List of usage examples for java.security.cert CertPathBuilderResult getCertPath
CertPath getCertPath();
From source file:com.vmware.identity.idm.IDPConfig.java
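/**
 * Validates that {@code chain} is a single, well-ordered X.509 chain: the user's
 * (end-entity) certificate first, the root CA certificate last — a chain that consists of
 * only the root CA is accepted — with no certificate that is not part of that one chain.
 *
 * <p>Only the structure of the chain is checked. The last certificate is used as the trust
 * anchor, so this method does not establish that the root itself is trusted, and revocation
 * checking is disabled ({@code setRevocationEnabled(false)}). Both must be handled by the
 * caller where required.
 *
 * @param chain the certificates, end-entity first, root CA last
 * @return {@code true} when the chain is valid; an exception is thrown in every other case
 * @throws ExternalIDPExtraneousCertsInCertChainException if the built path does not account
 *         for every certificate in {@code chain} (extra or disconnected certificates)
 * @throws ExternalIDPCertChainInvalidTrustedPathException if {@code chain} is null or empty,
 *         if no path can be built from the first certificate to the last, or if the PKIX
 *         builder or collection cert store cannot be set up
 */
private static boolean validateSingleX509CertChain(List<X509Certificate> chain)
        throws ExternalIDPExtraneousCertsInCertChainException,
        ExternalIDPCertChainInvalidTrustedPathException {
    final String ALGO_PKIX = "PKIX"; // for X.509
    final String CERTSTORE_PROVIDER_COLLECTION = "Collection";
    // Guard first: chain.get(chain.size() - 1) below would otherwise fail with an
    // IndexOutOfBoundsException for an empty list (or a NullPointerException for null).
    if (chain == null || chain.isEmpty()) {
        throw new ExternalIDPCertChainInvalidTrustedPathException(
                "Certificate chain is null or empty", chain);
    }
    try {
        // The last certificate in the chain is taken as the (self-asserted) trust anchor.
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        anchors.add(new TrustAnchor(chain.get(chain.size() - 1), null));
        // The first certificate is the target the builder has to reach from the anchor.
        X509CertSelector targetCertSelector = new X509CertSelector();
        targetCertSelector.setCertificate(chain.get(0));
        CertStore builderStore = CertStore.getInstance(CERTSTORE_PROVIDER_COLLECTION,
                new CollectionCertStoreParameters(chain));
        PKIXBuilderParameters buildParams = new PKIXBuilderParameters(anchors, targetCertSelector);
        buildParams.addCertStore(builderStore);
        // Structural validation only: revocation status is deliberately not checked here.
        buildParams.setRevocationEnabled(false);
        CertPathBuilder pathBuilder = CertPathBuilder.getInstance(ALGO_PKIX);
        CertPathBuilderResult builderResult = pathBuilder.build(buildParams);
        // A PKIX CertPath does not include the trust anchor, so a chain in which every
        // certificate is used exactly once yields a path of chain.size() - 1 certificates.
        if (chain.size() - 1 != builderResult.getCertPath().getCertificates().size()) {
            throw new ExternalIDPExtraneousCertsInCertChainException(chain);
        }
        return true;
    } catch (CertPathBuilderException cpbe) {
        // No trusted path from the first to the last certificate. The cause is deliberately
        // not chained; only its message is carried into the domain exception.
        throw new ExternalIDPCertChainInvalidTrustedPathException(cpbe.getMessage(), chain);
    } catch (GeneralSecurityException gse) {
        // Set-up failures (algorithm, provider or parameter problems) are reported the same way.
        throw new ExternalIDPCertChainInvalidTrustedPathException(gse.getMessage(), chain);
    }
}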
From source file:mitm.common.security.certpath.CertPathBuilderSpeedTest.java
/**
 * Rough throughput check: builds the same two-certificate path {@code tries} times and
 * fails when the average build takes longer than 30 ms. The check is timing based and may
 * fail on slow machines. Revocation checking is switched off, so only pure path building
 * is measured.
 */
@Test
public void testBuildPathManyCertificates() throws Exception {
    final int tries = 1000;
    TrustAnchorBuilder anchorBuilder = new CertStoreTrustAnchorBuilder(
            rootStoreParams.getCertStore(), 10 * DateUtils.MILLIS_PER_SECOND);
    long startMillis = System.currentTimeMillis();
    // Initial lookup; the anchors are fetched again from the builder on every iteration.
    Set<TrustAnchor> anchors = anchorBuilder.getTrustAnchors();
    for (int attempt = 0; attempt < tries; attempt++) {
        X509CertSelector target = new X509CertSelector();
        target.setSerialNumber(BigIntegerUtils.hexDecode("116A448F117FF69FE4F2D4D38F689D7"));
        target.setIssuer("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL");
        CertificatePathBuilder pathBuilder = new PKIXCertificatePathBuilder();
        anchors = anchorBuilder.getTrustAnchors();
        pathBuilder.setTrustAnchors(anchors);
        pathBuilder.addCertPathChecker(new SMIMEExtendedKeyUsageCertPathChecker());
        pathBuilder.addCertStore(certStore);
        pathBuilder.setRevocationEnabled(false);
        CertPathBuilderResult built = pathBuilder.buildPath(target);
        assertEquals(2, built.getCertPath().getCertificates().size());
    }
    long elapsedMillis = System.currentTimeMillis() - startMillis;
    double secondsPerBuild = elapsedMillis * 0.001 / tries;
    System.out.println("Seconds / build: " + secondsPerBuild);
    if (secondsPerBuild > 0.03) {
        // Note: this threshold might not be met on slower systems.
        fail("Seconds / build too slow. Note: This might fail on slower systems!!!");
    }
}
From source file:mitm.application.djigzo.ws.impl.CertificateValidatorWSImpl.java
/**
 * Looks up the issuer of the certificate identified by {@code thumbprint} in {@code store}
 * by building the certificate's path. When the path holds only the certificate itself, the
 * issuer is taken from the trust anchor (and reported as {@link CertificateStore#ROOTS});
 * otherwise the second certificate of the path is the issuer (reported as
 * {@link CertificateStore#CERTIFICATES}).
 *
 * @param store      the store the certificate is looked up in
 * @param thumbprint thumbprint of the certificate whose issuer is wanted
 * @return the issuer as a DTO, or {@code null} when no path could be built or the path
 *         yields no issuer (a root, for example)
 * @throws WebServiceCheckedException if no certificate with the given thumbprint is found
 */
@Override
@StartTransaction
public X509CertificateDTO getIssuerCertificate(CertificateStore store, String thumbprint)
        throws WebServiceCheckedException {
    X509Certificate subject = getCertificate(store, thumbprint);
    if (subject == null) {
        throw new WebServiceCheckedException("Certificate not found");
    }
    try {
        CertificatePathBuilder pathBuilder = pKISecurityServices.getCertificatePathBuilderFactory()
                .createCertificatePathBuilder();
        CertPathBuilderResult built = pathBuilder.buildPath(subject);
        CertPath certPath = built.getCertPath();
        if (certPath == null) {
            return null;
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (!CollectionUtils.isNotEmpty(certificates)) {
            return null;
        }
        X509Certificate issuer;
        CertificateStore issuerStore;
        if (CollectionUtils.getSize(certificates) == 1) {
            // The path contains only the certificate itself, so its issuer (if any) is the
            // trust anchor, which is only exposed by a PKIX result.
            if (!(built instanceof PKIXCertPathBuilderResult)) {
                return null;
            }
            TrustAnchor anchor = ((PKIXCertPathBuilderResult) built).getTrustAnchor();
            if (anchor == null) {
                return null;
            }
            issuer = anchor.getTrustedCert();
            issuerStore = CertificateStore.ROOTS;
        } else {
            issuer = (X509Certificate) certificates.get(1);
            issuerStore = CertificateStore.CERTIFICATES;
        }
        if (issuer == null) {
            return null;
        }
        X509CertificateDTO issuerDTO = certificateDTOBuilder.buildCertificateDTO(issuer, null);
        issuerDTO.setCertificateStore(issuerStore);
        return issuerDTO;
    } catch (CertPathBuilderException e) {
        // Debug level only: this is expected, for example, when asking for the issuer of a root.
        logger.debug("getIssuer failed.", e);
        return null;
    }
}
From source file:mitm.common.security.crl.CRLStoreMaintainerImpl.java
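/**
 * Builds the certificate path of the issuer of {@code crl}.
 *
 * @param crl the CRL whose issuer path is wanted
 * @return the path, or {@code null} when the path builder could not be created, returned no
 *         result, or failed to build a path (failures are logged, never propagated)
 */
private CertPath getCRLCertPath(X509CRL crl) {
    CertPath certPath = null;
    try {
        CRLPathBuilder pathBuilder = pathBuilderFactory.createCRLPathBuilder();
        try {
            CertPathBuilderResult pathBuilderResult = pathBuilder.buildPath(crl);
            if (pathBuilderResult != null) {
                certPath = pathBuilderResult.getCertPath();
            }
        } catch (CertPathBuilderException e) {
            // CertPathBuilderException is thrown for many reasons, so report the root cause
            // (e.g. an expired certificate) rather than the wrapper.
            Throwable rootCause = ExceptionUtils.getRootCause(e);
            Throwable cause = (rootCause != null ? rootCause : e);
            String errorMessage;
            if (cause instanceof CertificateExpiredException) {
                errorMessage = "Certificate in the CRL path is expired. CRL: " + X509CRLInspector.toString(crl);
            } else {
                errorMessage = "Error while building path for CRL. CRL: " + X509CRLInspector.toString(crl);
            }
            if (logger.isDebugEnabled()) {
                // With debug enabled the full stack trace (which carries the cause's message)
                // is logged; presumably kept out of non-debug logs on purpose.
                logger.error(errorMessage, cause);
            } else {
                // The message suffix is appended exactly once here; the expired-certificate
                // message used to include it already, so it was previously logged twice.
                logger.error(errorMessage + ". Message: " + cause.getMessage());
            }
        }
    } catch (CRLStoreException e) {
        logger.error("error creating CRLPathBuilder", e);
    }
    return certPath;
}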
From source file:mitm.common.security.certificate.validator.PKITrustCheckCertificateValidatorImpl.java
/**
 * Builds the certificate path for {@code certificate} with a freshly created path builder
 * and returns it together with the trust anchor the path ends at. The anchor is only
 * available when the builder produced a {@link PKIXCertPathBuilderResult}; otherwise it is
 * {@code null}.
 *
 * @param certificate the certificate to build the path for
 * @return the path and (possibly null) trust anchor
 * @throws CertPathBuilderException if no path can be built
 * @throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
 *         NoSuchProviderException, SecurityFactoryFactoryException if the builder cannot be set up
 */
private CertPathAndAnchor getCertPathAndAnchor(X509Certificate certificate)
        throws CertPathBuilderException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
        NoSuchProviderException, SecurityFactoryFactoryException {
    CertificatePathBuilder builder = certificatePathBuilderFactory.createCertificatePathBuilder();
    modifyPathBuilder(builder);
    // The certificate itself goes into its own store so the builder is guaranteed to find it.
    builder.addCertStore(CertStoreUtils.createCertStore(certificate));
    // Additional certificates, when configured, are made available to the builder as well.
    if (additionalCertificates != null) {
        builder.addCertStore(CertStoreUtils.createCertStore(additionalCertificates));
    }
    // Validity is evaluated at getDate(), which need not be "now".
    builder.setDate(getDate());
    CertPathBuilderResult built = builder.buildPath(certificate);
    CertPath path = built.getCertPath();
    TrustAnchor anchor = (built instanceof PKIXCertPathBuilderResult)
            ? ((PKIXCertPathBuilderResult) built).getTrustAnchor()
            : null;
    return new CertPathAndAnchor(path, anchor);
}
From source file:mitm.application.djigzo.james.mailets.SMIMESign.java
/**
 * Returns the certificate chain to embed for {@code signingCertificate}: the X.509
 * certificates of the built path in path order, followed by the trust anchor's certificate
 * when {@code addRoot} is set and the builder produced a PKIX result. Falls back to a
 * one-element array holding only {@code signingCertificate} when no (non-empty) path could
 * be built; a build failure is logged at warn level.
 *
 * <p>The plain path builder is used instead of PKITrustCheckCertificateValidator because the
 * signing certificate is assumed to have been checked (revocation etc.) already, and the
 * path builder is faster.
 *
 * @param signingCertificate the certificate the message is signed with
 * @return the chain, never {@code null} and never empty
 */
private X509Certificate[] getCertificateChain(X509Certificate signingCertificate) {
    X509Certificate[] chain = null;
    try {
        CertificatePathBuilder builder = certificatePathBuilderFactory.createCertificatePathBuilder();
        CertPathBuilderResult built = builder.buildPath(signingCertificate);
        CertPath certPath = built.getCertPath();
        if (certPath != null && CollectionUtils.isNotEmpty(certPath.getCertificates())) {
            List<X509Certificate> fullPath = new LinkedList<X509Certificate>();
            for (Certificate candidate : certPath.getCertificates()) {
                // Only X509Certificates are supported; anything else is skipped.
                if (candidate instanceof X509Certificate) {
                    fullPath.add((X509Certificate) candidate);
                }
            }
            if (addRoot && built instanceof PKIXCertPathBuilderResult) {
                TrustAnchor anchor = ((PKIXCertPathBuilderResult) built).getTrustAnchor();
                if (anchor != null && anchor.getTrustedCert() != null) {
                    fullPath.add(anchor.getTrustedCert());
                }
            }
            chain = fullPath.toArray(new X509Certificate[fullPath.size()]);
        }
    } catch (CertPathBuilderException e) {
        if (getLogger().isDebugEnabled()) {
            getLogger().warn("Error building path for signing certificate.", e);
        } else {
            getLogger().warn(
                    "Error building path for signing certificate. " + ExceptionUtils.getRootCauseMessage(e));
        }
    }
    return chain != null ? chain : new X509Certificate[] { signingCertificate };
}
From source file:mitm.common.security.certpath.CertPathBuilderTest.java
/**
 * Builds the path for the AC_MINEFI_DPMA certificate with its root as trust anchor and
 * expects a path of exactly one certificate. Judging by its name, this is a regression test
 * for a case where comparing AlgorithmIdentifiers used to fail — confirm against history.
 */
@Test
public void testAlgorithmIdentifierComparisonFailed() throws Exception {
    addCertificates("AC_MINEFI_DPMA.cer", certStoreParams.getCertStore());
    addCertificates("MINEFI_AUTORITE_DE_CERTIFICATION_RACINE.cer", rootStoreParams.getCertStore());
    CertificatePathBuilder pathBuilder = new PKIXCertificatePathBuilder();
    pathBuilder.addCertStore(certStore);
    pathBuilder.setTrustAnchors(getTrustAnchors());
    X509CertSelector target = new X509CertSelector();
    target.setSerialNumber(BigIntegerUtils.hexDecode("30303031303935373731383130383135"));
    target.setIssuer("CN=MINEFI-AUTORITE DE CERTIFICATION RACINE, OU=AGENCE AUTORITE, O=MINEFI, C=FR");
    CertPathBuilderResult built = pathBuilder.buildPath(target);
    CertPath path = built.getCertPath();
    assertNotNull(path);
    assertEquals(1, path.getCertificates().size());
}
From source file:mitm.common.security.certpath.CertPathBuilderTest.java
/**
 * Builds the path for the test end-entity certificate with revocation checking enabled and
 * the S/MIME extended-key-usage checker added. The path must hold exactly two certificates
 * (end-entity and CA; the root is the trust anchor and not part of the path).
 */
@Test
public void testBuildPathEKUCriticalCertPathCheckerAdded() throws Exception {
    // Root into the root store; CA and end-entity certificates into the certificate store.
    addCertificates("mitm-test-root.cer", rootStoreParams.getCertStore());
    addCertificates("mitm-test-ca.cer", certStoreParams.getCertStore());
    addCertificates("testCertificates.p7b", certStoreParams.getCertStore());
    // CRLs for both issuers, since revocation checking is switched on below.
    addCRL("test-ca.crl", certStoreParams.getCRLStore());
    addCRL("test-root-ca-not-revoked.crl", certStoreParams.getCRLStore());
    trustAnchors = getTrustAnchors();
    X509CertSelector target = new X509CertSelector();
    target.setSerialNumber(BigIntegerUtils.hexDecode("116A448F117FF69FE4F2D4D38F689D7"));
    target.setIssuer("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL");
    CertificatePathBuilder pathBuilder = new PKIXCertificatePathBuilder();
    pathBuilder.setTrustAnchors(trustAnchors);
    pathBuilder.addCertPathChecker(new SMIMEExtendedKeyUsageCertPathChecker());
    pathBuilder.addCertStore(certStore);
    pathBuilder.setRevocationEnabled(true);
    CertPathBuilderResult built = pathBuilder.buildPath(target);
    int pathLength = built.getCertPath().getCertificates().size();
    assertEquals(2, pathLength);
}
From source file:mitm.common.security.certpath.CertPathBuilderTest.java
/**
 * Builds a path with revocation checking enabled while the CRL store holds both a correctly
 * signed CA CRL and one signed with an incorrect key. Presumably verifies that the wrongly
 * signed CRL does not break path building when a valid one is present — confirm against the
 * fixture. The path must hold exactly two certificates.
 */
@Test
public void testBuildPathCRLSignedByIncorrectKeyAndCorrectKey() throws Exception {
    // Roots (a large bundle plus the test root) into the root store.
    addCertificates("windows-xp-all-roots.p7b", rootStoreParams.getCertStore());
    addCertificates("mitm-test-root.cer", rootStoreParams.getCertStore());
    // Intermediates, the test CA and the test end-entity certificates into the certificate store.
    addCertificates("windows-xp-all-intermediates.p7b", certStoreParams.getCertStore());
    addCertificates("mitm-test-ca.cer", certStoreParams.getCertStore());
    addCertificates("testCertificates.p7b", certStoreParams.getCertStore());
    // Three CRLs: root CRL, CA CRL, and a CA CRL signed with the wrong key.
    addCRL("test-root-ca-not-revoked.crl", certStoreParams.getCRLStore());
    addCRL("test-ca.crl", certStoreParams.getCRLStore());
    addCRL("test-ca-signed-incorrect-key.crl", certStoreParams.getCRLStore());
    trustAnchors = getTrustAnchors();
    X509CertSelector target = new X509CertSelector();
    target.setSerialNumber(BigIntegerUtils.hexDecode("115FD110A82F742D0AE14A71B651962"));
    target.setIssuer("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL");
    CertificatePathBuilder pathBuilder = new PKIXCertificatePathBuilder();
    pathBuilder.setTrustAnchors(trustAnchors);
    pathBuilder.addCertPathChecker(new SMIMEExtendedKeyUsageCertPathChecker());
    pathBuilder.addCertStore(certStore);
    pathBuilder.setRevocationEnabled(true);
    CertPathBuilderResult built = pathBuilder.buildPath(target);
    int pathLength = built.getCertPath().getCertificates().size();
    assertEquals(2, pathLength);
}
From source file:mitm.common.security.certpath.CertPathBuilderTest.java
/**
 * Throughput check with a large certificate store: 1000 random self-signed certificates are
 * loaded in bulk, then the path for the test end-entity certificate is built {@code tries}
 * times with revocation checking enabled. Timings are printed, not asserted; only the path
 * length (two certificates) is checked.
 */
@Test
public void testBuildPathManyCertificates() throws Exception {
    // Roots into the root store.
    addCertificates("windows-xp-all-roots.p7b", rootStoreParams.getCertStore());
    addCertificates("mitm-test-root.cer", rootStoreParams.getCertStore());
    long startMillis = System.currentTimeMillis();
    addCertificatesBulk("random-self-signed-1000.p7b");
    System.out.println("Seconds : " + (System.currentTimeMillis() - startMillis) * 0.001);
    addCertificates("mitm-test-ca.cer", certStoreParams.getCertStore());
    addCertificates("testCertificates.p7b", certStoreParams.getCertStore());
    addCRL("test-ca.crl", certStoreParams.getCRLStore());
    addCRL("test-root-ca-not-revoked.crl", certStoreParams.getCRLStore());
    final int tries = 100;
    startMillis = System.currentTimeMillis();
    // Second argument is a time in milliseconds (per the original comment); presumably an
    // anchor-cache lifetime, so 0 means anchors are rebuilt on every call — confirm.
    TrustAnchorBuilder anchorBuilder = new CertStoreTrustAnchorBuilder(rootStoreParams.getCertStore(),
            0 /* milliseconds */);
    for (int attempt = 0; attempt < tries; attempt++) {
        X509CertSelector target = new X509CertSelector();
        target.setSerialNumber(BigIntegerUtils.hexDecode("116A448F117FF69FE4F2D4D38F689D7"));
        target.setIssuer("EMAILADDRESS=ca@example.com, CN=MITM Test CA, L=Amsterdam, ST=NH, C=NL");
        CertificatePathBuilder pathBuilder = new PKIXCertificatePathBuilder();
        pathBuilder.setTrustAnchors(anchorBuilder.getTrustAnchors());
        pathBuilder.addCertPathChecker(new SMIMEExtendedKeyUsageCertPathChecker());
        pathBuilder.addCertStore(certStore);
        pathBuilder.setRevocationEnabled(true);
        CertPathBuilderResult built = pathBuilder.buildPath(target);
        assertEquals(2, built.getCertPath().getCertificates().size());
    }
    double secondsPerBuild = (System.currentTimeMillis() - startMillis) * 0.001 / tries;
    System.out.println("Seconds / build: " + secondsPerBuild);
    // Time a full scan of the certificate store, amortised per certificate.
    startMillis = System.currentTimeMillis();
    Collection<? extends Certificate> everything = certStore.getCertificates(new X509CertSelector());
    double secondsPerCertificate = (System.currentTimeMillis() - startMillis) * 0.001 / everything.size();
    System.out.println("Seconds / certificate: " + secondsPerCertificate);
}