
Example 56 with X509CRL

use of java.security.cert.X509CRL in project OpenAM by OpenRock.

the class Cert method doJSSRevocationValidation.

private int doJSSRevocationValidation(X509Certificate cert) {
    int ret = ISAuthConstants.LOGIN_IGNORE;
    boolean validateCA = amAuthCert_validateCA.equalsIgnoreCase("true");
    X509CRL crl = null;
    if (crlEnabled) {
        // If no CRL can be retrieved for this certificate, ret stays LOGIN_IGNORE:
        // an absent CRL is not treated as "not revoked".
        crl = AMCRLStore.getCRL(ldapParam, cert, amAuthCert_chkAttributesCRL);
        if ((crl != null) && (!crl.isRevoked(cert))) {
            ret = ISAuthConstants.LOGIN_SUCCEED;
        }
    }
    /*
     * OCSP validation. This uses CryptoManager.isCertValid() to validate the
     * certificate; OCSP is one of the steps in that process. The algorithm
     * for finding the OCSP responder is:
     * 1. use the global OCSP responder if set
     * 2. use the OCSP responder in the user's certificate if present
     * 3. no OCSP responder
     * isCertValid() will NOT perform OCSP validation if no OCSP responder is
     * found by the process above.
     *
     * Note that when both CRL and OCSP checking are enabled, the OCSP result
     * below overwrites whatever the CRL branch set in ret.
     */
    if (ocspEnabled) {
        try {
            CryptoManager cm = CryptoManager.getInstance();
            if (cm.isCertValid(cert.getEncoded(), true, CryptoManager.CertUsage.SSLClient)) {
                debug.message("cert is valid");
                ret = ISAuthConstants.LOGIN_SUCCEED;
            } else {
                ret = ISAuthConstants.LOGIN_IGNORE;
            }
        } catch (Exception e) {
            debug.message("certValidation failed with exception", e);
        }
    }
    if ((ret == ISAuthConstants.LOGIN_SUCCEED) && (crlEnabled || ocspEnabled) && validateCA && !AMCertStore.isRootCA(cert)) {
        /*
         * The trust anchor is not necessarily a certificate, but a (trusted) public key entry in the
         * trust-store. Don't march up the chain unless the AMCertStore can actually return a non-null
         * issuer certificate. If the issuer certificate is null, the result of the previous
         * doRevocationValidation invocation is the final answer.
         */
        X509Certificate issuerCertificate = AMCertStore.getIssuerCertificate(ldapParam, cert, amAuthCert_chkAttrCertInLDAP);
        if (issuerCertificate != null) {
            ret = doJSSRevocationValidation(issuerCertificate);
        }
    }
    return ret;
}
Also used : X509CRL(java.security.cert.X509CRL) CryptoManager(org.mozilla.jss.CryptoManager) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) X509Certificate(java.security.cert.X509Certificate)
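The OpenAM method above calls X509CRL.isRevoked() on whatever AMCRLStore hands back; whether that CRL was signed by the right issuer and is still within its validity window is decided elsewhere. The added example below (not OpenAM code) shows the checks a caller should make before trusting isRevoked(): issuer match, cRLSign key usage on the issuer, CRL signature verification, and the thisUpdate/nextUpdate window, returning a tri-state so that "could not check" is distinguished from "not revoked" (the same role LOGIN_IGNORE plays above). The PEM file arguments in main() are assumptions for running it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Added example: authenticate a CRL before asking it about a certificate. */
public class CrlRevocationCheck {

    /** UNKNOWN lets callers fail closed instead of treating "no usable CRL" as GOOD. */
    public enum Status { GOOD, REVOKED, UNKNOWN }

    public static Status check(X509Certificate cert, X509Certificate issuer, X509CRL crl, Date now) {
        // 1. The CRL must be issued by the certificate's issuer (direct CRL case).
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.UNKNOWN;
        }
        if (!issuer.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.UNKNOWN;
        }
        // 2. If the issuer carries a KeyUsage extension, bit 6 (cRLSign) must be set.
        boolean[] keyUsage = issuer.getKeyUsage();
        if (keyUsage != null && (keyUsage.length < 7 || !keyUsage[6])) {
            return Status.UNKNOWN;
        }
        // 3. The CRL signature must verify under the issuer's key; otherwise an
        //    attacker could "un-revoke" a certificate by serving an empty list.
        try {
            crl.verify(issuer.getPublicKey());
        } catch (Exception e) {
            return Status.UNKNOWN;
        }
        // 4. The CRL must be current for the time being evaluated.
        if (crl.getThisUpdate().after(now)) {
            return Status.UNKNOWN;
        }
        Date next = crl.getNextUpdate();
        if (next != null && next.before(now)) {
            return Status.UNKNOWN;
        }
        // 5. Only now is the revocation list itself meaningful.
        X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry == null) {
            return Status.GOOD;
        }
        // removeFromCRL appears in delta CRLs and means the entry was lifted.
        if (entry.getRevocationReason() == CRLReason.REMOVE_FROM_CRL) {
            return Status.GOOD;
        }
        return Status.REVOKED;
    }

    // Assumed invocation: java CrlRevocationCheck cert.pem issuer.pem issuer.crl
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        X509Certificate issuer;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            issuer = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[2])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println(check(cert, issuer, crl, new Date()));
    }
}
```

A caller that maps UNKNOWN to "allow" has the same fail-open behaviour as skipping revocation altogether; map it to a retry or a deny according to the policy of the deployment.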

Example 57 with X509CRL

use of java.security.cert.X509CRL in project XobotOS by xamarin.

the class X509CertFactoryImpl method getCRL.

/**
 * Returns the CRL object corresponding to the encoding provided
 * by the stream.
 * Resulting object is retrieved from the cache
 * if it contains such correspondence
 * and is constructed on the base of encoding
 * and stored in the cache otherwise.
 * @throws IOException if some decoding errors occur
 * (in the case of cache miss).
 */
private static CRL getCRL(InputStream inStream) throws CRLException, IOException {
    synchronized (CRL_CACHE) {
        // read the prefix of the encoding, then rewind so the full encoding can be read again
        inStream.mark(CRL_CACHE_SEED_LENGTH);
        byte[] buff = readBytes(inStream, CRL_CACHE_SEED_LENGTH);
        inStream.reset();
        if (buff == null) {
            throw new CRLException("InputStream doesn't contain enough data");
        }
        long hash = CRL_CACHE.getHash(buff);
        if (CRL_CACHE.contains(hash)) {
            byte[] encoding = new byte[BerInputStream.getLength(buff)];
            if (encoding.length < CRL_CACHE_SEED_LENGTH) {
                throw new CRLException("Bad CRL encoding");
            }
            Streams.readFully(inStream, encoding);
            CRL res = (CRL) CRL_CACHE.get(hash, encoding);
            if (res != null) {
                return res;
            }
            res = new X509CRLImpl(encoding);
            CRL_CACHE.put(hash, encoding, res);
            return res;
        } else {
            X509CRL res = new X509CRLImpl(inStream);
            CRL_CACHE.put(hash, res.getEncoded(), res);
            return res;
        }
    }
}
Also used : X509CRL(java.security.cert.X509CRL) CRL(java.security.cert.CRL) CRLException(java.security.cert.CRLException)

Example 58 with X509CRL

use of java.security.cert.X509CRL in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method checkCRL.

/**
 * Checks a distribution point for revocation information for the
 * certificate <code>cert</code>.
 *
 * @param dp                 The distribution point to consider.
 * @param paramsPKIX         PKIX parameters.
 * @param cert               Certificate to check if it is revoked.
 * @param validDate          The date when the certificate revocation status should be
 *                           checked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param certStatus         The current certificate revocation status.
 * @param reasonMask         The reasons mask which is already checked.
 * @param certPathCerts      The certificates of the certification path.
 * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
 *                            or some error occurs.
 */
private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException {
    Date currentDate = new Date(System.currentTimeMillis());
    if (validDate.getTime() > currentDate.getTime()) {
        throw new AnnotatedException("Validation time is in future.");
    }
    // (a)
    /*
     * We always get timely valid CRLs, so there is no step (a) (1).
     * "locally cached" CRLs are assumed to be in getStore(), additional
     * CRLs must be enabled in the ExtendedPKIXParameters and are in
     * getAdditionalStore()
     */
    Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
    boolean validCrlFound = false;
    AnnotatedException lastException = null;
    Iterator crl_iter = crls.iterator();
    while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
        try {
            X509CRL crl = (X509CRL) crl_iter.next();
            // (d)
            ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
            /*
             * The reasons mask is updated at the end, so only valid CRLs
             * can update it. If this CRL does not contain new reasons it
             * must be ignored.
             */
            if (!interimReasonsMask.hasNewReasons(reasonMask)) {
                continue;
            }
            // (f)
            Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
            // (g)
            PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
            X509CRL deltaCRL = null;
            if (paramsPKIX.isUseDeltasEnabled()) {
                // get delta CRLs
                Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
                // we only want one valid delta CRL
                // (h)
                deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
            }
            if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
                /*
                 * if a certificate has expired, but was revoked, it is not
                 * more in the CRL, so it would be regarded as valid if the
                 * first check is not done
                 */
                if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
                    throw new AnnotatedException("No valid CRL for current time found.");
                }
            }
            // (b) (1)
            RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);
            // (b) (2)
            RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);
            // (c)
            RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
            // (i)
            RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
            // (j)
            RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
            // (k)
            if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
                certStatus.setCertStatus(CertStatus.UNREVOKED);
            }
            // update reasons mask
            reasonMask.addReasons(interimReasonsMask);
            Set criticalExtensions = crl.getCriticalExtensionOIDs();
            if (criticalExtensions != null) {
                criticalExtensions = new HashSet(criticalExtensions);
                criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                if (!criticalExtensions.isEmpty()) {
                    throw new AnnotatedException("CRL contains unsupported critical extensions.");
                }
            }
            if (deltaCRL != null) {
                criticalExtensions = deltaCRL.getCriticalExtensionOIDs();
                if (criticalExtensions != null) {
                    criticalExtensions = new HashSet(criticalExtensions);
                    criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                    criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                    if (!criticalExtensions.isEmpty()) {
                        throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
                    }
                }
            }
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        throw lastException;
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) X509CRL(java.security.cert.X509CRL) PublicKey(java.security.PublicKey) Iterator(java.util.Iterator) Date(java.util.Date)
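The checkCRL method above is the Bouncy Castle implementation of the RFC 3280 section 6.3.3 CRL processing steps (a) through (k). The JDK's own PKIX validator implements the same steps behind java.security.cert.PKIXRevocationChecker, and the practical choice a practitioner has to make is whether an undeterminable status is fatal or merely recorded. The added example below (not Bouncy Castle or OpenAM code) validates a one-certificate path against a trust anchor with CRL-only revocation checking and shows both modes: in the default mode an unobtainable CRL fails validation with UNDETERMINED_REVOCATION_STATUS; with SOFT_FAIL the path validates and the failure is surfaced through getSoftFailExceptions() so the caller can still act on it. File arguments in main() are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;

/** Added example: PKIX path validation with explicit revocation policy. */
public class PkixRevocationDemo {

    /**
     * @param chain  end-entity first, trust anchor excluded (PKIX convention)
     * @param crls   the CRLs the validator may consult (no network fetch is needed then)
     * @param softFail false = fail closed on undeterminable status; true = record it instead
     * @return "GOOD", or a reason string describing why the path was rejected or undetermined
     */
    public static String validate(List<X509Certificate> chain, X509Certificate anchor,
                                  List<X509CRL> crls, boolean softFail) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // CRL only: prefer CRLs and do not fall back to OCSP, so the result depends solely on the CRLs supplied.
        EnumSet<PKIXRevocationChecker.Option> opts =
                EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK);
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        rc.setOptions(opts);
        // Adding the checker explicitly replaces the validator's default revocation handling.
        params.addCertPathChecker(rc);

        try {
            cpv.validate(path, params);
            // With SOFT_FAIL, "could not determine" is collected here instead of being thrown.
            List<CertPathValidatorException> soft = rc.getSoftFailExceptions();
            if (!soft.isEmpty()) {
                return "UNDETERMINED (soft-fail): " + soft.get(0).getMessage();
            }
            return "GOOD";
        } catch (CertPathValidatorException e) {
            // Reason is e.g. BasicReason.REVOKED or BasicReason.UNDETERMINED_REVOCATION_STATUS.
            return e.getReason() + ": " + e.getMessage();
        }
    }

    // Assumed invocation: java PkixRevocationDemo anchor.pem leaf.pem issuer.crl [soft]
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        X509Certificate leaf;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[2])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        boolean soft = args.length > 3 && "soft".equals(args[3]);
        System.out.println(validate(Collections.singletonList(leaf), anchor,
                Collections.singletonList(crl), soft));
    }
}
```

Running it twice, once with a current CRL and once with an expired one, is the quickest way to see the difference: the expired CRL is rejected outright in the default mode and only reported in soft-fail mode, which is the behaviour checkCRL above produces by throwing the last AnnotatedException when no valid CRL was found.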

Example 59 with X509CRL

use of java.security.cert.X509CRL in project XobotOS by xamarin.

the class X509CRLStoreSelector method match.

public boolean match(Object obj) {
    if (!(obj instanceof X509CRL)) {
        return false;
    }
    X509CRL crl = (X509CRL) obj;
    DERInteger dci = null;
    try {
        byte[] bytes = crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
        if (bytes != null) {
            dci = DERInteger.getInstance(X509ExtensionUtil.fromExtensionValue(bytes));
        }
    } catch (Exception e) {
        return false;
    }
    if (isDeltaCRLIndicatorEnabled()) {
        if (dci == null) {
            return false;
        }
    }
    if (isCompleteCRLEnabled()) {
        if (dci != null) {
            return false;
        }
    }
    if (dci != null) {
        if (maxBaseCRLNumber != null) {
            if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1) {
                return false;
            }
        }
    }
    if (issuingDistributionPointEnabled) {
        byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
        if (issuingDistributionPoint == null) {
            if (idp != null) {
                return false;
            }
        } else {
            if (!Arrays.areEqual(idp, issuingDistributionPoint)) {
                return false;
            }
        }
    }
    return super.match((X509CRL) obj);
}
Also used : X509CRL(java.security.cert.X509CRL) IOException(java.io.IOException) DERInteger(org.bouncycastle.asn1.DERInteger)

Example 60 with X509CRL

use of java.security.cert.X509CRL in project XobotOS by xamarin.

the class CertPathValidatorUtilities method getDeltaCRLs.

/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 *
 * @param currentDate The date for which the delta CRLs must be valid.
 * @param paramsPKIX The extended PKIX parameters.
 * @param completeCRL The complete CRL the delta CRL is for.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
 * @throws AnnotatedException if an exception occurs while picking the delta
 *             CRLs.
 */
protected static Set getDeltaCRLs(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException {
    X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();
    // 5.2.4 (a)
    try {
        deltaSelect.addIssuerName(CertPathValidatorUtilities.getIssuerPrincipal(completeCRL).getEncoded());
    } catch (IOException e) {
        // The exception must be thrown, not merely constructed; otherwise the selector
        // would go on without any issuer constraint and match delta CRLs from any issuer.
        throw new AnnotatedException("Cannot extract issuer from CRL.", e);
    }
    BigInteger completeCRLNumber = null;
    try {
        DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER);
        if (derObject != null) {
            completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e);
    }
    // 5.2.4 (b)
    byte[] idp = null;
    try {
        idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
    }
    // 5.2.4 (d)
    deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.valueOf(1)));
    deltaSelect.setIssuingDistributionPoint(idp);
    deltaSelect.setIssuingDistributionPointEnabled(true);
    // 5.2.4 (c)
    deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);
    // find delta CRLs
    Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate);
    Set result = new HashSet();
    for (Iterator it = temp.iterator(); it.hasNext(); ) {
        X509CRL crl = (X509CRL) it.next();
        if (isDeltaCRL(crl)) {
            result.add(crl);
        }
    }
    return result;
}
Also used : X509CRLStoreSelector(org.bouncycastle.x509.X509CRLStoreSelector) DERObject(org.bouncycastle.asn1.DERObject) Set(java.util.Set) HashSet(java.util.HashSet) X509CRL(java.security.cert.X509CRL) Iterator(java.util.Iterator) BigInteger(java.math.BigInteger) IOException(java.io.IOException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ParseException(java.text.ParseException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertStoreException(java.security.cert.CertStoreException) CertificateParsingException(java.security.cert.CertificateParsingException) StoreException(org.bouncycastle.util.StoreException)
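Examples 59 and 60 together implement the RFC 3280 section 5.2.4 rule for pairing a delta CRL with the complete CRL it extends: same issuer, same issuing distribution point, BaseCRLNumber no greater than the complete CRL's CRLNumber, and a CRLNumber strictly greater than it. Both rely on Bouncy Castle to decode the extensions. The added example below (not Bouncy Castle code) does the same selection with only the JDK: it reads CRLNumber (2.5.29.20) and DeltaCRLIndicator (2.5.29.27) with a minimal DER reader for the OCTET STRING wrapped INTEGER that X509Extension.getExtensionValue() returns, and compares the IssuingDistributionPoint (2.5.29.28) bytes directly, as the selector above does. The constructed byte array in main() is a sample extension value for CRLNumber 5; the file arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Added example: RFC 3280 / 5280 section 5.2.4 delta CRL selection without Bouncy Castle. */
public class DeltaCrlSelect {

    static final String CRL_NUMBER = "2.5.29.20";
    static final String DELTA_CRL_INDICATOR = "2.5.29.27";
    static final String ISSUING_DISTRIBUTION_POINT = "2.5.29.28";

    /** Minimal DER TLV reader: checks the tag, handles short and long-form lengths, returns the value bytes. */
    static byte[] readTlv(byte[] buf, int[] pos, int expectedTag) {
        int i = pos[0];
        if ((buf[i++] & 0xff) != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag");
        }
        int len = buf[i++] & 0xff;
        if (len > 0x7f) {
            int n = len & 0x7f;
            if (n == 0 || n > 4) {
                throw new IllegalArgumentException("unsupported DER length");
            }
            len = 0;
            for (int k = 0; k < n; k++) {
                len = (len << 8) | (buf[i++] & 0xff);
            }
        }
        if (len < 0 || i + len > buf.length) {
            throw new IllegalArgumentException("DER length exceeds buffer");
        }
        byte[] out = Arrays.copyOfRange(buf, i, i + len);
        pos[0] = i + len;
        return out;
    }

    /** Decodes an extension value of the form OCTET STRING { INTEGER } (CRLNumber, BaseCRLNumber). */
    static BigInteger decodeWrappedInteger(byte[] ext) {
        byte[] inner = readTlv(ext, new int[] {0}, 0x04);
        byte[] value = readTlv(inner, new int[] {0}, 0x02);
        return new BigInteger(value); // two's complement big-endian, as DER INTEGER is encoded
    }

    static BigInteger integerExtension(X509CRL crl, String oid) {
        byte[] ext = crl.getExtensionValue(oid);
        return ext == null ? null : decodeWrappedInteger(ext);
    }

    /** Returns the candidates that are delta CRLs applicable to the given complete CRL. */
    static List<X509CRL> deltasFor(X509CRL complete, Collection<X509CRL> candidates) {
        BigInteger completeNumber = integerExtension(complete, CRL_NUMBER);
        byte[] completeIdp = complete.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
        List<X509CRL> out = new ArrayList<>();
        for (X509CRL c : candidates) {
            BigInteger base = integerExtension(c, DELTA_CRL_INDICATOR);
            if (base == null) {
                continue; // not a delta CRL
            }
            // 5.2.4 (a): same issuer
            if (!c.getIssuerX500Principal().equals(complete.getIssuerX500Principal())) {
                continue;
            }
            // 5.2.4 (b): same issuing distribution point (both absent also counts as equal)
            if (!Arrays.equals(c.getExtensionValue(ISSUING_DISTRIBUTION_POINT), completeIdp)) {
                continue;
            }
            if (completeNumber != null) {
                // 5.2.4 (c): BaseCRLNumber <= complete CRL's CRLNumber
                if (base.compareTo(completeNumber) > 0) {
                    continue;
                }
                // 5.2.4 (d): delta's CRLNumber > complete CRL's CRLNumber
                BigInteger number = integerExtension(c, CRL_NUMBER);
                if (number == null || number.compareTo(completeNumber) <= 0) {
                    continue;
                }
            }
            out.add(c);
        }
        return out;
    }

    // Assumed invocation: java DeltaCrlSelect complete.crl delta1.crl [delta2.crl ...]
    public static void main(String[] args) throws Exception {
        // Constructed sample: extension value for CRLNumber = 5, i.e. OCTET STRING { INTEGER 5 }
        byte[] sample = {0x04, 0x03, 0x02, 0x01, 0x05};
        System.out.println("decoded CRL number: " + decodeWrappedInteger(sample));
        if (args.length < 2) {
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL complete;
        try (InputStream in = new FileInputStream(args[0])) {
            complete = (X509CRL) cf.generateCRL(in);
        }
        List<X509CRL> candidates = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                candidates.add((X509CRL) cf.generateCRL(in));
            }
        }
        for (X509CRL d : deltasFor(complete, candidates)) {
            System.out.println("applicable delta CRL #" + integerExtension(d, CRL_NUMBER)
                    + " (base " + integerExtension(d, DELTA_CRL_INDICATOR) + ")");
        }
    }
}
```

Selecting a delta CRL is only the first half of the job: each selected delta still needs its signature verified against the same key as the complete CRL and its validity window checked before its entries (including removeFromCRL entries) are merged, which is what processCRLC and processCRLI in Example 58 do.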
