build()源码实例Demo

java.security.cert.CertPathBuilder#build()源码实例Demo

下面列出了java.security.cert.CertPathBuilder#build() 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。

源代码1 项目: jdk8u_jdk   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码2 项目: jdk8u-jdk   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码3 项目: openjdk-8-source   文件: BuildOddSel.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码4 项目: dragonwell8_jdk   文件: CertUtils.java
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 
源代码5 项目: hottub   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码6 项目: openjdk-8-source   文件: CertUtils.java
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 
源代码7 项目: TencentKona-8   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码8 项目: TencentKona-8   文件: CertUtils.java
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 
源代码9 项目: opc-ua-stack   文件: CertificateValidationUtil.java
public static void validateTrustChain(X509Certificate certificate,
                                      List<X509Certificate> chain,
                                      Set<X509Certificate> trustedCertificates,
                                      Set<X509Certificate> authorityCertificates) throws UaException {

    boolean certificateTrusted = trustedCertificates.stream()
            .anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));

    if (certificateTrusted) return;

    try {
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        authorityCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(certificate);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);

        params.setRevocationEnabled(false);

        CertStore intermediateCertStore =
                CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain));

        params.addCertStore(intermediateCertStore);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
    } catch (Throwable t) {
        throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
    }
}
 
源代码10 项目: openjdk-jdk9   文件: NoExtensions.java
private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 
源代码11 项目: jdk8u60   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码12 项目: jdk8u60   文件: CertUtils.java
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 
源代码13 项目: openjdk-8   文件: ValidateNC.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in the build
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX", "SUN");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码14 项目: openjdk-jdk8u   文件: BuildOddSel.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码15 项目: jdk8u-jdk   文件: BuildOddSel.java
/**
 * Perform a PKIX build.
 *
 * @param params PKIXBuilderParameters to use in building
 * @throws Exception on error
 */
public static void build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    CertPathBuilderResult cpbr = builder.build(params);
}
 
源代码16 项目: wildfly-camel   文件: SecurityInInterceptor.java
/**
 * Based on https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
 *
 * @param cert
 * @throws CertificateException
 * @throws NoSuchAlgorithmException
 * @throws NoSuchProviderException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathBuilderException
 */
public void verifyCertificate(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException,
        NoSuchProviderException, InvalidAlgorithmParameterException, CertPathBuilderException {
    // Prepare a set of trusted root CA certificates
    // and a set of intermediate certificates
    // Create the selector that specifies the starting certificate
    X509CertSelector selector = new X509CertSelector();
    selector.setCertificate(cert);

    // Create the trust anchors (set of root CA certificates)
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate trustedRootCert : trustedRootCerts) {
        trustAnchors.add(new TrustAnchor(trustedRootCert, null));
    }

    // Configure the PKIX certificate builder algorithm parameters
    PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

    // Disable CRL checks (this is done manually as additional step)
    pkixParams.setRevocationEnabled(false);

    // Specify a list of intermediate certificates
    CertStore intermediateCertStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(intermediateCerts));
    pkixParams.addCertStore(intermediateCertStore);

    // Build and verify the certification chain
    CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
    builder.build(pkixParams);
    // Attempt to build the certification chain and verify it

    // Check whether the certificate is revoked by the CRL
    // given in its CRL distribution point extension
    // CRLVerifier.verifyCertificateCRLs(cert);

    // The chain is verified.
}
 
源代码17 项目: hottub   文件: NoExtensions.java
private void doBuild(X509Certificate userCert) throws Exception {
        // get the set of trusted CA certificates (only one in this instance)
        HashSet trustAnchors = new HashSet();
        X509Certificate trustedCert = getTrustedCertificate();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // put together a CertStore (repository of the certificates and CRLs)
        ArrayList certs = new ArrayList();
        certs.add(trustedCert);
        certs.add(userCert);
        CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
        CertStore certStore = CertStore.getInstance("Collection", certStoreParams);

        // specify the target certificate via a CertSelector
        X509CertSelector certSelector = new X509CertSelector();
        certSelector.setCertificate(userCert);
        certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required

        // build a valid cerificate path
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
        PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
        certPathBuilderParams.addCertStore(certStore);
        certPathBuilderParams.setRevocationEnabled(false);
        CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);

        // get and show cert path
        CertPath certPath = result.getCertPath();
//        System.out.println(certPath.toString());
    }
 
源代码18 项目: oxAuth   文件: PathCertificateVerifier.java
/**
 * Attempts to build a certification chain for given certificate to verify
 * it. Relies on a set of root CA certificates (trust anchors) and a set of
 * intermediate certificates (to be used as part of the chain).
 */
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts)
		throws GeneralSecurityException {

	// Create the selector that specifies the starting certificate
	X509CertSelector selector = new X509CertSelector();
	selector.setBasicConstraints(-2);
	selector.setCertificate(certificate);

	// Create the trust anchors (set of root CA certificates)
	Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
	for (X509Certificate trustedRootCert : trustedRootCerts) {
		trustAnchors.add(new TrustAnchor(trustedRootCert, null));
	}

	// Configure the PKIX certificate builder algorithm parameters
	PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);

	// Turn off default revocation-checking mechanism
	pkixParams.setRevocationEnabled(false);

	// Specify a list of intermediate certificates
	CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
	pkixParams.addCertStore(intermediateCertStore);

	// Build and verify the certification chain
	CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);

	// Additional check to Verify cert path
	CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
	PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);

	return certPathBuilderResult;
}
 
源代码19 项目: openjdk-jdk8u-backup   文件: CertUtils.java
/**
 * Perform a PKIX path build. On failure, throw an exception.
 *
 * @param params PKIXBuilderParameters to use in validation
 * @throws Exception on error
 */
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
    throws Exception {
    CertPathBuilder builder =
        CertPathBuilder.getInstance("PKIX");
    return (PKIXCertPathBuilderResult) builder.build(params);
}
 
源代码20 项目: Spark   文件: SparkTrustManager.java
/**
 * Validate certificate path
 * 
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector certSelector = new X509CertSelector();

    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);

    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);

    // will use PKIXRevocationChecker (or nothing if revocation mechanisms are
    // disabled) instead of the default revocation checker
    parameters.setRevocationEnabled(false);   

    // if revoked certificates aren't accepted, but no revocation checks then only
    // certificates from blacklist will be rejected
    if (acceptRevoked == false) {
        
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();

        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // if soft fail isn't enabled then OCSP or CRL must pass validation, in case
        // when any of them cannot be validated verification will fail, if soft fail
        // is enabled then in case of network issues revocation checking is omitted
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // check OCSP, CRL serve as backup
        if (checkOCSP && checkCRL) {
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // check only CRL, if CRL fail then there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
                    
    }
    
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();

        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
                .validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check if all certificates in path have Basic Constraints, only certificate that isn't required to have
        // this extension is last certificate: root CA
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        Log.warning("Certificate was revoked", e);
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    break;
                }
            }
        }
        throw new CertificateException("Certificate was revoked");
    }
}
 
源代码评论
动弹
沙发等你来抢