List of usage examples for java.security.cert CertPathValidatorException getMessage
public String getMessage()
From source file:be.apsu.extremon.probes.ocsp.OCSPProbe.java
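/**
 * Probe loop: repeatedly runs PKIX path validation of the configured certificate
 * path ({@code certificatePath} against {@code pkixParams}) and publishes the outcome,
 * sleeping {@code delay} milliseconds between rounds.
 *
 * <p>Each round publishes {@code RESULT_SUFFIX} / {@code RESULT_COMMENT_SUFFIX} and a
 * {@code "responsetime"} value, which is the wall-clock time of the {@code validate()}
 * call in milliseconds (kept as a double, as before, so the value handed to {@code put}
 * keeps its type). A validation failure or an unusable parameter set is reported as
 * {@code STATE.ALERT}; either way the loop continues.
 *
 * <p>This method never returns normally; it only exits when the sleep is interrupted,
 * in which case the interrupt flag is restored for the owning thread/executor.
 */
public void probe_forever() {
    log("running");
    for (;;) {
        double start = System.currentTimeMillis();
        try {
            this.certificatePathValidator.validate(this.certificatePath, this.pkixParams);
            put(RESULT_SUFFIX, STATE.OK);
            put(RESULT_COMMENT_SUFFIX, "responder validates ok");
        } catch (CertPathValidatorException ex) {
            // The path does not validate (untrusted, expired, revoked, ...): alert.
            put(RESULT_SUFFIX, STATE.ALERT);
            put(RESULT_COMMENT_SUFFIX, "ocsp responder does not validate cert:" + ex.getMessage());
        } catch (InvalidAlgorithmParameterException ex) {
            // pkixParams are not acceptable to this validator: alert rather than silently skipping.
            put(RESULT_SUFFIX, STATE.ALERT);
            put(RESULT_COMMENT_SUFFIX, "ocsp responder finds invalid algorithm parameter:" + ex.getMessage());
        }
        double end = System.currentTimeMillis();
        put("responsetime", (end - start));
        try {
            Thread.sleep(this.delay);
        } catch (InterruptedException iex) {
            log("Interrupted During Sleep:" + iex.getMessage());
            // Re-assert the interrupt so whoever runs this thread can observe it.
            Thread.currentThread().interrupt();
            return;
        }
    }
}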
From source file:org.simbasecurity.core.util.CertificateChainValidator.java
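/**
 * Validates the presented eID certificate chain with the Belgian trust validator.
 *
 * <p>If the chain is not trusted, an audit event is written for the given user and client
 * address and a {@link SecurityException} is thrown. The original
 * {@link CertPathValidatorException} is attached as the cause so that the concrete reason
 * (which certificate, why) is not lost behind the flattened message.
 *
 * <p>Note: only a {@code CertPathValidatorException} is audited; any other exception thrown
 * by {@code isTrusted} propagates without an audit record.
 *
 * @param certificateChain the chain handed to {@code TrustValidator#isTrusted}
 * @param userName         user name recorded in the audit event
 * @param clientIpAddress  client address recorded in the audit event
 * @throws SecurityException if the chain is not trusted
 */
public void validate(List<X509Certificate> certificateChain, String userName, String clientIpAddress) {
    TrustValidator trustValidator = BelgianTrustValidatorFactory.createTrustValidator();
    try {
        trustValidator.isTrusted(certificateChain);
    } catch (CertPathValidatorException e) {
        // Audit first, then fail closed.
        audit.log(eventFactory.createEventForAuthenticationEID(userName, clientIpAddress,
                "E-ID Certificate was not trusted"));
        throw new SecurityException("Certificate was not trusted. Message: " + e.getMessage(), e);
    }
}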
From source file:be.fedict.trust.service.bean.TrustServiceBean.java
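/**
 * Validates a certificate chain against the trust domain(s) selected by {@code trustDomainName}.
 *
 * <p>The trust domains returned by {@code getTrustDomains} are tried in order. The first one
 * whose validator reports a valid result wins: {@code harvest} is called for it and its result
 * (plus revocation data, when requested) is returned. If no domain accepts the chain, the result
 * of the <em>last</em> domain tried is returned; if there were no domains at all, the
 * {@code ValidationResult} constructor is called with two {@code null}s.
 *
 * <p>A {@code CertPathValidatorException} from {@code isTrusted} is not treated as fatal here:
 * the outcome is read from {@code trustValidator.getResult()}, and another domain may still
 * accept the chain.
 *
 * @param trustDomainName      name of the trust domain (or domain group) to validate against
 * @param certificateChain     chain to validate; must not be null, empty, or contain null entries
 * @param returnRevocationData whether revocation data should be collected and returned
 * @return the result of the first accepting trust domain, or of the last one tried
 * @throws IllegalArgumentException     if the chain is null, empty, or contains a null entry
 * @throws TrustDomainNotFoundException if the trust domain cannot be resolved
 *         (presumably raised by {@code getTrustDomains}; that method is not visible here)
 */
@TransactionAttribute(TransactionAttributeType.REQUIRED)
@SNMP(oid = SnmpConstants.VALIDATE)
public ValidationResult validate(String trustDomainName, List<X509Certificate> certificateChain,
        boolean returnRevocationData) throws TrustDomainNotFoundException {
    if (null == certificateChain) {
        throw new IllegalArgumentException("certificate chain should not be null");
    }
    // The debug line below reads get(0): reject an empty chain explicitly instead of
    // failing with an IndexOutOfBoundsException.
    if (certificateChain.isEmpty()) {
        throw new IllegalArgumentException("certificate chain should not be empty");
    }
    for (X509Certificate certificate : certificateChain) {
        if (null == certificate) {
            throw new IllegalArgumentException("certificate chain entry should not be null");
        }
    }
    LOG.debug("isValid: " + certificateChain.get(0).getSubjectX500Principal());
    TrustLinkerResult lastResult = null;
    RevocationData lastRevocationData = null;
    for (TrustDomainEntity trustDomain : getTrustDomains(trustDomainName)) {
        TrustValidator trustValidator = getTrustValidator(trustDomain, returnRevocationData);
        try {
            trustValidator.isTrusted(certificateChain);
        } catch (CertPathValidatorException e) {
            // Logged (with stack trace) rather than rethrown; see method Javadoc.
            LOG.debug("cert path validation error: " + e.getMessage(), e);
        }
        if (trustValidator.getResult().isValid()) {
            LOG.debug("valid for trust domain: " + trustDomain.getName());
            harvest(trustDomain, certificateChain);
            return new ValidationResult(trustValidator.getResult(), trustValidator.getRevocationData());
        }
        lastResult = trustValidator.getResult();
        lastRevocationData = trustValidator.getRevocationData();
    }
    return new ValidationResult(lastResult, lastRevocationData);
}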
From source file:org.apache.synapse.transport.certificatevalidation.pathvalidation.CertificatePathValidator.java
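/**
 * Runs PKIX certificate path validation over {@code certChain}, using the last element of
 * {@code fullCertChain} as the sole trust anchor and {@code pathChecker} as an additional
 * {@code PKIXCertPathChecker}.
 *
 * <p>Built-in PKIX revocation checking is disabled ({@code setRevocationEnabled(false)}), so
 * revocation status is only checked if {@code pathChecker} does it. The trust anchor is taken
 * from the supplied chain itself, so whoever populates {@code fullCertChain} must guarantee
 * that its last certificate is a genuinely trusted root — NOTE(review): confirm where
 * {@code fullCertChain} comes from; validating against an anchor supplied by the peer would
 * accept any self-consistent chain.
 *
 * @throws CertificateVerificationException if validation fails; for a path-validation
 *         failure the message carries the index of the offending certificate, and the
 *         underlying exception is always attached as the cause
 */
public void validatePath() throws CertificateVerificationException {
    // Security.addProvider is a no-op when "BC" is already registered, so this guard only
    // avoids constructing a throw-away provider instance on every call.
    if (Security.getProvider("BC") == null) {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(fullCertChain);
    try {
        CertStore store = CertStore.getInstance("Collection", params, "BC");
        // Build the path under test.
        CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
        CertPath certPath = fact.generateCertPath(certChain);
        TrustAnchor trustAnchor = new TrustAnchor(fullCertChain.get(fullCertChain.size() - 1), null);
        Set<TrustAnchor> trust = Collections.singleton(trustAnchor);
        // Configure and run PKIX validation.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
        PKIXParameters param = new PKIXParameters(trust);
        param.addCertPathChecker(pathChecker);
        param.setRevocationEnabled(false); // only pathChecker can check revocation now
        param.addCertStore(store);
        param.setDate(new Date());
        validator.validate(certPath, param);
        log.info("Certificate path validated");
    } catch (CertPathValidatorException e) {
        throw new CertificateVerificationException("Certificate Path Validation failed on certificate number "
                + e.getIndex() + ", details: " + e.getMessage(), e);
    } catch (Exception e) {
        // Provider, factory and parameter problems are wrapped so callers see a single type.
        throw new CertificateVerificationException("Certificate Path Validation failed", e);
    }
}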
From source file:org.apache.synapse.transport.utils.sslcert.pathvalidation.CertificatePathValidator.java
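/**
 * Runs PKIX certificate path validation over {@code certChain}, using the last element of
 * {@code fullCertChain} as the sole trust anchor and {@code pathChecker} as an additional
 * {@code PKIXCertPathChecker}.
 *
 * <p>Built-in PKIX revocation checking is disabled ({@code setRevocationEnabled(false)}), so
 * revocation status is only checked if {@code pathChecker} does it. The trust anchor is taken
 * from the supplied chain itself, so whoever populates {@code fullCertChain} must guarantee
 * that its last certificate is a genuinely trusted root — NOTE(review): confirm where
 * {@code fullCertChain} comes from; validating against an anchor supplied by the peer would
 * accept any self-consistent chain.
 *
 * @throws CertificateVerificationException if validation fails; for a path-validation
 *         failure the message carries the index of the offending certificate, and the
 *         underlying exception is always attached as the cause
 */
public void validatePath() throws CertificateVerificationException {
    // Security.addProvider is a no-op when "BC" is already registered, so this guard only
    // avoids constructing a throw-away provider instance on every call.
    if (Security.getProvider("BC") == null) {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }
    CollectionCertStoreParameters params = new CollectionCertStoreParameters(fullCertChain);
    try {
        CertStore store = CertStore.getInstance("Collection", params, "BC");
        // Build the path under test.
        CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
        CertPath certPath = fact.generateCertPath(certChain);
        TrustAnchor trustAnchor = new TrustAnchor(fullCertChain.get(fullCertChain.size() - 1), null);
        Set<TrustAnchor> trust = Collections.singleton(trustAnchor);
        // Configure and run PKIX validation.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
        PKIXParameters param = new PKIXParameters(trust);
        param.addCertPathChecker(pathChecker);
        param.setRevocationEnabled(false); // only pathChecker can check revocation now
        param.addCertStore(store);
        param.setDate(new Date());
        validator.validate(certPath, param);
        log.debug("Certificate path validated");
    } catch (CertPathValidatorException e) {
        throw new CertificateVerificationException("Certificate Path Validation failed on "
                + "certificate number " + e.getIndex() + ", details: " + e.getMessage(), e);
    } catch (Exception e) {
        // Provider, factory and parameter problems are wrapped so callers see a single type.
        throw new CertificateVerificationException("Certificate Path Validation failed", e);
    }
}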
From source file:org.cesecore.util.CertTools.java
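/**
 * Checks that {@code certificate} was issued by the CA certificate at the head of
 * {@code caCertChain}, using PKIX path validation with revocation checking disabled.
 *
 * <p>Only the first element of {@code caCertChain} is used, as the trust anchor, and the path
 * being validated contains just {@code certificate}; no intermediate certificates are handed to
 * the validator. The certificate must therefore be directly issued by that first CA; the rest
 * of the collection is ignored.
 *
 * @param certificate cert to verify
 * @param caCertChain collection of X509Certificate; the first entry is the trust anchor
 * @return true if verified OK
 * @throws IllegalArgumentException if {@code caCertChain} is null or empty
 * @throws Exception if verification failed; the underlying exception is attached as the cause
 */
public static boolean verify(Certificate certificate, Collection<Certificate> caCertChain) throws Exception {
    if (caCertChain == null || caCertChain.isEmpty()) {
        throw new IllegalArgumentException("caCertChain must contain at least the issuing CA certificate");
    }
    try {
        // The path under test holds only the certificate itself.
        ArrayList<Certificate> certlist = new ArrayList<Certificate>();
        certlist.add(certificate);
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        java.security.cert.CertPath cp = cf.generateCertPath(certlist);
        // Trust anchor: the first CA certificate. Since EJBCA uses the BouncyCastle provider,
        // the chain is assumed to already be in the correct order.
        X509Certificate[] cac = caCertChain.toArray(new X509Certificate[] {});
        java.security.cert.TrustAnchor anchor = new java.security.cert.TrustAnchor(cac[0], null);
        // PKIX parameters: no CRL/OCSP checking here.
        java.security.cert.PKIXParameters params = new java.security.cert.PKIXParameters(
                java.util.Collections.singleton(anchor));
        params.setRevocationEnabled(false);
        java.security.cert.CertPathValidator cpv = java.security.cert.CertPathValidator.getInstance("PKIX", "BC");
        java.security.cert.PKIXCertPathValidatorResult result = (java.security.cert.PKIXCertPathValidatorResult) cpv
                .validate(cp, params);
        if (log.isDebugEnabled()) {
            log.debug("Certificate verify result: " + result.toString());
        }
    } catch (java.security.cert.CertPathValidatorException cpve) {
        throw new Exception(
                "Invalid certificate or certificate not issued by specified CA: " + cpve.getMessage(), cpve);
    } catch (Exception e) {
        throw new Exception("Error checking certificate chain: " + e.getMessage(), e);
    }
    return true;
}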
From source file:org.ejbca.util.CertTools.java
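/**
 * Checks that {@code certificate} was issued by the CA certificate at the head of
 * {@code caCertPath}, using PKIX path validation with revocation checking disabled.
 *
 * <p>Only the first element of {@code caCertPath} is used, as the trust anchor, and the path
 * being validated contains just {@code certificate}; no intermediate certificates are handed to
 * the validator. The certificate must therefore be directly issued by that first CA; the rest
 * of the collection is ignored.
 *
 * @param certificate cert to verify
 * @param caCertPath collection of X509Certificate; the first entry is the trust anchor
 * @return true if verified OK
 * @throws IllegalArgumentException if {@code caCertPath} is null or empty
 * @throws Exception if verification failed; the underlying exception is attached as the cause
 */
public static boolean verify(Certificate certificate, Collection<Certificate> caCertPath) throws Exception {
    if (caCertPath == null || caCertPath.isEmpty()) {
        throw new IllegalArgumentException("caCertPath must contain at least the issuing CA certificate");
    }
    try {
        // The path under test holds only the certificate itself.
        ArrayList<Certificate> certlist = new ArrayList<Certificate>();
        certlist.add(certificate);
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        java.security.cert.CertPath cp = cf.generateCertPath(certlist);
        // Trust anchor: the first CA certificate. Since EJBCA uses the BouncyCastle provider,
        // the chain is assumed to already be in the correct order.
        X509Certificate[] cac = caCertPath.toArray(new X509Certificate[] {});
        java.security.cert.TrustAnchor anchor = new java.security.cert.TrustAnchor(cac[0], null);
        // PKIX parameters: no CRL/OCSP checking here.
        java.security.cert.PKIXParameters params = new java.security.cert.PKIXParameters(
                java.util.Collections.singleton(anchor));
        params.setRevocationEnabled(false);
        java.security.cert.CertPathValidator cpv = java.security.cert.CertPathValidator.getInstance("PKIX", "BC");
        java.security.cert.PKIXCertPathValidatorResult result = (java.security.cert.PKIXCertPathValidatorResult) cpv
                .validate(cp, params);
        if (log.isDebugEnabled()) {
            log.debug("Certificate verify result: " + result.toString());
        }
    } catch (java.security.cert.CertPathValidatorException cpve) {
        throw new Exception(
                "Invalid certificate or certificate not issued by specified CA: " + cpve.getMessage(), cpve);
    } catch (Exception e) {
        throw new Exception("Error checking certificate chain: " + e.getMessage(), e);
    }
    return true;
}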
From source file:org.globus.gsi.trustmanager.PKITrustManager.java
/** * Test if the client is trusted based on the certificate chain. Does not currently support anonymous clients. * * @param x509Certificates The certificate chain to test for validity. * @param authType The authentication type based on the client certificate. * @throws CertificateException If the path validation fails. */// www . j a v a2 s . co m public void checkClientTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException { // JGLOBUS-97 : anonymous clients? CertPath certPath = CertificateUtil.getCertPath(x509Certificates); try { this.result = this.validator.engineValidate(certPath, parameters); } catch (CertPathValidatorException exception) { throw new CertificateException("Path validation failed: " + exception.getMessage(), exception); } catch (InvalidAlgorithmParameterException exception) { throw new CertificateException("Path validation failed: " + exception.getMessage(), exception); } }
From source file:org.globus.gsi.trustmanager.PKITrustManager.java
/** * Test if the server is trusted based on the certificate chain. * * @param x509Certificates The certificate chain to test for validity. * @param authType The authentication type based on the server certificate. * @throws CertificateException If the path validation fails. */// w w w .j a va 2 s . co m public void checkServerTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException { CertPath certPath = CertificateUtil.getCertPath(x509Certificates); try { this.result = this.validator.engineValidate(certPath, parameters); } catch (CertPathValidatorException exception) { throw new CertificateException("Path validation failed. " + exception.getMessage(), exception); } catch (InvalidAlgorithmParameterException exception) { throw new CertificateException("Path validation failed. " + exception.getMessage(), exception); } }
From source file:org.viafirma.nucleo.validacion.ValidadorHandler.java
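/**
 * Validates the given certificate, using either OCSP or CRL checking depending on the
 * certificate's type (as decided by {@code isOCSPProtocol}).
 *
 * <p>If the OCSP check throws a {@code CertPathValidatorException}, the failure is logged
 * (with its stack trace) and {@code ERROR_OCSP_INTERNAL_ERROR} is returned; callers must treat
 * that code as "not validated", not as a pass.
 *
 * @param certificadoX509 the certificate to validate
 * @return the result code of the OCSP or CRL validation
 */
public CodigoError validar(X509Certificate certificadoX509) {
    if (isOCSPProtocol(certificadoX509)) {
        // OCSP protocol.
        if (log.isDebugEnabled()) {
            log.debug("Validando con OCSP el certificado : " + certificadoX509.getSubjectDN().getName());
        }
        try {
            return ocspValidationHandler.validarOCSP(certificadoX509);
        } catch (CertPathValidatorException e) {
            // Keep the exception itself in the log, not just its message.
            log.warn(e.getMessage(), e);
            return CodigoError.ERROR_OCSP_INTERNAL_ERROR;
        }
    } else {
        // The certificate is validated through CRL access.
        if (log.isDebugEnabled()) {
            log.debug("Validando certificado : " + certificadoX509.getSubjectDN().getName());
        }
        return crlValidationHandler.validarCRL(certificadoX509);
    }
}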