
Example 26 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project Bytecoder by mirkosertic.

the class OCSPResponse method verify.

/**
 * Verifies this OCSP response against the certificates that were asked about.
 *
 * <p>Checks are applied in this order, and the first failure throws:
 * <ol>
 *   <li>the response status must be {@code SUCCESSFUL};</li>
 *   <li>every {@code CertId} from the request must have a {@code SingleResponse};</li>
 *   <li>if no signer cert is known yet, one is located by the responder id
 *       (by name or by key identifier) among the certs in {@code certs}, after
 *       the issuer cert and the trusted responder cert have been added to it;</li>
 *   <li>the signer cert must be the issuing CA, the trusted responder, or a
 *       responder certificate issued by the issuing CA that carries the
 *       OCSP-signing extended key usage, passes the algorithm constraints,
 *       is valid at {@code date}, and whose own signature verifies with the
 *       issuer's public key;</li>
 *   <li>the response signature must verify with the signer cert's public key;</li>
 *   <li>when both the request and the response carry a nonce, they must match;</li>
 *   <li>each {@code SingleResponse}'s thisUpdate/nextUpdate interval, widened
 *       by {@code MAX_CLOCK_SKEW}, must contain the evaluation time.</li>
 * </ol>
 *
 * @param certIds       the CertIds that were sent in the OCSP request
 * @param issuerInfo    name, public key, certificate and anchor of the target's issuing CA
 * @param responderCert a trusted responder certificate, or {@code null} if none is configured
 * @param date          the evaluation time, or {@code null} to use the current time
 * @param nonce         the nonce that was sent in the request, or {@code null} if none was sent
 * @param variant       the usage variant handed to {@link AlgorithmChecker}
 * @throws CertPathValidatorException if any of the checks above fails; a
 *         {@code TRY_LATER} or {@code INTERNAL_ERROR} status is reported with
 *         {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
void verify(List<CertId> certIds, IssuerInfo issuerInfo, X509Certificate responderCert, Date date, byte[] nonce, String variant) throws CertPathValidatorException {
    // Only a SUCCESSFUL status carries single responses worth looking at.
    // TRY_LATER and INTERNAL_ERROR are reported with an explicit
    // UNDETERMINED_REVOCATION_STATUS reason; every other status is fatal.
    switch(responseStatus) {
        case SUCCESSFUL:
            break;
        case TRY_LATER:
        case INTERNAL_ERROR:
            throw new CertPathValidatorException("OCSP response error: " + responseStatus, null, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
        case UNAUTHORIZED:
        default:
            throw new CertPathValidatorException("OCSP response error: " + responseStatus);
    }
    // Every CertId that was supplied in the request must be answered by a
    // SingleResponse; a response that omits one is rejected.
    for (CertId certId : certIds) {
        SingleResponse sr = getSingleResponse(certId);
        if (sr == null) {
            if (debug != null) {
                debug.println("No response found for CertId: " + certId);
            }
            throw new CertPathValidatorException("OCSP response does not include a response for a " + "certificate supplied in the OCSP request");
        }
        if (debug != null) {
            debug.println("Status of certificate (with serial number " + certId.getSerialNumber() + ") is: " + sr.getCertStatus());
        }
    }
    // Locate the signer cert (only if it has not already been determined)
    if (signerCert == null) {
        // Add the issuing CA cert and/or the trusted responder cert to the
        // list of certs from the OCSP response, so they are candidates for
        // the responder-id lookup below.
        try {
            if (issuerInfo.getCertificate() != null) {
                certs.add(X509CertImpl.toImpl(issuerInfo.getCertificate()));
            }
            if (responderCert != null) {
                certs.add(X509CertImpl.toImpl(responderCert));
            }
        } catch (CertificateException ce) {
            throw new CertPathValidatorException("Invalid issuer or trusted responder certificate", ce);
        }
        if (respId.getType() == ResponderId.Type.BY_NAME) {
            // byName responder id: first cert whose subject equals the responder name
            X500Principal rName = respId.getResponderName();
            for (X509CertImpl cert : certs) {
                if (cert.getSubjectX500Principal().equals(rName)) {
                    signerCert = cert;
                    break;
                }
            }
        } else if (respId.getType() == ResponderId.Type.BY_KEY) {
            // byKey responder id: first cert whose key identifier matches
            KeyIdentifier ridKeyId = respId.getKeyIdentifier();
            for (X509CertImpl cert : certs) {
                // Match responder's key identifier against the cert's SKID
                // This will match if the SKID is encoded using the 160-bit
                // SHA-1 hash method as defined in RFC 5280.
                KeyIdentifier certKeyId = cert.getSubjectKeyId();
                if (certKeyId != null && ridKeyId.equals(certKeyId)) {
                    signerCert = cert;
                    break;
                } else {
                    // No SKID, or it did not match: compare against a key
                    // identifier derived from the cert's public key using
                    // the 160-bit SHA-1 method.
                    try {
                        certKeyId = new KeyIdentifier(cert.getPublicKey());
                    } catch (IOException e) {
                    // ignore: certKeyId keeps its previous (null or
                    // non-matching) value, so the equals below fails for
                    // this cert and the loop moves on
                    }
                    if (ridKeyId.equals(certKeyId)) {
                        signerCert = cert;
                        break;
                    }
                }
            }
        }
    }
    // Check whether the signer cert returned by the responder is trusted.
    // Exactly one of the three trusted roles must apply; any other signer
    // is rejected outright.
    if (signerCert != null) {
        // Role 1: the response is signed by the issuing CA itself
        // (subject name AND public key must match the issuer info)
        if (signerCert.getSubjectX500Principal().equals(issuerInfo.getName()) && signerCert.getPublicKey().equals(issuerInfo.getPublicKey())) {
            if (debug != null) {
                debug.println("OCSP response is signed by the target's " + "Issuing CA");
            }
        // Role 2: the response is signed by the configured trusted responder
        } else if (signerCert.equals(responderCert)) {
            if (debug != null) {
                debug.println("OCSP response is signed by a Trusted " + "Responder");
            }
        // Role 3: the response is signed by a responder whose cert was
        // issued by the issuing CA (an "authorized responder"); this cert
        // is not trusted a priori, so it is vetted below.
        } else if (signerCert.getIssuerX500Principal().equals(issuerInfo.getName())) {
            // The responder cert must carry the OCSPSigning extended key
            // usage; a missing or unparseable EKU extension is a rejection.
            try {
                List<String> keyPurposes = signerCert.getExtendedKeyUsage();
                if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
                    throw new CertPathValidatorException("Responder's certificate not valid for signing " + "OCSP responses");
                }
            } catch (CertificateParsingException cpe) {
                // assume cert is not valid for signing
                throw new CertPathValidatorException("Responder's certificate not valid for signing " + "OCSP responses", cpe);
            }
            // Check algorithm constraints specified in security property
            // "jdk.certpath.disabledAlgorithms".
            AlgorithmChecker algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date, variant);
            algChecker.init(false);
            algChecker.check(signerCert, Collections.<String>emptySet());
            // The responder cert must be within its validity period at the
            // evaluation time (now, when date is null).
            try {
                if (date == null) {
                    signerCert.checkValidity();
                } else {
                    signerCert.checkValidity(date);
                }
            } catch (CertificateException e) {
                throw new CertPathValidatorException("Responder's certificate not within the " + "validity period", e);
            }
            // check for revocation
            // 
            // A CA may specify that an OCSP client can trust a
            // responder for the lifetime of the responder's
            // certificate. The CA does so by including the
            // extension id-pkix-ocsp-nocheck.
            // 
            Extension noCheck = signerCert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
            if (noCheck != null) {
                if (debug != null) {
                    debug.println("Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
                }
            } else {
            // Intentionally empty: the responder cert is NOT revocation-
            // checked here. We should do the revocation checking of the
            // authorized responder in a future update.
            }
            // The responder cert's own signature must verify with the
            // issuing CA's public key.
            try {
                signerCert.verify(issuerInfo.getPublicKey());
                if (debug != null) {
                    debug.println("OCSP response is signed by an " + "Authorized Responder");
                }
            // cert is trusted, now verify the signed response
            } catch (GeneralSecurityException e) {
                // Signature failure: drop the signer so the "Unable to
                // verify" path below throws. Note that the cause e is not
                // propagated into that exception.
                signerCert = null;
            }
        } else {
            throw new CertPathValidatorException("Responder's certificate is not authorized to sign " + "OCSP responses");
        }
    }
    // Confirm that the response itself was signed with the public key of
    // the trusted signer cert.
    if (signerCert != null) {
        // Check algorithm constraints specified in security property
        // "jdk.certpath.disabledAlgorithms".
        AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant);
        if (!verifySignature(signerCert)) {
            throw new CertPathValidatorException("Error verifying OCSP Response's signature");
        }
    } else {
        // Need responder's cert in order to verify the signature
        throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
    }
    // If the request carried a nonce and the response echoed one, they must
    // match. A response that carries no nonce at all is accepted here, so
    // the nonce only protects against replay when the responder honours it.
    if (nonce != null) {
        if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
            throw new CertPathValidatorException("Nonces don't match");
        }
    }
    // Check freshness of OCSPResponse
    long now = (date == null) ? System.currentTimeMillis() : date.getTime();
    Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
    Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
    for (SingleResponse sr : singleResponseMap.values()) {
        if (debug != null) {
            String until = "";
            if (sr.nextUpdate != null) {
                until = " until " + sr.nextUpdate;
            }
            debug.println("OCSP response validity interval is from " + sr.thisUpdate + until);
            debug.println("Checking validity of OCSP response on: " + new Date(now));
        }
        // Check that the evaluation time is within the validity interval
        // [ thisUpdate - MAX_CLOCK_SKEW,
        //   (nextUpdate, or thisUpdate when there is none) + MAX_CLOCK_SKEW ]
        if (nowPlusSkew.before(sr.thisUpdate) || nowMinusSkew.after(sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate)) {
            throw new CertPathValidatorException("Response is unreliable: its validity " + "interval is out-of-date");
        }
    }
}

Example 27 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project service-proxy by membrane.

the class TrustManagerWrapper method adjustChain.

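/**
 * Replaces every element of {@code chain}, in place, with a wrapper that
 * delegates every {@link X509Certificate} call to the original certificate,
 * except that both {@code checkValidity} overloads return without checking
 * while {@code ignoreTimestampCheckFailure} is set.
 *
 * <p>Validity is the only behaviour that changes: signature verification,
 * names, extensions, encoding, {@code equals} and {@code hashCode} all go
 * straight through to the wrapped certificate. Consequently, any downstream
 * check that relies on {@code checkValidity} (e.g. a trust manager's chain
 * validation) will accept expired or not-yet-valid certificates while the
 * flag is on.
 *
 * @param chain the certificate chain to wrap; each element is replaced
 */
private void adjustChain(X509Certificate[] chain) {
    for (int i = 0; i < chain.length; i++) {
        final X509Certificate x509 = chain[i];
        chain[i] = new X509Certificate() {

            // --- X509Extension methods: plain delegation ---

            @Override
            public boolean hasUnsupportedCriticalExtension() {
                return x509.hasUnsupportedCriticalExtension();
            }

            @Override
            public Set<String> getCriticalExtensionOIDs() {
                return x509.getCriticalExtensionOIDs();
            }

            // equals/hashCode delegate together so wrappers compare like the
            // certificates they wrap.
            @Override
            public boolean equals(Object other) {
                return x509.equals(other);
            }

            @Override
            public int hashCode() {
                return x509.hashCode();
            }

            @Override
            public Set<String> getNonCriticalExtensionOIDs() {
                return x509.getNonCriticalExtensionOIDs();
            }

            // --- Certificate methods: plain delegation ---

            @Override
            public byte[] getEncoded() throws CertificateEncodingException {
                return x509.getEncoded();
            }

            @Override
            public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
                x509.verify(key);
            }

            @Override
            public byte[] getExtensionValue(String oid) {
                return x509.getExtensionValue(oid);
            }

            @Override
            public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
                x509.verify(key, sigProvider);
            }

            // --- X509Certificate accessors: plain delegation ---

            @Override
            public int getVersion() {
                return x509.getVersion();
            }

            @Override
            public BigInteger getSerialNumber() {
                return x509.getSerialNumber();
            }

            @Override
            public String toString() {
                return x509.toString();
            }

            @Override
            public PublicKey getPublicKey() {
                return x509.getPublicKey();
            }

            @Override
            public Principal getIssuerDN() {
                return x509.getIssuerDN();
            }

            @Override
            public X500Principal getIssuerX500Principal() {
                return x509.getIssuerX500Principal();
            }

            @Override
            public Principal getSubjectDN() {
                return x509.getSubjectDN();
            }

            @Override
            public X500Principal getSubjectX500Principal() {
                return x509.getSubjectX500Principal();
            }

            @Override
            public Date getNotBefore() {
                return x509.getNotBefore();
            }

            @Override
            public Date getNotAfter() {
                return x509.getNotAfter();
            }

            @Override
            public byte[] getTBSCertificate() throws CertificateEncodingException {
                return x509.getTBSCertificate();
            }

            @Override
            public byte[] getSignature() {
                return x509.getSignature();
            }

            @Override
            public String getSigAlgName() {
                return x509.getSigAlgName();
            }

            @Override
            public String getSigAlgOID() {
                return x509.getSigAlgOID();
            }

            @Override
            public byte[] getSigAlgParams() {
                return x509.getSigAlgParams();
            }

            @Override
            public boolean[] getIssuerUniqueID() {
                return x509.getIssuerUniqueID();
            }

            @Override
            public boolean[] getSubjectUniqueID() {
                return x509.getSubjectUniqueID();
            }

            @Override
            public boolean[] getKeyUsage() {
                return x509.getKeyUsage();
            }

            @Override
            public List<String> getExtendedKeyUsage() throws CertificateParsingException {
                return x509.getExtendedKeyUsage();
            }

            @Override
            public int getBasicConstraints() {
                return x509.getBasicConstraints();
            }

            @Override
            public Collection<List<?>> getSubjectAlternativeNames() throws CertificateParsingException {
                return x509.getSubjectAlternativeNames();
            }

            @Override
            public Collection<List<?>> getIssuerAlternativeNames() throws CertificateParsingException {
                return x509.getIssuerAlternativeNames();
            }

            // --- The one deliberate deviation: validity-period checks ---

            /**
             * Delegates to the wrapped certificate unless
             * {@code ignoreTimestampCheckFailure} is set, in which case the
             * check is skipped and no exception is ever thrown.
             */
            @Override
            public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException {
                if (ignoreTimestampCheckFailure)
                    return;
                x509.checkValidity(date);
            }

            /**
             * Same bypass as {@link #checkValidity(Date)}, for the
             * "valid now" overload.
             */
            @Override
            public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
                if (ignoreTimestampCheckFailure)
                    return;
                x509.checkValidity();
            }
        };
    }
}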

Example 28 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project j2objc by google.

the class OCSPResponse method verify.

/**
 * Verifies this OCSP response against the certificates that were asked about.
 *
 * <p>Checks are applied in this order, and the first failure throws:
 * <ol>
 *   <li>the response status must be {@code SUCCESSFUL};</li>
 *   <li>every {@code CertId} from the request must have a {@code SingleResponse};</li>
 *   <li>if no signer cert is known yet, one is located by responder name or
 *       responder key identifier among the certs in {@code certs}, after
 *       {@code issuerCert} and {@code responderCert} have been added to it;</li>
 *   <li>the signer cert must be {@code issuerCert}, {@code responderCert}, or a
 *       responder certificate issued by {@code issuerCert} that carries the
 *       OCSP-signing extended key usage, passes the algorithm constraints,
 *       is valid at {@code date}, and whose own signature verifies with the
 *       issuer's public key;</li>
 *   <li>the response signature must verify with the signer cert's public key;</li>
 *   <li>when both the request and the response carry a nonce, they must match;</li>
 *   <li>each {@code SingleResponse}'s thisUpdate/nextUpdate interval, widened
 *       by {@code MAX_CLOCK_SKEW}, must contain the evaluation time.</li>
 * </ol>
 *
 * @param certIds       the CertIds that were sent in the OCSP request
 * @param issuerCert    the target certificate's issuing CA certificate; it is
 *                      dereferenced without a null check, so it must be non-null
 * @param responderCert a trusted responder certificate, or {@code null} if none is configured
 * @param date          the evaluation time, or {@code null} to use the current time
 * @param nonce         the nonce that was sent in the request, or {@code null} if none was sent
 * @throws CertPathValidatorException if any of the checks above fails; a
 *         {@code TRY_LATER} or {@code INTERNAL_ERROR} status is reported with
 *         {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
void verify(List<CertId> certIds, X509Certificate issuerCert, X509Certificate responderCert, Date date, byte[] nonce) throws CertPathValidatorException {
    // Only a SUCCESSFUL status carries single responses worth looking at.
    // TRY_LATER and INTERNAL_ERROR are reported with an explicit
    // UNDETERMINED_REVOCATION_STATUS reason; every other status is fatal.
    switch(responseStatus) {
        case SUCCESSFUL:
            break;
        case TRY_LATER:
        case INTERNAL_ERROR:
            throw new CertPathValidatorException("OCSP response error: " + responseStatus, null, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
        case UNAUTHORIZED:
        default:
            throw new CertPathValidatorException("OCSP response error: " + responseStatus);
    }
    // Every CertId that was supplied in the request must be answered by a
    // SingleResponse; a response that omits one is rejected.
    for (CertId certId : certIds) {
        SingleResponse sr = getSingleResponse(certId);
        if (sr == null) {
            if (debug != null) {
                debug.println("No response found for CertId: " + certId);
            }
            throw new CertPathValidatorException("OCSP response does not include a response for a " + "certificate supplied in the OCSP request");
        }
        if (debug != null) {
            debug.println("Status of certificate (with serial number " + certId.getSerialNumber() + ") is: " + sr.getCertStatus());
        }
    }
    // Locate the signer cert (only if it has not already been determined)
    if (signerCert == null) {
        // Add the issuing CA cert and the trusted responder cert (if any)
        // to the list of certs from the OCSP response, so they are
        // candidates for the responder-id lookup below.
        try {
            certs.add(X509CertImpl.toImpl(issuerCert));
            if (responderCert != null) {
                certs.add(X509CertImpl.toImpl(responderCert));
            }
        } catch (CertificateException ce) {
            throw new CertPathValidatorException("Invalid issuer or trusted responder certificate", ce);
        }
        if (responderName != null) {
            // byName responder id: first cert whose subject equals the responder name
            for (X509CertImpl cert : certs) {
                if (cert.getSubjectX500Principal().equals(responderName)) {
                    signerCert = cert;
                    break;
                }
            }
        } else if (responderKeyId != null) {
            // byKey responder id: first cert whose key identifier matches
            for (X509CertImpl cert : certs) {
                // Match responder's key identifier against the cert's SKID
                // This will match if the SKID is encoded using the 160-bit
                // SHA-1 hash method as defined in RFC 5280.
                KeyIdentifier certKeyId = cert.getSubjectKeyId();
                if (certKeyId != null && responderKeyId.equals(certKeyId)) {
                    signerCert = cert;
                    break;
                } else {
                    // No SKID, or it did not match: compare against a key
                    // identifier derived from the cert's public key using
                    // the 160-bit SHA-1 method.
                    try {
                        certKeyId = new KeyIdentifier(cert.getPublicKey());
                    } catch (IOException e) {
                    // ignore: certKeyId keeps its previous (null or
                    // non-matching) value, so the equals below fails for
                    // this cert and the loop moves on
                    }
                    if (responderKeyId.equals(certKeyId)) {
                        signerCert = cert;
                        break;
                    }
                }
            }
        }
    }
    // Check whether the signer cert returned by the responder is trusted.
    // Exactly one of the three trusted roles must apply; any other signer
    // is rejected outright.
    if (signerCert != null) {
        // Role 1: the response is signed by the issuing CA itself
        if (signerCert.equals(issuerCert)) {
            if (debug != null) {
                debug.println("OCSP response is signed by the target's " + "Issuing CA");
            }
        // Role 2: the response is signed by the configured trusted responder
        } else if (signerCert.equals(responderCert)) {
            if (debug != null) {
                debug.println("OCSP response is signed by a Trusted " + "Responder");
            }
        // Role 3: the response is signed by a responder whose cert was
        // issued by the issuing CA (an "authorized responder"); this cert
        // is not trusted a priori, so it is vetted below.
        } else if (signerCert.getIssuerX500Principal().equals(issuerCert.getSubjectX500Principal())) {
            // The responder cert must carry the OCSPSigning extended key
            // usage; a missing or unparseable EKU extension is a rejection.
            try {
                List<String> keyPurposes = signerCert.getExtendedKeyUsage();
                if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
                    throw new CertPathValidatorException("Responder's certificate not valid for signing " + "OCSP responses");
                }
            } catch (CertificateParsingException cpe) {
                // assume cert is not valid for signing
                throw new CertPathValidatorException("Responder's certificate not valid for signing " + "OCSP responses", cpe);
            }
            // Check algorithm constraints specified in security property
            // "jdk.certpath.disabledAlgorithms".
            AlgorithmChecker algChecker = new AlgorithmChecker(new TrustAnchor(issuerCert, null));
            algChecker.init(false);
            algChecker.check(signerCert, Collections.<String>emptySet());
            // The responder cert must be within its validity period at the
            // evaluation time (now, when date is null).
            try {
                if (date == null) {
                    signerCert.checkValidity();
                } else {
                    signerCert.checkValidity(date);
                }
            } catch (CertificateException e) {
                throw new CertPathValidatorException("Responder's certificate not within the " + "validity period", e);
            }
            // check for revocation
            // 
            // A CA may specify that an OCSP client can trust a
            // responder for the lifetime of the responder's
            // certificate. The CA does so by including the
            // extension id-pkix-ocsp-nocheck.
            // 
            Extension noCheck = signerCert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
            if (noCheck != null) {
                if (debug != null) {
                    debug.println("Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
                }
            } else {
            // Intentionally empty: the responder cert is NOT revocation-
            // checked here. We should do the revocation checking of the
            // authorized responder in a future update.
            }
            // The responder cert's own signature must verify with the
            // issuing CA's public key.
            try {
                signerCert.verify(issuerCert.getPublicKey());
                if (debug != null) {
                    debug.println("OCSP response is signed by an " + "Authorized Responder");
                }
            // cert is trusted, now verify the signed response
            } catch (GeneralSecurityException e) {
                // Signature failure: drop the signer so the "Unable to
                // verify" path below throws. Note that the cause e is not
                // propagated into that exception.
                signerCert = null;
            }
        } else {
            throw new CertPathValidatorException("Responder's certificate is not authorized to sign " + "OCSP responses");
        }
    }
    // Confirm that the response itself was signed with the public key of
    // the trusted signer cert.
    if (signerCert != null) {
        // Check algorithm constraints specified in security property
        // "jdk.certpath.disabledAlgorithms".
        AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId);
        if (!verifySignature(signerCert)) {
            throw new CertPathValidatorException("Error verifying OCSP Response's signature");
        }
    } else {
        // Need responder's cert in order to verify the signature
        throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
    }
    // If the request carried a nonce and the response echoed one, they must
    // match. A response that carries no nonce at all is accepted here, so
    // the nonce only protects against replay when the responder honours it.
    if (nonce != null) {
        if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
            throw new CertPathValidatorException("Nonces don't match");
        }
    }
    // Check freshness of OCSPResponse
    long now = (date == null) ? System.currentTimeMillis() : date.getTime();
    Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
    Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
    for (SingleResponse sr : singleResponseMap.values()) {
        if (debug != null) {
            String until = "";
            if (sr.nextUpdate != null) {
                until = " until " + sr.nextUpdate;
            }
            debug.println("Response's validity interval is from " + sr.thisUpdate + until);
        }
        // Check that the evaluation time is within the validity interval
        // [ thisUpdate - MAX_CLOCK_SKEW, nextUpdate + MAX_CLOCK_SKEW ].
        // Either bound is skipped when the corresponding field is null, so
        // a response without nextUpdate has no upper freshness limit here.
        if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) || (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) {
            throw new CertPathValidatorException("Response is unreliable: its validity " + "interval is out-of-date");
        }
    }
}

Example 29 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project j2objc by google.

the class CertificateParsingExceptionTest method testCertificateParsingException04.

/**
 * Test for <code>CertificateParsingException(Throwable)</code>
 * constructor. Assertion: passing a null <code>cause</code> yields an
 * exception with neither a detail message nor a cause.
 */
public void testCertificateParsingException04() {
    // Explicit cast selects the Throwable constructor (a bare null would be ambiguous)
    final CertificateParsingException ex = new CertificateParsingException((Throwable) null);
    assertNull("getMessage() must return null.", ex.getMessage());
    assertNull("getCause() must return null", ex.getCause());
}

Example 30 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project j2objc by google.

the class CertificateParsingExceptionTest method testCertificateParsingException01.

/**
 * Test for the no-arg <code>CertificateParsingException()</code> constructor.
 * Assertion: the resulting exception has neither a detail message nor a cause.
 */
public void testCertificateParsingException01() {
    final CertificateParsingException ex = new CertificateParsingException();
    final String message = ex.getMessage();
    final Throwable cause = ex.getCause();
    assertNull("getMessage() must return null.", message);
    assertNull("getCause() must return null", cause);
}
