Examples of PKIXBuilderParameters

java.security.cert.PKIXBuilderParameters
Parameters used as input for the PKIX {@code CertPathBuilder}algorithm.
A PKIX {@code CertPathBuilder} uses these parameters to {@link CertPathBuilder#build build} a {@code CertPath} which has beenvalidated according to the PKIX certification path validation algorithm.
To instantiate a {@code PKIXBuilderParameters} object, anapplication must specify one or more most-trusted CAs as defined by the PKIX certification path validation algorithm. The most-trusted CA can be specified using one of two constructors. An application can call {@link #PKIXBuilderParameters(Set,CertSelector) PKIXBuilderParameters(Set, CertSelector)}, specifying a {@code Set} of {@code TrustAnchor} objects, each of whichidentifies a most-trusted CA. Alternatively, an application can call {@link #PKIXBuilderParameters(KeyStore,CertSelector) PKIXBuilderParameters(KeyStore, CertSelector)}, specifying a {@code KeyStore} instance containing trusted certificate entries, eachof which will be considered as a most-trusted CA.
In addition, an application must specify constraints on the target certificate that the {@code CertPathBuilder} will attemptto build a path to. The constraints are specified as a {@code CertSelector} object. These constraints should provide the{@code CertPathBuilder} with enough search criteria to find the targetcertificate. Minimal criteria for an {@code X509Certificate} usuallyinclude the subject name and/or one or more subject alternative names. If enough criteria is not specified, the {@code CertPathBuilder}may throw a {@code CertPathBuilderException}.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize. @see CertPathBuilder @since 1.4 @author Sean Mullan

Examples of java.security.cert.PKIXBuilderParameters

            List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
            List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
            Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
            CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
            CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
            pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
            pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
            pkixParams.setRevocationEnabled(false);
            
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            CertPath certPath = builder.build(pkixParams).getCertPath();
            
            // Now validate the CertPath (including CRL checking)
            if (enableRevocation) {
                List<X509CRL> crls = certRepo.getCRLs();
                if (!crls.isEmpty()) {
                    pkixParams.setRevocationEnabled(true);
                    CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                    pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
                }
            }
                
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            validator.validate(certPath, pkixParams);

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

                                                String crlf,
                                                KeyStore trustStore)
        throws Exception {
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            xparams.setRevocationEnabled(true);
            String trustLength = endpoint.getTrustMaxCertLength();
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

        }


        // Prepare to build a certificate path.
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);
        PKIXBuilderParameters parameters = new PKIXBuilderParameters(anchors, selector);
        parameters.setMaxPathLength(-1);
        parameters.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.singletonList(certificate))));
        if (intermediateCertificates != null) {
            parameters.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediateCertificates)));
        }
        parameters.setRevocationEnabled(false);


        // Build a certificate path.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath path = builder.build(parameters).getCertPath();


        if (disableRevocationCheck) {
            // Disable revocatin check.
            parameters.setRevocationEnabled(false);
        } else {
            // Enable revocation check.
            parameters.setRevocationEnabled(true);


            // Select a method to check revocation status.
            boolean useOCSP = OCSPClient.getOCSPURLs(certificate).size() > 0;
            boolean useCRL = CRLDownloader.getCRLDistributionPoints(certificate).size() > 0;
            if (!useOCSP && !useCRL) {
                throw new NoRevocationStatusException(
                    String.format(messages.getString(
                    "Certificate_has_no_method_to_verify_revocation_status__%s"),
                    CertificateValidator.getCertificateName(certificate)));
            }


            // Select online or offline revocation check.
            if (date == null) {
                // Enable online revocation check.
                Security.setProperty("ocsp.enable", "true");


                // Correct problem with enableCRLDP system property.
                // Once enableCRLDP is true, it cannot be disabled.
                // Must manually download all CRLs.
                System.setProperty("com.sun.security.enableCRLDP", "false");


                // Download manually CRLs.
                Collection<? extends Certificate> certificates = path.getCertificates();
                ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
                for (Certificate c : certificates) {
                    X509CRL crl = CRLDownloader.getCRL((X509Certificate) c);
                    if (crl != null) {
                        crls.add(crl);
                    }
                }
                parameters.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));


            } else {
                // Enable validation on a previous date.
                parameters.setDate(date.getTime());


                // Disable online revocation check.
                Security.setProperty("ocsp.enable", "false");
                System.setProperty("com.sun.security.enableCRLDP", "false");


                // Determine the issuer certificate.
                X509Certificate issuerCertificate = null;
                if (path.getCertificates().size() > 1) {
                    // Assign the next certificate in chain as the issuer.
                    issuerCertificate = (X509Certificate) path.getCertificates().get(1);
                } else {
                    // Check if a root certificate is the issuer.
                    for (X509Certificate rootCertificate : rootCertificates) {
                        try {
                            certificate.verify(rootCertificate.getPublicKey());
                            issuerCertificate = rootCertificate;
                            break;
                        } catch (Exception exception) {
                            // Try the next root certificate.
                            continue;
                        }
                    }
                }


                // Perform offline revocation check using stored OCSP responses.
                if (useOCSP) {
                    // Check if offline OCSP responses were provided.
                    if (ocspResponses == null) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "No_OCSP_response_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }


                    // Disable standard online revocation check.
                    parameters.setRevocationEnabled(false);


                    // Verify the certificate using OCSP responses.
                    OCSPVerifier verifier = new OCSPVerifier(null, (ArrayList<BasicOCSPResp>) ocspResponses);
                    verifier.setOnlineCheckingAllowed(false);
                    if (verifier.verify(certificate, issuerCertificate, date.getTime()).size() == 0) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "Could_not_find_a_valid_OCSP_response_for_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }


                // Enable offline revocation check using CRL.
                } else if (useCRL) {
                    // Check if CRLs were provided.
                    if (certificateRevocationLists == null) {
                        throw new NoCRLException(
                            String.format(messages.getString(
                            "No_certificate_revocation_list_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }


                    // Add CRLs to perform offline revocation check.
                    parameters.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(certificateRevocationLists)));
                }


                // If it is necessary to verify OCSP responses offline,
                // validate recursively the certificate chain.

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

            log.debug("Attempting PKIX path validation on untrusted credential: {}",
                    X509Util.getIdentifiersToken(untrustedCredential, x500DNHandler));
        }        
        
        try {
            PKIXBuilderParameters params = getPKIXBuilderParameters(validationInfo, untrustedCredential);


            log.trace("Building certificate validation path");


            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters


        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(untrustedCredential.getEntityCertificate());


        log.trace("Adding trust anchors to PKIX validator parameters");
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);


        Integer effectiveVerifyDepth = getEffectiveVerificationDepth(validationInfo);
        log.trace("Setting max verification depth to: {} ", effectiveVerifyDepth);
        params.setMaxPathLength(effectiveVerifyDepth);


        CertStore certStore = buildCertStore(validationInfo, untrustedCredential);
        params.addCertStore(certStore);


        boolean isForceRevocationEnabled = false;
        boolean forcedRevocation = false;
        if (options instanceof CertPathPKIXValidationOptions) {
           CertPathPKIXValidationOptions certpathOptions = (CertPathPKIXValidationOptions) options;
           isForceRevocationEnabled = certpathOptions.isForceRevocationEnabled();
           forcedRevocation = certpathOptions.isRevocationEnabled();
        }
        
        if (isForceRevocationEnabled) {
            log.trace("PKIXBuilderParameters#setRevocationEnabled is being forced to: {}", forcedRevocation);
            params.setRevocationEnabled(forcedRevocation);
        } else {
            if (storeContainsCRLs(certStore)) {
                log.trace("At least one CRL was present in cert store, enabling revocation checking");
                params.setRevocationEnabled(true);
            } else {
                log.trace("No CRLs present in cert store, disabling revocation checking");
                params.setRevocationEnabled(false);
            }
        }


        return params;
    }

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

            List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
            List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
            Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
            CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
            CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
            pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
            pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
            pkixParams.setRevocationEnabled(false);
            
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            CertPath certPath = builder.build(pkixParams).getCertPath();
            
            // Now validate the CertPath (including CRL checking)
            if (enableRevocation) {
                List<X509CRL> crls = certRepo.getCRLs();
                if (!crls.isEmpty()) {
                    pkixParams.setRevocationEnabled(true);
                    CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
                    pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
                }
            }
                
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            validator.validate(certPath, pkixParams);

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

                                                String crlf, 
                                                KeyStore trustStore)
        throws Exception {
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, 
                                                                     new X509CertSelector());
            Collection crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get("trustMaxCertLength");
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

                                                String crlf, 
                                                KeyStore trustStore)
        throws Exception {
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, 
                                                                     new X509CertSelector());
            Collection crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            xparams.setRevocationEnabled(true);
            String trustLength = (String)attributes.get("trustMaxCertLength");
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

        }


        final CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        X509CertSelector targetConstraints = new X509CertSelector();
        targetConstraints.setCertificate(signerCert);
        PKIXBuilderParameters cpbParams =
            new PKIXBuilderParameters(anchors, targetConstraints);


        cpbParams.addCertStore(certs);
        cpbParams.setRevocationEnabled(false);


        // Build path
        PKIXCertPathBuilderResult cpbResult =
            (PKIXCertPathBuilderResult) cpb.build(cpbParams);
        CertPath certPath = cpbResult.getCertPath();

View Full Code Here

Examples of java.security.cert.PKIXBuilderParameters

                                                String crlf, 
                                                KeyStore trustStore)
        throws Exception {
        CertPathParameters params = null;
        if("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters xparams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            Collection<? extends CRL> crls = getCRLs(crlf);
            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
            CertStore store = CertStore.getInstance("Collection", csp);
            xparams.addCertStore(store);
            xparams.setRevocationEnabled(true);
            String trustLength = endpoint.getTrustMaxCertLength();
            if(trustLength != null) {
                try {
                    xparams.setMaxPathLength(Integer.parseInt(trustLength));
                } catch(Exception ex) {
                    log.warn("Bad maxCertLength: "+trustLength);
                }
            }

View Full Code Here

0 1 2 3 4 5

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.