// Trust anchors are taken from the trusted-certificate entries of `keystore`; the PKIXParameters
// constructor rejects a store without any such entry (InvalidAlgorithmParameterException per the JDK API).
PKIXParameters params = new PKIXParameters(keystore);
PKIXParameters params = new PKIXParameters(keyStore); params.getTrustAnchors().stream() .map(TrustAnchor::getTrustedCert)
// Validate one end-entity certificate directly against a single CA certificate (caCert comes from
// surrounding code that is not part of this snippet).
X509Certificate certToVerify = ...
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// One-element path: the only thing checked is certToVerify against the anchor below.
CertPath cp = cf.generateCertPath(Arrays.asList(new X509Certificate[] { certToVerify }));
TrustAnchor trustAnchor = new TrustAnchor(caCert, null); // null = no name constraints
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXParameters pkixParams = new PKIXParameters(Collections.singleton(trustAnchor));
// NOTE(review): with revocation disabled a revoked certToVerify still validates; keep it enabled
// and supply CRLs/OCSP wherever the CA publishes revocation data.
pkixParams.setRevocationEnabled(false);
cpv.validate(cp, pkixParams);
keystore.load(is, null); PKIXParameters params = new PKIXParameters(keystore); for (TrustAnchor trustAnchor : params.getTrustAnchors()) params = new PKIXParameters(keystore); for (TrustAnchor trustAnchor : params.getTrustAnchors())
PKIXParameters params = new PKIXParameters(keyStore);
// NOTE(review): this switches off every CRL/OCSP check, not just the empty-CRL case, so revoked
// certificates are accepted; a usable revocation source is the safer fix for the exception.
params.setRevocationEnabled(false); // to avoid exception on empty CRL
/**
 * Validates {@code cert} as a one-element certification path against the trust store returned by
 * {@code getTrustStore()}. Revocation checking is disabled, so no CRL/OCSP lookup happens and a
 * revoked-but-otherwise-valid certificate is accepted.
 *
 * @param cert certificate to validate; {@code null} yields {@code false}
 * @return {@code true} when the PKIX validator accepts the path; {@code false} when it rejects it
 *         or when any of the listed exceptions occurs (those are logged together with the
 *         certificate, never propagated)
 */
boolean validateCertificate(Certificate cert) {
    if (cert == null) {
        return false;
    }
    try {
        KeyStore trustStore = getTrustStore();
        PKIXParameters pkixParameters = new PKIXParameters(trustStore);
        // No revocation source is configured here, hence the explicit opt-out.
        pkixParameters.setRevocationEnabled(false);
        CertPathValidator validator =
                CertPathValidator.getInstance(CertPathValidator.getDefaultType()); // PKIX
        CertificateFactory factory = CertificateFactory.getInstance(CERTIFICATE_FORMAT);
        ArrayList<Certificate> chain = new ArrayList<>(1);
        chain.add(cert);
        CertPath path = factory.generateCertPath(chain);
        validator.validate(path, pkixParameters);
        return true;
    } catch (KeyStoreException | InvalidAlgorithmParameterException | NoSuchAlgorithmException
            | CertificateException | CertPathValidatorException | CryptoException e) {
        logger.error("Cannot validate certificate. Error is: " + e.getMessage()
                + "\r\nCertificate" + cert.toString());
        return false;
    }
} // validateCertificate
/**
 * Creates a verification instance against a specific set of TrustAnchors.
 *
 * @param trustAnchors     anchors a presented host certificate chain must terminate at
 * @param enableRevocation whether the PKIX validator performs CRL/OCSP revocation checks
 * @throws InvalidAlgorithmParameterException if {@link PKIXParameters} rejects the anchor set
 *                                            (for example when it is empty)
 */
public X509HostKeyVerification(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters configured = new PKIXParameters(trustAnchors);
    configured.setRevocationEnabled(enableRevocation);
    params = configured;
}
/**
 * Builds a trust manager over an explicit list of trusted certificates.
 *
 * @param verify  stored as-is; consulted by other methods of this class
 * @param trusted certificates that become PKIX trust anchors (no name constraints); when the list
 *                is empty, {@code anchors} and {@code parameter} are left unassigned
 * @throws InvalidAlgorithmParameterException if {@link PKIXParameters} rejects the anchor set
 */
public LocalTrustManager(boolean verify, List<X509Certificate> trusted)
        throws InvalidAlgorithmParameterException {
    this.verify = verify;
    this.trusted = trusted; // NOTE(review): kept by reference, the caller's list is not copied
    if (trusted.isEmpty()) {
        return;
    }
    Set<TrustAnchor> anchorSet = trusted.stream()
            .map(certificate -> new TrustAnchor(certificate, null))
            .collect(Collectors.toSet());
    PKIXParameters pkix = new PKIXParameters(anchorSet);
    pkix.setRevocationEnabled(false); // no CRL/OCSP lookup is performed
    this.anchors = anchorSet;
    this.parameter = pkix;
}
/**
 * Constructs the trust manager from a caller-supplied list of trusted X.509 certificates.
 *
 * @param verify  flag stored on the instance; other methods decide what it means
 * @param trusted certificates turned into {@link TrustAnchor}s; an empty list leaves the
 *                {@code anchors} and {@code parameter} fields untouched
 * @throws InvalidAlgorithmParameterException if the anchor set is rejected by {@link PKIXParameters}
 */
public LocalTrustManager(boolean verify, List<X509Certificate> trusted)
        throws InvalidAlgorithmParameterException {
    this.verify = verify;
    this.trusted = trusted; // stored by reference; not defensively copied
    boolean haveAnchors = !trusted.isEmpty();
    if (haveAnchors) {
        Set<TrustAnchor> built = trusted.stream()
                .map(cert -> new TrustAnchor(cert, null)) // null: no name constraints
                .collect(Collectors.toSet());
        this.anchors = built;
        PKIXParameters validationParams = new PKIXParameters(built);
        // Revocation data is never consulted for chains checked with these parameters.
        validationParams.setRevocationEnabled(false);
        this.parameter = validationParams;
    }
}
// Load the JDK's cacerts keystore file String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar); FileInputStream is = new FileInputStream(filename); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); String password = "changeit"; keystore.load(is, password.toCharArray()); // This class retrieves the most-trusted CAs from the keystore PKIXParameters params = new PKIXParameters(keystore); // Get the set of trust anchors, which contain the most-trusted CA certificates Iterator it = params.getTrustAnchors().iterator(); while( it.hasNext() ) { TrustAnchor ta = (TrustAnchor)it.next(); // Get certificate X509Certificate cert = ta.getTrustedCert(); System.out.println(cert); }
// Parse a PKCS#7 bundle into a CertPath and validate it against the JDK cacerts store via BouncyCastle.
// NOTE(review): each `new BouncyCastleProvider()` creates a fresh provider instance; one shared
// instance (or Security.addProvider once) is the usual pattern.
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", new BouncyCastleProvider());
InputStream is = new ByteArrayInputStream(some bytes in an array);
CertPath certPath = certificateFactory.generateCertPath(is, "PKCS7"); // Throws Certificate Exception when a cert path cannot be generated
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", new BouncyCastleProvider());
// NOTE(review): KeyTool.getCacertsKeyStore() is a JDK-internal helper (sun.security.*), not public API;
// loading cacerts through KeyStore.getInstance(...).load(...) avoids the dependency.
PKIXParameters parameters = new PKIXParameters(KeyTool.getCacertsKeyStore());
// Revocation checking is left at the PKIXParameters default (enabled, per the JDK Javadoc), so a
// CRL CertStore or CRLDP/OCSP lookup must be available or validation fails for lack of revocation data.
PKIXCertPathValidatorResult validatorResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters); // This will throw a CertPathValidatorException if validation fails
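// Collect every trusted CA certificate from the JDK's cacerts keystore into `additionalCerts`.
// replace() applies to the literal only; the java.home prefix is used as-is.
String filename = System.getProperty("java.home")
        + "/lib/security/cacerts".replace('/', File.separatorChar);
Set<X509Certificate> additionalCerts = new HashSet<>();
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
// JDK default cacerts password; installations may change it. Per the KeyStore API a null
// password loads the entries while skipping the integrity check.
String password = "changeit";
// try-with-resources: the original never closed the stream.
try (FileInputStream is = new FileInputStream(filename)) {
    keystore.load(is, password.toCharArray());
}
// This class retrieves the most-trusted CAs from the keystore
PKIXParameters params = new PKIXParameters(keystore);
// Get the set of trust anchors, which contain the most-trusted CA certificates
for (TrustAnchor ta : params.getTrustAnchors()) {
    X509Certificate cert = ta.getTrustedCert();
    // Per the TrustAnchor API, name+key anchors have no certificate; keep the set free of null.
    if (cert != null) {
        additionalCerts.add(cert);
    }
}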
PKIXParameters params = new PKIXParameters(anchors);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
// Process-wide Security property: it affects every PKIX validation in this JVM, not just `params`,
// and it only has an effect while revocation checking is enabled (as above).
Security.setProperty("ocsp.enable", "true");
/**
 * Builds PKIX validation parameters for the given anchors.
 *
 * @param trustAnchors     anchors the validated chain must lead to
 * @param enableRevocation whether CRL/OCSP revocation checks run; when true and
 *                         {@code crlCertStore} is non-null, that store is added as a CRL source
 * @return the configured parameters
 * @throws InvalidAlgorithmParameterException if {@link PKIXParameters} rejects the anchor set
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(enableRevocation);
    // The CRL store is only useful when revocation is actually going to be checked.
    boolean attachCrlStore = enableRevocation && crlCertStore != null;
    if (attachCrlStore) {
        pkix.addCertStore(crlCertStore);
    }
    return pkix;
}
/**
 * Creates {@link PKIXParameters} over {@code trustAnchors}, optionally wired to the CRL store.
 *
 * @param trustAnchors     trust anchors for path validation
 * @param enableRevocation when true, revocation checking is on and {@code crlCertStore}
 *                         (if set) supplies CRLs; when false no revocation data is consulted
 * @return the configured parameters
 * @throws InvalidAlgorithmParameterException if the anchor set is invalid (e.g. empty)
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters result = new PKIXParameters(trustAnchors);
    result.setRevocationEnabled(enableRevocation);
    if (!enableRevocation) {
        return result; // nothing to look up, so no CRL store is needed
    }
    if (crlCertStore != null) {
        result.addCertStore(crlCertStore);
    }
    return result;
}
/**
 * Factory for the PKIX parameters used by this validator.
 *
 * @param trustAnchors     anchors accepted as chain roots
 * @param enableRevocation enables CRL/OCSP checking; the instance's {@code crlCertStore} is
 *                         attached as a CRL source only in that case and only when non-null
 * @return parameters with revocation configured as requested
 * @throws InvalidAlgorithmParameterException if {@link PKIXParameters} rejects {@code trustAnchors}
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkixParams = new PKIXParameters(trustAnchors);
    pkixParams.setRevocationEnabled(enableRevocation);
    if (enableRevocation) {
        // A CRL store without revocation checking would never be consulted.
        if (crlCertStore != null) {
            pkixParams.addCertStore(crlCertStore);
        }
    }
    return pkixParams;
}
/**
 * Validates {@code certs} as a certification path against {@code trustAnchors}.
 * Revocation checking is disabled, so no CRL/OCSP data is consulted.
 *
 * @param certs        chain to validate, in the order the PKIX validator expects (end entity first)
 * @param trustAnchors anchors the chain must lead to
 * @return the validator's result (anchor, policy tree, subject public key)
 * @throws GeneralSecurityException on a rejected path or a provider/parameter problem
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    CertPath chain = factory.generateCertPath(certs);
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(false); // revoked certificates still pass here
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    return (PKIXCertPathValidatorResult) validator.validate(chain, pkix);
}
} // closing brace of the enclosing class, as in the original snippet
/**
 * Runs PKIX path validation for {@code certs} against {@code trustAnchors} with revocation
 * checking switched off.
 *
 * @param certs        certificates forming the path (end entity first, as PKIX expects)
 * @param trustAnchors acceptable roots
 * @return result of the validation
 * @throws GeneralSecurityException when the path is rejected or a provider/parameter error occurs
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    PKIXParameters parameters = buildParameters(trustAnchors);
    CertPath path = CertificateFactory.getInstance("X509").generateCertPath(certs);
    CertPathValidator pkixValidator = CertPathValidator.getInstance("PKIX");
    return (PKIXCertPathValidatorResult) pkixValidator.validate(path, parameters);
}

/** Parameters over {@code trustAnchors} with revocation checking disabled (no CRL/OCSP lookup). */
private static PKIXParameters buildParameters(Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    PKIXParameters parameters = new PKIXParameters(trustAnchors);
    parameters.setRevocationEnabled(false);
    return parameters;
}
} // closing brace of the enclosing class, as in the original snippet
/**
 * Validates a certificate chain with the "PKIX" {@link CertPathValidator}.
 * No revocation checking is performed.
 *
 * @param certs        chain, end-entity certificate first
 * @param trustAnchors roots the chain has to terminate at
 * @return the PKIX validation result
 * @throws GeneralSecurityException if validation fails or the provider/parameters are unusable
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    final CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    final PKIXParameters validationParams = new PKIXParameters(trustAnchors);
    validationParams.setRevocationEnabled(false); // CRL/OCSP are not consulted
    final CertificateFactory x509Factory = CertificateFactory.getInstance("X509");
    final CertPath certPath = x509Factory.generateCertPath(certs);
    final PKIXCertPathValidatorResult outcome =
            (PKIXCertPathValidatorResult) validator.validate(certPath, validationParams);
    return outcome;
}
} // closing brace of the enclosing class, as in the original snippet
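// Build a chain from a DER-encoded certificate up to the trust store, then validate it with
// revocation checking enabled and a key-usage constraint on the end-entity certificate.
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck =
        (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
final KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream keyStoreStream = ...
// Fixed: load() referenced the misspelled `keyStoreStrem`; the stream is now also closed after use.
try (InputStream in = keyStoreStream) {
    trustStore.load(in, "your password".toCharArray());
}
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
// PKIXBuilderParameters inherits revocationEnabled=true by default (JDK Javadoc), so building the
// chain already needs CRL/OCSP data unless revocation is turned off on these parameters.
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
validationParameters.setRevocationEnabled(true); // if you want to check CRL
// KeyUsage bit order (RFC 5280): [0] digitalSignature, [1] nonRepudiation, [2] keyEncipherment, ...
final X509CertSelector keyUsageSelector = new X509CertSelector();
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result =
        (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);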