java.security.cert.PKIXRevocationChecker#setOptions()源码实例Demo

public static boolean pkixvalidate(CertPath cp, Set<TrustAnchor> trustAnchorSet,
        boolean isRevocationChecked, boolean isPolicyQualifiersRejected) {
    try {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");  //TODO use BCFIPS when "Support for PKIXRevocationChecker
                                                                        //in the CertPath implementation" is added

        PKIXParameters pkix = new PKIXParameters(trustAnchorSet);

        if(isRevocationChecked){
            PKIXRevocationChecker prc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            prc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK));
            pkix.addCertPathChecker(prc);
        }
        else{
            pkix.setRevocationEnabled(false);
        }

        pkix.setPolicyQualifiersRejected(isPolicyQualifiersRejected);
        pkix.setDate(null);
        CertPathValidatorResult cpvr = cpv.validate(cp, pkix);
        if (cpvr != null) {
            System.out.println("Certificate validated");
            return true;
        } else {
            System.out.println("Certificate not valid");
            return false;
        }
    } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | CertPathValidatorException ex) {
        Logger.getLogger(PKIXChainValidation.class.getName()).log(Level.SEVERE, null, ex);
        return false;
    }
}
 

private CertPathParameters getParameters(KeyStore trustStore)
{
    try
    {
        final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        parameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
        if (_certificateRevocationCheckEnabled)
        {
            if (_certificateRevocationListUrl != null)
            {
                parameters.addCertStore(
                        CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
            }
            final PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) CertPathBuilder
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker();
            final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
            if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
            {
                options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            }
            if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
            {
                options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            }
            if (_certificateRevocationCheckWithNoFallback)
            {
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            }
            if (_certificateRevocationCheckWithIgnoringSoftFailures)
            {
                options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
            }
            revocationChecker.setOptions(options);
            parameters.addCertPathChecker(revocationChecker);
        }
        return parameters;
    }
    catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
    {
        throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
                getName() + "' :" + e, e);
    }
}
 

/**
 * Validate certificate path
 * 
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain)
        throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException,
        CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX algorithm is defined in rfc3280
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");

    X509CertSelector certSelector = new X509CertSelector();

    // set last certificate (often root CA) from chain for CertSelector so trust store must contain it
    certSelector.setCertificate(chain[chain.length - 1]);

    // checks against time validity aren't done here as are already done in checkDateValidity (X509Certificate[]
    // chain)
    certSelector.setCertificateValid(null);
    // create parameters using trustStore as source of Trust Anchors and using X509CertSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);

    // will use PKIXRevocationChecker (or nothing if revocation mechanisms are
    // disabled) instead of the default revocation checker
    parameters.setRevocationEnabled(false);   

    // if revoked certificates aren't accepted, but no revocation checks then only
    // certificates from blacklist will be rejected
    if (acceptRevoked == false) {
        
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();

        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // if soft fail isn't enabled then OCSP or CRL must pass validation, in case
        // when any of them cannot be validated verification will fail, if soft fail
        // is enabled then in case of network issues revocation checking is omitted
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // check OCSP, CRL serve as backup
        if (checkOCSP && checkCRL) {
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // check only CRL, if CRL fail then there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
                    
    }
    
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();

        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator
                .validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();

        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check if all certificates in path have Basic Constraints, only certificate that isn't required to have
        // this extension is last certificate: root CA
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertificateRevokedException e) {
        Log.warning("Certificate was revoked", e);
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    break;
                }
            }
        }
        throw new CertificateException("Certificate was revoked");
    }
}