// Path-building parameters rooted in trustStore. An X509CertSelector with no
// criteria set places no constraint on which certificate is the target.
PKIXBuilderParameters pkixParamsBuilder = new PKIXBuilderParameters( trustStore, new X509CertSelector() );
// A new PKIX parameter object already has revocation checking on; the explicit
// call states the intent and guards against it being switched off elsewhere.
// NOTE(review): no CRL CertStore or revocation checker is configured in this
// excerpt — confirm where revocation data is expected to come from.
pkixParamsBuilder.setRevocationEnabled( true );
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); if (crlPath != null) { pkixParams.setRevocationEnabled(true);
// PKIX path-building parameters: trustAnchors supplies the roots a path must end
// at, selector constrains the target certificate. Revocation checking is enabled
// on a new instance unless setRevocationEnabled(false) is called afterwards.
final PKIXBuilderParameters parameters = new PKIXBuilderParameters( trustAnchors, selector );
X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { params.addCertStore(crlStore);
checkMinimumParameter("maxCertPath", 1, maxCertPath); try { PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
// Path-building parameters: roots of trust come from store, target constraints
// from selector.
final PKIXBuilderParameters params = new PKIXBuilderParameters( store, selector );
// Additional lookup source consulted while building the path.
// NOTE(review): presumably cs holds intermediate certificates and/or CRLs — confirm.
// Entries in a CertStore are candidates only; they are not trusted by being listed.
params.addCertStore( cs );
// Validity periods are evaluated against the current time. This matches what PKIX
// does when no date is set, but makes the choice explicit.
params.setDate( new Date() );
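/* Givens. */
InputStream trustStoreInput = ...
char[] password = ...
List<X509Certificate> chain = ...
Collection<X509CRL> crls = ...

/* Construct a valid path. */
// Only certificates loaded into this key store can terminate a valid path.
KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
anchors.load(trustStoreInput, password);
// Pin the target to the certificate being validated (first element of the chain).
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
// The supplied chain is offered as untrusted candidates for intermediate links.
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
params.addCertStore(CertStore.getInstance("Collection", intermediates));
// Revocation checking is enabled by default on new PKIX parameters, so the CRLs
// supplied here are what the builder consults. They need to be current and to
// cover the issuers that appear in the path.
CertStoreParameters revoked = new CollectionCertStoreParameters(crls);
params.addCertStore(CertStore.getInstance("Collection", revoked));
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
/*
 * If build() returns successfully, the certificate is valid. More details
 * about the valid path can be obtained through the PKIXCertPathBuilderResult.
 * If no valid path can be found, a CertPathBuilderException is thrown.
 */
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);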
.build() .loadTrustStore(); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); if (crlEnabled || ocspEnabled) { pbParams.setRevocationEnabled(true);
// Parameters for PKIX path building: a path is accepted only if it ends at one of
// trustAnchors and its target satisfies selector. Revocation checking starts out
// enabled on a newly created instance.
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters( trustAnchors, selector);
X509CertSelector targetConstraints = new X509CertSelector();
// Treats the first certificate in the list as the one to validate.
targetConstraints.setCertificate(certificates.get(0));
// Known limitation noted by the original author: certificates taken from a PKCS#7
// bundle are not ordered, so index 0 is not guaranteed to be the target
// (lowest-level) certificate, and identifying it among the incoming certificates
// is unresolved here.
// NOTE(review): if the wrong certificate is pinned as the target, the path that
// gets validated is not the one for the intended end entity — confirm ordering
// upstream.
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); } else { pkixParams = new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector());
/**
 * Checks that {@code cert} and {@code chain} form an internally consistent X.509 path.
 *
 * <p>Every supplied certificate, including {@code cert} itself, is registered as a trust
 * anchor, and revocation checking is switched off. A successful return therefore means only
 * that a PKIX path could be built among the supplied certificates. It does not establish
 * that the chain leads to an independently trusted root, and it says nothing about
 * revocation. Callers that need a trust decision must validate against a separate trust
 * store.
 *
 * @param chain the remaining certificates of the chain; each must be an X.509 certificate
 * @param cert the certificate the path is built for; must be an X.509 certificate
 * @throws IllegalArgumentException if any supplied certificate is not an {@code X509Certificate}
 * @throws IllegalStateException if the path builder rejects the parameters or finds no path
 * @throws CloudRuntimeException if the "BC" provider is not available
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    // The certificate under test is included in the candidate list; the original
    // author notes this is for self-signed certificates.
    final List<Certificate> candidates = new ArrayList<>();
    candidates.add(cert);
    candidates.addAll(chain);

    // Each candidate becomes its own trust anchor: nothing outside the supplied
    // material is consulted for trust.
    final Set<TrustAnchor> selfAnchors = new HashSet<>();
    for (final Certificate candidate : candidates) {
        if (candidate instanceof X509Certificate) {
            selfAnchors.add(new TrustAnchor((X509Certificate) candidate, null));
        } else {
            throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
        }
    }

    final X509CertSelector leafSelector = new X509CertSelector();
    leafSelector.setCertificate((X509Certificate) cert);

    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(selfAnchors, leafSelector);
        // No CRL or OCSP lookups are made for this structural check.
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates)));
        CertPathBuilder.getInstance("PKIX", "BC").build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}
// trustAnchors defines which roots may terminate a path; selector narrows the
// target certificate. A new instance has revocation checking enabled by default.
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
CertPathParameters params; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls);
/**
 * Builds trust-manager parameters whose revocation checks go to one explicitly
 * configured OCSP responder.
 *
 * <p>The revocation checker is created with {@code NO_FALLBACK} only, so the fallback to
 * the other revocation mechanism is disabled. {@code SOFT_FAIL} is not set.
 * NOTE(review): with these options an unreachable responder is expected to fail the
 * handshake rather than be ignored — confirm this hard-fail behaviour is intended.
 *
 * @param trustStore key store supplying the trust anchors and, when {@code certAlias} is
 *     set, the responder's certificate; must not be null
 * @param defaultTrustAnchors not used by this implementation
 * @return parameters wrapping the PKIX settings, for a trust manager factory
 * @throws IllegalStateException if {@code certAlias} is set but is not a certificate entry
 * @throws RuntimeException wrapping any security or URI syntax failure
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");

    try {
        PKIXRevocationChecker revocationChecker =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));

        // The responder location comes from configuration and overrides whatever the
        // certificate itself advertises.
        if (url != null) {
            revocationChecker.setOcspResponder(new URI(url));
        }

        if (certAlias != null) {
            // Only a certificate entry is accepted as the responder certificate.
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            revocationChecker.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }

        PKIXBuilderParameters builderParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        builderParams.addCertPathChecker(revocationChecker);
        return new CertPathTrustManagerParameters(builderParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        throw new RuntimeException(e);
    }
}
// Roots of trust come from _trustStore; certSelect constrains which certificate
// the built path must be for.
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
// certList is offered as a lookup store for path building. Its entries are
// candidates only: being listed here does not make a certificate trusted, and a
// path is still accepted only if it ends at an anchor from _trustStore.
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
/**
 * Builds trust-manager parameters that check revocation against CRLs loaded from a file.
 *
 * @param trustStore key store the trust anchors are taken from; must not be null
 * @param defaultTrustAnchors not used by this implementation
 * @return parameters wrapping the PKIX settings, for a trust manager factory
 * @throws RuntimeException wrapping any I/O or security failure
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");

    try {
        PKIXBuilderParameters builderParams =
            new PKIXBuilderParameters(getTrustAnchorsFromKeyStore(trustStore), new X509CertSelector());

        // Make sure revocation checking is enabled (com.sun.net.ssl.checkRevocation)
        builderParams.setRevocationEnabled(true);

        Collection<? extends CRL> loadedCrls = loadCRL(path);
        boolean haveCrls = loadedCrls != null && !loadedCrls.isEmpty();
        if (haveCrls) {
            builderParams.addCertStore(
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(loadedCrls)));
        }
        // NOTE(review): when the file yields no CRLs, revocation stays enabled but no
        // CRL store is attached. The outcome then depends on which other revocation
        // sources the provider can reach — confirm an empty CRL file is surfaced to
        // the operator rather than passing unnoticed.

        return new CertPathTrustManagerParameters(builderParams);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
// Builder parameters for PKIX validation: paths must chain to trustAnchors and the
// target must match selector. Revocation checking is on by default for a new
// instance, so a revocation source has to be configured or the flag cleared
// deliberately.
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
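// Roots of trust: a path is accepted only if it ends at a certificate from this store.
KeyStore trustAnchors = getTrustAnchors();
// Pin the target to the signer's certificate.
X509CertSelector target = new X509CertSelector();
target.setCertificate(signerCertificate);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
// Remaining certificates are untrusted candidates for intermediate links.
CertStoreParameters additionalCerts = new CollectionCertStoreParameters(allOtherCerts);
params.addCertStore(CertStore.getInstance("Collection", additionalCerts));
// Revocation checking is enabled by default on new PKIX parameters; these CRLs are
// the revocation data offered to the builder.
// NOTE(review): confirm allCRLs is current and covers every issuer in the path.
CertStoreParameters revocationObjects = new CollectionCertStoreParameters(allCRLs);
params.addCertStore(CertStore.getInstance("Collection", revocationObjects));
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);
/* if the build method returns without exception, the certificate chain is valid */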