Search in sources :

Example 1 with ValidationStatus

use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.

the class GenericCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.APP, ValidationStatus.CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        try {
            log.debug("Validity status is valid for '" + subjectX500Principal + "'");
            certificate.checkValidity(validationDate);
            status.setValidity(ValidationStatus.CertificateValidity.VALID);
        } catch (CertificateExpiredException ex) {
            log.debug("Validity status is expied for '" + subjectX500Principal + "'");
        } catch (CertificateNotYetValidException ex) {
            log.warn("Validity status is not yet valid for '" + subjectX500Principal + "'");
        }
    } catch (Exception ex) {
        log.error("CRL exception: ", ex);
    }
    return status;
}
Also used : ValidationStatus(io.jans.as.common.cert.validation.model.ValidationStatus) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) X509Certificate(java.security.cert.X509Certificate) Principal(java.security.Principal) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException)

Example 2 with ValidationStatus

use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.

the class CRLCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.CRL, ValidationStatus.CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        String crlURL = getCrlUri(certificate);
        if (crlURL == null) {
            log.error("CRL's URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'");
        X509CRL x509crl = getCrl(crlURL);
        if (!validateCRL(x509crl, certificate, issuer, validationDate)) {
            log.error("The CRL is not valid!");
            status.setValidity(ValidationStatus.CertificateValidity.INVALID);
            return status;
        }
        X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber());
        if (crlEntry == null) {
            log.debug("CRL status is valid for '" + subjectX500Principal + "'");
            status.setValidity(ValidationStatus.CertificateValidity.VALID);
        } else if (crlEntry.getRevocationDate().after(validationDate)) {
            log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setValidity(ValidationStatus.CertificateValidity.VALID);
        } else {
            log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate());
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setRevocationDate(crlEntry.getRevocationDate());
            status.setValidity(ValidationStatus.CertificateValidity.REVOKED);
        }
    } catch (Exception ex) {
        log.error("CRL exception: ", ex);
    }
    return status;
}
Also used : ValidationStatus(io.jans.as.common.cert.validation.model.ValidationStatus) X509CRLEntry(java.security.cert.X509CRLEntry) X509CRL(java.security.cert.X509CRL) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) X509Certificate(java.security.cert.X509Certificate) Principal(java.security.Principal) NoSuchParserException(org.bouncycastle.x509.NoSuchParserException) StreamParsingException(org.bouncycastle.x509.util.StreamParsingException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) ExecutionException(java.util.concurrent.ExecutionException) CRLException(java.security.cert.CRLException) NoSuchProviderException(java.security.NoSuchProviderException)

Example 3 with ValidationStatus

use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.

the class OCSPCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.OCSP, ValidationStatus.CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        String ocspUrl = getOCSPUrl(certificate);
        if (ocspUrl == null) {
            log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
        DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
        // Generate OCSP request
        OCSPReq ocspReq = generateOCSPRequest(certificateId);
        // Get OCSP response from server
        OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
        if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            log.error("OCSP response is invalid!");
            status.setValidity(ValidationStatus.CertificateValidity.INVALID);
            return status;
        }
        boolean foundResponse = false;
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
        SingleResp[] singleResps = basicOCSPResp.getResponses();
        for (SingleResp singleResp : singleResps) {
            CertificateID responseCertificateId = singleResp.getCertID();
            if (!certificateId.equals(responseCertificateId)) {
                continue;
            }
            foundResponse = true;
            log.debug("OCSP validationDate: " + validationDate);
            log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
            log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
            status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
            Object certStatus = singleResp.getCertStatus();
            if (certStatus == CertificateStatus.GOOD) {
                log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
                status.setValidity(ValidationStatus.CertificateValidity.VALID);
            } else {
                if (singleResp.getCertStatus() instanceof RevokedStatus) {
                    log.warn("OCSP status is revoked for: " + subjectX500Principal);
                    if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
                        log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
                        status.setValidity(ValidationStatus.CertificateValidity.VALID);
                    } else {
                        Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
                        log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
                        status.setRevocationDate(revocationDate);
                        status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
                        status.setValidity(ValidationStatus.CertificateValidity.REVOKED);
                    }
                }
            }
        }
        if (!foundResponse) {
            log.error("There is no matching OCSP response entries");
        }
    } catch (Exception ex) {
        log.error("OCSP exception: ", ex);
    }
    return status;
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) IOException(java.io.IOException) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) ValidationStatus(io.jans.as.common.cert.validation.model.ValidationStatus) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) Principal(java.security.Principal)

Example 4 with ValidationStatus

use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.

the class PathCertificateVerifier method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.CHAIN, ValidationStatus.CertificateValidity.UNKNOWN);
    try {
        ArrayList<X509Certificate> chains = new ArrayList<>();
        chains.add(certificate);
        chains.addAll(issuers);
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        PKIXCertPathBuilderResult certPathResult = verifyCertificate(certificate, chains);
        if (certPathResult == null) {
            log.warn("Chain status is not valid for '" + subjectX500Principal + "'");
            status.setValidity(ValidationStatus.CertificateValidity.INVALID);
            return status;
        }
        log.debug("Chain status is valid for '" + subjectX500Principal + "'");
        status.setValidity(ValidationStatus.CertificateValidity.VALID);
    } catch (Exception ex) {
        log.error("OCSP exception: ", ex);
    }
    return status;
}
Also used : ValidationStatus(io.jans.as.common.cert.validation.model.ValidationStatus) PKIXCertPathBuilderResult(java.security.cert.PKIXCertPathBuilderResult) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) Principal(java.security.Principal) GeneralSecurityException(java.security.GeneralSecurityException) SignatureException(java.security.SignatureException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) NoSuchProviderException(java.security.NoSuchProviderException)

Aggregations

ValidationStatus (io.jans.as.common.cert.validation.model.ValidationStatus)4 Principal (java.security.Principal)4 X509Certificate (java.security.cert.X509Certificate)4 IOException (java.io.IOException)2 NoSuchProviderException (java.security.NoSuchProviderException)2 CertificateException (java.security.cert.CertificateException)2 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)2 DERIA5String (org.bouncycastle.asn1.DERIA5String)2 GeneralSecurityException (java.security.GeneralSecurityException)1 InvalidKeyException (java.security.InvalidKeyException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 SignatureException (java.security.SignatureException)1 CRLException (java.security.cert.CRLException)1 CertificateExpiredException (java.security.cert.CertificateExpiredException)1 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)1 PKIXCertPathBuilderResult (java.security.cert.PKIXCertPathBuilderResult)1 X509CRL (java.security.cert.X509CRL)1 X509CRLEntry (java.security.cert.X509CRLEntry)1 ArrayList (java.util.ArrayList)1 Date (java.util.Date)1