Search in sources :

Example 1 with CertUtils

use of org.apereo.cas.util.crypto.CertUtils in project cas by apereo.

the class AbstractCRLRevocationChecker method check.

@Override
public void check(final X509Certificate cert) throws GeneralSecurityException {
    if (cert == null) {
        throw new IllegalArgumentException("Certificate cannot be null.");
    }
    LOGGER.debug("Evaluating certificate revocation status for [{}]", CertUtils.toString(cert));
    final Collection<X509CRL> crls = getCRLs(cert);
    if (crls == null || crls.isEmpty()) {
        LOGGER.warn("CRL data is not available for [{}]", CertUtils.toString(cert));
        this.unavailableCRLPolicy.apply(null);
        return;
    }
    final List<X509CRL> expiredCrls = new ArrayList<>();
    final List<X509CRLEntry> revokedCrls;
    crls.stream().filter(CertUtils::isExpired).forEach(crl -> {
        LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate());
        expiredCrls.add(crl);
    });
    if (crls.size() == expiredCrls.size()) {
        LOGGER.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
        for (final X509CRL crl : expiredCrls) {
            this.expiredCRLPolicy.apply(crl);
        }
    } else {
        crls.removeAll(expiredCrls);
        LOGGER.debug("Valid CRLs [{}] found that are not expired yet", crls);
        revokedCrls = crls.stream().map(crl -> crl.getRevokedCertificate(cert)).filter(Objects::nonNull).collect(Collectors.toList());
        if (revokedCrls.size() == crls.size()) {
            final X509CRLEntry entry = revokedCrls.get(0);
            LOGGER.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", entry);
            throw new RevokedCertificateException(entry);
        }
    }
}
Also used : X509Certificate(java.security.cert.X509Certificate) RevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy) X509CRLEntry(java.security.cert.X509CRLEntry) Getter(lombok.Getter) Collection(java.util.Collection) X509CRL(java.security.cert.X509CRL) Collectors(java.util.stream.Collectors) RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) CertUtils(org.apereo.cas.util.crypto.CertUtils) ArrayList(java.util.ArrayList) Objects(java.util.Objects) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) DenyRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy) GeneralSecurityException(java.security.GeneralSecurityException) ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy) X509CRLEntry(java.security.cert.X509CRLEntry) X509CRL(java.security.cert.X509CRL) RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) ArrayList(java.util.ArrayList) Objects(java.util.Objects)

Aggregations

GeneralSecurityException (java.security.GeneralSecurityException)1 X509CRL (java.security.cert.X509CRL)1 X509CRLEntry (java.security.cert.X509CRLEntry)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 Collection (java.util.Collection)1 List (java.util.List)1 Objects (java.util.Objects)1 Collectors (java.util.stream.Collectors)1 Getter (lombok.Getter)1 Slf4j (lombok.extern.slf4j.Slf4j)1 RevokedCertificateException (org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)1 DenyRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy)1 RevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy)1 ThresholdExpiredCRLRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)1 CertUtils (org.apereo.cas.util.crypto.CertUtils)1