Package java.security.cert

Examples of java.security.cert.PKIXBuilderParameters


     * @return The parameters including the CRLs and TrustStore.
     */
    protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception {
        CertPathParameters params;
        // Only the PKIX branch is visible in this excerpt; the handling of other algorithms is cut off.
        if ("PKIX".equalsIgnoreCase(algorithm)) {
            // Trust anchors are the trusted-certificate entries of trustStore. The criteria-free
            // X509CertSelector places no constraint on which target certificate may be validated.
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            // getCRLs is defined outside this excerpt; presumably it loads the CRL file named by crlf.
            // NOTE(review): the CRLs are read once here, and nothing visible refreshes them, so
            // revocations published after this call are not seen until the parameters are rebuilt.
            Collection crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Revocation checking is on, with the static CRL store above as the only source configured here.
            // NOTE(review): a certificate whose issuer has no CRL in that store is expected to be rejected
            // unless OCSP or CRL distribution points are enabled elsewhere - confirm for the deployment.
            xparams.setRevocationEnabled(true);
            String trustLength = (String) attributes.get("trustMaxCertLength");
            if (trustLength != null) {
                try {
                    // setMaxPathLength: -1 means unlimited, values below -1 are rejected.
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch (Exception ex) {
                    // Covers both a non-numeric value and an out-of-range one. Only a warning is logged,
                    // and xparams keeps its previous limit (the JDK default is 5), so a mistyped
                    // restriction is silently not enforced.
                    logger.warning("Bad maxCertLength: " + trustLength);
                }
            }
            params = xparams;


                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        // Stays null unless the PKIX branch below runs; the rest of the method is outside this excerpt.
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            // Trust anchors come from the trusted-certificate entries in trustStore; the empty selector
            // accepts any X.509 target certificate.
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore,
                                                                     new X509CertSelector());
            // getCRLs is not shown here; presumably it parses the CRL file referenced by crlf.
            Collection crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Revocation checking is enabled against the in-memory CRL snapshot added above.
            // NOTE(review): no refresh of that snapshot is visible, so CRL freshness depends on how
            // often these parameters are rebuilt.
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get("trustMaxCertLength");
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    // A bad value is only logged; the path-length limit stays at its prior value
                    // (JDK default 5) instead of failing the configuration.
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        // Remains null for any algorithm other than PKIX, as far as this excerpt shows.
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            // The key store's trusted-certificate entries become the trust anchors; the selector
            // carries no matching criteria.
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            // getCRLs is defined elsewhere; presumably it loads CRLs from the location given by crlf.
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Revocation is checked against the statically loaded CRLs only; OCSP/CRLDP are not
            // configured in the visible code.
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get(
                    AbstractEndpoint.SSL_ATTR_TRUST_MAX_CERT_LENGTH);
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    // Catches NumberFormatException and the InvalidParameterException thrown for
                    // values below -1. The configured limit is then ignored with just a warning.
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        // Null unless the PKIX branch runs; what is returned for other algorithms is not visible here.
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            // Trust anchors: trusted-certificate entries of trustStore. Selector: unconstrained.
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            // getCRLs lives outside this excerpt; presumably it reads the CRL file named by crlf.
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Peer certificates are revocation-checked using the CRL collection captured above.
            // NOTE(review): that collection is a one-time snapshot as far as this code shows.
            xparams.setRevocationEnabled(true);
            // The limit arrives as a String from the endpoint configuration and is parsed below.
            String trustLength = endpoint.getTrustMaxCertLength();
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    // An invalid value does not abort setup: a warning is logged and the previous
                    // max path length (JDK default 5) stays in effect.
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        // Left null when algorithm is not PKIX (the non-PKIX path is outside this excerpt).
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            // Builds PKIX parameters whose trust anchors are the trusted entries of trustStore;
            // new X509CertSelector() matches any X.509 certificate.
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            // getCRLs is not part of this excerpt; presumably it returns the CRLs found at crlf.
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Revocation checking on; the "Collection" store above is the only CRL source set here.
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get(
                    AbstractEndpoint.SSL_ATTR_TRUST_MAX_CERT_LENGTH);
            if(trustLength != null) {
                try {
                    // -1 would remove the path-length limit entirely.
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    // Parse or range failure: logged at warn level, limit left unchanged.
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        // Only assigned inside the PKIX branch in the visible code.
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            // trustStore supplies the trust anchors; the selector imposes no target constraints.
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            // getCRLs is declared elsewhere; presumably it loads the CRLs referenced by crlf.
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            // Enables revocation checking, backed by the static CRL store registered above.
            // NOTE(review): confirm how certificates without a matching CRL should be treated, since
            // no OCSP or CRLDP fallback is configured in this excerpt.
            xparams.setRevocationEnabled(true);
            String trustLength = endpoint.getTrustMaxCertLength();
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    // The broad catch turns a misconfigured limit into a warning; validation then
                    // proceeds with the previous path-length limit rather than the intended one.
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

            log.debug("Attempting PKIX path validation on untrusted credential: {}",
                    X509Util.getIdentifiersToken(untrustedCredential, x500DNHandler));
        }       
       
        // The matching catch/finally is cut off in this excerpt.
        try {
            // All validation policy (anchors, depth, revocation, policies) is decided by this helper.
            PKIXBuilderParameters params = getPKIXBuilderParameters(validationInfo, untrustedCredential);

            log.trace("Building certificate validation path");

            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            // build() throws CertPathBuilderException when no path satisfying params can be built,
            // so reaching the next statement means a path to a trust anchor was found.
            PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);

        // Pin the selector to the credential's entity certificate so the builder can only produce
        // a path that ends in exactly this certificate.
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(untrustedCredential.getEntityCertificate());

        log.trace("Adding trust anchors to PKIX validator parameters");
        // trustAnchors is declared outside this excerpt.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        // The Integer is auto-unboxed for setMaxPathLength(int).
        // NOTE(review): a null return from getEffectiveVerificationDepth would cause a
        // NullPointerException here - confirm the helper never returns null.
        Integer effectiveVerifyDepth = getEffectiveVerificationDepth(validationInfo);
        log.trace("Setting max verification depth to: {} ", effectiveVerifyDepth);
        params.setMaxPathLength(effectiveVerifyDepth);

        CertStore certStore = buildCertStore(validationInfo, untrustedCredential);
        params.addCertStore(certStore);

        // Defaults used when options is not a CertPathPKIXValidationOptions: nothing is forced,
        // nothing is inhibited, and no initial policies are set.
        boolean isForceRevocationEnabled = false;
        boolean forcedRevocation = false;
        boolean policyMappingInhibited = false;
        boolean anyPolicyInhibited = false;
        Set<String> initialPolicies = null;
        if (options instanceof CertPathPKIXValidationOptions) {
           CertPathPKIXValidationOptions certpathOptions = (CertPathPKIXValidationOptions) options;
           isForceRevocationEnabled = certpathOptions.isForceRevocationEnabled();
           forcedRevocation = certpathOptions.isRevocationEnabled();
           policyMappingInhibited = certpathOptions.isPolicyMappingInhibited();
           anyPolicyInhibited = certpathOptions.isAnyPolicyInhibited();
           initialPolicies = certpathOptions.getInitialPolicies();
        }

        if (isForceRevocationEnabled) {
            // The configured value is applied as-is, so this branch can force revocation off as well as on.
            log.trace("PKIXBuilderParameters#setRevocationEnabled is being forced to: {}", forcedRevocation);
            params.setRevocationEnabled(forcedRevocation);
        } else {
            // Without a forced setting, revocation checking follows the presence of CRLs in the store.
            if (storeContainsCRLs(certStore)) {
                log.trace("At least one CRL was present in cert store, enabling revocation checking");
                params.setRevocationEnabled(true);
            } else {
                // Security-relevant default: with no CRLs supplied, revocation checking is switched off,
                // so a revoked certificate that otherwise chains to a trust anchor still passes. This is
                // logged only at trace level, so deployments needing revocation must force it via options.
                log.trace("No CRLs present in cert store, disabling revocation checking");
                params.setRevocationEnabled(false);
            }
        }

        params.setPolicyMappingInhibited(policyMappingInhibited);
        params.setAnyPolicyInhibited(anyPolicyInhibited);

        // A non-empty initial policy set also makes an explicit policy mandatory, so paths that
        // assert none of the listed policies are rejected.
        if (initialPolicies != null && !initialPolicies.isEmpty()) {
            log.debug("PKIXBuilderParameters#setInitialPolicies is being set to: {}", initialPolicies.toString());
            params.setInitialPolicies(initialPolicies);
            params.setExplicitPolicyRequired(true);
        }

        log.trace("PKIXBuilderParameters successfully created: {}", params.toString());

        return params;
    }

   
            // The path must end in the first certificate of certList.
            // NOTE(review): assumes certList is non-empty and ordered with the end-entity certificate
            // first; get(0) throws on an empty list - confirm against the caller.
            X509CertSelector certSelect = new X509CertSelector();
            certSelect.setCertificate(certList.get(0));

            // Configure certification path builder parameters
            // Trust comes only from trustStore. The certList store added next merely offers candidate
            // certificates for path building and does not make them trusted.
            PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, certSelect);
            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));

            // Set maximum certification path length
            pbParams.setMaxPathLength(maxCertPathLength);

            // Enable revocation checking
            pbParams.setRevocationEnabled(true);

            // Set static Certificate Revocation List
            // The CRLs are added only when some were supplied; revocation checking stays enabled either way.
            if (crls != null && !crls.isEmpty()) {
                pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            }

            // Enable On-Line Certificate Status Protocol (OCSP) support
            if (enableOCSP) {
                // "ocsp.enable" is a JVM-wide security property, not a setting on pbParams, so it
                // changes PKIX revocation behaviour for every validation in this process.
                Security.setProperty("ocsp.enable","true");

        // Stays null when no trust store is configured; how callers treat null is outside this excerpt.
        TrustManager[] managers = null;
        if (trustStore != null) {
            // Revocation checking is only supported for PKIX algorithm
            // Both conditions must hold. With peer validation off or a non-PKIX algorithm, none of
            // the path-length or revocation settings below are applied.
            // NOTE(review): getTrustManagerFactoryAlgorithm() is dereferenced directly - confirm it cannot be null.
            if (sslConfig.isValidatePeerCerts() &&
    sslConfig.getTrustManagerFactoryAlgorithm().equalsIgnoreCase("PKIX")) {
                // Trust anchors are the trusted entries of trustStore; the selector is unconstrained.
                PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
                // Set maximum certification path length
                pbParams.setMaxPathLength(sslConfig.getMaxCertPathLength());
                // Make sure revocation checking is enabled
                pbParams.setRevocationEnabled(true);

                // Static CRLs are optional; revocation checking remains enabled even when none are supplied.
                if (crls != null && !crls.isEmpty()) {
                    pbParams.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
                }

                if (sslConfig.isEnableCRLDP()) {
                    // Enable Certificate Revocation List Distribution Points (CRLDP) support
