Java TrustAnchor类代码示例

import java.security.cert.TrustAnchor; //导入依赖的package包/类
public X509TrustManagerWrapper(X509TrustManager tm, boolean verifyServerCertificate) throws CertificateException {
    this.origTm = tm;
    this.verifyServerCert = verifyServerCertificate;

    if (verifyServerCertificate) {
        try {
            Set<TrustAnchor> anch = new HashSet<TrustAnchor>();
            for (X509Certificate cert : tm.getAcceptedIssuers()) {
                anch.add(new TrustAnchor(cert, null));
            }
            this.validatorParams = new PKIXParameters(anch);
            this.validatorParams.setRevocationEnabled(false);
            this.validator = CertPathValidator.getInstance("PKIX");
            this.certFactory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Check the trustedCertificateIndex for the cert to see if it is
 * already trusted and failing that check the KeyStore if it is
 * available.
 */
private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
    TrustAnchor trustAnchor = trustedCertificateIndex.findBySubjectAndPublicKey(cert);
    if (trustAnchor != null) {
        return trustAnchor;
    }
    if (trustedCertificateStore == null) {
        // not trusted and no TrustedCertificateStore to check
        return null;
    }
    // probe KeyStore for a cert. AndroidCAStore stores its
    // contents hashed by cert subject on the filesystem to make
    // this faster than scanning all key store entries.
    X509Certificate systemCert = trustedCertificateStore.getTrustAnchor(cert);
    if (systemCert != null) {
        // Don't index the system certificate here, that way the only place that adds anchors to
        // the index are findAllTrustAnchorsByIssuerAndSignature.
        // This allows findAllTrustAnchorsByIssuerAndSignature to avoid checking the
        // TrustedCertificateStore if the TrustedCertificateIndex contains any issuers for the
        // certificate because it will have cached all certificates contained in the
        // TrustedCertificateStore.
        return new TrustAnchor(systemCert, null);
    }
    return null;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Sets the trusted attribute certificate issuers. If attribute certificates
 * is verified the trusted AC issuers must be set.
 * <p>
 * The <code>trustedACIssuers</code> must be a <code>Set</code> of
 * <code>TrustAnchor</code>
 * <p>
 * The given set is cloned.
 * 
 * @param trustedACIssuers The trusted AC issuers to set. Is never
 *            <code>null</code>.
 * @throws ClassCastException if an element of <code>stores</code> is not
 *             a <code>TrustAnchor</code>.
 */
public void setTrustedACIssuers(Set trustedACIssuers)
{
    if (trustedACIssuers == null)
    {
        this.trustedACIssuers.clear();
        return;
    }
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();)
    {
        if (!(it.next() instanceof TrustAnchor))
        {
            throw new ClassCastException("All elements of set must be "
                + "of type " + TrustAnchor.class.getName() + ".");
        }
    }
    this.trustedACIssuers.clear();
    this.trustedACIssuers.addAll(trustedACIssuers);
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
protected static void processAttrCert4(X509Certificate acIssuerCert,
    ExtendedPKIXParameters pkixParams) throws CertPathValidatorException
{
    Set set = pkixParams.getTrustedACIssuers();
    boolean trusted = false;
    for (Iterator it = set.iterator(); it.hasNext();)
    {
        TrustAnchor anchor = (TrustAnchor) it.next();
        if (acIssuerCert.getSubjectX500Principal().getName("RFC2253")
            .equals(anchor.getCAName())
            || acIssuerCert.equals(anchor.getTrustedCert()))
        {
            trusted = true;
        }
    }
    if (!trusted)
    {
        throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
    }
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Creates the collection of trust anchors to use during validation.
 * 
 * @param validationInfo PKIX validation information
 * 
 * @return trust anchors to use during validation
 */
protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo) {
    Collection<X509Certificate> validationCertificates = validationInfo.getCertificates();

    log.trace("Constructing trust anchors for PKIX validation");
    Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
    for (X509Certificate cert : validationCertificates) {
        trustAnchors.add(buildTrustAnchor(cert));
    }

    if (log.isTraceEnabled()) {
        for (TrustAnchor anchor : trustAnchors) {
            log.trace("TrustAnchor: {}", anchor.toString());
        }
    }

    return trustAnchors;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Log information from the constructed cert path at level debug.
 * 
 * @param buildResult the PKIX cert path builder result containing the cert path and trust anchor
 * @param targetCert the cert untrusted certificate that was being evaluated
 */
private void logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) {
    log.debug("Built valid PKIX cert path");
    log.debug("Target certificate: {}", x500DNHandler.getName(targetCert.getSubjectX500Principal()));
    for (Certificate cert : buildResult.getCertPath().getCertificates()) {
        log.debug("CertPath certificate: {}", x500DNHandler.getName(((X509Certificate) cert)
                .getSubjectX500Principal()));
    }
    TrustAnchor ta = buildResult.getTrustAnchor();
    if (ta.getTrustedCert() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getTrustedCert().getSubjectX500Principal()));
    } else if (ta.getCA() != null) {
        log.debug("TrustAnchor: {}", x500DNHandler.getName(ta.getCA()));
    } else {
        log.debug("TrustAnchor: {}", ta.getCAName());
    }
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    comparator = new PKIXCertComparator(trustedSubjectDNs);
    this.searchAllCertStores = searchAllCertStores;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    if (anchor.getTrustedCert() != null) {
        this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchor.getTrustedCert());
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    } else {
        this.trustedPubKey = anchor.getCAPublicKey();
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Try to set the trust anchor of the checker.
 * <p>
 * If there is no trust anchor specified and the checker has not started,
 * set the trust anchor.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 */
void trySetTrustAnchor(TrustAnchor anchor) {
    // Don't bother if the check has started or trust anchor has already
    // specified.
    if (prevPubKey == null) {
        if (anchor == null) {
            throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
        }

        // Don't bother to change the trustedPubKey.
        if (anchor.getTrustedCert() != null) {
            prevPubKey = anchor.getTrustedCert().getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchor.getTrustedCert());
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        } else {
            prevPubKey = anchor.getCAPublicKey();
        }
    }
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
/**
 * Initialize the builder with the input parameters.
 *
 * @param params the parameter set used to build a certification path
 */
ForwardBuilder(BuilderParams buildParams, boolean searchAllCertStores) {
    super(buildParams);

    // populate sets of trusted certificates and subject DNs
    trustAnchors = buildParams.trustAnchors();
    trustedCerts = new HashSet<X509Certificate>(trustAnchors.size());
    trustedSubjectDNs = new HashSet<X500Principal>(trustAnchors.size());
    for (TrustAnchor anchor : trustAnchors) {
        X509Certificate trustedCert = anchor.getTrustedCert();
        if (trustedCert != null) {
            trustedCerts.add(trustedCert);
            trustedSubjectDNs.add(trustedCert.getSubjectX500Principal());
        } else {
            trustedSubjectDNs.add(anchor.getCA());
        }
    }
    this.searchAllCertStores = searchAllCertStores;
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
public static void createPath(String[] certs) throws Exception {
    TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
    List list = new ArrayList();
    for (int i = 1; i < certs.length; i++) {
        list.add(0, getCertFromFile(certs[i]));
    }
    CertificateFactory cf = CertificateFactory.getInstance("X509");
    path = cf.generateCertPath(list);

    Set anchors = Collections.singleton(anchor);
    params = new PKIXParameters(anchors);
    params.setRevocationEnabled(false);
    X509CertSelector sel = new X509CertSelector();
    sel.setSerialNumber(new BigInteger("1427"));
    params.setTargetCertConstraints(sel);
}
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
public static void createPath(String[] certs) throws Exception {

        X509Certificate anchorCert = getCertFromFile(certs[0]);
        byte [] nameConstraints = anchorCert.getExtensionValue("2.5.29.30");
        if (nameConstraints != null) {
            DerInputStream in = new DerInputStream(nameConstraints);
            nameConstraints = in.getOctetString();
        }
        TrustAnchor anchor = new TrustAnchor(anchorCert, nameConstraints);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
    }
 

import java.security.cert.TrustAnchor; //导入依赖的package包/类
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
    if (anchor == null && issuerCert == null) {
        throw new NullPointerException("TrustAnchor and issuerCert " +
                "cannot be null");
    }
    this.anchor = anchor;
    if (issuerCert != null) {
        name = issuerCert.getSubjectX500Principal();
        pubKey = issuerCert.getPublicKey();
        certificate = issuerCert;
    } else {
        name = anchor.getCA();
        pubKey = anchor.getCAPublicKey();
        certificate = anchor.getTrustedCert();
    }
}