KeyStore ts = KeyStore.getInstance("JKS"); FileInputStream tfis = new FileInputStream(trustStorePath); ts.load(tfis, trustStorePass.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // initialize certification path checking for the offered certificates and revocation checks against CLRs CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker(); rc.setOptions(EnumSet.of( PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP PKIXRevocationChecker.Option.ONLY_END_ENTITY, PKIXRevocationChecker.Option.SOFT_FAIL, // handshake should not fail when CRL is not available PKIXRevocationChecker.Option.NO_FALLBACK)); // don't fall back to OCSP checking PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(ts, new X509CertSelector()); pkixParams.addCertPathChecker(rc); tmf.init( new CertPathTrustManagerParameters(pkixParams) ); // init KeyManagerFactory kmf.init(...) SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kmf.getKeyManagers), tmf.getTrustManagers(), null);
params.addCertPathChecker(rc); CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); CertPath certPath = certFactory.generateCertPath(certs); rc.setOptions(Collections.emptySet()); params.setRevocationEnabled(false); params.addCertPathChecker(null);
PKIXParameters params = new PKIXParameters(trustAnchor); params.setRevocationEnabled(false); params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0])); validator.validate(certPath, params);
X509Certificate endPointCert = untrustedChain.get(0); setOcspResponses(params, endPointCert, ocspData); params.addCertPathChecker( new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, endPointCert)); validator.validate(certPath, params);
PKIXParameters param = new PKIXParameters(trust); param.addCertPathChecker(pathChecker); param.setRevocationEnabled(false); param.addCertStore(store);
PKIXParameters params = new PKIXParameters(trustAnchor); params.setRevocationEnabled(false); params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0])); validator.validate(certPath, params);
PKIXParameters param = new PKIXParameters(trust); param.addCertPathChecker(pathChecker); param.setRevocationEnabled(false); param.addCertStore(store);
X509Certificate endPointCert = untrustedChain.get(0); setOcspResponses(params, endPointCert, ocspData); params.addCertPathChecker( new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, endPointCert)); validator.validate(certPath, params);
proxyParams.addCertPathChecker(new PKIXProxyCertificateChecker()); proxyParams.setRevocationEnabled(false); proxyReviewer = new PKIXCertPathReviewer(proxyCertPath, proxyParams);
private void validateNoCache(List<? extends X509Certificate> certs) throws SignatureException { try { CertPathValidator validator = CertPathValidator.getInstance( VALIDATOR_TYPE); PKIXParameters params = new PKIXParameters(trustRoots); params.addCertPathChecker(WAVE_OID_CHECKER); params.setDate(timeSource.now()); // turn off default revocation-checking mechanism params.setRevocationEnabled(false); // TODO: add a way for clients to add certificate revocation checks, // perhaps by letting them pass in PKIXCertPathCheckers. This can also be // useful to check for Wave-specific certificate extensions. CertificateFactory certFactory = CertificateFactory.getInstance( CERTIFICATE_TYPE); CertPath certPath = certFactory.generateCertPath(certs); validator.validate(certPath, params); } catch (GeneralSecurityException e) { throw new SignatureException("Certificate validation failure", e); } }