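/* Givens. (The "..." right-hand sides are placeholders left by the example's author.) */
InputStream trustStoreInput = ...
char[] password = ...
List<X509Certificate> chain = ...
Collection<X509CRL> crls = ...

/* Construct a valid path. */
// Trust anchors: only entries of this key store can terminate a path.
KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
anchors.load(trustStoreInput, password);

// Pin the target to the exact certificate under test (first element of the chain).
X509CertSelector target = new X509CertSelector();
target.setCertificate(chain.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);

// The supplied chain is only a pool of candidate certificates for the builder;
// trust still has to come from `anchors`.
CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
params.addCertStore(CertStore.getInstance("Collection", intermediates));

// CRLs are offered through a second store. PKIXParameters has revocation
// checking enabled by default and this example does not switch it off.
CertStoreParameters revoked = new CollectionCertStoreParameters(crls);
params.addCertStore(CertStore.getInstance("Collection", revoked));

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
/*
 * If build() returns successfully, the certificate is valid. More details
 * about the valid path can be obtained through the PKIXCertPathBuilderResult.
 * If no valid path can be found, a CertPathBuilderException is thrown.
 */
PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);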
/**
 * Returns a {@code CertPathBuilder} implementing the named algorithm.
 *
 * <p>No provider is named by the caller; the lookup is delegated to
 * {@code ENGINE}, and the provider it reports is recorded on the returned
 * builder.
 *
 * @param algorithm
 *            the name of the algorithm.
 * @return a builder for the requested algorithm.
 * @throws NullPointerException
 *             if the algorithm is {@code null}.
 * @throws NoSuchAlgorithmException
 *             if no installed provider can provide the algorithm.
 */
public static CertPathBuilder getInstance(String algorithm)
        throws NoSuchAlgorithmException {
    if (algorithm == null) {
        throw new NullPointerException("algorithm == null");
    }
    // The second argument (null) is passed through to the engine lookup unchanged.
    final Engine.SpiAndProvider located = ENGINE.getInstance(algorithm, null);
    final CertPathBuilderSpi implementation = (CertPathBuilderSpi) located.spi;
    return new CertPathBuilder(implementation, located.provider, algorithm);
}
// Excerpt: the `if` that pairs with the `else` below, the declaration of
// pkixParams, and the remainder of the method are not shown here.
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        // The builder's revocation checker is fetched so it can be attached to the
        // parameters below; how it is configured is not visible in this excerpt.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
            // Anchors come from the supplied key store. The empty selector places no
            // constraint on the target certificate.
            pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        } else {
            // Otherwise the default trust anchors are used, again with an empty selector.
            pkixParams = new PKIXBuilderParameters(defaultTrustAnchors, new X509CertSelector());
        // NOTE(review): presumably applies to both branches - confirm against the full source.
        pkixParams.addCertPathChecker(rc);
// Excerpt: braces and the catch clause around the `try` are not shown.
// The supplied chain is offered to the builder as a pool of candidate certificates.
final CertStore certificates = CertStore.getInstance( "Collection", new CollectionCertStoreParameters( Arrays.asList( chain ) ) );
final PKIXBuilderParameters parameters = new PKIXBuilderParameters( trustAnchors, selector );
// Validity is evaluated at validPointInTime rather than at the current time.
parameters.setDate( validPointInTime );
parameters.addCertStore( certificates );
// NOTE(review): revocation is not configured in the visible lines, so the
// PKIXParameters default (enabled) applies unless elided code changes it - confirm.
try
    // Presumably the "BC" provider is tried first and the default provider is the
    // fallback when that fails - TODO confirm against the full source.
    pathBuilder = CertPathBuilder.getInstance( "PKIX", "BC" );
    pathBuilder = CertPathBuilder.getInstance( "PKIX" );
final CertPathBuilderResult result = pathBuilder.build( parameters );
return result.getCertPath();
// Excerpt: several closing braces are not shown, so the nesting below is a best guess.
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
// The target is pinned to the first certificate of the presented chain.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(x509Certificates[0]);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector);
if(useCRLs) {
    params.addCertStore(crlStore);
} else {
    // Without CRLs revocation checking is switched off entirely. Unless OCSP is
    // enabled below, a revoked certificate that chains to an anchor still passes.
    Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)");
    params.setRevocationEnabled(false);
CertPathBuilderResult cpbr = cpb.build(params);
CertPath cp = cpbr.getCertPath();
// OCSP is opt-in: the property defaults to false when it is not set.
if(JiveGlobals.getBooleanProperty("ocsp.enable",false)) {
    Log.debug("ClientTrustManager: OCSP requested");
    params.addCertPathChecker(ocspChecker);
// The built path is validated again with the same parameters.
PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
X509Certificate trustedCert = cpvResult.getTrustAnchor().getTrustedCert();
if(trustedCert == null) {
// Excerpt: the opening `try {` and the body of the catch clause are not shown.
// The target is pinned to the first certificate of the list.
X509CertSelector certificateSelector = new X509CertSelector();
certificateSelector.setCertificate(certificateList.get(0));
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStoreReference.get(), certificateSelector);
// The presented certificates serve as the pool of candidate intermediates.
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificateList)));
// -1 leaves the certification path length unconstrained.
params.setMaxPathLength(-1);
// Revocation checking is on; the CRLs are supplied through the store added next.
params.setRevocationEnabled(true);
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlReference.get())));
LOG.debug("Validating certificate " + certificateSelector.getCertificate());
// Build the path, then validate it with the same parameters; either step
// signals failure by throwing.
CertPathBuilderResult builderResult = certPathBuilder.build(params);
certPathValidator.validate(builderResult.getCertPath(), params);
LOG.debug("Certificate " + certificateSelector.getCertificate() + " is valid");
} catch (GeneralSecurityException gse) {
// Excerpt: starts inside the method's throws clause and ends before the method does.
CertPathValidatorException, CertPathBuilderException, CertificateException {
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // The target is the last element of the chain array.
    certSelector.setCertificate(chain[chain.length - 1]);
    // null disables the selector's own certificate-validity date criterion.
    certSelector.setCertificateValid(null);
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // Revocation checking is switched off, so revocation status plays no part in
    // either the build or the validation below.
    parameters.setRevocationEnabled(false);
    CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
    CertPath certPath = pathResult.getCertPath();
    // The built path is validated with the same parameters; the anchor that
    // terminated the path is read from the result.
    PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
            .validate(certPath, parameters);
    X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
// Excerpt: the opening `try {` and the body of the catch clause are not shown.
X509CertSelector targetConstraints = new X509CertSelector();
// The target is selected by subject DN only, not by the exact certificate.
// NOTE(review): any certificate in the stores carrying that subject can satisfy
// the selector - confirm this is intended rather than setCertificate(certs[0]).
targetConstraints.setSubject(certs[0].getSubjectX500Principal());
PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints);
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs))));
// Revocation checking is switched off for both the build and the validation.
params.setRevocationEnabled(false);
CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
// The decision is delegated to isEV(), which is defined outside this excerpt.
return isEV(result);
} catch (Exception ex) {
X509CertSelector certSelector = new X509CertSelector();
// The target is selected by subject DN, not by the exact certificate object.
// NOTE(review): another certificate with the same subject in the stores would
// also match - confirm whether setCertificate(x509certificate) is wanted.
certSelector.setSubject(x509certificate.getSubjectX500Principal());
PKIXParameters params = new PKIXBuilderParameters(store,certSelector);
// Intermediate certificates are supplied explicitly as a collection store.
CertStore cstore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(icert1, icert2 /*, other certs... */)));
params.addCertStore(cstore);
// The algorithm name is taken from the JVM's configured default type instead of
// being fixed to "PKIX".
// Revocation is not configured in these lines, so the PKIXParameters default
// (enabled) applies to the build.
CertPathBuilder cpb = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType());
CertPath certPath = cpb.build(params).getCertPath();
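// Parse the encoded certificate that is to be checked.
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));

// Load the trust anchors. The stream source ("...") and the password literal are
// placeholders left by the example's author.
final KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream keyStoreStream = ...
// Fixed: the original passed the undeclared name `keyStoreStrem`.
trustStore.load(keyStoreStream, "your password".toCharArray());

// Step 1: build a path from the exact certificate to an anchor in the trust store.
// NOTE(review): PKIXBuilderParameters enables revocation checking by default and
// no CRL store is added here - confirm a revocation source is configured,
// otherwise this build step may fail.
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();

// Step 2: validate the built path with a separate parameter set.
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
validationParameters.setRevocationEnabled(true); // if you want to check CRL (true is already the default)
final X509CertSelector keyUsageSelector = new X509CertSelector();
// Index 0 is digitalSignature, index 1 nonRepudiation, index 2 keyEncipherment.
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);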
// Excerpt: the opening `try {` lines and some closing braces are not shown.
    // The builder is requested specifically from the provider registered as "BC".
    pathBuilder = CertPathBuilder.getInstance("PKIX", "BC");
} catch (Exception e) {
    throw new MessagingException("Error during the creation of the certpathbuilder.", e);
    // The target is pinned to the exact certificate.
    X509CertSelector xcs = new X509CertSelector();
    xcs.setCertificate(cert);
    PKIXBuilderParameters params = new PKIXBuilderParameters(trustedStore, xcs);
    params.addCertStore(store);
    // Revocation checking is switched off: the returned path shows chaining to an
    // anchor in trustedStore, not that its certificates are unrevoked.
    params.setRevocationEnabled(false);
    CertPathBuilderResult result = pathBuilder.build(params);
    return result.getCertPath();
} catch (CertPathBuilderException e) {
// Excerpt: the try block is not closed in the visible lines.
// The target is pinned to the exact certificate.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificate);
try {
    // createBuilderParameters is defined outside this excerpt.
    parameters = createBuilderParameters(trustStore, certSelector);
    // Whether revocation is checked is decided by the caller-supplied flag.
    parameters.setRevocationEnabled(revocationEnabled);
    builder = CertPathBuilder.getInstance("PKIX");
    // The result is discarded: returning normally means a path was found, and
    // failure is reported by an exception.
    builder.build(parameters);
// Excerpt: braces, the catch body and an enclosing loop over `i` are not shown.
try
    builderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
} catch (KeyStoreException ex)
// Additional certificates are offered to the builder as a collection store.
CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(otherCerts);
CertStore othersCertStore = CertStore.getInstance("Collection", ccsp);
builderParams.addCertStore(othersCertStore);
// NOTE(review): judging by the name this store carries intermediates and CRLs - confirm.
builderParams.addCertStore(intermCertsAndCrls[i]);
// Signature verification is directed to the configured provider.
builderParams.setSigProvider(this.signatureProvider);
builderRes = (PKIXCertPathBuilderResult) certPathBuilder.build(builderParams);
/**
 * Attempts to build a PKIX certification path for the first certificate of the
 * supplied array, using a copy of {@code baseParameters}.
 *
 * <p>All supplied certificates are offered to the builder as a collection store.
 * The build result is not inspected: returning normally means a path was built,
 * and failure is reported by exception. Because the parameters are a clone of
 * {@code baseParameters}, whatever that object configures is what applies here.
 *
 * @param x509Certificates the presented chain; element 0 is used as the target
 * @throws CertificateException if any {@code GeneralSecurityException} occurs
 *         while setting up or building the path
 */
protected void validatePath(X509Certificate[] x509Certificates) throws CertificateException {
    // NOTE(review): an empty array fails at index 0 with an unchecked exception
    // that the catch below does not cover - confirm callers reject empty chains.
    try {
        CollectionCertStoreParameters presented =
            new CollectionCertStoreParameters(Arrays.asList(x509Certificates));
        CertStore presentedStore = CertStore.getInstance("Collection", presented, pkixProvider);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", pkixProvider);

        // Work on copies so the shared base parameters are never modified.
        X509CertSelector leafSelector =
            (X509CertSelector) baseParameters.getTargetCertConstraints().clone();
        leafSelector.setCertificate(x509Certificates[0]);

        PKIXBuilderParameters buildParams = (PKIXBuilderParameters) baseParameters.clone();
        buildParams.addCertStore(presentedStore);
        buildParams.setTargetCertConstraints(leafSelector);

        PKIXCertPathValidatorResult outcome =
            (PKIXCertPathValidatorResult) builder.build(buildParams);
    } catch (GeneralSecurityException e) {
        throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
    }
}
} // closes the enclosing type, whose header lies outside this excerpt
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
// The target is the certificate stored under the alias "mykey" in myKeyStore.
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
// Revocation checking is on.
// NOTE(review): `cs` is the only store added here, so it presumably has to
// supply the CRLs as well - confirm.
cpp.setRevocationEnabled(true);
// At most 6 non-self-issued intermediate certificates are allowed in the path.
cpp.setMaxPathLength(6);
// Validity is evaluated at the current time.
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
// Excerpt: braces and intervening statements are not shown, so the extent of the
// `if`, `for` and `try` bodies cannot be determined from here.
if (attrCert.getHolder().getIssuer() != null)
    // The holder's certificate is located by serial number plus issuer name.
    X509CertSelector selector = new X509CertSelector();
    selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
    Principal[] principals = attrCert.getHolder().getIssuer();
    for (int i = 0; i < principals.length; i++)
        selector.setIssuer(((X500Principal)principals[i])
            .getEncoded());
        try
            // The builder is requested from the Bouncy Castle provider by name.
            builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
            // paramsBldr is prepared outside this excerpt.
            result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
            return result.getCertPath();
// Excerpt: `params` is prepared in lines that are not shown.
// The builder is requested from the Bouncy Castle provider by name.
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
// The target is pinned to the signing certificate.
// NOTE(review): how this selector reaches `params` is not visible here.
selector = new X509CertStoreSelector();
selector.setCertificate(signingCert);
// build() throws when no path exists, so the lines below run only on success.
List certs = builder.build(params).getCertPath().getCertificates();
validCerts.add(signingCert);
validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
// Excerpt: the `if` conditions that choose between the default and the named
// provider, and several closing braces, are not shown; nesting is a best guess.
    builder = CertPathBuilder.getInstance("PKIX");
    log.trace("Building certificate path using default security provider");
} else {
    builder = CertPathBuilder.getInstance("PKIX", securityProvider);
    log.trace("Building certificate path using security provider {}", securityProvider);
// Build the path first.
PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);
if (log.isDebugEnabled()) {
    logCertPathDebug(buildResult, untrustedCredential.getEntityCertificate());
    validator = CertPathValidator.getInstance("PKIX");
} else {
    validator = CertPathValidator.getInstance("PKIX", securityProvider);
// Then validate the built path with the same parameters.
validator.validate(buildResult.getCertPath(), params);
// Obtain the PKIX path builder, the PKIX path validator and the X.509
// certificate factory; no provider is named in any of the three lookups.
certPathBuilder = CertPathBuilder.getInstance("PKIX");
certPathValidator = CertPathValidator.getInstance("PKIX");
certificateFactory = CertificateFactory.getInstance("X.509");
/**
 * Returns a {@code CertPathBuilder} for the named algorithm, taken from the
 * provider registered under the given name.
 *
 * <p>The provider name is checked first; the resolved {@link Provider} is then
 * handed to the overload that accepts a provider instance.
 *
 * @param algorithm
 *            the name of the algorithm.
 * @param provider
 *            the name of the provider.
 * @return a builder for the requested algorithm.
 * @throws NoSuchAlgorithmException
 *             if the specified provider cannot provide the algorithm.
 * @throws NoSuchProviderException
 *             if no provider with the specified name can be found.
 * @throws NullPointerException
 *             if algorithm is {@code null}.
 * @throws IllegalArgumentException if {@code provider == null || provider.isEmpty()}
 */
public static CertPathBuilder getInstance(String algorithm, String provider)
        throws NoSuchAlgorithmException, NoSuchProviderException {
    final boolean providerNameMissing = (provider == null) || provider.isEmpty();
    if (providerNameMissing) {
        throw new IllegalArgumentException("provider == null || provider.isEmpty()");
    }
    final Provider resolved = Security.getProvider(provider);
    if (resolved != null) {
        return getInstance(algorithm, resolved);
    }
    // No provider is registered under the requested name.
    throw new NoSuchProviderException(provider);
}