use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.
the class GenericCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.APP, ValidationStatus.CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
try {
log.debug("Validity status is valid for '" + subjectX500Principal + "'");
certificate.checkValidity(validationDate);
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} catch (CertificateExpiredException ex) {
log.debug("Validity status is expied for '" + subjectX500Principal + "'");
} catch (CertificateNotYetValidException ex) {
log.warn("Validity status is not yet valid for '" + subjectX500Principal + "'");
}
} catch (Exception ex) {
log.error("CRL exception: ", ex);
}
return status;
}
use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.
the class CRLCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.CRL, ValidationStatus.CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
String crlURL = getCrlUri(certificate);
if (crlURL == null) {
log.error("CRL's URL for '" + subjectX500Principal + "' is empty");
return status;
}
log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'");
X509CRL x509crl = getCrl(crlURL);
if (!validateCRL(x509crl, certificate, issuer, validationDate)) {
log.error("The CRL is not valid!");
status.setValidity(ValidationStatus.CertificateValidity.INVALID);
return status;
}
X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber());
if (crlEntry == null) {
log.debug("CRL status is valid for '" + subjectX500Principal + "'");
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} else if (crlEntry.getRevocationDate().after(validationDate)) {
log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} else {
log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate());
status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
status.setRevocationDate(crlEntry.getRevocationDate());
status.setValidity(ValidationStatus.CertificateValidity.REVOKED);
}
} catch (Exception ex) {
log.error("CRL exception: ", ex);
}
return status;
}
use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.
the class OCSPCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.OCSP, ValidationStatus.CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
String ocspUrl = getOCSPUrl(certificate);
if (ocspUrl == null) {
log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
return status;
}
log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
// Generate OCSP request
OCSPReq ocspReq = generateOCSPRequest(certificateId);
// Get OCSP response from server
OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
log.error("OCSP response is invalid!");
status.setValidity(ValidationStatus.CertificateValidity.INVALID);
return status;
}
boolean foundResponse = false;
BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
SingleResp[] singleResps = basicOCSPResp.getResponses();
for (SingleResp singleResp : singleResps) {
CertificateID responseCertificateId = singleResp.getCertID();
if (!certificateId.equals(responseCertificateId)) {
continue;
}
foundResponse = true;
log.debug("OCSP validationDate: " + validationDate);
log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
Object certStatus = singleResp.getCertStatus();
if (certStatus == CertificateStatus.GOOD) {
log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} else {
if (singleResp.getCertStatus() instanceof RevokedStatus) {
log.warn("OCSP status is revoked for: " + subjectX500Principal);
if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} else {
Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
status.setRevocationDate(revocationDate);
status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
status.setValidity(ValidationStatus.CertificateValidity.REVOKED);
}
}
}
}
if (!foundResponse) {
log.error("There is no matching OCSP response entries");
}
} catch (Exception ex) {
log.error("OCSP exception: ", ex);
}
return status;
}
use of io.jans.as.common.cert.validation.model.ValidationStatus in project jans by JanssenProject.
the class PathCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidationStatus.ValidatorSourceType.CHAIN, ValidationStatus.CertificateValidity.UNKNOWN);
try {
ArrayList<X509Certificate> chains = new ArrayList<>();
chains.add(certificate);
chains.addAll(issuers);
Principal subjectX500Principal = certificate.getSubjectX500Principal();
PKIXCertPathBuilderResult certPathResult = verifyCertificate(certificate, chains);
if (certPathResult == null) {
log.warn("Chain status is not valid for '" + subjectX500Principal + "'");
status.setValidity(ValidationStatus.CertificateValidity.INVALID);
return status;
}
log.debug("Chain status is valid for '" + subjectX500Principal + "'");
status.setValidity(ValidationStatus.CertificateValidity.VALID);
} catch (Exception ex) {
log.error("OCSP exception: ", ex);
}
return status;
}
Aggregations