Package br.net.woodstock.rockframework.security.cert.impl

Source Code of br.net.woodstock.rockframework.security.cert.impl.PKIXCertificateVerifier

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/*
* This file is part of rockframework.
*
* rockframework is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* rockframework is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program.  If not, see <http://www.gnu.org/licenses/>;.
*/
package br.net.woodstock.rockframework.security.cert.impl;

import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import br.net.woodstock.rockframework.config.CoreLog;
import br.net.woodstock.rockframework.security.cert.CertificateException;
import br.net.woodstock.rockframework.security.cert.CertificateVerifier;
import br.net.woodstock.rockframework.util.Assert;

public class PKIXCertificateVerifier implements CertificateVerifier {

  private static final String  CERTSTORE_TYPE      = "Collection";

  private static final String  CERTPATH_TYPE      = "PKIX";

  private static final String  OSCP_ENABLE_PROPERTY  = "ocsp.enable";

  private static final String  OSCP_ENABLE_VALUE    = "true";

  private static final String  OSCP_URL_PROPERTY    = "ocsp.responderURL";

  private static final String  OSCP_SUBJECT_PROPERTY  = "ocsp.responderCertSubjectName";

  private OCSP        ocsp;

  public PKIXCertificateVerifier() {
    super();
  }

  public PKIXCertificateVerifier(final OCSP ocsp) {
    super();
    Assert.notNull(ocsp, "ocsp");
    this.ocsp = ocsp;
  }

  @Override
  public boolean verify(final Certificate[] chain) {
    Assert.notEmpty(chain, "chain");
    if (chain.length < 2) {
      CoreLog.getInstance().getLog().info("Certificate chain must be greater than 1(certificate and issuer certificate)");
      return false;
    }
    try {
      PKIXCertPathValidatorResult validatorResult = this.getValidatorResult(chain);

      // CoreLog.getInstance().getLog().info("Result: " + validatorResult);

      return true;
    } catch (CertPathBuilderException e) {
      CoreLog.getInstance().getLog().info("Validation error: " + e.getMessage());
      return false;
    } catch (Exception e) {
      throw new CertificateException(e);
    }
  }

  protected PKIXCertPathValidatorResult getValidatorResult(final Certificate[] chain) throws GeneralSecurityException {
    X509Certificate certificate = (X509Certificate) chain[0];
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(certificate);

    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    if (chain.length > 1) {
      for (int i = 1; i < chain.length; i++) {
        trustAnchors.add(new TrustAnchor((X509Certificate) chain[i], null));
      }
    }

    PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParameters.setRevocationEnabled(false);

    if (chain.length > 1) {
      List<Certificate> list = new ArrayList<Certificate>();
      for (int i = 1; i < chain.length; i++) {
        list.add(chain[i]);
      }
      CertStore intermediateCertStore = CertStore.getInstance(PKIXCertificateVerifier.CERTSTORE_TYPE, new CollectionCertStoreParameters(list));
      pkixParameters.addCertStore(intermediateCertStore);
    }

    if (this.ocsp != null) {
      Security.setProperty(PKIXCertificateVerifier.OSCP_ENABLE_PROPERTY, PKIXCertificateVerifier.OSCP_ENABLE_VALUE);
      Security.setProperty(PKIXCertificateVerifier.OSCP_URL_PROPERTY, this.ocsp.getUrl());
      Security.setProperty(PKIXCertificateVerifier.OSCP_SUBJECT_PROPERTY, ((X509Certificate) this.ocsp.getCertificate()).getSubjectX500Principal().getName());
    }

    CertPathBuilder builder = CertPathBuilder.getInstance(PKIXCertificateVerifier.CERTPATH_TYPE);
    PKIXCertPathBuilderResult builderResult = (PKIXCertPathBuilderResult) builder.build(pkixParameters);
    CertPathValidator validator = CertPathValidator.getInstance(PKIXCertificateVerifier.CERTPATH_TYPE);
    PKIXCertPathValidatorResult validatorResult = (PKIXCertPathValidatorResult) validator.validate(builderResult.getCertPath(), pkixParameters);
    return validatorResult;
  }

}
TOP

Related Classes of br.net.woodstock.rockframework.security.cert.impl.PKIXCertificateVerifier

  • java.security.PublicKey
  • java.security.cert.TrustAnchor
  • java.security.cert.CertPathValidator
  • java.security.cert.CertPathBuilder
  • java.security.cert.PKIXCertPathBuilderResult
  • java.security.cert.X509CertSelector
  • java.security.cert.CertStore
  • br.net.woodstock.rockframework.security.cert.CertificateException
  • java.security.cert.PKIXBuilderParameters
  • java.security.cert.X509Certificate
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.