Log.debug("ClientTrustManager: OCSP requested"); OCSPChecker ocspChecker = new OCSPChecker(cp,params); params.addCertPathChecker(ocspChecker);
pkixParams.addCertPathChecker(rc);
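/**
 * Builds trust-manager parameters that validate peer chains against {@code trustStore}
 * and check revocation via a single, explicitly configured OCSP responder.
 *
 * <p>Security properties of the resulting checker:
 * <ul>
 *   <li>{@code NO_FALLBACK}: only OCSP is consulted, never CRLs, so revocation state
 *       comes from the configured responder alone.</li>
 *   <li>{@code SOFT_FAIL} is deliberately NOT set, so an unreachable responder or an
 *       unverifiable response makes path validation fail (fail closed).</li>
 *   <li>When {@code certAlias} is set, the responder's signing certificate is pinned to
 *       that trust-store entry; responses signed by any other key are rejected.</li>
 * </ul>
 *
 * @param trustStore          store whose trusted certificate entries become the trust anchors
 * @param defaultTrustAnchors not consulted; trust is restricted to {@code trustStore}
 * @return parameters for {@code TrustManagerFactory.init(ManagerFactoryParameters)}
 * @throws IllegalArgumentException if {@code url} or {@code trustStore} is missing
 * @throws IllegalStateException    if {@code certAlias} does not name an X.509 certificate
 *                                  entry, or the PKIX machinery cannot be configured
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // OCSP only; no CRL fallback. Leaving SOFT_FAIL unset keeps failures fatal.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url is non-null here (checked above), so the responder is always set.
        rc.setOcspResponder(new URI(url));
        if (certAlias != null) {
            // Pin the responder's signing certificate to a trust-store certificate entry.
            // Use instanceof rather than a bare cast so a non-X.509 entry yields a clear
            // error instead of a ClassCastException.
            if (!trustStore.isCertificateEntry(certAlias)) {
                throw new IllegalStateException(
                        "Certificate with alias \"" + certAlias + "\" was not found in the trust store");
            }
            java.security.cert.Certificate responderCert = trustStore.getCertificate(certAlias);
            if (!(responderCert instanceof X509Certificate)) {
                throw new IllegalStateException(
                        "Certificate with alias \"" + certAlias + "\" is not an X.509 certificate");
            }
            rc.setOcspResponderCert((X509Certificate) responderCert);
        }
        // Every trusted certificate entry of trustStore becomes a trust anchor; the
        // empty selector places no extra constraints on the target certificate.
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(rc);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        // Preserve the cause; the responder URL is not a secret and helps diagnosis.
        throw new IllegalStateException("Unable to configure OCSP responder " + url, e);
    }
}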
pbParams.addCertPathChecker(_pkixCertPathChecker);
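/**
 * Creates the PKIX trust managers used for the TLS connection.
 *
 * <p>Two trust models are supported:
 * <ul>
 *   <li>{@code trustedCertificates != null}: the PEM bundle is parsed and ONLY those
 *       certificates are trusted (they are installed as {@code ca-0}, {@code ca-1}, ...
 *       certificate entries in the key store obtained from {@code keyStoreSupplier}).
 *       No revocation checking is performed on this path.</li>
 *   <li>{@code trustedCertificates == null}: {@code DEFAULT_CA_KEYSTORE} is used with the
 *       JDK's default {@link PKIXRevocationChecker} (no {@code SOFT_FAIL}, so revocation
 *       failures are fatal).</li>
 * </ul>
 *
 * @param trustedCertificates PEM-encoded CA certificate bundle, or {@code null} for the
 *                            default trust store
 * @param keyStoreSupplier    supplies the key store that receives the parsed CAs; assumed to
 *                            return a loaded (initialized), empty store — confirm at the caller
 * @return the trust managers produced by the PKIX {@code TrustManagerFactory}
 * @throws CertificateException if the bundle cannot be parsed or yields no certificates
 */
static TrustManager[] newTrustManager(@Nullable final String trustedCertificates,
                                      final Supplier<KeyStore> keyStoreSupplier)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
               InvalidAlgorithmParameterException {
    final javax.net.ssl.TrustManagerFactory trustManagerFactory =
            javax.net.ssl.TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates != null) {
        // PEM is ASCII by definition; non-ASCII input cannot be a valid bundle.
        final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
        final Collection<? extends Certificate> caCerts =
                X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
        // An empty bundle (e.g. "") can parse to zero certificates without an exception,
        // which would silently produce a trust store that trusts nothing. Fail fast with a
        // clear message instead of an opaque handshake failure later.
        if (caCerts.isEmpty()) {
            throw new CertificateException("trustedCertificates contains no certificates");
        }
        final KeyStore keystore = keyStoreSupplier.get();
        int index = 0;
        for (final Certificate caCert : caCerts) {
            keystore.setCertificateEntry("ca-" + index++, caCert);
        }
        trustManagerFactory.init(keystore);
        // TODO: consider adding cert revocation checker if AWS-IoT has OCSP/CRL.
    } else {
        // Standard CAs; add revocation check. The JDK default options are used: OCSP with
        // CRL fallback, hard failure when revocation status cannot be determined.
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
    }
    return trustManagerFactory.getTrustManagers();
}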
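/**
 * Builds the PKIX trust managers for the TLS client.
 *
 * <p>If a PEM bundle is supplied, trust is restricted to exactly those certificates
 * (installed as {@code ca-N} certificate entries in the supplied key store) and no
 * revocation checking is done. Otherwise {@code DEFAULT_CA_KEYSTORE} is used together with
 * the JDK's default {@link PKIXRevocationChecker}; {@code SOFT_FAIL} is not set, so an
 * undeterminable revocation status fails validation.
 *
 * @param trustedCertificates PEM-encoded CA bundle, or {@code null} to use the default store
 * @param keyStoreSupplier    provides the key store the bundle is loaded into; it is assumed
 *                            to be already initialized and empty — verify against the caller
 * @return trust managers from the PKIX {@code TrustManagerFactory}
 * @throws CertificateException if the bundle is unparseable or contains no certificates
 */
static TrustManager[] newTrustManager(@Nullable final String trustedCertificates,
                                      final Supplier<KeyStore> keyStoreSupplier)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
               InvalidAlgorithmParameterException {
    final javax.net.ssl.TrustManagerFactory trustManagerFactory =
            javax.net.ssl.TrustManagerFactory.getInstance(PKIX);
    if (trustedCertificates == null) {
        // Standard CAs; add revocation check (JDK defaults: OCSP, CRL fallback, hard fail).
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance(PKIX).getRevocationChecker();
        final PKIXBuilderParameters parameters =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        parameters.addCertPathChecker(revocationChecker);
        trustManagerFactory.init(new CertPathTrustManagerParameters(parameters));
        return trustManagerFactory.getTrustManagers();
    }

    // Operator-supplied bundle: PEM is ASCII, so US_ASCII is the correct decoding.
    final byte[] caCertsPem = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
    final Collection<? extends Certificate> caCerts =
            X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(caCertsPem));
    // Zero parsed certificates would silently yield a store that trusts nothing; surface
    // the misconfiguration here rather than as an opaque handshake failure.
    if (caCerts.isEmpty()) {
        throw new CertificateException("trustedCertificates contains no certificates");
    }
    final KeyStore keystore = keyStoreSupplier.get();
    int index = 0;
    for (final Certificate caCert : caCerts) {
        keystore.setCertificateEntry("ca-" + index++, caCert);
    }
    trustManagerFactory.init(keystore);
    // TODO: consider adding cert revocation checker if AWS-IoT has OCSP/CRL.
    return trustManagerFactory.getTrustManagers();
}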
pkixParams.addCertPathChecker(rc);
pkixParams.addCertPathChecker(rc);
Log.debug("ClientTrustManager: OCSP requested"); OCSPChecker ocspChecker = new OCSPChecker(cp,params); params.addCertPathChecker(ocspChecker);
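/**
 * Produces trust-manager parameters whose chain validation uses {@code trustStore} as the
 * anchor set and a single custom OCSP responder for revocation.
 *
 * <p>Revocation policy: OCSP only ({@code NO_FALLBACK}, no CRLs), and {@code SOFT_FAIL} is
 * intentionally left unset so a failed or unverifiable OCSP lookup rejects the chain.
 * If {@code certAlias} is configured, OCSP responses must be signed by that trust-store
 * certificate.
 *
 * @param trustStore          its trusted certificate entries become the trust anchors
 * @param defaultTrustAnchors ignored; only {@code trustStore} is trusted
 * @return parameters suitable for {@code TrustManagerFactory.init(...)}
 * @throws IllegalArgumentException if {@code url} or {@code trustStore} is absent
 * @throws IllegalStateException    if {@code certAlias} does not resolve to an X.509
 *                                  certificate entry, or PKIX setup fails
 */
@Override
public ManagerFactoryParameters configFor(KeyStore trustStore, Set<TrustAnchor> defaultTrustAnchors) {
    checkArgument(url != null, "tls:custom-ocsp-responder requires the 'url' attribute");
    checkArgument(trustStore != null, "tls:custom-ocsp-responder requires a trust store");
    try {
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // OCSP only, never CRLs; failures stay fatal because SOFT_FAIL is not set.
        revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        // url was validated non-null above, so no further guard is needed here.
        revocationChecker.setOcspResponder(new URI(url));
        if (certAlias != null) {
            revocationChecker.setOcspResponderCert(responderCertificate(trustStore));
        }
        // All trusted certificate entries of trustStore act as anchors; the empty selector
        // adds no constraints on the end-entity certificate.
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.addCertPathChecker(revocationChecker);
        return new CertPathTrustManagerParameters(pkixParams);
    } catch (GeneralSecurityException | URISyntaxException e) {
        // Keep the cause chain; the responder URL is not sensitive and aids diagnosis.
        throw new IllegalStateException("Unable to configure OCSP responder " + url, e);
    }
}

/**
 * Resolves {@code certAlias} to the X.509 certificate that must sign OCSP responses.
 *
 * @throws IllegalStateException if the alias is not a certificate entry or is not X.509
 *                               (explicit check instead of a bare cast, for a clear error)
 */
private X509Certificate responderCertificate(KeyStore trustStore) throws KeyStoreException {
    if (!trustStore.isCertificateEntry(certAlias)) {
        throw new IllegalStateException(
                "Certificate with alias \"" + certAlias + "\" was not found in the trust store");
    }
    java.security.cert.Certificate candidate = trustStore.getCertificate(certAlias);
    if (!(candidate instanceof X509Certificate)) {
        throw new IllegalStateException(
                "Certificate with alias \"" + certAlias + "\" is not an X.509 certificate");
    }
    return (X509Certificate) candidate;
}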
pkixParams.addCertPathChecker(rc);
pbParams.addCertPathChecker(revocationChecker);
pbParams.addCertPathChecker(_pkixCertPathChecker);
parameters.addCertPathChecker(checker); } else if (!checkOCSP && checkCRL) { checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK); checker.setOptions(checkerOptions); parameters.addCertPathChecker(checker);