下面列出了java.security.cert.CertPathBuilder#build() 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in building
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX path build. On failure, throw an exception.
*
* @param params PKIXBuilderParameters to use in validation
* @throws Exception on error
*/
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX path build. On failure, throw an exception.
*
* @param params PKIXBuilderParameters to use in validation
* @throws Exception on error
*/
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX path build. On failure, throw an exception.
*
* @param params PKIXBuilderParameters to use in validation
* @throws Exception on error
*/
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(params);
}
public static void validateTrustChain(X509Certificate certificate,
List<X509Certificate> chain,
Set<X509Certificate> trustedCertificates,
Set<X509Certificate> authorityCertificates) throws UaException {
boolean certificateTrusted = trustedCertificates.stream()
.anyMatch(c -> Arrays.equals(certificate.getSignature(), c.getSignature()));
if (certificateTrusted) return;
try {
Set<TrustAnchor> trustAnchors = new HashSet<>();
authorityCertificates.forEach(ca -> trustAnchors.add(new TrustAnchor(ca, null)));
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(certificate);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, selector);
params.setRevocationEnabled(false);
CertStore intermediateCertStore =
CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain));
params.addCertStore(intermediateCertStore);
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
LOGGER.debug("Validated certificate chain: {}", result.getCertPath());
} catch (Throwable t) {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
}
}
private void doBuild(X509Certificate userCert) throws Exception {
// get the set of trusted CA certificates (only one in this instance)
HashSet trustAnchors = new HashSet();
X509Certificate trustedCert = getTrustedCertificate();
trustAnchors.add(new TrustAnchor(trustedCert, null));
// put together a CertStore (repository of the certificates and CRLs)
ArrayList certs = new ArrayList();
certs.add(trustedCert);
certs.add(userCert);
CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
CertStore certStore = CertStore.getInstance("Collection", certStoreParams);
// specify the target certificate via a CertSelector
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(userCert);
certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required
// build a valid cerificate path
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
certPathBuilderParams.addCertStore(certStore);
certPathBuilderParams.setRevocationEnabled(false);
CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);
// get and show cert path
CertPath certPath = result.getCertPath();
// System.out.println(certPath.toString());
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX path build. On failure, throw an exception.
*
* @param params PKIXBuilderParameters to use in validation
* @throws Exception on error
*/
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in the build
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX", "SUN");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in building
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Perform a PKIX build.
*
* @param params PKIXBuilderParameters to use in building
* @throws Exception on error
*/
public static void build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult cpbr = builder.build(params);
}
/**
* Based on https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
*
* @param cert
* @throws CertificateException
* @throws NoSuchAlgorithmException
* @throws NoSuchProviderException
* @throws InvalidAlgorithmParameterException
* @throws CertPathBuilderException
*/
public void verifyCertificate(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException,
NoSuchProviderException, InvalidAlgorithmParameterException, CertPathBuilderException {
// Prepare a set of trusted root CA certificates
// and a set of intermediate certificates
// Create the selector that specifies the starting certificate
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(cert);
// Create the trust anchors (set of root CA certificates)
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
for (X509Certificate trustedRootCert : trustedRootCerts) {
trustAnchors.add(new TrustAnchor(trustedRootCert, null));
}
// Configure the PKIX certificate builder algorithm parameters
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
// Disable CRL checks (this is done manually as additional step)
pkixParams.setRevocationEnabled(false);
// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection",
new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
builder.build(pkixParams);
// Attempt to build the certification chain and verify it
// Check whether the certificate is revoked by the CRL
// given in its CRL distribution point extension
// CRLVerifier.verifyCertificateCRLs(cert);
// The chain is verified.
}
private void doBuild(X509Certificate userCert) throws Exception {
// get the set of trusted CA certificates (only one in this instance)
HashSet trustAnchors = new HashSet();
X509Certificate trustedCert = getTrustedCertificate();
trustAnchors.add(new TrustAnchor(trustedCert, null));
// put together a CertStore (repository of the certificates and CRLs)
ArrayList certs = new ArrayList();
certs.add(trustedCert);
certs.add(userCert);
CollectionCertStoreParameters certStoreParams = new CollectionCertStoreParameters(certs);
CertStore certStore = CertStore.getInstance("Collection", certStoreParams);
// specify the target certificate via a CertSelector
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(userCert);
certSelector.setSubject(userCert.getSubjectDN().getName()); // seems to be required
// build a valid cerificate path
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", "SUN");
PKIXBuilderParameters certPathBuilderParams = new PKIXBuilderParameters(trustAnchors, certSelector);
certPathBuilderParams.addCertStore(certStore);
certPathBuilderParams.setRevocationEnabled(false);
CertPathBuilderResult result = certPathBuilder.build(certPathBuilderParams);
// get and show cert path
CertPath certPath = result.getCertPath();
// System.out.println(certPath.toString());
}
/**
* Attempts to build a certification chain for given certificate to verify
* it. Relies on a set of root CA certificates (trust anchors) and a set of
* intermediate certificates (to be used as part of the chain).
*/
private PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate, Set<X509Certificate> trustedRootCerts, Set<X509Certificate> intermediateCerts)
throws GeneralSecurityException {
// Create the selector that specifies the starting certificate
X509CertSelector selector = new X509CertSelector();
selector.setBasicConstraints(-2);
selector.setCertificate(certificate);
// Create the trust anchors (set of root CA certificates)
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
for (X509Certificate trustedRootCert : trustedRootCerts) {
trustAnchors.add(new TrustAnchor(trustedRootCert, null));
}
// Configure the PKIX certificate builder algorithm parameters
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
// Turn off default revocation-checking mechanism
pkixParams.setRevocationEnabled(false);
// Specify a list of intermediate certificates
CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
pkixParams.addCertStore(intermediateCertStore);
// Build and verify the certification chain
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);
// Additional check to Verify cert path
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
return certPathBuilderResult;
}
/**
* Perform a PKIX path build. On failure, throw an exception.
*
* @param params PKIXBuilderParameters to use in validation
* @throws Exception on error
*/
public static PKIXCertPathBuilderResult build(PKIXBuilderParameters params)
throws Exception {
CertPathBuilder builder =
CertPathBuilder.getInstance("PKIX");
return (PKIXCertPathBuilderResult) builder.build(params);
}
/**
* Validate certificate path
*
* @throws NoSuchAlgorithmException
* @throws KeyStoreException
* @throws InvalidAlgorithmParameterException
* @throws CertPathValidatorException
* @throws CertPathBuilderException
* @throws CertificateException
*/
private void validatePath(X509Certificate[] chain)
throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
CertPathValidatorException, CertPathBuilderException, CertificateException {
// PKIX algorithm is defined in rfc3280
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
// set last certificate (often root CA) from chain for CertSelector so trust store must contain it
certSelector.setCertificate(chain[chain.length - 1]);
// checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
// chain)
certSelector.setCertificateValid(null);
// create parameters using trustStore as source of Trust Anchors and using X509CertSelector
PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
// will use PKIXRevocationChecker (or nothing if revocation mechanisms are
// disabled) instead of the default revocation checker
parameters.setRevocationEnabled(false);
// if revoked certificates aren't accepted, but no revocation checks then only
// certificates from blacklist will be rejected
if (acceptRevoked == false) {
// OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
// https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
// if soft fail isn't enabled then OCSP or CRL must pass validation, in case
// when any of them cannot be validated verification will fail, if soft fail
// is enabled then in case of network issues revocation checking is omitted
if (allowSoftFail) {
checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
}
// check OCSP, CRL serve as backup
if (checkOCSP && checkCRL) {
checker.setOptions(checkerOptions);
parameters.addCertPathChecker(checker);
} else if (!checkOCSP && checkCRL) {
// check only CRL, if CRL fail then there is no fallback to OCSP
checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
checker.setOptions(checkerOptions);
parameters.addCertPathChecker(checker);
}
}
try {
CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
CertPath certPath = pathResult.getCertPath();
PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
.validate(certPath, parameters);
X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
if (trustedCert == null) {
throw new CertificateException("certificate path failed: Trusted CA is NULL");
}
// check if all certificates in path have Basic Constraints, only certificate that isn't required to have
// this extension is last certificate: root CA
for (int i = 0; i < chain.length - 1; i++) {
checkBasicConstraints(chain[i]);
}
} catch (CertificateRevokedException e) {
Log.warning("Certificate was revoked", e);
for (X509Certificate cert : chain) {
for (X509CRL crl : crlCollection) {
if (crl.isRevoked(cert)) {
try {
addToBlackList(cert);
} catch (IOException | HeadlessException | InvalidNameException e1) {
Log.error("Couldn't move to the blacklist", e1);
}
break;
}
}
}
throw new CertificateException("Certificate was revoked");
}
}