MyX509TrustManager() throws java.security.GeneralSecurityException { TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); KeyStore ks = KeyStore.getInstance("JKS"); CertificateFactory cf = CertificateFactory.getInstance("X.509"); try { ks.load(null, null); File cacert = new File(cafile); if (!cacert.exists() || !cacert.canRead()) return; InputStream caStream = new FileInputStream(cafile); X509Certificate ca = (X509Certificate) cf.generateCertificate(caStream); ks.setCertificateEntry("CA", ca); PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector()); File crlcert = new File(crlfile); if (!crlcert.exists() || !crlcert.canRead()) { params.setRevocationEnabled(false); } else { InputStream crlStream = new FileInputStream(crlfile); Collection<? extends CRL> crls = cf.generateCRLs(crlStream); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); params.addCertStore(store); params.setRevocationEnabled(true); } tmf.init(new CertPathTrustManagerParameters(params)); } catch (java.io.FileNotFoundException e) { vlog.error(e.toString()); } catch (java.io.IOException e) { vlog.error(e.toString()); } tm = (X509TrustManager) tmf.getTrustManagers()[0]; }
/** * Return the initialization parameters for the TrustManager. Currently, only the default <code> * PKIX</code> is supported. * * @param algorithm The algorithm to get parameters for. * @param crlf The path to the CRL file. * @param trustStore The configured TrustStore. * @return The parameters including the CRLs and TrustStore. */ protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore) throws Exception { CertPathParameters params = null; if ("PKIX".equalsIgnoreCase(algorithm)) { PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); Collection crls = getCRLs(crlf); CertStoreParameters csp = new CollectionCertStoreParameters(crls); CertStore store = CertStore.getInstance("Collection", csp); xparams.addCertStore(store); xparams.setRevocationEnabled(true); String trustLength = (String) attributes.get("trustMaxCertLength"); if (trustLength != null) { try { xparams.setMaxPathLength(Integer.parseInt(trustLength)); } catch (Exception ex) { log.warn("Bad maxCertLength: " + trustLength); } } params = xparams; } else { throw new CRLException("CRLs not supported for type: " + algorithm); } return params; }
private X509Certificate[] doBuild(X509Certificate[] chain, Collection otherCerts) throws CertificateException { try { PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone(); setDate(params); // setup target constraints X509CertSelector selector = new X509CertSelector(); selector.setCertificate(chain[0]); params.setTargetCertConstraints(selector); // setup CertStores Collection certs = new ArrayList(); certs.addAll(Arrays.asList(chain)); if (otherCerts != null) { certs.addAll(otherCerts); } CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)); params.addCertStore(store); // do the build CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params); return toArray(result.getCertPath(), result.getTrustAnchor()); } catch (GeneralSecurityException e) { throw new ValidatorException("PKIX path building failed: " + e.toString(), e); } }
private void testExceptions() throws Exception { byte[] enc = {(byte) 0, (byte) 2, (byte) 3, (byte) 4, (byte) 5}; MyCertPath mc = new MyCertPath(enc); ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is; byte[] arr; ObjectOutputStream oOut = new ObjectOutputStream(os); oOut.writeObject(mc); oOut.flush(); oOut.close(); try { CertificateFactory cFac = CertificateFactory.getInstance("X.509", "BC"); arr = os.toByteArray(); is = new ByteArrayInputStream(arr); cFac.generateCertPath(is); } catch (CertificateException e) { // ignore okay } CertificateFactory cf = CertificateFactory.getInstance("X.509"); List certCol = new ArrayList(); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certA))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certB))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certC))); certCol.add(cf.generateCertificate(new ByteArrayInputStream(certD))); CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC"); X509CertSelector select = new X509CertSelector(); select.setSubject(((X509Certificate) certCol.get(0)).getSubjectX500Principal().getEncoded()); Set trustanchors = new HashSet(); trustanchors.add( new TrustAnchor( (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(rootCertBin)), null)); CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select); params.addCertStore(certStore); try { CertPathBuilderResult result = pathBuilder.build(params); CertPath path = result.getCertPath(); fail("found cert path in circular set"); } catch (CertPathBuilderException e) { // expected } }
/** * Build a path using the given root as the trust anchor, and the passed in end constraints and * certificate store. * * <p>Note: the path is built with revocation checking turned off. */ public static PKIXCertPathBuilderResult buildPath( X509Certificate rootCert, X509CertSelector endConstraints, CertStore certsAndCRLs) throws Exception { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PKIXBuilderParameters buildParams = new PKIXBuilderParameters( Collections.singleton(new TrustAnchor(rootCert, null)), endConstraints); buildParams.addCertStore(certsAndCRLs); buildParams.setRevocationEnabled(false); return (PKIXCertPathBuilderResult) builder.build(buildParams); }
private void validateChain(List<Certificate> chain, Certificate cert) { List<Certificate> certs = new ArrayList<Certificate>(); List<Certificate> root = new ArrayList<Certificate>(); Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(); certs.add(cert); // adding for self signed certs certs.addAll(chain); for (Certificate c : certs) { if (!(c instanceof X509Certificate)) throw new IllegalArgumentException("Invalid chain format. Expected X509 certificate"); X509Certificate xCert = (X509Certificate) c; Principal subject = xCert.getSubjectDN(); Principal issuer = xCert.getIssuerDN(); if (issuer != null && subject.equals(issuer)) { root.add(c); anchors.add(new TrustAnchor(xCert, null)); } } if (root.size() == 0) throw new IllegalArgumentException("No root certificates found for certificate chain", null); X509CertSelector target = new X509CertSelector(); target.setCertificate((X509Certificate) cert); PKIXBuilderParameters params = null; try { params = new PKIXBuilderParameters(anchors, target); params.setRevocationEnabled(false); params.addCertStore( CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs))); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); builder.build(params); } catch (InvalidAlgorithmParameterException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (CertPathBuilderException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException("Invalid certificate chain", e); } catch (NoSuchProviderException e) { throw new CloudRuntimeException("No provider for certificate validation", e); } }
private void checkCircProcessing() throws Exception { CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509Certificate caCert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCA)); X509Certificate crlCaCert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(circCRLCA)); X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(circCRL)); List list = new ArrayList(); list.add(caCert); list.add(crlCaCert); list.add(crl); CertStoreParameters ccsp = new CollectionCertStoreParameters(list); CertStore store = CertStore.getInstance("Collection", ccsp); Date validDate = new Date(crl.getThisUpdate().getTime() + 60 * 60 * 1000); // validating path List certchain = new ArrayList(); certchain.add(crlCaCert); CertPath cp = CertificateFactory.getInstance("X.509", "BC").generateCertPath(certchain); Set trust = new HashSet(); trust.add(new TrustAnchor(caCert, null)); CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC"); // PKIXParameters param = new PKIXParameters(trust); PKIXBuilderParameters param = new PKIXBuilderParameters(trust, null); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(crlCaCert); param.setTargetCertConstraints(certSelector); param.addCertStore(store); param.setRevocationEnabled(true); param.setDate(validDate); PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, param); }
PKIXValidator(String variant, PKIXBuilderParameters params) { super(TYPE_PKIX, variant); trustedCerts = new HashSet(); for (Iterator t = params.getTrustAnchors().iterator(); t.hasNext(); ) { TrustAnchor anchor = (TrustAnchor) t.next(); X509Certificate cert = anchor.getTrustedCert(); if (cert != null) { trustedCerts.add(cert); } } parameterTemplate = params; initCommon(); }
/** * Initialize the builder with the input parameters. * * @param params the parameter set used to build a certification path */ ReverseBuilder(PKIXBuilderParameters buildParams, X500Principal targetSubjectDN) { super(buildParams, targetSubjectDN); // Initialize date if not specified date = buildParams.getDate(); if (date == null) { date = new Date(); } targetCertSelector = (X509CertSelector) buildParams.getTargetCertConstraints(); Set initialPolicies = buildParams.getInitialPolicies(); initPolicies = new HashSet(); if (initialPolicies.isEmpty()) { // if no initialPolicies are specified by user, set // initPolicies to be anyPolicy by default initPolicies.add(PolicyChecker.ANY_POLICY); } else { Iterator i = initialPolicies.iterator(); while (i.hasNext()) { initPolicies.add(i.next()); } } }
// controlla che il certificato del firmatario sia affidabile controllando la sua catena di // certificati // valida il certificato X509 del firmatario usando il built-in PKIX support messo a disposizione // da java // caricando il keystore contenente i certificati degli enti certificatori autorizzati dallo stato // italiano private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer) throws FirmapiuException { // genera la lista di certificati da controllare per generare la catena dei certificati del // firmatario // TODO quali certificati carica esattamente? Collection<?> certCollection = certStore.getMatches(signer.getSID()); Iterator<?> certIt = certCollection.iterator(); X509CertificateHolder cert = (X509CertificateHolder) certIt.next(); List<X509Certificate> chain = new LinkedList<X509Certificate>(); JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider(this.bcProvName); try { X509Certificate x509cert = certConverter.getCertificate(cert); chain.add(x509cert); while (certIt.hasNext()) { x509cert = certConverter.getCertificate((X509CertificateHolder) certIt.next()); chain.add(x509cert); } } catch (CertificateException e) { new FirmapiuException(CERT_DEFAULT_ERROR, e); } // carica i certificati presenti nel token crittografico passato come parametro KeyStore anchors = this.token.loadKeyStore(null); X509CertSelector target = new X509CertSelector(); target.setCertificate(chain.get(0)); PKIXBuilderParameters params; CertPathBuilder builder; try { params = new PKIXBuilderParameters(anchors, target); // disabilita il controllo delle CRL params.setRevocationEnabled(false); // se il certificato è scaduto cerca di generare lo stesso la catena dei certificati try { X509Certificate x509cert = certConverter.getCertificate(cert); // long before=x509cert.getNotBefore().getTime(); long after = x509cert.getNotAfter().getTime(); after -= 10; params.setDate(new Date(after)); } catch (CertificateException e) { throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e); } CertStoreParameters intermediates = new CollectionCertStoreParameters(chain); params.addCertStore(CertStore.getInstance("Collection", intermediates)); params.setSigProvider(this.bcProvName); builder = CertPathBuilder.getInstance("PKIX", this.bcProvName); } catch (KeyStoreException | InvalidAlgorithmParameterException e) { throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e); } catch (NoSuchAlgorithmException | NoSuchProviderException e) { throw new FirmapiuException(DEFAULT_ERROR, e); } /* * If build() returns successfully, the certificate is valid. More details * about the valid path can be obtained through the PKIXBuilderResult. * If no valid path can be found, a CertPathBuilderException is thrown. */ try { return (PKIXCertPathBuilderResult) builder.build(params); } catch (CertPathBuilderException e) { throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e); } catch (InvalidAlgorithmParameterException e) { throw new FirmapiuException(DEFAULT_ERROR, e); } } // fine metodo
private X509Certificate[] doValidate(X509Certificate[] chain) throws CertificateException { PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone(); return doValidate(chain, params); }
/** Set the check date (for debugging). */ private void setDate(PKIXBuilderParameters params) { Date date = validationDate; if (date != null) { params.setDate(date); } }
X509Certificate[] engineValidate(X509Certificate[] chain, Collection otherCerts, Object parameter) throws CertificateException { if ((chain == null) || (chain.length == 0)) { throw new CertificateException("null or zero-length certificate chain"); } if (TRY_VALIDATOR) { // check that chain is in correct order and check if chain contains // trust anchor X500Principal prevIssuer = null; for (int i = 0; i < chain.length; i++) { X509Certificate cert = chain[i]; X500Principal dn = cert.getSubjectX500Principal(); if (i != 0 && !dn.equals(prevIssuer)) { // chain is not ordered correctly, call builder instead return doBuild(chain, otherCerts); } // Check if chain[i] is already trusted. It may be inside // trustedCerts, or has the same dn and public key as a cert // inside trustedCerts. The latter happens when a CA has // updated its cert with a stronger signature algorithm in JRE // but the weak one is still in circulation. if (trustedCerts.contains(cert) || // trusted cert (trustedSubjects.containsKey(dn) && // replacing ... trustedSubjects .get(dn) .contains( // ... weak cert cert.getPublicKey()))) { if (i == 0) { return new X509Certificate[] {chain[0]}; } // Remove and call validator on partial chain [0 .. i-1] X509Certificate[] newChain = new X509Certificate[i]; System.arraycopy(chain, 0, newChain, 0, i); return doValidate(newChain); } prevIssuer = cert.getIssuerX500Principal(); } // apparently issued by trust anchor? X509Certificate last = chain[chain.length - 1]; X500Principal issuer = last.getIssuerX500Principal(); X500Principal subject = last.getSubjectX500Principal(); if (trustedSubjects.containsKey(issuer) && isSignatureValid(trustedSubjects.get(issuer), last)) { return doValidate(chain); } // don't fallback to builder if called from plugin/webstart if (plugin) { // Validate chain even if no trust anchor is found. This // allows plugin/webstart to make sure the chain is // otherwise valid if (chain.length > 1) { X509Certificate[] newChain = new X509Certificate[chain.length - 1]; System.arraycopy(chain, 0, newChain, 0, newChain.length); // temporarily set last cert as sole trust anchor PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone(); try { params.setTrustAnchors( Collections.singleton(new TrustAnchor(chain[chain.length - 1], null))); } catch (InvalidAlgorithmParameterException iape) { // should never occur, but ... throw new CertificateException(iape); } doValidate(newChain, params); } // if the rest of the chain is valid, throw exception // indicating no trust anchor was found throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR); } // otherwise, fall back to builder } return doBuild(chain, otherCerts); }
/** * Set J2SE global default PKIX parameters. Currently, hardcoded to disable revocation checking. * In the future, this should be configurable. */ private void setDefaultParameters(String variant) { parameterTemplate.setRevocationEnabled(false); }