Example 1 with CertificateRevokedException

use of java.security.cert.CertificateRevokedException in project Spark by igniterealtime.

the class SparkTrustManager method validatePath.

/**
 * Validate certificate path
 *
 * @throws NoSuchAlgorithmException
 * @throws KeyStoreException
 * @throws InvalidAlgorithmParameterException
 * @throws CertPathValidatorException
 * @throws CertPathBuilderException
 * @throws CertificateException
 */
private void validatePath(X509Certificate[] chain) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertPathValidatorException, CertPathBuilderException, CertificateException {
    // PKIX path validation algorithm (RFC 3280, superseded by RFC 5280)
    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
    CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
    X509CertSelector certSelector = new X509CertSelector();
    // the selector names the builder's target certificate: the last certificate of the presented
    // chain (often the root CA). No CertStores are added, so a path can only be built if that
    // certificate chains to a trust anchor held in allStore
    certSelector.setCertificate(chain[chain.length - 1]);
    // time validity is not checked here; checkDateValidity(X509Certificate[] chain) already did it
    certSelector.setCertificateValid(null);
    // trust anchors come from allStore, the target from certSelector
    PKIXBuilderParameters parameters = new PKIXBuilderParameters(allStore, certSelector);
    // disable the default revocation checker; a PKIXRevocationChecker with explicit options is
    // added below instead (or nothing at all when revocation checking is disabled)
    parameters.setRevocationEnabled(false);
    // unless revoked certificates are explicitly accepted, add a revocation checker
    if (!acceptRevoked) {
        // OCSP checking is done according to Java PKI Programmer's Guide, PKIXRevocationChecker was added in Java 8:
        // https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html#PKIXRevocationChecker
        PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> checkerOptions = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        // with soft fail, a revocation status that cannot be determined (e.g. network issues) is not an error
        if (allowSoftFail) {
            checkerOptions.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        if (checkOCSP && checkCRL) {
            // default behaviour: OCSP first, CRL as fallback
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (!checkOCSP && checkCRL) {
            // CRL only: if CRL checking fails there is no fallback to OCSP
            checkerOptions.add(PKIXRevocationChecker.Option.PREFER_CRLS);
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        } else if (checkOCSP) {
            // OCSP only: no fallback to CRLs
            checkerOptions.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            checker.setOptions(checkerOptions);
            parameters.addCertPathChecker(checker);
        }
    }
    try {
        CertPathBuilderResult pathResult = certPathBuilder.build(parameters);
        CertPath certPath = pathResult.getCertPath();
        PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, parameters);
        X509Certificate trustedCert = validationResult.getTrustAnchor().getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("certificate path failed: Trusted CA is NULL");
        }
        // check BasicConstraints on every certificate except the last one (root CA)
        for (int i = 0; i < chain.length - 1; i++) {
            checkBasicConstraints(chain[i]);
        }
    } catch (CertPathValidatorException e) {
        // the PKIX revocation checker does not throw CertificateRevokedException directly: it is the
        // cause of a CertPathValidatorException whose reason is REVOKED, so that is what must be caught.
        // Any other validation failure is propagated unchanged
        if (e.getReason() != CertPathValidatorException.BasicReason.REVOKED) {
            throw e;
        }
        String detail = "";
        if (e.getCause() instanceof CertificateRevokedException) {
            CertificateRevokedException revoked = (CertificateRevokedException) e.getCause();
            detail = " by " + revoked.getAuthorityName() + " on " + revoked.getRevocationDate()
                    + ", reason: " + revoked.getRevocationReason();
        }
        Log.warning("Certificate was revoked" + detail, e);
        // move every certificate of the chain that a known CRL lists as revoked to the blacklist
        for (X509Certificate cert : chain) {
            for (X509CRL crl : crlCollection) {
                if (crl.isRevoked(cert)) {
                    try {
                        addToBlackList(cert);
                    } catch (IOException | HeadlessException | InvalidNameException e1) {
                        Log.error("Couldn't move to the blacklist", e1);
                    }
                    break;
                }
            }
        }
        throw new CertificateException("Certificate was revoked", e);
    }
}
Also used : X509CRL(java.security.cert.X509CRL) PKIXBuilderParameters(java.security.cert.PKIXBuilderParameters) CertificateRevokedException(java.security.cert.CertificateRevokedException) CertPathBuilderResult(java.security.cert.CertPathBuilderResult) X509CertSelector(java.security.cert.X509CertSelector) CertificateException(java.security.cert.CertificateException) X509Certificate(java.security.cert.X509Certificate) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) CertPathValidator(java.security.cert.CertPathValidator) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) CertPathBuilder(java.security.cert.CertPathBuilder) CertPath(java.security.cert.CertPath)

Example 2 with CertificateRevokedException

use of java.security.cert.CertificateRevokedException in project j2objc by google.

the class CertificateRevocationExceptionTest method getTestException.

private CertificateRevokedException getTestException() {
    HashMap<String, Extension> extensions = new HashMap<String, Extension>();
    // REASON_CODE
    extensions.put("2.5.29.21", getReasonExtension());
    extensions.put("2.5.29.24", getInvalidityExtension());
    return new CertificateRevokedException(new Date(1199226851000L), CRLReason.CESSATION_OF_OPERATION, new X500Principal("CN=test1"), extensions);
}
Also used : Extension(java.security.cert.Extension) HashMap(java.util.HashMap) CertificateRevokedException(java.security.cert.CertificateRevokedException) X500Principal(javax.security.auth.x500.X500Principal) Date(java.util.Date)

Example 3 with CertificateRevokedException

use of java.security.cert.CertificateRevokedException in project j2objc by google.

the class CertificateRevocationExceptionTest method testGetInvalidityDate.

public void testGetInvalidityDate() throws Exception {
    CertificateRevokedException exception = getTestException();
    Date firstDate = exception.getInvalidityDate();
    assertNotSame(firstDate, exception.getInvalidityDate());
    firstDate.setYear(firstDate.getYear() + 1);
    assertTrue(firstDate.compareTo(exception.getInvalidityDate()) > 0);
}
Also used : CertificateRevokedException(java.security.cert.CertificateRevokedException) Date(java.util.Date)

Example 4 with CertificateRevokedException

use of java.security.cert.CertificateRevokedException in project j2objc by google.

the class CertificateRevocationExceptionTest method testGetAuthorityName.

public void testGetAuthorityName() throws Exception {
    CertificateRevokedException exception = getTestException();
    assertEquals(new X500Principal("CN=test1"), exception.getAuthorityName());
}
Also used : CertificateRevokedException(java.security.cert.CertificateRevokedException) X500Principal(javax.security.auth.x500.X500Principal)

Example 5 with CertificateRevokedException

use of java.security.cert.CertificateRevokedException in project j2objc by google.

the class CertificateRevocationExceptionTest method testGetExtensions.

public void testGetExtensions() throws Exception {
    CertificateRevokedException original = getTestException();
    Map<String, Extension> extensions = original.getExtensions();
    assertNotSame(extensions, original.getExtensions());
    try {
        extensions.put("2.2.2.2", getReasonExtension());
        fail();
    } catch (UnsupportedOperationException expected) {
    }
}
Also used : Extension(java.security.cert.Extension) CertificateRevokedException(java.security.cert.CertificateRevokedException)
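The following is an added example, not code from Spark or j2objc. It ties the two halves of this page together: Example 1 wants to react to a revoked certificate coming out of PKIX path validation, and Examples 2 to 5 show what a CertificateRevokedException carries. The JDK's revocation checker surfaces the revocation as the cause of a CertPathValidatorException with reason BasicReason.REVOKED, so the example unwraps it from there and then reads the authority, dates and the raw reasonCode extension. The DerExtension class, the hand-built DER for the two extensions and the sample dates are constructed here so the example runs without a CA, a CRL or a DER library; j2objc's getReasonExtension and getInvalidityExtension helpers are not on this page and are not reproduced.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CRLReason;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.Extension;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class RevocationCauseDemo {

    // Hypothetical minimal Extension carrying a DER-encoded value, so the example needs no CA
    // and no DER library. Real code gets these from an X509CRLEntry or an OCSP response.
    static final class DerExtension implements Extension {
        private final String oid;
        private final byte[] value;

        DerExtension(String oid, byte[] value) {
            this.oid = oid;
            this.value = value.clone();
        }

        @Override public String getId() { return oid; }
        @Override public boolean isCritical() { return false; }
        @Override public byte[] getValue() { return value.clone(); }
        @Override public void encode(OutputStream out) throws IOException { out.write(value); }
    }

    // reasonCode (OID 2.5.29.21) is a DER ENUMERATED: tag 0x0A, length 1, code (RFC 5280 5.3.1).
    static byte[] derEnumerated(int code) {
        return new byte[] {0x0A, 0x01, (byte) code};
    }

    // invalidityDate (OID 2.5.29.24) is a DER GeneralizedTime: tag 0x18, length, "YYYYMMDDHHMMSSZ".
    static byte[] derGeneralizedTime(Date date) {
        String text = DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'")
                .format(date.toInstant().atZone(ZoneOffset.UTC));
        byte[] body = text.getBytes(StandardCharsets.US_ASCII);
        byte[] der = new byte[body.length + 2];
        der[0] = 0x18;
        der[1] = (byte) body.length;
        System.arraycopy(body, 0, der, 2, body.length);
        return der;
    }

    // Decode the reasonCode extension back to a CRLReason; null if absent or malformed.
    // CRLReason's ordinal matches the RFC 5280 reason code, which is why values()[code] works.
    static CRLReason reasonFromExtension(Map<String, Extension> extensions) {
        Extension ext = extensions.get("2.5.29.21");
        if (ext == null) return null;
        byte[] der = ext.getValue();
        if (der.length != 3 || der[0] != 0x0A || der[1] != 0x01) return null;
        int code = der[2] & 0xFF;
        return code < CRLReason.values().length ? CRLReason.values()[code] : null;
    }

    // The JDK's PKIX revocation checker does not throw CertificateRevokedException itself; it is
    // the cause of a CertPathValidatorException whose reason is BasicReason.REVOKED. Unwrap it,
    // or return null when the path failed for any other reason (expiry, bad signature, ...).
    static CertificateRevokedException revocationCause(CertPathValidatorException e) {
        if (e.getReason() != CertPathValidatorException.BasicReason.REVOKED) return null;
        for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
            if (t instanceof CertificateRevokedException) return (CertificateRevokedException) t;
        }
        return null;
    }

    // What an operator wants logged: issuing authority, revocation time, reason, invalidity date.
    static String describe(CertificateRevokedException e) {
        Date invalidity = e.getInvalidityDate(); // the JDK decodes 2.5.29.24 from the extension map
        CRLReason fromExt = reasonFromExtension(e.getExtensions());
        return "revoked by " + e.getAuthorityName().getName()
                + " at " + e.getRevocationDate().toInstant()
                + " reason=" + e.getRevocationReason()
                + " reasonCodeExt=" + fromExt
                + (invalidity != null ? " invalidSince=" + invalidity.toInstant() : "");
    }

    public static void main(String[] args) {
        // Constructed sample, not a real CRL entry: key compromise noticed one day before revocation.
        Date revokedAt = new Date(1199226851000L);
        Date invalidSince = new Date(1199226851000L - 86_400_000L);
        Map<String, Extension> ext = new HashMap<>();
        ext.put("2.5.29.21", new DerExtension("2.5.29.21", derEnumerated(CRLReason.KEY_COMPROMISE.ordinal())));
        ext.put("2.5.29.24", new DerExtension("2.5.29.24", derGeneralizedTime(invalidSince)));
        CertificateRevokedException revoked = new CertificateRevokedException(
                revokedAt, CRLReason.KEY_COMPROMISE, new X500Principal("CN=Example CA"), ext);

        // Wrapped the way the revocation checker surfaces it from CertPathValidator.validate().
        CertPathValidatorException wrapped = new CertPathValidatorException(
                "Certificate has been revoked", revoked, null, -1,
                CertPathValidatorException.BasicReason.REVOKED);

        CertificateRevokedException cause = revocationCause(wrapped);
        System.out.println(cause != null ? describe(cause) : "not a revocation failure");
    }
}
```

Two points worth keeping in mind when adapting this: the reason passed to the constructor and the reasonCode extension are independent, so a checker that builds the exception from a CRL entry should populate both from the same entry (the example prints both so a mismatch is visible); and getExtensions() returns an unmodifiable copy, as Example 5 asserts, so the extension map must be complete before the exception is constructed.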

Aggregations

CertificateRevokedException (java.security.cert.CertificateRevokedException)9 Date (java.util.Date)4 CertificateException (java.security.cert.CertificateException)3 Extension (java.security.cert.Extension)3 X500Principal (javax.security.auth.x500.X500Principal)3 CertificateExpiredException (java.security.cert.CertificateExpiredException)2 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)2 X509Certificate (java.security.cert.X509Certificate)2 Bootstrap (io.netty.bootstrap.Bootstrap)1 ServerBootstrap (io.netty.bootstrap.ServerBootstrap)1 Channel (io.netty.channel.Channel)1 ChannelHandlerContext (io.netty.channel.ChannelHandlerContext)1 ChannelInboundHandlerAdapter (io.netty.channel.ChannelInboundHandlerAdapter)1 EventLoopGroup (io.netty.channel.EventLoopGroup)1 NioEventLoopGroup (io.netty.channel.nio.NioEventLoopGroup)1 NioServerSocketChannel (io.netty.channel.socket.nio.NioServerSocketChannel)1 NioSocketChannel (io.netty.channel.socket.nio.NioSocketChannel)1 LoggingHandler (io.netty.handler.logging.LoggingHandler)1 SelfSignedCertificate (io.netty.handler.ssl.util.SelfSignedCertificate)1 SimpleTrustManagerFactory (io.netty.handler.ssl.util.SimpleTrustManagerFactory)1