
Example 1 with Extension

use of java.security.cert.Extension in project jdk8u_jdk by JetBrains.

the class OCSPRequest method encodeBytes.

/**
 * DER-encodes this request as an unsigned {@code OCSPRequest}.
 *
 * <p>The {@code tbsRequest} written here contains only the request list (one
 * {@code Request} SEQUENCE per {@code CertId}) and, when any extensions are
 * configured, the {@code requestExtensions} under EXPLICIT context tag [2].
 * No version or requestorName is written, and no {@code optionalSignature}
 * is appended.
 *
 * <p>Side effect: if a nonce extension is among {@code extensions}, its value
 * is stored in the {@code nonce} field so that the response can later be
 * matched against the request (the consumer of that field is not visible in
 * this method). When more than one nonce extension is present, the last one
 * encoded is the one retained.
 *
 * @return the DER bytes of the complete {@code OCSPRequest}
 * @throws IOException if any of the DER encoders fail
 */
byte[] encodeBytes() throws IOException {
    // requestList ::= SEQUENCE OF Request, each Request wrapping one CertId.
    DerOutputStream requestList = new DerOutputStream();
    for (CertId id : certIds) {
        DerOutputStream singleRequest = new DerOutputStream();
        id.encode(singleRequest);
        requestList.write(DerValue.tag_Sequence, singleRequest);
    }

    DerOutputStream tbsBody = new DerOutputStream();
    tbsBody.write(DerValue.tag_Sequence, requestList);

    if (!extensions.isEmpty()) {
        String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
        DerOutputStream extList = new DerOutputStream();
        for (Extension ext : extensions) {
            ext.encode(extList);
            // Remember the nonce that actually went on the wire; a replayed or
            // stale response that lacks this value can then be rejected.
            if (ext.getId().equals(nonceOid)) {
                nonce = ext.getValue();
            }
        }
        DerOutputStream extSequence = new DerOutputStream();
        extSequence.write(DerValue.tag_Sequence, extList);
        // requestExtensions [2] EXPLICIT Extensions OPTIONAL
        tbsBody.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 2), extSequence);
    }

    DerOutputStream tbsRequest = new DerOutputStream();
    tbsRequest.write(DerValue.tag_Sequence, tbsBody);

    // Outer OCSPRequest SEQUENCE; optionalSignature is deliberately absent.
    DerOutputStream wrapper = new DerOutputStream();
    wrapper.write(DerValue.tag_Sequence, tbsRequest);
    byte[] encoded = wrapper.toByteArray();

    if (dump) {
        HexDumpEncoder hexDumper = new HexDumpEncoder();
        debug.println("OCSPRequest bytes...\n\n" + hexDumper.encode(encoded) + "\n");
    }
    return encoded;
}
Also used : Extension(java.security.cert.Extension) HexDumpEncoder(sun.misc.HexDumpEncoder)

Example 2 with Extension

use of java.security.cert.Extension in project Bytecoder by mirkosertic.

the class RevocationChecker method checkOCSP.

/**
 * Determines the revocation status of {@code cert} via OCSP and throws if the
 * certificate is revoked as of {@code params.date()} or its status cannot be
 * established.
 *
 * <p>If a cached response for {@code cert} exists in {@code ocspResponses} it
 * is parsed and handed to {@code OCSPResponse.verify} together with the nonce
 * from the configured request extensions; otherwise a live request is sent to
 * the explicitly configured responder, falling back to the URI advertised by
 * the certificate.
 *
 * @param cert               the certificate whose status is being checked
 * @param unresolvedCritExts critical extensions still unresolved by earlier
 *                           checks; not referenced in this method body
 * @throws CertPathValidatorException with {@code BasicReason.REVOKED} when the
 *         revocation time precedes {@code params.date()}, with
 *         {@code UNDETERMINED_REVOCATION_STATUS} when the status is UNKNOWN
 *         or an {@code IOException} occurs, and with whatever reason the
 *         response verification itself raises
 */
private void checkOCSP(X509Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    X509CertImpl currCert = null;
    try {
        currCert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
    // The algorithm constraints of the OCSP trusted responder certificate
    // does not need to be checked in this code. The constraints will be
    // checked when the responder's certificate is validated.
    OCSPResponse response = null;
    CertId certId = null;
    try {
        // CertId is built from the issuer's name and public key (issuerInfo)
        // plus this certificate's serial number.
        certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(), currCert.getSerialNumberObject());
        // check if there is a cached OCSP response available
        byte[] responseBytes = ocspResponses.get(cert);
        if (responseBytes != null) {
            if (debug != null) {
                debug.println("Found cached OCSP response");
            }
            response = new OCSPResponse(responseBytes);
            // verify the response
            // A cached (e.g. stapled) response is not trusted merely because it
            // is cached: it goes through the same verify() call, which receives
            // the nonce we would have sent so the response can be bound to this
            // request. What verify() enforces is not visible here -- see
            // OCSPResponse.verify.
            byte[] nonce = null;
            for (Extension ext : ocspExtensions) {
                // 1.3.6.1.5.5.7.48.1.2 is id-pkix-ocsp-nonce (the same OID
                // OCSPRequest reaches via PKIXExtensions.OCSPNonce_Id). If
                // several nonce extensions are configured, the last one wins.
                if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
                    nonce = ext.getValue();
                }
            }
            response.verify(Collections.singletonList(certId), issuerInfo, responderCert, params.date(), nonce, params.variant());
        } else {
            // An explicitly configured responder takes precedence over the
            // URI advertised in the certificate's own AIA extension.
            URI responderURI = (this.responderURI != null) ? this.responderURI : OCSP.getResponderURI(currCert);
            if (responderURI == null) {
                throw new CertPathValidatorException("Certificate does not specify OCSP responder", null, null, -1);
            }
            // NOTE(review): the null argument occupies the position where a
            // validation date would be passed -- presumably meaning "now";
            // confirm against OCSP.check's signature.
            response = OCSP.check(Collections.singletonList(certId), responderURI, issuerInfo, responderCert, null, ocspExtensions, params.variant());
        }
    } catch (IOException e) {
        // NOTE(review): the message blames the network, but this catch also
        // covers the cached-response branch above (e.g. a malformed cached
        // response, if the parser reports it as an IOException).
        throw new CertPathValidatorException("Unable to determine revocation status due to network error", e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
    RevocationStatus.CertStatus certStatus = rs.getCertStatus();
    if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        Date revocationTime = rs.getRevocationTime();
        // Only a revocation that predates the validation instant is fatal; a
        // revocation dated after params.date() leaves the certificate treated
        // as not-yet-revoked at that instant (matters for past-date validation).
        if (revocationTime.before(params.date())) {
            Throwable t = new CertificateRevokedException(revocationTime, rs.getRevocationReason(), response.getSignerCertificate().getSubjectX500Principal(), rs.getSingleExtensions());
            throw new CertPathValidatorException(t.getMessage(), t, null, -1, BasicReason.REVOKED);
        }
    } else if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
        // UNKNOWN is a failure, not an implicit "good".
        throw new CertPathValidatorException("Certificate's revocation status is unknown", null, params.certPath(), -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    // Any other status (GOOD) falls through and the certificate is accepted.
}
Also used : IOException(java.io.IOException) URI(java.net.URI) Extension(java.security.cert.Extension)

Example 3 with Extension

use of java.security.cert.Extension in project Bytecoder by mirkosertic.

the class OCSPStatusRequest method toString.

/**
 * Renders this {@code OCSPStatusRequest} as a multi-line, human-readable
 * string: a header line, the responder IDs (or {@code <EMPTY>}), then the
 * request extensions (or {@code <EMPTY>}).
 *
 * @return the string form of this {@code OCSPStatusRequest}
 */
@Override
public String toString() {
    StringBuilder out = new StringBuilder("OCSPStatusRequest\n");

    out.append("    ResponderIds:");
    if (responderIds.isEmpty()) {
        out.append(" <EMPTY>");
    } else {
        for (ResponderId responder : responderIds) {
            out.append("\n    ").append(responder.toString());
        }
    }

    out.append("\n    Extensions:");
    if (extensions.isEmpty()) {
        out.append(" <EMPTY>");
    } else {
        for (Extension ext : extensions) {
            out.append("\n    ").append(ext.toString());
        }
    }

    return out.toString();
}
Also used : Extension(java.security.cert.Extension) ResponderId(sun.security.provider.certpath.ResponderId)

Example 4 with Extension

use of java.security.cert.Extension in project Bytecoder by mirkosertic.

the class OCSPStatusRequest method send.

/**
 * Writes the encoded {@code OCSPStatusRequest} to the given
 * {@code HandshakeOutStream}: the responder-ID list (a 16-bit total length
 * followed by each ID as a 16-bit-length-prefixed opaque), then the request
 * extensions as a 16-bit-length-prefixed DER {@code SEQUENCE OF Extension}
 * (zero bytes when there are none).
 *
 * <p>NOTE(review): {@code ridListLen} is a field maintained elsewhere; it is
 * assumed to equal the total size of the encoded responder IDs written below.
 *
 * @param s the {@code HandshakeOutStream} on which to send the encoded data
 * @throws IOException if any encoding errors occur
 */
@Override
public void send(HandshakeOutStream s) throws IOException {
    s.putInt16(ridListLen);
    for (ResponderId responder : responderIds) {
        s.putBytes16(responder.getEncoded());
    }

    DerOutputStream encodedExts = new DerOutputStream();
    if (!extensions.isEmpty()) {
        DerOutputStream members = new DerOutputStream();
        for (Extension ext : extensions) {
            ext.encode(members);
        }
        encodedExts.write(DerValue.tag_Sequence, members);
    }
    s.putBytes16(encodedExts.toByteArray());
}
Also used : Extension(java.security.cert.Extension) DerOutputStream(sun.security.util.DerOutputStream) ResponderId(sun.security.provider.certpath.ResponderId)

Example 5 with Extension

use of java.security.cert.Extension in project j2objc by google.

the class RevocationChecker method checkOCSP.

/**
 * Determines the revocation status of {@code cert} via OCSP and throws if the
 * certificate is revoked as of {@code params.date()} or its status cannot be
 * established.
 *
 * <p>The {@code CertId} is derived from {@code issuerCert} when available,
 * otherwise from the trust anchor's name and public key. A cached response
 * from {@code ocspResponses} is used if present and handed to
 * {@code OCSPResponse.verify} with the nonce from the configured request
 * extensions; otherwise a live request goes to the explicitly configured
 * responder, falling back to the URI advertised by the certificate.
 *
 * @param cert               the certificate whose status is being checked
 * @param unresolvedCritExts critical extensions still unresolved by earlier
 *                           checks; not referenced in this method body
 * @throws CertPathValidatorException with {@code BasicReason.REVOKED} when the
 *         revocation time precedes {@code params.date()}, with
 *         {@code UNDETERMINED_REVOCATION_STATUS} when the status is UNKNOWN
 *         or an {@code IOException} occurs, and with whatever reason the
 *         response verification itself raises
 */
private void checkOCSP(X509Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
    X509CertImpl currCert = null;
    try {
        currCert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        throw new CertPathValidatorException(ce);
    }
    // The algorithm constraints of the OCSP trusted responder certificate
    // does not need to be checked in this code. The constraints will be
    // checked when the responder's certificate is validated.
    OCSPResponse response = null;
    CertId certId = null;
    try {
        if (issuerCert != null) {
            certId = new CertId(issuerCert, currCert.getSerialNumberObject());
        } else {
            // must be an anchor name and key
            certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(), currCert.getSerialNumberObject());
        }
        // check if there is a cached OCSP response available
        byte[] responseBytes = ocspResponses.get(cert);
        if (responseBytes != null) {
            if (debug != null) {
                debug.println("Found cached OCSP response");
            }
            response = new OCSPResponse(responseBytes);
            // verify the response
            // A cached (e.g. stapled) response is not trusted merely because it
            // is cached: it goes through the same verify() call, which receives
            // the nonce we would have sent so the response can be bound to this
            // request. What verify() enforces is not visible here -- see
            // OCSPResponse.verify.
            byte[] nonce = null;
            for (Extension ext : ocspExtensions) {
                // 1.3.6.1.5.5.7.48.1.2 is id-pkix-ocsp-nonce (the same OID
                // OCSPRequest reaches via PKIXExtensions.OCSPNonce_Id). If
                // several nonce extensions are configured, the last one wins.
                if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
                    nonce = ext.getValue();
                }
            }
            response.verify(Collections.singletonList(certId), issuerCert, responderCert, params.date(), nonce);
        } else {
            // An explicitly configured responder takes precedence over the
            // URI advertised in the certificate's own AIA extension.
            URI responderURI = (this.responderURI != null) ? this.responderURI : OCSP.getResponderURI(currCert);
            if (responderURI == null) {
                throw new CertPathValidatorException("Certificate does not specify OCSP responder", null, null, -1);
            }
            // NOTE(review): the null argument occupies the position where a
            // validation date would be passed -- presumably meaning "now";
            // confirm against OCSP.check's signature.
            response = OCSP.check(Collections.singletonList(certId), responderURI, issuerCert, responderCert, null, ocspExtensions);
        }
    } catch (IOException e) {
        // NOTE(review): the message blames the network, but this catch also
        // covers the cached-response branch above (e.g. a malformed cached
        // response, if the parser reports it as an IOException).
        throw new CertPathValidatorException("Unable to determine revocation status due to network error", e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
    RevocationStatus.CertStatus certStatus = rs.getCertStatus();
    if (certStatus == RevocationStatus.CertStatus.REVOKED) {
        Date revocationTime = rs.getRevocationTime();
        // Only a revocation that predates the validation instant is fatal; a
        // revocation dated after params.date() leaves the certificate treated
        // as not-yet-revoked at that instant (matters for past-date validation).
        if (revocationTime.before(params.date())) {
            Throwable t = new CertificateRevokedException(revocationTime, rs.getRevocationReason(), response.getSignerCertificate().getSubjectX500Principal(), rs.getSingleExtensions());
            throw new CertPathValidatorException(t.getMessage(), t, null, -1, BasicReason.REVOKED);
        }
    } else if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
        // UNKNOWN is a failure, not an implicit "good".
        throw new CertPathValidatorException("Certificate's revocation status is unknown", null, params.certPath(), -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    // Any other status (GOOD) falls through and the certificate is accepted.
}
Also used : IOException(java.io.IOException) URI(java.net.URI) Extension(java.security.cert.Extension)

Aggregations

Extension (java.security.cert.Extension)15 IOException (java.io.IOException)6 URI (java.net.URI)3 CertificateRevokedException (java.security.cert.CertificateRevokedException)3 ResponderId (sun.security.provider.certpath.ResponderId)3 CertPathValidatorException (java.security.cert.CertPathValidatorException)2 Date (java.util.Date)2 X500Principal (javax.security.auth.x500.X500Principal)2 HexDumpEncoder (sun.misc.HexDumpEncoder)2 DerOutputStream (sun.security.util.DerOutputStream)2 AuthorityInfoAccessExtension (sun.security.x509.AuthorityInfoAccessExtension)2 CertificateException (java.security.cert.CertificateException)1 CertificateExpiredException (java.security.cert.CertificateExpiredException)1 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 HexDumpEncoder (sun.security.util.HexDumpEncoder)1