/**
 * Build a {@link CertStore} holding the certificates and CRLs added so far.
 * <p>
 * The holders are first converted to JCA objects with the configured converters;
 * the store is then requested from the configured provider, which may have been
 * given as a provider name or as a {@link Provider} instance. When no provider
 * was set, the default provider lookup for {@code type} is used.
 *
 * @return a CertStore of the configured type.
 * @throws GeneralSecurityException if a certificate or CRL cannot be converted,
 *         or if the requested store type is not available from the provider.
 */
public CertStore build() throws GeneralSecurityException {
    CollectionCertStoreParameters storeParams = convertHolders(certificateConverter, crlConverter);

    if (provider instanceof Provider) {
        return CertStore.getInstance(type, storeParams, (Provider)provider);
    }
    else if (provider instanceof String) {
        return CertStore.getInstance(type, storeParams, (String)provider);
    }
    // no explicit provider: let the JCA framework pick one
    return CertStore.getInstance(type, storeParams);
}
/**
 * Convert the accumulated {@code X509CertificateHolder}s and {@code X509CRLHolder}s
 * into JCA objects and wrap them in {@link CollectionCertStoreParameters}.
 *
 * @param certificateConverter converter used for the certificate holders.
 * @param crlConverter converter used for the CRL holders.
 * @return parameters wrapping one list that holds the certificates first, then the CRLs.
 * @throws CertificateException if a certificate holder cannot be converted.
 * @throws CRLException if a CRL holder cannot be converted.
 */
private CollectionCertStoreParameters convertHolders(JcaX509CertificateConverter certificateConverter, JcaX509CRLConverter crlConverter) throws CertificateException, CRLException {
    // size the list up front: one entry per certificate plus one per CRL
    List converted = new ArrayList(certs.size() + crls.size());

    Iterator certIt = certs.iterator();
    while (certIt.hasNext()) {
        X509CertificateHolder holder = (X509CertificateHolder)certIt.next();
        converted.add(certificateConverter.getCertificate(holder));
    }

    Iterator crlIt = crls.iterator();
    while (crlIt.hasNext()) {
        X509CRLHolder holder = (X509CRLHolder)crlIt.next();
        converted.add(crlConverter.getCRL(holder));
    }

    return new CollectionCertStoreParameters(converted);
}
/**
 * If the request is signed, return a (possibly empty) CertStore containing the
 * certificates carried in the request; if the request is not signed, return null.
 * <p>
 * NOTE(review): the certificates come from the requester and are only a hint for
 * locating the signer's chain — placing them in a CertStore does not make them
 * trusted. The caller still has to validate the request signer against its own
 * trust anchors.
 *
 * @param type type of CertStore to return
 * @param provider provider to use
 * @return null if not signed, a CertStore otherwise
 * @throws NoSuchAlgorithmException if the CertStore type is not available
 * @throws NoSuchProviderException if the provider is not available
 * @throws OCSPException if the CertStore cannot be set up from the certificate list
 */
public CertStore getCertificates(
    String type,
    String provider)
    throws NoSuchAlgorithmException, NoSuchProviderException, OCSPException
{
    if (!this.isSigned())
    {
        // an unsigned request carries no certificates at all
        return null;
    }

    try
    {
        CertStoreParameters storeParams = new CollectionCertStoreParameters(this.getCertList(provider));

        return OCSPUtil.createCertStoreInstance(type, storeParams, provider);
    }
    catch (InvalidAlgorithmParameterException e)
    {
        throw new OCSPException("can't setup the CertStore", e);
    }
}
/**
 * Return the certificates, if any, associated with the response as a CertStore.
 * <p>
 * NOTE(review): these certificates are supplied by the responder. They are
 * convenient for building the responder's certificate path, but nothing here
 * verifies them — the responder certificate must still be validated against
 * the relying party's trust anchors before the response is believed.
 *
 * @param type type of CertStore to create
 * @param provider provider to use
 * @return a CertStore, possibly empty
 * @throws NoSuchAlgorithmException if the CertStore type is not available
 * @throws NoSuchProviderException if the provider is not available
 * @throws OCSPException if the CertStore cannot be set up from the certificate list
 */
public CertStore getCertificates(
    String type,
    String provider)
    throws NoSuchAlgorithmException, NoSuchProviderException, OCSPException
{
    try
    {
        CertStoreParameters storeParams = new CollectionCertStoreParameters(this.getCertList(provider));

        return OCSPUtil.createCertStoreInstance(type, storeParams, provider);
    }
    catch (InvalidAlgorithmParameterException e)
    {
        throw new OCSPException("can't setup the CertStore", e);
    }
}
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 * <p>
 * The returned parameters enable revocation checking and make the CRLs read from
 * {@code crlf} available through a "Collection" CertStore; the trust anchors are
 * the trusted certificates in {@code trustStore}, and the maximum path length is
 * taken from the listener. NOTE(review): only CRLs from the file are consulted here
 * (nothing fetches CRL distribution points or OCSP), so the file presumably has to
 * hold a current CRL for every issuer in a presented chain — confirm against the
 * PKIX validator's behaviour for a missing CRL.
 *
 * @param algorithm The algorithm to get parameters for; anything other than PKIX is rejected.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is not PKIX.
 * @throws Exception if the CRLs cannot be read or the PKIX parameters cannot be built.
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }

    // an empty selector: any certificate a peer presents may be the target
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());

    Collection crls = getCRLs(crlf);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    pkixParams.addCertStore(crlStore);
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(listener.getSslTrustMaxCertLength());

    return pkixParams;
}
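/**
 * Return the initialization parameters for the TrustManager. Currently,
 * only the default <code>PKIX</code> is supported.
 * <p>
 * Revocation checking is enabled and the CRLs read from {@code crlf} are made
 * available through a "Collection" CertStore. The maximum certificate path
 * length comes from the endpoint's {@code trustMaxCertLength}; when it is unset,
 * unparseable or out of range, the {@link PKIXBuilderParameters} default applies
 * and a warning (with the cause) is logged instead of failing startup.
 * NOTE(review): only CRLs from the file are consulted — no CRL distribution
 * points or OCSP — so the file needs a current CRL for every issuer that may
 * appear in a peer chain.
 *
 * @param algorithm
 *            The algorithm to get parameters for; anything other than PKIX is rejected.
 * @param crlf
 *            The path to the CRL file.
 * @param trustStore
 *            The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is not PKIX.
 * @throws Exception if the CRLs cannot be read or the PKIX parameters cannot be built.
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }

    // empty selector: any certificate a peer presents may be the target
    PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    xparams.addCertStore(CertStore.getInstance("Collection", csp));
    xparams.setRevocationEnabled(true);

    String trustLength = endpoint.getTrustMaxCertLength();
    if (trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (Exception ex) {
            // NumberFormatException for garbage, InvalidParameterException for
            // values below -1: keep the PKIX default rather than fail, but log the
            // cause so the misconfiguration is diagnosable instead of swallowed.
            log.warn("Bad maxCertLength: " + trustLength, ex);
        }
    }

    return xparams;
}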
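/**
 * Test #2 for <code>CollectionCertStoreParameters</code> constructor<br>
 * Assertion: the no-arg constructor wraps an empty Collection that cannot be
 * modified. Only {@link UnsupportedOperationException} is accepted as proof of
 * immutability; catching every exception would let an unrelated failure
 * (e.g. a NullPointerException from a broken collection) pass the test.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "",
    method = "CollectionCertStoreParameters",
    args = {}
)
@SuppressWarnings("unchecked")
public final void testCollectionCertStoreParameters02() {
    CollectionCertStoreParameters cp = new CollectionCertStoreParameters();
    Collection c = cp.getCollection();
    assertTrue("isEmpty", c.isEmpty());
    // check that empty collection is immutable
    try {
        // try to modify it
        c.add(new Object());
        fail("empty collection must be immutable");
    } catch (UnsupportedOperationException e) {
        // expected: the collection rejects modification
    }
}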
/**
 * Test #3 for <code>CollectionCertStoreParameters(Collection)</code>
 * constructor<br>
 * Assertion: the constructor keeps a reference to the caller's Collection
 * rather than copying it, so later additions by the caller become visible
 * through {@code getCollection()}. (Whoever holds the collection can
 * therefore change what the CertStore will hand out.)
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "",
    method = "CollectionCertStoreParameters",
    args = {java.util.Collection.class}
)
public final void testCollectionCertStoreParametersCollection03() {
    Vector<Certificate> backing = new Vector<Certificate>();
    // construct over an empty collection
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(backing);

    // same object, not a copy
    assertTrue("isRefUsed_1", backing == params.getCollection());
    assertTrue("isEmpty", params.getCollection().isEmpty());

    // mutate through our own reference ...
    backing.add(new MyCertificate("TEST", new byte[] {(byte)1}));
    backing.add(new MyCertificate("TEST", new byte[] {(byte)2}));

    // ... and observe the change through the parameters object
    assertTrue("isRefUsed_2", backing.equals(params.getCollection()));
}
/**
 * Test #1 for <code>clone()</code> method<br>
 * Assertion: clone() returns a new object, not the receiver.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "",
    method = "clone",
    args = {}
)
public final void testClone01() {
    Vector<Certificate> backing = new Vector<Certificate>();
    backing.add(new MyCertificate("TEST", new byte[] {(byte)4}));
    CollectionCertStoreParameters original = new CollectionCertStoreParameters(backing);

    CollectionCertStoreParameters copy = (CollectionCertStoreParameters)original.clone();

    // identity, not equality: the clone must be a distinct instance
    assertTrue(copy != original);
}
/**
 * Test #2 for <code>clone()</code> method<br>
 * Assertion: the clone is shallow — it shares the same underlying Collection
 * with the original, so changes to that Collection affect both.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "",
    method = "clone",
    args = {}
)
public final void testClone02() {
    Vector<Certificate> backing = new Vector<Certificate>();
    backing.add(new MyCertificate("TEST", new byte[] {(byte)4}));
    CollectionCertStoreParameters original = new CollectionCertStoreParameters(backing);

    CollectionCertStoreParameters copy = (CollectionCertStoreParameters)original.clone();

    // shallow copy: both wrap the very same collection object
    assertTrue(copy.getCollection() == original.getCollection());
}
/**
 * Test #3 for <code>clone()</code> method<br>
 * Assertion: cloning a default-constructed instance, and cloning the clone,
 * keeps handing out the same (empty) Collection reference.
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "",
    method = "clone",
    args = {}
)
public final void testClone03() {
    CollectionCertStoreParameters first = new CollectionCertStoreParameters();
    CollectionCertStoreParameters second = (CollectionCertStoreParameters)first.clone();
    CollectionCertStoreParameters third = (CollectionCertStoreParameters)second.clone();

    // the shared collection is passed along through every generation of clone
    boolean firstSharesWithSecond = first.getCollection() == second.getCollection();
    boolean thirdSharesWithSecond = third.getCollection() == second.getCollection();
    assertTrue(firstSharesWithSecond && thirdSharesWithSecond);
}
/**
 * Create a trust manager backed by {@code trustTrust} with a CRL store that can be
 * refreshed in place.
 * <p>
 * The "Collection" {@link CertStore} is built over the live {@code crls} list, so
 * CRLs appended later (here by {@code loadCRL()}) become visible without rebuilding
 * the store. NOTE(review): if the store cannot be created only a warning is logged
 * and {@code crlStore} is left null — whatever performs revocation checks has to
 * cope with a missing store, otherwise revocation is silently skipped; confirm.
 *
 * @param trustTrust the KeyStore holding the trusted certificates.
 */
public ClientTrustManager(KeyStore trustTrust) {
    super();
    this.trustStore = trustTrust;

    // the store references this list; do not replace the list, only mutate it
    crls = new ArrayList<>();
    try {
        crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException ex) {
        Log.warn("ClientTrustManager: ",ex);
    }

    loadCRL();
}
/**
 * Test #3 for <code>CollectionCertStoreParameters(Collection)</code>
 * constructor<br>
 * Assertion: The Collection is not copied. Instead, a reference is used.
 * This allows the caller to subsequently add or remove Certificates or
 * CRLs from the Collection, thus changing the set of Certificates or CRLs
 * available to the Collection CertStore. The Collection CertStore will
 * not modify the contents of the Collection.
 */
public final void testCollectionCertStoreParametersCollection03() {
    Vector backing = new Vector();
    // construct over an empty collection
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(backing);

    // same object, not a copy
    assertTrue("isRefUsed_1", backing == params.getCollection());
    assertTrue("isEmpty", params.getCollection().isEmpty());

    // mutate through our own reference ...
    backing.add(new MyCertificate("TEST", new byte[] {(byte)1}));
    backing.add(new MyCertificate("TEST", new byte[] {(byte)2}));

    // ... and observe the change through the parameters object
    assertTrue("isRefUsed_2", backing.equals(params.getCollection()));
}
/**
 * Create a CRL-based revocation checker.
 *
 * @param anchor     trust anchor of the path being validated
 * @param params     PKIX parameters; supplies the CertStores searched for CRLs,
 *                   the signature provider and an optional validation date
 * @param certs      additional certificates (may be null); when present they
 *                   are exposed through an extra "Collection" CertStore
 * @param onlyEECert whether only end-entity certificates are to be checked
 * @throws CertPathValidatorException if {@code init} fails
 */
CrlRevocationChecker(TrustAnchor anchor, PKIXParameters params, Collection<X509Certificate> certs, boolean onlyEECert) throws CertPathValidatorException {
    mAnchor = anchor;
    mParams = params;
    mSigProvider = params.getSigProvider();
    mOnlyEECert = onlyEECert;

    // private copy: adding our own store must not alter the caller's parameters
    mStores = new ArrayList<CertStore>(params.getCertStores());
    if (certs != null) {
        try {
            CertStore extra = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
            mStores.add(extra);
        } catch (Exception e) {
            // not expected for the "Collection" type; the checker still works
            // with the parameter stores alone, so record it and carry on
            if (debug != null) {
                debug.println("CrlRevocationChecker: error creating Collection CertStore: " + e);
            }
        }
    }

    // validate "as of" the configured date when one is given, otherwise now
    Date validationDate = params.getDate();
    mCurrentTime = (validationDate == null) ? new Date() : validationDate;

    init(false);
}
/**
 * A signed message whose signer certificate appears on the supplied CRL: the
 * signature itself must verify, but the certificate path — and therefore the
 * overall validity — must be rejected with a "certRevoked" error.
 */
public void testRevoked() throws Exception {
    PKIXParameters params = createDefaultParams();

    // make the revoking CRL available through a Collection store and turn revocation on
    List crlList = new ArrayList();
    crlList.add(loadCRL("validator.revoked.crl"));
    CertStore crlStore = CertStore.getInstance("Collection",new CollectionCertStoreParameters(crlList));
    params.addCertStore(crlStore);
    params.setRevocationEnabled(true);

    SignedMailValidator.ValidationResult result = doTest("validator.revoked.eml", params);

    // cryptographically fine, but not acceptable: the signer is revoked
    assertTrue(result.isVerifiedSignature());
    assertFalse(result.isValidSignature());

    PKIXCertPathReviewer review = result.getCertPathReview();
    assertFalse(review.isValidCertPath());
    assertContainsMessage(
        review.getErrors(0),
        "CertPathReviewer.certRevoked",
        "The certificate was revoked at Sep 1, 2006 9:30:00 AM GMT. Reason: Key Compromise.");
}
/**
 * Sign {@code msg} with the GOST key pair, producing a multipart/signed message
 * that also carries the signer certificates needed to rebuild the signer's path.
 *
 * @param msg the body part to sign
 * @return the detached-signature multipart
 * @throws Exception on any provider or generation failure
 */
private MimeMultipart generateMultiPartGost(
    MimeBodyPart msg)
    throws Exception
{
    // certificates embedded in the SignedData alongside the signature
    List embedded = new ArrayList();
    embedded.add(_signCert);
    embedded.add(_signGostCert);
    CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(embedded);
    CertStore certStore = CertStore.getInstance("Collection", storeParams, "BC");

    SMIMESignedGenerator signer = new SMIMESignedGenerator();
    signer.addSigner(_signGostKP.getPrivate(), _signGostCert, SMIMESignedGenerator.DIGEST_GOST3411);
    signer.addCertificatesAndCRLs(certStore);

    return signer.generate(msg, "BC");
}
/**
 * Sign {@code msg} with the RSA key pair using the given digest, producing an
 * encapsulated (opaque) signed body part that carries the signer and originator
 * certificates.
 *
 * @param digestOid OID of the digest algorithm to sign with
 * @param msg the body part to sign
 * @return the encapsulated signed body part
 * @throws Exception on any provider or generation failure
 */
private MimeBodyPart generateEncapsulatedRsa(String digestOid, MimeBodyPart msg)
    throws Exception
{
    // certificates embedded in the SignedData alongside the signature
    List embedded = new ArrayList();
    embedded.add(_signCert);
    embedded.add(_origCert);
    CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(embedded);
    CertStore certStore = CertStore.getInstance("Collection", storeParams, "BC");

    ASN1EncodableVector signedAttrs = generateSignedAttributes();

    SMIMESignedGenerator signer = new SMIMESignedGenerator();
    // signed attributes only; no unsigned attributes
    signer.addSigner(_signKP.getPrivate(), _signCert, digestOid, new AttributeTable(signedAttrs), null);
    signer.addCertificatesAndCRLs(certStore);

    return signer.generateEncapsulated(msg, "BC");
}
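/**
 * Create the SPI for a "Collection" CertStore.
 *
 * @param params must be a {@link CollectionCertStoreParameters} instance.
 * @throws InvalidAlgorithmParameterException if {@code params} is null or of any
 *         other type. (A null argument used to surface as a NullPointerException
 *         from {@code params.toString()} while building the message; string
 *         concatenation renders null as "null" instead.)
 */
public CertStoreCollectionSpi(CertStoreParameters params)
    throws InvalidAlgorithmParameterException
{
    super(params);

    if (!(params instanceof CollectionCertStoreParameters))
    {
        throw new InvalidAlgorithmParameterException("org.bouncycastle.jce.provider.CertStoreCollectionSpi: parameter must be a CollectionCertStoreParameters object\n" + params);
    }

    this.params = (CollectionCertStoreParameters)params;
}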
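/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 * <p>
 * Revocation checking is enabled and the CRLs read from {@code crlf} are made
 * available through a "Collection" CertStore. The maximum certificate path
 * length comes from the endpoint's {@code trustMaxCertLength}; when it is unset,
 * unparseable or out of range, the {@link PKIXBuilderParameters} default applies
 * and a warning (with the cause) is logged instead of failing startup.
 * NOTE(review): only CRLs from the file are consulted — no CRL distribution
 * points or OCSP — so the file needs a current CRL for every issuer that may
 * appear in a peer chain.
 *
 * @param algorithm The algorithm to get parameters for; anything other than PKIX is rejected.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is not PKIX.
 * @throws Exception if the CRLs cannot be read or the PKIX parameters cannot be built.
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if(!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }

    // empty selector: any certificate a peer presents may be the target
    PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    xparams.addCertStore(CertStore.getInstance("Collection", csp));
    xparams.setRevocationEnabled(true);

    String trustLength = endpoint.getTrustMaxCertLength();
    if(trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch(Exception ex) {
            // NumberFormatException for garbage, InvalidParameterException for
            // values below -1: keep the PKIX default rather than fail, but log the
            // cause so the misconfiguration is diagnosable instead of swallowed.
            log.warn("Bad maxCertLength: "+trustLength, ex);
        }
    }

    return xparams;
}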
/**
 * Creates the certificate store that will be used during validation.
 * <p>
 * The store holds the untrusted credential's entity certificate chain plus the
 * CRLs from the PKIX validation information. CRLs carried by the untrusted
 * credential itself are added only when {@code options.isProcessCredentialCRLs()}
 * is set: they originate from the party being validated, so using them is an
 * explicit opt-in. Both CRL sets pass through {@code addCRLsToStoreMaterial}
 * together with the current time.
 *
 * @param validationInfo PKIX validation information
 * @param untrustedCredential credential to be validated
 *
 * @return certificate store used during validation
 *
 * @throws GeneralSecurityException thrown if the certificate store can not be created from the cert and CRL
 *             material
 */
protected CertStore buildCertStore(PKIXValidationInformation validationInfo, X509Credential untrustedCredential)
        throws GeneralSecurityException {

    log.trace("Creating cert store to use during path validation");

    log.trace("Adding entity certificate chain to cert store");
    List<Object> storeMaterial = new ArrayList<Object>(untrustedCredential.getEntityCertificateChain());
    if (log.isTraceEnabled()) {
        for (X509Certificate cert : untrustedCredential.getEntityCertificateChain()) {
            String subject = x500DNHandler.getName(cert.getSubjectX500Principal());
            String issuer = x500DNHandler.getName(cert.getIssuerX500Principal());
            String serial = cert.getSerialNumber().toString();
            log.trace(String.format("Added X509Certificate from entity cert chain to cert store "
                    + "with subject name '%s' issued by '%s' with serial number '%s'", subject, issuer, serial));
        }
    }

    Date now = new Date();

    boolean haveInfoCRLs = validationInfo.getCRLs() != null && !validationInfo.getCRLs().isEmpty();
    if (haveInfoCRLs) {
        log.trace("Processing CRL's from PKIX info set");
        addCRLsToStoreMaterial(storeMaterial, validationInfo.getCRLs(), now);
    }

    boolean haveCredentialCRLs = untrustedCredential.getCRLs() != null && !untrustedCredential.getCRLs().isEmpty();
    if (haveCredentialCRLs && options.isProcessCredentialCRLs()) {
        log.trace("Processing CRL's from untrusted credential");
        addCRLsToStoreMaterial(storeMaterial, untrustedCredential.getCRLs(), now);
    }

    return CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
}
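/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 * <p>
 * Revocation checking is enabled and the CRLs read from {@code crlf} are made
 * available through a "Collection" CertStore. The maximum certificate path
 * length comes from the {@code trustMaxCertLength} attribute; when it is unset,
 * unparseable or out of range, the {@link PKIXBuilderParameters} default applies
 * and a warning (with the cause) is logged instead of failing startup.
 * NOTE(review): only CRLs from the file are consulted — no CRL distribution
 * points or OCSP — so the file needs a current CRL for every issuer that may
 * appear in a peer chain.
 *
 * @param algorithm The algorithm to get parameters for; anything other than PKIX is rejected.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is not PKIX.
 * @throws Exception if the CRLs cannot be read or the PKIX parameters cannot be built.
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
    if(!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }

    // empty selector: any certificate a peer presents may be the target
    PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    xparams.addCertStore(CertStore.getInstance("Collection", csp));
    xparams.setRevocationEnabled(true);

    String trustLength = (String)attributes.get("trustMaxCertLength");
    if(trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch(Exception ex) {
            // NumberFormatException for garbage, InvalidParameterException for
            // values below -1: keep the PKIX default rather than fail, but log the
            // cause so the misconfiguration is diagnosable instead of swallowed.
            log.warn("Bad maxCertLength: "+trustLength, ex);
        }
    }

    return xparams;
}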
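/**
 * Build a PKIX certification path from {@code userCert} to the single trusted CA
 * returned by {@code getTrustedCertificate()}; a failure to build throws.
 * <p>
 * Revocation checking is explicitly disabled here, so a revoked {@code userCert}
 * still yields a path — acceptable only for this demonstration/test usage, not
 * for deciding trust in production.
 *
 * @param userCert the end-entity certificate the path must end in
 * @throws Exception if the trusted certificate cannot be loaded, the "PKIX"/"SUN"
 *         builder is unavailable, or no valid path can be built
 */
private void doBuild(X509Certificate userCert) throws Exception {
    // get the set of trusted CA certificates (only one in this instance)
    HashSet trustAnchors = new HashSet();
    X509Certificate trustedCert = getTrustedCertificate();
    trustAnchors.add(new TrustAnchor(trustedCert, null));

    // put together a CertStore (repository of the certificates and CRLs)
    ArrayList certs = new ArrayList();
    certs.add(trustedCert);
    certs.add(userCert);
    CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
    CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

    // specify the target certificate via a CertSelector
    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setCertificate(userCert);
    // The subject criterion was found to be required by the builder in addition to
    // the exact certificate. Pass the X500Principal directly rather than the
    // deprecated getSubjectDN().getName() string: re-parsing a string form can
    // differ from the encoded name for unusual RDNs and make the match fail.
    certSelector.setSubject(userCert.getSubjectX500Principal());

    // build a valid certificate path (throws CertPathBuilderException on failure)
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
    PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
    certPathBuilderParams.addCertStore(certStore);
    certPathBuilderParams.setRevocationEnabled(false);
    CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

    // the built path is available via result.getCertPath() should a caller want it
    result.getCertPath();
}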
/**
 * Build a path from a CA-issued end-entity certificate to the anchor and verify
 * that the first certificate of the resulting path is an end-entity certificate.
 * <p>
 * The selector's basic-constraints criterion of -2 restricts matching to
 * end-entity certificates, which is what the final check confirms. Revocation
 * is disabled because the fixture certificates carry no CRL data.
 */
public static void main(String[] args) throws Exception {
    // reset the security property to make sure that the algorithms
    // and keys used in this test are not disabled.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate anchorCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor = new TrustAnchor(anchorCert.getSubjectX500Principal(), anchorCert.getPublicKey(), null);

    // -2: only end-entity certificates may be the target
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters builderParams = new PKIXBuilderParameters(Collections.singleton(anchor), targetSelector);
    builderParams.setRevocationEnabled(false);

    // repository of intermediate and end-entity certificates for the builder
    ArrayList<X509Certificate> repository = new ArrayList<X509Certificate>();
    repository.add(CertUtils.getCertFromFile("ca.cer"));
    repository.add(CertUtils.getCertFromFile("ee.cer"));
    CertStore repositoryStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(repository));
    builderParams.addCertStore(repositoryStore);

    PKIXCertPathBuilderResult result = CertUtils.build(builderParams);
    CertPath path = result.getCertPath();

    // the target (first certificate in the path) must be an EE cert,
    // i.e. it carries no CA basic constraints
    List<? extends Certificate> pathCerts = path.getCertificates();
    X509Certificate target = (X509Certificate) pathCerts.get(0);
    if (target.getBasicConstraints() != -1) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
/**
 * Read a bunch of certs from files and create a "Collection" CertStore from them.
 * Duplicate certificates collapse because the material is gathered in a Set.
 *
 * @param relPath relative path containing certs (must end in
 * file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509Certificate> material = new HashSet<X509Certificate>();
    for (String fileName : fileNames) {
        material.add(getCertFromFile(relPath + fileName));
    }
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(material);
    return CertStore.getInstance("Collection", params);
}
/**
 * Read a bunch of CRLs from files and create a "Collection" CertStore from them.
 * Duplicate CRLs collapse because the material is gathered in a Set.
 *
 * @param relPath relative path containing CRLs (must end in file.separator)
 * @param fileNames an array of <code>String</code>s that are file names
 * @return the <code>CertStore</code> created
 * @throws Exception on error
 */
public static CertStore createCRLStore(String relPath, String [] fileNames)
    throws Exception {
    Set<X509CRL> material = new HashSet<X509CRL>();
    for (String fileName : fileNames) {
        material.add(getCRLFromFile(relPath + fileName));
    }
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(material);
    return CertStore.getInstance("Collection", params);
}