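/**
 * Wraps {@code tm} and, when {@code verifyServerCertificate} is set, prepares a
 * PKIX validator whose trust anchors are the wrapped manager's accepted issuers.
 *
 * @param tm the trust manager to delegate to
 * @param verifyServerCertificate whether server chains are to be PKIX-validated
 * @throws CertificateException if the PKIX parameters, the validator or the
 *         certificate factory cannot be created
 */
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;
    if (!verifyServerCertificate) {
        return;
    }
    try {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate issuer : tm.getAcceptedIssuers()) {
            // null: the anchor carries no name constraints of its own
            anchors.add(new TrustAnchor(issuer, null));
        }
        this.validatorParams = new PKIXParameters(anchors);
        // Revocation (CRL/OCSP) is deliberately not checked: a revoked server
        // certificate that chains to an accepted issuer still validates here.
        this.validatorParams.setRevocationEnabled(false);
        this.validator = CertPathValidator.getInstance("PKIX");
        this.certFactory = CertificateFactory.getInstance("X.509");
    } catch (java.security.GeneralSecurityException e) {
        // Narrowed from Exception: covers InvalidAlgorithmParameterException,
        // NoSuchAlgorithmException and CertificateException from the calls
        // above, without masking programming errors as certificate failures.
        throw new CertificateException(e);
    }
}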
/**
 * Looks up a trust anchor matching {@code cert}'s subject and public key, first in
 * the in-memory index and then, if one is configured, in the TrustedCertificateStore.
 *
 * @param cert the certificate to look up
 * @return the matching anchor, or {@code null} if it is not trusted
 */
private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
    TrustAnchor indexed = trustedCertificateIndex.findBySubjectAndPublicKey(cert);
    if (indexed != null) {
        return indexed;
    }
    // Nothing indexed and no backing store to fall back on.
    if (trustedCertificateStore == null) {
        return null;
    }
    // AndroidCAStore keeps its files hashed by subject, so this probe is cheaper
    // than enumerating every key store entry.
    X509Certificate fromStore = trustedCertificateStore.getTrustAnchor(cert);
    if (fromStore == null) {
        return null;
    }
    // Deliberately NOT added to the index here. findAllTrustAnchorsByIssuerAndSignature
    // is the only writer of the index; that lets it skip the TrustedCertificateStore
    // whenever the index already holds an issuer for a certificate, because it
    // will have cached every certificate the store contains.
    return new TrustAnchor(fromStore, null);
}
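/**
 * Sets the trusted attribute certificate (AC) issuers. If attribute certificates
 * are verified the trusted AC issuers must be set.
 * <p>
 * The <code>trustedACIssuers</code> must be a <code>Set</code> of
 * <code>TrustAnchor</code>.
 * <p>
 * The given set is copied; later changes to it are not reflected here.
 * <p>
 * A <code>null</code> argument clears the currently trusted AC issuers.
 *
 * @param trustedACIssuers The trusted AC issuers to set, or <code>null</code>
 *        to clear the set.
 * @throws ClassCastException if an element of <code>trustedACIssuers</code>
 *         is not a <code>TrustAnchor</code>; the current set is left
 *         unchanged in that case.
 */
public void setTrustedACIssuers(Set trustedACIssuers) {
    if (trustedACIssuers == null) {
        this.trustedACIssuers.clear();
        return;
    }
    // Validate every element before mutating so that a bad element leaves
    // the previous configuration intact.
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) {
        if (!(it.next() instanceof TrustAnchor)) {
            throw new ClassCastException("All elements of set must be "
                + "of type " + TrustAnchor.class.getName() + ".");
        }
    }
    this.trustedACIssuers.clear();
    this.trustedACIssuers.addAll(trustedACIssuers);
}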
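/**
 * Checks that the attribute certificate issuer certificate is directly
 * trusted, i.e. that it matches one of the trusted AC issuer anchors either
 * by the anchor's trusted certificate or by the anchor's CA name (RFC 2253
 * form of the issuer certificate's subject).
 * <p>
 * The name comparison binds the subject DN only, not the key; whether
 * <code>acIssuerCert</code> has itself been path-validated is up to the
 * caller.
 *
 * @param acIssuerCert the certificate of the attribute certificate issuer
 * @param pkixParams the parameters holding the trusted AC issuers
 * @throws CertPathValidatorException if the issuer matches no trusted anchor
 */
protected static void processAttrCert4(X509Certificate acIssuerCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException {
    Set set = pkixParams.getTrustedACIssuers();
    String issuerName = acIssuerCert.getSubjectX500Principal().getName("RFC2253");
    for (Iterator it = set.iterator(); it.hasNext();) {
        TrustAnchor anchor = (TrustAnchor) it.next();
        if (issuerName.equals(anchor.getCAName())
            || acIssuerCert.equals(anchor.getTrustedCert())) {
            // Directly trusted; the remaining anchors need not be scanned.
            return;
        }
    }
    throw new CertPathValidatorException(
        "Attribute certificate issuer is not directly trusted.");
}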
/**
 * Builds the set of trust anchors for PKIX validation, one per certificate
 * carried by the validation information.
 *
 * @param validationInfo PKIX validation information
 * @return the trust anchors to use during validation
 */
protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo) {
    Collection<X509Certificate> anchorCerts = validationInfo.getCertificates();
    log.trace("Constructing trust anchors for PKIX validation");
    Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    for (X509Certificate anchorCert : anchorCerts) {
        anchors.add(buildTrustAnchor(anchorCert));
    }
    // Per-anchor dump only when trace is on, to avoid the toString() cost.
    if (log.isTraceEnabled()) {
        for (TrustAnchor anchor : anchors) {
            log.trace("TrustAnchor: {}", anchor.toString());
        }
    }
    return anchors;
}
/**
 * Logs, at debug level, the target certificate, every certificate of the
 * built path, and the trust anchor the path ends in.
 *
 * @param buildResult the PKIX cert path builder result containing the cert path and trust anchor
 * @param targetCert the untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate pathCert : buildResult.getCertPath().getCertificates()) {
        X509Certificate x509 = (X509Certificate) pathCert;
        log.debug("CertPath certificate: {}", x500DNHandler.getName(x509.getSubjectX500Principal()));
    }
    TrustAnchor anchor = buildResult.getTrustAnchor();
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert != null) {
        // certificate-based anchor
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchorCert.getSubjectX500Principal()));
        return;
    }
    if (anchor.getCA() != null) {
        // name/key-based anchor
        log.debug("TrustAnchor: {}", x500DNHandler.getName(anchor.getCA()));
        return;
    }
    log.debug("TrustAnchor: {}", anchor.getCAName());
}
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *        certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints) {
    if (anchor == null) {
        throw new IllegalArgumentException("The trust anchor cannot be null");
    }
    // Whether the anchor is certificate-based or (name, key)-based, its
    // public key is where the checking chain starts.
    X509Certificate anchorCert = anchor.getTrustedCert();
    this.trustedPubKey = (anchorCert != null)
            ? anchorCert.getPublicKey()
            : anchor.getCAPublicKey();
    this.prevPubKey = this.trustedPubKey;
    this.constraints = constraints;
}
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * Takes effect only while no trust anchor has been set and checking has not
 * started (both indicated by <code>prevPubKey</code> being null); otherwise
 * the call is a no-op.
 *
 * @param anchor the trust anchor selected to validate the target
 *        certificate
 * @throws IllegalArgumentException if an anchor is needed but null was given
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    if (prevPubKey != null) {
        // Checking already started, or an anchor was already supplied.
        return;
    }
    if (anchor == null) {
        throw new IllegalArgumentException("The trust anchor cannot be null");
    }
    // Only prevPubKey is seeded; trustedPubKey is intentionally left alone.
    X509Certificate anchorCert = anchor.getTrustedCert();
    prevPubKey = (anchorCert != null)
            ? anchorCert.getPublicKey()
            : anchor.getCAPublicKey();
}
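/**
 * Initialize the builder with the input parameters.
 *
 * @param buildParams the parameter set used to build a certification path
 * @param searchAllCertStores whether all CertStores should be searched;
 *        stored for the builder's lookup logic, which lives outside this
 *        constructor
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);
    // Populate the sets of trusted certificates and trusted subject DNs
    // from the trust anchors.
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            // name-only anchor: no certificate to record, but its DN is trusted
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}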
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *        certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints) {
    if (anchor == null) {
        throw new IllegalArgumentException("The trust anchor cannot be null");
    }
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        // (name, key) anchor: no certificate to fingerprint
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.trustedPubKey = anchorCert.getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchorCert);
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    }
    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * Takes effect only while no trust anchor has been set and checking has not
 * started (both indicated by <code>prevPubKey</code> being null); otherwise
 * the call is a no-op.
 *
 * @param anchor the trust anchor selected to validate the target
 *        certificate
 * @throws IllegalArgumentException if an anchor is needed but null was given
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    if (prevPubKey != null) {
        // Checking already started, or an anchor was already supplied.
        return;
    }
    if (anchor == null) {
        throw new IllegalArgumentException("The trust anchor cannot be null");
    }
    // Only prevPubKey is seeded; trustedPubKey is intentionally left alone.
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        prevPubKey = anchor.getCAPublicKey();
        return;
    }
    prevPubKey = anchorCert.getPublicKey();
    // Check for anchor certificate restrictions
    trustedMatch = checkFingerprint(anchorCert);
    if (trustedMatch && debug != null) {
        debug.println("trustedMatch = true");
    }
}
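/**
 * Initialize the builder with the input parameters.
 *
 * @param buildParams the parameter set used to build a certification path
 * @param searchAllCertStores whether all CertStores should be searched;
 *        stored for the builder's lookup logic, which lives outside this
 *        constructor
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);
    // Populate the sets of trusted certificates and trusted subject DNs
    // from the trust anchors.
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            // name-only anchor: no certificate to record, but its DN is trusted
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}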
/**
 * Builds the certification path and PKIX parameters for this test from the
 * given certificate files: {@code certs[0]} becomes the trust anchor and the
 * remaining files form the path in reverse file order (last file first).
 * Revocation checking is disabled and the target is constrained to the
 * certificate with serial number 1427.
 *
 * @param certs certificate file names, anchor first
 * @throws Exception if a certificate cannot be read or the path cannot be built
 */
public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    // Walk the files back to front so the last file ends up first in the path.
    List list = new ArrayList();
    for (int i = certs.length - 1; i >= 1; i--) {
        list.add(getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    params = new PKIXParameters(Collections.singleton(anchor));
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
/**
 * Builds the certification path and PKIX parameters for this test from the
 * given certificate files: {@code certs[0]} becomes the trust anchor (carrying
 * its own NameConstraints extension, if present) and the remaining files form
 * the path in reverse file order (last file first). Revocation checking is
 * disabled.
 *
 * @param certs certificate file names, anchor first
 * @throws Exception if a certificate cannot be read or the path cannot be built
 */
public static void createPath(String[] certs) throws Exception {
    X509Certificate anchorCert = getCertFromFile(certs[0]);
    // Extension value of NameConstraints (OID 2.5.29.30) is DER wrapped in an
    // OCTET STRING; unwrap it before handing it to the TrustAnchor.
    byte[] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
    if (nameConstraints != null) {
        nameConstraints = new DerInputStream(nameConstraints).getOctetString();
    }
    TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
    // Walk the files back to front so the last file ends up first in the path.
    List list = new ArrayList();
    for (int i = certs.length - 1; i >= 1; i--) {
        list.add(getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);
    anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
}
/**
 * Captures the issuer's name, public key and (if available) certificate,
 * taken from {@code issuerCert} when given and otherwise from {@code anchor}.
 *
 * @param anchor the trust anchor, may be null if {@code issuerCert} is given
 * @param issuerCert the issuer certificate, may be null if {@code anchor} is given
 * @throws NullPointerException if both arguments are null
 */
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert cannot be null");
    }
    this.anchor = anchor;
    if (issuerCert == null) {
        // Fall back to the anchor; a name/key anchor yields a null certificate.
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
        certificate = anchor.getTrustedCert();
    } else {
        name = issuerCert.getSubjectX500Principal();
        pubKey = issuerCert.getPublicKey();
        certificate = issuerCert;
    }
}
/**
 * Obtains the OCSP revocation status of a single certificate by building its
 * CertId and delegating to the list-based {@code check} overload.
 *
 * @param cert the certificate to check
 * @param responderURI the OCSP responder to query
 * @param anchor the trust anchor (may be combined with {@code issuerCert})
 * @param issuerCert the certificate of {@code cert}'s issuer
 * @param responderCert the expected responder certificate
 * @param date the time at which the response is evaluated
 * @param extensions request extensions
 * @param variant the usage variant passed through to the underlying check
 * @return the single response for {@code cert}
 * @throws IOException if the responder cannot be reached or read
 * @throws CertPathValidatorException if the request cannot be encoded or the
 *         response is not acceptable
 */
public static RevocationStatus check(X509Certificate cert, URI responderURI,
        TrustAnchor anchor, X509Certificate issuerCert, X509Certificate responderCert,
        Date date, List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException {
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException("Exception while encoding OCSPRequest", e);
    }
    OCSPResponse.IssuerInfo issuer = new OCSPResponse.IssuerInfo(anchor, issuerCert);
    List<CertId> ids = Collections.singletonList(certId);
    OCSPResponse response = check(ids, responderURI, issuer, responderCert, date, extensions, variant);
    return (RevocationStatus) response.getSingleResponse(certId);
}
/**
 * Validates {@code certList} against {@code anchor} with PKIX revocation
 * checking driven by the pre-supplied OCSP responses for the first two
 * certificates, evaluated at the fixed {@code EVAL_DATE}.
 *
 * @param cf factory used to build the cert path
 * @param certList the chain, end entity at index 0 and its issuer at index 1
 * @param anchor the trust anchor to validate against
 * @throws Exception if path generation or validation fails
 */
private static void runTest(CertificateFactory cf, List<X509Certificate> certList,
        TrustAnchor anchor) throws Exception {
    CertPath path = cf.generateCertPath(certList);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    System.out.println(anchor);
    // Hand the checker the canned OCSP responses, keyed by the certificate
    // each one answers for.
    PKIXRevocationChecker revChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
    Map<X509Certificate, byte[]> responses = new HashMap<>();
    responses.put(certList.get(0), DECODER.decode(EE_OCSP_RESP));
    responses.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP));
    revChecker.setOcspResponses(responses);
    PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
    params.addCertPathChecker(revChecker);
    // Evaluate at the fixed EVAL_DATE rather than the current time.
    params.setDate(EVAL_DATE);
    validator.validate(path, params);
}
/**
 * Create a new {@code AlgorithmChecker} with the
 * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
 *
 * @param anchor the trust anchor selected to validate the target
 *        certificate
 * @param constraints the algorithm constraints (or null)
 * @param pkixdate Date the constraints are checked against. The value is
 *        either the PKIXParameter date or null for the current date.
 *
 * @throws IllegalArgumentException if the {@code anchor} is null
 */
public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints, Date pkixdate) {
    if (anchor == null) {
        throw new IllegalArgumentException("The trust anchor cannot be null");
    }
    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        // (name, key) anchor: no certificate to fingerprint
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.trustedPubKey = anchorCert.getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchorCert);
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    }
    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
    this.pkixdate = pkixdate;
}
/**
 * Entry point for chain validation: checks the arguments, seeds the trusted
 * and untrusted chains with the leaf certificate and hands off to
 * {@code checkTrustedRecursive}.
 *
 * @param certs the presented chain, leaf first
 * @param authType the key exchange / authentication type
 * @param host the host name being connected to
 * @param clientAuth whether the chain is a client (rather than server) chain
 * @return the validated chain as produced by {@code checkTrustedRecursive}
 * @throws CertificateException if the manager failed to initialise ({@code err})
 *         or the chain is not trusted
 * @throws IllegalArgumentException if {@code certs} or {@code authType} is null or empty
 */
private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType,
        String host, boolean clientAuth) throws CertificateException {
    boolean badArgs = certs == null || certs.length == 0
            || authType == null || authType.length() == 0;
    if (badArgs) {
        throw new IllegalArgumentException("null or zero-length parameter");
    }
    if (err != null) {
        throw new CertificateException(err);
    }
    Set<X509Certificate> used = new HashSet<X509Certificate>();
    ArrayList<X509Certificate> untrustedChain = new ArrayList<X509Certificate>();
    ArrayList<TrustAnchor> trustedChain = new ArrayList<TrustAnchor>();
    // Seed the chains with the leaf. A leaf that is itself a trust anchor still
    // goes through path building so the complete trusted chain is available to
    // later checks such as certificate pinning.
    X509Certificate leaf = certs[0];
    TrustAnchor leafAnchor = findTrustAnchorBySubjectAndPublicKey(leaf);
    if (leafAnchor == null) {
        untrustedChain.add(leaf);
    } else {
        trustedChain.add(leafAnchor);
        used.add(leafAnchor.getTrustedCert());
    }
    used.add(leaf);
    return checkTrustedRecursive(certs, host, clientAuth, untrustedChain, trustedChain, used);
}
/**
 * Find all possible issuing trust anchors of {@code cert}: those already in
 * the index, or, when the index has none, those found in the
 * TrustedCertificateStore (which are indexed on the way out).
 *
 * @param cert the certificate whose issuers are sought
 * @return the matching anchors; empty if none
 */
private Set<TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(X509Certificate cert) {
    Set<TrustAnchor> indexed = trustedCertificateIndex.findAllByIssuerAndSignature(cert);
    // The index answers whenever it has something, and it is the only source
    // when no store is configured.
    if (trustedCertificateStore == null || !indexed.isEmpty()) {
        return indexed;
    }
    Set<X509Certificate> fromStore = trustedCertificateStore.findAllIssuers(cert);
    if (fromStore.isEmpty()) {
        return indexed;
    }
    // Index each store hit so later lookups can be served from the index.
    Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(fromStore.size());
    for (X509Certificate issuer : fromStore) {
        anchors.add(trustedCertificateIndex.index(issuer));
    }
    return anchors;
}
/**
 * Returns the first indexed trust anchor whose subject equals {@code cert}'s
 * issuer and whose public key verifies {@code cert}'s signature.
 *
 * @param cert the certificate whose issuing anchor is sought
 * @return the matching anchor, or {@code null} if no candidate verifies the signature
 */
public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
    X500Principal issuer = cert.getIssuerX500Principal();
    synchronized (subjectToTrustAnchors) {
        List<TrustAnchor> candidates = subjectToTrustAnchors.get(issuer);
        if (candidates == null) {
            return null;
        }
        for (TrustAnchor candidate : candidates) {
            try {
                X509Certificate caCert = candidate.getTrustedCert();
                PublicKey key = (caCert != null)
                        ? caCert.getPublicKey()
                        : candidate.getCAPublicKey();
                // A subject match alone is not enough: the key must verify the signature.
                cert.verify(key);
                return candidate;
            } catch (Exception ignored) {
                // This candidate's key did not verify the signature (or was
                // unusable); another anchor with the same subject may still match.
            }
        }
    }
    return null;
}