/**
 * Build the PKIX parameters used to initialise the trust manager.
 * Only the default {@code PKIX} algorithm is supported.
 *
 * When a CRL file is configured it is loaded into an in-memory
 * {@code Collection} cert store and revocation checking is switched on
 * unconditionally; {@code revocationEnabled} is consulted only when no CRL
 * file is given. Whether the JSSE provider additionally fetches CRLs or OCSP
 * responses on its own is governed by provider-specific settings, not by
 * anything in this method.
 *
 * @param crlf              path to the CRL file; {@code null} or empty means "no CRL file"
 * @param trustStore        the configured trust store (its trusted certificate
 *                          entries become the trust anchors)
 * @param revocationEnabled whether the provider should perform revocation checks;
 *                          ignored when {@code crlf} names a file
 * @return the PKIX builder parameters carrying the trust store, any CRLs and
 *         the host's configured maximum verification depth
 * @throws Exception if the trust store is unusable or the CRL file cannot be loaded
 */
protected CertPathParameters getParameters(String crlf, KeyStore trustStore,
        boolean revocationEnabled) throws Exception {
    PKIXBuilderParameters pkixParams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    boolean hasCrlFile = crlf != null && !crlf.isEmpty();
    if (hasCrlFile) {
        // Local CRL file: make it available to the path builder and force
        // revocation checking on, regardless of the caller's flag.
        Collection<? extends CRL> crls = getCRLs(crlf);
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls));
        pkixParams.addCertStore(crlStore);
        pkixParams.setRevocationEnabled(true);
    } else {
        pkixParams.setRevocationEnabled(revocationEnabled);
    }
    // Bound the chain depth to the host's configured verification depth.
    pkixParams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
    return pkixParams;
}
/**
 * Build the trust-manager initialisation parameters for the given algorithm.
 * Only {@code PKIX} (compared case-insensitively) is supported; any other
 * algorithm is rejected with a {@link CRLException}, because CRL handling
 * here is tied to the PKIX path builder.
 *
 * The CRLs read from {@code crlFilename} are served to the path builder
 * through an in-memory {@code Collection} cert store and revocation checking
 * is always enabled. {@code crlFilename} is handed straight to
 * {@code getCRLs}; it is the caller's responsibility to only invoke this
 * when a CRL file was actually configured.
 *
 * @param algorithm                 trust-manager algorithm name, expected to be {@code PKIX}
 * @param crlFilename               path to the CRL file
 * @param maxCertificateChainLength optional bound on the chain length; when
 *                                  {@code null} the {@code PKIXParameters} default applies
 * @param trustStore                the configured trust store
 * @return the PKIX parameters carrying the trust store and the CRLs
 * @throws InvalidAlgorithmParameterException if the trust store yields no usable trust anchor
 * @throws KeyStoreException                  if the trust store is not initialised
 * @throws IOException                        propagated from loading the CRL file
 * @throws CertificateException               propagated from parsing the CRL file
 * @throws CRLException                       if {@code algorithm} is not PKIX, or the CRL is invalid
 * @throws NoSuchAlgorithmException           if the {@code Collection} cert store type is unavailable
 */
protected static CertPathParameters getParameters(String algorithm,
                                                   String crlFilename,
                                                   Integer maxCertificateChainLength,
                                                   KeyStore trustStore)
        throws KeyStoreException, InvalidAlgorithmParameterException, CRLException, CertificateException, IOException, NoSuchAlgorithmException
{
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    PKIXBuilderParameters pkixParams =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
    // Expose the file-based CRLs to the path builder via a Collection store.
    Collection<? extends CRL> crls = getCRLs(crlFilename);
    CertStore crlStore = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(crls));
    pkixParams.addCertStore(crlStore);
    pkixParams.setRevocationEnabled(true);
    if (maxCertificateChainLength != null) {
        pkixParams.setMaxPathLength(maxCertificateChainLength.intValue());
    }
    return pkixParams;
}
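/**
 * Check whether a certificate chain is trusted by this validator.
 *
 * The chain is turned into a {@code CertPath} and run through the
 * configured {@code CertPathValidator} against the parameters built from
 * {@code keystore}. Any validation failure, and any
 * {@link GeneralSecurityException} raised while building the path, is
 * reported as "not trusted". This is path validation only: matching the
 * certificate against a host name or other identity, if required, has to
 * happen elsewhere.
 *
 * @param chain the certificate chain, in the order the validator expects
 *              (for PKIX, end-entity first); {@code null} or empty is never trusted
 * @return {@code true} if the validator accepts the chain, {@code false}
 *         otherwise (including when no keystore is configured)
 */
public boolean validateCertificateChain(List<X509Certificate> chain) {
    if (keystore == null) {
        return false;
    }
    // Fail closed on degenerate input instead of letting generateCertPath /
    // validate throw an unchecked exception out of this method.
    if (chain == null || chain.isEmpty()) {
        return false;
    }
    try {
        CertPath c = getCertificateFactory().generateCertPath(chain);
        CertPathValidator cpv = getCertPathValidator();
        CertPathParameters params = getCertPathParameters(keystore);
        cpv.validate(c, params);
    } catch (GeneralSecurityException gse) {
        if (debug.certificates) {
            debug.printStackTrace("Failed to validate cert", gse);
        }
        // NYI! Log this?
        return false;
    }
    return true;
}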
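/**
 * Build the PKIX parameters used by {@code validateCertificateChain}.
 *
 * Every X.509 certificate in {@code keystore} stored as a trusted-certificate
 * entry becomes a trust anchor; when {@code trustKeys} is set, the
 * certificates of key entries are trusted as anchors as well. Revocation
 * checking is not yet implemented and is explicitly disabled, so a revoked
 * certificate that otherwise chains to an anchor will still validate.
 *
 * @param keystore the store whose certificates act as trust anchors
 * @return PKIX parameters with the collected anchors, revocation checking
 *         off and, if {@code validationDate} is set, that date in place of "now"
 * @throws GeneralSecurityException if the store cannot be read or yields no
 *         trust anchor ({@code PKIXParameters} rejects an empty anchor set)
 */
private CertPathParameters getCertPathParameters(KeyStore keystore)
    throws GeneralSecurityException
{
    HashSet<TrustAnchor> tas = new HashSet<TrustAnchor>();
    for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements(); ) {
        String name = e.nextElement();
        Certificate c = keystore.getCertificate(name);
        // Only X.509 certificates can be trust anchors. A non-X.509 entry
        // previously escaped as a ClassCastException, which the caller's
        // GeneralSecurityException handler does not catch; skip it instead.
        if (!(c instanceof X509Certificate)) {
            continue;
        }
        if (trustKeys || keystore.isCertificateEntry(name)) {
            tas.add(new TrustAnchor((X509Certificate) c, null));
        }
    }
    PKIXParameters p = new PKIXParameters(tas);
    // NYI! Handle CRLs
    p.setRevocationEnabled(false);
    if (validationDate != null) {
        p.setDate(validationDate);
    }
    return p;
}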
/**
 * Test-double implementation that performs no validation. Each call bumps
 * {@code sw}; a {@code null} path throws on every even-numbered call and
 * {@code null} parameters throw on every third call (path check first).
 * In all other cases the result is {@code null}.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
        CertPathParameters params) throws CertPathValidatorException,
        InvalidAlgorithmParameterException {
    int call = ++sw;
    boolean nullPathThrows = certPath == null && call % 2 == 0;
    if (nullPathThrows) {
        throw new CertPathValidatorException("certPath null");
    }
    boolean nullParamsThrow = params == null && call % 3 == 0;
    if (nullParamsThrow) {
        throw new InvalidAlgorithmParameterException("params null");
    }
    return null;
}
/**
 * Create the {@code TrustManager}s for a trust store and an optional CRL file.
 *
 * Without a CRL file the factory is initialised directly from the trust
 * store, so {@code maxCertificatePathLength} is not applied and revocation
 * checking is whatever the provider does by default. With a CRL file, PKIX
 * parameters are built via {@code getParameters} (which requires a PKIX
 * algorithm, enables revocation checking and applies the path-length bound)
 * and wrapped in {@code CertPathTrustManagerParameters}.
 *
 * @param trustStoreFilename       path of the trust store
 * @param trustStorePassword       trust store password (passed around as a {@code String})
 * @param trustStoreType           keystore type, handed to {@code getStore}
 * @param trustStoreProvider       keystore provider, handed to {@code getStore}
 * @param trustStoreAlgorithm      trust-manager algorithm; {@code null} selects
 *                                 {@link TrustManagerFactory#getDefaultAlgorithm()}
 * @param maxCertificatePathLength optional chain-length bound, only honoured with a CRL file
 * @param crlFilename              CRL file path, or {@code null} for no CRL handling
 *
 * @return the trust managers produced by the initialised factory
 *
 * @throws IOException                        if the store or CRL file cannot be read
 * @throws KeyStoreException                  on keystore errors
 * @throws NoSuchProviderException            if {@code trustStoreProvider} is unknown
 * @throws NoSuchAlgorithmException           if the algorithm or store type is unavailable
 * @throws CertificateException               on certificate/CRL parsing errors
 * @throws InvalidAlgorithmParameterException if the PKIX parameters are rejected
 * @throws CRLException                       if CRLs are requested for a non-PKIX algorithm or are invalid
 */
protected static TrustManager[] getTrustManagers(String trustStoreFilename,
                                                 String trustStorePassword,
                                                 String trustStoreType,
                                                 String trustStoreProvider,
                                                 String trustStoreAlgorithm,
                                                 Integer maxCertificatePathLength,
                                                 String crlFilename)
    throws IOException, KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, InvalidAlgorithmParameterException, CRLException
{
    KeyStore trustStore = getStore(trustStoreFilename,
                                   trustStorePassword,
                                   trustStoreType,
                                   trustStoreProvider);
    String algorithm = (trustStoreAlgorithm != null)
            ? trustStoreAlgorithm
            : TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    if (crlFilename != null) {
        // CRL handling requested: initialise through explicit PKIX parameters.
        CertPathParameters pkixParams = getParameters(algorithm,
                                                      crlFilename,
                                                      maxCertificatePathLength,
                                                      trustStore);
        factory.init(new CertPathTrustManagerParameters(pkixParams));
    } else {
        factory.init(trustStore);
    }
    return factory.getTrustManagers();
}
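/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported; any other
 * algorithm is rejected with a {@link CRLException} because CRL handling
 * here is tied to the PKIX path builder.
 *
 * The CRLs read from {@code crlf} are exposed to the path builder through an
 * in-memory {@code Collection} cert store and revocation checking is always
 * enabled. The endpoint's {@code trustMaxCertLength} setting, if present,
 * bounds the chain length; a value that does not parse, or that
 * {@code setMaxPathLength} rejects (below -1), is logged and ignored,
 * leaving the {@code PKIXParameters} default bound in force.
 *
 * @param algorithm  The algorithm to get parameters for (expected: {@code PKIX}).
 * @param crlf       The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception if the trust store is unusable, the CRL file cannot be
 *                   loaded, or {@code algorithm} is not PKIX
 */
protected CertPathParameters getParameters(String algorithm,
                                           String crlf,
                                           KeyStore trustStore)
    throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    PKIXBuilderParameters xparams =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    CertStore store = CertStore.getInstance("Collection", csp);
    xparams.addCertStore(store);
    xparams.setRevocationEnabled(true);
    String trustLength = endpoint.getTrustMaxCertLength();
    if (trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (IllegalArgumentException ex) {
            // Covers NumberFormatException from parseInt and the
            // InvalidParameterException setMaxPathLength throws for values
            // below -1 — the only failures this configuration value can cause.
            // Anything else now propagates instead of being masked as a
            // bad setting, and the cause is kept for the log.
            log.warn("Bad maxCertLength: "+trustLength, ex);
        }
    }
    return xparams;
}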
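/**
 * Return the initialization parameters for the TrustManager.
 * Currently, only the default <code>PKIX</code> is supported: CRL handling
 * is tied to the PKIX path builder, so any other algorithm is rejected with
 * a {@link CRLException}.
 *
 * CRLs loaded from {@code crlf} are placed in an in-memory
 * {@code Collection} cert store and revocation checking is always switched
 * on. When the endpoint provides a {@code trustMaxCertLength}, it bounds the
 * chain length; an unparseable value, or one {@code setMaxPathLength}
 * refuses (below -1), is logged and ignored, so the {@code PKIXParameters}
 * default bound stays in effect.
 *
 * @param algorithm  The algorithm to get parameters for (expected: {@code PKIX}).
 * @param crlf       The path to the CRL file.
 * @param trustStore The configured TrustStore.
 * @return The parameters including the CRLs and TrustStore.
 * @throws Exception if the trust store is unusable, the CRL file cannot be
 *                   loaded, or {@code algorithm} is not PKIX
 */
protected CertPathParameters getParameters(String algorithm,
                                           String crlf,
                                           KeyStore trustStore)
    throws Exception {
    if (!"PKIX".equalsIgnoreCase(algorithm)) {
        throw new CRLException("CRLs not supported for type: "+algorithm);
    }
    PKIXBuilderParameters xparams =
        new PKIXBuilderParameters(trustStore, new X509CertSelector());
    Collection<? extends CRL> crls = getCRLs(crlf);
    CertStoreParameters csp = new CollectionCertStoreParameters(crls);
    CertStore store = CertStore.getInstance("Collection", csp);
    xparams.addCertStore(store);
    xparams.setRevocationEnabled(true);
    String trustLength = endpoint.getTrustMaxCertLength();
    if (trustLength != null) {
        try {
            xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (IllegalArgumentException ex) {
            // NumberFormatException (parseInt) and InvalidParameterException
            // (setMaxPathLength, values below -1) are both
            // IllegalArgumentExceptions; nothing broader was ever reachable
            // here, so the old catch(Exception) only hid programming errors.
            log.warn("Bad maxCertLength: "+trustLength, ex);
        }
    }
    return xparams;
}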
/**
 * Test-double implementation that never builds a path. Every call
 * increments {@code swi}; a {@code null} parameter object throws on
 * odd-numbered calls only, so a test can observe both the exception and the
 * {@code null} result.
 */
public CertPathBuilderResult engineBuild(CertPathParameters params)
        throws CertPathBuilderException, InvalidAlgorithmParameterException {
    int call = ++swi;
    boolean oddCall = (call % 2) != 0;
    if (params == null && oddCall) {
        throw new CertPathBuilderException("Null parameter");
    }
    return null;
}
/**
 * Test for <code>CertPathBuilderSpi</code> constructor Assertion:
 * constructs CertPathBuilderSpi. Relies on the stub alternating: the first
 * {@code engineBuild(null)} must throw, the second must return {@code null}.
 */
public void testCertPathBuilderSpi01() throws CertPathBuilderException,
        InvalidAlgorithmParameterException {
    CertPathBuilderSpi spi = new MyCertPathBuilderSpi();
    CertPathParameters noParams = null;
    boolean thrown = false;
    try {
        spi.engineBuild(noParams);
    } catch (CertPathBuilderException expected) {
        thrown = true;
    }
    if (!thrown) {
        fail("CertPathBuilderException must be thrown");
    }
    CertPathBuilderResult result = spi.engineBuild(noParams);
    assertNull("Not null CertPathBuilderResult", result);
}
/** Stub: records that it was invoked and builds nothing. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: flags the call via {@code called}; the parameters are ignored. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub used by tests: marks itself as called and returns no result. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: records that it was invoked and builds nothing. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: flags the call via {@code called}; the parameters are ignored. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub used by tests: marks itself as called and returns no result. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: records that it was invoked and builds nothing. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
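/**
 * Build the {@code PKIXBuilderParameters} for this trust store.
 *
 * Revocation checking is driven entirely by
 * {@code _certificateRevocationCheckEnabled}: when it is off nothing else is
 * consulted, and a configured CRL URL is silently ignored. When it is on,
 * the CRLs from {@code getCRLs()} (only if a URL is configured) are served
 * through an in-memory {@code Collection} cert store and a
 * {@code PKIXRevocationChecker} with the configured options is attached.
 * Mind the option semantics documented on {@code PKIXRevocationChecker.Option}:
 * {@code SOFT_FAIL} lets a certificate through when its revocation status
 * cannot be determined, {@code ONLY_END_ENTITY} skips revocation checks for
 * CA certificates, and {@code NO_FALLBACK} disables the fallback between
 * OCSP and CRLs.
 *
 * @param trustStore the loaded trust store whose trusted certificate entries act as anchors
 * @return the builder parameters, with a revocation checker attached when enabled
 * @throws IllegalConfigurationException if the parameters cannot be created
 *         (no usable trust anchor, uninitialised store, or PKIX unavailable)
 */
private CertPathParameters getParameters(KeyStore trustStore)
{
    try
    {
        final PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        parameters.setRevocationEnabled(_certificateRevocationCheckEnabled);
        if (_certificateRevocationCheckEnabled)
        {
            if (_certificateRevocationListUrl != null)
            {
                parameters.addCertStore(
                        CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
            }
            // The revocation checker belongs to the PKIX CertPathBuilder, so look
            // it up under that algorithm explicitly. The TrustManagerFactory
            // default algorithm lives in a different algorithm namespace and can
            // be reconfigured; using it here would throw, or fail the cast, as
            // soon as it no longer happens to be "PKIX".
            final PKIXRevocationChecker revocationChecker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            final Set<PKIXRevocationChecker.Option> options = new HashSet<>();
            if (_certificateRevocationCheckOfOnlyEndEntityCertificates)
            {
                options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            }
            if (_certificateRevocationCheckWithPreferringCertificateRevocationList)
            {
                options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            }
            if (_certificateRevocationCheckWithNoFallback)
            {
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            }
            if (_certificateRevocationCheckWithIgnoringSoftFailures)
            {
                options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
            }
            revocationChecker.setOptions(options);
            parameters.addCertPathChecker(revocationChecker);
        }
        return parameters;
    }
    catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException e)
    {
        throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" +
                                                getName() + "' :" + e, e);
    }
}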
/** Stub: records that it was invoked and builds nothing. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: flags the call via {@code called}; the parameters are ignored. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub used by tests: marks itself as called and returns no result. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: records that it was invoked and builds nothing. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub: flags the call via {@code called}; the parameters are ignored. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/** Stub used by tests: marks itself as called and returns no result. */
public CertPathBuilderResult engineBuild(CertPathParameters params) {
    this.called = true;
    return null;
}
/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> (the builder-based
 * <code>PKIXExtendedParameters</code> is accepted as well).
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * <p>
 * NOTE(review): the local <code>trustedACIssuers</code> set in this method is
 * created empty and never populated from <code>params</code> before it is
 * passed to <code>processAttrCert4</code>, unlike the other
 * ExtendedPKIXParameters settings that are copied across. Whether that makes
 * step 4 reject every issuer depends on
 * <code>RFC3281CertPathUtilities.processAttrCert4</code>, which is not
 * visible here — confirm against it and against the
 * <code>setTrustedACIssuers</code> contract documented above.
 *
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate. Must contain at
 *            least one certificate; the first one is taken as the AC issuer.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    // Only parameter objects that can carry the attribute-certificate
    // settings are accepted: the legacy ExtendedPKIXParameters or the
    // builder-based PKIXExtendedParameters.
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
            + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    // Defaults used when the caller did not supply ExtendedPKIXParameters;
    // raw Set types are kept as in the surrounding API.
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    // NOTE(review): stays empty — nothing below copies the trusted AC
    // issuers out of params (see the Javadoc note).
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        // Legacy path: rebuild as PKIXExtendedParameters, carrying over the
        // delta-CRL flag, validity model and AC-specific settings when the
        // caller passed ExtendedPKIXParameters.
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);
        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }
        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        // Already the new parameter type; the instanceof check at the top
        // guarantees this cast.
        paramsPKIX = (PKIXExtendedParameters)params;
    }
    // The attribute certificate under test travels inside the target
    // constraints selector.
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
            + X509AttributeCertStoreSelector.class.getName() + " for "
            + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();
    // Step-by-step processing; judging by the helper names these follow the
    // numbered RFC 3281 validation steps (helpers not visible here).
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    // The first certificate of the supplied path is treated as the AC
    // issuer's certificate. Unless processAttrCert2 has already rejected an
    // empty path, get(0) fails here with an unchecked
    // IndexOutOfBoundsException rather than a CertPathValidatorException.
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    // Validation date according to the configured validity model
    // (the null / -1 arguments presumably mean "not tied to a particular
    // path certificate" — see the helper).
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    // Revocation check of the attribute certificate itself against CRLs.
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
/**
 * Validates an attribute certificate with the given certificate path.
 *
 * <p>
 * <code>params</code> must be an instance of
 * <code>ExtendedPKIXParameters</code> (the builder-based
 * <code>PKIXExtendedParameters</code> is accepted as well).
 * <p>
 * The target constraints in the <code>params</code> must be an
 * <code>X509AttributeCertStoreSelector</code> with at least the attribute
 * certificate criterion set. Note that target information may also be
 * necessary to correctly validate this attribute certificate.
 * <p>
 * The attribute certificate issuer must be added to the trusted attribute
 * issuers with {@link org.ripple.bouncycastle.x509.ExtendedPKIXParameters#setTrustedACIssuers(java.util.Set)}.
 * <p>
 * NOTE(review): the local <code>trustedACIssuers</code> set in this method is
 * created empty and never populated from <code>params</code> before it is
 * passed to <code>processAttrCert4</code>, unlike the other
 * ExtendedPKIXParameters settings that are copied across. Whether that makes
 * step 4 reject every issuer depends on
 * <code>RFC3281CertPathUtilities.processAttrCert4</code>, which is not
 * visible here — confirm against it and against the
 * <code>setTrustedACIssuers</code> contract documented above.
 *
 * @param certPath The certificate path which belongs to the attribute
 *            certificate issuer public key certificate. Must contain at
 *            least one certificate; the first one is taken as the AC issuer.
 * @param params The PKIX parameters.
 * @return A <code>PKIXCertPathValidatorResult</code> of the result of
 *         validating the <code>certPath</code>.
 * @throws java.security.InvalidAlgorithmParameterException if <code>params</code> is
 *             inappropriate for this validator.
 * @throws java.security.cert.CertPathValidatorException if the verification fails.
 */
public CertPathValidatorResult engineValidate(CertPath certPath,
    CertPathParameters params) throws CertPathValidatorException,
    InvalidAlgorithmParameterException
{
    // Only parameter objects that can carry the attribute-certificate
    // settings are accepted: the legacy ExtendedPKIXParameters or the
    // builder-based PKIXExtendedParameters.
    if (!(params instanceof ExtendedPKIXParameters || params instanceof PKIXExtendedParameters))
    {
        throw new InvalidAlgorithmParameterException(
            "Parameters must be a "
            + ExtendedPKIXParameters.class.getName() + " instance.");
    }
    // Defaults used when the caller did not supply ExtendedPKIXParameters;
    // raw Set types are kept as in the surrounding API.
    Set attrCertCheckers = new HashSet();
    Set prohibitedACAttrbiutes = new HashSet();
    Set necessaryACAttributes = new HashSet();
    // NOTE(review): stays empty — nothing below copies the trusted AC
    // issuers out of params (see the Javadoc note).
    Set trustedACIssuers = new HashSet();
    PKIXExtendedParameters paramsPKIX;
    if (params instanceof PKIXParameters)
    {
        // Legacy path: rebuild as PKIXExtendedParameters, carrying over the
        // delta-CRL flag, validity model and AC-specific settings when the
        // caller passed ExtendedPKIXParameters.
        PKIXExtendedParameters.Builder paramsPKIXBldr = new PKIXExtendedParameters.Builder((PKIXParameters)params);
        if (params instanceof ExtendedPKIXParameters)
        {
            ExtendedPKIXParameters extPKIX = (ExtendedPKIXParameters)params;
            paramsPKIXBldr.setUseDeltasEnabled(extPKIX.isUseDeltasEnabled());
            paramsPKIXBldr.setValidityModel(extPKIX.getValidityModel());
            attrCertCheckers = extPKIX.getAttrCertCheckers();
            prohibitedACAttrbiutes = extPKIX.getProhibitedACAttributes();
            necessaryACAttributes = extPKIX.getNecessaryACAttributes();
        }
        paramsPKIX = paramsPKIXBldr.build();
    }
    else
    {
        // Already the new parameter type; the instanceof check at the top
        // guarantees this cast.
        paramsPKIX = (PKIXExtendedParameters)params;
    }
    // The attribute certificate under test travels inside the target
    // constraints selector.
    Selector certSelect = paramsPKIX.getTargetConstraints();
    if (!(certSelect instanceof X509AttributeCertStoreSelector))
    {
        throw new InvalidAlgorithmParameterException(
            "TargetConstraints must be an instance of "
            + X509AttributeCertStoreSelector.class.getName() + " for "
            + this.getClass().getName() + " class.");
    }
    X509AttributeCertificate attrCert = ((X509AttributeCertStoreSelector) certSelect)
        .getAttributeCert();
    // Step-by-step processing; judging by the helper names these follow the
    // numbered RFC 3281 validation steps (helpers not visible here).
    CertPath holderCertPath = RFC3281CertPathUtilities.processAttrCert1(attrCert, paramsPKIX);
    CertPathValidatorResult result = RFC3281CertPathUtilities.processAttrCert2(certPath, paramsPKIX);
    // The first certificate of the supplied path is treated as the AC
    // issuer's certificate. Unless processAttrCert2 has already rejected an
    // empty path, get(0) fails here with an unchecked
    // IndexOutOfBoundsException rather than a CertPathValidatorException.
    X509Certificate issuerCert = (X509Certificate) certPath
        .getCertificates().get(0);
    RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
    RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
    RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
    // 6 already done in X509AttributeCertStoreSelector
    RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
    RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
    // Validation date according to the configured validity model
    // (the null / -1 arguments presumably mean "not tied to a particular
    // path certificate" — see the helper).
    Date date = null;
    try
    {
        date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
    }
    catch (AnnotatedException e)
    {
        throw new ExtCertPathValidatorException(
            "Could not get validity date from attribute certificate.", e);
    }
    // Revocation check of the attribute certificate itself against CRLs.
    RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
    return result;
}
/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. A defensive clone is stored so that later changes to the
 * caller's object cannot alter what the trust manager is initialised with.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null (the clone call
 *         dereferences it)
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    CertPathParameters copy = (CertPathParameters) parameters.clone();
    this.parameters = copy;
}
/**
 * Return a clone of the CertPathParameters encapsulated by this class, so
 * callers cannot mutate the stored instance through the returned object.
 *
 * @return a fresh clone of the encapsulated CertPathParameters
 */
public CertPathParameters getParameters() {
    CertPathParameters stored = parameters;
    return (CertPathParameters) stored.clone();
}
/**
 * Construct new CertPathTrustManagerParameters from the specified
 * parameters. Only a clone is retained, which protects the trust manager's
 * configuration from subsequent modification of the caller's object.
 *
 * @param parameters the CertPathParameters to be used
 *
 * @throws NullPointerException if parameters is null (raised by the clone call)
 */
public CertPathTrustManagerParameters(CertPathParameters parameters) {
    CertPathParameters snapshot = (CertPathParameters) parameters.clone();
    this.parameters = snapshot;
}
/**
 * Return a clone of the CertPathParameters encapsulated by this class; the
 * internal instance itself is never handed out.
 *
 * @return a fresh clone of the encapsulated CertPathParameters
 */
public CertPathParameters getParameters() {
    CertPathParameters stored = parameters;
    return (CertPathParameters) stored.clone();
}