本文整理汇总了Java中java.security.cert.X509Certificate.getBasicConstraints方法的典型用法代码示例。如果您正苦于以下问题:Java X509Certificate.getBasicConstraints方法的具体用法?Java X509Certificate.getBasicConstraints怎么用?Java X509Certificate.getBasicConstraints使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类java.security.cert.X509Certificate的用法示例。
在下文中一共展示了X509Certificate.getBasicConstraints方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。
示例1: validate
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Applies this handler's per-certificate policy to a single certificate.
 *
 * <p>Every certificate has its validity period checked and is handed to the revocation
 * checker. The remaining checks depend on {@link X509Certificate#getBasicConstraints()}:
 * a non-negative value marks a CA certificate, whose path length is compared with the
 * configured limit; a negative value marks an end-entity certificate, which must match the
 * subject DN pattern and, when enabled, the key usage policy.
 *
 * <p>Nothing in this method verifies a signature or ties the certificate to its issuer.
 * NOTE(review): presumably the TLS layer has already built and verified the chain; confirm
 * against the caller before relying on this method alone.
 *
 * @param cert the certificate to check
 * @throws GeneralSecurityException if the certificate is outside its validity period, or if
 *         the revocation checker or one of the policy checks rejects it
 */
private void validate(final X509Certificate cert) throws GeneralSecurityException {
    cert.checkValidity();
    this.revocationChecker.check(cert);

    // -1: not a CA (or no basicConstraints extension); Integer.MAX_VALUE: CA without a
    // pathLenConstraint; any other value: the CA's pathLenConstraint.
    final int basicConstraints = cert.getBasicConstraints();
    final boolean caCertificate = basicConstraints >= 0;

    if (caCertificate) {
        if (basicConstraints == Integer.MAX_VALUE && !this.maxPathLengthAllowUnspecified) {
            throw new FailedLoginException("Unlimited certificate path length not allowed by configuration.");
        }
        if (basicConstraints > this.maxPathLength && basicConstraints < Integer.MAX_VALUE) {
            throw new FailedLoginException(String.format(
                    "Certificate path length %s exceeds maximum value %s.", basicConstraints, this.maxPathLength));
        }
        return;
    }

    // End-entity certificate: subject DN and key usage decide whether it may log in.
    if (!isCertificateAllowed(cert)) {
        throw new FailedLoginException(
                "Certificate subject does not match pattern " + this.regExSubjectDnPattern.pattern());
    }
    if (this.checkKeyUsage && !isValidKeyUsage(cert)) {
        throw new FailedLoginException(
                "Certificate keyUsage constraint forbids SSL client authentication.");
    }
}
开发者ID:hsj-xiaokang,项目名称:springboot-shiro-cas-mybatis,代码行数:31,代码来源:X509CredentialsAuthenticationHandler.java
示例2: validate
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Checks one certificate against the handler's policy.
 *
 * <p>Validity period and revocation status are checked for every certificate. An end-entity
 * certificate ({@code getBasicConstraints() < 0}) must additionally match the subject DN
 * pattern and, if key usage checking is on, carry an acceptable key usage. A CA certificate
 * is only checked against the configured maximum path length.
 *
 * <p>Signature verification and issuer/subject chaining are not performed here.
 *
 * @param cert the certificate to check
 * @throws GeneralSecurityException if any of the checks rejects the certificate
 */
private void validate(final X509Certificate cert) throws GeneralSecurityException {
    cert.checkValidity();
    this.revocationChecker.check(cert);

    final int constraint = cert.getBasicConstraints();

    if (constraint < 0) {
        // Not a CA: this is a candidate client certificate.
        if (!isCertificateAllowed(cert)) {
            throw new FailedLoginException(
                    "Certificate subject does not match pattern " + this.regExSubjectDnPattern.pattern());
        }
        if (this.checkKeyUsage && !isValidKeyUsage(cert)) {
            throw new FailedLoginException(
                    "Certificate keyUsage constraint forbids SSL client authentication.");
        }
        return;
    }

    // CA certificate: Integer.MAX_VALUE means the CA carries no pathLenConstraint at all.
    final boolean unlimited = constraint == Integer.MAX_VALUE;
    if (unlimited && !this.maxPathLengthAllowUnspecified) {
        throw new FailedLoginException("Unlimited certificate path length not allowed by configuration.");
    }
    if (constraint > this.maxPathLength && !unlimited) {
        throw new FailedLoginException(String.format(
                "Certificate path length %s exceeds maximum value %s.", constraint, this.maxPathLength));
    }
}
示例3: getSubCertificates
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
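/**
 * Collects the CA certificates contained in a certificate chain.
 *
 * <p>A certificate is included when {@link X509Certificate#getBasicConstraints()} returns
 * anything other than -1, i.e. when its basicConstraints extension marks it as a CA. The
 * test does not tell an intermediate CA from a self-signed root, and it does not verify that
 * the certificates actually chain to one another; callers that need a validated path must
 * validate it separately.
 *
 * <p>Entries that are {@code null} or not X.509 certificates are skipped with a warning. A
 * certificate that cannot be encoded is logged and left out of the result.
 *
 * @param certChain the certificate chain; {@code null} is treated as an empty chain
 * @return a SubCertificatesType holding the DER encoding of every CA certificate found,
 *         possibly empty
 */
public static SubCertificatesType getSubCertificates(Certificate[] certChain) {
    SubCertificatesType subCertificates = new SubCertificatesType();

    if (certChain != null) {
        for (Certificate cert : certChain) {
            // Guard the downcast: a chain may in principle carry non-X.509 entries.
            if (!(cert instanceof X509Certificate)) {
                getLogger().warn("Skipping chain entry that is not an X.509 certificate");
                continue;
            }
            X509Certificate x509Cert = (X509Certificate) cert;

            // -1 means "not a CA"; any other value (including Integer.MAX_VALUE for a CA
            // without a pathLenConstraint) means the certificate is a CA.
            if (x509Cert.getBasicConstraints() == -1) {
                continue;
            }

            try {
                subCertificates.getCertificate().add(x509Cert.getEncoded());
            } catch (CertificateEncodingException e) {
                // Report the certificate's own DN; the issuer DN would point at the wrong
                // certificate when someone reads the log.
                X500Principal subject = x509Cert.getSubjectX500Principal();
                getLogger().error("A CertificateEncodingException occurred while trying to get certificate " +
                        "with distinguished name '" + subject.getName() + "'", e);
            }
        }
    }

    if (subCertificates.getCertificate().size() == 0) {
        getLogger().warn("No intermediate CAs found in given certificate array");
    }
    return subCertificates;
}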
示例4: doAuthentication
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Authenticates an X.509 certificate credential.
 *
 * <p>The credential's certificates are visited from the last array element to the first.
 * Each one goes through {@code validate}; the first exception aborts the login. While
 * walking, the method records whether any certificate satisfies
 * {@code isCertificateFromTrustedIssuer} and remembers the most recently visited non-CA
 * certificate ({@code getBasicConstraints() < 0}) as the client certificate.
 *
 * <p>Review points: the trusted-issuer flag is set by any certificate in the array, not
 * specifically by the one selected as the client certificate, and a certificate without a
 * basicConstraints extension also reports -1 and is therefore treated as a client
 * certificate. NOTE(review): this looks like it relies on the chain having been verified
 * before it reaches the handler; confirm.
 *
 * @param credential the credential, cast to X509CertificateCredential
 * @return the handler result for the selected client certificate
 * @throws GeneralSecurityException if validation fails, or if no trusted issuer or no client
 *         certificate was found ({@link FailedLoginException})
 * @throws PreventedException declared by the overridden method; not thrown by this body
 */
@Override
protected final HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] chain = x509Credential.getCertificates();

    X509Certificate endEntity = null;
    boolean issuerTrusted = false;

    for (int idx = chain.length - 1; idx > -1; idx--) {
        final X509Certificate current = chain[idx];
        logger.debug("Evaluating {}", CertUtils.toString(current));
        validate(current);

        // Short-circuit keeps the issuer lookup from running again once a match was found.
        issuerTrusted = issuerTrusted || isCertificateFromTrustedIssuer(current);

        // >= 0 for a CA certificate, -1 otherwise.
        if (current.getBasicConstraints() >= 0) {
            logger.debug("Found valid CA certificate");
        } else {
            logger.debug("Found valid client certificate");
            endEntity = current;
        }
    }

    if (!issuerTrusted || endEntity == null) {
        throw new FailedLoginException();
    }

    x509Credential.setCertificate(endEntity);
    return new DefaultHandlerResult(this, x509Credential, this.principalFactory.createPrincipal(x509Credential.getId()));
}
开发者ID:hsj-xiaokang,项目名称:springboot-shiro-cas-mybatis,代码行数:35,代码来源:X509CredentialsAuthenticationHandler.java
示例5: doAuthentication
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * {@inheritDoc}
 *
 * <p>Validates every certificate of the credential, back to front, and accepts the login
 * when two conditions hold after the walk: some certificate in the array came from a trusted
 * issuer, and some certificate was a non-CA certificate. The non-CA certificate visited last
 * (the one with the lowest array index) is stored on the credential.
 *
 * <p>The two conditions are tracked independently of each other; the method does not check
 * that the trusted issuer is the issuer of the selected client certificate.
 *
 * @throws GeneralSecurityException if {@code validate} rejects a certificate, or as
 *         {@link FailedLoginException} when either condition above is not met
 */
@Override
protected final HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] certificates = x509Credential.getCertificates();

    boolean trustedIssuerSeen = false;
    X509Certificate candidate = null;

    for (int pos = certificates.length; pos-- > 0; ) {
        final X509Certificate certificate = certificates[pos];
        logger.debug("Evaluating {}", CertUtils.toString(certificate));
        validate(certificate);

        if (!trustedIssuerSeen && isCertificateFromTrustedIssuer(certificate)) {
            trustedIssuerSeen = true;
        }

        // getBasicConstraints() yields the pathLenConstraint (>= 0) for a CA and -1 for
        // anything that is not a CA.
        final boolean isCa = certificate.getBasicConstraints() >= 0;
        logger.debug(isCa ? "Found valid CA certificate" : "Found valid client certificate");
        if (!isCa) {
            candidate = certificate;
        }
    }

    final boolean accepted = trustedIssuerSeen && candidate != null;
    if (!accepted) {
        throw new FailedLoginException();
    }

    x509Credential.setCertificate(candidate);
    return new DefaultHandlerResult(this, x509Credential, this.principalFactory.createPrincipal(x509Credential.getId()));
}
开发者ID:hsj-xiaokang,项目名称:springboot-shiro-cas-mybatis,代码行数:38,代码来源:X509CredentialsAuthenticationHandler.java
示例6: doAuthentication
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Authenticates an X.509 certificate credential and logs the reason when the login fails.
 *
 * <p>Certificates are processed from the end of the array towards index 0. Each is passed to
 * {@code validate}. A certificate whose {@code getBasicConstraints()} is negative is taken as
 * the client certificate (later iterations overwrite earlier picks); all others are treated
 * as CA certificates. The login succeeds only if a client certificate was found and at least
 * one certificate in the array satisfied {@code isCertificateFromTrustedIssuer}.
 *
 * <p>The trusted-issuer match may come from a different certificate than the one chosen as
 * the client certificate; this method does not relate the two.
 *
 * @param credential the credential, cast to X509CertificateCredential
 * @return the handler result carrying the principal built from the credential id
 * @throws GeneralSecurityException on a validation failure, or {@link FailedLoginException}
 *         when no client certificate or no trusted issuer was found
 * @throws PreventedException declared by the overridden method; not thrown by this body
 */
@Override
protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] certificates = x509Credential.getCertificates();

    X509Certificate selected = null;
    boolean trusted = false;

    int remaining = certificates.length;
    while (remaining > 0) {
        remaining--;
        final X509Certificate certificate = certificates[remaining];
        LOGGER.debug("Evaluating [{}]", CertUtils.toString(certificate));
        validate(certificate);

        if (!trusted) {
            trusted = isCertificateFromTrustedIssuer(certificate);
        }

        // -1 marks a non-CA certificate; CA certificates report their pathLenConstraint.
        if (certificate.getBasicConstraints() >= 0) {
            LOGGER.debug("Found valid CA certificate");
            continue;
        }
        LOGGER.debug("Found valid client certificate");
        selected = certificate;
    }

    if (!trusted || selected == null) {
        LOGGER.warn("Either client certificate could not be determined, or a trusted issuer could not be located");
        throw new FailedLoginException();
    }

    x509Credential.setCertificate(selected);
    return new DefaultHandlerResult(this, x509Credential, this.principalFactory.createPrincipal(x509Credential.getId()));
}
示例7: main
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Builds a certification path from {@code anchor.cer} over {@code ca.cer} to {@code ee.cer}
 * with a selector restricted to end-entity certificates, and fails if the first certificate
 * of the resulting path is a CA certificate.
 *
 * <p>Two settings here are test scaffolding: the disabled-algorithm property is overwritten
 * and revocation checking is switched off.
 *
 * @param args unused
 * @throws Exception if a file cannot be loaded, no path can be built, or the target of the
 *         built path is not an end-entity certificate
 */
public static void main(String[] args) throws Exception {
    // Replaces the JVM-wide cert-path restriction list with just "MD2", so that the
    // algorithms and keys in the test certificates are not rejected. This lifts every other
    // restriction on that list for the rest of the process.
    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");

    X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
    TrustAnchor anchor =
            new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null);

    // A basicConstraints value of -2 makes the selector match end-entity certificates only.
    X509CertSelector targetSelector = new X509CertSelector();
    targetSelector.setBasicConstraints(-2);

    PKIXBuilderParameters params =
            new PKIXBuilderParameters(Collections.singleton(anchor), targetSelector);
    // The test data ships no CRLs or OCSP responses, so revocation is not consulted.
    params.setRevocationEnabled(false);

    X509Certificate eeCert = CertUtils.getCertFromFile("ee.cer");
    X509Certificate caCert = CertUtils.getCertFromFile("ca.cer");
    ArrayList<X509Certificate> candidates = new ArrayList<X509Certificate>();
    candidates.add(caCert);
    candidates.add(eeCert);
    CertStore store =
            CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));
    params.addCertStore(store);

    PKIXCertPathBuilderResult result = CertUtils.build(params);
    CertPath path = result.getCertPath();

    // Index 0 of a CertPath is the target certificate; it has to be an end-entity cert.
    List<? extends Certificate> pathCerts = path.getCertificates();
    X509Certificate target = (X509Certificate) pathCerts.get(0);
    boolean targetIsEndEntity = target.getBasicConstraints() == -1;
    if (!targetIsEndEntity) {
        throw new Exception("Target certificate is not an EE certificate");
    }
}
示例8: doAuthentication
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * {@inheritDoc}
 *
 * <p>Runs {@code validate} on each certificate of the credential, starting with the last
 * array element, and picks the non-CA certificate ({@code getBasicConstraints() < 0}) seen
 * last as the client certificate. Authentication succeeds when such a certificate exists and
 * any certificate in the array satisfied {@code isCertificateFromTrustedIssuer}.
 *
 * <p>Issuer trust and client-certificate selection are evaluated separately; nothing here
 * checks that the selected certificate was issued by the trusted issuer that was matched.
 *
 * @throws GeneralSecurityException if a certificate fails validation, or as
 *         {@link FailedLoginException} when no trusted issuer or no client certificate is found
 */
@Override
protected final HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
    final X509CertificateCredential x509Credential = (X509CertificateCredential) credential;
    final X509Certificate[] certificates = x509Credential.getCertificates();

    X509Certificate leaf = null;
    boolean anyTrustedIssuer = false;

    // offset counts from the end of the array: 1 addresses the last element.
    for (int offset = 1; offset <= certificates.length; offset++) {
        final X509Certificate certificate = certificates[certificates.length - offset];
        logger.debug("Evaluating {}", CertUtils.toString(certificate));
        validate(certificate);

        anyTrustedIssuer = anyTrustedIssuer || isCertificateFromTrustedIssuer(certificate);

        // A CA certificate reports its pathLenConstraint (>= 0); everything else reports -1.
        final boolean nonCa = certificate.getBasicConstraints() < 0;
        if (nonCa) {
            logger.debug("Found valid client certificate");
            leaf = certificate;
        } else {
            logger.debug("Found valid CA certificate");
        }
    }

    if (leaf == null || !anyTrustedIssuer) {
        throw new FailedLoginException();
    }

    x509Credential.setCertificate(leaf);
    return new HandlerResult(this, x509Credential, new SimplePrincipal(x509Credential.getId()));
}
示例9: getLeafCertificate
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
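/**
 * Returns the first certificate of a chain that is not a CA certificate.
 *
 * <p>"Not a CA" means {@link X509Certificate#getBasicConstraints()} returns -1, which is the
 * case both when the basicConstraints extension has cA set to false and when the extension
 * is absent. The method looks at each certificate in isolation: it does not verify
 * signatures or check that the returned certificate is issued by another entry of the
 * chain, so the result must not be treated as validated.
 *
 * <p>Entries that are {@code null} or not X.509 certificates are skipped.
 *
 * @param certChain the certificate chain; {@code null} is treated as an empty chain
 * @return the first non-CA X.509 certificate in array order, or {@code null} if the chain
 *         contains none (a warning is logged in that case)
 */
public static X509Certificate getLeafCertificate(Certificate[] certChain) {
    if (certChain != null) {
        for (Certificate cert : certChain) {
            // Guard the downcast instead of failing with a ClassCastException.
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509Cert = (X509Certificate) cert;

            // -1 is returned for every certificate that is not a CA.
            if (x509Cert.getBasicConstraints() == -1) {
                return x509Cert;
            }
        }
    }

    getLogger().warn("No leaf certificate found in given certificate chain");
    return null;
}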
示例10: check
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Marks the extension with OID {@code 1.2.3.4} as handled on end-entity certificates.
 *
 * <p>Removing an OID from {@code unresolvedCritExts} tells the path validator that this
 * checker has processed that critical extension. The body removes the OID without looking at
 * the extension value, so the extension is accepted whatever it contains. CA certificates
 * ({@code getBasicConstraints() != -1}) are left untouched.
 *
 * @param cert the certificate being checked; cast to X509Certificate
 * @param unresolvedCritExts the OIDs of critical extensions not yet handled; may be
 *        {@code null}
 * @throws CertPathValidatorException declared by the overridden method; not thrown here
 */
@Override
public void check(Certificate cert,
                  Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {
    X509Certificate current = (X509Certificate) cert;

    // Only end-entity certificates are of interest to this checker.
    boolean endEntity = current.getBasicConstraints() == -1;
    if (!endEntity || unresolvedCritExts == null || unresolvedCritExts.isEmpty()) {
        return;
    }
    unresolvedCritExts.remove("1.2.3.4");
}
示例11: mergeBasicConstraints
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Combines the running path-length budget with the certificate's own pathLenConstraint.
 *
 * <p>A certificate that is not self-issued consumes one unit of the budget. The result is
 * the smaller of the remaining budget and the value returned by
 * {@link X509Certificate#getBasicConstraints()}. Because that method returns -1 for a
 * non-CA certificate, such a certificate always yields -1.
 *
 * @param cert the <code>X509Certificate</code>
 * @param maxPathLength the previous maximum path length
 * @return the new maximum path length constraint (-1 means no more
 * certificates can follow, Integer.MAX_VALUE means path length is
 * unconstrained)
 */
static int mergeBasicConstraints(X509Certificate cert, int maxPathLength) {
    final int certConstraint = cert.getBasicConstraints();

    // Self-issued certificates do not count against the path length.
    final int remaining = X509CertImpl.isSelfIssued(cert) ? maxPathLength : maxPathLength - 1;

    return Math.min(certConstraint, remaining);
}
示例12: checkBasicConstraints
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Internal method to check that a given cert meets basic constraints.
 *
 * <p>The check only applies while {@code i < certPathLength}. For such a certificate the
 * method requires it to be a CA certificate, enforces the remaining path-length budget held
 * in {@code maxPathLength}, and then tightens that budget to the certificate's own
 * pathLenConstraint when that is smaller. When {@code i >= certPathLength} nothing is
 * enforced and {@code maxPathLength} is left unchanged.
 *
 * <p>NOTE(review): {@code i} looks like the 1-based position of the certificate in the path
 * and {@code certPathLength} like the number of certificates in it; both are fields of the
 * enclosing class, confirm there.
 *
 * @param currCert the certificate at the current position of the path
 * @throws CertPathValidatorException with reason {@code NOT_CA_CERT} if an intermediate
 *         certificate is not a CA certificate, or {@code PATH_TOO_LONG} if a
 *         non-self-issued intermediate certificate is reached with no path length left
 */
private void checkBasicConstraints(X509Certificate currCert)
throws CertPathValidatorException
{
String msg = "basic constraints";
if (debug != null) {
debug.println("---checking " + msg + "...");
debug.println("i = " + i +
", maxPathLength = " + maxPathLength);
}
/* check if intermediate cert */
if (i < certPathLength) {
// RFC5280: If certificate i is a version 3 certificate, verify
// that the basicConstraints extension is present and that cA is
// set to TRUE. (If certificate i is a version 1 or version 2
// certificate, then the application MUST either verify that
// certificate i is a CA certificate through out-of-band means
// or reject the certificate. Conforming implementations may
// choose to reject all version 1 and version 2 intermediate
// certificates.)
//
// We choose to reject all version 1 and version 2 intermediate
// certificates except that it is self issued by the trust
// anchor in order to support key rollover or changes in
// certificate policies.
// Start from "not a CA"; only the branches below can change that.
int pathLenConstraint = -1;
if (currCert.getVersion() < 3) { // version 1 or version 2
if (i == 1) { // issued by a trust anchor
if (X509CertImpl.isSelfIssued(currCert)) {
// The one tolerated v1/v2 case: treated as a CA without a path length limit.
pathLenConstraint = Integer.MAX_VALUE;
}
}
} else {
// v3: -1 if not a CA, Integer.MAX_VALUE if a CA without pathLenConstraint,
// otherwise the pathLenConstraint itself.
pathLenConstraint = currCert.getBasicConstraints();
}
if (pathLenConstraint == -1) {
throw new CertPathValidatorException
(msg + " check failed: this is not a CA certificate",
null, null, -1, PKIXReason.NOT_CA_CERT);
}
// Self-issued certificates are exempt from the path length accounting.
if (!X509CertImpl.isSelfIssued(currCert)) {
if (maxPathLength <= 0) {
throw new CertPathValidatorException
(msg + " check failed: pathLenConstraint violated - "
+ "this cert must be the last cert in the "
+ "certification path", null, null, -1,
PKIXReason.PATH_TOO_LONG);
}
maxPathLength--;
}
// A CA can only narrow the budget for the certificates that follow, never widen it.
if (pathLenConstraint < maxPathLength)
maxPathLength = pathLenConstraint;
}
if (debug != null) {
debug.println("after processing, maxPathLength = " + maxPathLength);
debug.println(msg + " verified.");
}
}
示例13: updateState
import java.security.cert.X509Certificate; //导入方法依赖的package包/类
/**
 * Update the state with the next certificate added to the path.
 *
 * <p>Records the certificate and its issuer DN, notes whether its public key is a DSA key
 * without parameters, counts it as a traversed CA certificate when applicable, and adds its
 * subject name and subject alternative names to {@code subjectNamesTraversed}. A
 * {@code null} certificate leaves the state untouched.
 *
 * <p>NOTE(review): {@code init} appears to be true only while the first certificate is being
 * processed (the comment in the body refers to it as the EE cert); it is a field of the
 * enclosing class, confirm there.
 *
 * @param cert the certificate which is used to update the state
 * @throws CertificateException if the certificate cannot be converted by
 *         {@code X509CertImpl.toImpl}
 * @throws IOException declared by the overridden method; an IOException raised while reading
 *         the subject alternative names is rethrown as CertPathValidatorException instead
 * @throws CertPathValidatorException if the subject alternative names cannot be read
 */
@Override
public void updateState(X509Certificate cert)
throws CertificateException, IOException, CertPathValidatorException {
if (cert == null)
return;
X509CertImpl icert = X509CertImpl.toImpl(cert);
/* see if certificate key has null parameters */
if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
keyParamsNeededFlag = true;
}
/* update certificate */
this.cert = icert;
/* update issuer DN */
issuerDN = cert.getIssuerX500Principal();
if (!X509CertImpl.isSelfIssued(cert)) {
/*
 * update traversedCACerts only if this is a non-self-issued
 * intermediate CA cert
 */
// getBasicConstraints() != -1 is the "is a CA" test; the first certificate is excluded
// through the init flag.
if (!init && cert.getBasicConstraints() != -1) {
traversedCACerts++;
}
}
/* update subjectNamesTraversed only if this is the EE cert or if
this cert is not self-issued */
if (init || !X509CertImpl.isSelfIssued(cert)){
X500Principal subjName = cert.getSubjectX500Principal();
subjectNamesTraversed.add(X500Name.asX500Name(subjName));
try {
SubjectAlternativeNameExtension subjAltNameExt
= icert.getSubjectAlternativeNameExtension();
if (subjAltNameExt != null) {
GeneralNames gNames = subjAltNameExt.get(
SubjectAlternativeNameExtension.SUBJECT_NAME);
for (GeneralName gName : gNames.names()) {
subjectNamesTraversed.add(gName.getName());
}
}
} catch (IOException e) {
// The stack trace is printed only when debug output is enabled; the failure itself is
// always propagated as a validation error.
if (debug != null) {
debug.println("ForwardState.updateState() unexpected "
+ "exception");
e.printStackTrace();
}
throw new CertPathValidatorException(e);
}
}
// From here on the state no longer describes the first certificate.
init = false;
}