TrustAnchor certificateAuthority = new TrustAnchor((X509Certificate) certificate, null); LOGGER.log(Level.FINE, "Add Certificate Authority {0}: {1}", new Object[]{cert, (certificateAuthority.getTrustedCert() == null ? null : certificateAuthority.getTrustedCert().getSubjectDN())}); anchors.add(certificateAuthority); } catch (IllegalArgumentException e) { TrustAnchor certificateAuthority = new TrustAnchor((X509Certificate) certificate, null); LOGGER.log(Level.FINE, "Add Certificate Authority {0}: {1}", new Object[]{cert, (certificateAuthority.getTrustedCert() == null ? null : certificateAuthority.getTrustedCert().getSubjectDN())}); anchors.add(certificateAuthority); } catch (IllegalArgumentException e) {
responderSubjectName = new X500Principal(ocspServerSubject); Iterator anchors = pkixParams.getTrustAnchors().iterator(); if (!anchors.hasNext()) { throw new CertPathValidatorException( currCert.getIssuerX500Principal(); while (anchors.hasNext() && (!haveIssuerCert || !haveResponderCert)) { X509Certificate anchorCert = anchor.getTrustedCert(); X500Principal anchorSubjectName = anchorCert.getSubjectX500Principal(); if (!haveIssuerCert && certIssuerName.equals(anchorSubjectName)) { responderSubjectName.equals(anchorSubjectName)) { throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN()); X509CertSelector filter = new X509CertSelector(); filter.setSubject(responderSubjectName.getName()); List<CertStore> certStores = pkixParams.getCertStores(); for (CertStore certStore : certStores) { Iterator i = certStore.getCertificates(filter).iterator();
Exception invalidKeyEx = null; X509CertSelector certSelectX509 = new X509CertSelector(); X500Principal certIssuer = getEncodedIssuerPrincipal(cert); certSelectX509.setSubject(certIssuer.getEncoded()); if (trust.getTrustedCert() != null) if (certSelectX509.match(trust.getTrustedCert())) trustPublicKey = trust.getTrustedCert().getPublicKey(); else if (trust.getCAName() != null && trust.getCAPublicKey() != null) X500Principal caName = new X500Principal(trust.getCAName()); if (certIssuer.equals(caName)) trustPublicKey = trust.getCAPublicKey();
/**
 * Looks up the trust anchor whose subject matches {@code cert}'s issuer and whose
 * public key actually verifies {@code cert}'s signature.
 *
 * <p>A subject-name match alone is not sufficient: several anchors may share one
 * subject (key rollover, cross-signing), so each candidate under that subject is
 * tried until one verifies the signature.
 *
 * @param cert the certificate whose issuer is being resolved
 * @return the anchor that signed {@code cert}, or {@code null} if none verifies
 */
public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuer = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> candidates = subjectToTrustAnchors.get(issuer);
        if (candidates == null) {
            return null;
        }
        for (TrustAnchor candidate : candidates) {
            if (signedBy(cert, candidate)) {
                return candidate;
            }
        }
    }
    return null;
}

/**
 * Returns whether {@code candidate}'s key (from its certificate, else its CA key)
 * verifies {@code cert}'s signature; any failure counts as "not signed by".
 */
private static boolean signedBy(X509Certificate cert, TrustAnchor candidate) {
    try {
        X509Certificate caCert = candidate.getTrustedCert();
        PublicKey key = (caCert != null) ? caCert.getPublicKey() : candidate.getCAPublicKey();
        cert.verify(key);
        return true;
    } catch (Exception ignored) {
        // verify() throwing means this anchor did not sign cert; the caller moves on
        return false;
    }
}
for (int i = nSize -1; i >= 0 ; i--) { X509Certificate x509certificate = x509Certificates[i]; Principal principalIssuer = x509certificate.getIssuerDN(); Principal principalSubject = x509certificate.getSubjectDN(); if (principalLast != null) { if (principalIssuer.equals(principalLast)) { try { PublicKey publickey = x509Certificates[i + 1].getPublicKey(); x509Certificates[i].verify(publickey); CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { X509Certificate trustedCert = cpvResult.getTrustAnchor().getTrustedCert(); if(trustedCert == null) { throw new CertificateException("certificate path failed: Trusted CA is NULL");
/**
 * Checks that the attribute certificate issuer is itself directly trusted.
 *
 * <p>An issuer is accepted when its subject in RFC 2253 form equals an anchor's CA
 * name, or when the issuer certificate equals an anchor's trusted certificate. Every
 * element of the set is examined, so a non-{@link TrustAnchor} element anywhere in it
 * still fails with a {@link ClassCastException}.
 *
 * @param acIssuerCert the attribute certificate issuer's certificate
 * @param trustedACIssuers the set of {@link TrustAnchor}s trusted to issue attribute certificates
 * @throws CertPathValidatorException if no anchor matches the issuer
 */
protected static void processAttrCert4(X509Certificate acIssuerCert, Set trustedACIssuers)
    throws CertPathValidatorException
{
    boolean issuerTrusted = false;
    for (Object element : trustedACIssuers) {
        TrustAnchor anchor = (TrustAnchor) element;
        String issuerSubject = acIssuerCert.getSubjectX500Principal().getName("RFC2253");
        boolean nameMatches = issuerSubject.equals(anchor.getCAName());
        boolean certMatches = acIssuerCert.equals(anchor.getTrustedCert());
        if (nameMatches || certMatches) {
            issuerTrusted = true;
        }
    }
    if (!issuerTrusted) {
        throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
    }
}
Iterator it = trustanchors.iterator(); X509CertSelector certSelectX509 = new X509CertSelector(); certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded()); byte[] ext = cert.getExtensionValue(Extension.authorityKeyIdentifier.getId()); AuthorityKeyIdentifier authID = AuthorityKeyIdentifier.getInstance(ASN1Primitive.fromByteArray(oct.getOctets())); certSelectX509.setSerialNumber(authID.getAuthorityCertSerialNumber()); byte[] keyID = authID.getKeyIdentifier(); if (keyID != null) if (trust.getTrustedCert() != null) if (certSelectX509.match(trust.getTrustedCert())) else if (trust.getCAName() != null && trust.getCAPublicKey() != null) X500Principal caName = new X500Principal(trust.getCAName()); if (certIssuer.equals(caName))
for (X509Certificate currentCertificate: chainCertificates) { if (CertificateChainVerificationUtil.isSelfSigned(currentCertificate)) { LOG.debug("Root: "+currentCertificate.getSubjectDN().getName()); rootCertificates.add(currentCertificate); } else { LOG.debug("Sub: "+currentCertificate.getSubjectDN().getName()); subCertificates.add(currentCertificate); X509CertSelector selector = new X509CertSelector(); selector.setCertificate(theCertificate); trustAnchors.add(new TrustAnchor(currentCertificate,null)); } catch (CertPathBuilderException e) { LOG.error("Exception: ",e); LOG.error("Cannot verify certification chain for "+theCertificate.getSubjectX500Principal());
public static List<? extends X509Certificate> getCertificateChain(X509Certificate client, KeyStore ks) throws CertificateChainNotFound{ try { CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector select = new X509CertSelector(); select.setSubject(client.getSubjectX500Principal().getEncoded()); while (enumeration.hasMoreElements()) { X509Certificate certificate = (X509Certificate) ks.getCertificate(enumeration.nextElement()); if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { if (isCertificateSelfSigned(certificate)) { trustanchors.add(new TrustAnchor((X509Certificate) certificate, null)); throw new CertificateChainNotFound("Não foi possivel gerar a cadeia de certificação", ex); } catch (CertPathBuilderException ex){ throw new CertificateChainNotFound("Não foi gerada a cadeia de certificação para o certificado com o subject: "+client.getSubjectX500Principal().getName());
X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setSubject(certs[0].getSubjectX500Principal()); params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs)))); params.setRevocationEnabled(false); CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath(); new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"), "2.16.840.1.113733.1.7.23.6" ); X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal(); System.out.println("[Debug] Found root DN: "+root.getName()); String policy = policies.get(root); if (policy != null)
Exception invalidKeyEx = null; X509CertSelector certSelectX509 = new X509CertSelector(); X500Name certIssuer = PrincipalUtils.getEncodedIssuerPrincipal(cert); certSelectX509.setSubject(certIssuer.getEncoded()); if (trust.getTrustedCert() != null) if (certSelectX509.match(trust.getTrustedCert())) trustPublicKey = trust.getTrustedCert().getPublicKey(); else if (trust.getCAName() != null && trust.getCAPublicKey() != null) if (certIssuer.equals(caName)) trustPublicKey = trust.getCAPublicKey();
public static boolean isLeafCertificateValid(KeyStore kstore, X509Certificate cert) throws LeafCertificateValidationException { try { CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector select = new X509CertSelector(); select.setSubject(cert.getSubjectX500Principal().getEncoded()); while (enumeration.hasMoreElements()) { X509Certificate certificate = (X509Certificate) kstore.getCertificate(enumeration.nextElement()); if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { if (isCertificateSelfSigned(certificate)) { trustanchors.add(new TrustAnchor((X509Certificate) certificate, null)); CertPathBuilderResult cpbr = pathBuilder.build(params); List<X509Certificate> path = (List<X509Certificate>) cpbr.getCertPath().getCertificates(); X509Certificate issuer = (path.size()< 2 ? ((TrustAnchor)trustanchors.iterator().next()).getTrustedCert() : path.get(1)); OCSPClient client = new OCSPClient(issuer, path.get(0));
trustAnchorSet.add(new TrustAnchor(archor, null)); PKIXParameters params = new PKIXParameters(trustAnchorSet); params.setRevocationEnabled(false); LOGGER.warn("Certificate " + certificate.getSubjectX500Principal().getName() + " is not trusted.", e);
/**
 * Finds the first anchor whose public key equals {@code cert}'s public key.
 *
 * <p>Despite the name, only the public key is compared; the subject is not checked.
 *
 * @param cert the certificate to look up
 * @param anchors the anchors to search, in iteration order
 * @return the first anchor carrying the same public key, or {@code null} if none does
 */
private static TrustAnchor findBySubjectAndPublicKey(X509Certificate cert, Collection<TrustAnchor> anchors) {
    PublicKey wanted = cert.getPublicKey();
    for (TrustAnchor candidate : anchors) {
        try {
            X509Certificate anchorCert = candidate.getTrustedCert();
            PublicKey anchorKey = (anchorCert != null)
                    ? anchorCert.getPublicKey()
                    : candidate.getCAPublicKey();
            if (anchorKey.equals(wanted)) {
                return candidate;
            }
        } catch (Exception e) {
            // an unsupported public key type can make the key access throw; skip this anchor
        }
    }
    return null;
}
}
/**
 * Logs the constructed PKIX cert path at debug level: the target certificate, each
 * certificate on the path, and the trust anchor the path was built to.
 *
 * @param buildResult the PKIX builder result holding the cert path and trust anchor
 * @param targetCert the untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate pathCert : buildResult.getCertPath().getCertificates()) {
        log.debug("CertPath certificate: {}",
                x500DNHandler.getName(((X509Certificate) pathCert).getSubjectX500Principal()));
    }
    // An anchor may carry a certificate, only a CA principal, or only a CA name string.
    TrustAnchor anchor = buildResult.getTrustAnchor();
    if (anchor.getTrustedCert() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getTrustedCert().getSubjectX500Principal()));
    } else if (anchor.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getCA()));
    } else {
        log.debug("TrustAnchor: {}", anchor.getCAName());
    }
}
/**
 * Adds {@code anchor} to the subject index, keyed by the trusted certificate's subject
 * (or by the anchor's CA principal when it carries no certificate).
 *
 * <p>A certificate already indexed under that subject is not added twice; anchors
 * without a certificate are always appended.
 *
 * @param anchor the trust anchor to index
 */
public void index(TrustAnchor anchor) {
    X509Certificate trustedCert = anchor.getTrustedCert();
    X500Principal key = (trustedCert != null) ? trustedCert.getSubjectX500Principal() : anchor.getCA();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> bucket = subjectToTrustAnchors.get(key);
        if (bucket == null) {
            bucket = new ArrayList<TrustAnchor>(1);
            subjectToTrustAnchors.put(key, bucket);
        } else if (trustedCert != null && containsCert(bucket, trustedCert)) {
            return;
        }
        bucket.add(anchor);
    }
}

/** Returns whether {@code bucket} already holds an anchor whose trusted certificate equals {@code cert}. */
private static boolean containsCert(List<TrustAnchor> bucket, X509Certificate cert) {
    for (TrustAnchor existing : bucket) {
        if (cert.equals(existing.getTrustedCert())) {
            return true;
        }
    }
    return false;
}
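/**
 * Derives a display name from the root authority's subject DN: "O, L, C" when an
 * organization attribute is present, otherwise the CN.
 *
 * @param rootAuthority the trust anchor the certificate chain was built to
 * @return the display name, or {@code null} when the anchor carries no certificate or
 *         its DN has neither O nor CN
 * @throws PaymentRequestException.PkiVerificationException declared to keep the original
 *         signature; this implementation does not throw it
 */
private @Nullable String getNameFromCert(TrustAnchor rootAuthority) throws PaymentRequestException.PkiVerificationException {
    if (rootAuthority.getTrustedCert() == null) {
        // A name-only anchor (CA name + public key) has no certificate to read a DN from.
        return null;
    }
    org.spongycastle.asn1.x500.X500Name name = new X500Name(rootAuthority.getTrustedCert().getSubjectX500Principal().getName());
    String commonName = null, org = null, location = null, country = null;
    for (RDN rdn : name.getRDNs()) {
        AttributeTypeAndValue pair = rdn.getFirst();
        // The attributes of interest are DirectoryStrings; an attribute encoded as some other
        // ASN.1 type is skipped instead of failing the whole lookup with a ClassCastException.
        if (!(pair.getValue() instanceof ASN1String)) {
            continue;
        }
        String val = ((ASN1String) pair.getValue()).getString();
        if (pair.getType().equals(RFC4519Style.cn)) {
            commonName = val;
        } else if (pair.getType().equals(RFC4519Style.o)) {
            org = val;
        } else if (pair.getType().equals(RFC4519Style.l)) {
            location = val;
        } else if (pair.getType().equals(RFC4519Style.c)) {
            country = val;
        }
    }
    if (org != null) {
        return Joiner.on(", ").skipNulls().join(org, location, country);
    } else {
        return commonName;
    }
}
}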
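/**
 * Adds {@code anchor} to the subject index, keyed by the trusted certificate's subject
 * (or by the anchor's CA principal when it carries no certificate).
 *
 * <p>Indexing the same certificate twice under a subject is a no-op: a duplicate entry
 * would only add a redundant candidate for every lookup on that subject. Anchors without
 * a certificate are always appended.
 *
 * @param anchor the trust anchor to index
 */
public void index(TrustAnchor anchor) {
    X509Certificate cert = anchor.getTrustedCert();
    X500Principal subject = (cert != null) ? cert.getSubjectX500Principal() : anchor.getCA();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject);
        if (anchors == null) {
            anchors = new ArrayList<TrustAnchor>(1);
            subjectToTrustAnchors.put(subject, anchors);
        } else if (cert != null) {
            // Avoid indexing the same certificate multiple times
            for (TrustAnchor entry : anchors) {
                if (cert.equals(entry.getTrustedCert())) {
                    return;
                }
            }
        }
        anchors.add(anchor);
    }
}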
new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"), "2.16.840.1.113733.1.7.23.6" ); X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal(); String policy = policies.get(root); if (policy == null)
X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(chain[chain.length - 1]); certSelector.setCertificateValid(null); PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator .validate(certPath, parameters); X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert(); Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());