pkixParamsBuilder.setRevocationEnabled( true );
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); if (crlPath != null) { pkixParams.setRevocationEnabled(true); Collection<? extends CRL> crlList = loadCRL(crlPath); if (crlList != null) {
parameters.setRevocationEnabled( false );
} else { Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)"); params.setRevocationEnabled(false);
params.setRevocationEnabled(true); params.setMaxPathLength(maxCertPath);
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); if (crlEnabled || ocspEnabled) { pbParams.setRevocationEnabled(true); System.setProperty("com.sun.net.ssl.checkRevocation", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); pbParams.setRevocationEnabled(false);
params.addCertStore( cs ); params.setDate( new Date() ); params.setRevocationEnabled( false );
intermediateCerts.add(cert); pkixParams.setRevocationEnabled(false);
/**
 * Checks that {@code cert} together with {@code chain} forms a PKIX path the BC builder accepts.
 * <p>
 * Security note: every certificate handed in — the leaf included — is registered as a
 * {@link TrustAnchor}, so the path is never anchored in an external trust store. What this
 * establishes is that the supplied certificates are internally consistent as far as the
 * builder is concerned (the leaf being its own anchor is what lets self-signed certificates
 * pass); exactly which chains the BC builder accepts under that setup should be confirmed
 * before this is relied on as a trust decision. Revocation checking is explicitly disabled,
 * so no CRL or OCSP lookups are performed.
 *
 * @param chain issuer/intermediate certificates supplied alongside {@code cert}
 * @param cert  the end-entity certificate the path is built for
 * @throws IllegalArgumentException if any supplied certificate is not an {@link X509Certificate}
 * @throws IllegalStateException    if the PKIX builder cannot build a path from the given certificates
 * @throws CloudRuntimeException    if the "BC" provider is not installed
 */
private void validateChain(final List<Certificate> chain, final Certificate cert) {
    // Leaf first, then the rest; the leaf is also made an anchor so self-signed certs validate.
    final List<Certificate> candidates = new ArrayList<Certificate>();
    candidates.add(cert);
    candidates.addAll(chain);

    final Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (final Certificate candidate : candidates) {
        trustAnchors.add(new TrustAnchor(asX509(candidate), null));
    }

    final X509CertSelector leafSelector = new X509CertSelector();
    leafSelector.setCertificate((X509Certificate) cert);

    try {
        final PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, leafSelector);
        params.setRevocationEnabled(false); // NOTE: revoked certificates are not detected here
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        CertPathBuilder.getInstance("PKIX", "BC").build(params);
    } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("Invalid certificate chain", e);
    } catch (final NoSuchProviderException e) {
        throw new CloudRuntimeException("No provider for certificate validation", e);
    }
}

/** Narrows a generic {@link Certificate} to X.509, rejecting anything else. */
private static X509Certificate asX509(final Certificate candidate) {
    if (!(candidate instanceof X509Certificate)) {
        throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate");
    }
    return (X509Certificate) candidate;
}
intermediateCerts.add(cert); pkixParams.setRevocationEnabled(false);
CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String) attributes.get("trustMaxCertLength"); if (trustLength != null) {
pbParams.setRevocationEnabled(true);
/**
 * Builds {@link CertPathTrustManagerParameters} that validate peer chains against the
 * trust anchors taken from {@code trustStore}, with PKIX revocation checking switched on and
 * the CRLs read from the configured {@code path} as the revocation source.
 * <p>
 * Security note: revocation is enabled unconditionally, but a CRL store is only attached when
 * {@code loadCRL(path)} returns at least one CRL. If the file yields none, the trust manager
 * still requires revocation information for every chain, so handshakes are expected to fail
 * closed rather than silently skip the check — unless another revocation source (e.g. the JDK
 * CRLDP/OCSP properties) is configured elsewhere; confirm in the deployment. The
 * {@code defaultTrustAnchors} argument is not consulted; only the explicit trust store is.
 *
 * @param trustStore          key store whose trusted entries become the PKIX trust anchors; required
 * @param defaultTrustAnchors ignored by this implementation
 * @return trust-manager parameters carrying the PKIX builder configuration
 * @throws IllegalArgumentException if {@code path} or {@code trustStore} is missing
 * @throws RuntimeException         wrapping any I/O or security error raised while reading the
 *                                  trust store or the CRL file
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
                getTrustAnchorsFromKeyStore(trustStore), new X509CertSelector());
        // Programmatic counterpart of com.sun.net.ssl.checkRevocation, scoped to this trust manager.
        pkixParams.setRevocationEnabled(true);

        Collection<? extends CRL> loadedCrls = loadCRL(path);
        boolean haveCrls = loadedCrls != null && !loadedCrls.isEmpty();
        if (haveCrls) {
            CertStore crlStore = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(loadedCrls));
            pkixParams.addCertStore(crlStore);
        }
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
pbParams.setRevocationEnabled(true);
pkixParams.setRevocationEnabled(false);
/**
 * Creates a {@link TrustManagerFactory} backed by {@code trustStore}.
 * <p>
 * When {@code crls} is non-null the factory is initialised with PKIX parameters that have
 * revocation checking enabled and the PEM-encoded CRLs from the reader as the only CRL source
 * added here. When it is null the factory is initialised directly from the key store and this
 * method configures no revocation checking at all.
 * <p>
 * Security note: with revocation enabled and a fixed CRL collection, a chain whose issuer has
 * no matching CRL in {@code crls} (an empty or stale input included) is expected to be
 * rejected rather than waved through; if soft-fail behaviour is wanted it has to be configured
 * explicitly on the revocation checker. The reader is not closed here — the caller owns it.
 *
 * @param trustStore trust anchors for PKIX path building; required
 * @param crls       reader over PEM-encoded CRLs, or {@code null} to skip revocation setup
 * @return an initialised trust manager factory
 * @throws NoSuchAlgorithmException           if the default trust-manager algorithm or the
 *                                            "Collection" cert store is unavailable
 * @throws KeyStoreException                  if the trust store cannot be read
 * @throws IOException                        if reading the CRL data fails
 * @throws CRLException                       if the CRL data cannot be parsed
 * @throws InvalidAlgorithmParameterException if the PKIX or cert-store parameters are rejected
 */
private static TrustManagerFactory getTrustManagerFactory(KeyStore trustStore, Reader crls)
        throws NoSuchAlgorithmException, KeyStoreException, IOException, CRLException,
        InvalidAlgorithmParameterException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    if (crls == null) {
        // Plain trust-store initialisation: no revocation checking configured.
        tmf.init(trustStore);
        return tmf;
    }
    PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    pkix.setRevocationEnabled(true);
    List<X509CRL> parsedCrls = pemToCRLs(crls);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(parsedCrls));
    pkix.addCertStore(crlStore);
    tmf.init(new CertPathTrustManagerParameters(pkix));
    return tmf;
}
/**
 * Creates a {@link TrustManagerFactory} backed by {@code trustStore}.
 * <p>
 * When {@code crls} is non-null the factory is initialised with PKIX parameters that have
 * revocation checking enabled and the PEM-encoded CRLs from the reader as the only CRL source
 * added here. When it is null the factory is initialised directly from the key store and this
 * method configures no revocation checking at all.
 * <p>
 * Security note: with revocation enabled and a fixed CRL collection, a chain whose issuer has
 * no matching CRL in {@code crls} (an empty or stale input included) is expected to be
 * rejected rather than waved through; if soft-fail behaviour is wanted it has to be configured
 * explicitly on the revocation checker. The reader is not closed here — the caller owns it.
 *
 * @param trustStore trust anchors for PKIX path building; required
 * @param crls       reader over PEM-encoded CRLs, or {@code null} to skip revocation setup
 * @return an initialised trust manager factory
 * @throws NoSuchAlgorithmException           if the default trust-manager algorithm or the
 *                                            "Collection" cert store is unavailable
 * @throws KeyStoreException                  if the trust store cannot be read
 * @throws IOException                        if reading the CRL data fails
 * @throws CRLException                       if the CRL data cannot be parsed
 * @throws InvalidAlgorithmParameterException if the PKIX or cert-store parameters are rejected
 */
private static TrustManagerFactory getTrustManagerFactory(KeyStore trustStore, Reader crls)
        throws NoSuchAlgorithmException, KeyStoreException, IOException, CRLException,
        InvalidAlgorithmParameterException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    if (crls == null) {
        // Plain trust-store initialisation: no revocation checking configured.
        tmf.init(trustStore);
        return tmf;
    }
    PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    pkix.setRevocationEnabled(true);
    List<X509CRL> parsedCrls = pemToCRLs(crls);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(parsedCrls));
    pkix.addCertStore(crlStore);
    tmf.init(new CertPathTrustManagerParameters(pkix));
    return tmf;
}
/**
 * Builds {@link CertPathTrustManagerParameters} that validate peer chains against the
 * trust anchors taken from {@code trustStore}, with PKIX revocation checking switched on and
 * the CRLs read from the configured {@code path} as the revocation source.
 * <p>
 * Security note: revocation is enabled unconditionally, but a CRL store is only attached when
 * {@code loadCRL(path)} returns at least one CRL. If the file yields none, the trust manager
 * still requires revocation information for every chain, so handshakes are expected to fail
 * closed rather than silently skip the check — unless another revocation source (e.g. the JDK
 * CRLDP/OCSP properties) is configured elsewhere; confirm in the deployment. The
 * {@code defaultTrustAnchors} argument is not consulted; only the explicit trust store is.
 *
 * @param trustStore          key store whose trusted entries become the PKIX trust anchors; required
 * @param defaultTrustAnchors ignored by this implementation
 * @return trust-manager parameters carrying the PKIX builder configuration
 * @throws IllegalArgumentException if {@code path} or {@code trustStore} is missing
 * @throws RuntimeException         wrapping any I/O or security error raised while reading the
 *                                  trust store or the CRL file
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(path != null, "tls:crl-file requires the 'path' attribute");
    checkArgument(trustStore != null, "tls:crl-file requires a trust store");
    try {
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
                getTrustAnchorsFromKeyStore(trustStore), new X509CertSelector());
        // Programmatic counterpart of com.sun.net.ssl.checkRevocation, scoped to this trust manager.
        pkixParams.setRevocationEnabled(true);

        Collection<? extends CRL> loadedCrls = loadCRL(path);
        boolean haveCrls = loadedCrls != null && !loadedCrls.isEmpty();
        if (haveCrls) {
            CertStore crlStore = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(loadedCrls));
            pkixParams.addCertStore(crlStore);
        }
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(e);
    }
}
/**
 * Builds and validates a PKIX certification path for {@code inCerts.get(0)}, using the trusted
 * entries of {@code ks} as trust anchors and the whole of {@code inCerts} as the pool of
 * candidate intermediates.
 * <p>
 * Security notes: revocation checking is switched off, so a revoked certificate is still
 * accepted; the path length is unbounded ({@code setMaxPathLength(-1)}); and the first list
 * element is assumed to be the end-entity certificate. Every failure — an empty list included,
 * which fails on {@code get(0)} — is logged at WARNING without the exception text and rethrown
 * as {@link JoseException} with the original exception attached as cause.
 *
 * @param ks      key store whose trusted certificates anchor the path
 * @param inCerts candidate chain; element 0 is the certificate being validated
 * @throws JoseException if no valid path can be built or validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector leafSelector = new X509CertSelector();
        leafSelector.setCertificate(inCerts.get(0));

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(ks, leafSelector);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pkix.setMaxPathLength(-1);         // no limit on the number of intermediates
        pkix.setRevocationEnabled(false);  // NOTE: no CRL/OCSP checks are performed

        CertPath builtPath = CertPathBuilder.getInstance("PKIX").build(pkix).getCertPath();
        // Validate the built path explicitly with the same parameters.
        CertPathValidator.getInstance("PKIX").validate(builtPath, pkix);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}

public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {
/**
 * Builds and validates a PKIX certification path for {@code inCerts.get(0)}, using the trusted
 * entries of {@code ks} as trust anchors and the whole of {@code inCerts} as the pool of
 * candidate intermediates.
 * <p>
 * Security notes: revocation checking is switched off, so a revoked certificate is still
 * accepted; the path length is unbounded ({@code setMaxPathLength(-1)}); and the first list
 * element is assumed to be the end-entity certificate. Every failure — an empty list included,
 * which fails on {@code get(0)} — is logged at WARNING without the exception text and rethrown
 * as {@link JoseException} with the original exception attached as cause.
 *
 * @param ks      key store whose trusted certificates anchor the path
 * @param inCerts candidate chain; element 0 is the certificate being validated
 * @throws JoseException if no valid path can be built or validated
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        X509CertSelector leafSelector = new X509CertSelector();
        leafSelector.setCertificate(inCerts.get(0));

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(ks, leafSelector);
        pkix.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pkix.setMaxPathLength(-1);         // no limit on the number of intermediates
        pkix.setRevocationEnabled(false);  // NOTE: no CRL/OCSP checks are performed

        CertPath builtPath = CertPathBuilder.getInstance("PKIX").build(pkix).getCertPath();
        // Validate the built path explicitly with the same parameters.
        CertPathValidator.getInstance("PKIX").validate(builtPath, pkix);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}

public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {