Java Code Examples for java.security.cert.CertPathValidatorException.BasicReason#REVOKED

The following examples show how to use java.security.cert.CertPathValidatorException.BasicReason#REVOKED.
Example 1
Source File: CircularCRLOneLevelRevoked.java — from jdk8u_jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // Validation must not succeed: the target certificate is expected
        // to be reported as revoked.
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 2
Source File: CircularCRLTwoLevel.java — from openjdk-jdk9 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 3
Source File: CircularCRLTwoLevelRevoked.java — from TencentKona-8 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // Validation must not succeed: the target certificate is expected
        // to be reported as revoked.
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 4
Source File: CircularCRLOneLevel.java — from openjdk-8-source (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 5
Source File: CircularCRLOneLevel.java — from hottub (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 6
Source File: FailoverToCRL.java — from openjdk-8 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker may consult
    pkixParams.setRevocationEnabled(true);

    // Both OCSP and CRL distribution point lookup are switched on ...
    Security.setProperty("ocsp.enable", "true");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    // ... but no responder URL may be configured. The test name suggests it
    // relies on OCSP being unreachable so that the revocation checker fails
    // over to the CRL store; a configured responder would defeat that.
    if (Security.getProperty("ocsp.responderURL") != null) {
        throw new Exception("The ocsp.responderURL property must not be set");
    }

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 7
Source File: CircularCRLOneLevel.java — from jdk8u-jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 8
Source File: FailoverToCRL.java — from dragonwell8_jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker may consult
    pkixParams.setRevocationEnabled(true);

    // Both OCSP and CRL distribution point lookup are switched on ...
    Security.setProperty("ocsp.enable", "true");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    // ... but no responder URL may be configured. The test name suggests it
    // relies on OCSP being unreachable so that the revocation checker fails
    // over to the CRL store; a configured responder would defeat that.
    if (Security.getProperty("ocsp.responderURL") != null) {
        throw new Exception("The ocsp.responderURL property must not be set");
    }

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 9
Source File: FailoverToCRL.java — from openjdk-jdk9 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker may consult
    pkixParams.setRevocationEnabled(true);

    // Both OCSP and CRL distribution point lookup are switched on ...
    Security.setProperty("ocsp.enable", "true");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    // ... but no responder URL may be configured. The test name suggests it
    // relies on OCSP being unreachable so that the revocation checker fails
    // over to the CRL store; a configured responder would defeat that.
    if (Security.getProperty("ocsp.responderURL") != null) {
        throw new Exception("The ocsp.responderURL property must not be set");
    }

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // A successful validation is accepted; only the failure mode is
        // constrained by this test.
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 10
Source File: CertificateMessage.java — from Bytecoder (Apache License 2.0)
/**
 * Maps a certificate-check failure raised by an {@link X509TrustManager}
 * to the TLS alert that should be sent to the peer.
 *
 * Only a {@link CertPathValidatorException} cause is inspected. Any other
 * cause, and any reason not listed in the body, yields
 * {@code CERTIFICATE_UNKNOWN}. While OCSP stapling is active, both
 * revocation-related reasons are reported as
 * {@code BAD_CERT_STATUS_RESPONSE} instead of the certificate alerts.
 *
 * @param chc  the client handshake context; only {@code staplingActive}
 *             is consulted
 * @param cexc the exception thrown by the {@link X509TrustManager}
 *
 * @return the {@link Alert} describing the failure
 */
private static Alert getCertificateAlert(
        ClientHandshakeContext chc, CertificateException cexc) {
    Throwable cause = cexc.getCause();
    if (!(cause instanceof CertPathValidatorException)) {
        return Alert.CERTIFICATE_UNKNOWN;
    }

    Reason reason = ((CertPathValidatorException) cause).getReason();
    if (reason == BasicReason.REVOKED) {
        return chc.staplingActive
                ? Alert.BAD_CERT_STATUS_RESPONSE
                : Alert.CERTIFICATE_REVOKED;
    }
    if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
        return chc.staplingActive
                ? Alert.BAD_CERT_STATUS_RESPONSE
                : Alert.CERTIFICATE_UNKNOWN;
    }
    if (reason == BasicReason.ALGORITHM_CONSTRAINED) {
        return Alert.UNSUPPORTED_CERTIFICATE;
    }
    if (reason == BasicReason.EXPIRED) {
        return Alert.CERTIFICATE_EXPIRED;
    }
    if (reason == BasicReason.INVALID_SIGNATURE
            || reason == BasicReason.NOT_YET_VALID) {
        return Alert.BAD_CERTIFICATE;
    }

    // Every other reason is reported generically.
    return Alert.CERTIFICATE_UNKNOWN;
}
 
Example 11
Source File: CircularCRLOneLevelRevoked.java — from jdk8u-jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // Validation must not succeed: the target certificate is expected
        // to be reported as revoked.
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpected exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 12
Source File: CircularCRLTwoLevelRevoked.java — from jdk8u-jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // The fixture certificates are MD5-signed, so the default algorithm
    // constraints are narrowed for this run: only MD2 and RSA keys shorter
    // than 1024 bits stay disabled. This is a test-only weakening.
    Security.setProperty(
            "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

    CertPath targetPath = generateCertificatePath();
    Set<TrustAnchor> roots = generateTrustAnchors();
    CertStore crlStore = generateCertificateStore();

    // Revocation is checked through CRLs only: OCSP is switched off and
    // CRL distribution point lookup is switched on.
    Security.setProperty("ocsp.enable", "false");
    System.setProperty("com.sun.security.enableCRLDP", "true");

    PKIXParameters pkixParams = new PKIXParameters(roots);
    pkixParams.addCertStore(crlStore);        // CRLs the checker consults
    pkixParams.setRevocationEnabled(true);
    // Fixed validation time so the fixture CRLs are current. The deprecated
    // Date constructor counts years from 1900 and months from 0: this is
    // 2009-06-01 (local time), not 2009-05-01.
    pkixParams.setDate(new Date(109, 5, 1));

    CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
    try {
        pkix.validate(targetPath, pkixParams);
        // Validation must not succeed: the target certificate is expected
        // to be reported as revoked.
        throw new Exception("unexpected status, should be REVOKED");
    } catch (CertPathValidatorException cpve) {
        // Any failure other than a revocation is a test error.
        if (cpve.getReason() != BasicReason.REVOKED) {
            throw new Exception(
                "unexpect exception, should be a REVOKED CPVE", cpve);
        }
    }
}
 
Example 13
Source File: CertificateMessage.java — from openjsse (GNU General Public License v2.0)
/**
 * Maps a certificate-check failure raised by an {@link X509TrustManager}
 * to the TLS alert that should be sent to the peer.
 *
 * Only a {@link CertPathValidatorException} cause is inspected. Any other
 * cause, and any reason not listed in the body, yields
 * {@code CERTIFICATE_UNKNOWN}. While OCSP stapling is active, both
 * revocation-related reasons are reported as
 * {@code BAD_CERT_STATUS_RESPONSE} instead of the certificate alerts.
 *
 * @param chc  the client handshake context; only {@code staplingActive}
 *             is consulted
 * @param cexc the exception thrown by the {@link X509TrustManager}
 *
 * @return the {@link Alert} describing the failure
 */
private static Alert getCertificateAlert(
        ClientHandshakeContext chc, CertificateException cexc) {
    Throwable cause = cexc.getCause();
    if (!(cause instanceof CertPathValidatorException)) {
        return Alert.CERTIFICATE_UNKNOWN;
    }

    Reason reason = ((CertPathValidatorException) cause).getReason();
    if (reason == BasicReason.REVOKED) {
        return chc.staplingActive
                ? Alert.BAD_CERT_STATUS_RESPONSE
                : Alert.CERTIFICATE_REVOKED;
    }
    if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
        return chc.staplingActive
                ? Alert.BAD_CERT_STATUS_RESPONSE
                : Alert.CERTIFICATE_UNKNOWN;
    }
    if (reason == BasicReason.ALGORITHM_CONSTRAINED) {
        return Alert.UNSUPPORTED_CERTIFICATE;
    }
    if (reason == BasicReason.EXPIRED) {
        return Alert.CERTIFICATE_EXPIRED;
    }
    if (reason == BasicReason.INVALID_SIGNATURE
            || reason == BasicReason.NOT_YET_VALID) {
        return Alert.BAD_CERTIFICATE;
    }

    // Every other reason is reported generically.
    return Alert.CERTIFICATE_UNKNOWN;
}
 
Example 14
Source File: RevocationChecker.java — from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Checks the revocation status of {@code cert} through OCSP.
 *
 * A response cached in {@code ocspResponses} for this certificate is reused
 * (and verified); otherwise a request is sent to the explicitly configured
 * responder URI, or to the one {@code OCSP.getResponderURI} obtains from the
 * certificate. A GOOD status, or a REVOKED status whose revocation time is
 * not before the validation date, returns normally.
 *
 * @param cert the certificate whose status is being checked
 * @param unresolvedCritExts not consulted by this method
 * @throws CertPathValidatorException with reason {@code REVOKED} when the
 *         response reports a revocation effective before
 *         {@code params.date()}; with reason
 *         {@code UNDETERMINED_REVOCATION_STATUS} on a network error or an
 *         UNKNOWN status; and without a basic reason when no responder URI
 *         is available or the certificate cannot be converted to
 *         {@code X509CertImpl}
 */
private void checkOCSP(X509Certificate cert,
                       Collection<String> unresolvedCritExts)
    throws CertPathValidatorException
{
    X509CertImpl currCert = null;
    try {
        currCert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        // No basic reason attached: the caller's soft-fail/failover
        // handling decides what this means for the path.
        throw new CertPathValidatorException(ce);
    }

    // The algorithm constraints of the OCSP trusted responder certificate
    // does not need to be checked in this code. The constraints will be
    // checked when the responder's certificate is validated.

    OCSPResponse response = null;
    CertId certId = null;
    try {
        // The CertId binds the query to the issuer's name and key and to
        // this certificate's serial number.
        certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
                currCert.getSerialNumberObject());

        // check if there is a cached OCSP response available
        byte[] responseBytes = ocspResponses.get(cert);
        if (responseBytes != null) {
            if (debug != null) {
                debug.println("Found cached OCSP response");
            }
            response = new OCSPResponse(responseBytes);

            // verify the response: a cached response skips the network
            // round trip but is still verified like a fresh one.
            // The nonce is the value of the last OCSP nonce extension
            // (OID 1.3.6.1.5.5.7.48.1.2) found in ocspExtensions, or null
            // when none is present.
            byte[] nonce = null;
            for (Extension ext : ocspExtensions) {
                if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
                    nonce = ext.getValue();
                }
            }
            // NOTE(review): presumably verify() checks the response against
            // certId, the responder/issuer identity, the validation date and
            // the nonce — confirm against OCSPResponse.verify.
            response.verify(Collections.singletonList(certId), issuerInfo,
                    responderCert, params.date(), nonce, params.variant());

        } else {
            // An explicitly configured responder URI takes precedence over
            // the one carried by the certificate.
            URI responderURI = (this.responderURI != null)
                               ? this.responderURI
                               : OCSP.getResponderURI(currCert);
            if (responderURI == null) {
                // No basic reason attached, so this is not a REVOKED result.
                throw new CertPathValidatorException(
                    "Certificate does not specify OCSP responder", null,
                    null, -1);
            }

            // NOTE(review): the null argument is presumably the validation
            // date, left for OCSP.check to default — confirm against
            // OCSP.check.
            response = OCSP.check(Collections.singletonList(certId),
                    responderURI, issuerInfo, responderCert, null,
                    ocspExtensions, params.variant());
        }
    } catch (IOException e) {
        // Network trouble is reported as UNDETERMINED_REVOCATION_STATUS,
        // not REVOKED; the caller decides whether that may soft-fail.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    RevocationStatus rs =
        (RevocationStatus)response.getSingleResponse(certId);
    RevocationStatus.CertStatus certStatus = rs.getCertStatus();
    if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        Date revocationTime = rs.getRevocationTime();
        // Only a revocation effective before the validation date counts;
        // a revocation dated at or after it leaves the certificate
        // acceptable at that date and the method returns normally.
        if (revocationTime.before(params.date())) {
            Throwable t = new CertificateRevokedException(
                revocationTime, rs.getRevocationReason(),
                response.getSignerCertificate().getSubjectX500Principal(),
                rs.getSingleExtensions());
            throw new CertPathValidatorException(t.getMessage(), t, null,
                                                 -1, BasicReason.REVOKED);
        }
    } else if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
        // UNKNOWN is not treated as revoked: it is reported as undetermined,
        // like a network failure, and carries the cert path under check.
        throw new CertPathValidatorException(
            "Certificate's revocation status is unknown", null,
            params.certPath(), -1,
            BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    // Any other status (GOOD) falls through: the certificate is not revoked.
}
 
Example 15
Source File: RevocationChecker.java — from jdk8u-dev-jdk (GNU General Public License v2.0)
/**
 * Checks the revocation status of {@code cert} through OCSP.
 *
 * A response cached in {@code ocspResponses} for this certificate is reused
 * (and verified); otherwise a request is sent to the explicitly configured
 * responder URI, or to the one {@code OCSP.getResponderURI} obtains from the
 * certificate. A GOOD status, or a REVOKED status whose revocation time is
 * not before the validation date, returns normally.
 *
 * @param cert the certificate whose status is being checked
 * @param unresolvedCritExts not consulted by this method
 * @throws CertPathValidatorException with reason {@code REVOKED} when the
 *         response reports a revocation effective before
 *         {@code params.date()}; with reason
 *         {@code UNDETERMINED_REVOCATION_STATUS} on a network error or an
 *         UNKNOWN status; and without a basic reason when no responder URI
 *         is available or the certificate cannot be converted to
 *         {@code X509CertImpl}
 */
private void checkOCSP(X509Certificate cert,
                       Collection<String> unresolvedCritExts)
    throws CertPathValidatorException
{
    X509CertImpl currCert = null;
    try {
        currCert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        // No basic reason attached: the caller's soft-fail/failover
        // handling decides what this means for the path.
        throw new CertPathValidatorException(ce);
    }

    // The algorithm constraints of the OCSP trusted responder certificate
    // does not need to be checked in this code. The constraints will be
    // checked when the responder's certificate is validated.

    OCSPResponse response = null;
    CertId certId = null;
    try {
        // The CertId binds the query to the issuer and to this certificate's
        // serial number. The issuer is either a real certificate or, for a
        // path that starts directly at a trust anchor, the anchor's name
        // and key.
        if (issuerCert != null) {
            certId = new CertId(issuerCert,
                                currCert.getSerialNumberObject());
        } else {
            // must be an anchor name and key
            certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(),
                                currCert.getSerialNumberObject());
        }

        // check if there is a cached OCSP response available
        byte[] responseBytes = ocspResponses.get(cert);
        if (responseBytes != null) {
            if (debug != null) {
                debug.println("Found cached OCSP response");
            }
            response = new OCSPResponse(responseBytes);

            // verify the response: a cached response skips the network
            // round trip but is still verified like a fresh one.
            // The nonce is the value of the last OCSP nonce extension
            // (OID 1.3.6.1.5.5.7.48.1.2) found in ocspExtensions, or null
            // when none is present.
            byte[] nonce = null;
            for (Extension ext : ocspExtensions) {
                if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
                    nonce = ext.getValue();
                }
            }
            // NOTE(review): presumably verify() checks the response against
            // certId, the issuer/responder identity, the validation date
            // and the nonce — confirm against OCSPResponse.verify. Note
            // issuerCert may be null here (anchor case).
            response.verify(Collections.singletonList(certId), issuerCert,
                            responderCert, params.date(), nonce);

        } else {
            // An explicitly configured responder URI takes precedence over
            // the one carried by the certificate.
            URI responderURI = (this.responderURI != null)
                               ? this.responderURI
                               : OCSP.getResponderURI(currCert);
            if (responderURI == null) {
                // No basic reason attached, so this is not a REVOKED result.
                throw new CertPathValidatorException(
                    "Certificate does not specify OCSP responder", null,
                    null, -1);
            }

            // NOTE(review): the null argument is presumably the validation
            // date, left for OCSP.check to default — confirm against
            // OCSP.check.
            response = OCSP.check(Collections.singletonList(certId),
                                  responderURI, issuerCert, responderCert,
                                  null, ocspExtensions);
        }
    } catch (IOException e) {
        // Network trouble is reported as UNDETERMINED_REVOCATION_STATUS,
        // not REVOKED; the caller decides whether that may soft-fail.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    RevocationStatus rs =
        (RevocationStatus)response.getSingleResponse(certId);
    RevocationStatus.CertStatus certStatus = rs.getCertStatus();
    if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        Date revocationTime = rs.getRevocationTime();
        // Only a revocation effective before the validation date counts;
        // a revocation dated at or after it leaves the certificate
        // acceptable at that date and the method returns normally.
        if (revocationTime.before(params.date())) {
            Throwable t = new CertificateRevokedException(
                revocationTime, rs.getRevocationReason(),
                response.getSignerCertificate().getSubjectX500Principal(),
                rs.getSingleExtensions());
            throw new CertPathValidatorException(t.getMessage(), t, null,
                                                 -1, BasicReason.REVOKED);
        }
    } else if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
        // UNKNOWN is not treated as revoked: it is reported as undetermined,
        // like a network failure, and carries the cert path under check.
        throw new CertPathValidatorException(
            "Certificate's revocation status is unknown", null,
            params.certPath(), -1,
            BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    // Any other status (GOOD) falls through: the certificate is not revoked.
}
 
Example 16
Source File: RevocationChecker.java — from openjdk-8-source (GNU General Public License v2.0)
/**
 * Final sweep of the CRL path: looks {@code cert} up in every CRL that has
 * already been accepted and fails the check if an entry for it is found.
 *
 * Only revocations dated before the validation date
 * ({@code params.date()}) are reported; an entry with a later date is
 * ignored and the remaining CRLs are still examined. The first qualifying
 * entry ends the sweep.
 *
 * @param cert the certificate being checked
 * @param approvedCRLs the CRLs that passed validation for this certificate
 * @throws CertPathValidatorException with reason {@code REVOKED} when a
 *         qualifying entry is found; without a basic reason when the entry
 *         cannot be converted to {@code X509CRLEntryImpl} or carries an
 *         unrecognized critical extension
 */
private void checkApprovedCRLs(X509Certificate cert,
                               Set<X509CRL> approvedCRLs)
    throws CertPathValidatorException
{
    if (debug != null) {
        debug.println("RevocationChecker.checkApprovedCRLs() " +
                      "starting the final sweep...");
        debug.println("RevocationChecker.checkApprovedCRLs()" +
                      " cert SN: " + cert.getSerialNumber().toString());
    }

    for (X509CRL crl : approvedCRLs) {
        X509CRLEntry revokedEntry = crl.getRevokedCertificate(cert);
        if (revokedEntry == null) {
            continue;
        }

        X509CRLEntryImpl entry;
        try {
            entry = X509CRLEntryImpl.toImpl(revokedEntry);
        } catch (CRLException ce) {
            throw new CertPathValidatorException(ce);
        }
        if (debug != null) {
            debug.println("RevocationChecker.checkApprovedCRLs()"
                + " CRL entry: " + entry.toString());
        }

        // RFC 3280 section 5.3: an unrecognized critical CRL entry
        // extension must abort processing. The reason-code and
        // certificate-issuer extensions are the only ones handled here,
        // so they are dropped from the set before the emptiness check.
        Set<String> criticalExts = entry.getCriticalExtensionOIDs();
        if (criticalExts != null && !criticalExts.isEmpty()) {
            criticalExts.remove(ReasonCode_Id.toString());
            criticalExts.remove(CertificateIssuer_Id.toString());
            if (!criticalExts.isEmpty()) {
                throw new CertPathValidatorException(
                    "Unrecognized critical extension(s) in revoked " +
                    "CRL entry");
            }
        }

        // A missing reason code is reported as UNSPECIFIED.
        CRLReason reason = entry.getRevocationReason();
        if (reason == null) {
            reason = CRLReason.UNSPECIFIED;
        }

        // A revocation dated at or after the validation time is not yet in
        // effect at that time, so the entry does not fail the check.
        Date revokedAt = entry.getRevocationDate();
        if (revokedAt.before(params.date())) {
            Throwable t = new CertificateRevokedException(
                revokedAt, reason, crl.getIssuerX500Principal(),
                entry.getExtensions());
            throw new CertPathValidatorException(
                t.getMessage(), t, null, -1, BasicReason.REVOKED);
        }
    }
}
 
Example 17
Source File: RevocationChecker.java — from openjdk-8 (GNU General Public License v2.0)
/**
 * Final sweep of the CRL path: looks {@code cert} up in every CRL that has
 * already been accepted and fails the check if an entry for it is found.
 *
 * Only revocations dated before the validation date
 * ({@code params.date()}) are reported; an entry with a later date is
 * ignored and the remaining CRLs are still examined. The first qualifying
 * entry ends the sweep.
 *
 * @param cert the certificate being checked
 * @param approvedCRLs the CRLs that passed validation for this certificate
 * @throws CertPathValidatorException with reason {@code REVOKED} when a
 *         qualifying entry is found; without a basic reason when the entry
 *         cannot be converted to {@code X509CRLEntryImpl} or carries an
 *         unrecognized critical extension
 */
private void checkApprovedCRLs(X509Certificate cert,
                               Set<X509CRL> approvedCRLs)
    throws CertPathValidatorException
{
    if (debug != null) {
        debug.println("RevocationChecker.checkApprovedCRLs() " +
                      "starting the final sweep...");
        debug.println("RevocationChecker.checkApprovedCRLs()" +
                      " cert SN: " + cert.getSerialNumber().toString());
    }

    for (X509CRL crl : approvedCRLs) {
        X509CRLEntry revokedEntry = crl.getRevokedCertificate(cert);
        if (revokedEntry == null) {
            continue;
        }

        X509CRLEntryImpl entry;
        try {
            entry = X509CRLEntryImpl.toImpl(revokedEntry);
        } catch (CRLException ce) {
            throw new CertPathValidatorException(ce);
        }
        if (debug != null) {
            debug.println("RevocationChecker.checkApprovedCRLs()"
                + " CRL entry: " + entry.toString());
        }

        // RFC 3280 section 5.3: an unrecognized critical CRL entry
        // extension must abort processing. The reason-code and
        // certificate-issuer extensions are the only ones handled here,
        // so they are dropped from the set before the emptiness check.
        Set<String> criticalExts = entry.getCriticalExtensionOIDs();
        if (criticalExts != null && !criticalExts.isEmpty()) {
            criticalExts.remove(ReasonCode_Id.toString());
            criticalExts.remove(CertificateIssuer_Id.toString());
            if (!criticalExts.isEmpty()) {
                throw new CertPathValidatorException(
                    "Unrecognized critical extension(s) in revoked " +
                    "CRL entry");
            }
        }

        // A missing reason code is reported as UNSPECIFIED.
        CRLReason reason = entry.getRevocationReason();
        if (reason == null) {
            reason = CRLReason.UNSPECIFIED;
        }

        // A revocation dated at or after the validation time is not yet in
        // effect at that time, so the entry does not fail the check.
        Date revokedAt = entry.getRevocationDate();
        if (revokedAt.before(params.date())) {
            Throwable t = new CertificateRevokedException(
                revokedAt, reason, crl.getIssuerX500Principal(),
                entry.getExtensions());
            throw new CertPathValidatorException(
                t.getMessage(), t, null, -1, BasicReason.REVOKED);
        }
    }
}
 
Example 18
Source File: RevocationChecker.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Runs the configured revocation check for {@code xcert}, failing over to
 * the alternate mechanism when the preferred one cannot reach a verdict.
 * <p>
 * When {@code onlyEE} is set, a certificate whose basic constraints are
 * not {@code -1} (i.e. a CA certificate) is skipped. In an {@code ONLY_*}
 * mode a soft-fail exception from the single mechanism lets the check
 * return normally and any other failure propagates. In a {@code PREFER_*}
 * mode the other mechanism is tried next; the check then passes only when
 * both attempts were soft failures, otherwise the first exception is
 * rethrown with a hard failover failure attached as suppressed. A
 * {@link BasicReason#REVOKED} result from either attempt is always
 * propagated at once. {@code updateState(xcert)} runs on every exit path.
 *
 * @param xcert the certificate whose revocation status is checked
 * @param unresolvedCritExts critical extensions not yet handled, passed
 *        through to the OCSP and CRL checks
 * @param pubKey passed through to the CRL check
 * @param crlSignFlag passed through to the CRL check
 * @throws CertPathValidatorException if the certificate is revoked, or if
 *         its status could not be determined and the failure is not
 *         tolerated as a soft failure
 */
private void check(X509Certificate xcert,
                   Collection<String> unresolvedCritExts,
                   PublicKey pubKey, boolean crlSignFlag)
    throws CertPathValidatorException
{
    if (debug != null) {
        debug.println("RevocationChecker.check: checking cert" +
            "\n  SN: " + Debug.toHexString(xcert.getSerialNumber()) +
            "\n  Subject: " + xcert.getSubjectX500Principal() +
            "\n  Issuer: " + xcert.getIssuerX500Principal());
    }
    try {
        // CA certificates are left alone when only end entities are checked.
        if (onlyEE && xcert.getBasicConstraints() != -1) {
            if (debug != null) {
                debug.println("Skipping revocation check; cert is not " +
                              "an end entity cert");
            }
            return;
        }
        // Preferred mechanism first.
        if (mode == Mode.PREFER_OCSP || mode == Mode.ONLY_OCSP) {
            checkOCSP(xcert, unresolvedCritExts);
        } else if (mode == Mode.PREFER_CRLS || mode == Mode.ONLY_CRLS) {
            checkCRLs(xcert, unresolvedCritExts, null, pubKey, crlSignFlag);
        }
    } catch (CertPathValidatorException primary) {
        // A definite revocation is never masked by failover.
        if (primary.getReason() == BasicReason.REVOKED) {
            throw primary;
        }
        boolean primarySoft = isSoftFailException(primary);
        boolean singleMechanism =
            (mode == Mode.ONLY_OCSP || mode == Mode.ONLY_CRLS);
        if (singleMechanism) {
            // No alternate mechanism: tolerate soft failures, rethrow the rest.
            if (primarySoft) {
                return;
            }
            throw primary;
        }
        if (debug != null) {
            debug.println("RevocationChecker.check() " + primary.getMessage());
            debug.println("RevocationChecker.check() preparing to failover");
        }
        try {
            switch (mode) {
                case PREFER_OCSP:
                    checkCRLs(xcert, unresolvedCritExts, null,
                              pubKey, crlSignFlag);
                    break;
                case PREFER_CRLS:
                    checkOCSP(xcert, unresolvedCritExts);
                    break;
            }
        } catch (CertPathValidatorException failover) {
            if (debug != null) {
                debug.println("RevocationChecker.check() failover failed");
                debug.println("RevocationChecker.check() " + failover.getMessage());
            }
            if (failover.getReason() == BasicReason.REVOKED) {
                throw failover;
            }
            if (!isSoftFailException(failover)) {
                // Hard failover failure: report the primary, keep the second.
                primary.addSuppressed(failover);
                throw primary;
            }
            if (!primarySoft) {
                throw primary;
            }
            // Both attempts were soft failures: the status stays
            // undetermined and the check passes.
        }
    } finally {
        updateState(xcert);
    }
}
 
Example 19
Source File: RevocationChecker.java    From hottub with GNU General Public License v2.0
/**
 * Performs the revocation check for one certificate using the configured
 * mechanism, with failover to the other mechanism in the PREFER modes.
 * <p>
 * If {@code onlyEE} is set and the certificate is a CA certificate
 * (basic constraints other than {@code -1}) nothing is checked. A result
 * of {@link BasicReason#REVOKED} from any attempt is rethrown
 * immediately. In the {@code ONLY_*} modes a soft-fail exception is
 * tolerated (the method returns) and any other exception propagates. In
 * the {@code PREFER_*} modes the alternate mechanism runs after a
 * non-revoked failure; a hard failure there is attached to the first
 * exception as suppressed and the first exception is thrown, a soft
 * failure there is tolerated only if the first failure was soft as well.
 * {@code updateState(xcert)} is always invoked before returning.
 *
 * @param xcert the certificate to check
 * @param unresolvedCritExts critical extensions still unresolved, handed
 *        to the OCSP and CRL checks
 * @param pubKey handed to the CRL check
 * @param crlSignFlag handed to the CRL check
 * @throws CertPathValidatorException when the certificate is revoked or
 *         its status is undetermined and that is not a tolerated soft
 *         failure
 */
private void check(X509Certificate xcert,
                   Collection<String> unresolvedCritExts,
                   PublicKey pubKey, boolean crlSignFlag)
    throws CertPathValidatorException
{
    if (debug != null) {
        debug.println("RevocationChecker.check: checking cert" +
            "\n  SN: " + Debug.toHexString(xcert.getSerialNumber()) +
            "\n  Subject: " + xcert.getSubjectX500Principal() +
            "\n  Issuer: " + xcert.getIssuerX500Principal());
    }
    try {
        boolean isCaCert = xcert.getBasicConstraints() != -1;
        if (onlyEE && isCaCert) {
            if (debug != null) {
                debug.println("Skipping revocation check; cert is not " +
                              "an end entity cert");
            }
            return;
        }
        switch (mode) {
            case PREFER_OCSP:
            case ONLY_OCSP:
                checkOCSP(xcert, unresolvedCritExts);
                break;
            case PREFER_CRLS:
            case ONLY_CRLS:
                checkCRLs(xcert, unresolvedCritExts, null,
                          pubKey, crlSignFlag);
                break;
        }
    } catch (CertPathValidatorException firstFailure) {
        if (firstFailure.getReason() == BasicReason.REVOKED) {
            throw firstFailure;
        }
        boolean firstSoft = isSoftFailException(firstFailure);
        boolean noFailover =
            (mode == Mode.ONLY_OCSP || mode == Mode.ONLY_CRLS);
        if (noFailover && firstSoft) {
            // Soft failure with nothing to fall back on: tolerated.
            return;
        }
        if (noFailover) {
            throw firstFailure;
        }
        if (debug != null) {
            debug.println("RevocationChecker.check() " + firstFailure.getMessage());
            debug.println("RevocationChecker.check() preparing to failover");
        }
        try {
            // Try whichever mechanism was not preferred.
            if (mode == Mode.PREFER_OCSP) {
                checkCRLs(xcert, unresolvedCritExts, null,
                          pubKey, crlSignFlag);
            } else if (mode == Mode.PREFER_CRLS) {
                checkOCSP(xcert, unresolvedCritExts);
            }
        } catch (CertPathValidatorException secondFailure) {
            if (debug != null) {
                debug.println("RevocationChecker.check() failover failed");
                debug.println("RevocationChecker.check() " + secondFailure.getMessage());
            }
            if (secondFailure.getReason() == BasicReason.REVOKED) {
                throw secondFailure;
            }
            boolean secondSoft = isSoftFailException(secondFailure);
            if (!secondSoft) {
                firstFailure.addSuppressed(secondFailure);
                throw firstFailure;
            }
            // Only a soft failure on both attempts lets the check pass.
            if (!firstSoft) {
                throw firstFailure;
            }
        }
    } finally {
        updateState(xcert);
    }
}
 
Example 20
Source File: RevocationChecker.java    From Bytecoder with Apache License 2.0
/**
 * Determines the revocation status of {@code cert} through OCSP.
 * <p>
 * If a response for the certificate is cached in {@code ocspResponses} it
 * is parsed and verified against the nonce carried in
 * {@code ocspExtensions} (the last nonce extension in the list wins).
 * Otherwise the responder is queried at {@code responderURI} when that is
 * configured, else at the URI advertised by the certificate itself.
 * A REVOKED status raises a {@link BasicReason#REVOKED} failure only when
 * the revocation time lies before the validation date; a later revocation
 * time leaves the certificate valid for that date. An UNKNOWN status is
 * reported as {@link BasicReason#UNDETERMINED_REVOCATION_STATUS}, as is
 * any I/O failure while obtaining or parsing the response.
 *
 * @param cert the certificate whose status is queried
 * @param unresolvedCritExts not consulted by this method
 * @throws CertPathValidatorException if the certificate cannot be
 *         converted, no responder URI is available, the response cannot be
 *         obtained or verified, or the status is REVOKED or UNKNOWN
 */
private void checkOCSP(X509Certificate cert,
                       Collection<String> unresolvedCritExts)
    throws CertPathValidatorException
{
    // id-pkix-ocsp-nonce
    final String nonceOid = "1.3.6.1.5.5.7.48.1.2";

    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }

    // Algorithm constraints on the trusted responder certificate are
    // enforced when that certificate is itself validated, not here.

    CertId certId;
    OCSPResponse response;
    try {
        certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
                certImpl.getSerialNumberObject());

        byte[] cachedResponse = ocspResponses.get(cert);
        if (cachedResponse == null) {
            URI target = this.responderURI;
            if (target == null) {
                target = OCSP.getResponderURI(certImpl);
            }
            if (target == null) {
                throw new CertPathValidatorException(
                    "Certificate does not specify OCSP responder", null,
                    null, -1);
            }
            response = OCSP.check(Collections.singletonList(certId),
                    target, issuerInfo, responderCert, null,
                    ocspExtensions, params.variant());
        } else {
            if (debug != null) {
                debug.println("Found cached OCSP response");
            }
            response = new OCSPResponse(cachedResponse);

            // A cached response must still verify against our own nonce.
            byte[] expectedNonce = null;
            for (Extension ext : ocspExtensions) {
                if (ext.getId().equals(nonceOid)) {
                    expectedNonce = ext.getValue();
                }
            }
            response.verify(Collections.singletonList(certId), issuerInfo,
                    responderCert, params.date(), expectedNonce,
                    params.variant());
        }
    } catch (IOException e) {
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    RevocationStatus status =
        (RevocationStatus) response.getSingleResponse(certId);
    RevocationStatus.CertStatus certStatus = status.getCertStatus();
    if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
        throw new CertPathValidatorException(
            "Certificate's revocation status is unknown", null,
            params.certPath(), -1,
            BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        Date revokedAt = status.getRevocationTime();
        // A revocation dated after the validation time does not affect
        // validity as of that time.
        if (revokedAt.before(params.date())) {
            Throwable cause = new CertificateRevokedException(
                revokedAt, status.getRevocationReason(),
                response.getSignerCertificate().getSubjectX500Principal(),
                status.getSingleExtensions());
            throw new CertPathValidatorException(cause.getMessage(), cause,
                                                 null, -1, BasicReason.REVOKED);
        }
    }
}