Example 1 with PKIXCertRevocationCheckerParameters
use of com.github.zhenwei.provider.jcajce.PKIXCertRevocationCheckerParameters in project LinLong-Java by zhenwei1108.
the class RFC3280CertPathUtilities method processCertA.
protected static void processCertA(CertPath certPath, PKIXExtendedParameters paramsPKIX, Date validityDate, PKIXCertRevocationChecker revocationChecker, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Name workingIssuerName, X509Certificate sign) throws CertPathValidatorException {
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate) certs.get(index);
//
if (!verificationAlreadyPerformed) {
try {
// (a) (1)
//
CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey, paramsPKIX.getSigProvider());
} catch (GeneralSecurityException e) {
throw new ExtCertPathValidatorException("Could not validate certificate signature.", e, certPath, index);
}
}
final Date validCertDate;
try {
validCertDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(validityDate, paramsPKIX.getValidityModel(), certPath, index);
} catch (AnnotatedException e) {
throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
}
//
try {
cert.checkValidity(validCertDate);
} catch (CertificateExpiredException e) {
throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
} catch (CertificateNotYetValidException e) {
throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
}
//
if (revocationChecker != null) {
revocationChecker.initialize(new PKIXCertRevocationCheckerParameters(paramsPKIX, validCertDate, certPath, index, sign, workingPublicKey));
revocationChecker.check(cert);
}
//
// (a) (4) name chaining
//
X500Name issuer = PrincipalUtils.getIssuerPrincipal(cert);
if (!issuer.equals(workingIssuerName)) {
throw new ExtCertPathValidatorException("IssuerName(" + issuer + ") does not match SubjectName(" + workingIssuerName + ") of signing certificate.", null, certPath, index);
}
}
Also used :
PKIXCertRevocationCheckerParameters(com.github.zhenwei.provider.jcajce.PKIXCertRevocationCheckerParameters)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
List(java.util.List)
ArrayList(java.util.ArrayList)
X500Name(com.github.zhenwei.core.asn1.x500.X500Name)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
Example 2 with PKIXCertRevocationCheckerParameters
use of com.github.zhenwei.provider.jcajce.PKIXCertRevocationCheckerParameters in project LinLong-Java by zhenwei1108.
the class RFC3281CertPathUtilities method checkCRL.
/**
* Checks a distribution point for revocation information for the certificate
* <code>attrCert</code>.
*
* @param dp The distribution point to consider.
* @param attrCert The attribute certificate which should be checked.
* @param paramsPKIX PKIX parameters.
* @param validDate The date when the certificate revocation status should be checked.
* @param issuerCert Certificate to check if it is revoked.
* @param reasonMask The reasons mask which is already checked.
* @param certPathCerts The certificates of the certification path to be checked.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked or
* some error occurs.
*/
private static void checkCRL(DistributionPoint dp, X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts, JcaJceHelper helper) throws AnnotatedException, RecoverableCertPathValidatorException {
/*
* 4.3.6 No Revocation Available
*
* The noRevAvail extension, defined in [X.509-2000], allows an AC
* issuer to indicate that no revocation information will be made
* available for this AC.
*/
if (attrCert.getExtensionValue(X509Extensions.NoRevAvail.getId()) != null) {
return;
}
if (validityDate.getTime() > currentDate.getTime()) {
throw new AnnotatedException("Validation time is in future.");
}
// (a)
/*
* We always get timely valid CRLs, so there is no step (a) (1).
* "locally cached" CRLs are assumed to be in getStore(), additional
* CRLs must be enabled in the PKIXExtendedParameters and are in
* getAdditionalStore()
*/
PKIXCertRevocationCheckerParameters params = new PKIXCertRevocationCheckerParameters(paramsPKIX, validityDate, null, -1, issuerCert, null);
Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, attrCert, paramsPKIX, validityDate);
boolean validCrlFound = false;
AnnotatedException lastException = null;
Iterator crl_iter = crls.iterator();
while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
try {
X509CRL crl = (X509CRL) crl_iter.next();
// (d)
ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
/*
* The reasons mask is updated at the end, so only valid CRLs
* can update it. If this CRL does not contain new reasons it
* must be ignored.
*/
if (!interimReasonsMask.hasNewReasons(reasonMask)) {
continue;
}
// (f)
Set keys = RFC3280CertPathUtilities.processCRLF(crl, attrCert, null, null, paramsPKIX, certPathCerts, helper);
// (g)
PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
X509CRL deltaCRL = null;
if (paramsPKIX.isUseDeltasEnabled()) {
// get delta CRLs
Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, crl, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores(), helper);
// we only want one valid delta CRL
// (h)
deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
}
if (paramsPKIX.getValidityModel() != PKIXExtendedParameters.CHAIN_VALIDITY_MODEL) {
/*
* if a certificate has expired, but was revoked, it is not
* more in the CRL, so it would be regarded as valid if the
* first check is not done
*/
if (attrCert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
throw new AnnotatedException("No valid CRL for current time found.");
}
}
RFC3280CertPathUtilities.processCRLB1(dp, attrCert, crl);
// (b) (2)
RFC3280CertPathUtilities.processCRLB2(dp, attrCert, crl);
// (c)
RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
// (i)
RFC3280CertPathUtilities.processCRLI(validityDate, deltaCRL, attrCert, certStatus, paramsPKIX);
// (j)
RFC3280CertPathUtilities.processCRLJ(validityDate, crl, attrCert, certStatus);
// (k)
if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
certStatus.setCertStatus(CertStatus.UNREVOKED);
}
// update reasons mask
reasonMask.addReasons(interimReasonsMask);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
throw lastException;
}
}
Also used :
PKIXCertRevocationCheckerParameters(com.github.zhenwei.provider.jcajce.PKIXCertRevocationCheckerParameters)
LinkedHashSet(java.util.LinkedHashSet)
Set(java.util.Set)
X509CRL(java.security.cert.X509CRL)
PublicKey(java.security.PublicKey)
Iterator(java.util.Iterator)
Aggregations
PKIXCertRevocationCheckerParameters (com.github.zhenwei.provider.jcajce.PKIXCertRevocationCheckerParameters)2
X500Name (com.github.zhenwei.core.asn1.x500.X500Name)1
ExtCertPathValidatorException (com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException)1
GeneralSecurityException (java.security.GeneralSecurityException)1
PublicKey (java.security.PublicKey)1
CertificateExpiredException (java.security.cert.CertificateExpiredException)1
CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)1
X509CRL (java.security.cert.X509CRL)1
X509Certificate (java.security.cert.X509Certificate)1
ArrayList (java.util.ArrayList)1
Date (java.util.Date)1
Iterator (java.util.Iterator)1
LinkedHashSet (java.util.LinkedHashSet)1
List (java.util.List)1
Set (java.util.Set)1
