL,
    notes = "Verifies NoSuchProviderException. InvalidAlgorithmParameterException checking missed.",
    method = "getInstance",
    args = {java.lang.String.class, java.security.cert.CertStoreParameters.class, java.lang.String.class}
)
public void testCertStore07() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    if (!initParams()) {
        return;
    }
    for (String validType : dValid) {
        for (int idx = 1; idx < invalidValues.length; idx++) {
            String badProvider = invalidValues[idx];
            try {
                CertStore.getInstance(validType, dParams, badProvider);
                fail("NoSuchProviderException must be thrown");
            } catch (NoSuchProviderException expected) {
                // expected: the provider name is not registered
            }
        }
    }
}
/**
 * Test for {@code getInstance(String type, CertStoreParameters params, String provider)}.
 * Assertion: with the known provider name {@code dName}, every valid type yields
 * a CertStore reporting that type, and its parameters can be read back.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL,
    notes = "Verifies positive case. InvalidAlgorithmParameterException checking missed.",
    method = "getInstance",
    args = {java.lang.String.class, java.security.cert.CertStoreParameters.class, java.lang.String.class}
)
public void testCertStore10()
        throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
    if (!initParams()) {
        return;
    }
    for (String validType : dValid) {
        CertStore store = CertStore.getInstance(validType, dParams, dName);
        assertEquals("Incorrect type", store.getType(), validType);
        // Only checks that the accessor does not throw.
        store.getCertStoreParameters();
    }
}
/**
 * Test for {@code getInstance(String type, CertStoreParameters params, Provider provider)}.
 * Assertion: a {@code null} Provider raises IllegalArgumentException for every
 * valid type.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL,
    notes = "Verifies that getInstance throws IllegalArgumentException when provider is null. InvalidAlgorithmParameterException checking missed.",
    method = "getInstance",
    args = {java.lang.String.class, java.security.cert.CertStoreParameters.class, java.security.Provider.class}
)
public void testCertStore11() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    if (!initParams()) {
        return;
    }
    final Provider nullProvider = null;
    for (String validType : dValid) {
        try {
            CertStore.getInstance(validType, dParams, nullProvider);
            fail("IllegalArgumentException must be thrown");
        } catch (IllegalArgumentException expected) {
            // expected: a null Provider object is rejected up front
        }
    }
}
/**
 * Test for {@code getInstance(String type, CertStoreParameters params, Provider provider)}.
 * Assertion: with the Provider object {@code dProv}, every valid type yields a
 * CertStore reporting that type, and its parameters can be read back.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL,
    notes = "Verifies positive case. InvalidAlgorithmParameterException checking missed.",
    method = "getInstance",
    args = {java.lang.String.class, java.security.cert.CertStoreParameters.class, java.security.Provider.class}
)
public void testCertStore14() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
    if (!initParams()) {
        return;
    }
    for (String validType : dValid) {
        CertStore store = CertStore.getInstance(validType, dParams, dProv);
        assertEquals("Incorrect type", store.getType(), validType);
        // Only checks that the accessor does not throw.
        store.getCertStoreParameters();
    }
}
/**
 * Retrieves all certs from the given CertStores that satisfy the parameters and
 * the current PKIX state (name constraints, policy constraints, etc).
 * <p>
 * End-entity matches are collected first and CA matches appended after them,
 * since the last certificate of the path may be either kind and a path to an
 * end entity is the common case.
 *
 * @param currState the current state; must be a {@code ReverseState}
 * @param certStores the stores to query
 * @return the EE matches followed by the CA matches
 * @throws CertStoreException propagated from the stores
 * @throws CertificateException propagated from certificate handling
 * @throws IOException propagated from extension parsing
 */
Collection<X509Certificate> getMatchingCerts(State currState, List<CertStore> certStores)
        throws CertStoreException, CertificateException, IOException {
    ReverseState reverseState = (ReverseState) currState;
    if (debug != null) {
        debug.println("In ReverseBuilder.getMatchingCerts.");
    }
    // EE candidates first, CA candidates appended: order is part of the contract.
    Collection<X509Certificate> matches = getMatchingEECerts(reverseState, certStores);
    Collection<X509Certificate> caMatches = getMatchingCACerts(reverseState, certStores);
    matches.addAll(caMatches);
    return matches;
}