
Example 91 with X509CRL

use of java.security.cert.X509CRL in project OpenAM by OpenRock.

the class AMCRLStore method getCRL.

/**
 * Gets the new CRL from the LDAP server.
 * If it is an LDAP URI, the URI has to be a DN that can be accessed
 * with an LDAP anonymous bind.
 * (example: ldap://server:port/uid=ca,o=company.com)
 * This DN entry has to have the CRL in the attribute certificaterevocationlist
 * or certificaterevocationlist;binary.
 * <p/>
 * If attrNames contains only one value, the LDAP search filter will be
 * (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)
 * e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007',
 * attrNames is 'CN', search filter used will be (CN=Citizen CA)
 * <p/>
 * If attrNames contains several values, the LDAP search filter value will be
 * a comma-separated list of name attribute values; the search attribute will be 'cn'
 * (cn="attrNames[0]=Value_of_the_corresponding_Attribute_from_SubjectDN,
 * attrNames[1]=Value_of_the_corresponding_Attribute_from_SubjectDN")
 * <p/>
 * e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007',
 * attrNames is {"CN","serialNumber"}, search filter used will be
 * (cn=CN=Citizen CA,serialNumber=201007)
 * <p/>
 * The order of the values of attrNames matters, as they must match the value of the
 * 'cn' attribute of a crlDistributionPoint entry in the directory server.
 *
 * @param ldapParam LDAP certificate store parameters (server, base DN, search filter)
 * @param cert      certificate whose issuer's CRL is looked up
 * @param attrNames attribute names from the subjectDN of the issuer cert
 */
public static X509CRL getCRL(AMLDAPCertStoreParameters ldapParam, X509Certificate cert, String... attrNames) {
    X509CRL crl = null;
    try {
        if (!ArrayUtils.isEmpty(attrNames)) {
            X500Principal issuerPrincipal = cert.getIssuerX500Principal();
            String searchFilter;
            if (attrNames.length < 2) {
                // Single attribute: look up its value in the issuer DN of the input certificate
                String attrValue = CertUtils.getAttributeValue(issuerPrincipal, attrNames[0]);
                if (null == attrValue) {
                    return crl;
                }
                searchFilter = setSearchFilter(attrNames[0], attrValue);
            } else {
                // Several attributes: build a comma-separated value and search on 'cn'
                String searchFilterValue = buildSearchFilterValue(attrNames, issuerPrincipal);
                if (searchFilterValue.isEmpty()) {
                    return crl;
                }
                searchFilter = setSearchFilter("cn", searchFilterValue);
            }
            if (debug.messageEnabled()) {
                debug.message("AMCRLStore:getCRL using searchFilter " + searchFilter);
            }
            // Look up the CRL in the LDAP certificate directory
            ldapParam.setSearchFilter(searchFilter);
            AMCRLStore store = new AMCRLStore(ldapParam);
            crl = store.getCRL(cert);
        }
    } catch (Exception e) {
        debug.error("AMCRLStore:getCRL ", e);
    }
    return crl;
}
Also used: X509CRL (java.security.cert.X509CRL), X500Principal (javax.security.auth.x500.X500Principal), LdapException (org.forgerock.opendj.ldap.LdapException), GeneralSecurityException (java.security.GeneralSecurityException), IOException (java.io.IOException), LocalizedIllegalArgumentException (org.forgerock.i18n.LocalizedIllegalArgumentException)

Example 92 with X509CRL

use of java.security.cert.X509CRL in project OpenAM by OpenRock.

the class CRLValidator method validateCertificate.

/**
 * Validates a certificate against the configured CRL.
 * @param cert          cert to be validated
 * @param checkCAStatus if true, the issuing CA certificate is validated
 *                      recursively as well, up to the root CA
 * @return true if the certificate is not in the CRL
 */
public static boolean validateCertificate(X509Certificate cert, boolean checkCAStatus) {
    String method = "validateCertificate : ";
    boolean certgood = true;
    try {
        Vector crls = new Vector();
        X509CRL crl = AMCRLStore.getCRL(ldapParams, cert, crlSearchAttr);
        if (crl != null) {
            crls.add(crl);
        }
        if (debug.messageEnabled()) {
            debug.message(method + " crls size = " + crls.size());
            if (crls.size() > 0) {
                debug.message(method + "CRL = " + crls.toString());
            } else {
                debug.message(method + "NO CRL found.");
            }
        }
        // Build a cert path from the single certificate and verify it against the CRLs found
        AMCertPath certpath = new AMCertPath(crls);
        X509Certificate[] certs = { cert };
        if (!certpath.verify(certs, true, false)) {
            debug.error(method + "CertPath:verify failed.");
            return false;
        }
    } catch (Exception e) {
        debug.error(method + "verify failed.", e);
        return false;
    }
    // Optionally walk up to the issuer and validate it the same way
    if (checkCAStatus && !AMCertStore.isRootCA(cert)) {
        X509Certificate caCert = AMCertStore.getIssuerCertificate(ldapParams, cert, crlSearchAttr);
        certgood = validateCertificate(caCert, checkCAStatus);
    }
    return certgood;
}
Also used: X509CRL (java.security.cert.X509CRL), Vector (java.util.Vector), X509Certificate (java.security.cert.X509Certificate), IOException (java.io.IOException)

Example 93 with X509CRL

use of java.security.cert.X509CRL in project OpenAM by OpenRock.

the class Cert method doJSSRevocationValidation.

private int doJSSRevocationValidation(X509Certificate cert) {
    int ret = ISAuthConstants.LOGIN_IGNORE;
    boolean validateCA = amAuthCert_validateCA.equalsIgnoreCase("true");
    X509CRL crl = null;
    if (crlEnabled) {
        // CRL check: succeed only if a CRL was found and the cert is not listed in it
        crl = AMCRLStore.getCRL(ldapParam, cert, amAuthCert_chkAttributesCRL);
        if ((crl != null) && (!crl.isRevoked(cert))) {
            ret = ISAuthConstants.LOGIN_SUCCEED;
        }
    }
    /*
     * OCSP validation: this uses the CryptoManager.isCertValid()
     * method to validate the certificate; OCSP is one of the steps in
     * this process. Here is the algorithm to find the OCSP responder:
     * 1. use the global OCSP responder if set
     * 2. use the OCSP responder in the user's certificate if present
     * 3. no OCSP responder
     * isCertValid() WON'T perform OCSP validation if no OCSP responder
     * is found in the above process.
     */
    if (ocspEnabled) {
        try {
            CryptoManager cm = CryptoManager.getInstance();
            if (cm.isCertValid(cert.getEncoded(), true, CryptoManager.CertUsage.SSLClient)) {
                debug.message("cert is valid");
                ret = ISAuthConstants.LOGIN_SUCCEED;
            } else {
                ret = ISAuthConstants.LOGIN_IGNORE;
            }
        } catch (Exception e) {
            debug.message("certValidation failed with exception", e);
        }
    }
    if ((ret == ISAuthConstants.LOGIN_SUCCEED) && (crlEnabled || ocspEnabled) && validateCA && !AMCertStore.isRootCA(cert)) {
        /*
         * The trust anchor is not necessarily a certificate, but a public key (trusted) entry in the trust-store. Don't
         * march up the chain unless the AMCertStore can actually return a non-null issuer certificate. If the issuer
         * certificate is null, then the result of the previous doRevocationValidation invocation is the final answer.
         */
        X509Certificate issuerCertificate = AMCertStore.getIssuerCertificate(ldapParam, cert, amAuthCert_chkAttrCertInLDAP);
        if (issuerCertificate != null) {
            ret = doJSSRevocationValidation(issuerCertificate);
        }
    }
    return ret;
}
Also used: X509CRL (java.security.cert.X509CRL), CryptoManager (org.mozilla.jss.CryptoManager), UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException), AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException), X509Certificate (java.security.cert.X509Certificate)

Example 94 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class X509CRLSelector2Test method testMatchLjava_security_cert_X509CRL.

/**
 * match(CRL crl) method testing. Tests whether the null object matches the
 * selector or not.
 */
public void testMatchLjava_security_cert_X509CRL() {
    X509CRLSelector selector = new X509CRLSelector();
    assertFalse("The null object should not match", selector.match((X509CRL) null));
}
Also used: X509CRL (java.security.cert.X509CRL), X509CRLSelector (java.security.cert.X509CRLSelector)

Example 95 with X509CRL

use of java.security.cert.X509CRL in project robovm by robovm.

the class CMSUtils method getCRLsFromStore.

static List getCRLsFromStore(CertStore certStore) throws CertStoreException, CMSException {
    List crls = new ArrayList();
    try {
        // Re-parse each JCA X509CRL into its Bouncy Castle ASN.1 CertificateList structure
        for (Iterator it = certStore.getCRLs(null).iterator(); it.hasNext(); ) {
            X509CRL c = (X509CRL) it.next();
            crls.add(CertificateList.getInstance(ASN1Primitive.fromByteArray(c.getEncoded())));
        }
        return crls;
    } catch (IllegalArgumentException e) {
        throw new CMSException("error processing crls", e);
    } catch (IOException e) {
        throw new CMSException("error processing crls", e);
    } catch (CRLException e) {
        throw new CMSException("error encoding crls", e);
    }
}
Also used: X509CRL (java.security.cert.X509CRL), ArrayList (java.util.ArrayList), Iterator (java.util.Iterator), CertificateList (org.bouncycastle.asn1.x509.CertificateList), List (java.util.List), IOException (java.io.IOException), CRLException (java.security.cert.CRLException)
