@Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { throw new CertificateException(); }
private void checkRevoked(X509Certificate[] x509Certificates) throws CertificateException { for (X509Certificate cert : x509Certificates) { for (CRL crl : crls) { if (crl.isRevoked(cert)) { throw new CertificateException("Certificate revoked"); } } } } @Override
private void checkTrusted(String type, X509Certificate[] chain) throws CertificateException { X509Certificate cert = chain[0]; byte[] fingerprint = fingerprint(cert); boolean found = false; for (byte[] allowedFingerprint: fingerprints) { if (Arrays.equals(fingerprint, allowedFingerprint)) { found = true; break; } } if (!found) { throw new CertificateException( type + " certificate with unknown fingerprint: " + cert.getSubjectDN()); } }
public static KeyStore loadKeyStore(File certificateChainFile, File privateKeyFile, Optional<String> keyPassword) throws IOException, GeneralSecurityException { PrivateKey key = loadPrivateKey(privateKeyFile, keyPassword); List<X509Certificate> certificateChain = readCertificateChain(certificateChainFile); if (certificateChain.isEmpty()) { throw new CertificateException("Certificate file does not contain any certificates: " + certificateChainFile); } KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(null, null); keyStore.setKeyEntry("key", key, keyPassword.orElse("").toCharArray(), certificateChain.toArray(new Certificate[0])); return keyStore; }
@Override public void checkClient( X509Certificate[] chain, String authType, SSLEngine engine, X509ExtendedTrustManager baseTrustManager ) throws CertificateException { // only the integration test client with "thisisprobablynottherighthostname" cert is allowed to talk to me if (!chain[0].toString().contains("thisisprobablynottherighthostname") || !engine.getPeerHost().contains("172.172.172.1")) { throw new CertificateException("Custom check rejected request from client."); } }
static ByteBuf[] readCertificates(File file) throws CertificateException { try { InputStream in = new FileInputStream(file); try { return readCertificates(in); } finally { safeClose(in); } } catch (FileNotFoundException e) { throw new CertificateException("could not find certificate file: " + file); } }
@Override public void checkServer( X509Certificate[] chain, String authType, SSLEngine engine, X509ExtendedTrustManager baseTrustManager ) throws CertificateException { baseTrustManager.checkServerTrusted(chain, authType, engine); // fail intentionally when trying to talk to the broker if (chain[0].toString().contains("172.172.172.8")) { throw new CertificateException("Custom check intentionally terminated request to broker."); } } }
@Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { if (!trust.get()) { throw new CertificateException("Server certificate not trusted."); } tm.checkServerTrusted(chain, authType); }
/** {@inheritDoc} */ @Override public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { clientCheckCallCnt.incrementAndGet(); if (shouldFail) throw new CertificateException("Client check failed."); }
/** {@inheritDoc} */ @Override public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { srvCheckCallCnt.incrementAndGet(); if (shouldFail) throw new CertificateException("Server check failed."); }
@Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { if (!Arrays.equals(cert.getEncoded(), chain[0].getEncoded())) { throw new CertificateException("Server cert not trusted"); } } @Override
static ByteBuf[] readCertificates(File file) throws CertificateException { try { InputStream in = new FileInputStream(file); try { return readCertificates(in); } finally { safeClose(in); } } catch (FileNotFoundException e) { throw new CertificateException("could not find certificate file: " + file); } }
@Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { if (!Arrays.equals(cert.getEncoded(), chain[0].getEncoded())) { throw new CertificateException("Client cert not trusted"); } } @Override
@Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { x509ExtendedTrustManager.checkClientTrusted(chain, authType, engine); if (clientHostnameVerificationEnabled) { try { performHostVerification(InetAddress.getByName(engine.getPeerHost()), chain[0]); } catch (UnknownHostException e) { throw new CertificateException("Failed to verify host", e); } } }
@Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { x509ExtendedTrustManager.checkServerTrusted(chain, authType, engine); if (serverHostnameVerificationEnabled) { try { performHostVerification(InetAddress.getByName(engine.getPeerHost()), chain[0]); } catch (UnknownHostException e) { throw new CertificateException("Failed to verify host", e); } } }
@Override public final CertificateException notTrustedRealmProblem(final RealmUnavailableException e, final Principal principal) { final CertificateException result = new CertificateException(String.format(getLoggingLocale(), notTrustedRealmProblem$str(), principal), e); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String notTrusted = "ELY04004: Credential validation failed: certificate is not trusted for principal [%s]";
@Override public final CertificateException notTrusted(final Principal principal) { final CertificateException result = new CertificateException(String.format(getLoggingLocale(), notTrusted$str(), principal)); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String noDefaultTrustManager = "ELY04005: No default trust manager available";
private SSLEngineConfigurator buildSslEngineConfigurator(Path certFile, Path keyFile, String keyPassword) throws GeneralSecurityException, IOException { if (keyFile == null || !Files.isRegularFile(keyFile) || !Files.isReadable(keyFile)) { throw new InvalidKeyException("Unreadable or missing private key: " + keyFile); } if (certFile == null || !Files.isRegularFile(certFile) || !Files.isReadable(certFile)) { throw new CertificateException("Unreadable or missing X.509 certificate: " + certFile); } final SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator(); final char[] password = firstNonNull(keyPassword, "").toCharArray(); final KeyStore keyStore = PemKeyStore.buildKeyStore(certFile, keyFile, password); sslContextConfigurator.setKeyStorePass(password); sslContextConfigurator.setKeyStoreBytes(KeyStoreUtils.getBytes(keyStore, password)); final SSLContext sslContext = sslContextConfigurator.createSSLContext(true); return new SSLEngineConfigurator(sslContext, false, false, false); }
@Test(expected = CertificateValidationException.class) public void open_whenTrustedSocketFactoryThrowsSSLCertificateException_throwCertificateValidationException() throws Exception { when(mockTrustedSocketFactory.createSocket(null, host, port, null)).thenThrow( new SSLException(new CertificateException())); addSettingsForValidMockSocket(); settings.setAuthType(AuthType.PLAIN); Pop3Connection connection = new Pop3Connection(settings, mockTrustedSocketFactory); connection.open(); }
public X509Certificate generate(String dn, KeyPair keyPair) throws CertificateException { try { Security.addProvider(new BouncyCastleProvider()); AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam); X500Name name = new X500Name(dn); Date from = new Date(); Date to = new Date(from.getTime() + days * 86400000L); BigInteger sn = new BigInteger(64, new SecureRandom()); X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(name, sn, from, to, name, subPubKeyInfo); if (subjectAltName != null) v3CertGen.addExtension(Extension.subjectAlternativeName, false, subjectAltName); X509CertificateHolder certificateHolder = v3CertGen.build(sigGen); return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder); } catch (CertificateException ce) { throw ce; } catch (Exception e) { throw new CertificateException(e); } } }