Java Code Examples for java.security.cert.PKIXBuilderParameters#setMaxPathLength()
The following examples show how to use
java.security.cert.PKIXBuilderParameters#setMaxPathLength() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: SSLUtilBase.java From Tomcat8-Source-Read with MIT License | 6 votes |
|
/**
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
*
* @param crlf The path to the CRL file.
* @param trustStore The configured TrustStore.
* @param revocationEnabled Should the JSSE provider perform revocation
* checks? Ignored if {@code crlf} is non-null.
* Configuration of revocation checks are expected
* to be via proprietary JSSE provider methods.
* @return The parameters including the CRLs and TrustStore.
* @throws Exception An error occurred
*/
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
boolean revocationEnabled) throws Exception {
PKIXBuilderParameters xparams =
new PKIXBuilderParameters(trustStore, new X509CertSelector());
if (crlf != null && crlf.length() > 0) {
Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
} else {
xparams.setRevocationEnabled(revocationEnabled);
}
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
return xparams;
}
Example 2
| Source File: SSLUtils.java From ssltest with Apache License 2.0 | 6 votes |
|
/**
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
*
* @param algorithm The algorithm to get parameters for.
* @param crlFilename The path to the CRL file.
* @param maxCertificateChainLength Optional maximum cert chain length.
* @param trustStore The configured TrustStore.
*
* @return The parameters including the TrustStore and any CRLs.
*
* @throws InvalidAlgorithmParameterException
* @throws KeyStoreException
* @throws IOException
* @throws CertificateException
* @throws CRLException
* @throws NoSuchAlgorithmException
*/
protected static CertPathParameters getParameters(String algorithm,
String crlFilename,
Integer maxCertificateChainLength,
KeyStore trustStore)
throws KeyStoreException, InvalidAlgorithmParameterException, CRLException, CertificateException, IOException, NoSuchAlgorithmException
{
CertPathParameters params = null;
if("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams =
new PKIXBuilderParameters(trustStore, new X509CertSelector());
Collection<? extends CRL> crls = getCRLs(crlFilename);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
if(maxCertificateChainLength != null)
xparams.setMaxPathLength(maxCertificateChainLength.intValue());
params = xparams;
} else {
throw new CRLException("CRLs not supported for type: " + algorithm);
}
return params;
}
Example 3
| Source File: KeyManagementUtils.java From cxf with Apache License 2.0 | 6 votes |
|
private static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts, boolean enableRevocation) {
// Initial chain validation, to be enhanced as needed
try {
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(inCerts.get(0));
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection",
new CollectionCertStoreParameters(inCerts)));
pbParams.setMaxPathLength(-1);
pbParams.setRevocationEnabled(false);
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
pbParams.setRevocationEnabled(enableRevocation);
CertPath certPath = buildResult.getCertPath();
CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
} catch (Exception ex) {
LOG.warning("Certificate path validation error");
throw new JoseException(ex);
}
}
Example 4
| Source File: JSSESocketFactory.java From Tomcat7.0.67 with Apache License 2.0 | 5 votes |
|
/**
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
*
* @param algorithm The algorithm to get parameters for.
* @param crlf The path to the CRL file.
* @param trustStore The configured TrustStore.
* @return The parameters including the CRLs and TrustStore.
*/
protected CertPathParameters getParameters(String algorithm,
String crlf,
KeyStore trustStore)
throws Exception {
CertPathParameters params = null;
if("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams =
new PKIXBuilderParameters(trustStore, new X509CertSelector());
Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
String trustLength = endpoint.getTrustMaxCertLength();
if(trustLength != null) {
try {
xparams.setMaxPathLength(Integer.parseInt(trustLength));
} catch(Exception ex) {
log.warn("Bad maxCertLength: "+trustLength);
}
}
params = xparams;
} else {
throw new CRLException("CRLs not supported for type: "+algorithm);
}
return params;
}
Example 5
| Source File: JSSESocketFactory.java From tomcatsrc with Apache License 2.0 | 5 votes |
|
/**
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
*
* @param algorithm The algorithm to get parameters for.
* @param crlf The path to the CRL file.
* @param trustStore The configured TrustStore.
* @return The parameters including the CRLs and TrustStore.
*/
protected CertPathParameters getParameters(String algorithm,
String crlf,
KeyStore trustStore)
throws Exception {
CertPathParameters params = null;
if("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams =
new PKIXBuilderParameters(trustStore, new X509CertSelector());
Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
String trustLength = endpoint.getTrustMaxCertLength();
if(trustLength != null) {
try {
xparams.setMaxPathLength(Integer.parseInt(trustLength));
} catch(Exception ex) {
log.warn("Bad maxCertLength: "+trustLength);
}
}
params = xparams;
} else {
throw new CRLException("CRLs not supported for type: "+algorithm);
}
return params;
}
Example 6
| Source File: CertPathPKIXTrustEvaluator.java From lams with GNU General Public License v2.0 | 4 votes |
|
/**
* Creates the set of PKIX builder parameters to use when building the cert path builder.
*
* @param validationInfo PKIX validation information
* @param untrustedCredential credential to be validated
*
* @return PKIX builder params
*
* @throws GeneralSecurityException thrown if the parameters can not be created
*/
protected PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation validationInfo,
X509Credential untrustedCredential) throws GeneralSecurityException {
Set<TrustAnchor> trustAnchors = getTrustAnchors(validationInfo);
if (trustAnchors == null || trustAnchors.isEmpty()) {
throw new GeneralSecurityException(
"Unable to validate X509 certificate, no trust anchors found in the PKIX validation information");
}
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(untrustedCredential.getEntityCertificate());
log.trace("Adding trust anchors to PKIX validator parameters");
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);
Integer effectiveVerifyDepth = getEffectiveVerificationDepth(validationInfo);
log.trace("Setting max verification depth to: {} ", effectiveVerifyDepth);
params.setMaxPathLength(effectiveVerifyDepth);
CertStore certStore = buildCertStore(validationInfo, untrustedCredential);
params.addCertStore(certStore);
boolean isForceRevocationEnabled = false;
boolean forcedRevocation = false;
boolean policyMappingInhibited = false;
boolean anyPolicyInhibited = false;
Set<String> initialPolicies = null;
if (options instanceof CertPathPKIXValidationOptions) {
CertPathPKIXValidationOptions certpathOptions = (CertPathPKIXValidationOptions) options;
isForceRevocationEnabled = certpathOptions.isForceRevocationEnabled();
forcedRevocation = certpathOptions.isRevocationEnabled();
policyMappingInhibited = certpathOptions.isPolicyMappingInhibited();
anyPolicyInhibited = certpathOptions.isAnyPolicyInhibited();
initialPolicies = certpathOptions.getInitialPolicies();
}
if (isForceRevocationEnabled) {
log.trace("PKIXBuilderParameters#setRevocationEnabled is being forced to: {}", forcedRevocation);
params.setRevocationEnabled(forcedRevocation);
} else {
if (storeContainsCRLs(certStore)) {
log.trace("At least one CRL was present in cert store, enabling revocation checking");
params.setRevocationEnabled(true);
} else {
log.trace("No CRLs present in cert store, disabling revocation checking");
params.setRevocationEnabled(false);
}
}
params.setPolicyMappingInhibited(policyMappingInhibited);
params.setAnyPolicyInhibited(anyPolicyInhibited);
if (initialPolicies != null && !initialPolicies.isEmpty()) {
log.debug("PKIXBuilderParameters#setInitialPolicies is being set to: {}", initialPolicies.toString());
params.setInitialPolicies(initialPolicies);
params.setExplicitPolicyRequired(true);
}
log.trace("PKIXBuilderParameters successfully created: {}", params.toString());
return params;
}
Example 7
| Source File: CertificateValidator.java From IoTgo_Android_App with MIT License | 4 votes |
|
public void validate(Certificate[] certChain) throws CertificateException
{
try
{
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
for (Certificate item : certChain)
{
if (item == null)
continue;
if (!(item instanceof X509Certificate))
{
throw new IllegalStateException("Invalid certificate type in chain");
}
certList.add((X509Certificate)item);
}
if (certList.isEmpty())
{
throw new IllegalStateException("Invalid certificate chain");
}
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(certList.get(0));
// Configure certification path builder parameters
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
// Set maximum certification path length
pbParams.setMaxPathLength(_maxCertPathLength);
// Enable revocation checking
pbParams.setRevocationEnabled(true);
// Set static Certificate Revocation List
if (_crls != null && !_crls.isEmpty())
{
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
}
// Enable On-Line Certificate Status Protocol (OCSP) support
if (_enableOCSP)
{
Security.setProperty("ocsp.enable","true");
}
// Enable Certificate Revocation List Distribution Points (CRLDP) support
if (_enableCRLDP)
{
System.setProperty("com.sun.security.enableCRLDP","true");
}
// Build certification path
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
// Validate certification path
CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
}
catch (GeneralSecurityException gse)
{
LOG.debug(gse);
throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
}
}
Example 8
| Source File: CertificateValidator.java From IoTgo_Android_App with MIT License | 4 votes |
|
public void validate(Certificate[] certChain) throws CertificateException
{
try
{
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
for (Certificate item : certChain)
{
if (item == null)
continue;
if (!(item instanceof X509Certificate))
{
throw new IllegalStateException("Invalid certificate type in chain");
}
certList.add((X509Certificate)item);
}
if (certList.isEmpty())
{
throw new IllegalStateException("Invalid certificate chain");
}
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(certList.get(0));
// Configure certification path builder parameters
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
// Set maximum certification path length
pbParams.setMaxPathLength(_maxCertPathLength);
// Enable revocation checking
pbParams.setRevocationEnabled(true);
// Set static Certificate Revocation List
if (_crls != null && !_crls.isEmpty())
{
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
}
// Enable On-Line Certificate Status Protocol (OCSP) support
if (_enableOCSP)
{
Security.setProperty("ocsp.enable","true");
}
// Enable Certificate Revocation List Distribution Points (CRLDP) support
if (_enableCRLDP)
{
System.setProperty("com.sun.security.enableCRLDP","true");
}
// Build certification path
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
// Validate certification path
CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
}
catch (GeneralSecurityException gse)
{
LOG.debug(gse);
throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
}
}
Example 9
| Source File: CertificateValidator.java From WebSocket-for-Android with Apache License 2.0 | 4 votes |
|
public void validate(Certificate[] certChain) throws CertificateException
{
try
{
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
for (Certificate item : certChain)
{
if (item == null)
continue;
if (!(item instanceof X509Certificate))
{
throw new IllegalStateException("Invalid certificate type in chain");
}
certList.add((X509Certificate)item);
}
if (certList.isEmpty())
{
throw new IllegalStateException("Invalid certificate chain");
}
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(certList.get(0));
// Configure certification path builder parameters
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
// Set maximum certification path length
pbParams.setMaxPathLength(_maxCertPathLength);
// Enable revocation checking
pbParams.setRevocationEnabled(true);
// Set static Certificate Revocation List
if (_crls != null && !_crls.isEmpty())
{
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
}
// Enable On-Line Certificate Status Protocol (OCSP) support
if (_enableOCSP)
{
Security.setProperty("ocsp.enable","true");
}
// Enable Certificate Revocation List Distribution Points (CRLDP) support
if (_enableCRLDP)
{
System.setProperty("com.sun.security.enableCRLDP","true");
}
// Build certification path
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
// Validate certification path
CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
}
catch (GeneralSecurityException gse)
{
LOG.debug(gse);
throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
}
}
Example 10
| Source File: CertificateValidator.java From cloudhopper-commons with Apache License 2.0 | 4 votes |
|
public void validate(Certificate[] certChain) throws CertificateException {
try {
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
for (Certificate item : certChain) {
if (item == null) continue;
if (!(item instanceof X509Certificate)) {
throw new IllegalStateException("Invalid certificate type in chain");
}
certList.add((X509Certificate)item);
}
if (certList.isEmpty()) {
throw new IllegalStateException("Invalid certificate chain");
}
X509CertSelector certSelect = new X509CertSelector();
certSelect.setCertificate(certList.get(0));
// Configure certification path builder parameters
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, certSelect);
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
// Set maximum certification path length
pbParams.setMaxPathLength(maxCertPathLength);
// Enable revocation checking
pbParams.setRevocationEnabled(true);
// Set static Certificate Revocation List
if (crls != null && !crls.isEmpty()) {
pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
}
// Enable On-Line Certificate Status Protocol (OCSP) support
if (enableOCSP) {
Security.setProperty("ocsp.enable","true");
}
// Enable Certificate Revocation List Distribution Points (CRLDP) support
if (enableCRLDP) {
System.setProperty("com.sun.security.enableCRLDP","true");
}
// Build certification path
CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
// Validate certification path
CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
} catch (GeneralSecurityException gse) {
logger.debug("", gse);
throw new CertificateException("Unable to validate certificate: " + gse.getMessage(), gse);
}
}
