pkixParamsBuilder.setRevocationEnabled( true ); pkixParamsBuilder.addCertStore( CertStore.getInstance( "Collection", new CollectionCertStoreParameters( crls ) ) );
Collection<? extends CRL> crlList = loadCRL(crlPath); if (crlList != null) { pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
parameters.addCertStore( certificates );
CertStoreParameters csp = new CollectionCertStoreParameters(getCRLs(crlStream)); CertStore store = CertStore.getInstance("Collection", csp); params.addCertStore(store);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { params.addCertStore(crlStore); } else { Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)");
params.addCertStore( cs ); params.setDate( new Date() ); params.setRevocationEnabled( false );
pkixParams.addCertStore(intermediateCertStore);
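/**
 * Verifies that {@code cert} chains to the supplied {@code chain}.
 *
 * <p>The certificates in {@code chain} serve as the trust anchors and are also offered to the
 * PKIX builder as intermediates, so the check establishes only that the chain links together
 * back to one of those certificates; it does not establish that the chain is trusted by this
 * system. When {@code chain} is empty the certificate is expected to be self-signed and is
 * used as its own anchor. Revocation checking is deliberately disabled: no CRL or OCSP source
 * is configured here.
 *
 * @param chain issuing certificates for {@code cert}; may be {@code null} or empty
 * @param cert  the end-entity certificate to validate
 * @throws IllegalArgumentException if any certificate is not an {@link X509Certificate}
 * @throws IllegalStateException if no path from {@code cert} to an anchor can be built
 * @throws CloudRuntimeException if the "BC" provider is not installed
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    final X509Certificate leaf = requireX509(cert);

    // Everything the builder may use as an intermediate: the leaf plus the whole chain.
    final List<Certificate> certs = new ArrayList<Certificate>();
    certs.add(leaf);
    if (chain != null) {
        certs.addAll(chain);
    }

    // Anchors are the issuing certificates only. Anchoring the leaf itself would let the
    // builder "find" a zero-length path for any certificate, so the chain would never
    // actually be checked. A self-signed leaf with no chain is its own anchor.
    final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    if (chain != null) {
        for (final Certificate c : chain) {
            anchors.add(new TrustAnchor(requireX509(c), null));
        }
    }
    if (anchors.isEmpty()) {
        anchors.add(new TrustAnchor(leaf, null));
    }

    final X509CertSelector target = new X509CertSelector();
    target.setCertificate(leaf);
    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        // build() throws when no path exists; the result itself is not needed.
        builder.build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}

/**
 * Narrows a certificate to X.509, rejecting anything else with the same message the
 * chain check has always used.
 *
 * @param c certificate to check
 * @return {@code c} as an {@link X509Certificate}
 * @throws IllegalArgumentException if {@code c} is not an X.509 certificate
 */
private static X509Certificate requireX509(final Certificate c) {
    if (!(c instanceof X509Certificate)) {
        throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
    }
    return (X509Certificate) c;
}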
pkixParams.addCertStore(intermediateCertStore);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList))); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String) attributes.get("trustMaxCertLength");
/**
 * Builds PKIX trust-manager parameters that validate peer chains against {@code trustStore}
 * with revocation checking turned on, backed by the CRLs read from {@code path}.
 *
 * <p>Revocation stays enabled even when {@code loadCRL} yields nothing; in that case no CRL
 * store is attached and the validator has no local revocation data to consult.
 * {@code defaultTrustAnchors} is accepted for interface compatibility and is not used.
 *
 * @param trustStore          key store whose trusted entries become the PKIX anchors; required
 * @param defaultTrustAnchors ignored by this implementation
 * @return {@link CertPathTrustManagerParameters} wrapping the configured PKIX parameters
 * @throws IllegalArgumentException if {@code path} or {@code trustStore} is absent
 * @throws RuntimeException wrapping any {@link IOException} or {@link GeneralSecurityException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        Set<TrustAnchor> anchors = getTrustAnchorsFromKeyStore(trustStore);
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        // Same effect as the com.sun.net.ssl.checkRevocation switch, scoped to this factory.
        pkix.setRevocationEnabled(true);

        Collection<? extends CRL> crls = loadCRL(path);
        boolean haveCrls = crls != null && !crls.isEmpty();
        if (haveCrls) {
            CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
            pkix.addCertStore(CertStore.getInstance("Collection", crlParams));
        }
        return new CertPathTrustManagerParameters(pkix);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
pkixParams.addCertStore(intermediateCertStore);
/**
 * Creates a trust manager factory for {@code trustStore}, with CRL-based revocation checking
 * when {@code crls} is supplied.
 *
 * <p>With a non-null reader the factory is initialised through PKIX parameters that have
 * revocation enabled and a collection store holding the parsed CRLs; with a null reader it is
 * initialised from the key store alone and no revocation checking is configured. The reader
 * is not closed here. NOTE(review): if the reader yields no CRLs the store is empty and the
 * validator has no local revocation data — presumably paths then fail to validate; confirm.
 *
 * @param trustStore trust anchors for path validation
 * @param crls       PEM-encoded CRLs, or {@code null} to skip revocation checking
 * @return the initialised factory
 * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
 * @throws KeyStoreException if the key store cannot be read
 * @throws IOException if the CRL reader fails
 * @throws CRLException if the CRL data cannot be parsed
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 */
private static TrustManagerFactory getTrustManagerFactory(KeyStore trustStore, Reader crls)
        throws NoSuchAlgorithmException, KeyStoreException, IOException, CRLException,
        InvalidAlgorithmParameterException {
    String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    if (crls == null) {
        factory.init(trustStore);
        return factory;
    }
    PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    pkix.setRevocationEnabled(true);
    List<X509CRL> parsedCrls = pemToCRLs(crls);
    CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(parsedCrls);
    pkix.addCertStore(CertStore.getInstance("Collection", crlParams));
    factory.init(new CertPathTrustManagerParameters(pkix));
    return factory;
}
/**
 * Creates a trust manager factory for {@code trustStore}, with CRL-based revocation checking
 * when {@code crls} is supplied.
 *
 * <p>With a non-null reader the factory is initialised through PKIX parameters that have
 * revocation enabled and a collection store holding the parsed CRLs; with a null reader it is
 * initialised from the key store alone and no revocation checking is configured. The reader
 * is not closed here. NOTE(review): if the reader yields no CRLs the store is empty and the
 * validator has no local revocation data — presumably paths then fail to validate; confirm.
 *
 * @param trustStore trust anchors for path validation
 * @param crls       PEM-encoded CRLs, or {@code null} to skip revocation checking
 * @return the initialised factory
 * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
 * @throws KeyStoreException if the key store cannot be read
 * @throws IOException if the CRL reader fails
 * @throws CRLException if the CRL data cannot be parsed
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 */
private static TrustManagerFactory getTrustManagerFactory(KeyStore trustStore, Reader crls)
        throws NoSuchAlgorithmException, KeyStoreException, IOException, CRLException,
        InvalidAlgorithmParameterException {
    String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    if (crls == null) {
        factory.init(trustStore);
        return factory;
    }
    PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    pkix.setRevocationEnabled(true);
    List<X509CRL> parsedCrls = pemToCRLs(crls);
    CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(parsedCrls);
    pkix.addCertStore(CertStore.getInstance("Collection", crlParams));
    factory.init(new CertPathTrustManagerParameters(pkix));
    return factory;
}
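/**
 * Builds and validates a PKIX path from {@code x509Certificates[0]} to one of the trust
 * anchors configured in {@code baseParameters}, using the remaining array entries as
 * candidate intermediates.
 *
 * <p>{@code baseParameters} is cloned so the shared instance is never mutated; the clone
 * gains a collection store over the supplied certificates and a target selector pinned to
 * the end-entity certificate. Any PKIX failure is reported as a {@link CertificateException}.
 *
 * @param x509Certificates peer chain as received, end-entity certificate first
 * @throws CertificateException if the chain is missing or empty, or path building fails
 */
protected void validatePath(X509Certificate[] x509Certificates) throws CertificateException {
    if (x509Certificates == null || x509Certificates.length == 0) {
        // Report a missing chain as a validation failure rather than an index error.
        throw new CertificateException("unable to process certificates: empty certificate chain");
    }
    try {
        CertStore certStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(x509Certificates)), pkixProvider);
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", pkixProvider);

        // Narrow the base selector (when one is configured) to exactly the presented leaf.
        X509CertSelector constraints;
        if (baseParameters.getTargetCertConstraints() == null) {
            constraints = new X509CertSelector();
        } else {
            constraints = (X509CertSelector) baseParameters.getTargetCertConstraints().clone();
        }
        constraints.setCertificate(x509Certificates[0]);

        PKIXBuilderParameters param = (PKIXBuilderParameters) baseParameters.clone();
        param.addCertStore(certStore);
        param.setTargetCertConstraints(constraints);
        // build() throws on failure; its result is not needed here.
        pathBuilder.build(param);
    } catch (GeneralSecurityException e) {
        throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
    }
}
}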
/**
 * Builds PKIX trust-manager parameters that validate peer chains against {@code trustStore}
 * with revocation checking turned on, backed by the CRLs read from {@code path}.
 *
 * <p>Revocation stays enabled even when {@code loadCRL} yields nothing; in that case no CRL
 * store is attached and the validator has no local revocation data to consult.
 * {@code defaultTrustAnchors} is accepted for interface compatibility and is not used.
 *
 * @param trustStore          key store whose trusted entries become the PKIX anchors; required
 * @param defaultTrustAnchors ignored by this implementation
 * @return {@link CertPathTrustManagerParameters} wrapping the configured PKIX parameters
 * @throws IllegalArgumentException if {@code path} or {@code trustStore} is absent
 * @throws RuntimeException wrapping any {@link IOException} or {@link GeneralSecurityException}
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        Set<TrustAnchor> anchors = getTrustAnchorsFromKeyStore(trustStore);
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        // Same effect as the com.sun.net.ssl.checkRevocation switch, scoped to this factory.
        pkix.setRevocationEnabled(true);

        Collection<? extends CRL> crls = loadCRL(path);
        boolean haveCrls = crls != null && !crls.isEmpty();
        if (haveCrls) {
            CollectionCertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
            pkix.addCertStore(CertStore.getInstance("Collection", crlParams));
        }
        return new CertPathTrustManagerParameters(pkix);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
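/**
 * Validates that {@code inCerts.get(0)} chains to a trust anchor in {@code ks}.
 *
 * <p>The whole list is offered to the builder as candidate intermediates, the path length is
 * unlimited ({@code setMaxPathLength(-1)}) and revocation checking is disabled, so this
 * establishes chain-to-anchor trust only; no CRL or OCSP lookup is performed. The built path
 * is additionally run through a PKIX validator with the same parameters. Any failure,
 * including an empty list, surfaces as a {@link JoseException}.
 *
 * @param ks      trust store supplying the PKIX anchors
 * @param inCerts certificate chain, end-entity certificate first; must not be empty
 * @throws JoseException if the list is empty or the path cannot be built or validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        if (inCerts == null || inCerts.isEmpty()) {
            // Caught below and reported like any other validation failure.
            throw new IllegalArgumentException("Certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        // Include the cause so a failed handshake can be diagnosed from the log alone.
        LOG.warning("Certificate path validation error: " + ex.getMessage());
        throw new JoseException(ex);
    }
}
public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {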
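/**
 * Validates that {@code inCerts.get(0)} chains to a trust anchor in {@code ks}.
 *
 * <p>The whole list is offered to the builder as candidate intermediates, the path length is
 * unlimited ({@code setMaxPathLength(-1)}) and revocation checking is disabled, so this
 * establishes chain-to-anchor trust only; no CRL or OCSP lookup is performed. The built path
 * is additionally run through a PKIX validator with the same parameters. Any failure,
 * including an empty list, surfaces as a {@link JoseException}.
 *
 * @param ks      trust store supplying the PKIX anchors
 * @param inCerts certificate chain, end-entity certificate first; must not be empty
 * @throws JoseException if the list is empty or the path cannot be built or validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        if (inCerts == null || inCerts.isEmpty()) {
            // Caught below and reported like any other validation failure.
            throw new IllegalArgumentException("Certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);
        pbParams.setRevocationEnabled(false);
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        // Include the cause so a failed handshake can be diagnosed from the log alone.
        LOG.warning("Certificate path validation error: " + ex.getMessage());
        throw new JoseException(ex);
    }
}
public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {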