Below are example code snippets showing how to use the `javax.net.ssl.CertPathTrustManagerParameters` API class (the wrapper that lets a PKIX `TrustManagerFactory` be initialised with explicit `PKIXBuilderParameters` — trust anchors, cert stores, revocation settings and extra path checkers — instead of a bare `KeyStore`); click the link to view the source code on GitHub.
/**
 * Creates a PKIX {@link X509TrustManager} from factory parameters.
 *
 * Only the cert-path flavour of initialisation is supported here: {@code spec}
 * must be a {@link CertPathTrustManagerParameters} that wraps a
 * {@link PKIXBuilderParameters}. The wrapped parameters are handed to the
 * trust-manager implementation as-is, so whatever the caller configured on
 * them (trust anchors, cert stores, revocation flag, extra checkers) is what
 * chain validation will presumably use — this method itself adds nothing.
 *
 * @param spec the factory parameters supplied to
 *             {@code TrustManagerFactory.init(ManagerFactoryParameters)}
 * @return a trust manager that validates chains with the PKIX validator
 * @throws InvalidAlgorithmParameterException if {@code spec} is not a
 *         {@code CertPathTrustManagerParameters}, or if the parameters it
 *         wraps are not {@code PKIXBuilderParameters}
 */
@Override
X509TrustManager getInstance(ManagerFactoryParameters spec)
        throws InvalidAlgorithmParameterException {
    if (!(spec instanceof CertPathTrustManagerParameters)) {
        throw new InvalidAlgorithmParameterException(
                "Parameters must be CertPathTrustManagerParameters");
    }
    final CertPathParameters wrapped =
            ((CertPathTrustManagerParameters) spec).getParameters();
    // Plain PKIXParameters are rejected too: the builder variant is required.
    if (!(wrapped instanceof PKIXBuilderParameters)) {
        throw new InvalidAlgorithmParameterException(
                "Encapsulated parameters must be PKIXBuilderParameters");
    }
    final PKIXBuilderParameters builderParams = (PKIXBuilderParameters) wrapped;
    return new X509TrustManagerImpl(Validator.TYPE_PKIX, builderParams);
}
/**
 * Builds a PKIX {@link TrustManagerFactory}, either pinned to a caller-supplied
 * set of CA certificates or backed by the default CA key store with revocation
 * checking switched on.
 *
 * Two configurations are produced, and they differ in more than the trust
 * anchors:
 * <ul>
 *   <li>{@code trustedCertificates != null}: every certificate parsed from the
 *       PEM text becomes a trust anchor in a fresh key store and the factory is
 *       initialised from that key store alone. No {@link PKIXRevocationChecker}
 *       is attached on this path.</li>
 *   <li>{@code trustedCertificates == null}: the factory is initialised with
 *       {@link PKIXBuilderParameters} over {@code DEFAULT_CA_KEYSTORE} plus the
 *       platform's revocation checker. NOTE(review): with the checker's default
 *       options (no SOFT_FAIL) a chain whose revocation status cannot be
 *       determined is expected to be rejected, per the PKIXRevocationChecker
 *       contract — confirm this is the intended failure mode for the
 *       environment.</li>
 * </ul>
 *
 * @param trustedCertificates PEM-encoded CA certificate(s) as text, or
 *                            {@code null} to trust the default CA key store;
 *                            decoded as US-ASCII, so non-ASCII input would be
 *                            mangled before parsing (PEM is ASCII by design)
 * @return an initialised PKIX trust manager factory
 * @throws NoSuchAlgorithmException if the {@code PKIX} algorithm is unavailable
 * @throws CertificateException if the PEM text cannot be parsed
 * @throws KeyStoreException if the temporary key store cannot be populated
 * @throws InvalidAlgorithmParameterException if the default key store yields no
 *         trust anchors or the factory rejects the parameters
 */
private TrustManagerFactory createTrustManagerFactory(@Nullable final String trustedCertificates)
        throws NoSuchAlgorithmException, CertificateException, KeyStoreException,
        InvalidAlgorithmParameterException {
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(PKIX);

    if (trustedCertificates == null) {
        // Default CAs, with revocation checking added on top.
        final CertPathBuilder builder = CertPathBuilder.getInstance(PKIX);
        final PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        final PKIXBuilderParameters pkixParams =
                new PKIXBuilderParameters(DEFAULT_CA_KEYSTORE, new X509CertSelector());
        pkixParams.addCertPathChecker(revocationChecker);
        factory.init(new CertPathTrustManagerParameters(pkixParams));
        return factory;
    }

    // Caller-supplied CAs: parse the PEM bundle and load each certificate as a
    // trust anchor under a synthetic alias ("ca-0", "ca-1", ...).
    final byte[] pemBytes = trustedCertificates.getBytes(StandardCharsets.US_ASCII);
    final Collection<? extends Certificate> parsedCas =
            X509_CERTIFICATE_FACTORY.generateCertificates(new ByteArrayInputStream(pemBytes));
    final KeyStore anchors = keyStoreFactory.newKeystore();
    long index = 0L;
    for (final Certificate ca : parsedCas) {
        final String alias = "ca-" + index;
        anchors.setCertificateEntry(alias, ca);
        index++;
    }
    factory.init(anchors);
    return factory;
}
/**
 * Builds the {@link TrustManager}s for a trust store, optionally with
 * CRL-based revocation checking.
 *
 * Without a CRL file the factory is initialised directly from the key store
 * ({@code tmf.init(KeyStore)}); in that case {@code maxCertificatePathLength}
 * is not used at all and no revocation information is configured here. With a
 * CRL file the parameters come from {@code getParameters(...)} and are wrapped
 * in {@link CertPathTrustManagerParameters}, which is only meaningful for a
 * PKIX-style factory algorithm.
 *
 * @param trustStoreFilename       path of the trust store, passed to {@code getStore}
 * @param trustStorePassword       trust store password, passed to {@code getStore}
 * @param trustStoreType           key store type, passed to {@code getStore}
 * @param trustStoreProvider       key store provider, passed to {@code getStore}
 * @param trustStoreAlgorithm      TrustManagerFactory algorithm; {@code null}
 *                                 selects {@link TrustManagerFactory#getDefaultAlgorithm()}
 * @param maxCertificatePathLength forwarded to {@code getParameters} only when a
 *                                 CRL file is given
 * @param crlFilename              CRL file to load, or {@code null} for no
 *                                 CRL-based revocation checking
 * @return the trust managers produced by the initialised factory
 * @throws IOException                        if the trust store or CRL cannot be read
 * @throws KeyStoreException                  if the trust store cannot be loaded
 * @throws NoSuchProviderException            if the requested provider is unknown
 * @throws NoSuchAlgorithmException           if the factory algorithm is unknown
 * @throws CertificateException               if a certificate cannot be parsed
 * @throws InvalidAlgorithmParameterException if the factory rejects the parameters
 * @throws CRLException                       if the CRL cannot be parsed
 */
protected static TrustManager[] getTrustManagers(String trustStoreFilename,
                                                 String trustStorePassword,
                                                 String trustStoreType,
                                                 String trustStoreProvider,
                                                 String trustStoreAlgorithm,
                                                 Integer maxCertificatePathLength,
                                                 String crlFilename)
        throws IOException, KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException,
               CertificateException, InvalidAlgorithmParameterException, CRLException
{
    final KeyStore trustStore = getStore(trustStoreFilename,
                                         trustStorePassword,
                                         trustStoreType,
                                         trustStoreProvider);

    final String algorithm = (trustStoreAlgorithm != null)
            ? trustStoreAlgorithm
            : TrustManagerFactory.getDefaultAlgorithm();
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);

    if (crlFilename != null)
    {
        // CRL supplied: validation parameters (including the CRL and the path
        // length limit) are assembled by getParameters and wrapped for the factory.
        final CertPathParameters pathParams = getParameters(algorithm,
                                                            crlFilename,
                                                            maxCertificatePathLength,
                                                            trustStore);
        factory.init(new CertPathTrustManagerParameters(pathParams));
    }
    else
    {
        // No CRL: plain key-store initialisation, path length limit unused.
        factory.init(trustStore);
    }
    return factory.getTrustManagers();
}
/**
 * Builds the {@link TrustManager}s for the given trust store using the default
 * factory algorithm and the cert-path parameters from {@code getParameters(ts)}.
 *
 * The factory is always initialised through
 * {@link CertPathTrustManagerParameters}, never from the bare key store, so
 * whatever {@code getParameters} configures (trust anchors, revocation, extra
 * checkers) governs validation.
 *
 * @param ts the trust store to derive parameters from
 * @return the trust managers of the initialised factory
 * @throws IllegalConfigurationException if the default algorithm is unavailable
 *         or the factory rejects the parameters; the cause is preserved
 */
protected TrustManager[] getTrustManagers(KeyStore ts)
{
    final String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    try
    {
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
        final CertPathTrustManagerParameters spec =
                new CertPathTrustManagerParameters(getParameters(ts));
        factory.init(spec);
        return factory.getTrustManagers();
    }
    catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e)
    {
        // Surface as a configuration error naming the trust store; keep the cause.
        throw new IllegalConfigurationException("Cannot create trust manager factory for truststore '" +
                                                getName() + "' :" + e, e);
    }
}
/**
 * Resolves the {@link TrustManagerFactory} for this SSL configuration.
 *
 * Resolution order, first match wins:
 * <ol>
 *   <li>{@code trustManagerFactoryPlugin} set: instantiate the plugin class and
 *       use the factory it supplies.</li>
 *   <li>{@code trustAll}: the insecure factory that accepts every peer
 *       certificate — no trust store, no revocation. Intended for tests only;
 *       enabling it in production removes server authentication entirely.</li>
 *   <li>Neither a trust store path nor a PKCS11 provider: {@code null}.</li>
 *   <li>Otherwise load the trust store and initialise a default-algorithm
 *       factory. When the default algorithm is PKIX and either the
 *       {@code ocsp.enable} security property is {@code true} or a CRL path is
 *       configured, the factory is initialised with
 *       {@link PKIXBuilderParameters}; a CRL path additionally sets
 *       {@code setRevocationEnabled(true)} and registers the loaded CRLs in a
 *       Collection cert store. On the OCSP-only path the revocation flag is
 *       not touched here (PKIXParameters document it as enabled by default —
 *       NOTE(review): confirm that is what the OCSP case relies on).</li>
 * </ol>
 *
 * @return the resolved factory, or {@code null} when no trust store is configured
 * @throws Exception any failure from plugin loading, key store loading, CRL
 *         loading or factory initialisation
 */
private TrustManagerFactory loadTrustManagerFactory() throws Exception {
    if (trustManagerFactoryPlugin != null) {
        // Plugin class name takes precedence over every other setting.
        final PrivilegedAction<TrustManagerFactory> loadPlugin = () -> {
            final Object plugin = ClassloadingUtil.newInstanceFromClassLoader(
                    SSLSupport.class, trustManagerFactoryPlugin);
            return ((TrustManagerFactoryPlugin) plugin).getTrustManagerFactory();
        };
        return AccessController.doPrivileged(loadPlugin);
    }

    if (trustAll) {
        // Useful for testing; must not be used outside of that purpose.
        return InsecureTrustManagerFactory.INSTANCE;
    }

    final boolean pkcs11Provider = truststoreProvider != null
            && "PKCS11".equals(truststoreProvider.toUpperCase());
    if (truststorePath == null && !pkcs11Provider) {
        return null;
    }

    final String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    final KeyStore trustStore =
            SSLSupport.loadKeystore(truststoreProvider, truststorePath, truststorePassword);

    // A null/absent property parses as false.
    final boolean ocspEnabled = Boolean.parseBoolean(Security.getProperty("ocsp.enable"));
    final boolean wantsRevocationSetup = ocspEnabled || crlPath != null;
    final boolean pkixAlgorithm = algorithm.equalsIgnoreCase("PKIX");

    if (!(wantsRevocationSetup && pkixAlgorithm)) {
        // Plain initialisation: neither OCSP nor CRLs are wired in here.
        factory.init(trustStore);
        return factory;
    }

    final PKIXBuilderParameters pkixParams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    if (crlPath != null) {
        pkixParams.setRevocationEnabled(true);
        final Collection<? extends CRL> crls = loadCRL();
        if (crls != null) {
            final CollectionCertStoreParameters storeParams = new CollectionCertStoreParameters(crls);
            pkixParams.addCertStore(CertStore.getInstance("Collection", storeParams));
        }
    }
    factory.init(new CertPathTrustManagerParameters(pkixParams));
    return factory;
}
/**
 * Builds the {@link TrustManager}s described by a {@code TrustManagersType}
 * configuration element, optionally with revocation checking enabled.
 *
 * The key store is taken from the element's key store if set, else from its
 * cert store if set, else it is {@code null}. The factory algorithm and
 * provider likewise default to the JDK defaults when not configured.
 *
 * With {@code enableRevocation} the factory is initialised through
 * {@link PKIXBuilderParameters} with {@code setRevocationEnabled(true)}; no
 * OCSP responder or CRL source is configured on those parameters here, so
 * where the revocation data comes from (and whether an undeterminable status
 * is fatal) is left to the JDK's security properties — review before relying
 * on it. Note that {@code new PKIXBuilderParameters((KeyStore) null, ...)}
 * does not accept a null key store, so the revocation branch needs one of the
 * stores to be set, whereas {@code init((KeyStore) null)} is accepted by the
 * factory.
 *
 * @param tmc              the trust-manager configuration element
 * @param enableRevocation whether to request revocation checking
 * @return the trust managers of the initialised factory
 * @throws GeneralSecurityException on key store, algorithm, provider or
 *         parameter failures
 * @throws IOException if a configured store cannot be read
 */
public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation)
        throws GeneralSecurityException, IOException {
    KeyStore keyStore = null;
    if (tmc.isSetKeyStore()) {
        keyStore = getKeyStore(tmc.getKeyStore(), true);
    } else if (tmc.isSetCertStore()) {
        keyStore = getKeyStore(tmc.getCertStore());
    }

    final String algorithm;
    if (tmc.isSetFactoryAlgorithm()) {
        algorithm = tmc.getFactoryAlgorithm();
    } else {
        algorithm = TrustManagerFactory.getDefaultAlgorithm();
    }

    final TrustManagerFactory factory;
    if (tmc.isSetProvider()) {
        factory = TrustManagerFactory.getInstance(algorithm, tmc.getProvider());
    } else {
        factory = TrustManagerFactory.getInstance(algorithm);
    }

    if (!enableRevocation) {
        factory.init(keyStore);
        return factory.getTrustManagers();
    }

    final PKIXBuilderParameters pkixParams =
            new PKIXBuilderParameters(keyStore, new X509CertSelector());
    pkixParams.setRevocationEnabled(true);
    factory.init(new CertPathTrustManagerParameters(pkixParams));
    return factory.getTrustManagers();
}
/**
 * Verifies that programmatically supplied trust managers with revocation
 * checking enabled override the bus-configured trust settings: with
 * {@code ocsp.enable=true} and the test CA store, the HTTPS call is expected
 * to fail (the test asserts only that some exception is thrown).
 *
 * Side effects worth knowing when running this alongside other tests:
 * the {@code ocsp.enable} security property is process-wide and is reset to
 * the literal {@code "false"} afterwards rather than to its previous value;
 * {@code setDisableCNCheck(true)} turns off hostname verification for this
 * client, which is acceptable in a fixture but never in production code.
 *
 * @throws Exception on any setup failure
 */
@org.junit.Test
public void testOSCPOverride() throws Exception {
    final SpringBusFactory busFactory = new SpringBusFactory();
    final URL busConfig = TrustManagerTest.class.getResource("client-trust.xml");
    final Bus bus = busFactory.createBus(busConfig.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    final SOAPService service = new SOAPService(SOAPService.WSDL_LOCATION, SOAPService.SERVICE);
    assertNotNull("Service is null", service);
    final Greeter port = service.getHttpsPort();
    assertNotNull("Port is null", port);
    updateAddressPort(port, PORT2);

    // Optionally route through the asynchronous HTTP conduit.
    if (async) {
        ((BindingProvider) port).getRequestContext().put("use.async.http.conduit", true);
    }

    // Load the test CA trust store from the classpath.
    final KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in =
                 ClassLoaderUtils.getResourceAsStream("keys/cxfca.jks", TrustManagerTest.class)) {
        trustStore.load(in, "password".toCharArray());
    }

    try {
        Security.setProperty("ocsp.enable", "true");

        final PKIXBuilderParameters pkixParams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkixParams.setRevocationEnabled(true);
        final TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(new CertPathTrustManagerParameters(pkixParams));

        final TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(factory.getTrustManagers());
        tlsParams.setDisableCNCheck(true);   // test fixture only: hostname check off

        final Client client = ClientProxy.getClient(port);
        final HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tlsParams);

        boolean failed = false;
        try {
            port.greetMe("Kitty");
        } catch (Exception expected) {
            // Any exception counts as the expected revocation/OCSP failure.
            failed = true;
        }
        if (!failed) {
            fail("Failure expected on an invalid OCSP responder URL");
        }
    } finally {
        Security.setProperty("ocsp.enable", "false");
    }

    ((java.io.Closeable) port).close();
    bus.shutdown(true);
}