X509Certificate certToVerify = ... CertificateFactory cf = CertificateFactory.getInstance("X.509"); CertPath cp = cf.generateCertPath(Arrays .asList(new X509Certificate[] { certToVerify })); TrustAnchor trustAnchor = new TrustAnchor(caCert, null); CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXParameters pkixParams = new PKIXParameters( Collections.singleton(trustAnchor)); pkixParams.setRevocationEnabled(false); cpv.validate(cp, pkixParams);
/** * Returns a new certification path validator for the specified algorithm. * * @param algorithm * the algorithm name. * @return a certification path validator for the requested algorithm. * @throws NoSuchAlgorithmException * if no installed provider provides the specified algorithm. * @throws NullPointerException * if algorithm is {@code null}. */ public static CertPathValidator getInstance(String algorithm) throws NoSuchAlgorithmException { if (algorithm == null) { throw new NullPointerException("algorithm == null"); } Engine.SpiAndProvider sap = ENGINE.getInstance(algorithm, null); return new CertPathValidator((CertPathValidatorSpi) sap.spi, sap.provider, algorithm); }
try first.checkValidity(); if ( chain.length == 1 && first.getSubjectX500Principal().equals( first.getIssuerX500Principal() ) ) final CertStore cs = CertStore.getInstance( "Collection", new CollectionCertStoreParameters( allCerts ) ); final X509CertSelector selector = new X509CertSelector(); selector.setCertificate( first ); final PKIXBuilderParameters params = new PKIXBuilderParameters( store, selector ); params.addCertStore( cs ); params.setDate( new Date() ); params.setRevocationEnabled( false ); final CertPathBuilder pathBuilder = CertPathBuilder.getInstance( CertPathBuilder.getDefaultType() ); final CertPath cp = pathBuilder.build( params ).getCertPath(); final CertPathValidator pathValidator = CertPathValidator.getInstance( "PKIX" ); pathValidator.validate( cp, params );
CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(x509Certificates[0]); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector); if(useCRLs) { params.addCertStore(crlStore); } else { Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)"); params.setRevocationEnabled(false); CertPathBuilderResult cpbr = cpb.build(params); CertPath cp = cpbr.getCertPath(); if(JiveGlobals.getBooleanProperty("ocsp.enable",false)) { Log.debug("ClientTrustManager: OCSP requested"); params.addCertPathChecker(ocspChecker); PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params); X509Certificate trustedCert = cpvResult.getTrustAnchor().getTrustedCert(); if(trustedCert == null) {
certificate.checkValidity(); } catch (CertificateExpiredException e) { log.log(Level.SEVERE, "WSS1517.X509.expired", e); if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { return true; X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(certificate); parameters = new PKIXBuilderParameters(trustStore, certSelector); parameters.setRevocationEnabled(revocationEnabled); if (certStore != null) { parameters.addCertStore(certStore); } else { CertStore cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(certificate))); parameters.addCertStore(cs); CertificateFactory cf = CertificateFactory.getInstance("X.509"); certPath = cf.generateCertPath(certChainList); certValidator = CertPathValidator.getInstance("PKIX"); certValidator.validate(certPath, parameters); } catch (Exception e) { log.log(Level.SEVERE, "WSS1518.failedto.validate.certificate", e);
X509CertSelector certSelect = new X509CertSelector(); certSelect.setCertificate(certList.get(0)); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList))); pbParams.setMaxPathLength(_maxCertPathLength); pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls))); CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams); CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate ca; ByteArrayInputStream is = new ByteArrayInputStream(bytes); try { ca = (X509Certificate) cf.generateCertificate(is); Log.d(TAG, "ca=", ca.getSubjectDN()); } finally { is.close(); X509Certificate cert = chain[0]; cert.checkValidity(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ArrayList<X509Certificate> list = new ArrayList<X509Certificate>(); list.add(cert); CertPath cp = cf.generateCertPath(list); try { PKIXParameters params = new PKIXParameters(keyStore); params.setRevocationEnabled(false); // CLR is broken, remember? CertPathValidator cpv = CertPathValidator .getInstance(CertPathValidator.getDefaultType()); cpv.validate(cp, params); } catch (KeyStoreException e) { Log.d(TAG, "invalid key store", e);
cFact = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME); validator = CertPathValidator.getInstance("RFC3281", BouncyCastleProvider.PROVIDER_NAME); try certPath = cFact.generateCertPath(tbvPath); result = (PKIXCertPathValidatorResult) validator.validate( certPath, pkixParams); if (issuer.getIssuerX500Principal().equals( issuer.getSubjectX500Principal()))
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); List<X509Certificate> certs = Lists.newArrayList(); for (ByteString bytes : protoCerts.getCertificateList()) certs.add((X509Certificate) certificateFactory.generateCertificate(bytes.newInput())); CertPath path = certificateFactory.generateCertPath(certs); PKIXParameters params = new PKIXParameters(createKeyStore(trustStorePath)); params.setRevocationEnabled(false); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params); PublicKey publicKey = result.getPublicKey(); X500Principal principal = cert.getSubjectX500Principal(); final Iterator<List<?>> it = cert.getSubjectAlternativeNames().iterator(); List<?> list;
String issuerString = certs[0].getIssuerX500Principal().getName(); BigInteger issuerSerial = certs[0].getSerialNumber(); if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(certs[0])) { try { certs[0].checkValidity(); CertPathValidator validator = null; if (provider == null || provider.length() == 0) { validator = CertPathValidator.getInstance("PKIX"); } else { validator = CertPathValidator.getInstance("PKIX", provider); CertPath path = getCertificateFactory().generateCertPath(certList); validator.validate(path, param); CertPath path = getCertificateFactory().generateCertPath(certList); validator.validate(path, param);
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); final X509Certificate certificateToCheck = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes)); final KeyStore trustStore = KeyStore.getInstance("JKS"); InputStream keyStoreStream = ... trustStore.load(keyStoreStrem, "your password".toCharArray()); final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); final X509CertSelector certSelector = new X509CertSelector(); certSelector.setCertificate(certificateToCheck); final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector); final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters); final CertPath certPath = certPathBuilderResult.getCertPath(); final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX"); final PKIXParameters validationParameters = new PKIXParameters(trustStore); validationParameters.setRevocationEnabled(true); // if you want to check CRL final X509CertSelector keyUsageSelector = new X509CertSelector(); keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits validationParameters.setTargetCertConstraints(keyUsageSelector); final PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters); System.out.println(result);
CertificateFactory cf = CertificateFactory.getInstance("X.509"); List<Certificate> certx = new ArrayList<>(certChain.length); for (byte[] c : certChain) certx.add(cf.generateCertificate(new ByteArrayInputStream(c))); CertPath path = cf.generateCertPath(certx); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); KeyStore keystore = KeyStore.getInstance("JKS"); try (InputStream is = Files.newInputStream(Paths.get("cacerts.jks"))) { keystore.load(is, "changeit".toCharArray()); } Collection<? extends CRL> crls; try (InputStream is = Files.newInputStream(Paths.get("crls.p7c"))) { crls = cf.generateCRLs(is); } PKIXParameters params = new PKIXParameters(keystore); CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)); /* If necessary, specify the certificate policy or other requirements * with the appropriate params.setXXX() method. */ params.addCertStore(store); /* Validate will throw an exception on invalid chains. */ PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) validator.validate(path, params);
CollectionCertStoreParameters params = new CollectionCertStoreParameters(fullCertChain); try { CertStore store = CertStore.getInstance("Collection", params, Constants.BOUNCY_CASTLE_PROVIDER); .getInstance(Constants.X_509, Constants.BOUNCY_CASTLE_PROVIDER); CertPath certPath = fact.generateCertPath(certChain); TrustAnchor trustAnchor = new TrustAnchor(fullCertChain.get(fullCertChain.size() - 1), null); Set<TrustAnchor> trust = Collections.singleton(trustAnchor); .getInstance(Constants.ALGORITHM, Constants.BOUNCY_CASTLE_PROVIDER); PKIXParameters param = new PKIXParameters(trust); param.addCertPathChecker(pathChecker); param.setRevocationEnabled(false); param.addCertStore(store); param.setDate(new Date()); validator.validate(certPath, param); if (LOG.isInfoEnabled()) { LOG.info("Certificate path validated");
logger.info("verifying signature based on X509 public key " + signingcert.getSubjectDN().toString()); if (map.containsKey(CHECK_TIMESTAMPS) && Boolean.parseBoolean(map.getProperty(CHECK_TIMESTAMPS))) { signingcert.checkValidity(); logger.info("verifying revocation status via OSCP for X509 public key " + signingcert.getSubjectDN().toString()); X500Principal issuerX500Principal = signingcert.getIssuerX500Principal(); logger.info("certificate " + signingcert.getSubjectDN().toString() + " was issued by " + issuerX500Principal.getName() + ", attempting to retrieve certificate"); System.setProperty("com.sun.security.enableCRLDP", "true"); X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setCertificate(signingcert); PKIXParameters params = new PKIXParameters(GetTrustStore()); params.setRevocationEnabled(true); CertPath certPath = cf.generateCertPath(Arrays.asList(signingcert)); CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType()); CertPathValidatorResult result = certPathValidator.validate(certPath, params); try { PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result; CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType()); CertPathValidatorResult result = certPathValidator.validate(certPath, params);
String issuerString = certs[0].getIssuerX500Principal().getName(); BigInteger issuerSerial = certs[0].getSerialNumber(); if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(certs[0])) { LOG.debug( "Direct trust for certificate with {}", certs[0].getSubjectX500Principal().getName() CertPathValidator validator = null; if (provider == null || provider.length() == 0) { validator = CertPathValidator.getInstance("PKIX"); } else { validator = CertPathValidator.getInstance("PKIX", provider); PKIXParameters param = new PKIXParameters(set); param.setRevocationEnabled(enableRevocation); CertPath path = getCertificateFactory().generateCertPath(certList); validator.validate(path, param); } else { List<X509Certificate> certList = Arrays.asList(certs); CertPath path = getCertificateFactory().generateCertPath(certList); validator.validate(path, param);
X509CertSelector targetConstraints = new X509CertSelector(); targetConstraints.setSubject(certs[0].getSubjectX500Principal()); PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints); params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs)))); params.setRevocationEnabled(false); CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath(); PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params); return isEV(result); } catch (Exception ex) { X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal(); System.out.println("[Debug] Found root DN: "+root.getName()); String policy = policies.get(root);
@Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { // TODO Auto-generated method stub List<X509Certificate> certs = new ArrayList<X509Certificate>(); for (X509Certificate certificate : chain) { certificate.checkValidity(); certs.add(certificate); } CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(certs); try { CertPathValidatorResult result = validator.validate(cp, parameters); System.out.println(result); } catch (CertPathValidatorException e) { // e.printStackTrace(); throw new CertificateException(e); } catch (InvalidAlgorithmParameterException e) { // e.printStackTrace(); throw new CertificateException(e); } }
private void validateNoCache(List<? extends X509Certificate> certs) throws SignatureException { try { CertPathValidator validator = CertPathValidator.getInstance( VALIDATOR_TYPE); PKIXParameters params = new PKIXParameters(trustRoots); params.addCertPathChecker(WAVE_OID_CHECKER); params.setDate(timeSource.now()); // turn off default revocation-checking mechanism params.setRevocationEnabled(false); // TODO: add a way for clients to add certificate revocation checks, // perhaps by letting them pass in PKIXCertPathCheckers. This can also be // useful to check for Wave-specific certificate extensions. CertificateFactory certFactory = CertificateFactory.getInstance( CERTIFICATE_TYPE); CertPath certPath = certFactory.generateCertPath(certs); validator.validate(certPath, params); } catch (GeneralSecurityException e) { throw new SignatureException("Certificate validation failure", e); } }
PKIXParameters params = new PKIXParameters(trustAnchors); CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker(); rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL, PKIXRevocationChecker.Option.PREFER_CRLS)); params.addCertPathChecker(rc); CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); CertPath certPath = certFactory.generateCertPath(certs); return cert; } else { params = new PKIXParameters(trustAnchors); cpv = CertPathValidator.getInstance("PKIX"); rc = (PKIXRevocationChecker) cpv.getRevocationChecker(); rc.setOptions(Collections.emptySet()); params.setRevocationEnabled(false);
aCertificate.checkValidity (); final PKIXParameters aPKIXParams = new PKIXParameters (m_aKeyStore); aPKIXParams.setRevocationEnabled (false); final CertificateFactory aCertificateFactory = CertificateHelper.getX509CertificateFactory (); final CertPath aCertPath = aCertificateFactory.generateCertPath (new CommonsArrayList <> (aCertArray)); final CertPathValidator aPathValidator = CertPathValidator.getInstance ("PKIX"); aPathValidator.validate (aCertPath, aPKIXParams); final PublicKey aPublicKey = aCertificate.getPublicKey ();