List of usage examples for java.security.cert X509Certificate getIssuerDN
public abstract Principal getIssuerDN();
From source file:de.duenndns.ssl.MemorizingTrustManager.java
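/**
 * Appends a human-readable summary of {@code c} to {@code si}: subject name, validity
 * period, SHA-256 and SHA-1 fingerprints and the issuer name, one item per line.
 *
 * @param si buffer the description is appended to
 * @param c  certificate to describe
 */
private void certDetails(StringBuffer si, X509Certificate c) {
    // Locale.ROOT keeps the formatted digits ASCII regardless of the device locale;
    // the pattern itself is unchanged.
    SimpleDateFormat validityDateFormater = new SimpleDateFormat("yyyy-MM-dd", java.util.Locale.ROOT);
    // The X500Principal accessors give the RFC 2253 form of the names; getSubjectDN()/
    // getIssuerDN() return a deprecated Principal whose string form is implementation-defined.
    si.append("\n");
    si.append(c.getSubjectX500Principal().getName());
    si.append("\n");
    si.append(validityDateFormater.format(c.getNotBefore()));
    si.append(" - ");
    si.append(validityDateFormater.format(c.getNotAfter()));
    si.append("\nSHA-256: ");
    si.append(certHash(c, "SHA-256"));
    si.append("\nSHA-1: ");
    si.append(certHash(c, "SHA-1"));
    si.append("\nSigned by: ");
    si.append(c.getIssuerX500Principal().getName());
    si.append("\n");
}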
From source file:org.wso2.carbon.security.util.ServerCrypto.java
/**
 * Looks up the keystore alias whose certificate matches the given issuer DN and serial number.
 *
 * <p>Only the first certificate of each alias's chain is examined. An alias without any
 * certificate ends the search immediately with {@code null}. Issuer names are compared as
 * split-and-trimmed RDN lists, i.e. as strings rather than by canonical X.500 matching.
 *
 * @param issuer          issuer DN of the wanted certificate
 * @param serialNumber    serial number of the wanted certificate
 * @param useSerialNumber when {@code false} nothing is matched and the result is {@code null}
 * @param ks              keystore to search
 * @return the matching alias, or {@code null} if none matches
 * @throws WSSecurityException if the keystore cannot be enumerated
 */
private String getAliasForX509Cert(String issuer, BigInteger serialNumber, boolean useSerialNumber, KeyStore ks) throws WSSecurityException {
    Vector wantedIssuerRDN = splitAndTrim(issuer);
    try {
        Enumeration aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String candidate = (String) aliases.nextElement();
            Certificate[] chain = this.getCertificates(candidate);
            if (chain == null || chain.length == 0) {
                // An alias without a chain aborts the whole search, not just this alias.
                return null;
            }
            Certificate first = chain[0];
            if (!(first instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) first;
            boolean serialMatches = useSerialNumber && x509.getSerialNumber().compareTo(serialNumber) == 0;
            if (!serialMatches) {
                continue;
            }
            Vector candidateIssuerRDN = splitAndTrim(x509.getIssuerDN().getName());
            if (candidateIssuerRDN.equals(wantedIssuerRDN)) {
                return candidate;
            }
        }
    } catch (KeyStoreException e) {
        // NOTE(review): the KeyStoreException is not attached as the cause of the thrown exception.
        throw new WSSecurityException(WSSecurityException.FAILURE, "keystore");
    }
    return null;
}
From source file:com.stargame.ad.util.http.ssl.AuthSSLProtocolSocketFactory.java
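/**
 * Builds the SSLContext used by this socket factory from the configured keystore
 * (client key material) and truststore (trusted certificates).
 *
 * <p>When {@code LogUtil.D} is set, every certificate found in either store is logged at
 * debug level (subject, signature algorithm, validity window, issuer).
 *
 * @return an initialised SSLContext; its key managers and/or trust managers are
 *         {@code null} when the corresponding store is not configured
 * @throws AuthSSLInitializationError if a store cannot be read or the context cannot be set up
 */
private SSLContext createSSLContext() {
    try {
        KeyManager[] keymanagers = null;
        TrustManager[] trustmanagers = null;
        if (this.keystoreUrl != null) {
            KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword);
            if (LogUtil.D) {
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    Certificate[] certs = keystore.getCertificateChain(alias);
                    if (certs != null) {
                        LogUtil.d(AuthSSLProtocolSocketFactory.class, "Certificate chain '" + alias + "':");
                        for (int c = 0; c < certs.length; c++) {
                            if (certs[c] instanceof X509Certificate) {
                                LogUtil.d(AuthSSLProtocolSocketFactory.class, " Certificate " + (c + 1) + ":");
                                logCertificateDetails((X509Certificate) certs[c]);
                            }
                        }
                    }
                }
            }
            keymanagers = createKeyManagers(keystore, this.keystorePassword);
        }
        if (this.truststoreUrl != null) {
            KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword);
            if (LogUtil.D) {
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    LogUtil.d(AuthSSLProtocolSocketFactory.class, "Trusted certificate '" + alias + "':");
                    Certificate trustedcert = keystore.getCertificate(alias);
                    if (trustedcert instanceof X509Certificate) {
                        logCertificateDetails((X509Certificate) trustedcert);
                    }
                }
            }
            trustmanagers = createTrustManagers(keystore);
        }
        // "TLS" rather than "SSL": the "SSL" context name may still enable SSLv3 on older
        // runtimes, while "TLS" is the name every Java SE platform is required to support.
        SSLContext sslcontext = SSLContext.getInstance("TLS");
        sslcontext.init(keymanagers, trustmanagers, null);
        return sslcontext;
    } catch (NoSuchAlgorithmException e) {
        LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage());
    } catch (KeyStoreException e) {
        LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage());
    } catch (GeneralSecurityException e) {
        LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Key management exception: " + e.getMessage());
    } catch (IOException e) {
        LogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("I/O error reading keystore/truststore file: " + e.getMessage());
    }
}

/** Logs the identifying fields of one certificate at debug level. */
private static void logCertificateDetails(X509Certificate cert) {
    LogUtil.d(AuthSSLProtocolSocketFactory.class, " Subject DN: " + cert.getSubjectDN());
    LogUtil.d(AuthSSLProtocolSocketFactory.class, " Signature Algorithm: " + cert.getSigAlgName());
    LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid from: " + cert.getNotBefore());
    LogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid until: " + cert.getNotAfter());
    LogUtil.d(AuthSSLProtocolSocketFactory.class, " Issuer: " + cert.getIssuerDN());
}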
From source file:org.dogtagpki.server.rest.UserService.java
/**
 * Builds the REST representation of {@code cert} for user {@code userID}: version, serial
 * number, issuer and subject DN, plus a self link under {@code {userID}/certs/{certID}}.
 *
 * @param userID the user the certificate belongs to; percent-encoded before use in the link
 * @param cert   the certificate to describe
 * @return the populated UserCertData
 * @throws Exception if URL encoding fails or the link cannot be built
 */
public UserCertData createUserCertData(String userID, X509Certificate cert) throws Exception {
    UserCertData data = new UserCertData();
    data.setVersion(cert.getVersion());
    data.setSerialNumber(new CertId(cert.getSerialNumber()));
    data.setIssuerDN(cert.getIssuerDN().toString());
    data.setSubjectDN(cert.getSubjectDN().toString());

    // Both path segments are percent-encoded before being substituted into the template.
    String encodedUserID = URLEncoder.encode(userID, "UTF-8");
    String encodedCertID = URLEncoder.encode(data.getID(), "UTF-8");
    URI self = uriInfo.getBaseUriBuilder()
            .path(UserResource.class)
            .path("{userID}/certs/{certID}")
            .build(encodedUserID, encodedCertID);
    data.setLink(new Link("self", self));
    return data;
}
From source file:com.tremolosecurity.idp.providers.OpenIDConnectIdP.java
/**
 * Derives a key identifier from the certificate: subject DN, issuer DN and serial number
 * joined with {@code '-'}. DN components may themselves contain {@code '-'}, so the
 * result is an opaque identifier and is not meant to be split again.
 *
 * @param cert the certificate the KID is derived from
 * @return {@code <subjectDN>-<issuerDN>-<serial>}
 */
private String buildKID(X509Certificate cert) {
    String subject = cert.getSubjectDN().getName();
    String issuer = cert.getIssuerDN().getName();
    String serial = cert.getSerialNumber().toString();
    return subject + '-' + issuer + '-' + serial;
}
From source file:nl.nn.adapterframework.webcontrol.action.ShowSecurityItems.java
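/**
 * Adds {@code <info>} children describing the keystore at {@code url} to {@code certElem}:
 * per alias a heading ("{prefix} 'alias':") and, for X.509 certificates, the subject DN,
 * signature algorithm, validity window and issuer. Details are only emitted when info
 * logging is enabled; any failure is reported as a single "*** ERROR ***" element.
 *
 * @param certElem     element the info children are added to
 * @param url          location of the keystore
 * @param password     keystore password, or {@code null}
 * @param keyStoreType keystore type passed to {@link KeyStore#getInstance(String)}
 * @param prefix       text prepended to each alias heading
 */
private void addCertificateInfo(XmlBuilder certElem, final URL url, final String password, String keyStoreType, String prefix) {
    try {
        KeyStore keystore = KeyStore.getInstance(keyStoreType);
        // KeyStore.load() does not close the stream it reads from, so close it here.
        java.io.InputStream in = url.openStream();
        try {
            keystore.load(in, password != null ? password.toCharArray() : null);
        } finally {
            in.close();
        }
        if (log.isInfoEnabled()) {
            Enumeration<String> aliases = keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                addInfo(certElem, prefix + " '" + alias + "':");
                Certificate trustedcert = keystore.getCertificate(alias);
                if (trustedcert instanceof X509Certificate) {
                    X509Certificate cert = (X509Certificate) trustedcert;
                    addInfo(certElem, " Subject DN: " + cert.getSubjectDN());
                    addInfo(certElem, " Signature Algorithm: " + cert.getSigAlgName());
                    addInfo(certElem, " Valid from: " + cert.getNotBefore());
                    addInfo(certElem, " Valid until: " + cert.getNotAfter());
                    addInfo(certElem, " Issuer: " + cert.getIssuerDN());
                }
            }
        }
    } catch (Exception e) {
        // Deliberately best-effort: an unreadable store yields an error marker instead of failing the page.
        addInfo(certElem, "*** ERROR ***");
    }
}

/** Appends one {@code <info>} element holding {@code text} as CDATA to {@code parent}. */
private static void addInfo(XmlBuilder parent, String text) {
    XmlBuilder infoElem = new XmlBuilder("info");
    infoElem.setCdataValue(text);
    parent.addSubElement(infoElem);
}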
From source file:cn.org.eshow.framwork.http.ssl.AuthSSLProtocolSocketFactory.java
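/**
 * Builds the SSLContext used by this socket factory from the configured keystore
 * (client key material) and truststore (trusted certificates).
 *
 * <p>When {@code AbLogUtil.D} is set, every certificate found in either store is logged at
 * debug level (subject, signature algorithm, validity window, issuer).
 *
 * @return an initialised SSLContext; its key managers and/or trust managers are
 *         {@code null} when the corresponding store is not configured
 * @throws AuthSSLInitializationError if a store cannot be read or the context cannot be set up
 */
private SSLContext createSSLContext() {
    try {
        KeyManager[] keymanagers = null;
        TrustManager[] trustmanagers = null;
        if (this.keystoreUrl != null) {
            KeyStore keystore = createKeyStore(this.keystoreUrl, this.keystorePassword);
            if (AbLogUtil.D) {
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    Certificate[] certs = keystore.getCertificateChain(alias);
                    if (certs != null) {
                        AbLogUtil.d(AuthSSLProtocolSocketFactory.class, "Certificate chain '" + alias + "':");
                        for (int c = 0; c < certs.length; c++) {
                            if (certs[c] instanceof X509Certificate) {
                                AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Certificate " + (c + 1) + ":");
                                logCertificateDetails((X509Certificate) certs[c]);
                            }
                        }
                    }
                }
            }
            keymanagers = createKeyManagers(keystore, this.keystorePassword);
        }
        if (this.truststoreUrl != null) {
            KeyStore keystore = createKeyStore(this.truststoreUrl, this.truststorePassword);
            if (AbLogUtil.D) {
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, "Trusted certificate '" + alias + "':");
                    Certificate trustedcert = keystore.getCertificate(alias);
                    if (trustedcert instanceof X509Certificate) {
                        logCertificateDetails((X509Certificate) trustedcert);
                    }
                }
            }
            trustmanagers = createTrustManagers(keystore);
        }
        // "TLS" rather than "SSL": the "SSL" context name may still enable SSLv3 on older
        // runtimes, while "TLS" is the name every Java SE platform is required to support.
        SSLContext sslcontext = SSLContext.getInstance("TLS");
        sslcontext.init(keymanagers, trustmanagers, null);
        return sslcontext;
    } catch (NoSuchAlgorithmException e) {
        AbLogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Unsupported algorithm exception: " + e.getMessage());
    } catch (KeyStoreException e) {
        AbLogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Keystore exception: " + e.getMessage());
    } catch (GeneralSecurityException e) {
        AbLogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("Key management exception: " + e.getMessage());
    } catch (IOException e) {
        AbLogUtil.e(AuthSSLProtocolSocketFactory.class, e.getMessage());
        throw new AuthSSLInitializationError("I/O error reading keystore/truststore file: " + e.getMessage());
    }
}

/** Logs the identifying fields of one certificate at debug level. */
private static void logCertificateDetails(X509Certificate cert) {
    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Subject DN: " + cert.getSubjectDN());
    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Signature Algorithm: " + cert.getSigAlgName());
    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid from: " + cert.getNotBefore());
    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Valid until: " + cert.getNotAfter());
    AbLogUtil.d(AuthSSLProtocolSocketFactory.class, " Issuer: " + cert.getIssuerDN());
}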
From source file:org.signserver.client.cli.validationservice.ValidateCertificateCommand.java
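/**
 * Reads the certificate at {@code certPath}, prints its subject, issuer and validity
 * window, submits it to the validation service over the configured protocol and prints
 * the result.
 *
 * @return the exit code derived from the validation status
 * @throws Exception if the certificate file cannot be read or parsed, or the request fails
 */
private int run() throws Exception {
    // read certificate
    X509Certificate cert = null;
    FileInputStream fis = new FileInputStream(certPath);
    try {
        if (pemFlag) {
            Collection<?> certs = CertTools.getCertsFromPEM(fis);
            if (certs.iterator().hasNext()) {
                cert = (X509Certificate) certs.iterator().next();
            }
        } else {
            // Read to end of file: available() is only an estimate and a single read() may be short.
            cert = (X509Certificate) CertTools.getCertfromByteArray(readFully(fis));
        }
    } finally {
        fis.close();
    }
    if (cert == null) {
        println("Error, Certificate in file " + certPath + " not read succesfully.");
        // Stop here rather than dereferencing the missing certificate below.
        throw new IllegalArgumentException("Certificate in file " + certPath + " could not be read");
    }
    println("\n\nValidating certificate with: ");
    println(" Subject : " + cert.getSubjectDN().toString());
    println(" Issuer : " + cert.getIssuerDN().toString());
    println(" Valid From : " + cert.getNotBefore());
    println(" Valid To : " + cert.getNotAfter());
    println("\n");
    // validate
    final ValidateResponse vresp;
    switch (protocol) {
        case WEBSERVICES:
            // set up trust
            SSLSocketFactory sslf = null;
            if (trustStorePath != null) {
                sslf = WSClientUtil.genCustomSSLSocketFactory(null, null, trustStorePath, trustStorePwd);
            }
            vresp = runWS(sslf, cert);
            break;
        case HTTP:
            vresp = runHTTP(cert);
            break;
        default:
            throw new IllegalArgumentException("Unknown protocol: " + protocol.toString());
    }
    // output result
    String certificatePurposes = vresp.getValidCertificatePurposes();
    println("Valid Certificate Purposes:\n " + (certificatePurposes == null ? "" : certificatePurposes));
    Validation validation = vresp.getValidation();
    println("Certificate Status:\n " + validation.getStatus());
    return getReturnValue(validation.getStatus());
}

/**
 * Reads {@code in} to end of stream and returns its contents.
 *
 * @param in stream to drain; not closed by this method
 * @return all bytes read from the stream
 * @throws java.io.IOException if reading fails
 */
private static byte[] readFully(java.io.InputStream in) throws java.io.IOException {
    java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
    byte[] buf = new byte[8192];
    int n;
    while ((n = in.read(buf)) != -1) {
        out.write(buf, 0, n);
    }
    return out.toByteArray();
}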
From source file:org.apache.rampart.PolicyBasedResultsValidator.java
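/**
 * Evaluate whether a given certificate should be trusted. Hook to allow subclasses to implement
 * custom validation methods however they see fit.
 * <p/>
 * Policy used in this implementation: 1. Search the keystore for the transmitted certificate 2.
 * Search the keystore for a connection to the transmitted certificate (that is, search for
 * certificate(s) of the issuer of the transmitted certificate 3. Verify the trust path for
 * those certificates found because the search for the issuer might be fooled by a phony DN
 * (String!)
 *
 * @param cert the certificate that should be validated against the keystore
 * @param rmd  message data giving access to the signature crypto and the message context
 * @return true if the certificate is trusted, false if not
 * @throws RampartException if the keystore lookup or the certificate path validation fails
 */
protected boolean verifyTrust(X509Certificate cert, RampartMessageData rmd) throws RampartException {
    // If no certificate was transmitted, do not trust the signature
    if (cert == null) {
        return false;
    }
    String[] aliases = null;
    String alias = null;
    X509Certificate[] certs;
    String subjectString = cert.getSubjectDN().getName();
    String issuerString = cert.getIssuerDN().getName();
    BigInteger issuerSerial = cert.getSerialNumber();
    boolean doDebug = log.isDebugEnabled();
    if (doDebug) {
        log.debug("WSHandler: Transmitted certificate has subject " + subjectString);
        log.debug("WSHandler: Transmitted certificate has issuer " + issuerString + " (serial " + issuerSerial + ")");
    }
    // FIRST step
    // Search the keystore for the transmitted certificate
    // Search the keystore for the alias of the transmitted certificate
    try {
        alias = RampartUtil
                .getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), rmd.getCustomClassLoader())
                .getAliasForX509Cert(issuerString, issuerSerial);
    } catch (WSSecurityException ex) {
        throw new RampartException("cannotFindAliasForCert", new String[] { subjectString }, ex);
    }
    if (alias != null) {
        // Retrieve the certificate for the alias from the keystore
        try {
            certs = RampartUtil
                    .getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), rmd.getCustomClassLoader())
                    .getCertificates(alias);
        } catch (WSSecurityException ex) {
            throw new RampartException("noCertForAlias", new String[] { alias }, ex);
        }
        // If certificates have been found, the certificates must be compared
        // to ensure against phony DNs (compare encoded form including signature)
        if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
            if (doDebug) {
                log.debug("Direct trust for certificate with " + subjectString);
            }
            // Set the alias of the cert used for the msg. sig. as a msg. cxt. property
            rmd.getMsgContext().setProperty(RampartMessageData.SIGNATURE_CERT_ALIAS, alias);
            return true;
        }
    } else {
        if (doDebug) {
            log.debug("No alias found for subject from issuer with " + issuerString + " (serial " + issuerSerial + ")");
        }
    }
    // SECOND step
    // Search for the issuer of the transmitted certificate in the keystore
    // Search the keystore for the alias of the transmitted certificates issuer
    try {
        aliases = RampartUtil
                .getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), rmd.getCustomClassLoader())
                .getAliasesForDN(issuerString);
    } catch (WSSecurityException ex) {
        throw new RampartException("cannotFindAliasForCert", new String[] { issuerString }, ex);
    }
    // If the alias has not been found, the issuer is not in the keystore
    // As a direct result, do not trust the transmitted certificate
    if (aliases == null || aliases.length < 1) {
        if (doDebug) {
            log.debug("No aliases found in keystore for issuer " + issuerString + " of certificate for " + subjectString);
        }
        return false;
    }
    // THIRD step
    // Check the certificate trust path for every alias of the issuer found in the keystore
    for (int i = 0; i < aliases.length; i++) {
        alias = aliases[i];
        if (doDebug) {
            log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerString);
        }
        // Retrieve the certificate(s) for the alias from the keystore
        try {
            certs = RampartUtil
                    .getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), rmd.getCustomClassLoader())
                    .getCertificates(alias);
        } catch (WSSecurityException ex) {
            throw new RampartException("noCertForAlias", new String[] { alias }, ex);
        }
        // If no certificates have been found, there has to be an error:
        // The keystore can find an alias but no certificate(s)
        if (certs == null || certs.length < 1) {
            throw new RampartException("noCertForAlias", new String[] { alias });
        }
        // Form a certificate chain from the transmitted certificate and the certificate(s)
        // of the issuer from the keystore. The transmitted certificate is never overwritten
        // here, so every issuer alias is validated against the same leaf certificate
        // (previously the parameter was reassigned while copying, and from the second alias
        // on the chain started with the last issuer certificate instead of the leaf).
        X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
        x509certs[0] = cert;
        System.arraycopy(certs, 0, x509certs, 1, certs.length);
        certs = x509certs;
        // Use the validation method from the crypto to check whether the subjects certificate
        // was really signed by the issuer stated in the certificate
        try {
            if (RampartUtil
                    .getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), rmd.getCustomClassLoader())
                    .validateCertPath(certs)) {
                if (doDebug) {
                    log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectString);
                }
                return true;
            }
        } catch (WSSecurityException ex) {
            throw new RampartException("certPathVerificationFailed", new String[] { subjectString }, ex);
        }
    }
    if (doDebug) {
        log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectString);
    }
    return false;
}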
From source file:com.idevity.card.read.ShowCHUID.java
/**
 * Inflates the CHUID screen and fills it from the card data held in {@link Globals}.
 *
 * The view shows two indicators: whether the CHUID's CMS signature verified, and whether
 * the signer certificate is currently within its validity window. Subject, issuer and
 * validity dates of the signer certificate are displayed as text; when no signer
 * certificate is available these fields stay empty and both indicators show "bad".
 *
 * @param inflater
 *            LayoutInflater
 * @param container
 *            ViewGroup
 * @param savedInstanceState
 *            Bundle
 * @return View
 */
@Override
public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
    Globals g = Globals.getInstance();
    String issuer = new String();
    String subject = new String();
    String validfrom = new String();
    String validto = new String();
    // certvalid starts out true and is only cleared by a validity exception below;
    // the final indicator additionally requires pcs != null.
    boolean certvalid = true;
    boolean sigvalid = false;
    CMSSignedDataObject chuidSig = null;
    X509Certificate pcs = null;
    View chuidLayout = inflater.inflate(R.layout.activity_show_chuid, container, false);
    // get card data
    byte[] _data = g.getCard();
    CardData80073 carddata = new CardData80073(_data);
    // get chuid
    PIVCardHolderUniqueID chuid = null;
    PIVDataTempl chuidInDataTempl = carddata.getPIVCardHolderUniqueID();
    if (chuidInDataTempl != null) {
        byte[] chuidData = chuidInDataTempl.getData();
        if (chuidData == null) {
            // fall back to the encoded template when no raw data is available
            chuidData = chuidInDataTempl.getEncoded();
        }
        chuid = new PIVCardHolderUniqueID(chuidData);
    }
    if (chuid != null) {
        try {
            // get chuid signature object
            chuidSig = new CMSSignedDataObject(chuid.getSignatureBytes(), chuid.getSignatureDataBytes());
            chuidSig.setProviderName("OpenSSLFIPSProvider");
            // validate the signature, don't do PDVAL
            // NOTE(review): with path validation disabled here, sigvalid only states that the
            // signature matches the embedded signer certificate; presumably the signer is
            // chained to a trust anchor elsewhere — confirm before relying on this indicator.
            sigvalid = chuidSig.verifySignature(false);
        } catch (SignatureException e) {
            // chuidSig may still be non-null here, so the signer can still be displayed
            Log.e(TAG, "Error: " + e.getMessage());
        }
        // get x509 cert
        if (chuidSig != null) {
            pcs = chuidSig.getSigner();
        }
        // get values from x509
        if (pcs != null) {
            issuer = pcs.getIssuerDN().getName();
            subject = pcs.getSubjectDN().getName();
            validfrom = pcs.getNotBefore().toString();
            validto = pcs.getNotAfter().toString();
        }
    }
    // signature indicator
    ImageView sigthumbs = (ImageView) chuidLayout.findViewById(R.id.chuidindicator1);
    TextView sigtext = (TextView) chuidLayout.findViewById(R.id.chuid1);
    if (sigvalid) {
        sigthumbs.setImageResource(R.drawable.cert_good);
    } else {
        sigthumbs.setImageResource(R.drawable.cert_bad);
        sigtext.setTextColor(getResources().getColor(R.color.idredmain));
    }
    /*
     * Note to self. I am not thrilled how Java almost forces you to assume
     * a certificate if valid unless an exception is thrown!
     */
    TextView vfText = (TextView) chuidLayout.findViewById(R.id.chuid4);
    TextView vtText = (TextView) chuidLayout.findViewById(R.id.chuid5);
    try {
        if (pcs != null) {
            pcs.checkValidity();
        }
    } catch (CertificateNotYetValidException e) {
        // highlight the "valid from" field
        certvalid = false;
        vfText.setTextColor(getResources().getColor(R.color.idredmain));
        if (debug) {
            Log.d(TAG, "Error: Authentication Certificate Not Vaid Yet!");
        }
    } catch (CertificateExpiredException e) {
        // highlight the "valid to" field
        certvalid = false;
        vtText.setTextColor(getResources().getColor(R.color.idredmain));
        if (debug) {
            Log.d(TAG, "Error: Card Authentication Certificate Expired!");
        }
    }
    // certificate validity indicator
    ImageView certthumbs = (ImageView) chuidLayout.findViewById(R.id.chuidindicator2);
    TextView certtext = (TextView) chuidLayout.findViewById(R.id.chuid2);
    if (certvalid && pcs != null) {
        certthumbs.setImageResource(R.drawable.cert_good);
    } else {
        certthumbs.setImageResource(R.drawable.cert_bad);
        certtext.setTextColor(getResources().getColor(R.color.idredmain));
    }
    // setting all values in activity
    TextView editChuidSubject = (TextView) chuidLayout.findViewById(R.id.chuid_subject);
    editChuidSubject.setText(subject);
    TextView editValidFrom = (TextView) chuidLayout.findViewById(R.id.chuid_date);
    editValidFrom.setText(validfrom);
    TextView editValidTo = (TextView) chuidLayout.findViewById(R.id.chuid_expiry);
    editValidTo.setText(validto);
    TextView editIssuer = (TextView) chuidLayout.findViewById(R.id.chuid_issuer);
    editIssuer.setText(issuer);
    return chuidLayout;
}