public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException { this.origTm = tm; this.verifyServerCert = verifyServerCertificate; if (verifyServerCertificate) { try { Set<TrustAnchor> anch = new HashSet<TrustAnchor>(); for (X509Certificate cert : tm.getAcceptedIssuers()) { anch.add(new TrustAnchor(cert, null)); } this.validatorParams = new PKIXParameters(anch); this.validatorParams.setRevocationEnabled(false); this.validator = CertPathValidator.getInstance("PKIX"); this.certFactory = CertificateFactory.getInstance("X.509"); } catch (Exception e) { throw new CertificateException(e); } } }
private void validateNoCache(List<? extends X509Certificate> certs) throws SignatureException { try { CertPathValidator validator = CertPathValidator.getInstance( VALIDATOR_TYPE); PKIXParameters params = new PKIXParameters(trustRoots); params.addCertPathChecker(WAVE_OID_CHECKER); params.setDate(timeSource.now()); // turn off default revocation-checking mechanism params.setRevocationEnabled(false); // TODO: add a way for clients to add certificate revocation checks, // perhaps by letting them pass in PKIXCertPathCheckers. This can also be // useful to check for Wave-specific certificate extensions. CertificateFactory certFactory = CertificateFactory.getInstance( CERTIFICATE_TYPE); CertPath certPath = certFactory.generateCertPath(certs); validator.validate(certPath, params); } catch (GeneralSecurityException e) { throw new SignatureException("Certificate validation failure", e); } }
/** * Returns an instance with the parameters of a given * <code>PKIXParameters</code> object. * * @param pkixParams The given <code>PKIXParameters</code> * @return an extended PKIX params object */ public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams) { ExtendedPKIXParameters params; try { params = new ExtendedPKIXParameters(pkixParams.getTrustAnchors()); } catch (Exception e) { // cannot happen throw new RuntimeException(e.getMessage()); } params.setParams(pkixParams); return params; }
/** * Returns an instance of <code>ExtendedPKIXParameters</code> which can be * safely casted to <code>ExtendedPKIXBuilderParameters</code>. * <p> * This method can be used to get a copy from other * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>, * and <code>ExtendedPKIXParameters</code> instances. * * @param pkixParams The PKIX parameters to create a copy of. * @return An <code>ExtendedPKIXBuilderParameters</code> instance. */ public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams) { ExtendedPKIXBuilderParameters params; try { params = new ExtendedPKIXBuilderParameters(pkixParams .getTrustAnchors(), X509CertStoreSelector .getInstance((X509CertSelector) pkixParams .getTargetCertConstraints())); } catch (Exception e) { // cannot happen throw new RuntimeException(e.getMessage()); } params.setParams(pkixParams); return params; }
public Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX) throws AnnotatedException { Set completeSet = new HashSet(); // get complete CRL(s) try { completeSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores())); } catch (AnnotatedException e) { throw new AnnotatedException("Exception obtaining complete CRLs.", e); } return completeSet; }
public static void createPath(String[] certs) throws Exception { TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null); List list = new ArrayList(); for (int i = 1; i < certs.length; i++) { list.add(0, getCertFromFile(certs[i])); } CertificateFactory cf = CertificateFactory.getInstance("X509"); path = cf.generateCertPath(list); Set anchors = Collections.singleton(anchor); params = new PKIXParameters(anchors); params.setRevocationEnabled(false); X509CertSelector sel = new X509CertSelector(); sel.setSerialNumber(new BigInteger("1427")); params.setTargetCertConstraints(sel); }
public static void createPath(String[] certs) throws Exception { X509Certificate anchorCert = getCertFromFile(certs[0]); byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30"); if (nameConstraints != null) { DerInputStream in = new DerInputStream(nameConstraints); nameConstraints = in.getOctetString(); } TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints); List list = new ArrayList(); for (int i = 1; i < certs.length; i++) { list.add(0, getCertFromFile(certs[i])); } CertificateFactory cf = CertificateFactory.getInstance("X509"); path = cf.generateCertPath(list); anchors = Collections.singleton(anchor); params = new PKIXParameters(anchors); params.setRevocationEnabled(false); }
private static void runTest(CertificateFactory cf, List<X509Certificate> certList, TrustAnchor anchor) throws Exception { CertPath path = cf.generateCertPath(certList); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); System.out.println(anchor); // Attach the OCSP responses to a PKIXParameters object PKIXRevocationChecker pkrev = (PKIXRevocationChecker)validator.getRevocationChecker(); Map<X509Certificate, byte[]> responseMap = new HashMap<>(); responseMap.put(certList.get(0), DECODER.decode(EE_OCSP_RESP)); responseMap.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP)); pkrev.setOcspResponses(responseMap); PKIXParameters params = new PKIXParameters(Collections.singleton(anchor)); params.addCertPathChecker(pkrev); params.setDate(EVAL_DATE); validator.validate(path, params); }
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { this.mOriginalX509TrustManager.checkServerTrusted(chain, authType); } catch (CertificateException e1) { try { X509Certificate[] ex = this.reorderCertificateChain(chain); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); CertificateFactory factory = CertificateFactory.getInstance("X509"); CertPath certPath = factory.generateCertPath(Arrays.asList(ex)); PKIXParameters params = new PKIXParameters(this.mTrustStore); params.setRevocationEnabled(false); validator.validate(certPath, params); } catch (Exception e) { throw e1; } } }
private PKIXParameters createPKIXParms( Collection<X509Certificate> trustAnchorColl, Date dtDate) throws InvalidAlgorithmParameterException { // TODO Auto-generated method stub Set tmpTA = new HashSet(); Iterator<X509Certificate> itLast = trustAnchorColl.iterator(); while (itLast.hasNext()) { X509Certificate certOnPath = itLast.next(); TrustAnchor trustAnchor = new TrustAnchor(certOnPath, null); tmpTA.add(trustAnchor); } PKIXParameters params = new PKIXParameters(tmpTA); params.setDate(dtDate); return params; }
public RuleCheckResult validate(CACCertAuthParamParser pp) { CertPath cp = getCertPath(pp); if (cp == null) { logger.printToConsole("Can't load user certificate, please check " + pp.getUserCert()); return RuleCheckResult.FALSE; } // Load the root CA certificate Set<TrustAnchor> trustedCerts = getTrustedCerts(pp); if (trustedCerts == null) { logger.printToConsole("Can't parse the trusted CA certificates, please check " + pp.getRootCerts()); return RuleCheckResult.FALSE; } PKIXParameters params = initPKIXParams(trustedCerts, new ArrayList(), pp); RuleCheckResult result = validate(cp, params); return result; }
/** * Creates trust manager implementation * * @param ks */ public TrustManagerImpl(KeyStore ks) { try { validator = CertPathValidator.getInstance("PKIX"); factory = CertificateFactory.getInstance("X509"); byte[] nameConstrains = null; Set<TrustAnchor> trusted = new HashSet<TrustAnchor>(); for (Enumeration<String> en = ks.aliases(); en.hasMoreElements();) { final String alias = en.nextElement(); final X509Certificate cert = (X509Certificate) ks.getCertificate(alias); if (cert != null) { trusted.add(new TrustAnchor(cert, nameConstrains)); } } params = new PKIXParameters(trusted); params.setRevocationEnabled(false); } catch (Exception e) { err = e; } }
/** * Test #1 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: creates an instance of <code>PKIXBuilderParameters</code> * @throws InvalidAlgorithmParameterException */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies positive case.", method = "PKIXBuilderParameters", args = {java.util.Set.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersSetCertSelector01() throws InvalidAlgorithmParameterException { Set<TrustAnchor> taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // both parameters are valid and non-null PKIXParameters p = new PKIXBuilderParameters(taSet, new X509CertSelector()); assertTrue("instanceOf", p instanceof PKIXBuilderParameters); assertNotNull("certSelector", p.getTargetCertConstraints()); }
/** * Test #2 for <code>PKIXBuilderParameters(Set, CertSelector)</code> * constructor<br> * Assertion: creates an instance of <code>PKIXBuilderParameters</code> * @throws InvalidAlgorithmParameterException */ @TestTargetNew( level = TestLevel.PARTIAL_COMPLETE, notes = "Verifies null as a CertSelector parameter.", method = "PKIXBuilderParameters", args = {java.util.Set.class, java.security.cert.CertSelector.class} ) public final void testPKIXBuilderParametersSetCertSelector02() throws InvalidAlgorithmParameterException { Set<TrustAnchor> taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } // both parameters are valid but CertSelector is null PKIXParameters p = new PKIXBuilderParameters(taSet, null); assertTrue("instanceOf", p instanceof PKIXBuilderParameters); assertNull("certSelector", p.getTargetCertConstraints()); }
public static CertFilesTrustManager getInstance(String pathToCertsFiles) throws Exception { certificateFactory = CertificateFactory.getInstance("X.509"); Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); File[] files = new File(pathToCertsFiles).listFiles(); for (File file : files) { if (!file.isFile()) { continue; } try { X509Certificate cert = loadCertificate(file); TrustAnchor ta = new TrustAnchor(cert, null); trustAnchors.add(ta); } catch (CertificateParsingException e) {} } CertPathValidator val = CertPathValidator.getInstance(CertPathValidator.getDefaultType()); PKIXParameters cpp = new PKIXParameters(trustAnchors); cpp.setRevocationEnabled(false); CertFilesTrustManager tm = new CertFilesTrustManager(val, cpp); return tm; }
/** * Test for <code>toString</code> method<br> */ @TestTargetNew( level = TestLevel.COMPLETE, notes = "", method = "toString", args = {} ) public final void testToString() throws Exception { Set<TrustAnchor> taSet = TestUtils.getTrustAnchorSet(); if (taSet == null) { fail(getName() + ": not performed (could not create test TrustAnchor set)"); } PKIXParameters p = new PKIXParameters(taSet); assertNotNull(p.toString()); PKIXParameters p1 = null; try { p1.toString(); fail("NullPointerException expected"); } catch (NullPointerException e) { // expected } }
/** * Internal method to setup the internal state */ private void populateVariables(PKIXParameters pkixParam) { // default value for testDate is current time testDate = pkixParam.getDate(); if (testDate == null) { testDate = new Date(System.currentTimeMillis()); } userCheckers = pkixParam.getCertPathCheckers(); sigProvider = pkixParam.getSigProvider(); if (pkixParam.isRevocationEnabled()) { // Examine OCSP security property ocspEnabled = AccessController.doPrivileged( new GetBooleanSecurityPropertyAction (OCSPChecker.OCSP_ENABLE_PROP)); onlyEECert = AccessController.doPrivileged( new GetBooleanSecurityPropertyAction ("com.sun.security.onlyCheckRevocationOfEECert")); } }