// Validates one end-entity certificate directly against a single CA certificate
// with the PKIX CertPathValidator; the code before "..." is not shown here.
X509Certificate certToVerify = ...
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// One-element path: no intermediates are supplied, so certToVerify must be
// issued directly by a trust anchor for validation to succeed.
CertPath cp = cf.generateCertPath(Arrays .asList(new X509Certificate[] { certToVerify }));
// Null name constraints: the anchor restricts nothing beyond its public key.
TrustAnchor trustAnchor = new TrustAnchor(caCert, null);
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXParameters pkixParams = new PKIXParameters( Collections.singleton(trustAnchor));
// Revocation checking is switched off: a revoked certificate that still chains
// to caCert passes. Keep it enabled (with a CRL CertStore or OCSP) in production.
pkixParams.setRevocationEnabled(false);
// Throws CertPathValidatorException on failure; the returned result is discarded.
cpv.validate(cp, pkixParams);
// Disables CRL/OCSP revocation checking so validation does not fail when no
// CRL is available for an issuer ("empty CRL"). Trade-off: a revoked
// certificate that still chains to a trust anchor is accepted as valid.
params.setRevocationEnabled(false);
/**
 * Checks whether {@code cert} chains directly to an anchor in the configured
 * trust store, using the default CertPathValidator type (PKIX unless the
 * {@code certpathvalidator.type} security property overrides it).
 *
 * Revocation (CRL/OCSP) status is NOT consulted, so a revoked certificate that
 * is otherwise valid is reported as valid. Failures of any kind are logged and
 * reported as {@code false}; nothing propagates to the caller.
 * NOTE(review): the log line carries only {@code e.getMessage()}, not the
 * stack trace — passing {@code e} as the last logger argument would keep it.
 *
 * @param cert the certificate to validate; {@code null} yields {@code false}
 * @return {@code true} only if PKIX validation against the trust store succeeded
 */
boolean validateCertificate(Certificate cert) {
    if (cert == null) {
        return false;
    }
    try {
        KeyStore trustStore = getTrustStore();
        PKIXParameters pkixParams = new PKIXParameters(trustStore);
        // No CRL/OCSP lookups during validation.
        pkixParams.setRevocationEnabled(false);
        CertPathValidator validator =
                CertPathValidator.getInstance(CertPathValidator.getDefaultType()); // PKIX
        // Single-certificate path: cert must be issued by a trust-store anchor itself.
        ArrayList<Certificate> chain = new ArrayList<>(1);
        chain.add(cert);
        CertificateFactory factory = CertificateFactory.getInstance(CERTIFICATE_FORMAT);
        CertPath path = factory.generateCertPath(chain);
        validator.validate(path, pkixParams);
        return true;
    } catch (KeyStoreException | InvalidAlgorithmParameterException | NoSuchAlgorithmException
            | CertificateException | CertPathValidatorException | CryptoException e) {
        logger.error("Cannot validate certificate. Error is: " + e.getMessage() + "\r\nCertificate" + cert.toString());
        return false;
    }
} // validateCertificate
/**
 * Creates a verification instance that accepts host certificates chaining to
 * one of the given trust anchors.
 *
 * @param trustAnchors     anchors the host certificate must chain to; must be non-empty
 * @param enableRevocation whether CRL/OCSP revocation checking is performed during
 *                         validation; {@code false} accepts revoked-but-otherwise-valid certificates
 * @throws InvalidAlgorithmParameterException if {@code trustAnchors} is empty
 */
public X509HostKeyVerification(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(enableRevocation);
    params = pkix;
}
/**
 * Builds a trust manager over an explicit list of trusted certificates.
 * Each certificate becomes a TrustAnchor without name constraints, and the
 * resulting PKIXParameters has revocation (CRL/OCSP) checking switched off.
 *
 * When {@code trusted} is empty, {@code anchors} and {@code parameter} are
 * left unassigned. NOTE(review): callers presumably guard on {@code verify}
 * or on {@code trusted} before using them — confirm.
 *
 * @param verify  stored in {@code this.verify}
 * @param trusted stored by reference (not copied); the caller's list must not
 *                be mutated afterwards
 * @throws InvalidAlgorithmParameterException declared for PKIXParameters; not
 *         reachable here because the anchor set is non-empty when it is built
 */
public LocalTrustManager(boolean verify, List<X509Certificate> trusted) throws InvalidAlgorithmParameterException {
    this.verify = verify;
    this.trusted = trusted;
    if (trusted.isEmpty()) {
        return;
    }
    this.anchors = trusted.stream()
            .map(cert -> new TrustAnchor(cert, null))
            .collect(Collectors.toSet());
    this.parameter = new PKIXParameters(anchors);
    // Revoked certificates chaining to an anchor are still accepted.
    this.parameter.setRevocationEnabled(false);
}
/**
 * Builds a trust manager over an explicit list of trusted certificates.
 * Each certificate becomes a TrustAnchor without name constraints, and the
 * resulting PKIXParameters has revocation (CRL/OCSP) checking switched off.
 *
 * When {@code trusted} is empty, {@code anchors} and {@code parameter} are
 * left unassigned. NOTE(review): callers presumably guard on {@code verify}
 * or on {@code trusted} before using them — confirm.
 *
 * @param verify  stored in {@code this.verify}
 * @param trusted stored by reference (not copied); the caller's list must not
 *                be mutated afterwards
 * @throws InvalidAlgorithmParameterException declared for PKIXParameters; not
 *         reachable here because the anchor set is non-empty when it is built
 */
public LocalTrustManager(boolean verify, List<X509Certificate> trusted) throws InvalidAlgorithmParameterException {
    this.verify = verify;
    this.trusted = trusted;
    if (trusted.isEmpty()) {
        return;
    }
    this.anchors = trusted.stream()
            .map(cert -> new TrustAnchor(cert, null))
            .collect(Collectors.toSet());
    this.parameter = new PKIXParameters(anchors);
    // Revoked certificates chaining to an anchor are still accepted.
    this.parameter.setRevocationEnabled(false);
}
// PKIX validation parameters over the configured anchors (throws if empty).
PKIXParameters params = new PKIXParameters(anchors);
// Activate certificate revocation checking. No CertStore is added here, so
// CRLs must come from somewhere else (a CertStore added later, or CRL
// distribution points when com.sun.security.enableCRLDP is set) or OCSP below.
params.setRevocationEnabled(true);
// Activate OCSP. This is a JVM-wide Security property, not a per-validation
// setting: every PKIX validation in this process is affected from now on.
Security.setProperty("ocsp.enable", "true");
/**
 * Builds PKIX validation parameters over {@code trustAnchors}. When revocation
 * checking is requested and a CRL CertStore is configured on this instance,
 * that store is attached so the validator has a CRL source.
 *
 * @param trustAnchors     the anchors; must be non-empty
 * @param enableRevocation whether CRL/OCSP revocation checking is enabled
 * @return the configured parameters
 * @throws InvalidAlgorithmParameterException if {@code trustAnchors} is empty
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(enableRevocation);
    // With revocation on but no CRL store attached, the validator has no local
    // CRL source; whether it can still fetch CRLs/OCSP depends on JVM settings.
    boolean attachCrlStore = enableRevocation && crlCertStore != null;
    if (attachCrlStore) {
        pkix.addCertStore(crlCertStore);
    }
    return pkix;
}
/**
 * Builds PKIX validation parameters over {@code trustAnchors}. When revocation
 * checking is requested and a CRL CertStore is configured on this instance,
 * that store is attached so the validator has a CRL source.
 *
 * @param trustAnchors     the anchors; must be non-empty
 * @param enableRevocation whether CRL/OCSP revocation checking is enabled
 * @return the configured parameters
 * @throws InvalidAlgorithmParameterException if {@code trustAnchors} is empty
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(enableRevocation);
    // With revocation on but no CRL store attached, the validator has no local
    // CRL source; whether it can still fetch CRLs/OCSP depends on JVM settings.
    boolean attachCrlStore = enableRevocation && crlCertStore != null;
    if (attachCrlStore) {
        pkix.addCertStore(crlCertStore);
    }
    return pkix;
}
/**
 * Builds PKIX validation parameters over {@code trustAnchors}. When revocation
 * checking is requested and a CRL CertStore is configured on this instance,
 * that store is attached so the validator has a CRL source.
 *
 * @param trustAnchors     the anchors; must be non-empty
 * @param enableRevocation whether CRL/OCSP revocation checking is enabled
 * @return the configured parameters
 * @throws InvalidAlgorithmParameterException if {@code trustAnchors} is empty
 */
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
        throws InvalidAlgorithmParameterException {
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    pkix.setRevocationEnabled(enableRevocation);
    // With revocation on but no CRL store attached, the validator has no local
    // CRL source; whether it can still fetch CRLs/OCSP depends on JVM settings.
    boolean attachCrlStore = enableRevocation && crlCertStore != null;
    if (attachCrlStore) {
        pkix.addCertStore(crlCertStore);
    }
    return pkix;
}
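/**
 * Creates the PKIXParameters used as input for the PKIX CertPathValidator.
 * Every trusted certificate becomes a TrustAnchor without name constraints.
 * Revocation checking is disabled, so a revoked certificate that still chains
 * to one of these anchors validates successfully.
 *
 * @param trustedCerts the trusted certificates; must be non-null and non-empty
 * @return parameters anchored on {@code trustedCerts}, with revocation checking off
 * @throws CertificateException if {@code trustedCerts} is null or empty
 */
private static PKIXParameters toPkixParameters(Set<X509Certificate> trustedCerts) throws CertificateException {
    if (trustedCerts == null || trustedCerts.isEmpty()) {
        throw new CertificateException("No trusted Certs");
    }
    Set<TrustAnchor> anchors = trustedCerts.stream()
            .map(c -> new TrustAnchor(c, null))
            .collect(toSet());
    try {
        PKIXParameters pkixParameters = new PKIXParameters(anchors);
        pkixParameters.setRevocationEnabled(false);
        return pkixParameters;
    } catch (InvalidAlgorithmParameterException e) {
        // The constructor only rejects an empty anchor set, which the check
        // above already excludes; reaching this is a programming error.
        throw new IllegalStateException(e);
    }
}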
/**
 * Validates a certificate chain against a set of trust anchors with the PKIX
 * algorithm. Revocation (CRL/OCSP) status is NOT checked, so a revoked
 * certificate whose chain otherwise validates is accepted.
 *
 * @param certs        the chain, end-entity first, ordered toward the anchor
 * @param trustAnchors anchors the chain must terminate at; must be non-empty
 * @return the PKIX validation result
 * @throws GeneralSecurityException if the chain does not validate, if
 *         {@code trustAnchors} is empty, or if the PKIX/X509 providers are missing
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    // No revocation lookups.
    pkix.setRevocationEnabled(false);
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    CertPath path = factory.generateCertPath(certs);
    return (PKIXCertPathValidatorResult) validator.validate(path, pkix);
}
}
/**
 * Validates a certificate chain against a set of trust anchors with the PKIX
 * algorithm. Revocation (CRL/OCSP) status is NOT checked, so a revoked
 * certificate whose chain otherwise validates is accepted.
 *
 * @param certs        the chain, end-entity first, ordered toward the anchor
 * @param trustAnchors anchors the chain must terminate at; must be non-empty
 * @return the PKIX validation result
 * @throws GeneralSecurityException if the chain does not validate, if
 *         {@code trustAnchors} is empty, or if the PKIX/X509 providers are missing
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    // No revocation lookups.
    pkix.setRevocationEnabled(false);
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    CertPath path = factory.generateCertPath(certs);
    return (PKIXCertPathValidatorResult) validator.validate(path, pkix);
}
}
/**
 * Creates a trust manager that builds paths to {@code trustAnchors} with the
 * PKIX provider. Base builder parameters are prepared once here with an
 * unconstrained X509CertSelector and revocation checking switched off.
 *
 * {@code trustAnchors} is a raw Set; PKIXBuilderParameters expects
 * {@code Set<TrustAnchor>}, so the call below is unchecked and any non-anchor
 * element surfaces only at runtime.
 *
 * @param pkixProvider stored for later use; not used in this constructor
 * @param trustAnchors anchors to chain to; must be non-empty
 * @throws InvalidAlgorithmParameterException if {@code trustAnchors} is empty
 */
public ProvX509TrustManager(Provider pkixProvider, Set trustAnchors) throws InvalidAlgorithmParameterException {
    this.pkixProvider = pkixProvider;
    this.trustAnchors = trustAnchors;
    // Empty selector: the target certificate is presumably set per check on a
    // copy of these base parameters — verify in the checking code.
    this.baseParameters = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
    // No CRL/OCSP lookups: revoked certificates chaining to an anchor are accepted.
    this.baseParameters.setRevocationEnabled(false);
}
/**
 * Validates a certificate chain against a set of trust anchors with the PKIX
 * algorithm. Revocation (CRL/OCSP) status is NOT checked, so a revoked
 * certificate whose chain otherwise validates is accepted.
 *
 * @param certs        the chain, end-entity first, ordered toward the anchor
 * @param trustAnchors anchors the chain must terminate at; must be non-empty
 * @return the PKIX validation result
 * @throws GeneralSecurityException if the chain does not validate, if
 *         {@code trustAnchors} is empty, or if the PKIX/X509 providers are missing
 */
public static PKIXCertPathValidatorResult validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors)
        throws GeneralSecurityException {
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXParameters pkix = new PKIXParameters(trustAnchors);
    // No revocation lookups.
    pkix.setRevocationEnabled(false);
    CertificateFactory factory = CertificateFactory.getInstance("X509");
    CertPath path = factory.generateCertPath(certs);
    return (PKIXCertPathValidatorResult) validator.validate(path, pkix);
}
}
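/**
 * Builds a trust manager whose anchors are the X.509 certificates found in the
 * files directly inside {@code pathToCertsFiles} (subdirectories are skipped).
 * Files that do not parse as certificates are skipped silently. Revocation
 * checking is disabled on the resulting parameters.
 *
 * Because every parsable certificate in the directory becomes a trust anchor,
 * write access to that directory is equivalent to control over what this
 * trust manager accepts; keep it restricted.
 *
 * @param pathToCertsFiles directory containing the certificate files
 * @return a trust manager using the default CertPathValidator type over the loaded anchors
 * @throws IllegalArgumentException if {@code pathToCertsFiles} is not a readable directory
 * @throws Exception if no certificate could be loaded (empty anchor set), if the
 *         validator type is unavailable, or if {@code loadCertificate} fails with
 *         anything other than CertificateParsingException
 */
public static CertFilesTrustManager getInstance(String pathToCertsFiles) throws Exception {
    certificateFactory = CertificateFactory.getInstance("X.509");
    // listFiles() returns null (not an empty array) for a path that is not a
    // directory or cannot be read; fail with a clear message instead of an NPE.
    File[] files = new File(pathToCertsFiles).listFiles();
    if (files == null) {
        throw new IllegalArgumentException("Not a readable directory: " + pathToCertsFiles);
    }
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (File file : files) {
        if (!file.isFile()) {
            continue;
        }
        try {
            X509Certificate cert = loadCertificate(file);
            trustAnchors.add(new TrustAnchor(cert, null));
        } catch (CertificateParsingException ignored) {
            // Best effort: non-certificate files in the directory are skipped.
        }
    }
    CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
    // Throws InvalidAlgorithmParameterException when no certificate was loaded.
    PKIXParameters params = new PKIXParameters(trustAnchors);
    // No CRL/OCSP checking.
    params.setRevocationEnabled(false);
    return new CertFilesTrustManager(validator, params);
}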
// Builds a certification path for the last certificate in client.crt, offering
// every certificate from that file to the builder as a candidate intermediate.
// The "..." parts are not shown here.
...
CertificateFactory fac = CertificateFactory.getInstance("X.509");
FileInputStream is = new FileInputStream("client.crt");
Collection<? extends Certificate> intermediate;
try {
    intermediate = fac.generateCertificates(is);
} finally {
    is.close();
}
// Keeps the LAST certificate of the file as the end-entity, i.e. assumes the
// leaf is listed last. NOTE(review): many PEM bundles list the leaf first —
// confirm the layout of client.crt.
X509Certificate client = null;
for (Certificate c : intermediate) client = (X509Certificate) c;
if (client == null) throw new IllegalArgumentException("Empty chain.");
// Target selector: the built path must end exactly at `client`.
X509CertSelector t = new X509CertSelector();
t.setCertificate(client);
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, t);
// All certificates from the file (the leaf included) become builder candidates.
CertStoreParameters store = new CollectionCertStoreParameters(intermediate);
params.addCertStore(CertStore.getInstance("Collection", store));
// No CRL/OCSP checking: a revoked intermediate or leaf still yields a path.
params.setRevocationEnabled(false);
...
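// Builds and then validates the certification path for certBytes against a JKS
// trust store. The "..." marks code not shown in this excerpt.
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck =
        (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
final KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream keyStoreStream = ...
// The literal password is a placeholder: read it from configuration, and close
// keyStoreStream after loading (closing is not shown in this excerpt).
trustStore.load(keyStoreStream, "your password".toCharArray());
// Step 1: build a path from certificateToCheck to an anchor in trustStore.
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
// PKIXBuilderParameters leaves revocation checking at its default (enabled),
// so this build step also needs CRL/OCSP access to succeed.
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();
// Step 2: validate the built path again, this time with key-usage constraints.
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
// Revocation checking needs a reachable CRL source (CertStore/CRLDP) or OCSP;
// without one, validation fails rather than silently passing.
validationParameters.setRevocationEnabled(true); // if you want to check CRL
// KeyUsage bits are indexed as in X509Certificate.getKeyUsage():
// [0] digitalSignature, [1] nonRepudiation, [2] keyEncipherment. The selector
// matches only certificates that have every listed bit set.
final X509CertSelector keyUsageSelector = new X509CertSelector();
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result =
        (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);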
// Builds a certification path from the "mykey" certificate to one of trustAnchors.
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
// Target of the path: the certificate stored under alias "mykey". If the alias
// is absent, getCertificate returns null and setCertificate(null) matches any
// certificate — the build then no longer targets the intended key.
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
// cs supplies candidate intermediates (and CRLs) to the builder.
cpp.addCertStore(cs);
// Revocation checking on: CRLs must be obtainable through cs or the JVM's
// CRLDP/OCSP settings, otherwise the build fails.
cpp.setRevocationEnabled(true);
// At most 6 non-self-issued intermediate certificates in the path.
cpp.setMaxPathLength(6);
// Validity is checked against the current time; this equals the default
// (a null date means "now"), so the call is redundant but harmless.
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
/**
 * Validates {@code certs} against the configured trust roots without using
 * any cache: PKIX path validation with the Wave OID checker attached and the
 * validation time taken from {@code timeSource}. Revocation checking is
 * disabled (see the TODO below), so revoked certificates are not rejected here.
 *
 * @param certs the chain, end-entity first
 * @throws SignatureException wrapping whatever GeneralSecurityException the
 *         validator, parameters or certificate factory raised
 */
private void validateNoCache(List<? extends X509Certificate> certs) throws SignatureException {
    try {
        CertPathValidator validator = CertPathValidator.getInstance(VALIDATOR_TYPE);
        PKIXParameters pkix = new PKIXParameters(trustRoots);
        // addCertPathChecker clones the checker, so the shared constant can be reused safely.
        pkix.addCertPathChecker(WAVE_OID_CHECKER);
        // Validity is judged at the injected clock's time, not the wall clock.
        pkix.setDate(timeSource.now());
        // turn off default revocation-checking mechanism
        pkix.setRevocationEnabled(false);
        // TODO: add a way for clients to add certificate revocation checks,
        // perhaps by letting them pass in PKIXCertPathCheckers. This can also be
        // useful to check for Wave-specific certificate extensions.
        CertificateFactory factory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
        CertPath path = factory.generateCertPath(certs);
        validator.validate(path, pkix);
    } catch (GeneralSecurityException e) {
        throw new SignatureException("Certificate validation failure", e);
    }
}