Package java.security.cert

Examples of java.security.cert.CertPath


      // perhaps by letting them pass in PKIXCertPathCheckers. This can also be
      // useful to check for Wave-specific certificate extensions.

      CertificateFactory certFactory = CertificateFactory.getInstance(
          CERTIFICATE_TYPE);
      CertPath certPath = certFactory.generateCertPath(certs);
      validator.validate(certPath, params);
    } catch (GeneralSecurityException e) {
      throw new SignatureException("Certificate validation failure", e);
    }
  }
View Full Code Here


        }
       
        try {
            // Generate cert path
            List<X509Certificate> certList = Arrays.asList(x509certs);
            CertPath path = getCertificateFactory().generateCertPath(certList);

            Set<TrustAnchor> set = new HashSet<TrustAnchor>();
            if (truststore != null) {
                Enumeration<String> truststoreAliases = truststore.aliases();
                while (truststoreAliases.hasMoreElements()) {
View Full Code Here

        }
        parameters.setRevocationEnabled(false);

        // Build a certificate path.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        CertPath path = builder.build(parameters).getCertPath();

        if (disableRevocationCheck) {
            // Disable revocatin check.
            parameters.setRevocationEnabled(false);
        } else {
            // Enable revocation check.
            parameters.setRevocationEnabled(true);

            // Select a method to check revocation status.
            boolean useOCSP = OCSPClient.getOCSPURLs(certificate).size() > 0;
            boolean useCRL = CRLDownloader.getCRLDistributionPoints(certificate).size() > 0;
            if (!useOCSP && !useCRL) {
                throw new NoRevocationStatusException(
                    String.format(messages.getString(
                    "Certificate_has_no_method_to_verify_revocation_status__%s"),
                    CertificateValidator.getCertificateName(certificate)));
            }

            // Select online or offline revocation check.
            if (date == null) {
                // Enable online revocation check.
                Security.setProperty("ocsp.enable", "true");

                // Correct problem with enableCRLDP system property.
                // Once enableCRLDP is true, it cannot be disabled.
                // Must manually download all CRLs.
                System.setProperty("com.sun.security.enableCRLDP", "false");

                // Download manually CRLs.
                Collection<? extends Certificate> certificates = path.getCertificates();
                ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
                for (Certificate c : certificates) {
                    X509CRL crl = CRLDownloader.getCRL((X509Certificate) c);
                    if (crl != null) {
                        crls.add(crl);
                    }
                }
                parameters.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));

            } else {
                // Enable validation on a previous date.
                parameters.setDate(date.getTime());

                // Disable online revocation check.
                Security.setProperty("ocsp.enable", "false");
                System.setProperty("com.sun.security.enableCRLDP", "false");

                // Determine the issuer certificate.
                X509Certificate issuerCertificate = null;
                if (path.getCertificates().size() > 1) {
                    // Assign the next certificate in chain as the issuer.
                    issuerCertificate = (X509Certificate) path.getCertificates().get(1);
                } else {
                    // Check if a root certificate is the issuer.
                    for (X509Certificate rootCertificate : rootCertificates) {
                        try {
                            certificate.verify(rootCertificate.getPublicKey());
                            issuerCertificate = rootCertificate;
                            break;
                        } catch (Exception exception) {
                            // Try the next root certificate.
                            continue;
                        }
                    }
                }

                // Perform offline revocation check using stored OCSP responses.
                if (useOCSP) {
                    // Check if offline OCSP responses were provided.
                    if (ocspResponses == null) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "No_OCSP_response_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                    // Disable standard online revocation check.
                    parameters.setRevocationEnabled(false);

                    // Verify the certificate using OCSP responses.
                    OCSPVerifier verifier = new OCSPVerifier(null, (ArrayList<BasicOCSPResp>) ocspResponses);
                    verifier.setOnlineCheckingAllowed(false);
                    if (verifier.verify(certificate, issuerCertificate, date.getTime()).size() == 0) {
                        throw new NoOCSPResponseException(
                            String.format(messages.getString(
                            "Could_not_find_a_valid_OCSP_response_for_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                // Enable offline revocation check using CRL.
                } else if (useCRL) {
                    // Check if CRLs were provided.
                    if (certificateRevocationLists == null) {
                        throw new NoCRLException(
                            String.format(messages.getString(
                            "No_certificate_revocation_list_was_provided_to_perform_offline_revocation_check_of_the_certificate__%s"),
                            CertificateValidator.getCertificateName(certificate)));
                    }

                    // Add CRLs to perform offline revocation check.
                    parameters.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(certificateRevocationLists)));
                }

                // If it is necessary to verify OCSP responses offline,
                // validate recursively the certificate chain.
                if (ocspResponses != null && ocspResponses.size() > 0
                && path.getCertificates().size() > 1) {
                    validate(
                        issuerCertificate,
                        intermediateCertificates,
                        rootCertificates,
                        ocspResponses,
View Full Code Here

            ArrayList<X509Certificate> intermediateCertificates = new ArrayList<X509Certificate>();
            for (Certificate intermediateCertificate : chain) {
                intermediateCertificates.add((X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(intermediateCertificate.getEncoded())));
            }
            CertPath path = CertificateValidator.validate(
                signingCertificate,
                intermediateCertificates,
                rootCertificates,
                null, null, null, true);

            // Prepare structures to store certificates, OCSP responses and CRLs for this signature.
            ArrayList<X509Certificate> certificates = new ArrayList<X509Certificate>();
            ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
            ArrayList<BasicOCSPResp> ocspResponses = new ArrayList<BasicOCSPResp>();

            // Get OCSP response or CRL for each certificate.
            ArrayList<X509Certificate> pathCertificates = new ArrayList<X509Certificate>();
            for (Certificate certificate : path.getCertificates()) {
                pathCertificates.add((X509Certificate) certificate);
            }
            for (int i = 0; i < pathCertificates.size(); i++) {
                // Get current certificate.
                X509Certificate certificate = pathCertificates.get(i);
View Full Code Here

            pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
            pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
            pkixParams.setRevocationEnabled(false);
           
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            CertPath certPath = builder.build(pkixParams).getCertPath();
           
            // Now validate the CertPath (including CRL checking)
            if (enableRevocation) {
                List<X509CRL> crls = certRepo.getCRLs();
                if (!crls.isEmpty()) {
View Full Code Here

     * @throws WSSecurityException
     */
    public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
            throws WSSecurityException {
        InputStream in = new ByteArrayInputStream(data);
        CertPath path = null;
        try {
            path = getCertificateFactory().generateCertPath(in);
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                    "parseError");
        }
        List l = path.getCertificates();
        X509Certificate[] certs = new X509Certificate[l.size()];
        Iterator iterator = l.iterator();
        for (int i = 0; i < l.size(); i++) {
            certs[(reverse) ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next();
        }
View Full Code Here

            } else {
                list.add(certs[i]);
            }
        }
        try {
            CertPath path = getCertificateFactory().generateCertPath(list);
            return path.getEncoded();
        } catch (CertificateEncodingException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                    "encodeError");
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
View Full Code Here

    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {

        try {
            // Generate cert path
            java.util.List certList = java.util.Arrays.asList(certs);
            CertPath path = this.getCertificateFactory().generateCertPath(certList);

            // Use the certificates in the keystore as TrustAnchors
            PKIXParameters param = new PKIXParameters(this.keystore);

            // Do not check a revocation list
View Full Code Here

      Subject subject = getSubject();
      X509Certificate cert = clientCredential.getCertificate();
      if (SubjectCredentials.getPrincipal(subject, cert) == null) {
    throw new UnsupportedConstraintException("Missing principal");
      }
      CertPath chain =
    SubjectCredentials.getCertificateChain(subject, cert);
      if (chain == null) {
    throw new UnsupportedConstraintException(
        "Missing public credentials");
      }
View Full Code Here

  Map serverKeyTypes = new HashMap();
  List certPaths =
      SubjectCredentials.getCertificateChains(serverSubject);
  if (certPaths != null) {
      for (int i = certPaths.size(); --i >= 0; ) {
    CertPath chain = (CertPath) certPaths.get(i);
    X509Certificate cert = SubjectCredentials.firstX509Cert(chain);
    X500Principal principal = SubjectCredentials.getPrincipal(
        serverSubject, cert);
    if (principal != null) {
        Collection keyTypes =
View Full Code Here

TOP

Related Classes of java.security.cert.CertPath

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.