checkMinimumParameter("maxCertPath", 1, maxCertPath); try { PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector()); CertStoreParameters csp = new CollectionCertStoreParameters(getCRLs(crlStream)); CertStore store = CertStore.getInstance("Collection", csp); params.addCertStore(store); params.setRevocationEnabled(true); params.setMaxPathLength(maxCertPath); trustManagerFactory.init(new CertPathTrustManagerParameters(params)); X509TrustManager[] trustManagers = Stream.of(trustManagerFactory.getTrustManagers()).map(trustManager -> trustManager instanceof X509TrustManager ? (X509TrustManager) trustManager : null).filter(Objects::nonNull).toArray(X509TrustManager[]::new);
protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); pbParams.setMaxPathLength(_maxCertPathLength); pbParams.setRevocationEnabled(true); pbParams.addCertPathChecker(_pkixCertPathChecker); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls))); Security.setProperty("ocsp.enable", "true"); Security.setProperty("ocsp.responderURL", _ocspResponderURL);
// Build a PKIX trust manager whose path validation consults the supplied CRLs.
// NOTE(review): init(ManagerFactoryParameters) is only supported by the PKIX
// TrustManagerFactory; getDefaultAlgorithm() normally resolves to "PKIX" but can be
// redirected through the ssl.TrustManagerFactory.algorithm security property — confirm
// for the target JVM.
TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

// Anchors come from the trust store; no constraint is placed on the target certificate.
X509CertSelector anyTarget = new X509CertSelector();
PKIXBuilderParameters pkixParamsBuilder = new PKIXBuilderParameters(trustStore, anyTarget);

// Revocation checking is switched on explicitly, and the in-memory CRL collection is the
// cert store the checker consults.
pkixParamsBuilder.setRevocationEnabled(true);
CollectionCertStoreParameters crlStoreParams = new CollectionCertStoreParameters(crls);
CertStore crlStore = CertStore.getInstance("Collection", crlStoreParams);
pkixParamsBuilder.addCertStore(crlStore);

trustManagerFactory.init(new CertPathTrustManagerParameters(pkixParamsBuilder));
.build() .loadTrustStore(); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); if (crlEnabled || ocspEnabled) { pbParams.setRevocationEnabled(true); System.setProperty("com.sun.net.ssl.checkRevocation", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); if (ocspEnabled) { Security.setProperty("ocsp.enable", "true"); pbParams.setRevocationEnabled(false); TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); tmf.init(new CertPathTrustManagerParameters(pbParams)); for (final TrustManager tm : tmf.getTrustManagers()) { if (tm instanceof X509ExtendedTrustManager) { return new ZKTrustManager((X509ExtendedTrustManager) tm,
// Pin the end-entity certificate as the target the builder must reach an anchor from.
final X509CertSelector selector = new X509CertSelector();
selector.setCertificate( first );

// Offer every certificate we hold as a potential intermediate.
final CollectionCertStoreParameters allCertsParams = new CollectionCertStoreParameters( allCerts );
final CertStore cs = CertStore.getInstance( "Collection", allCertsParams );

final PKIXBuilderParameters params = new PKIXBuilderParameters( store, selector );
params.addCertStore( cs );
params.setDate( new Date() );
// Revocation is deliberately skipped for this path build; any CRL/OCSP status check
// has to happen elsewhere if the deployment requires one.
params.setRevocationEnabled( false );

final CertPathBuilder pathBuilder = CertPathBuilder.getInstance( CertPathBuilder.getDefaultType() );
final CertPath cp = pathBuilder.build( params ).getCertPath();
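/**
 * Builds the trust managers used for the TLS connection.
 *
 * <p>When {@code trustedCertificates} is supplied, the PEM-encoded certificates in it are
 * loaded into a fresh key store as the only trust anchors; no revocation checking is
 * configured for that branch (see the TODO). Otherwise the default CA key store is used and
 * the provider's PKIX revocation checker is attached, so CRL/OCSP status is consulted during
 * path validation with the checker's default options.
 *
 * @param trustedCertificates PEM text holding one or more CA certificates, or {@code null}
 *        to trust the default CAs
 * @param keyStoreSupplier supplies the {@link KeyStore} that receives the custom anchors;
 *        only invoked when {@code trustedCertificates} is non-null
 * @return the trust managers produced by the PKIX factory
 * @throws CertificateException if the PEM text cannot be parsed or yields no certificates
 * @throws NoSuchAlgorithmException if the PKIX algorithm is unavailable
 * @throws KeyStoreException if the key store rejects a certificate entry
 * @throws InvalidAlgorithmParameterException if the factory rejects the PKIX parameters
 */
static TrustManager[] newTrustManager(@Nullable final String trustedCertificates,
                                      final Supplier<KeyStore> keyStoreSupplier)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
               InvalidAlgorithmParameterException {
    final javax.net.ssl.TrustManagerFactory trustManagerFactory =
            javax.net.ssl.TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates != null) {
        final KeyStore keystore = keyStoreSupplier.get();
        // PEM is ASCII armour, so US_ASCII is the right decoding for the factory input.
        final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
        final Collection<? extends Certificate> caCerts =
                X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
        // A trust store with no anchors cannot validate any peer; fail here with a clear
        // message instead of at handshake time.
        if (caCerts.isEmpty()) {
            throw new CertificateException("trustedCertificates contains no certificates");
        }
        long cnt = 0;
        for (final Certificate caCert : caCerts) {
            // Aliases only need to be unique within this key store.
            keystore.setCertificateEntry("ca-" + cnt++, caCert);
        }
        trustManagerFactory.init(keystore);
        // TODO: consider adding a cert revocation checker if AWS-IoT has OCSP/CRL.
    } else {
        // Standard CAs: attach the provider's revocation checker so path validation
        // performs CRL/OCSP checks.
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
    }
    return trustManagerFactory.getTrustManagers();
}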
// initialize a new TMF with our keyStore TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE"); CertPathParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector()); // Activate certificate revocation checking ((PKIXBuilderParameters) pkixParams).setRevocationEnabled(true); List<CertStore> certStores = new ArrayList<>(1); Collection<CRL> crls = new HashSet<>(1); crls.add(CertificateFactory.getInstance("X.509").generateCRL( new java.io.FileInputStream("your_local_file.crl"))); certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls))); ((PKIXBuilderParameters) pkixParams).setCertStores(certStores); System.setProperty("com.sun.security.enableCRLDP", "true"); tmf.init(new CertPathTrustManagerParameters(pkixParams)); // acquire X509 trust manager from factory TrustManager tms[] = tmf.getTrustManagers(); for (TrustManager tm : tms) { if (tm instanceof X509TrustManager) { trustManager = (X509TrustManager) tm; break; } }
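// Load the trust store. The stream is closed once the key store has parsed it (the
// original never closed it); the variable stays in scope for any later reference.
KeyStore ts = KeyStore.getInstance("JKS");
FileInputStream tfis = new FileInputStream(trustStorePath);
try {
    ts.load(tfis, trustStorePass.toCharArray());
} finally {
    tfis.close();
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

// Initialize certification path checking for the offered certificates, with revocation
// checks against CRLs.
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(
        PKIXRevocationChecker.Option.PREFER_CRLS,     // prefer CRL over OCSP
        PKIXRevocationChecker.Option.ONLY_END_ENTITY, // intermediate CA certificates are not status-checked
        PKIXRevocationChecker.Option.SOFT_FAIL,       // handshake should not fail when CRL is not available
        PKIXRevocationChecker.Option.NO_FALLBACK));   // don't fall back to OCSP checking
// With SOFT_FAIL a certificate whose status cannot be determined is accepted. The
// suppressed failures are available from rc.getSoftFailExceptions() after validation and
// should be logged so an unreachable CRL source does not go unnoticed.
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ts, new X509CertSelector());
pkixParams.addCertPathChecker(rc);
tmf.init(new CertPathTrustManagerParameters(pkixParams));

// init KeyManagerFactory — the snippet elides the arguments: kmf.init(...)

SSLContext ctx = SSLContext.getInstance("TLS");
// The original read `kmf.getKeyManagers)` — getKeyManagers() is a method call.
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);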
CertPathParameters params; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String) attributes.get("trustMaxCertLength"); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch (Exception ex) { logger.warning("Bad maxCertLength: " + trustLength);
/**
 * Builds PKIX trust-manager parameters whose path validation consults the CRL file at
 * {@code path}.
 *
 * <p>Revocation checking is switched on explicitly; the CRLs read from {@code path} are
 * added as a collection cert store only when the file yields at least one CRL.
 *
 * @param trustStore key store holding the trust anchors; must not be {@code null}
 * @param defaultTrustAnchors not used by this implementation
 * @return parameters for {@code TrustManagerFactory.init(ManagerFactoryParameters)}
 * @throws RuntimeException wrapping any I/O or security failure while reading the anchors
 *         or the CRL file; {@code checkArgument} rejects a missing path or trust store
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        Set<TrustAnchor> anchors = getTrustAnchorsFromKeyStore(trustStore);
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(anchors, new X509CertSelector());
        // Revocation has to be on for the CRLs to be consulted (same effect as
        // com.sun.net.ssl.checkRevocation, but scoped to these parameters).
        pbParams.setRevocationEnabled(true);

        Collection<? extends CRL> crls = loadCRL(path);
        boolean haveCrls = crls != null && !crls.isEmpty();
        if (haveCrls) {
            CollectionCertStoreParameters crlStoreParams = new CollectionCertStoreParameters(crls);
            pbParams.addCertStore(CertStore.getInstance("Collection", crlStoreParams));
        }
        // NOTE(review): when the file yields no CRL, revocation stays enabled with no local
        // CRL source; how validation then behaves depends on the provider's checker defaults
        // and the CRLDP/OCSP settings — confirm against the deployment.
        return new CertPathTrustManagerParameters(pbParams);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
/* Givens. */ InputStream trustStoreInput = ... char[] password = ... List<X509Certificate> chain = ... Collection<X509CRL> crls = ... /* Construct a valid path. */ KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType()); anchors.load(trustStoreInput, password); X509CertSelector target = new X509CertSelector(); target.setCertificate(chain.get(0)); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target); CertStoreParameters intermediates = new CollectionCertStoreParameters(chain) params.addCertStore(CertStore.getInstance("Collection", intermediates)); CertStoreParameters revoked = new CollectionCertStoreParameters(crls); params.addCertStore(CertStore.getInstance("Collection", revoked)); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); /* * If build() returns successfully, the certificate is valid. More details * about the valid path can be obtained through the PKIXBuilderResult. * If no valid path can be found, a CertPathBuilderException is thrown. */ PKIXBuilderResult r = (PKIXBuilderResult) builder.build(params);
X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(certList.get(0)); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker(); pbParams = new PKIXBuilderParameters(_trustStore, certSelect); } else { Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); pbParams = new PKIXBuilderParameters(trustAnchors, certSelect); pbParams.addCertPathChecker(revocationChecker); pbParams.setDate(date); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList))); pbParams.setMaxPathLength(_maxCertPathLength); pbParams.setRevocationEnabled(true); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls))); Security.setProperty("ocsp.enable","true"); CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
final CertStore certificates = CertStore.getInstance( "Collection", new CollectionCertStoreParameters( Arrays.asList( chain ) ) ); final PKIXBuilderParameters parameters = new PKIXBuilderParameters( trustAnchors, selector ); parameters.setDate( validPointInTime ); parameters.addCertStore( certificates ); parameters.setRevocationEnabled( false ); try pathBuilder = CertPathBuilder.getInstance( "PKIX", "BC" ); pathBuilder = CertPathBuilder.getInstance( "PKIX" ); final CertPathBuilderResult result = pathBuilder.build( parameters ); return result.getCertPath();
@Override public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) { try { CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker(); pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); } else { pkixParams = new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector()); pkixParams.addCertPathChecker(rc); return new CertPathTrustManagerParameters(pkixParams); } catch (GeneralSecurityException e) { throw new RuntimeException(e);
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { params.addCertStore(crlStore); } else { Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)"); params.setRevocationEnabled(false); CertPathBuilderResult cpbr = cpb.build(params); CertPath cp = cpbr.getCertPath(); if(JiveGlobals.getBooleanProperty("ocsp.enable",false)) { Log.debug("ClientTrustManager: OCSP requested"); OCSPChecker ocspChecker = new OCSPChecker(cp,params); params.addCertPathChecker(ocspChecker);
// Offer the known intermediates as the only extra certificate source for path building.
CertStore cstore = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));

// NOTE(review): the target is selected by subject name only, so any certificate in the
// stores carrying that subject can satisfy the selector; use setCertificate(...) when the
// exact end-entity certificate has to be the path target.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());

// Declared through the PKIXParameters supertype; revocation is left at the API default
// (enabled), with no CRL source added here.
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);
params.addCertStore(cstore);

CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
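/**
 * Validates that {@code x509Certificates} chains to one of the trust anchors configured in
 * {@code baseParameters}.
 *
 * <p>The chain is offered to the builder as a collection cert store and its first element
 * is pinned as the target, so a path must be found from that certificate to an anchor.
 * Every other PKIX setting (anchors, revocation, path length, extra checkers) is inherited
 * from a clone of {@code baseParameters}.
 *
 * @param x509Certificates the peer's chain, end-entity certificate first; must contain at
 *        least one element
 * @throws CertificateException if the chain is empty or no valid path can be built
 */
protected void validatePath(X509Certificate[] x509Certificates) throws CertificateException {
    // Guard before indexing so an empty chain surfaces as the documented exception rather
    // than an ArrayIndexOutOfBoundsException.
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new CertificateException("unable to process certificates: empty certificate chain");
    }
    try {
        CertStore certStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(x509Certificates)), pkixProvider);
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", pkixProvider);
        // Clone so the shared base constraints and parameters are never mutated.
        X509CertSelector constraints =
                (X509CertSelector) baseParameters.getTargetCertConstraints().clone();
        constraints.setCertificate(x509Certificates[0]);
        PKIXBuilderParameters param = (PKIXBuilderParameters) baseParameters.clone();
        param.addCertStore(certStore);
        param.setTargetCertConstraints(constraints);
        // build() throws when no valid path exists; the result object is not needed here.
        pathBuilder.build(param);
    } catch (GeneralSecurityException e) {
        throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
    }
}
}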
... CertificateFactory fac = CertificateFactory.getInstance("X.509"); FileInputStream is = new FileInputStream("client.crt"); Collection<? extends Certificate> intermediate; try { intermediate = fac.generateCertificates(is); } finally { is.close(); } X509Certificate client = null; for (Certificate c : intermediate) client = (X509Certificate) c; if (client == null) throw new IllegalArgumentException("Empty chain."); X509CertSelector t = new X509CertSelector(); t.setCertificate(client); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, t); CertStoreParameters store = new CollectionCertStoreParameters(intermediate); params.addCertStore(CertStore.getInstance("Collection", store)); params.setRevocationEnabled(false); ...
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(chain[chain.length - 1]); certSelector.setCertificateValid(null); PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); parameters.setRevocationEnabled(false); PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker(); parameters.addCertPathChecker(checker); } else if (!checkOCSP && checkCRL) { checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK); checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker); CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath();
// Validate the certificate stored under alias "mykey" against the configured anchors.
X509Certificate target = (X509Certificate) myKeyStore.getCertificate("mykey");
// NOTE(review): setCertificate(null) clears the constraint, so a missing alias would let
// the builder pick any target found in the cert store — make sure the alias exists.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(target);

PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);            // intermediates and/or CRLs supplied by the caller
cpp.setRevocationEnabled(true);  // no SOFT_FAIL option here: undeterminable status fails the build
cpp.setMaxPathLength(6);         // at most six non-self-issued intermediates
cpp.setDate(new Date());         // validate as of now (equivalent to the null default)

CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();