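/**
 * Returns an instance of <code>ExtendedPKIXParameters</code> which can be
 * safely casted to <code>ExtendedPKIXBuilderParameters</code>.
 * <p>
 * This method can be used to get a copy from other
 * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
 * and <code>ExtendedPKIXParameters</code> instances.
 *
 * @param pkixParams The PKIX parameters to create a copy of.
 * @return An <code>ExtendedPKIXBuilderParameters</code> instance.
 * @throws RuntimeException if the copy cannot be constructed; the original
 *         exception is retained as the cause so the real failure is visible.
 */
public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams)
{
    ExtendedPKIXBuilderParameters params;
    try
    {
        // The target constraints are expected to be an X509CertSelector; a
        // different CertSelector implementation fails the cast and is reported
        // through the catch below rather than silently accepted.
        X509CertSelector target = (X509CertSelector) pkixParams.getTargetCertConstraints();
        params = new ExtendedPKIXBuilderParameters(pkixParams.getTrustAnchors(),
            X509CertStoreSelector.getInstance(target));
    }
    catch (Exception e)
    {
        // Not expected for well-formed input. Keep the cause: with only the
        // message the originating exception type and stack would be lost.
        throw new RuntimeException(e.getMessage(), e);
    }
    params.setParams(pkixParams);
    return params;
}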
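/**
 * Converts a JCA {@link X509CertSelector} into an equivalent
 * {@code X509CertificateHolderSelector}.
 * <p>
 * The issuer and serial number criteria are always carried over; the subject
 * key identifier is carried over too when the selector specifies one.
 *
 * @param certSelector the selector to convert.
 * @return an equivalent {@code X509CertificateHolderSelector}.
 * @throws IllegalArgumentException if the selector's issuer cannot be encoded;
 *         the underlying {@link IOException} is retained as the cause.
 */
public X509CertificateHolderSelector getCertificateHolderSelector(X509CertSelector certSelector)
{
    try
    {
        X500Name issuer = X500Name.getInstance(certSelector.getIssuerAsBytes());
        byte[] skid = certSelector.getSubjectKeyIdentifier();
        if (skid != null)
        {
            // The selector returns the DER-encoded OCTET STRING, so it is decoded
            // before its raw octets are passed on.
            return new X509CertificateHolderSelector(issuer, certSelector.getSerialNumber(),
                ASN1OctetString.getInstance(skid).getOctets());
        }
        return new X509CertificateHolderSelector(issuer, certSelector.getSerialNumber());
    }
    catch (IOException e)
    {
        throw new IllegalArgumentException("unable to convert issuer: " + e.getMessage(), e);
    }
}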
/**
 * Looks up CA certificate entries matching the given selector.
 * <p>
 * A subject/serial based search is attempted first; when it yields nothing,
 * every entry carrying the CA certificate attribute is fetched with a
 * wildcard search instead.
 *
 * @param xselector the selector to match against.
 * @return the matching entries; empty when nothing was found.
 * @throws CertStoreException if the directory lookup fails.
 */
private Set getCACertificates(X509CertSelector xselector) throws CertStoreException
{
    String[] attributes = new String[] { params.getCACertificateAttribute() };
    Set result = certSubjectSerialSearch(xselector, attributes,
        params.getLdapCACertificateAttributeName(),
        params.getCACertificateSubjectAttributeName());
    // Targeted search found nothing: fall back to scanning the whole attribute.
    if (result.isEmpty())
    {
        result.addAll(search(null, "*", attributes));
    }
    return result;
}
/**
 * Looks up cross certificate entries matching the given selector.
 * <p>
 * A subject/serial based search is attempted first; when it yields nothing,
 * every entry carrying the cross certificate attribute is fetched with a
 * wildcard search instead.
 *
 * @param xselector the selector to match against.
 * @return the matching entries; empty when nothing was found.
 * @throws CertStoreException if the directory lookup fails.
 */
private Set getCrossCertificates(X509CertSelector xselector) throws CertStoreException
{
    String[] attributes = new String[] { params.getCrossCertificateAttribute() };
    Set result = certSubjectSerialSearch(xselector, attributes,
        params.getLdapCrossCertificateAttributeName(),
        params.getCrossCertificateSubjectAttributeName());
    // Targeted search found nothing: fall back to scanning the whole attribute.
    if (result.isEmpty())
    {
        result.addAll(search(null, "*", attributes));
    }
    return result;
}
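/**
 * Converts a JCA {@link X509CertSelector} into an equivalent {@code SignerId}.
 * <p>
 * The issuer and serial number criteria are always carried over; the subject
 * key identifier is carried over too when the selector specifies one.
 *
 * @param certSelector the selector to convert.
 * @return an equivalent {@code SignerId}.
 * @throws IllegalArgumentException if the selector's issuer cannot be encoded;
 *         the underlying {@link IOException} is retained as the cause.
 */
public SignerId getSignerId(X509CertSelector certSelector)
{
    try
    {
        X500Name issuer = X500Name.getInstance(certSelector.getIssuerAsBytes());
        byte[] skid = certSelector.getSubjectKeyIdentifier();
        if (skid != null)
        {
            // The selector returns the DER-encoded OCTET STRING, so it is decoded
            // before its raw octets are passed on.
            return new SignerId(issuer, certSelector.getSerialNumber(),
                ASN1OctetString.getInstance(skid).getOctets());
        }
        return new SignerId(issuer, certSelector.getSerialNumber());
    }
    catch (IOException e)
    {
        throw new IllegalArgumentException("unable to convert issuer: " + e.getMessage(), e);
    }
}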
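/**
 * Converts a JCA {@link X509CertSelector} into an equivalent
 * {@code KeyTransRecipientId}.
 * <p>
 * The issuer and serial number criteria are always carried over; the subject
 * key identifier is carried over too when the selector specifies one.
 *
 * @param certSelector the selector to convert.
 * @return an equivalent {@code KeyTransRecipientId}.
 * @throws IllegalArgumentException if the selector's issuer cannot be encoded;
 *         the underlying {@link IOException} is retained as the cause.
 */
public KeyTransRecipientId getKeyTransRecipientId(X509CertSelector certSelector)
{
    try
    {
        X500Name issuer = X500Name.getInstance(certSelector.getIssuerAsBytes());
        byte[] skid = certSelector.getSubjectKeyIdentifier();
        if (skid != null)
        {
            // The selector returns the DER-encoded OCTET STRING, so it is decoded
            // before its raw octets are passed on.
            return new KeyTransRecipientId(issuer, certSelector.getSerialNumber(),
                ASN1OctetString.getInstance(skid).getOctets());
        }
        return new KeyTransRecipientId(issuer, certSelector.getSerialNumber());
    }
    catch (IOException e)
    {
        throw new IllegalArgumentException("unable to convert issuer: " + e.getMessage(), e);
    }
}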
/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported.
 *
 * @param algorithm The algorithm to get parameters for.
 * @param crlf The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException if {@code algorithm} is anything other than PKIX.
 * @throws Exception if the CRLs cannot be read or the CertStore cannot be created.
 */
protected CertPathParameters getParameters(String algorithm, String crlf,
                                           KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters pkixParams =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());

    // Expose the configured CRLs to the path builder via a collection-backed CertStore.
    Collection crls = getCRLs(crlf);
    pkixParams.addCertStore(CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(crls)));
    // Revocation checking is enabled so the builder consults the CRLs registered above.
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(listener.getSslTrustMaxCertLength());
    return pkixParams;
}
/**
 * Returns an X509CertSelector for matching on the authority key
 * identifier, or null if not applicable.
 *
 * @param previousCert the certificate whose AKID extension is consulted; may be null.
 * @return a selector that matches candidates whose subject key identifier equals
 *         the AKID key identifier, or null when the certificate, the extension or
 *         the key identifier is absent.
 * @throws IOException if the key identifier cannot be encoded.
 */
private X509CertSelector getSelector(X509CertImpl previousCert) throws IOException {
    if (previousCert == null) {
        return null;
    }
    AuthorityKeyIdentifierExtension akid = previousCert.getAuthorityKeyIdentifierExtension();
    if (akid == null) {
        return null;
    }
    byte[] keyId = akid.getEncodedKeyIdentifier();
    if (keyId == null) {
        return null;
    }
    // Candidate issuers are those whose SKID equals this certificate's AKID key identifier.
    X509CertSelector selector = new X509CertSelector();
    selector.setSubjectKeyIdentifier(keyId);
    return selector;
}
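/**
 * Exercises {@code X509CertSelector.setPrivateKeyValid}: a date well before the
 * certificate's private key usage period must not match, while the period's
 * notBefore date must.
 *
 * @throws IOException if the PrivateKeyUsagePeriod extension cannot be decoded.
 * @throws CertificateException if the test certificate cannot be read.
 */
private void testPrivateKeyValid() throws IOException, CertificateException {
    System.out.println("X.509 Certificate Match on privateKeyValid");

    // bad match: Calendar months are zero-based, so Calendar.DECEMBER (not 12)
    // gives 31 Dec 1968; a lenient Calendar would silently roll 12 over to
    // 31 Jan 1969, which is not the date this case intends.
    X509CertSelector selector = new X509CertSelector();
    Calendar cal = Calendar.getInstance();
    cal.set(1968, Calendar.DECEMBER, 31);
    selector.setPrivateKeyValid(cal.getTime());
    checkMatch(selector, cert, false);

    // good match: use the notBefore date carried by the certificate's
    // PrivateKeyUsagePeriod extension (OID 2.5.29.16).
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.16"));
    byte[] encoded = in.getOctetString();
    PrivateKeyUsageExtension ext = new PrivateKeyUsageExtension(false, encoded);
    Date validDate = (Date) ext.get(PrivateKeyUsageExtension.NOT_BEFORE);
    selector.setPrivateKeyValid(validDate);
    checkMatch(selector, cert, true);
}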
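/**
 * Exercises {@code X509CertSelector.setPolicy}: an OID the certificate does not
 * assert must not match, while the first policy carried by its
 * certificatePolicies extension must.
 *
 * @throws IOException if the certificatePolicies extension cannot be decoded.
 */
private void testPolicy() throws IOException {
    System.out.println("X.509 Certificate Match on certificatePolicies");
    // test encoding of CertificatePoliciesExtension because we wrote the
    // code

    // bad match: an OID the certificate does not assert
    X509CertSelector selector = new X509CertSelector();
    Set<String> policyIds = new HashSet<>();
    policyIds.add("1.2.5.7.68");
    selector.setPolicy(policyIds);
    checkMatch(selector, cert, false);

    // good match: decode the certificatePolicies extension (OID 2.5.29.32)
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
    CertificatePoliciesExtension ext =
        new CertificatePoliciesExtension(false, in.getOctetString());
    List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
    // match on the first policy id; the list is already typed, so no cast is needed
    PolicyInformation policyInfo = policies.get(0);
    policyIds.clear();
    policyIds.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
    selector.setPolicy(policyIds);
    checkMatch(selector, cert, true);
}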
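/**
 * Builds the test fixture from a chain of certificate files.
 * <p>
 * {@code certs[0]} becomes the trust anchor; the remaining entries are read in
 * order and prepended, so the resulting path lists them in reverse argument
 * order (target certificate first, as an X.509 CertPath expects). Sets the
 * static {@code path} and {@code params} fields; revocation checking is
 * disabled and the target is constrained to serial number 1427.
 *
 * @param certs file names: the anchor first, then the chain from the anchor downwards.
 * @throws IllegalArgumentException if {@code certs} is null or empty.
 * @throws Exception if a certificate cannot be read or the path cannot be generated.
 */
public static void createPath(String[] certs) throws Exception {
    if (certs == null || certs.length == 0) {
        throw new IllegalArgumentException("at least the trust anchor certificate is required");
    }
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);

    // Prepend each certificate so the path ends up target-first.
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    // Test fixture: no CRL/OCSP data is provided, so revocation is deliberately off.
    params.setRevocationEnabled(false);

    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}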
/**
 * Return the initialization parameters for the TrustManager. Currently,
 * only the default <code>PKIX</code> is supported.
 *
 * @param algorithm
 *            The algorithm to get parameters for.
 * @param crlf
 *            The path to the CRL file.
 * @param trustStore
 *            The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws CRLException
 *             if {@code algorithm} is anything other than PKIX.
 * @throws Exception
 *             if the CRLs cannot be read or the CertStore cannot be created.
 */
protected CertPathParameters getParameters(String algorithm, String crlf,
        KeyStore trustStore) throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore,
            new X509CertSelector());

    // Expose the configured CRLs to the path builder via a collection-backed CertStore.
    Collection<? extends CRL> crls = getCRLs(crlf);
    pkixParams.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(crls)));
    // Revocation checking is enabled so the builder consults the CRLs registered above.
    pkixParams.setRevocationEnabled(true);

    String maxLength = endpoint.getTrustMaxCertLength();
    if (maxLength != null) {
        try {
            pkixParams.setMaxPathLength(Integer.parseInt(maxLength));
        } catch (Exception ex) {
            // Covers both an unparsable value (NumberFormatException) and a
            // value below -1, which setMaxPathLength rejects; in either case
            // the default path length is kept and the bad setting is logged.
            log.warn("Bad maxCertLength: " + maxLength);
        }
    }
    return pkixParams;
}
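/**
 * Validates the "my" fixture subject against the local directory cert store
 * and expects a three-certificate chain in the result.
 *
 * @throws Exception if the fixture cannot be loaded or validation fails.
 */
@Test
public void testValidateMy() throws Exception {
    System.out.println("validateMy");
    FileSystemDirectoryCertStore certStore =
        new FileSystemDirectoryCertStore("./src/test/cert/my");

    KeyStore ks = KeyStore.getInstance("jks");
    // Close the stream even if load() throws, so a bad fixture does not leak a handle.
    FileInputStream fis = new FileInputStream("./src/test/cert/my/myStore");
    try {
        ks.load(fis, "mystorepass".toCharArray());
    } finally {
        fis.close();
    }

    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setSubject(new X500Principal("CN = Luis Goncalves,OU = CC,O = ISEL,C = PT"));
    Collection<X509Certificate> otherCerts = Collections.emptyList();

    // NOTE(review): the boolean flag appears to control revocation checking
    // (the NIST test passes true and asserts CRLs) -- confirm against the provider.
    PKIXCertificateValidationProvider instance =
        new PKIXCertificateValidationProvider(ks, false, certStore.getStore());
    ValidationData result = instance.validate(certSelector, new Date(), otherCerts);
    // assertEquals takes the expected value first; reversed arguments produce
    // a misleading failure message.
    assertEquals(3, result.getCerts().size());
}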
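/**
 * Validates the NIST fixture subject against the local directory cert store
 * with revocation data available and expects a four-certificate chain plus
 * three CRLs in the result.
 *
 * @throws Exception if the fixture cannot be loaded or validation fails.
 */
@Test
public void testValidateNist() throws Exception {
    System.out.println("validateNist");
    FileSystemDirectoryCertStore certStore =
        new FileSystemDirectoryCertStore("./src/test/cert/csrc.nist");

    KeyStore ks = KeyStore.getInstance("jks");
    // Close the stream even if load() throws, so a bad fixture does not leak a handle.
    FileInputStream fis = new FileInputStream("./src/test/cert/csrc.nist/trustAnchor");
    try {
        ks.load(fis, "password".toCharArray());
    } finally {
        fis.close();
    }

    X509CertSelector certSelector = new X509CertSelector();
    certSelector.setSubject(new X500Principal("CN = User1-CP.02.01,OU = Testing,OU = DoD,O = U.S. Government,C = US"));
    Collection<X509Certificate> otherCerts = Collections.emptyList();

    // NOTE(review): the boolean flag appears to control revocation checking
    // (this test passes true and asserts CRLs) -- confirm against the provider.
    PKIXCertificateValidationProvider instance =
        new PKIXCertificateValidationProvider(ks, true, certStore.getStore());
    ValidationData result = instance.validate(certSelector, new Date(), otherCerts);
    // assertEquals takes the expected value first; reversed arguments produce
    // a misleading failure message.
    assertEquals(4, result.getCerts().size());
    assertEquals(3, result.getCrls().size());
}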
/**
 * Test #1 for <code>PKIXBuilderParameters(Set, CertSelector)</code>
 * constructor<br>
 * Assertion: creates an instance of <code>PKIXBuilderParameters</code>
 * whose target constraints are the selector passed in.
 * @throws InvalidAlgorithmParameterException
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "Verifies positive case.",
    method = "PKIXBuilderParameters",
    args = {java.util.Set.class, java.security.cert.CertSelector.class}
)
public final void testPKIXBuilderParametersSetCertSelector01()
        throws InvalidAlgorithmParameterException {
    Set<TrustAnchor> anchors = TestUtils.getTrustAnchorSet();
    if (anchors == null) {
        fail(getName() + ": not performed (could not create test TrustAnchor set)");
    }
    // both parameters are valid and non-null
    X509CertSelector selector = new X509CertSelector();
    PKIXParameters created = new PKIXBuilderParameters(anchors, selector);
    assertTrue("instanceOf", created instanceof PKIXBuilderParameters);
    assertNotNull("certSelector", created.getTargetCertConstraints());
}
/**
 * Test #1 for <code>PKIXBuilderParameters(KeyStore, CertSelector)</code>
 * constructor<br>
 * Assertion: <code>NullPointerException</code> - if the
 * <code>keystore</code> is <code>null</code>
 */
@TestTargetNew(
    level = TestLevel.PARTIAL_COMPLETE,
    notes = "Veirifies null as a KeyStore parameter.",
    method = "PKIXBuilderParameters",
    args = {java.security.KeyStore.class, java.security.cert.CertSelector.class}
)
public final void testPKIXBuilderParametersKeyStoreCertSelector01() throws Exception {
    // A typed null picks the (KeyStore, CertSelector) overload, same as the cast would.
    KeyStore noKeyStore = null;
    try {
        new PKIXBuilderParameters(noKeyStore, new X509CertSelector());
    } catch (NullPointerException expected) {
        // the constructor must reject a null keystore
        return;
    }
    fail("NullPointerException expected");
}