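/* Givens. */
InputStream trustStoreInput = ...
char[] password = ...
List<X509Certificate> chain = ...
Collection<X509CRL> crls = ...

/* Construct a valid path. */
// Trust anchors are the entries of the loaded key store. KeyStore.load() does not close
// the stream, so trustStoreInput remains the caller's responsibility.
KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
anchors.load(trustStoreInput, password);

// The end-entity certificate (chain[0]) is the target the built path must end at.
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);

// Intermediates and CRLs reach the builder through "Collection" cert stores. Revocation
// checking is on by default for PKIX parameters, so the CRL store is what lets the
// builder establish revocation status for each CA on the path.
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
params.addCertStore(CertStore.getInstance("Collection", intermediates));
CertStoreParameters revoked = new CollectionCertStoreParameters(crls);
params.addCertStore(CertStore.getInstance("Collection", revoked));

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
/*
 * If build() returns successfully, the certificate is valid. More details
 * about the valid path can be obtained through the PKIXCertPathBuilderResult
 * (the JCA result type for the PKIX builder).
 * If no valid path can be found, a CertPathBuilderException is thrown.
 */
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);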
/**
 * Returns the string representation of this instance.
 *
 * @return the string representation of this instance.
 */
@Override
public String toString() {
    // The wrapped collection is rendered on its own line between fixed brackets.
    String members = getCollection().toString();
    return "CollectionCertStoreParameters: [\ncollection: " + members + "\n]";
}
}
// Builder parameters anchored on the trust store; an empty selector accepts any target.
PKIXBuilderParameters pkixParamsBuilder = new PKIXBuilderParameters( trustStore, new X509CertSelector() );

// Revocation checking is explicitly on. With the JDK PKIX implementation this fails
// closed: a path whose revocation status cannot be determined from the stores is rejected.
pkixParamsBuilder.setRevocationEnabled( true );

// The locally held CRLs are served to the builder through a Collection-backed store.
CollectionCertStoreParameters localCrlParams = new CollectionCertStoreParameters( crls );
CertStore localCrlStore = CertStore.getInstance( "Collection", localCrlParams );
pkixParamsBuilder.addCertStore( localCrlStore );
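// Every certificate of the presented chain is a candidate the builder may use.
final CertStore certificates = CertStore.getInstance( "Collection", new CollectionCertStoreParameters( Arrays.asList( chain ) ) );
final PKIXBuilderParameters parameters = new PKIXBuilderParameters( trustAnchors, selector );
// Validity is evaluated at validPointInTime rather than at the current time; the caller
// decides what that instant is, so an already-expired chain can still build if it was
// valid then.
parameters.setDate( validPointInTime );
parameters.addCertStore( certificates );
// Prefer the Bouncy Castle PKIX builder and fall back to the default provider when
// "BC" is not registered. NOTE(review): the try statement in this excerpt had lost
// its block and catch clause; NoSuchProviderException is what getInstance(String,
// String) throws for an unknown provider name, so that is the fallback trigger here.
try
{
    pathBuilder = CertPathBuilder.getInstance( "PKIX", "BC" );
}
catch ( NoSuchProviderException e )
{
    pathBuilder = CertPathBuilder.getInstance( "PKIX" );
}
// build() throws CertPathBuilderException when no valid path exists; the enclosing
// method (not visible in this excerpt) is responsible for that case.
final CertPathBuilderResult result = pathBuilder.build( parameters );
return result.getCertPath();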
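...
CertificateFactory fac = CertificateFactory.getInstance("X.509");
// Parse every certificate in client.crt; try-with-resources closes the file on every
// path and does not let a close() failure mask a parse failure.
Collection<? extends Certificate> intermediate;
try (FileInputStream is = new FileInputStream("client.crt")) {
    intermediate = fac.generateCertificates(is);
}
// The last certificate in the file is taken as the end-entity (target) certificate;
// the whole file is also offered to the builder as the pool of candidates below.
X509Certificate client = null;
for (Certificate c : intermediate) {
    client = (X509Certificate) c;
}
if (client == null) {
    throw new IllegalArgumentException("Empty chain.");
}
X509CertSelector t = new X509CertSelector();
t.setCertificate(client);
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, t);
CertStoreParameters store = new CollectionCertStoreParameters(intermediate);
params.addCertStore(CertStore.getInstance("Collection", store));
// Revocation checking is switched off here: a revoked certificate in this chain still
// builds. Keep the default (enabled) and supply CRLs or OCSP unless revocation is
// checked by other means.
params.setRevocationEnabled(false);
...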
// The target is matched by subject name, not by the exact certificate bytes.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());

PKIXParameters params = new PKIXBuilderParameters(store,certSelector);

// Candidate intermediates are handed to the builder through a Collection cert store.
Collection<?> candidateCerts = Arrays.asList(icert1, icert2 /*, other certs... */);
CertStore cstore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidateCerts));
params.addCertStore(cstore);

// Default builder type (PKIX); build() throws CertPathBuilderException when no path exists.
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
/**
 * Creates a trust manager over the given trust store and prepares an initially empty,
 * Collection-backed CRL store before loading CRLs.
 *
 * @param trustTrust the key store holding the trust anchors
 */
public ClientTrustManager(KeyStore trustTrust) {
    this.trustStore = trustTrust;
    // CollectionCertStoreParameters keeps a reference to this list rather than a copy,
    // which is why CRLs can still be appended after the CertStore has been created
    // (loadCRL() runs afterwards).
    crls = new ArrayList<>();
    try {
        crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException ex) {
        // Best effort: crlStore is left unassigned and the failure is only logged.
        Log.warn("ClientTrustManager: ",ex);
    }
    loadCRL();
}
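/**
 * Builds a PKIX path from the presented chain to one of the configured trust anchors.
 * The chain is offered to the builder as a Collection cert store and its first entry is
 * the target the path must end at; the base parameters are cloned so each call works on
 * its own copy. Returning normally means a valid path exists.
 *
 * @param x509Certificates the presented chain, end-entity certificate first
 * @throws CertificateException if the chain is empty, no valid path can be built, or a
 *         provider error occurs
 */
protected void validatePath(X509Certificate[] x509Certificates) throws CertificateException {
    // Guard the x509Certificates[0] access below; an empty chain is a validation failure,
    // not an array-index error.
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new CertificateException("unable to process certificates: empty chain");
    }
    try {
        CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509Certificates)), pkixProvider);
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", pkixProvider);
        // Clone the shared base settings so this validation's changes stay local.
        X509CertSelector constraints = (X509CertSelector)baseParameters.getTargetCertConstraints().clone();
        constraints.setCertificate(x509Certificates[0]);
        PKIXBuilderParameters param = (PKIXBuilderParameters)baseParameters.clone();
        param.addCertStore(certStore);
        param.setTargetCertConstraints(constraints);
        // The result object is not needed: build() either returns a valid path or throws
        // CertPathBuilderException (a GeneralSecurityException) when none exists.
        pathBuilder.build(param);
    } catch (GeneralSecurityException e) {
        throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
    }
}
}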
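/**
 * Converts the held certificate and CRL holders into JCA objects and wraps them in
 * CollectionCertStoreParameters so a "Collection" CertStore can serve both kinds.
 *
 * @param certificateConverter converter applied to each X509CertificateHolder in certs
 * @param crlConverter converter applied to each X509CRLHolder in crls
 * @return parameters over the converted certificates followed by the converted CRLs
 * @throws CertificateException if a certificate holder cannot be converted
 * @throws CRLException if a CRL holder cannot be converted
 */
private CollectionCertStoreParameters convertHolders(JcaX509CertificateConverter certificateConverter, JcaX509CRLConverter crlConverter)
    throws CertificateException, CRLException
{
    // One list carries both object kinds; the Collection CertStore accepts either.
    List<Object> jcaObjs = new ArrayList<>(certs.size() + crls.size());
    for (Object holder : certs)
    {
        jcaObjs.add(certificateConverter.getCertificate((X509CertificateHolder)holder));
    }
    for (Object holder : crls)
    {
        jcaObjs.add(crlConverter.getCRL((X509CRLHolder)holder));
    }
    return new CollectionCertStoreParameters(jcaObjs);
}
}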
// Trust manager factory using the platform's default algorithm.
TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = SSLSupport.loadKeystore(trustStoreProvider, trustStorePath, trustStorePassword);
// Boolean.valueOf(null) is false, so an unset "ocsp.enable" security property reads as off.
boolean ocsp = Boolean.valueOf(Security.getProperty("ocsp.enable"));
// An empty selector accepts any target certificate.
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
if (crlPath != null) {
    // Revocation checking is only turned on when a CRL path is configured; the CRLs
    // loaded from it are served to the validator through a Collection cert store.
    pkixParams.setRevocationEnabled(true);
    Collection<? extends CRL> crlList = loadCRL(crlPath);
    if (crlList != null) {
        pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
        // NOTE(review): the excerpt ends here; both if-blocks are closed further on.
// initialize a new TMF with our keyStore TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE"); CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector()); // Activate certificate revocation checking ((PKIXBuilderParameters) pkixParams).setRevocationEnabled(true); List<CertStore> certStores = new ArrayList<>(1); Collection<CRL> crls = new HashSet<>(1); crls.add(CertificateFactory.getInstance("X.509").generateCRL( new java.io.FileInputStream("your_local_file.crl"))); certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls))); ((PKIXBuilderParameters) pkixParams).setCertStores(certStores); System.setProperty("com.sun.security.enableCRLDP", "true"); tmf.init(new CertPathTrustManagerParameters(pkixParams)); // acquire X509 trust manager from factory TrustManager tms[] = tmf.getTrustManagers(); for (TrustManager tm : tms) { if (tm instanceof X509TrustManager) { trustManager = (X509TrustManager) tm; break; } }
// Wrap the CRL collection as Collection-store parameters. The store keeps a reference
// to crls rather than a copy, so later changes to that collection are visible to it.
CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(crls);
try {
    CertStore store = CertStore.getInstance("Collection", ccsp);
    return store;
} catch (GeneralSecurityException gse) {
// NOTE(review): the excerpt ends inside the catch block.
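/**
 * Wraps the signer's certificate chain in a Bouncy Castle {@code Store}.
 *
 * @return a JcaCertStore over every certificate in certificateChain
 * @throws SignerException if a certificate in the chain cannot be encoded
 */
private Store generatedCertStore() {
    try {
        // Only the Bouncy Castle store is needed; the JCA CollectionCertStoreParameters
        // previously built here was never used.
        List<Certificate> certificates = new ArrayList<>(Arrays.asList(certificateChain));
        return new JcaCertStore(certificates);
    } catch (CertificateEncodingException ex) {
        throw new SignerException(ex);
    }
}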
// Candidate pool: every certificate the builder may use to extend the path.
final CollectionCertStoreParameters poolParams = new CollectionCertStoreParameters( allCerts );
final CertStore cs = CertStore.getInstance( "Collection", poolParams );

// The path has to end at exactly `first`.
final X509CertSelector selector = new X509CertSelector();
selector.setCertificate( first );

final PKIXBuilderParameters params = new PKIXBuilderParameters( store, selector );
params.addCertStore( cs );
// Validity is evaluated at the current time.
params.setDate( new Date() );
// Revocation status is not checked by this build: neither CRLs nor OCSP take part,
// so a revoked but otherwise valid chain still produces a path.
params.setRevocationEnabled( false );

// Default builder type; build() throws CertPathBuilderException when no path exists.
final CertPathBuilder pathBuilder = CertPathBuilder.getInstance( CertPathBuilder.getDefaultType() );
final CertPath cp = pathBuilder.build( params ).getCertPath();
checkMinimumParameter("maxCertPath", 1, maxCertPath);
try {
    // An empty selector accepts any target certificate.
    PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    // CRLs read from crlStream are served to the builder through a Collection store.
    CertStoreParameters csp = new CollectionCertStoreParameters(getCRLs(crlStream));
    CertStore store = CertStore.getInstance("Collection", csp);
    params.addCertStore(store);
    params.setRevocationEnabled(true);
    // Upper bound on non-self-issued intermediate certificates in a path (checked >= 1 above).
    params.setMaxPathLength(maxCertPath);
    // NOTE(review): the excerpt ends inside the try block.
// Presumably fills crls from rdir; the same collection is then wrapped by reference
// (not copied) for the Collection cert store.
loadCRLs(crls, rdir);
CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(crls);
CertStore store;
try {
    store = CertStore.getInstance("Collection", ccsp);
} catch (GeneralSecurityException gse) {
// NOTE(review): the excerpt ends inside the catch block.
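/**
 * Converts the held certificate and CRL holders into JCA objects and wraps them in
 * CollectionCertStoreParameters so a "Collection" CertStore can serve both kinds.
 *
 * @param certificateConverter converter applied to each X509CertificateHolder in certs
 * @param crlConverter converter applied to each X509CRLHolder in crls
 * @return parameters over the converted certificates followed by the converted CRLs
 * @throws CertificateException if a certificate holder cannot be converted
 * @throws CRLException if a CRL holder cannot be converted
 */
private CollectionCertStoreParameters convertHolders(JcaX509CertificateConverter certificateConverter, JcaX509CRLConverter crlConverter)
    throws CertificateException, CRLException
{
    // One list carries both object kinds; the Collection CertStore accepts either.
    List<Object> jcaObjs = new ArrayList<>(certs.size() + crls.size());
    for (Object holder : certs)
    {
        jcaObjs.add(certificateConverter.getCertificate((X509CertificateHolder)holder));
    }
    for (Object holder : crls)
    {
        jcaObjs.add(crlConverter.getCRL((X509CRLHolder)holder));
    }
    return new CollectionCertStoreParameters(jcaObjs);
}
}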
/**
 * Returns the string representation of this instance.
 *
 * @return the string representation of this instance.
 */
@Override
public String toString() {
    // The wrapped collection is rendered on its own line between fixed brackets.
    String members = getCollection().toString();
    return "CollectionCertStoreParameters: [\ncollection: " + members + "\n]";
}
}
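// The path must terminate at exactly this certificate.
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters( trustAnchors, selector);
// The target itself joins the candidate pool so the builder can locate it there.
intermediateCerts.add(cert);
// Revocation is not checked by this build: a revoked but otherwise valid chain passes.
pkixParams.setRevocationEnabled(false);
CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts), "BC");
pkixParams.addCertStore(intermediateCertStore);
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
// build() returns only when a valid path exists and throws CertPathBuilderException
// otherwise; the call must be made on the builder created just above.
builder.build(pkixParams);
LogUtil.writeLog("verify certificate chain succeed.");
return true;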
/**
 * Creates builder parameters over the given trust store with revocation checking on.
 * The supplied CRLs are exposed through a Collection cert store; OCSP is switched on
 * through JVM-wide security properties.
 *
 * NOTE(review): Security.setProperty is process-global, so the "ocsp.enable" and
 * "ocsp.responderURL" values set here affect every PKIX validation in this JVM, not
 * only paths built from these parameters. The method's opening brace and its return
 * are missing from this excerpt.
 *
 * @param trustStore key store holding the trust anchors
 * @param crls CRLs to make available to the builder
 * @throws Exception propagated from the JCA factory methods
 */
protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
// An empty selector accepts any target certificate.
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
// Bound on non-self-issued intermediates the path may contain.
pbParams.setMaxPathLength(_maxCertPathLength);
pbParams.setRevocationEnabled(true);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
Security.setProperty("ocsp.enable", "true");
Security.setProperty("ocsp.responderURL", _ocspResponderURL);