Java tutorial
/* * JOSSO: Java Open Single Sign-On * * Copyright 2004-2009, Atricore, Inc. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * */ package org.josso.auth.scheme.validation; import java.security.Security; import java.security.cert.CertPath; import java.security.cert.CertPathValidator; import java.security.cert.CertPathValidatorException; import java.security.cert.CertStore; import java.security.cert.CertStoreParameters; import java.security.cert.CollectionCertStoreParameters; import java.security.cert.PKIXCertPathValidatorResult; import java.security.cert.PKIXParameters; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.HashSet; import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * OCSP X509 Certificate validator. * * @org.apache.xbean.XBean element="ocsp-validator" */ public class OCSPX509CertificateValidator extends AbstractX509CertificateValidator { private static final Log log = LogFactory.getLog(OCSPX509CertificateValidator.class); private String _ocspResponderCertificateAlias; private X509Certificate _ocspCert; public void validate(X509Certificate certificate) throws X509CertificateValidationException { try { if (_url != null) { log.debug("Using the OCSP server at: " + _url); Security.setProperty("ocsp.responderURL", _url); } else { log.debug("Using the OCSP server specified in the " + "Authority Info Access (AIA) extension " + "of the certificate"); } // configure the proxy if (_httpProxyHost != null && _httpProxyPort != null) { System.setProperty("http.proxyHost", _httpProxyHost); System.setProperty("http.proxyPort", _httpProxyPort); } else { System.clearProperty("http.proxyHost"); System.clearProperty("http.proxyPort"); } // get certificate path CertPath cp = generateCertificatePath(certificate); // get trust anchors Set<TrustAnchor> trustedCertsSet = generateTrustAnchors(); // init PKIX parameters PKIXParameters params = new PKIXParameters(trustedCertsSet); // init cert store Set<X509Certificate> certSet = new HashSet<X509Certificate>(); if (_ocspCert == null) { _ocspCert = getCertificate(_ocspResponderCertificateAlias); } if (_ocspCert != null) { certSet.add(_ocspCert); CertStoreParameters storeParams = new CollectionCertStoreParameters(certSet); CertStore store = CertStore.getInstance("Collection", storeParams); params.addCertStore(store); Security.setProperty("ocsp.responderCertSubjectName", _ocspCert.getSubjectX500Principal().getName()); } // activate certificate revocation checking params.setRevocationEnabled(true); // activate OCSP Security.setProperty("ocsp.enable", "true"); // perform validation CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params); X509Certificate trustedCert = (X509Certificate) cpvResult.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { log.debug("Trsuted Cert = NULL"); } else { log.debug("Trusted CA DN = " + trustedCert.getSubjectDN()); } } catch (CertPathValidatorException e) { log.error(e, e); throw new X509CertificateValidationException(e); } catch (Exception e) { log.error(e, e); throw new X509CertificateValidationException(e); } log.debug("CERTIFICATE VALIDATION SUCCEEDED"); } /** * @return the ocspResponderCertificateAlias */ public String getOcspResponderCertificateAlias() { return _ocspResponderCertificateAlias; } /** * @param ocspResponderCertificateAlias the ocspResponderCertificateAlias to set */ public void setOcspResponderCertificateAlias(String ocspResponderCertificateAlias) { _ocspResponderCertificateAlias = ocspResponderCertificateAlias; } }