@Override public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException { // Find and use the end entity as the selector for verification. final X509Certificate endEntityCert = CertificateUtils.identifyEndEntityCertificate( Arrays.asList( chain ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( endEntityCert ); try { checkChainTrusted( selector, chain ); } catch ( InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException ex ) { throw new CertificateException( ex ); } }
@Override public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException { // Find and use the end entity as the selector for verification. final X509Certificate endEntityCert = CertificateUtils.identifyEndEntityCertificate( Arrays.asList( chain ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( endEntityCert ); try { checkChainTrusted( selector, chain ); } catch ( InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException ex ) { throw new CertificateException( ex ); } }
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) {
selector.setCertificate( first );
/* Givens. */ InputStream trustStoreInput = ... char[] password = ... List<X509Certificate> chain = ... Collection<X509CRL> crls = ... /* Construct a valid path. */ KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType()); anchors.load(trustStoreInput, password); X509CertSelector target = new X509CertSelector(); target.setCertificate(chain.get(0)); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target); CertStoreParameters intermediates = new CollectionCertStoreParameters(chain) params.addCertStore(CertStore.getInstance("Collection", intermediates)); CertStoreParameters revoked = new CollectionCertStoreParameters(crls); params.addCertStore(CertStore.getInstance("Collection", revoked)); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); /* * If build() returns successfully, the certificate is valid. More details * about the valid path can be obtained through the PKIXBuilderResult. * If no valid path can be found, a CertPathBuilderException is thrown. */ PKIXBuilderResult r = (PKIXBuilderResult) builder.build(params);
selector.setCertificate(cert);
X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setCertificate(certificates.get(0)); // Here's the issue for PKCS7 certificates since they are not ordered, // but I havent figured out how I can see what the target certificate // (lowest level) is in the incoming certificates.. PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
private void validateChain(final List<Certificate> chain, final Certificate cert) { final List<Certificate> certs = new ArrayList<Certificate>(); final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(); certs.add(cert); // adding for self signed certs certs.addAll(chain); for (final Certificate c : certs) { if (!(c instanceof X509Certificate)) { throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate"); } final X509Certificate xCert = (X509Certificate)c; anchors.add(new TrustAnchor(xCert, null)); } final X509CertSelector target = new X509CertSelector(); target.setCertificate((X509Certificate)cert); PKIXBuilderParameters params = null; try { params = new PKIXBuilderParameters(anchors, target); params.setRevocationEnabled(false); params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs))); final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); builder.build(params); } catch (final InvalidAlgorithmParameterException | CertPathBuilderException | NoSuchAlgorithmException e) { throw new IllegalStateException("Invalid certificate chain", e); } catch (final NoSuchProviderException e) { throw new CloudRuntimeException("No provider for certificate validation", e); } }
selector.setCertificate(cert);
certSelect.setCertificate(certList.get(0));
selector.setCertificate(cert);
@Override public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException { // Find and use the end entity as the selector for verification. final X509Certificate endEntityCert = CertificateUtils.identifyEndEntityCertificate( Arrays.asList( chain ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( endEntityCert ); try { checkChainTrusted( selector, chain ); } catch ( InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException ex ) { throw new CertificateException( ex ); } }
@Override public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException { // Find and use the end entity as the selector for verification. final X509Certificate endEntityCert = CertificateUtils.identifyEndEntityCertificate( Arrays.asList( chain ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( endEntityCert ); try { checkChainTrusted( selector, chain ); } catch ( InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException ex ) { throw new CertificateException( ex ); } }
@Override public ValidationData getValidationData( List<X509Certificate> certChainFragment) throws ValidationDataException { try { X509CertSelector cs = new X509CertSelector(); cs.setCertificate(certChainFragment.get(0)); return this.certificateValidationProvider.validate(cs, new Date(), certChainFragment); } catch (XAdES4jException ex) { throw new ValidationDataException("Cannot validate certificate to obtain validation data", ex); } } }
... CertificateFactory fac = CertificateFactory.getInstance("X.509"); FileInputStream is = new FileInputStream("client.crt"); Collection<? extends Certificate> intermediate; try { intermediate = fac.generateCertificates(is); } finally { is.close(); } X509Certificate client = null; for (Certificate c : intermediate) client = (X509Certificate) c; if (client == null) throw new IllegalArgumentException("Empty chain."); X509CertSelector t = new X509CertSelector(); t.setCertificate(client); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, t); CertStoreParameters store = new CollectionCertStoreParameters(intermediate); params.addCertStore(CertStore.getInstance("Collection", store)); params.setRevocationEnabled(false); ...
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); final X509Certificate certificateToCheck = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes)); final KeyStore trustStore = KeyStore.getInstance("JKS"); InputStream keyStoreStream = ... trustStore.load(keyStoreStrem, "your password".toCharArray()); final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); final X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(certificateToCheck); final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector); final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters); final CertPath certPath = certPathBuilderResult.getCertPath(); final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); final PKIXParameters validationParameters = new PKIXParameters(trustStore); validationParameters.setRevocationEnabled(true); // if you want to check CRL final X509CertSelector keyUsageSelector = new X509CertSelector(); keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits validationParameters.setTargetCertConstraints(keyUsageSelector); final PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters); System.out.println(result);
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey")); PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector); cpp.addCertStore(cs); cpp.setRevocationEnabled(true); cpp.setMaxPathLength(6); cpp.setDate(new Date()); CertPathBuilderResult a = cpb.build(cpp); CertPath certPath = a.getCertPath();
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) { // Initial chain validation, to be enhanced as needed try { X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(inCerts.get(0)); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts))); pbParams.setMaxPathLength(-1); pbParams.setRevocationEnabled(false); CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); CertPath certPath = buildResult.getCertPath(); CertPathValidator.getInstance("PKIX").validate(certPath, pbParams); } catch (Exception ex) { LOG.warning("Certificate path validation error"); throw new JoseException(ex); } } public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) { // Initial chain validation, to be enhanced as needed try { X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(inCerts.get(0)); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts))); pbParams.setMaxPathLength(-1); pbParams.setRevocationEnabled(false); CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); CertPath certPath = buildResult.getCertPath(); CertPathValidator.getInstance("PKIX").validate(certPath, pbParams); } catch (Exception ex) { LOG.warning("Certificate path validation error"); throw new JoseException(ex); } } public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {
KeyStore trustAnchors = getTrustAnchors(); X509CertSelector target = new X509CertSelector(); target.setCertificate(signerCertificate); PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target); CertStoreParameters additionalCerts = new CollectionCertStoreParameters(allOtherCerts) params.addCertStore(CertStore.getInstance("Collection", additionalCerts)); CertStoreParameters revocationObjects = new CollectionCertStoreParameters(allCRLs); params.addCertStore(CertStore.getInstance("Collection", revocationObjects)); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params); /* if the build method returns without exception, the certificate chain is valid */