use of java.security.cert.Extension in project j2objc by google.
the class CertificateRevocationExceptionTest method getTestException.
/**
 * Builds a fixed {@code CertificateRevokedException} fixture: revoked at
 * epoch millis 1199226851000, reason CESSATION_OF_OPERATION, authority
 * "CN=test1", carrying the reasonCode and invalidityDate CRL entry extensions.
 */
private CertificateRevokedException getTestException() {
    Map<String, Extension> entryExtensions = new HashMap<String, Extension>();
    // 2.5.29.21 = reasonCode, 2.5.29.24 = invalidityDate (CRL entry extensions)
    entryExtensions.put("2.5.29.21", getReasonExtension());
    entryExtensions.put("2.5.29.24", getInvalidityExtension());
    Date revocationDate = new Date(1199226851000L);
    X500Principal authority = new X500Principal("CN=test1");
    return new CertificateRevokedException(revocationDate,
            CRLReason.CESSATION_OF_OPERATION, authority, entryExtensions);
}
use of java.security.cert.Extension in project j2objc by google.
the class CertificateRevocationExceptionTest method testGetExtensions.
/**
 * {@code getExtensions()} must return a fresh map on every call and that map
 * must be unmodifiable, so a caller cannot tamper with the exception's state.
 */
public void testGetExtensions() throws Exception {
    CertificateRevokedException exception = getTestException();
    Map<String, Extension> firstCopy = exception.getExtensions();
    // A second call must not hand back the same instance.
    assertNotSame(firstCopy, exception.getExtensions());
    // Mutation attempts on the returned map must be rejected.
    boolean rejected = false;
    try {
        firstCopy.put("2.2.2.2", getReasonExtension());
    } catch (UnsupportedOperationException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail();
    }
}
use of java.security.cert.Extension in project jdk8u_jdk by JetBrains.
the class OCSP method check.
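/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * <p>If {@code extensions} contains an OCSP nonce extension, its value is
 * passed to {@code OCSPResponse.verify} together with the received response;
 * the nonce comparison itself is done there, not in this method.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *        should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *        request. If no extensions are requested, an empty {@code List} must
 *        be used. A {@code null} value is not allowed.
 * @param variant the certificate usage variant, forwarded unchanged to
 *        {@code OCSPResponse.verify} (its meaning is defined there)
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *         communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *         encoding the OCSP Request or validating the OCSP Response; a
 *         transport {@code IOException} is reported this way with reason
 *         {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
        OCSPResponse.IssuerInfo issuerInfo, X509Certificate responderCert,
        Date date, List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException {
    // Extract the nonce the caller placed in the request (if any) so the
    // response can be tied back to it. If several nonce extensions are
    // present the last one wins, as before.
    byte[] nonce = null;
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension ext : extensions) {
        if (ext.getId().equals(nonceOid)) {
            nonce = ext.getValue();
        }
    }
    OCSPResponse ocspResponse;
    try {
        byte[] response = getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(response);
        // Verify the response (presumably signature, cert ids and nonce are
        // all checked inside verify — confirm against OCSPResponse).
        ocspResponse.verify(certIds, issuerInfo, responderCert, date, nonce, variant);
    } catch (IOException ioe) {
        // Network failure: surface as "undetermined" rather than as a hard
        // failure, keeping the cause attached for diagnosis.
        throw new CertPathValidatorException(
                "Unable to determine revocation status due to network error",
                ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
    return ocspResponse;
}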
use of java.security.cert.Extension in project jdk8u_jdk by JetBrains.
the class RevocationChecker method checkOCSP.
/**
 * Checks the revocation status of {@code cert} via OCSP. A response cached in
 * {@code ocspResponses} is used when present (and is still fully verified);
 * otherwise the responder is contacted through {@code OCSP.check}.
 *
 * @param cert the certificate whose status is being checked
 * @param unresolvedCritExts critical extensions still unresolved by the
 *        checker (not consulted by this method)
 * @throws CertPathValidatorException if the certificate cannot be converted
 *         to an {@code X509CertImpl}, no responder URI is known, the status
 *         cannot be determined (network error or UNKNOWN status, reason
 *         {@code UNDETERMINED_REVOCATION_STATUS}), or the certificate was
 *         revoked before {@code params.date()} (reason {@code REVOKED})
 */
private void checkOCSP(X509Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
X509CertImpl currCert = null;
try {
currCert = X509CertImpl.toImpl(cert);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
// The algorithm constraints of the OCSP trusted responder certificate
// does not need to be checked in this code. The constraints will be
// checked when the responder's certificate is validated.
OCSPResponse response = null;
CertId certId = null;
try {
certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(), currCert.getSerialNumberObject());
// check if there is a cached OCSP response available
byte[] responseBytes = ocspResponses.get(cert);
if (responseBytes != null) {
if (debug != null) {
debug.println("Found cached OCSP response");
}
response = new OCSPResponse(responseBytes);
// verify the response — cached bytes get the same verification as a
// fresh response, including the nonce (if the request carried one)
byte[] nonce = null;
for (Extension ext : ocspExtensions) {
// 1.3.6.1.5.5.7.48.1.2 is id-pkix-ocsp-nonce. OCSP.check compares
// against PKIXExtensions.OCSPNonce_Id.toString() for the same purpose;
// NOTE(review): the two should stay in sync.
if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
nonce = ext.getValue();
}
}
response.verify(Collections.singletonList(certId), issuerInfo, responderCert, params.date(), nonce, params.variant());
} else {
// Explicitly configured responder takes precedence over the AIA URI in the cert.
URI responderURI = (this.responderURI != null) ? this.responderURI : OCSP.getResponderURI(currCert);
if (responderURI == null) {
throw new CertPathValidatorException("Certificate does not specify OCSP responder", null, null, -1);
}
// Date is null here: the responder cert's validity is checked against
// the current time rather than params.date().
response = OCSP.check(Collections.singletonList(certId), responderURI, issuerInfo, responderCert, null, ocspExtensions, params.variant());
}
} catch (IOException e) {
// Transport failure is reported as "undetermined", not as a hard failure.
throw new CertPathValidatorException("Unable to determine revocation status due to network error", e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// NOTE(review): assumes the verified response holds a SingleResponse for
// certId; a missing entry would surface as an NPE below — confirm verify
// guarantees presence.
RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
RevocationStatus.CertStatus certStatus = rs.getCertStatus();
if (certStatus == RevocationStatus.CertStatus.REVOKED) {
Date revocationTime = rs.getRevocationTime();
// Status is evaluated as of params.date(): a revocation dated after
// that time does not fail this validation.
if (revocationTime.before(params.date())) {
Throwable t = new CertificateRevokedException(revocationTime, rs.getRevocationReason(), response.getSignerCertificate().getSubjectX500Principal(), rs.getSingleExtensions());
throw new CertPathValidatorException(t.getMessage(), t, null, -1, BasicReason.REVOKED);
}
} else if (certStatus == RevocationStatus.CertStatus.UNKNOWN) {
// UNKNOWN is not treated as GOOD; it fails as undetermined.
throw new CertPathValidatorException("Certificate's revocation status is unknown", null, params.certPath(), -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
}
use of java.security.cert.Extension in project Bytecoder by mirkosertic.
the class StatusResponseManager method getFromCache.
/**
 * Check the cache for a given {@code CertId}.
 *
 * <p>A request that carries an OCSP nonce extension expects a response bound
 * to that nonce, which a cached response cannot satisfy; such requests always
 * miss. Entries whose {@code nextUpdate} is already in the past are purged
 * rather than returned.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *        in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *         {@code null} if it is not found, it has expired, or a nonce
 *         extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid, OCSPStatusRequest ocspRequest) {
    // If the client sent a nonce, do not attempt to retrieve the response
    // from the cache.
    boolean nonceRequested = false;
    for (Extension ext : ocspRequest.getExtensions()) {
        if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
            nonceRequested = true;
            break;
        }
    }
    if (nonceRequested) {
        debugLog("Nonce extension found, skipping cache check");
        return null;
    }
    ResponseCacheEntry cached = responseCache.get(cid);
    // If the entry has passed its nextUpdate time, drop it and do not
    // return it as a cache hit.
    if (cached != null && cached.nextUpdate != null) {
        Date now = new Date();
        if (cached.nextUpdate.before(now)) {
            debugLog("nextUpdate threshold exceeded, purging from cache");
            cached = null;
        }
    }
    String outcome = (cached != null) ? "HIT" : "MISS";
    debugLog("Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    return cached;
}