// Cap on the number of non-self-issued intermediate CA certificates PKIX will accept in a
// built chain (per PKIXParameters: -1 means no limit). Value comes from caller config.
params.setMaxPathLength(maxCertPath);
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: covers NumberFormatException from parseInt and the InvalidParameterException
        // PKIXParameters throws for values below -1. On failure the limit is only logged, not
        // tightened — xparams keeps whatever max path length it already had.
        logger.warning("Bad maxCertLength: " + trustLength);
// Cap on non-self-issued intermediate CA certificates in a built chain (-1 = unlimited),
// taken from the enclosing object's configured _maxCertPathLength.
pbParams.setMaxPathLength(_maxCertPathLength);
// Cap on non-self-issued intermediate CA certificates in a built chain (-1 = unlimited),
// taken from the enclosing object's configured _maxCertPathLength.
pbParams.setMaxPathLength(_maxCertPathLength);
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only logged — xparams keeps whatever
        // max path length it already had.
        log.warn("Bad maxCertLength: " + trustLength);
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only logged — xparams keeps whatever
        // max path length it already had.
        logger.warning("Bad maxCertLength: " + trustLength);
// Build a PKIX certification path from the "mykey" certificate up to one of trustAnchors,
// using the CertStore cs (defined outside this excerpt) as the source of intermediates.
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
// Target of the path. KeyStore.getCertificate returns null for an unknown alias, and
// X509CertSelector.setCertificate(null) removes the target-certificate criterion entirely.
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
// Revocation checking is on; the PKIX builder then typically needs CRLs (e.g. in cs) or
// OCSP to be reachable, otherwise path building fails for lack of revocation data.
cpp.setRevocationEnabled(true);
// At most 6 non-self-issued intermediate certificates between the target and the anchor.
cpp.setMaxPathLength(6);
// Validity period is evaluated at the wall-clock time captured here.
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
// PKIX builder parameters: every trusted entry in trustStore becomes a trust anchor; the
// unconstrained X509CertSelector means no target-certificate criterion is set at this point.
PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
// Cap on non-self-issued intermediate CA certificates, read from the SSL config (-1 = unlimited).
pbParams.setMaxPathLength(sslConfig.getMaxCertPathLength());
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only logged — xparams keeps whatever
        // max path length it already had.
        log.warn("Bad maxCertLength: " + trustLength);
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only reported through the logger —
        // xparams keeps whatever max path length it already had.
        CoyoteLogger.UTIL_LOGGER.invalidMaxCertLength(trustLength);
// Cap on non-self-issued intermediate CA certificates in a built chain (-1 = unlimited),
// taken from the enclosing object's configured _maxCertPathLength.
pbParams.setMaxPathLength(_maxCertPathLength);
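/**
 * Builds and validates a PKIX certification path for {@code inCerts} against the trusted
 * entries of {@code ks}. The first element of {@code inCerts} is the end-entity certificate;
 * the whole list is offered to the builder as a collection CertStore of candidate
 * intermediates.
 *
 * Revocation checking is off and the path length is unbounded (-1): this establishes
 * chaining to a trust anchor only, not revocation status.
 *
 * @param ks key store whose trusted entries serve as trust anchors
 * @param inCerts candidate chain, end-entity first; must be non-empty
 * @throws JoseException if the chain is empty or cannot be built or validated; the
 *         underlying exception is attached as the cause
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        // Fail with an explicit reason rather than an IndexOutOfBoundsException from get(0);
        // the catch below still wraps it in the JoseException callers expect.
        if (inCerts == null || inCerts.isEmpty()) {
            throw new IllegalArgumentException("Certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);        // no cap on the number of intermediates
        pbParams.setRevocationEnabled(false); // no CRL/OCSP lookups here
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        // Validate the built path with the same parameters (PKIXBuilderParameters is a PKIXParameters).
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}
public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {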
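/**
 * Builds and validates a PKIX certification path for {@code inCerts} against the trusted
 * entries of {@code ks}. The first element of {@code inCerts} is the end-entity certificate;
 * the whole list is offered to the builder as a collection CertStore of candidate
 * intermediates.
 *
 * Revocation checking is off and the path length is unbounded (-1): this establishes
 * chaining to a trust anchor only, not revocation status.
 *
 * @param ks key store whose trusted entries serve as trust anchors
 * @param inCerts candidate chain, end-entity first; must be non-empty
 * @throws JoseException if the chain is empty or cannot be built or validated; the
 *         underlying exception is attached as the cause
 */
public static void validateCertificateChain(KeyStore ks, List<X509Certificate> inCerts) {
    // Initial chain validation, to be enhanced as needed
    try {
        // Fail with an explicit reason rather than an IndexOutOfBoundsException from get(0);
        // the catch below still wraps it in the JoseException callers expect.
        if (inCerts == null || inCerts.isEmpty()) {
            throw new IllegalArgumentException("Certificate chain is empty");
        }
        X509CertSelector certSelect = new X509CertSelector();
        certSelect.setCertificate(inCerts.get(0));
        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
        pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(inCerts)));
        pbParams.setMaxPathLength(-1);        // no cap on the number of intermediates
        pbParams.setRevocationEnabled(false); // no CRL/OCSP lookups here
        CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
        CertPath certPath = buildResult.getCertPath();
        // Validate the built path with the same parameters (PKIXBuilderParameters is a PKIXParameters).
        CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
    } catch (Exception ex) {
        LOG.warning("Certificate path validation error");
        throw new JoseException(ex);
    }
}
public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {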
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only logged — xparams keeps whatever
        // max path length it already had.
        log.warn("Bad maxCertLength: " + trustLength);
// Optional configured chain-length cap as a string; null leaves xparams' current limit untouched.
if (trustLength != null) {
    try {
        // Bounds the number of non-self-issued intermediates PKIX accepts; "-1" parses to no limit.
        xparams.setMaxPathLength(Integer.parseInt(trustLength));
    } catch (Exception ex) {
        // Broad catch: NumberFormatException from parseInt and InvalidParameterException for
        // values below -1 both end here. The bad value is only logged — xparams keeps whatever
        // max path length it already had.
        log.warn("Bad maxCertLength: " + trustLength);
/**
 * Creates the PKIX initialisation parameters for the TrustManager.
 * Only the {@code PKIX} algorithm is supported; any other value is rejected
 * through {@code ModClusterMessages.MESSAGES.crlNotSupported}.
 *
 * The CRLs read from {@code crlf} are wrapped in a collection {@code CertStore}
 * and revocation checking is switched on, so chains are checked against those CRLs.
 *
 * @param algorithm the trust-manager algorithm; must be {@code PKIX} (case-insensitive)
 * @param crlf path of the CRL file handed to {@code getCRLs}
 * @param trustStore the configured trust store; its trusted entries become the trust anchors
 * @return PKIX builder parameters carrying the trust store, the CRLs and the configured
 *         maximum certificate chain length
 * @throws GeneralSecurityException if the PKIX parameters or the CRL store cannot be created
 * @throws IOException if the CRL file cannot be read
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore)
        throws GeneralSecurityException, IOException {
    boolean isPkix = "PKIX".equalsIgnoreCase(algorithm);
    if (!isPkix) {
        throw ModClusterMessages.MESSAGES.crlNotSupported(algorithm);
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> revocationLists = this.getCRLs(crlf);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(revocationLists));
    pkixParams.addCertStore(crlStore);
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(this.config.getSslTrustMaxCertLength());
    return pkixParams;
}
/**
 * Creates the PKIX initialisation parameters for the TrustManager.
 * Only the {@code PKIX} algorithm is supported; any other value is rejected
 * through {@code ModClusterMessages.MESSAGES.crlNotSupported}.
 *
 * The CRLs read from {@code crlf} are wrapped in a collection {@code CertStore}
 * and revocation checking is switched on, so chains are checked against those CRLs.
 *
 * @param algorithm the trust-manager algorithm; must be {@code PKIX} (case-insensitive)
 * @param crlf path of the CRL file handed to {@code getCRLs}
 * @param trustStore the configured trust store; its trusted entries become the trust anchors
 * @return PKIX builder parameters carrying the trust store, the CRLs and the configured
 *         maximum certificate chain length
 * @throws GeneralSecurityException if the PKIX parameters or the CRL store cannot be created
 * @throws IOException if the CRL file cannot be read
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore)
        throws GeneralSecurityException, IOException {
    boolean isPkix = "PKIX".equalsIgnoreCase(algorithm);
    if (!isPkix) {
        throw ModClusterMessages.MESSAGES.crlNotSupported(algorithm);
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> revocationLists = this.getCRLs(crlf);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(revocationLists));
    pkixParams.addCertStore(crlStore);
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(this.config.getSslTrustMaxCertLength());
    return pkixParams;
}
/**
 * Creates the PKIX initialisation parameters for the TrustManager.
 * Only the {@code PKIX} algorithm is supported; any other value is rejected
 * with a {@link CRLException}.
 *
 * The CRLs read from {@code crlf} are wrapped in a collection {@code CertStore}
 * and revocation checking is switched on, so chains are checked against those CRLs.
 *
 * @param algorithm the trust-manager algorithm; must be {@code PKIX} (case-insensitive)
 * @param crlf path of the CRL file handed to {@code getCRLs}
 * @param trustStore the configured trust store; its trusted entries become the trust anchors
 * @return PKIX builder parameters carrying the trust store, the CRLs and the configured
 *         maximum certificate chain length
 * @throws CRLException if {@code algorithm} is not {@code PKIX}
 * @throws GeneralSecurityException if the PKIX parameters or the CRL store cannot be created
 * @throws IOException if the CRL file cannot be read
 */
protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore)
        throws GeneralSecurityException, IOException {
    boolean isPkix = "PKIX".equalsIgnoreCase(algorithm);
    if (!isPkix) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> revocationLists = this.getCRLs(crlf);
    CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(revocationLists));
    pkixParams.addCertStore(crlStore);
    pkixParams.setRevocationEnabled(true);
    pkixParams.setMaxPathLength(this.config.getSslTrustMaxCertLength());
    return pkixParams;
}
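/**
 * Builds a {@link CertPath} from a chain candidate with the PKIX builder.
 * Revocation checking is disabled and the path length is unbounded (-1), so this
 * establishes chaining to one of {@code trustAnchors} only — not revocation status.
 *
 * @param chain chain candidate, end-entity certificate first, issuers after it; every
 *              entry is offered to the builder as a candidate intermediate
 * @param trustAnchors trust anchors the path must end at
 * @return the built certification path
 * @throws CertPathBuilderException if the chain is null or empty, its first entry is not
 *         an X.509 certificate, or no path to a trust anchor can be built
 * @throws GeneralSecurityException if the PKIX parameters or the CertStore cannot be created
 */
public static CertPath buildCertPath(List<Certificate> chain, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    // Reject degenerate input up front: chain.get(0) on an empty list would otherwise surface
    // as an IndexOutOfBoundsException instead of the documented CertPathBuilderException.
    if (chain == null || chain.isEmpty()) {
        throw new CertPathBuilderException("Chain candidate is empty");
    }
    Certificate endEntity = chain.get(0);
    // A null or non-X.509 first entry would clear the selector's target criterion (or fail the
    // cast); make that an explicit failure rather than building a path to an arbitrary cert.
    if (!(endEntity instanceof X509Certificate)) {
        throw new CertPathBuilderException("First certificate of the chain candidate is not X.509");
    }
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate((X509Certificate) endEntity);
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
    pkixParams.setRevocationEnabled(false); // chaining only; no CRL/OCSP lookups
    pkixParams.setMaxPathLength(-1);        // no cap on the number of intermediates
    pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
    return CertPathBuilder.getInstance("PKIX").build(pkixParams).getCertPath();
}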
/**
 * Builds the PKIX parameters used to initialise the TrustManager.
 * Currently, only the default {@code PKIX} algorithm is supported.
 *
 * When a CRL file is configured its CRLs are loaded into a collection CertStore and
 * revocation checking is forced on; otherwise the caller's {@code revocationEnabled}
 * flag is passed through unchanged.
 *
 * @param crlf path to the CRL file, or {@code null}/empty when none is configured
 * @param trustStore the configured trust store
 * @param revocationEnabled whether the JSSE provider should perform revocation checks;
 *        ignored when {@code crlf} is set. How such checks are configured is
 *        provider-specific (proprietary JSSE provider methods).
 * @return builder parameters carrying the trust store, any CRLs and the configured
 *         certificate verification depth
 * @throws Exception if the CRLs cannot be loaded or the parameters cannot be created
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore, boolean revocationEnabled)
        throws Exception {
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
    boolean hasCrlFile = crlf != null && !crlf.isEmpty();
    if (!hasCrlFile) {
        pkixParams.setRevocationEnabled(revocationEnabled);
    } else {
        CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs(crlf)));
        pkixParams.addCertStore(crlStore);
        pkixParams.setRevocationEnabled(true);
    }
    pkixParams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return pkixParams;
}