use of org.bouncycastle.asn1.ocsp.CertStatus in project oxAuth by GluuFederation.
the class OCSPCertificateVerifier method validate.
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
X509Certificate issuer = issuers.get(0);
ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
try {
Principal subjectX500Principal = certificate.getSubjectX500Principal();
String ocspUrl = getOCSPUrl(certificate);
if (ocspUrl == null) {
log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
return status;
}
log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(certificate), certificate.getSerialNumber());
// Generate OCSP request
OCSPReq ocspReq = generateOCSPRequest(certificateId);
// Get OCSP response from server
OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
log.error("OCSP response is invalid!");
status.setValidity(CertificateValidity.INVALID);
return status;
}
boolean foundResponse = false;
BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
SingleResp[] singleResps = basicOCSPResp.getResponses();
for (SingleResp singleResp : singleResps) {
CertificateID responseCertificateId = singleResp.getCertID();
if (!certificateId.equals(responseCertificateId)) {
continue;
}
foundResponse = true;
log.debug("OCSP validationDate: " + validationDate);
log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
Object certStatus = singleResp.getCertStatus();
if (certStatus == CertificateStatus.GOOD) {
log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
status.setValidity(CertificateValidity.VALID);
} else {
if (singleResp.getCertStatus() instanceof RevokedStatus) {
log.warn("OCSP status is revoked for: " + subjectX500Principal);
if (validationDate.before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) {
log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
status.setValidity(CertificateValidity.VALID);
} else {
Date revocationDate = ((RevokedStatus) singleResp.getCertStatus()).getRevocationTime();
log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
status.setRevocationDate(revocationDate);
status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
status.setValidity(CertificateValidity.REVOKED);
}
}
}
}
if (!foundResponse) {
log.error("There is no matching OCSP response entries");
}
} catch (Exception ex) {
log.error("OCSP exception: ", ex);
}
return status;
}
use of org.bouncycastle.asn1.ocsp.CertStatus in project ddf by codice.
the class OcspChecker method logResponse.
private void logResponse(OCSPResp response) {
BasicOCSPResp basicOCSPResp;
BasicOCSPResponse basicOCSPResponse;
try {
basicOCSPResp = (BasicOCSPResp) response.getResponseObject();
basicOCSPResponse = BasicOCSPResponse.getInstance(((BasicOCSPResp) response.getResponseObject()).getEncoded());
StringBuilder logBuilder = new StringBuilder();
logBuilder.append("OCSP Response: \n");
logBuilder.append(" responseStatus: " + getValueOrDefault(response.getStatus(), "") + "\n");
logBuilder.append(" responseBytes:\n");
logBuilder.append(" responseType: " + getValueOrDefault(basicOCSPResponse, "").getClass().getSimpleName() + "\n");
logBuilder.append(" response:\n");
logBuilder.append(" tbsResponseData:\n");
if (basicOCSPResponse.getTbsResponseData() != null) {
logBuilder.append(" version: " + getValueOrDefault(basicOCSPResponse.getTbsResponseData().getVersion(), "").toString() + "\n");
logBuilder.append(" responderId:\n");
if (basicOCSPResponse.getTbsResponseData().getResponderID() != null) {
logBuilder.append(" byName: " + getValueOrDefault(basicOCSPResponse.getTbsResponseData().getResponderID().getName(), "").toString() + "\n");
logBuilder.append(" byKey: " + getValueOrDefault(Arrays.toString(basicOCSPResponse.getTbsResponseData().getResponderID().getKeyHash()), "") + "\n");
} else {
logBuilder.append(" byName:\n");
}
if (basicOCSPResponse.getTbsResponseData().getProducedAt() != null) {
logBuilder.append(" producedAt: " + getValueOrDefault(basicOCSPResponse.getTbsResponseData().getProducedAt().getTimeString(), "") + "\n");
} else {
logBuilder.append(" producedAt:\n");
}
}
logBuilder.append(" responses:\n");
if (basicOCSPResp.getResponses() != null) {
SingleResp[] singleResps = basicOCSPResp.getResponses();
for (int i = 0; i < singleResps.length; i++) {
CertificateID certificateID = singleResps[i].getCertID();
if (certificateID != null) {
logBuilder.append(" certID #: " + i + "\n");
logBuilder.append(" hashAlgorithm: " + getValueOrDefault(certificateID.getHashAlgOID(), "").toString() + "\n");
logBuilder.append(" issuerNameHash: " + getValueOrDefault(Arrays.toString(certificateID.getIssuerNameHash()), "") + "\n");
logBuilder.append(" issuerKeyHash: " + getValueOrDefault(Arrays.toString(certificateID.getIssuerKeyHash()), "") + "\n");
logBuilder.append(" cert serial number: " + getValueOrDefault(certificateID.getSerialNumber(), "") + "\n");
logBuilder.append(" certStatus: " + getValueOrDefault(singleResps[i].getCertStatus(), "good").getClass().getSimpleName() + "\n");
logBuilder.append(" thisUpdate: " + getValueOrDefault(singleResps[i].getThisUpdate(), "").toString() + "\n");
logBuilder.append(" nextUpdate: " + getValueOrDefault(singleResps[i].getNextUpdate(), "").toString() + "\n");
}
}
}
if (basicOCSPResp.getSignatureAlgorithmID() != null) {
logBuilder.append(" signatureAlgorithm: " + getValueOrDefault(basicOCSPResp.getSignatureAlgorithmID().getAlgorithm(), "").toString() + "\n");
}
logBuilder.append(" signature: " + getValueOrDefault(Arrays.toString(basicOCSPResp.getSignature()), "") + "\n");
logBuilder.append(" certs:\n");
if (basicOCSPResp.getCerts() != null) {
X509CertificateHolder[] x509CertificateHolders = basicOCSPResp.getCerts();
for (int i = 0; i < x509CertificateHolders.length; i++) {
logBuilder.append(" certificate: " + i + "\n");
logBuilder.append(" issuer: " + getValueOrDefault(x509CertificateHolders[i].getIssuer(), "").toString() + "\n");
logBuilder.append(" subject: " + getValueOrDefault(x509CertificateHolders[i].getSubject(), "").toString() + "\n");
if (basicOCSPResp.getSignatureAlgorithmID() != null) {
logBuilder.append(" signatureAlgorithm: " + getValueOrDefault(x509CertificateHolders[i].getSignatureAlgorithm().getAlgorithm(), "").toString() + "\n");
}
logBuilder.append(" start date: " + getValueOrDefault(x509CertificateHolders[i].toASN1Structure().getStartDate(), "").toString() + "\n");
logBuilder.append(" end date: " + getValueOrDefault(x509CertificateHolders[i].toASN1Structure().getEndDate(), "").toString() + "\n");
logBuilder.append(" cert serial number: " + getValueOrDefault(x509CertificateHolders[i].getSerialNumber(), "") + "\n");
}
}
LOGGER.trace(logBuilder.toString());
} catch (IOException | OCSPException e) {
LOGGER.trace("Could not log response, issue converting response to a BasicOcspResponse.", e);
}
}
use of org.bouncycastle.asn1.ocsp.CertStatus in project XobotOS by xamarin.
the class CertPathValidatorUtilities method getCertStatus.
protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws AnnotatedException {
// use BC X509CRLObject so that indirect CRLs are supported
X509CRLObject bcCRL = null;
try {
bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
} catch (Exception exception) {
throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
}
// use BC X509CRLEntryObject, so that getCertificateIssuer() is
// supported.
X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
if (crl_entry != null && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))) {
DEREnumerated reasonCode = null;
if (crl_entry.hasExtensions()) {
try {
reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
} catch (Exception e) {
new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
}
}
// unspecified
if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) || reasonCode == null || reasonCode.getValue().intValue() == 0 || reasonCode.getValue().intValue() == 1 || reasonCode.getValue().intValue() == 2 || reasonCode.getValue().intValue() == 8) {
// (i) or (j) (1)
if (reasonCode != null) {
certStatus.setCertStatus(reasonCode.getValue().intValue());
} else // (i) or (j) (2)
{
certStatus.setCertStatus(CRLReason.unspecified);
}
certStatus.setRevocationDate(crl_entry.getRevocationDate());
}
}
}
use of org.bouncycastle.asn1.ocsp.CertStatus in project XobotOS by xamarin.
the class RFC3280CertPathUtilities method checkCRLs.
/**
* Checks a certificate if it is revoked.
*
* @param paramsPKIX PKIX parameters.
* @param cert Certificate to check if it is revoked.
* @param validDate The date when the certificate revocation status should be
* checked.
* @param sign The issuer certificate of the certificate <code>cert</code>.
* @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked
* or some error occurs.
*/
protected static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts) throws AnnotatedException {
AnnotatedException lastException = null;
CRLDistPoint crldp = null;
try {
crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
} catch (Exception e) {
throw new AnnotatedException("CRL distribution point extension could not be read.", e);
}
try {
CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
} catch (AnnotatedException e) {
throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
boolean validCrlFound = false;
// for each distribution point
if (crldp != null) {
DistributionPoint[] dps = null;
try {
dps = crldp.getDistributionPoints();
} catch (Exception e) {
throw new AnnotatedException("Distribution points could not be read.", e);
}
if (dps != null) {
for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
try {
checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
}
}
if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
try {
/*
* assume a DP with both the reasons and the cRLIssuer fields
* omitted and a distribution point name of the certificate
* issuer.
*/
DERObject issuer = null;
try {
issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
} catch (Exception e) {
throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
}
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
if (lastException instanceof AnnotatedException) {
throw lastException;
}
throw new AnnotatedException("No valid CRL found.", lastException);
}
if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
String message = "Certificate revocation after " + certStatus.getRevocationDate();
message += ", reason: " + crlReasons[certStatus.getCertStatus()];
throw new AnnotatedException(message);
}
if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
certStatus.setCertStatus(CertStatus.UNDETERMINED);
}
if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
throw new AnnotatedException("Certificate status could not be determined.");
}
}
use of org.bouncycastle.asn1.ocsp.CertStatus in project robovm by robovm.
the class RFC3280CertPathUtilities method checkCRLs.
/**
* Checks a certificate if it is revoked.
*
* @param paramsPKIX PKIX parameters.
* @param cert Certificate to check if it is revoked.
* @param validDate The date when the certificate revocation status should be
* checked.
* @param sign The issuer certificate of the certificate <code>cert</code>.
* @param workingPublicKey The public key of the issuer certificate <code>sign</code>.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked
* or some error occurs.
*/
protected static void checkCRLs(ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts) throws AnnotatedException {
AnnotatedException lastException = null;
CRLDistPoint crldp = null;
try {
crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
} catch (Exception e) {
throw new AnnotatedException("CRL distribution point extension could not be read.", e);
}
try {
CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
} catch (AnnotatedException e) {
throw new AnnotatedException("No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
boolean validCrlFound = false;
// for each distribution point
if (crldp != null) {
DistributionPoint[] dps = null;
try {
dps = crldp.getDistributionPoints();
} catch (Exception e) {
throw new AnnotatedException("Distribution points could not be read.", e);
}
if (dps != null) {
for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) {
ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
try {
checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
}
}
if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
try {
/*
* assume a DP with both the reasons and the cRLIssuer fields
* omitted and a distribution point name of the certificate
* issuer.
*/
ASN1Primitive issuer = null;
try {
issuer = new ASN1InputStream(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
} catch (Exception e) {
throw new AnnotatedException("Issuer from certificate for CRL could not be reencoded.", e);
}
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
if (lastException instanceof AnnotatedException) {
throw lastException;
}
throw new AnnotatedException("No valid CRL found.", lastException);
}
if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
String message = "Certificate revocation after " + certStatus.getRevocationDate();
message += ", reason: " + crlReasons[certStatus.getCertStatus()];
throw new AnnotatedException(message);
}
if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
certStatus.setCertStatus(CertStatus.UNDETERMINED);
}
if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
throw new AnnotatedException("Certificate status could not be determined.");
}
}
Aggregations