Java 类java.security.cert.PKIXRevocationChecker 实例源码

项目:openjdk-jdk10    文件:ValWithAnchorByName.java   
private static void runTest(CertificateFactory cf,
        List<X509Certificate> certList, TrustAnchor anchor)
        throws Exception {
    CertPath path = cf.generateCertPath(certList);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");

    System.out.println(anchor);

    // Attach the OCSP responses to a PKIXParameters object
    PKIXRevocationChecker pkrev =
            (PKIXRevocationChecker)validator.getRevocationChecker();
    Map<X509Certificate, byte[]> responseMap = new HashMap<>();
    responseMap.put(certList.get(0), DECODER.decode(EE_OCSP_RESP));
    responseMap.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP));
    pkrev.setOcspResponses(responseMap);
    PKIXParameters params =
            new PKIXParameters(Collections.singleton(anchor));
    params.addCertPathChecker(pkrev);
    params.setDate(EVAL_DATE);

    validator.validate(path, params);
}
项目:openjdk-jdk10    文件:SSLSocketWithStapling.java   
/**
 * Test a case where client-side stapling is attempted, but does not
 * occur because OCSP responders are unreachable.  Client-side OCSP
 * checking is enabled for this, with SOFT_FAIL.
 */
static void testSoftFailFallback() throws Exception {
    ClientParameters cliParams = new ClientParameters();
    ServerParameters servParams = new ServerParameters();
    serverReady = false;

    // make OCSP responders reject connections
    intOcsp.rejectConnections();
    rootOcsp.rejectConnections();

    System.out.println("=======================================");
    System.out.println("Stapling enbled in client and server,");
    System.out.println("but OCSP responders disabled.");
    System.out.println("PKIXParameters with Revocation checking");
    System.out.println("enabled and SOFT_FAIL.");
    System.out.println("=======================================");

    Security.setProperty("ocsp.enable", "true");
    cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
            new X509CertSelector());
    cliParams.pkixParams.setRevocationEnabled(true);
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    cliParams.revChecker =
            (PKIXRevocationChecker)cpv.getRevocationChecker();
    cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL));

    SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
            servParams);
    TestResult tr = sslTest.getResult();
    if (tr.clientExc != null) {
        throw tr.clientExc;
    } else if (tr.serverExc != null) {
        throw tr.serverExc;
    }

    // make sure getSoftFailExceptions is not empty
    if (cliParams.revChecker.getSoftFailExceptions().isEmpty()) {
        throw new Exception("No soft fail exceptions");
    }

    System.out.println("                 PASS");
    System.out.println("=======================================\n");


    // Make OCSP responders accept connections
    intOcsp.acceptConnections();
    rootOcsp.acceptConnections();

    // Wait 5 seconds for server ready
    for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
        Thread.sleep(50);
    }
    if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
        throw new RuntimeException("Server not ready yet");
    }
}
项目:OpenJSharp    文件:ReverseState.java   
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;
    X509Certificate trustedCert = anchor.getTrustedCert();
    if (trustedCert != null) {
        updateState(trustedCert);
    } else {
        X500Principal caName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), caName);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean revCheckerAdded = false;
    for (PKIXCertPathChecker checker : userCheckers) {
        if (checker instanceof AlgorithmChecker) {
            ((AlgorithmChecker)checker).trySetTrustAnchor(anchor);
        } else if (checker instanceof PKIXRevocationChecker) {
            if (revCheckerAdded) {
                throw new CertPathValidatorException(
                    "Only one PKIXRevocationChecker can be specified");
            }
            // if it's our own, initialize it
            if (checker instanceof RevocationChecker) {
                ((RevocationChecker)checker).init(anchor, buildParams);
            }
            ((PKIXRevocationChecker)checker).init(false);
            revCheckerAdded = true;
        }
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !revCheckerAdded) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
项目:openjdk9    文件:SSLSocketWithStapling.java   
/**
 * Test a case where client-side stapling is attempted, but does not
 * occur because OCSP responders are unreachable.  Client-side OCSP
 * checking is enabled for this, with SOFT_FAIL.
 */
static void testSoftFailFallback() throws Exception {
    ClientParameters cliParams = new ClientParameters();
    ServerParameters servParams = new ServerParameters();
    serverReady = false;

    // Stop the OCSP responders and give a 1 second delay before
    // running the test.
    intOcsp.stop();
    rootOcsp.stop();
    Thread.sleep(1000);

    System.out.println("=======================================");
    System.out.println("Stapling enbled in client and server,");
    System.out.println("but OCSP responders disabled.");
    System.out.println("PKIXParameters with Revocation checking");
    System.out.println("enabled and SOFT_FAIL.");
    System.out.println("=======================================");

    Security.setProperty("ocsp.enable", "true");
    cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
            new X509CertSelector());
    cliParams.pkixParams.setRevocationEnabled(true);
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    cliParams.revChecker =
            (PKIXRevocationChecker)cpv.getRevocationChecker();
    cliParams.revChecker.setOptions(EnumSet.of(Option.SOFT_FAIL));

    SSLSocketWithStapling sslTest = new SSLSocketWithStapling(cliParams,
            servParams);
    TestResult tr = sslTest.getResult();
    if (tr.clientExc != null) {
        throw tr.clientExc;
    } else if (tr.serverExc != null) {
        throw tr.serverExc;
    }

    System.out.println("                 PASS");
    System.out.println("=======================================\n");

    // Start the OCSP responders up again
    intOcsp.start();
    rootOcsp.start();

    // Wait 5 seconds for server ready
    for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
        Thread.sleep(50);
    }
    if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
        throw new RuntimeException("Server not ready yet");
    }
}
项目:milo    文件:CertificateValidationUtil.java   
/**
 * Verify that a chain of trust can be established for a certificate or chain of certificates.
 * <p>
 * The chain must begin with the end-entity certificate at index 0 followed by the remaining certificates in the
 * chain, if any, in the correct order.
 * <p>
 * If the end-entity certificate is present in the {@code trustedCertificates} set then trust is immediately
 * verified. Otherwise, an attempt to build a path to a trusted anchor is made using the provided
 * {@code issuerCertificates} as the anchors.
 *
 * @param certificateChain    the certificate chain to verify.
 * @param trustedCertificates the set of known-trusted certificates.
 * @param issuerCertificates  the set of CA certificates to use as trust anchors.
 * @param issuerCrls          the set of {@link X509CRL}s, if any, to use while verifying trust.
 * @throws UaException if a chain of trust could not be established.
 */
public static void verifyTrustChain(
    List<X509Certificate> certificateChain,
    Set<X509Certificate> trustedCertificates,
    Set<X509Certificate> issuerCertificates,
    Set<X509CRL> issuerCrls) throws UaException {

    Preconditions.checkArgument(!certificateChain.isEmpty(), "certificateChain must not be empty");

    X509Certificate certificate = certificateChain.get(0);

    boolean certificateTrusted = trustedCertificates.stream()
        .anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));

    if (certificateTrusted) {
        LOGGER.debug("Found certificate in trusted certificates: {}", certificate);
        return;
    }

    try {
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        issuerCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        // Add a CertStore containing any intermediate certs and CRLs
        if (certificateChain.size() > 0 || issuerCrls.size() > 0) {
            Collection<Object> collection = Lists.newArrayList();
            collection.addAll(certificateChain);
            collection.addAll(issuerCrls);

            CertStore certStore = CertStore.getInstance(
                "Collection",
                new CollectionCertStoreParameters(collection)
            );

            params.addCertStore(certStore);
        }

        // Only enable revocation checking if the CRL list is non-empty
        params.setRevocationEnabled(!issuerCrls.isEmpty());

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        // Set up revocation options regardless of whether it's actually enabled
        CertPathChecker revocationChecker = builder.getRevocationChecker();

        if (revocationChecker instanceof PKIXRevocationChecker) {
            ((PKIXRevocationChecker) revocationChecker).setOptions(Sets.newHashSet(
                PKIXRevocationChecker.Option.NO_FALLBACK,
                PKIXRevocationChecker.Option.PREFER_CRLS,
                PKIXRevocationChecker.Option.SOFT_FAIL
            ));
        }

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
    } catch (Throwable t) {
        LOGGER.debug("PKIX path validation failed: {}", t.getMessage());
        throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
    }
}
项目:infobip-open-jdk-8    文件:ReverseState.java   
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;
    X509Certificate trustedCert = anchor.getTrustedCert();
    if (trustedCert != null) {
        updateState(trustedCert);
    } else {
        X500Principal caName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), caName);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean revCheckerAdded = false;
    for (PKIXCertPathChecker checker : userCheckers) {
        if (checker instanceof AlgorithmChecker) {
            ((AlgorithmChecker)checker).trySetTrustAnchor(anchor);
        } else if (checker instanceof PKIXRevocationChecker) {
            if (revCheckerAdded) {
                throw new CertPathValidatorException(
                    "Only one PKIXRevocationChecker can be specified");
            }
            // if it's our own, initialize it
            if (checker instanceof RevocationChecker) {
                ((RevocationChecker)checker).init(anchor, buildParams);
            }
            ((PKIXRevocationChecker)checker).init(false);
            revCheckerAdded = true;
        }
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !revCheckerAdded) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
项目:jdk8u-dev-jdk    文件:ReverseState.java   
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;
    X509Certificate trustedCert = anchor.getTrustedCert();
    if (trustedCert != null) {
        updateState(trustedCert);
    } else {
        X500Principal caName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), caName);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean revCheckerAdded = false;
    for (PKIXCertPathChecker checker : userCheckers) {
        if (checker instanceof AlgorithmChecker) {
            ((AlgorithmChecker)checker).trySetTrustAnchor(anchor);
        } else if (checker instanceof PKIXRevocationChecker) {
            if (revCheckerAdded) {
                throw new CertPathValidatorException(
                    "Only one PKIXRevocationChecker can be specified");
            }
            // if it's our own, initialize it
            if (checker instanceof RevocationChecker) {
                ((RevocationChecker)checker).init(anchor, buildParams);
            }
            ((PKIXRevocationChecker)checker).init(false);
            revCheckerAdded = true;
        }
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !revCheckerAdded) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}
项目:OLD-OpenJDK8    文件:ReverseState.java   
/**
 * Update the state with the specified trust anchor.
 *
 * @param anchor the most-trusted CA
 * @param buildParams builder parameters
 */
public void updateState(TrustAnchor anchor, BuilderParams buildParams)
    throws CertificateException, IOException, CertPathValidatorException
{
    trustAnchor = anchor;
    X509Certificate trustedCert = anchor.getTrustedCert();
    if (trustedCert != null) {
        updateState(trustedCert);
    } else {
        X500Principal caName = anchor.getCA();
        updateState(anchor.getCAPublicKey(), caName);
    }

    // The user specified AlgorithmChecker and RevocationChecker may not be
    // able to set the trust anchor until now.
    boolean revCheckerAdded = false;
    for (PKIXCertPathChecker checker : userCheckers) {
        if (checker instanceof AlgorithmChecker) {
            ((AlgorithmChecker)checker).trySetTrustAnchor(anchor);
        } else if (checker instanceof PKIXRevocationChecker) {
            if (revCheckerAdded) {
                throw new CertPathValidatorException(
                    "Only one PKIXRevocationChecker can be specified");
            }
            // if it's our own, initialize it
            if (checker instanceof RevocationChecker) {
                ((RevocationChecker)checker).init(anchor, buildParams);
            }
            ((PKIXRevocationChecker)checker).init(false);
            revCheckerAdded = true;
        }
    }

    // only create a RevocationChecker if revocation is enabled and
    // a PKIXRevocationChecker has not already been added
    if (buildParams.revocationEnabled() && !revCheckerAdded) {
        revChecker = new RevocationChecker(anchor, buildParams);
        revChecker.init(false);
    }

    init = false;
}