Java Code Examples for java.security.cert.X509CRL#verify()

Example 1
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Finds the first key in {@code keys} whose signature verifies {@code crl}.
 *
 * <p>Each candidate key is tried in the set's iteration order. A candidate that
 * fails verification is skipped and the failure remembered, so that if no key
 * works the most recent failure is reported as the cause.
 *
 * @param crl  the CRL whose signature is to be verified
 * @param keys candidate {@link PublicKey}s (raw {@link Set}; elements are cast)
 * @return the first key that verifies the CRL
 * @throws AnnotatedException if no key verifies the CRL; the cause is the last
 *         verification failure, or {@code null} when {@code keys} is empty
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastFailure = null;
    for (Object candidate : keys)
    {
        PublicKey signingKey = (PublicKey)candidate;
        try
        {
            crl.verify(signingKey);
        }
        catch (Exception e)
        {
            // Any failure (including runtime exceptions) only disqualifies this key.
            lastFailure = e;
            continue;
        }
        return signingKey;
    }
    throw new AnnotatedException("Cannot verify CRL.", lastFailure);
}
 
Example 2
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
/**
 * Finds the first key in {@code keys} whose signature verifies {@code crl}.
 *
 * <p>Each candidate key is tried in the set's iteration order. A candidate that
 * fails verification is skipped and the failure remembered, so that if no key
 * works the most recent failure is reported as the cause.
 *
 * @param crl  the CRL whose signature is to be verified
 * @param keys candidate {@link PublicKey}s (raw {@link Set}; elements are cast)
 * @return the first key that verifies the CRL
 * @throws AnnotatedException if no key verifies the CRL; the cause is the last
 *         verification failure, or {@code null} when {@code keys} is empty
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastFailure = null;
    for (Object candidate : keys)
    {
        PublicKey signingKey = (PublicKey)candidate;
        try
        {
            crl.verify(signingKey);
        }
        catch (Exception e)
        {
            // Any failure (including runtime exceptions) only disqualifies this key.
            lastFailure = e;
            continue;
        }
        return signingKey;
    }
    throw new AnnotatedException("Cannot verify CRL.", lastFailure);
}
 
Example 3
Source File: X509Utils.java    From nomulus with Apache License 2.0
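/**
 * Checks if an X.509 CRL you downloaded can safely replace your current CRL.
 *
 * <p>This routine makes sure {@code newCrl} is signed by {@code rootCert} and that its timestamps
 * are correct with respect to {@code now}. The signature is checked first, so no field of the
 * untrusted {@code newCrl} is relied on (or echoed into an error message) before it has been
 * authenticated.
 *
 * @param rootCert the trust anchor whose public key must have signed {@code newCrl}
 * @param oldCrl the CRL currently in use; {@code newCrl} must not be older than it
 * @param newCrl the freshly downloaded, not yet trusted CRL
 * @param now the reference time for the freshness check
 * @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
 *         incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.
 */
public static void verifyCrl(
    X509Certificate rootCert, X509CRL oldCrl, @Tainted X509CRL newCrl, Date now)
    throws GeneralSecurityException {
  // Authenticate before trusting any content of the tainted CRL.
  newCrl.verify(rootCert.getPublicKey());
  if (newCrl.getThisUpdate().before(oldCrl.getThisUpdate())) {
    throw new CRLException(String.format(
        "New CRL is more out of date than our current CRL. %s < %s\n%s",
        newCrl.getThisUpdate(), oldCrl.getThisUpdate(), newCrl));
  }
  // nextUpdate is optional in the CRL structure and getNextUpdate() returns null when it is
  // absent; the original dereference would NPE. A CRL that does not say when it expires
  // cannot be shown to be fresh, so it is rejected rather than accepted by accident.
  Date nextUpdate = newCrl.getNextUpdate();
  if (nextUpdate == null) {
    throw new CRLException("CRL has no nextUpdate; cannot establish freshness.\n" + newCrl);
  }
  if (nextUpdate.before(now)) {
    throw new CRLException("CRL has expired.\n" + newCrl);
  }
}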
 
Example 4
Source File: RFC3280CertPathUtilities.java    From ripple-lib-java with ISC License
/**
 * Returns the first delta CRL in {@code deltacrls} whose signature verifies with {@code key}.
 *
 * <p>Candidates are tried in iteration order. A candidate whose verification fails is
 * skipped and the failure remembered; if every candidate fails, the last failure is
 * reported. An empty set yields {@code null} rather than an error.
 *
 * @param deltacrls candidate delta CRLs (raw {@link Set}; elements are cast to {@link X509CRL})
 * @param key       the public key expected to have signed the delta CRL
 * @return the first verifying delta CRL, or {@code null} if {@code deltacrls} is empty
 * @throws AnnotatedException if at least one candidate was tried and none verified
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastFailure = null;

    for (Object candidate : deltacrls)
    {
        X509CRL deltaCrl = (X509CRL)candidate;
        try
        {
            deltaCrl.verify(key);
        }
        catch (Exception e)
        {
            // This candidate is disqualified; keep looking but remember why it failed.
            lastFailure = e;
            continue;
        }
        return deltaCrl;
    }

    if (lastFailure == null)
    {
        return null;
    }
    throw new AnnotatedException("Cannot verify delta CRL.", lastFailure);
}
 
Example 5
Source File: CRLUtils.java    From keycloak with Apache License 2.0
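/**
 * Checks the signature on the CRL and then checks that the first certificate of the chain
 * (the actual certificate of the client) is not listed on the CRL.
 *
 * <p>The CRL issuer certificate is located by issuer name, first in the CA chain supplied with
 * the client certificate and then in the truststore. The name match alone is not trusted: the
 * CRL signature is verified against that certificate's public key before the revocation list
 * is consulted.
 *
 * @param certs The 1st certificate is the actual certificate of the user. The other certificates represent the certificate chain
 * @param crl Given CRL
 * @param session session used for the truststore fallback lookup
 * @throws GeneralSecurityException if some error in validation happens. Typically certificate not valid, CRL issuer certificate not found, or CRL signature not valid
 */
public static void check(X509Certificate[] certs, X509CRL crl, KeycloakSession session) throws GeneralSecurityException {
    if (certs.length < 2) {
        throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
    }

    X500Principal crlIssuerPrincipal = crl.getIssuerX500Principal();
    X509Certificate crlSignatureCertificate = null;

    // Try to find the certificate in the CA chain, which was used to sign the CRL
    for (int i = 1; i < certs.length; i++) {
        X509Certificate currentCACert = certs[i];
        if (crlIssuerPrincipal.equals(currentCACert.getSubjectX500Principal())) {
            crlSignatureCertificate = currentCACert;

            log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuerPrincipal);
            break;
        }
    }

    // Try to find the CRL issuer certificate in the truststore
    if (crlSignatureCertificate == null) {
        log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuerPrincipal);
        crlSignatureCertificate = findCRLSignatureCertificateInTruststore(session, certs, crlIssuerPrincipal);
    }

    // If the truststore lookup can come back empty, the original code would NPE on the
    // verify call below. Fail closed with an explicit error instead: a CRL whose signature
    // cannot be checked must not be consulted for revocation.
    if (crlSignatureCertificate == null) {
        throw new GeneralSecurityException(String.format("Not possible to verify signature on CRL. CRL issuer '%s' not found in the CA chain or in the truststore", crlIssuerPrincipal));
    }

    // Verify signature on CRL
    // TODO: It will be nice to cache CRLs and also verify their signatures just once at the time when CRL is loaded, rather than in every request
    crl.verify(crlSignatureCertificate.getPublicKey());
    // NOTE(review): the CRL's validity window (getNextUpdate) is not checked here — confirm freshness is enforced where the CRL is loaded.

    // Finally check whether the client certificate itself is listed as revoked
    if (crl.isRevoked(certs[0])) {
        String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectDN().getName());
        log.debug(message);
        throw new GeneralSecurityException(message);
    }
}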
 
Example 6
Source File: RFC3280CertPathUtilities.java    From RipplePower with Apache License 2.0
/**
 * Returns the first delta CRL in {@code deltacrls} whose signature verifies with {@code key}.
 *
 * <p>Candidates are tried in iteration order. A candidate whose verification fails is
 * skipped and the failure remembered; if every candidate fails, the last failure is
 * reported. An empty set yields {@code null} rather than an error.
 *
 * @param deltacrls candidate delta CRLs (raw {@link Set}; elements are cast to {@link X509CRL})
 * @param key       the public key expected to have signed the delta CRL
 * @return the first verifying delta CRL, or {@code null} if {@code deltacrls} is empty
 * @throws AnnotatedException if at least one candidate was tried and none verified
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastFailure = null;

    for (Object candidate : deltacrls)
    {
        X509CRL deltaCrl = (X509CRL)candidate;
        try
        {
            deltaCrl.verify(key);
        }
        catch (Exception e)
        {
            // This candidate is disqualified; keep looking but remember why it failed.
            lastFailure = e;
            continue;
        }
        return deltaCrl;
    }

    if (lastFailure == null)
    {
        return null;
    }
    throw new AnnotatedException("Cannot verify delta CRL.", lastFailure);
}
 
Example 7
Source File: CRLUtilsX509CRLImpl.java    From dss with GNU Lesser General Public License v2.1
/**
 * Verifies the CRL signature against {@code issuerToken}'s public key and records the
 * outcome in {@code crlValidity}.
 *
 * <p>On success the validity is marked as having an intact signature and the issuer token
 * is attached. On failure the validity is only given an invalidity reason, which is also
 * logged: with the exception at TRACE level, otherwise as a plain warning.
 *
 * @param x509CRL     the CRL whose signature is checked
 * @param issuerToken the candidate issuer whose key is used for verification
 * @param crlValidity the result holder updated by this method
 */
private void checkSignatureValue(final X509CRL x509CRL, final CertificateToken issuerToken, final CRLValidity crlValidity) {
	boolean verified;
	String failure = null;
	GeneralSecurityException cause = null;
	try {
		x509CRL.verify(issuerToken.getPublicKey());
		verified = true;
	} catch (GeneralSecurityException e) {
		verified = false;
		cause = e;
		failure = String.format("CRL Signature cannot be validated : %s", e.getMessage());
	}
	if (verified) {
		crlValidity.setSignatureIntact(true);
		crlValidity.setIssuerToken(issuerToken);
		return;
	}
	if (LOG.isTraceEnabled()) {
		LOG.trace(failure, cause);
	} else {
		LOG.warn(failure);
	}
	crlValidity.setSignatureInvalidityReason(failure);
}
 
Example 8
Source File: TmchCertificateAuthority.java    From nomulus with Apache License 2.0
/**
 * Loads the TMCH CRL for {@code tmchCaMode} and verifies its signature against the
 * corresponding root certificate before returning it.
 *
 * <p>The CRL text comes from the stored {@code TmchCrl} entity when one exists; otherwise the
 * bundled resource for the mode (pilot or production) is read. Either way the parsed CRL is
 * only returned once {@code verify} has succeeded, so a mis-signed CRL never reaches callers.
 *
 * @param tmchCaMode selects the root certificate and the fallback CRL resource
 * @return the verified CRL
 * @throws GeneralSecurityException if the CRL signature does not verify against the root
 *         certificate for {@code tmchCaMode} (the loading helpers may raise it as well)
 */
@Override
public X509CRL load(final TmchCaMode tmchCaMode) throws GeneralSecurityException {
  final TmchCrl storedCrl = TmchCrl.get();
  final String crlContents;
  if (storedCrl != null) {
    crlContents = storedCrl.getCrl();
  } else {
    // Nothing stored yet: fall back to the resource shipped with the build.
    final String file;
    if (tmchCaMode == PILOT) {
      file = CRL_PILOT_FILE;
    } else {
      file = CRL_FILE;
    }
    crlContents = readResourceUtf8(TmchCertificateAuthority.class, file);
  }
  final X509CRL crl = X509Utils.loadCrl(crlContents);
  // Signature check against the trusted root; throws rather than returning an unverified CRL.
  crl.verify(ROOT_CERTS.get(tmchCaMode).getPublicKey());
  return crl;
}
 
Example 9
Source File: X509CRLImpl.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 10
Source File: X509CRLImpl.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 11
Source File: X509CRLImpl.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 12
Source File: X509CRLImpl.java    From hottub with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 13
Source File: X509CRLImpl.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 14
Source File: X509CRLImpl.java    From jdk8u-dev-jdk with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 15
Source File: X509CRLImpl.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 16
Source File: X509CRLImpl.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 17
Source File: X509CRLImpl.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 18
Source File: X509CRLImpl.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}
 
Example 19
Source File: X509CRLImpl.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Default implementation of {@code X509CRL.verify(PublicKey, Provider)}, invoked from
 * {@code java.security.cert.X509CRL.verify(PublicKey key, Provider sigProvider)}.
 *
 * <p>The work is delegated straight to {@code crl}'s own two-argument {@code verify}; this
 * method only supplies the static entry point the API contract expects.
 *
 * @param crl         the CRL to verify
 * @param key         the public key expected to have signed {@code crl}
 * @param sigProvider the provider whose signature implementation is used
 * @throws CRLException             on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException      on incorrect key
 * @throws SignatureException       on signature errors
 */
public static void verify(X509CRL crl, PublicKey key, Provider sigProvider)
        throws CRLException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    crl.verify(key, sigProvider);
}