java.security.cert.CertPathValidatorException.BasicReason Java Examples
The following examples show how to use
java.security.cert.CertPathValidatorException.BasicReason.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: CertificateMessage.java From openjsse with GNU General Public License v2.0 | 6 votes |
|
/**
* When a failure happens during certificate checking from an
* {@link X509TrustManager}, determine what TLS alert description
* to use.
*
* @param cexc The exception thrown by the {@link X509TrustManager}
*
* @return A byte value corresponding to a TLS alert description number.
*/
private static Alert getCertificateAlert(
ClientHandshakeContext chc, CertificateException cexc) {
// The specific reason for the failure will determine how to
// set the alert description value
Alert alert = Alert.CERTIFICATE_UNKNOWN;
Throwable baseCause = cexc.getCause();
if (baseCause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)baseCause;
Reason reason = cpve.getReason();
if (reason == BasicReason.REVOKED) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_REVOKED;
} else if (
reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_UNKNOWN;
}
}
return alert;
}
Example #2
| Source File: CertificateMessage.java From Bytecoder with Apache License 2.0 | 6 votes |
|
/**
* When a failure happens during certificate checking from an
* {@link X509TrustManager}, determine what TLS alert description
* to use.
*
* @param cexc The exception thrown by the {@link X509TrustManager}
*
* @return A byte value corresponding to a TLS alert description number.
*/
private static Alert getCertificateAlert(
ClientHandshakeContext chc, CertificateException cexc) {
// The specific reason for the failure will determine how to
// set the alert description value
Alert alert = Alert.CERTIFICATE_UNKNOWN;
Throwable baseCause = cexc.getCause();
if (baseCause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)baseCause;
Reason reason = cpve.getReason();
if (reason == BasicReason.REVOKED) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_REVOKED;
} else if (
reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_UNKNOWN;
}
}
return alert;
}
Example #3
| Source File: DisabledAlgorithmConstraints.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
Key key = null;
if (cp.getPublicKey() != null) {
key = cp.getPublicKey();
} else if (cp.getCertificate() != null) {
key = cp.getCertificate().getPublicKey();
}
if (key != null && !permitsImpl(key)) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize limits. " +
algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #4
| Source File: DisabledAlgorithmConstraints.java From Bytecoder with Apache License 2.0 | 6 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Check chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits. " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #5
| Source File: DisabledAlgorithmConstraints.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
Key key = null;
if (cp.getPublicKey() != null) {
key = cp.getPublicKey();
} else if (cp.getCertificate() != null) {
key = cp.getCertificate().getPublicKey();
}
if (key != null && !permitsImpl(key)) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize limits. " +
algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #6
| Source File: DisabledAlgorithmConstraints.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Check chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits. " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #7
| Source File: DisabledAlgorithmConstraints.java From Bytecoder with Apache License 2.0 | 6 votes |
|
public final void permits(String algorithm, ConstraintsParameters cp)
throws CertPathValidatorException {
// Check if named curves in the ConstraintParameters are disabled.
if (cp.getNamedCurve() != null) {
for (String curve : cp.getNamedCurve()) {
if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled " +
"algorithm: " + curve,
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
}
algorithmConstraints.permits(algorithm, cp);
}
Example #8
| Source File: DisabledAlgorithmConstraints.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
|
public void permits(CertConstraintParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Return false if the chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #9
| Source File: AlgorithmChecker.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
|
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
static void check(PublicKey key, AlgorithmId algorithmId)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
throw new CertPathValidatorException(
"algorithm check failed: " + sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #10
| Source File: LdapTlsHandshakeExceptionTest.java From directory-ldap-api with Apache License 2.0 | 5 votes |
|
@Test
public void testClassifyCertPathValidatorException()
{
LdapTlsHandshakeException e = new LdapTlsHandshakeException( "msg",
new Exception( new Exception( new Exception( new Exception(
new CertPathValidatorException( "foo", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED ) ) ) ) ) );
assertThat( e.getMessage(), equalTo( "msg, reason: Failed to verify certification path: foo" ) );
}
Example #11
| Source File: RevocationChecker.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
/**
* We have a cert whose revocation status couldn't be verified by
* a CRL issued by the cert that issued the CRL. See if we can
* find a valid CRL issued by a separate key that can verify the
* revocation status of this certificate.
* <p>
* Note that this does not provide support for indirect CRLs,
* only CRLs signed with a different key (but the same issuer
* name) as the certificate being checked.
*
* @param currCert the <code>X509Certificate</code> to be checked
* @param prevKey the <code>PublicKey</code> that failed
* @param signFlag <code>true</code> if that key was trusted to sign CRLs
* @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
* whose revocation status depends on the
* non-revoked status of this cert. To avoid
* circular dependencies, we assume they're
* revoked while checking the revocation
* status of this cert.
* @throws CertPathValidatorException if the cert's revocation status
* cannot be verified successfully with another key
*/
private void verifyWithSeparateSigningKey(X509Certificate cert,
PublicKey prevKey,
boolean signFlag,
Set<X509Certificate> stackedCerts)
throws CertPathValidatorException
{
String msg = "revocation status";
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" ---checking " + msg + "...");
}
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// Try to find another key that might be able to sign
// CRLs vouching for this cert.
// If prevKey wasn't trusted, maybe we just didn't have the right
// path to it. Don't rule that key out.
if (!signFlag) {
buildToNewKey(cert, null, stackedCerts);
} else {
buildToNewKey(cert, prevKey, stackedCerts);
}
}
Example #12
| Source File: CircularCRLOneLevelRevoked.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #13
| Source File: AlgorithmChecker.java From j2objc with Apache License 2.0 | 5 votes |
|
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
static void check(PublicKey key, AlgorithmId algorithmId)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
throw new CertPathValidatorException(
"algorithm check failed: " + sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
Example #14
| Source File: DisabledAlgorithmConstraints.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled " +
"algorithm: " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
Example #15
| Source File: CircularCRLOneLevelRevoked.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #16
| Source File: CircularCRLOneLevel.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #17
| Source File: DisabledAlgorithmConstraints.java From Bytecoder with Apache License 2.0 | 5 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled " +
"algorithm: " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
Example #18
| Source File: RevocationChecker.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
|
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
Example #19
| Source File: RevocationChecker.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
Example #20
| Source File: CircularCRLOneLevel.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #21
| Source File: OCSP.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
/**
* Checks the revocation status of a list of certificates using OCSP.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param issuerInfo the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
static OCSPResponse check(List<CertId> certIds, URI responderURI,
OCSPResponse.IssuerInfo issuerInfo,
X509Certificate responderCert, Date date,
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
byte[] nonce = null;
for (Extension ext : extensions) {
if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
OCSPResponse ocspResponse = null;
try {
byte[] response = getOCSPBytes(certIds, responderURI, extensions);
ocspResponse = new OCSPResponse(response);
// verify the response
ocspResponse.verify(certIds, issuerInfo, responderCert, date,
nonce, variant);
} catch (IOException ioe) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
return ocspResponse;
}
Example #22
| Source File: CircularCRLTwoLevel.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #23
| Source File: DisabledAlgorithmConstraints.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled " +
"algorithm: " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
Example #24
| Source File: FailoverToCRL.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #25
| Source File: DisabledAlgorithmConstraints.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
for (String usage : usages) {
String v = null;
if (usage.compareToIgnoreCase("TLSServer") == 0) {
v = Validator.VAR_TLS_SERVER;
} else if (usage.compareToIgnoreCase("TLSClient") == 0) {
v = Validator.VAR_TLS_CLIENT;
} else if (usage.compareToIgnoreCase("SignedJAR") == 0) {
v = Validator.VAR_PLUGIN_CODE_SIGNING;
}
if (debug != null) {
debug.println("Checking if usage constraint \"" + v +
"\" matches \"" + cp.getVariant() + "\"");
// Because usage checking can come from many places
// a stack trace is very helpful.
ByteArrayOutputStream ba = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(ba);
(new Exception()).printStackTrace(ps);
debug.println(ba.toString());
}
if (cp.getVariant().compareTo(v) == 0) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException("Usage constraint " +
usage + " check failed: " + algorithm +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
}
Example #26
| Source File: RevocationChecker.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
/**
* We have a cert whose revocation status couldn't be verified by
* a CRL issued by the cert that issued the CRL. See if we can
* find a valid CRL issued by a separate key that can verify the
* revocation status of this certificate.
* <p>
* Note that this does not provide support for indirect CRLs,
* only CRLs signed with a different key (but the same issuer
* name) as the certificate being checked.
*
* @param currCert the <code>X509Certificate</code> to be checked
* @param prevKey the <code>PublicKey</code> that failed
* @param signFlag <code>true</code> if that key was trusted to sign CRLs
* @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
* whose revocation status depends on the
* non-revoked status of this cert. To avoid
* circular dependencies, we assume they're
* revoked while checking the revocation
* status of this cert.
* @throws CertPathValidatorException if the cert's revocation status
* cannot be verified successfully with another key
*/
private void verifyWithSeparateSigningKey(X509Certificate cert,
PublicKey prevKey,
boolean signFlag,
Set<X509Certificate> stackedCerts)
throws CertPathValidatorException
{
String msg = "revocation status";
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" ---checking " + msg + "...");
}
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// Try to find another key that might be able to sign
// CRLs vouching for this cert.
// If prevKey wasn't trusted, maybe we just didn't have the right
// path to it. Don't rule that key out.
if (!signFlag) {
buildToNewKey(cert, null, stackedCerts);
} else {
buildToNewKey(cert, prevKey, stackedCerts);
}
}
Example #27
| Source File: FailoverToCRL.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 5 votes |
|
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
Example #28
| Source File: RevocationChecker.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 5 votes |
|
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
Example #29
| Source File: RevocationChecker.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
|
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
Example #30
| Source File: AlgorithmChecker.java From hottub with GNU General Public License v2.0 | 5 votes |
|
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
static void check(PublicKey key, AlgorithmId algorithmId)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
throw new CertPathValidatorException(
"algorithm check failed: " + sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
