use of com.github.zhenwei.core.asn1.ocsp.RevokedInfo in project jruby-openssl by jruby.
the class OCSPBasicResponse method add_status.
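/**
 * Ruby {@code add_status(certificate_id, status, reason, revocation_time, this_update,
 * next_update, extensions)}: appends one {@code SingleResponse} for the given certificate
 * to this basic response.
 *
 * <p>{@code status} selects the CertStatus CHOICE: 0 builds {@code good}, 1 builds
 * {@code revoked} (with {@code revocation_time} and {@code reason} wrapped in a RevokedInfo)
 * and 2 builds {@code unknown}. Any other value raises ArgumentError; it used to fall through
 * and produce a SingleResponse whose status was {@code null}.
 *
 * <p>{@code reason} is only consulted for status 1; {@code this_update} and
 * {@code next_update} accept whatever {@code rubyIntOrTimeToGenTime} accepts.
 *
 * @param context current thread context
 * @param args    exactly seven arguments in the order listed above
 * @return {@code self}, so calls can be chained
 * @throws RaiseException ArgumentError for a wrong argument count or an unknown status,
 *                        OCSPError if the single response cannot be DER-encoded
 */
@JRubyMethod(name = "add_status", rest = true)
public OCSPBasicResponse add_status(final ThreadContext context, IRubyObject[] args) {
    Ruby runtime = context.getRuntime();
    Arity.checkArgumentCount(runtime, args, 7, 7);
    IRubyObject certificateId = args[0];
    IRubyObject status = args[1];
    IRubyObject reason = args[2];
    IRubyObject revocation_time = args[3];
    IRubyObject this_update = args[4];
    IRubyObject next_update = args[5];
    IRubyObject extensions = args[6];

    int statusValue = RubyFixnum.fix2int((RubyFixnum) status);
    CertStatus certStatus;
    switch (statusValue) {
        case 0:
            certStatus = new CertStatus();
            break;
        case 1:
            ASN1GeneralizedTime revTime = rubyIntOrTimeToGenTime(revocation_time);
            RevokedInfo revokedInfo = new RevokedInfo(revTime, CRLReason.lookup(RubyFixnum.fix2int((RubyFixnum) reason)));
            certStatus = new CertStatus(revokedInfo);
            break;
        case 2:
            // CertStatus [2] unknown ::= NULL
            certStatus = new CertStatus(2, DERNull.INSTANCE);
            break;
        default:
            // Fail loudly rather than emitting a SingleResponse with a null CertStatus.
            throw runtime.newArgumentError("unknown certificate status: " + statusValue);
    }

    ASN1GeneralizedTime thisUpdate = rubyIntOrTimeToGenTime(this_update);
    ASN1GeneralizedTime nextUpdate = rubyIntOrTimeToGenTime(next_update);
    Extensions singleExtensions = convertRubyExtensions(extensions);
    CertID certID = ((OCSPCertificateId) certificateId).getCertID();
    SingleResponse ocspSingleResp = new SingleResponse(certID, certStatus, thisUpdate, nextUpdate, singleExtensions);

    // The Ruby-level object is initialised from the DER bytes, mirroring a parsed response.
    OCSPSingleResponse rubySingleResp = new OCSPSingleResponse(runtime);
    try {
        rubySingleResp.initialize(context, RubyString.newString(runtime, ocspSingleResp.getEncoded()));
        singleResponses.add(rubySingleResp);
    } catch (IOException e) {
        throw newOCSPError(runtime, e);
    }
    return this;
}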
use of com.github.zhenwei.core.asn1.ocsp.RevokedInfo in project LinLong-Java by zhenwei1108.
the class ProvOcspRevocationChecker method check.
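/**
 * Checks {@code certificate} for revocation via OCSP.
 *
 * <p>The response comes from the parent's pre-supplied response map when it holds an entry
 * for this certificate; otherwise one is fetched through {@link OcspCache} from the responder
 * URI (the parent's, then {@code ocspURL}, then the certificate's own responder URI), but only
 * if a URL was configured explicitly or {@code isEnabledOCSP} is set.
 *
 * <p>A pre-supplied response is verified by {@code validatedOcspResponse}, using the nonce
 * found in the parent's OCSP extensions (if any). A response obtained through the cache is
 * marked {@code preValidated} and is not re-verified here.
 * NOTE(review): that relies on OcspCache having verified it — confirm.
 *
 * <p>The method returns normally only when a verified single response whose CertID matches
 * this certificate reports {@code good}. Every other outcome throws: revoked or unknown
 * status, an expired {@code nextUpdate}, a response that fails verification, a non-basic
 * response type, a response that does not cover this certificate, or no response at all.
 * {@code thisUpdate} is not checked here.
 *
 * @param certificate the certificate to check; must be an {@link X509Certificate}
 * @throws CertPathValidatorException when the certificate is revoked or the response is
 *         unusable; the "no response" and "not covered" cases throw
 *         {@code RecoverableCertPathValidatorException} so the caller may fall back to
 *         another revocation source (presumably a subtype — TODO confirm)
 */
public void check(Certificate certificate) throws CertPathValidatorException {
    X509Certificate cert = (X509Certificate) certificate;
    Map<X509Certificate, byte[]> ocspResponses = parent.getOcspResponses();

    // Responder lookup order: parent setting, then the configured URL, then the certificate.
    URI ocspUri = parent.getOcspResponder();
    if (ocspUri == null) {
        if (this.ocspURL != null) {
            try {
                ocspUri = new URI(this.ocspURL);
            } catch (URISyntaxException e) {
                throw new CertPathValidatorException("configuration error: " + e.getMessage(), e, parameters.getCertPath(), parameters.getIndex());
            }
        } else {
            ocspUri = getOcspResponderURI(cert);
        }
    }

    byte[] nonce = null;
    boolean preValidated = false;
    if (ocspResponses.get(cert) == null && ocspUri != null) {
        // if we're here we need to make a network access, if we haven't been given a URL explicitly block it.
        if (ocspURL == null && parent.getOcspResponder() == null && !isEnabledOCSP) {
            throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, parameters.getCertPath(), parameters.getIndex());
        }
        com.github.zhenwei.core.asn1.x509.Certificate issuer = extractCert();
        // TODO: configure hash algorithm
        CertID id = createCertID(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1), issuer, new ASN1Integer(cert.getSerialNumber()));
        OCSPResponse response = OcspCache.getOcspResponse(id, parameters, ocspUri, parent.getOcspResponderCert(), parent.getOcspExtensions(), helper);
        try {
            ocspResponses.put(cert, response.getEncoded());
            preValidated = true;
        } catch (IOException e) {
            throw new CertPathValidatorException("unable to encode OCSP response", e, parameters.getCertPath(), parameters.getIndex());
        }
    } else {
        // Pre-supplied response: pick up the nonce we expect it to echo back, if one was sent.
        List exts = parent.getOcspExtensions();
        for (int i = 0; i != exts.size(); i++) {
            Extension ext = (Extension) exts.get(i);
            byte[] value = ext.getValue();
            if (OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId().equals(ext.getId())) {
                nonce = value;
            }
        }
    }

    if (ocspResponses.isEmpty()) {
        throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, parameters.getCertPath(), parameters.getIndex());
    }
    OCSPResponse ocspResponse = OCSPResponse.getInstance(ocspResponses.get(cert));
    if (ocspResponse == null) {
        // TODO: add checking for the OCSP extension (properly vetted)
        throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, parameters.getCertPath(), parameters.getIndex());
    }
    if (OCSPResponseStatus.SUCCESSFUL != ocspResponse.getResponseStatus().getIntValue()) {
        throw new CertPathValidatorException("OCSP response failed: " + ocspResponse.getResponseStatus().getValue(), null, parameters.getCertPath(), parameters.getIndex());
    }
    ResponseBytes respBytes = ResponseBytes.getInstance(ocspResponse.getResponseBytes());
    if (!respBytes.getResponseType().equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) {
        // Previously a non-basic response type fell through and the check passed silently.
        throw new RecoverableCertPathValidatorException("unsupported OCSP response type: " + respBytes.getResponseType(), null, parameters.getCertPath(), parameters.getIndex());
    }

    ASN1Integer serialNumber = new ASN1Integer(cert.getSerialNumber());
    try {
        BasicOCSPResponse basicResp = BasicOCSPResponse.getInstance(respBytes.getResponse().getOctets());
        if (!preValidated && !validatedOcspResponse(basicResp, parameters, nonce, parent.getOcspResponderCert(), helper)) {
            // Fail closed: a response we could not verify must never count as "not revoked".
            throw new CertPathValidatorException("OCSP response validation failed", null, parameters.getCertPath(), parameters.getIndex());
        }
        ResponseData responseData = ResponseData.getInstance(basicResp.getTbsResponseData());
        ASN1Sequence s = responseData.getResponses();
        CertID certID = null;
        for (int i = 0; i != s.size(); i++) {
            SingleResponse resp = SingleResponse.getInstance(s.getObjectAt(i));
            if (!serialNumber.equals(resp.getCertID().getSerialNumber())) {
                continue;
            }
            ASN1GeneralizedTime nextUp = resp.getNextUpdate();
            if (nextUp != null && parameters.getValidDate().after(nextUp.getDate())) {
                throw new ExtCertPathValidatorException("OCSP response expired");
            }
            // Rebuild our own CertID with the responder's hash algorithm so the comparison is
            // apples to apples; cached across single responses that share an algorithm.
            if (certID == null || !certID.getHashAlgorithm().equals(resp.getCertID().getHashAlgorithm())) {
                com.github.zhenwei.core.asn1.x509.Certificate issuer = extractCert();
                certID = createCertID(resp.getCertID(), issuer, serialNumber);
            }
            if (!certID.equals(resp.getCertID())) {
                continue;
            }
            int statusTag = resp.getCertStatus().getTagNo();
            if (statusTag == 0) {
                // we're good!
                return;
            }
            if (statusTag == 1) {
                RevokedInfo info = RevokedInfo.getInstance(resp.getCertStatus().getStatus());
                CRLReason reason = info.getRevocationReason();
                throw new CertPathValidatorException("certificate revoked, reason=(" + reason + "), date=" + info.getRevocationTime().getDate(), null, parameters.getCertPath(), parameters.getIndex());
            }
            throw new CertPathValidatorException("certificate revoked, details unknown", null, parameters.getCertPath(), parameters.getIndex());
        }
    } catch (CertPathValidatorException e) {
        throw e;
    } catch (Exception e) {
        throw new CertPathValidatorException("unable to process OCSP response", e, parameters.getCertPath(), parameters.getIndex());
    }
    // Reached only when no single response matched this certificate's CertID; previously
    // this fell through and the check passed silently.
    throw new RecoverableCertPathValidatorException("no OCSP status found for certificate", null, parameters.getCertPath(), parameters.getIndex());
}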
use of com.github.zhenwei.core.asn1.ocsp.RevokedInfo in project jruby-openssl by jruby.
the class OCSPSingleResponse method revocation_time.
/**
 * Ruby {@code revocation_time}: the revocationTime of this single response as a Ruby Time,
 * or {@code nil} unless the CertStatus tag equals {@code OCSP::V_CERTSTATUS_REVOKED}.
 *
 * <p>The status payload is DER-encoded and parsed back so that {@code RevokedInfo.getInstance}
 * receives a primitive; any failure on that path (I/O or date parsing) surfaces as OCSPError.
 */
@JRubyMethod(name = "revocation_time")
public IRubyObject revocation_time() {
    final Ruby runtime = getRuntime();
    final RubyFixnum revokedTag = (RubyFixnum) _OCSP(runtime).getConstant("V_CERTSTATUS_REVOKED");
    if (bcSingleResponse.getCertStatus().getTagNo() != (int) revokedTag.getLongValue()) {
        return runtime.getNil();
    }
    try {
        byte[] statusDer = bcSingleResponse.getCertStatus().getStatus().toASN1Primitive().getEncoded();
        RevokedInfo info = RevokedInfo.getInstance(DERTaggedObject.fromByteArray(statusDer));
        long revokedAtMillis = info.getRevocationTime().getDate().getTime();
        return RubyTime.newTime(runtime, revokedAtMillis);
    } catch (Exception e) {
        throw newOCSPError(runtime, e);
    }
}
use of com.github.zhenwei.core.asn1.ocsp.RevokedInfo in project jruby-openssl by jruby.
the class OCSPSingleResponse method revocation_reason.
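/**
 * Ruby {@code revocation_reason}: the CRLReason code of this single response as an Integer,
 * or {@code nil} unless the CertStatus tag equals {@code OCSP::V_CERTSTATUS_REVOKED}.
 *
 * <p>RevokedInfo.revocationReason is OPTIONAL in the ASN.1 definition, so a revoked status
 * may carry no reason; that case now also yields {@code nil} instead of failing with a
 * NullPointerException. NOTE(review): CRuby's openssl may report a sentinel value for an
 * absent reason rather than nil — confirm before relying on parity.
 *
 * @throws RaiseException OCSPError when the status payload cannot be re-encoded or parsed
 */
@JRubyMethod(name = "revocation_reason")
public IRubyObject revocation_reason() {
    Ruby runtime = getRuntime();
    RubyFixnum revoked = (RubyFixnum) _OCSP(runtime).getConstant("V_CERTSTATUS_REVOKED");
    if (bcSingleResponse.getCertStatus().getTagNo() != (int) revoked.getLongValue()) {
        return runtime.getNil();
    }
    try {
        // Round-trip through DER so RevokedInfo.getInstance receives a primitive.
        RevokedInfo revokedInfo = RevokedInfo.getInstance(DERTaggedObject.fromByteArray(bcSingleResponse.getCertStatus().getStatus().toASN1Primitive().getEncoded()));
        if (revokedInfo.getRevocationReason() == null) {
            // revocationReason [0] EXPLICIT CRLReason OPTIONAL — absent in this response.
            return runtime.getNil();
        }
        return RubyFixnum.newFixnum(runtime, revokedInfo.getRevocationReason().getValue().intValue());
    } catch (IOException e) {
        throw newOCSPError(runtime, e);
    }
}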
use of com.github.zhenwei.core.asn1.ocsp.RevokedInfo in project LinLong-Java by zhenwei1108.
the class RevokedInfo method toASN1Primitive.
/**
 * Produce an object suitable for an ASN1OutputStream.
 * <pre>
 * RevokedInfo ::= SEQUENCE {
 *   revocationTime      GeneralizedTime,
 *   revocationReason    [0] EXPLICIT CRLReason OPTIONAL }
 * </pre>
 *
 * @return the DER SEQUENCE; the tagged reason element is present only when a reason was set
 */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector elements = new ASN1EncodableVector(2);
    elements.add(revocationTime);
    // revocationReason is OPTIONAL: omit the [0] EXPLICIT wrapper entirely when unset.
    if (revocationReason == null) {
        return new DERSequence(elements);
    }
    elements.add(new DERTaggedObject(true, 0, revocationReason));
    return new DERSequence(elements);
}