try { CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
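/**
 * Builds PKIX trust-manager parameters that verify revocation against a single,
 * explicitly configured OCSP responder.
 *
 * <p>The returned parameters use {@code trustStore} for the trust anchors and attach a
 * {@link PKIXRevocationChecker} that queries {@code url} only. Because {@code SOFT_FAIL}
 * is not set, a certificate whose status cannot be obtained from that responder fails
 * path validation (fail closed). When {@code certAlias} is set, the certificate stored
 * under that alias is used to verify the responder's signed replies.
 *
 * @param trustStore key store holding the trust anchors; must contain at least one
 *     trusted certificate entry, otherwise {@link PKIXBuilderParameters} rejects it
 * @param defaultTrustAnchors not used by this implementation; the trust store alone
 *     defines the anchors
 * @return parameters suitable for {@code TrustManagerFactory.init(ManagerFactoryParameters)}
 * @throws IllegalArgumentException if {@code url} or {@code trustStore} is missing, or
 *     {@code url} is not a syntactically valid URI
 * @throws IllegalStateException if {@code certAlias} does not name a certificate entry,
 *     or the PKIX provider cannot build the parameters
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // OCSP is the checker's default mechanism. NO_FALLBACK stops it from silently
        // switching to CRLs when the responder is unreachable, so the configured
        // responder is the only source of revocation status.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url was verified non-null by checkArgument above; the former inner null
        // check was unreachable.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            // Only a trusted-certificate entry is acceptable as the responder's signing
            // certificate; a private-key entry under the same alias is rejected.
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (URISyntaxException e) {
        // A malformed responder URL is a configuration error, not a runtime failure.
        throw new IllegalArgumentException(
                "tls:custom-ocsp-responder: invalid 'url' attribute: " + url, e);
    } catch (GeneralSecurityException e) {
        throw new IllegalStateException(
                "tls:custom-ocsp-responder: cannot build PKIX revocation parameters", e);
    }
}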
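// Load the trust store. try-with-resources closes the stream even when load() throws;
// the original left the FileInputStream open.
KeyStore ts = KeyStore.getInstance("JKS");
try (FileInputStream tfis = new FileInputStream(trustStorePath)) {
    ts.load(tfis, trustStorePass.toCharArray());
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

// Initialize certification path checking for the offered certificates and
// revocation checks against CRLs.
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(
        PKIXRevocationChecker.Option.PREFER_CRLS,     // prefer CRL over OCSP
        PKIXRevocationChecker.Option.ONLY_END_ENTITY, // intermediate CA certs are not checked
        PKIXRevocationChecker.Option.SOFT_FAIL,       // handshake should not fail when the CRL is
                                                      // not available, so an unreachable CRL
                                                      // distribution point is accepted silently
        PKIXRevocationChecker.Option.NO_FALLBACK));   // don't fall back to OCSP checking
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ts, new X509CertSelector());
pkixParams.addCertPathChecker(rc);
tmf.init(new CertPathTrustManagerParameters(pkixParams));

// TODO: init KeyManagerFactory with the server's key store, kmf.init(keyStore, keyPassword),
// before getKeyManagers() is called; an uninitialized factory throws IllegalStateException.
SSLContext ctx = SSLContext.getInstance("TLS");
// Fixed: the original read kmf.getKeyManagers) and did not compile.
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);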
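/**
 * Builds the trust managers for a TLS connection.
 *
 * <p>When {@code trustedCertificates} is given it is parsed as a PEM bundle of CA
 * certificates, loaded into the key store obtained from {@code keyStoreSupplier} and used
 * as the only trust anchors; no revocation checking is configured on that path. Otherwise
 * {@code DEFAULT_CA_KEYSTORE} supplies the anchors and a PKIX revocation checker with its
 * default options is attached (OCSP preferred, CRL fallback, and hard failure when the
 * status cannot be determined because {@code SOFT_FAIL} is not set).
 *
 * @param trustedCertificates PEM-encoded CA certificates, or {@code null} to trust the
 *     default CA key store
 * @param keyStoreSupplier supplies a loaded key store that receives the custom CA
 *     certificates; only consulted when {@code trustedCertificates} is non-null
 * @return the trust managers of the initialized factory
 * @throws CertificateException if the PEM bundle cannot be parsed or contains no certificates
 * @throws KeyStoreException if a certificate cannot be stored (e.g. the supplied key store
 *     has not been loaded)
 * @throws NoSuchAlgorithmException if the PKIX trust-manager or cert-path algorithm is
 *     unavailable
 * @throws InvalidAlgorithmParameterException if the default CA key store holds no trusted
 *     certificate entries
 */
static TrustManager[] newTrustManager(@Nullable final String trustedCertificates,
        final Supplier<KeyStore> keyStoreSupplier)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final javax.net.ssl.TrustManagerFactory trustManagerFactory =
            javax.net.ssl.TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates != null) {
        final KeyStore keystore = keyStoreSupplier.get();
        // PEM is ASCII-only; any other byte is a malformed bundle rather than a charset issue.
        final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
        final Collection<? extends Certificate> caCerts =
                X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
        // An empty bundle would initialize the factory with no trust anchors, and every
        // handshake would then fail with an obscure validation error; fail fast instead.
        if (caCerts.isEmpty()) {
            throw new CertificateException("trustedCertificates contains no certificates");
        }
        long cnt = 0;
        for (final Certificate caCert : caCerts) {
            keystore.setCertificateEntry("ca-" + cnt++, caCert);
        }
        trustManagerFactory.init(keystore);
        // TODO: consider adding cert revocation checker if AWS-IoT has OCSP/CRL.
    } else {
        // standard CAs; add revocation check with the checker's default options
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
    }
    return trustManagerFactory.getTrustManagers();
}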
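/**
 * Builds the trust managers for a TLS connection.
 *
 * <p>With a non-null {@code trustedCertificates} the string is parsed as a PEM bundle of
 * CA certificates, each entry is stored in the key store from {@code keyStoreSupplier}
 * under the alias {@code ca-<n>}, and that key store becomes the sole set of trust anchors;
 * revocation is not checked on this path. With {@code null}, {@code DEFAULT_CA_KEYSTORE}
 * is used together with a PKIX revocation checker in its default configuration (OCSP
 * first, CRL fallback, hard failure on an undeterminable status since {@code SOFT_FAIL}
 * is not enabled).
 *
 * @param trustedCertificates PEM-encoded CA certificates, or {@code null} for the default
 *     CA key store
 * @param keyStoreSupplier supplies a loaded key store for the custom CA certificates; used
 *     only when {@code trustedCertificates} is non-null
 * @return the trust managers of the initialized factory
 * @throws CertificateException if the PEM bundle cannot be parsed or yields no certificates
 * @throws KeyStoreException if a certificate cannot be stored in the supplied key store
 * @throws NoSuchAlgorithmException if the PKIX algorithm is unavailable
 * @throws InvalidAlgorithmParameterException if the default CA key store has no trusted
 *     certificate entries
 */
static TrustManager[] newTrustManager(@Nullable final String trustedCertificates,
        final Supplier<KeyStore> keyStoreSupplier)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final javax.net.ssl.TrustManagerFactory trustManagerFactory =
            javax.net.ssl.TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates == null) {
        // standard CAs; add revocation check with the checker's default options
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
        return trustManagerFactory.getTrustManagers();
    }
    final KeyStore keystore = keyStoreSupplier.get();
    // PEM is ASCII-only; non-ASCII input is a malformed bundle, not a charset problem.
    final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
    final Collection<? extends Certificate> caCerts =
            X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
    // Refuse an empty bundle: a factory with no trust anchors rejects every peer with an
    // obscure handshake error, which hides the real misconfiguration.
    if (caCerts.isEmpty()) {
        throw new CertificateException("trustedCertificates contains no certificates");
    }
    long cnt = 0;
    for (final Certificate caCert : caCerts) {
        keystore.setCertificateEntry("ca-" + cnt++, caCert);
    }
    trustManagerFactory.init(keystore);
    // TODO: consider adding cert revocation checker if AWS-IoT has OCSP/CRL.
    return trustManagerFactory.getTrustManagers();
}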
try { CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
// Obtain the builder's revocation checker. The cast assumes cpb was created with
// CertPathBuilder.getInstance("PKIX") (not shown here) — the PKIX builder's checker is a
// PKIXRevocationChecker; other providers' builders may return a different type.
// The checker only takes effect once it is added to the PKIXParameters via addCertPathChecker().
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
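/**
 * Builds PKIX trust-manager parameters whose revocation checking is bound to one
 * explicitly configured OCSP responder.
 *
 * <p>Trust anchors come from {@code trustStore}; a {@link PKIXRevocationChecker} that
 * queries {@code url} only is attached. {@code SOFT_FAIL} is deliberately not set, so a
 * certificate whose status cannot be obtained from that responder fails validation. If
 * {@code certAlias} is configured, the certificate under that alias is used to verify the
 * responder's signed replies.
 *
 * @param trustStore key store with at least one trusted certificate entry (required by
 *     {@link PKIXBuilderParameters})
 * @param defaultTrustAnchors ignored; the trust store alone defines the anchors
 * @return parameters for {@code TrustManagerFactory.init(ManagerFactoryParameters)}
 * @throws IllegalArgumentException if {@code url} or {@code trustStore} is missing, or
 *     {@code url} is not a valid URI
 * @throws IllegalStateException if {@code certAlias} is not a certificate entry, or the
 *     PKIX provider cannot build the parameters
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        final CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        final PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // NO_FALLBACK pins revocation status to the configured responder: the checker's
        // default mechanism is OCSP and it will not quietly fall back to CRLs.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url is already known to be non-null (checkArgument above), so the former
        // `if (url != null)` guard was dead code.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            // The responder's signing certificate must be a trusted-certificate entry.
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException("Key with alias \"" + certAlias + "\" was not found");
            }
            rc.setOcspResponderCert((X509Certificate) trustStore.getCertificate(certAlias));
        }
        final PKIXBuilderParameters pkixParams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (URISyntaxException e) {
        // Malformed responder URL is a configuration error; keep the cause attached.
        throw new IllegalArgumentException(
                "tls:custom-ocsp-responder: invalid 'url' attribute: " + url, e);
    } catch (GeneralSecurityException e) {
        throw new IllegalStateException(
                "tls:custom-ocsp-responder: cannot build PKIX revocation parameters", e);
    }
}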
// Obtain the PKIX revocation checker (cast assumes cpb is a "PKIX" CertPathBuilder).
// With only NO_FALLBACK set, the checker uses its default mechanism (OCSP) and never
// consults CRLs; because SOFT_FAIL is absent, an unreachable responder or an
// undeterminable status makes path validation fail rather than pass silently.
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker(); rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
// Revocation checker in its default configuration unless setOptions() is called later
// (not visible here): OCSP preferred, CRL fallback, hard failure when status is unknown.
// The cast assumes certPathBuilder is a "PKIX" CertPathBuilder.
PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
// Provider-supplied revocation checker; must still be registered with the PKIXParameters
// through addCertPathChecker() to participate in validation. The cast assumes
// certPathBuilder was obtained for the "PKIX" algorithm.
PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();