// PKIX parameters: trust anchors come from trustStore; an empty selector accepts any target certificate.
PKIXBuilderParameters pkixParamsBuilder = new PKIXBuilderParameters( trustStore, new X509CertSelector() );

// Revocation checking is switched on explicitly; the CRLs it needs are handed to the
// builder through a "Collection" CertStore rather than fetched from the network.
pkixParamsBuilder.setRevocationEnabled( true );
CollectionCertStoreParameters crlStoreParams = new CollectionCertStoreParameters( crls );
pkixParamsBuilder.addCertStore( CertStore.getInstance( "Collection", crlStoreParams ) );

// Hand the PKIX configuration to the trust manager factory.
trustManagerFactory.init( new CertPathTrustManagerParameters( pkixParamsBuilder ) );
X509CertSelector selector = new X509CertSelector(); selector.setCertificate(cert); PKIXBuilderParameters pkixParams = new PKIXBuilderParameters( trustAnchors, selector); intermediateCerts.add(cert); pkixParams.setRevocationEnabled(false); CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts), "BC"); pkixParams.addCertStore(intermediateCertStore); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); .build(pkixParams); LogUtil.writeLog("verify certificate chain succeed."); return true;
responderSubjectName = new X500Principal(ocspServerSubject); currCert.getIssuerX500Principal(); while (anchors.hasNext() && (!haveIssuerCert || !haveResponderCert)) { X509Certificate anchorCert = anchor.getTrustedCert(); X500Principal anchorSubjectName = anchorCert.getSubjectX500Principal(); if (!haveIssuerCert && certIssuerName.equals(anchorSubjectName)) { responderSubjectName.equals(anchorSubjectName)) { throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN()); X509CertSelector filter = new X509CertSelector(); filter.setSubject(responderSubjectName.getName()); Iterator i = certStore.getCertificates(filter).iterator(); if (i.hasNext()) { responderCert = (X509Certificate) i.next();
/**
 * Verifies a client certificate chain by locating its end-entity certificate and
 * asking {@code checkChainTrusted} to build a trusted PKIX path to it.
 *
 * @param chain    the certificate chain presented by the client
 * @param authType the authentication type; not consulted by this implementation
 * @throws CertificateException if the chain cannot be validated, or if the
 *                              underlying PKIX set-up fails (wrapped as the cause)
 */
@Override
public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
{
    // Pick the end entity explicitly instead of assuming it sits at chain[0].
    final X509Certificate endEntityCert = CertificateUtils.identifyEndEntityCertificate( Arrays.asList( chain ) );

    final X509CertSelector target = new X509CertSelector();
    target.setCertificate( endEntityCert );

    try
    {
        checkChainTrusted( target, chain );
    }
    catch ( InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException ex )
    {
        // TrustManager callers only expect CertificateException; keep the original as the cause.
        throw new CertificateException( ex );
    }
}
/* Givens. */ InputStream trustStoreInput = ... char[] password = ... List<X509Certificate> chain = ... Collection<X509CRL> crls = ... /* Construct a valid path. */ KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType()); anchors.load(trustStoreInput, password); X509CertSelector target = new X509CertSelector(); target.setCertificate(chain.get(0)); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target); CertStoreParameters intermediates = new CollectionCertStoreParameters(chain) params.addCertStore(CertStore.getInstance("Collection", intermediates)); CertStoreParameters revoked = new CollectionCertStoreParameters(crls); params.addCertStore(CertStore.getInstance("Collection", revoked)); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); /* * If build() returns successfully, the certificate is valid. More details * about the valid path can be obtained through the PKIXBuilderResult. * If no valid path can be found, a CertPathBuilderException is thrown. */ PKIXBuilderResult r = (PKIXBuilderResult) builder.build(params);
try first.checkValidity(); if ( chain.length == 1 && first.getSubjectX500Principal().equals( first.getIssuerX500Principal() ) ) final CertStore cs = CertStore.getInstance( "Collection", new CollectionCertStoreParameters( allCerts ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( first ); final PKIXBuilderParameters params = new PKIXBuilderParameters( store, selector ); params.addCertStore( cs ); params.setDate( new Date() ); params.setRevocationEnabled( false ); final CertPathBuilder pathBuilder = CertPathBuilder.getInstance( CertPathBuilder.getDefaultType() ); final CertPath cp = pathBuilder.build( params ).getCertPath();
certificate.checkValidity(); } catch (CertificateExpiredException e) { log.log(Level.SEVERE, "WSS1517.X509.expired", e); if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { return true; X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(certificate); parameters = new PKIXBuilderParameters(trustStore, certSelector); parameters.setRevocationEnabled(revocationEnabled); if (certStore != null) { parameters.addCertStore(certStore); } else { CertStore cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(certificate))); parameters.addCertStore(cs); if (certChainIssuer.equals(x509Cert.getSubjectX500Principal())) { certChainList.add(cert); if (x509Cert.getSubjectX500Principal().equals(x509Cert.getIssuerX500Principal())) { caFound = true; break;
for (int i = nSize -1; i >= 0 ; i--) { X509Certificate x509certificate = x509Certificates[i]; Principal principalIssuer = x509certificate.getIssuerDN(); Principal principalSubject = x509certificate.getSubjectDN(); if (principalLast != null) { if (principalIssuer.equals(principalLast)) { try { PublicKey publickey = x509Certificates[i + 1].getPublicKey(); x509Certificates[i].verify(publickey); CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { params.addCertStore(crlStore); } else { Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)"); params.setRevocationEnabled(false); CertPathBuilderResult cpbr = cpb.build(params); CertPath cp = cpbr.getCertPath(); if(JiveGlobals.getBooleanProperty("ocsp.enable",false)) {
public static List<? extends X509Certificate> getCertificateChain(X509Certificate client, KeyStore ks) throws CertificateChainNotFound{ try { CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector select = new X509CertSelector(); select.setSubject(client.getSubjectX500Principal().getEncoded()); while (enumeration.hasMoreElements()) { X509Certificate certificate = (X509Certificate) ks.getCertificate(enumeration.nextElement()); if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { if (isCertificateSelfSigned(certificate)) { trustanchors.add(new TrustAnchor((X509Certificate) certificate, null)); PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select); CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)); params.addCertStore(certStore); params.setRevocationEnabled(false); PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) pathBuilder.build(params); throw new CertificateChainNotFound("Não foi possivel gerar a cadeia de certificação", ex); } catch (CertPathBuilderException ex){ throw new CertificateChainNotFound("Não foi gerada a cadeia de certificação para o certificado com o subject: "+client.getSubjectX500Principal().getName());
if (isOwnedCert(certificate)) { if (logger.isDebugEnabled()) { logger.debug("Certificate with DN [" + certificate.getSubjectX500Principal().getName() + "] is in private keystore"); certificate.checkValidity(); logger.debug("Certificate with DN [" + certificate.getSubjectX500Principal().getName() + "] has expired"); logger.debug("Certificate with DN [" + certificate.getSubjectX500Principal().getName() + "] is not yet valid"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(certificate); try { parameters = createBuilderParameters(trustStore, certSelector); parameters.setRevocationEnabled(revocationEnabled); builder = CertPathBuilder.getInstance("PKIX"); builder.build(parameters);
Exception invalidKeyEx = null; X509CertSelector certSelectX509 = new X509CertSelector(); X500Principal certIssuer = getEncodedIssuerPrincipal(cert); certSelectX509.setSubject(certIssuer.getEncoded()); if (trust.getTrustedCert() != null) if (certSelectX509.match(trust.getTrustedCert())) trustPublicKey = trust.getTrustedCert().getPublicKey(); X500Principal caName = new X500Principal(trust.getCAName()); if (certIssuer.equals(caName))
X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setSubject(certs[0].getSubjectX500Principal()); PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints); params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs)))); params.setRevocationEnabled(false); CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath(); new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"), "2.16.840.1.113733.1.7.23.6" ); X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal(); System.out.println("[Debug] Found root DN: "+root.getName()); String policy = policies.get(root); if (policy != null)
Iterator it = trustanchors.iterator(); X509CertSelector certSelectX509 = new X509CertSelector(); certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded()); byte[] ext = cert.getExtensionValue(Extension.authorityKeyIdentifier.getId()); AuthorityKeyIdentifier authID = AuthorityKeyIdentifier.getInstance(ASN1Primitive.fromByteArray(oct.getOctets())); certSelectX509.setSerialNumber(authID.getAuthorityCertSerialNumber()); byte[] keyID = authID.getKeyIdentifier(); if (keyID != null) certSelectX509.setSubjectKeyIdentifier(new DEROctetString(keyID).getEncoded()); if (trust.getTrustedCert() != null) if (certSelectX509.match(trust.getTrustedCert())) X500Principal caName = new X500Principal(trust.getCAName()); if (certIssuer.equals(caName))
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(chain[chain.length - 1]); certSelector.setCertificateValid(null); PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector); parameters.setRevocationEnabled(false); CertPathBuilderResult pathResult = certPathBuilder.build(parameters); CertPath certPath = pathResult.getCertPath(); PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator throw new CertificateException("Certificate path failed"); } else { Log.debug("ClientTrustManager: Trusted CA: " + trustedCert.getSubjectDN());
throws AnnotatedException X509CertSelector selector = new X509CertSelector(); selector.setSubject(cert.getIssuerX500Principal().getEncoded());
.build() .loadTrustStore(); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); if (crlEnabled || ocspEnabled) { pbParams.setRevocationEnabled(true); System.setProperty("com.sun.net.ssl.checkRevocation", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); if (ocspEnabled) { Security.setProperty("ocsp.enable", "true"); pbParams.setRevocationEnabled(false); tmf.init(new CertPathTrustManagerParameters(pbParams));
throws AnnotatedException X509CertSelector selector = new X509CertSelector(); selector.setSubject(PrincipalUtils.getIssuerPrincipal(cert).getEncoded()); byte[] akiExtensionValue = cert.getExtensionValue(AUTHORITY_KEY_IDENTIFIER); if (akiExtensionValue != null) if (authorityKeyIdentifier != null) selector.setSubjectKeyIdentifier(new DEROctetString(authorityKeyIdentifier).getEncoded());
// Target the path at the certificate's subject name (any certificate with this subject
// that the builder can reach will satisfy the selector).
X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509certificate.getSubjectX500Principal());

// Revocation checking is left at the PKIXParameters default (enabled), so the builder
// also needs revocation data to be reachable for a path to be accepted.
PKIXParameters params = new PKIXBuilderParameters(store, certSelector);

// Intermediate certificates the builder may use to bridge from the target to a trust anchor.
CollectionCertStoreParameters intermediates =
        new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */));
CertStore cstore = CertStore.getInstance("Collection", intermediates);
params.addCertStore(cstore);

CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
@Override public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) { try { CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker(); pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); } else { pkixParams = new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector()); pkixParams.addCertPathChecker(rc); return new CertPathTrustManagerParameters(pkixParams); } catch (GeneralSecurityException e) { throw new RuntimeException(e);
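/**
 * Builds a PKIX certification path for the presented chain against a copy of the
 * configured base parameters; any failure to build one is reported as a
 * {@link CertificateException}.
 *
 * @param x509Certificates the presented chain; element 0 is used as the path target
 * @throws CertificateException if the chain is null or empty, or if path building
 *                              (or the underlying JCA set-up) fails
 */
protected void validatePath(X509Certificate[] x509Certificates) throws CertificateException {
    // An empty chain would otherwise surface as an ArrayIndexOutOfBoundsException below,
    // bypassing the CertificateException contract callers rely on.
    if (x509Certificates == null || x509Certificates.length == 0) {
        throw new CertificateException("unable to process certificates: empty certificate chain");
    }
    try {
        // Make the presented certificates available to the builder as intermediates.
        CollectionCertStoreParameters presented =
                new CollectionCertStoreParameters(Arrays.asList(x509Certificates));
        CertStore certStore = CertStore.getInstance("Collection", presented, pkixProvider);
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", pkixProvider);

        // Work on clones so the shared base parameters are never mutated per call.
        X509CertSelector constraints = (X509CertSelector) baseParameters.getTargetCertConstraints().clone();
        constraints.setCertificate(x509Certificates[0]);
        PKIXBuilderParameters param = (PKIXBuilderParameters) baseParameters.clone();
        param.addCertStore(certStore);
        param.setTargetCertConstraints(constraints);

        // Success is signalled by build() returning normally; the result is not inspected here.
        pathBuilder.build(param);
    } catch (GeneralSecurityException e) {
        throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
    }
}
}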