sun.security.provider.certpath.CertId Java Examples

The following examples show how to use sun.security.provider.certpath.CertId.
Example #1
Source File: StatusResponseManager.java    From Bytecoder with Apache License 2.0
/**
 * Add a response to the cache.
 *
 * <p>An entry that carries no {@code nextUpdate} is only stored when a
 * non-zero {@code cacheLifetime} has been configured; with neither bound
 * available the response is dropped rather than cached (presumably so the
 * cache never holds a response with no expiry signal at all — confirm
 * against the {@code responseCache} implementation).
 *
 * @param certId The {@code CertId} for the OCSP response
 * @param entry A cache entry containing the response bytes and
 *      the {@code OCSPResponse} built from those bytes.
 */
private void addToCache(CertId certId, ResponseCacheEntry entry) {
    boolean uncacheable = entry.nextUpdate == null && cacheLifetime == 0;
    if (!uncacheable) {
        responseCache.put(certId, entry);
    }
    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
        SSLLogger.fine(uncacheable
                ? "Not caching this OCSP response"
                : "Added response for SN " + certId.getSerialNumber() + " to cache");
    }
}
 
Example #2
Source File: CheckCertId.java    From hottub with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #3
Source File: CheckCertId.java    From jdk8u-jdk with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #4
Source File: CheckCertId.java    From openjdk-jdk9 with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #5
Source File: CheckCertId.java    From openjdk-8-source with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #6
Source File: SimpleOCSPServer.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Parse one OCSP {@code Request} structure from the incoming DER stream:
 * a mandatory {@code CertId} followed by an optional, [0]-tagged block of
 * request extensions.  Anything other than one or two items, or a second
 * item with the wrong tag, is rejected with an {@code IOException}; the
 * input is client-supplied, so this rejection is the only validation the
 * request gets at this level.
 *
 * @param dis the DER stream positioned at the Request SEQUENCE
 * @throws IOException on a malformed Request
 */
private LocalSingleRequest(DerInputStream dis)
        throws IOException {
    DerValue[] srItems = dis.getSequence(2);

    // Exactly one or two items are acceptable; bail out before touching
    // srItems[0] otherwise.
    if (srItems.length < 1 || srItems.length > 2) {
        throw new IOException("Invalid number of items in " +
                "Request (" + srItems.length + ")");
    }

    // First item is always the CertId.
    cid = new CertId(srItems[0].data);
    if (srItems.length == 1) {
        return;
    }

    // Second item, when present, must be the [0] EXPLICIT extensions block.
    DerValue extItem = srItems[1];
    if (!extItem.isContextSpecific((byte)0)) {
        throw new IOException("Illegal tag in Request " +
                "extensions: " + extItem.tag);
    }
    extensions = parseExtensions(extItem.data.getSequence(2));
}
 
Example #7
Source File: SimpleOCSPServer.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Check the status database for revocation information on one or more
 * certificates.
 *
 * <p>A {@code CertId} that is not present in {@code statusDb} is reported
 * as {@code CERT_STATUS_UNKNOWN}; an unlisted certificate is never
 * implicitly reported as good.  Duplicate {@code CertId}s in the request
 * collapse to a single map entry.
 *
 * @param reqList the list of {@code LocalSingleRequest} objects taken
 * from the incoming OCSP request.
 *
 * @return an unmodifiable {@code Map} of {@code CertStatusInfo} objects
 * keyed by their {@code CertId} values, one for each single request passed
 * in.  CertIds not found in the statusDb map to a status of UNKNOWN.
 */
private Map<CertId, CertStatusInfo> checkStatusDb(
        List<LocalOcspRequest.LocalSingleRequest> reqList) {
    // TODO figure out what, if anything to do with request extensions
    Map<CertId, CertStatusInfo> statuses = new HashMap<>();

    for (LocalOcspRequest.LocalSingleRequest singleReq : reqList) {
        CertId cid = singleReq.getCertId();
        CertStatusInfo known = statusDb.get(cid);

        if (known == null) {
            log("Status for SN " + cid.getSerialNumber() +
                    " not found, using CERT_STATUS_UNKNOWN");
            statuses.put(cid,
                    new CertStatusInfo(CertStatus.CERT_STATUS_UNKNOWN));
            continue;
        }

        log("Status for SN " + cid.getSerialNumber() + ": " +
                known.getType());
        statuses.put(cid, known);
    }

    return Collections.unmodifiableMap(statuses);
}
 
Example #8
Source File: SimpleOCSPServer.java    From openjdk-jdk9 with GNU General Public License v2.0
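/**
 * Add entries into the responder's status database.
 *
 * <p>Each serial is combined with this responder's {@code issuerCert} to
 * form the {@code CertId} key, so callers must only pass serials issued by
 * that certificate.  A {@code null} value is skipped; a {@code null} map is
 * a no-op.
 *
 * @param newEntries a map of {@code CertStatusInfo} objects, keyed on
 * their serial number (as a {@code BigInteger}).  All serial numbers
 * are assumed to have come from this responder's issuer certificate.
 *
 * @throws IOException if a CertId cannot be generated.
 */
public void updateStatusDb(Map<BigInteger, CertStatusInfo> newEntries)
        throws IOException {
    if (newEntries == null) {
        return;
    }
    // Walk entrySet() rather than keySet()+get(): one lookup per entry and
    // the key/value pair is read atomically from the same node.
    for (Map.Entry<BigInteger, CertStatusInfo> entry : newEntries.entrySet()) {
        BigInteger serial = entry.getKey();
        CertStatusInfo info = entry.getValue();
        if (info == null) {
            continue;
        }
        CertId cid = new CertId(issuerCert, new SerialNumber(serial));
        statusDb.put(cid, info);
        log("Added entry for serial " + serial + "(" +
                info.getType() + ")");
    }
}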
 
Example #9
Source File: StatusResponseManager.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Create a new cache entry from the raw bytes of the response.
 *
 * <p>The bytes are defensively copied before parsing, and the
 * {@code SingleResponse} matching {@code cid} is located up front.  A
 * SUCCESSFUL response that carries no SingleResponse for {@code cid} is
 * rejected rather than cached; non-SUCCESSFUL responses are kept with a
 * {@code null} nextUpdate.
 *
 * @param responseBytes the DER encoding for the OCSP response
 * @param cid the {@code CertId} this entry is expected to answer for
 *
 * @throws IOException if an {@code OCSPResponse} cannot be created from
 *      the encoded bytes, or if a SUCCESSFUL response has no
 *      SingleResponse for {@code cid}.
 * @throws NullPointerException if either argument is {@code null}
 */
ResponseCacheEntry(byte[] responseBytes, CertId cid)
        throws IOException {
    Objects.requireNonNull(responseBytes,
            "Non-null responseBytes required");
    Objects.requireNonNull(cid, "Non-null Cert ID required");

    ocspBytes = responseBytes.clone();
    OCSPResponse parsed = new OCSPResponse(ocspBytes);
    status = parsed.getResponseStatus();
    respId = parsed.getResponderId();
    singleResp = parsed.getSingleResponse(cid);

    if (status != OCSPResponse.ResponseStatus.SUCCESSFUL) {
        nextUpdate = null;
    } else if (singleResp == null) {
        throw new IOException("Unable to find SingleResponse for " +
                "SN " + cid.getSerialNumber());
    } else {
        // Cached once here; the upstream comment notes getNextUpdate()
        // hands back a clone of the Date on every call.
        nextUpdate = singleResp.getNextUpdate();
    }
}
 
Example #10
Source File: CheckCertId.java    From openjdk-8 with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #11
Source File: StatusResponseManager.java    From Bytecoder with Apache License 2.0
/**
 * Create a new cache entry from the raw bytes of the response.
 *
 * <p>The bytes are defensively copied before parsing, and the
 * {@code SingleResponse} matching {@code cid} is located up front.  A
 * SUCCESSFUL response that carries no SingleResponse for {@code cid} is
 * rejected rather than cached; non-SUCCESSFUL responses are kept with a
 * {@code null} nextUpdate.
 *
 * @param responseBytes the DER encoding for the OCSP response
 * @param cid the {@code CertId} this entry is expected to answer for
 *
 * @throws IOException if an {@code OCSPResponse} cannot be
 *         created from the encoded bytes, or if a SUCCESSFUL response
 *         has no SingleResponse for {@code cid}.
 * @throws NullPointerException if either argument is {@code null}
 */
ResponseCacheEntry(byte[] responseBytes, CertId cid)
        throws IOException {
    Objects.requireNonNull(responseBytes,
            "Non-null responseBytes required");
    Objects.requireNonNull(cid, "Non-null Cert ID required");

    ocspBytes = responseBytes.clone();
    OCSPResponse parsed = new OCSPResponse(ocspBytes);
    status = parsed.getResponseStatus();
    respId = parsed.getResponderId();
    singleResp = parsed.getSingleResponse(cid);

    if (status != OCSPResponse.ResponseStatus.SUCCESSFUL) {
        nextUpdate = null;
    } else if (singleResp == null) {
        throw new IOException(
                "Unable to find SingleResponse for SN " +
                cid.getSerialNumber());
    } else {
        // Cached once here; the upstream comment notes getNextUpdate()
        // hands back a clone of the Date on every call.
        nextUpdate = singleResp.getNextUpdate();
    }
}
 
Example #12
Source File: CheckCertId.java    From jdk8u_jdk with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #13
Source File: CheckCertId.java    From jdk8u-jdk with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #14
Source File: CheckCertId.java    From jdk8u-dev-jdk with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #15
Source File: StatusResponseManager.java    From openjsse with GNU General Public License v2.0
/**
 * Create a new cache entry from the raw bytes of the response.
 *
 * <p>The bytes are defensively copied before parsing, and the
 * {@code SingleResponse} matching {@code cid} is located up front.  A
 * SUCCESSFUL response that carries no SingleResponse for {@code cid} is
 * rejected rather than cached; non-SUCCESSFUL responses are kept with a
 * {@code null} nextUpdate.
 *
 * @param responseBytes the DER encoding for the OCSP response
 * @param cid the {@code CertId} this entry is expected to answer for
 *
 * @throws IOException if an {@code OCSPResponse} cannot be
 *         created from the encoded bytes, or if a SUCCESSFUL response
 *         has no SingleResponse for {@code cid}.
 * @throws NullPointerException if either argument is {@code null}
 */
ResponseCacheEntry(byte[] responseBytes, CertId cid)
        throws IOException {
    Objects.requireNonNull(responseBytes,
            "Non-null responseBytes required");
    Objects.requireNonNull(cid, "Non-null Cert ID required");

    ocspBytes = responseBytes.clone();
    OCSPResponse parsed = new OCSPResponse(ocspBytes);
    status = parsed.getResponseStatus();
    respId = parsed.getResponderId();
    singleResp = parsed.getSingleResponse(cid);

    if (status != OCSPResponse.ResponseStatus.SUCCESSFUL) {
        nextUpdate = null;
    } else if (singleResp == null) {
        throw new IOException(
                "Unable to find SingleResponse for SN " +
                cid.getSerialNumber());
    } else {
        // Cached once here; the upstream comment notes getNextUpdate()
        // hands back a clone of the Date on every call.
        nextUpdate = singleResp.getNextUpdate();
    }
}
 
Example #16
Source File: CheckCertId.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #17
Source File: CheckCertId.java    From openjdk-jdk8u with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #18
Source File: CheckCertId.java    From jdk8u60 with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #19
Source File: CheckCertId.java    From TencentKona-8 with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #20
Source File: CheckCertId.java    From dragonwell8_jdk with GNU General Public License v2.0
public static void main(String[] args) throws Exception {
    X509CertImpl cert = loadCert(CERT_FILENAME);

    // CertId(issuerCert, serial) treats its first argument as the issuer,
    // so issuerNameHash must be the digest of this cert's own DER-encoded
    // subject name.  The upstream comment states the digest is computed the
    // same way the CertId constructor does it; SHA-1 here is an identifier
    // hash, not a signature.
    byte[] subjectNameDer = cert.getSubjectX500Principal().getEncoded();
    byte[] expectedHash = MessageDigest.getInstance("SHA1").digest(subjectNameDer);

    byte[] receivedHash = new CertId(cert, null).getIssuerNameHash();

    // Same null/length semantics as Arrays.equals for byte[], but constant-time.
    if (!MessageDigest.isEqual(expectedHash, receivedHash)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
 
Example #21
Source File: StatusResponseManager.java    From openjsse with GNU General Public License v2.0
/**
 * Add a response to the cache.
 *
 * <p>An entry that carries no {@code nextUpdate} is only stored when a
 * non-zero {@code cacheLifetime} has been configured; with neither bound
 * available the response is dropped rather than cached (presumably so the
 * cache never holds a response with no expiry signal at all — confirm
 * against the {@code responseCache} implementation).
 *
 * @param certId The {@code CertId} for the OCSP response
 * @param entry A cache entry containing the response bytes and
 *      the {@code OCSPResponse} built from those bytes.
 */
private void addToCache(CertId certId, ResponseCacheEntry entry) {
    boolean uncacheable = entry.nextUpdate == null && cacheLifetime == 0;
    if (!uncacheable) {
        responseCache.put(certId, entry);
    }
    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
        SSLLogger.fine(uncacheable
                ? "Not caching this OCSP response"
                : "Added response for SN " + certId.getSerialNumber() + " to cache");
    }
}
 
Example #22
Source File: DigSigUtil.java    From juddi with Apache License 2.0
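/**
 * wrapper to overcome JDK differences between oracle vs openjdk
 *
 * <p>Looks up the OCSP responder URI carried in {@code cert} and asks the
 * JDK's internal {@code OCSP} helper for the revocation status of
 * {@code cert} as issued by {@code issuerCert}, evaluated at the current
 * time ({@code null} date).
 *
 * @param cert the certificate whose revocation status is wanted
 * @param issuerCert the certificate that issued {@code cert}
 * @return the revocation status reported by the responder
 * @throws CertPathValidatorException if {@code cert} carries no OCSP
 *         responder URI, or if the OCSP check itself fails
 * @throws IOException on transport failure talking to the responder
 * @throws CertificateException if {@code cert} cannot be converted to
 *         the internal {@code X509CertImpl} form
 */
public static RevocationStatus check(X509Certificate cert,
    X509Certificate issuerCert)
    throws IOException, CertPathValidatorException, CertificateException {
    X509CertImpl certImpl = X509CertImpl.toImpl(cert);
    URI responderURI = getResponderURI(certImpl);
    if (responderURI == null) {
        throw new CertPathValidatorException(
            "No OCSP Responder URI in certificate");
    }
    // NOTE(review): the fourth argument is the responder certificate used
    // to validate the OCSP response signer, and the subject `cert` is
    // passed there — confirm that is intended rather than null/issuerCert.
    return OCSP.check(cert, issuerCert, responderURI, cert, null);
}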
 
Example #23
Source File: SimpleOCSPServer.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Build the SingleResponse for one {@code CertId}, pairing it with the
 * status the responder holds for it.  {@code thisUpdate} mirrors the
 * enclosing response's {@code producedAtDate}; {@code lsrNextUpdate} comes
 * from the outer {@code getNextUpdate()} helper (what it derives from is
 * not visible here).  No single-response extensions are emitted yet.
 *
 * @param cid the certificate identifier this response answers for
 * @param info the status recorded for {@code cid}
 * @throws NullPointerException if either argument is {@code null}
 */
public LocalSingleResponse(CertId cid, CertStatusInfo info) {
    Objects.requireNonNull(cid, "CertId must be non-null");
    Objects.requireNonNull(info, "CertStatusInfo must be non-null");
    certId = cid;
    csInfo = info;

    // Keep it simple: thisUpdate is the same instant as producedAt.
    thisUpdate = producedAtDate;
    lsrNextUpdate = getNextUpdate();

    // TODO Add extensions support
    singleExtensions = Collections.emptyMap();
}
 
Example #24
Source File: SimpleOCSPServer.java    From openjdk-jdk9 with GNU General Public License v2.0
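/**
 * Construct a response from a list of certificate
 * status objects and extensions.
 *
 * <p>Only a SUCCESSFUL response carries single responses, extensions and
 * the certificate chain; every other status produces an empty shell with
 * those fields {@code null}.  The DER encoding is computed once at the end
 * via {@code getBytes()}.
 *
 * @param respStat the status of the entire response
 * @param itemMap a {@code Map} of {@code CertId} objects and their
 * respective revocation statuses from the server's response DB.
 * @param reqExtensions a {@code Map} of request extensions
 *
 * @throws IOException if an error happens during encoding
 * @throws NullPointerException if {@code respStat} is {@code null}
 * or {@code respStat} is successful, and a {@code null} {@code itemMap}
 * has been provided.
 */
public LocalOcspResponse(OCSPResponse.ResponseStatus respStat,
        Map<CertId, CertStatusInfo> itemMap,
        Map<String, Extension> reqExtensions) throws IOException {
    responseStatus = Objects.requireNonNull(respStat,
            "Illegal null response status");
    if (responseStatus == ResponseStatus.SUCCESSFUL) {
        respItemMap = Objects.requireNonNull(itemMap,
                "SUCCESSFUL responses must have a response map");
        producedAtDate = new Date();

        // Turn the answers from the response DB query into a list of
        // single responses.  entrySet() avoids a second lookup per key.
        for (Map.Entry<CertId, CertStatusInfo> item : itemMap.entrySet()) {
            singleResponseList.add(
                    new LocalSingleResponse(item.getKey(), item.getValue()));
        }

        responseExtensions = setResponseExtensions(reqExtensions);
        certificates = new ArrayList<>();
        // Reference comparison: the signer is only listed separately when
        // it is a different object from the issuer.  If equal-but-distinct
        // instances are possible this should be equals() — TODO confirm.
        if (signerCert != issuerCert) {
            certificates.add(signerCert);
        }
        certificates.add(issuerCert);
    } else {
        respItemMap = null;
        producedAtDate = null;
        responseExtensions = null;
        certificates = null;
    }
    encodedResponse = this.getBytes();
}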
 
Example #25
Source File: StatusResponseManager.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Add a response to the cache.
 *
 * <p>An entry that carries no {@code nextUpdate} is only stored when a
 * non-zero {@code cacheLifetime} has been configured; with neither bound
 * available the response is dropped rather than cached (presumably so the
 * cache never holds a response with no expiry signal at all — confirm
 * against the {@code responseCache} implementation).
 *
 * @param certId The {@code CertId} for the OCSP response
 * @param entry A cache entry containing the response bytes and
 *      the {@code OCSPResponse} built from those bytes.
 */
private void addToCache(CertId certId, ResponseCacheEntry entry) {
    boolean uncacheable = entry.nextUpdate == null && cacheLifetime == 0;
    if (uncacheable) {
        debugLog("Not caching this OCSP response");
        return;
    }
    responseCache.put(certId, entry);
    debugLog("Added response for SN " + certId.getSerialNumber() +
            " to cache");
}
 
Example #26
Source File: StatusResponseManager.java    From openjsse with GNU General Public License v2.0
/**
 * Check the cache for a given {@code CertId}.
 *
 * <p>A request carrying an OCSP nonce extension is never answered from
 * the cache: the nonce ties the response to that particular request, so a
 * previously stored response cannot satisfy it.  An entry whose
 * {@code nextUpdate} is already in the past is reported as a miss; note
 * that only the local result is discarded — the stale entry is not removed
 * from {@code responseCache} here.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, is past its nextUpdate, or a
 *      nonce extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    // Nonce present -> bypass the cache entirely.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension ext : ocspRequest.extensions) {
        if (ext.getId().equals(nonceOid)) {
            if (logging) {
                SSLLogger.fine(
                        "Nonce extension found, skipping cache check");
            }
            return null;
        }
    }

    ResponseCacheEntry hit = responseCache.get(cid);

    // A nextUpdate in the past disqualifies the entry before the cache's
    // own lifetime would have evicted it.
    boolean expired = hit != null && hit.nextUpdate != null &&
            hit.nextUpdate.before(new Date());
    if (expired) {
        if (logging) {
            SSLLogger.fine(
                "nextUpdate threshold exceeded, purging from cache");
        }
        hit = null;
    }

    if (logging) {
        SSLLogger.fine(
                "Check cache for SN" + cid.getSerialNumber() + ": " +
                (hit == null ? "MISS" : "HIT"));
    }
    return hit;
}
 
Example #27
Source File: StatusResponseManager.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Check the cache for a given {@code CertId}.
 *
 * <p>A request carrying an OCSP nonce extension is never answered from
 * the cache: the nonce ties the response to that particular request, so a
 * previously stored response cannot satisfy it.  An entry whose
 * {@code nextUpdate} is already in the past is reported as a miss; note
 * that only the local result is discarded — the stale entry is not removed
 * from {@code responseCache} here.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, is past its nextUpdate, or a
 *      nonce extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    // Nonce present -> bypass the cache entirely.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension ext : ocspRequest.getExtensions()) {
        if (ext.getId().equals(nonceOid)) {
            debugLog("Nonce extension found, skipping cache check");
            return null;
        }
    }

    ResponseCacheEntry hit = responseCache.get(cid);

    // A nextUpdate in the past disqualifies the entry before the cache's
    // own lifetime would have evicted it.
    boolean expired = hit != null && hit.nextUpdate != null &&
            hit.nextUpdate.before(new Date());
    if (expired) {
        debugLog("nextUpdate threshold exceeded, purging from cache");
        hit = null;
    }

    debugLog("Check cache for SN" + cid.getSerialNumber() + ": " +
            (hit == null ? "MISS" : "HIT"));
    return hit;
}
 
Example #28
Source File: StatusResponseManager.java    From Bytecoder with Apache License 2.0
/**
 * Check the cache for a given {@code CertId}.
 *
 * <p>A request carrying an OCSP nonce extension is never answered from
 * the cache: the nonce ties the response to that particular request, so a
 * previously stored response cannot satisfy it.  An entry whose
 * {@code nextUpdate} is already in the past is reported as a miss; note
 * that only the local result is discarded — the stale entry is not removed
 * from {@code responseCache} here.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, is past its nextUpdate, or a
 *      nonce extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    boolean logging = SSLLogger.isOn && SSLLogger.isOn("respmgr");

    // Nonce present -> bypass the cache entirely.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension ext : ocspRequest.extensions) {
        if (ext.getId().equals(nonceOid)) {
            if (logging) {
                SSLLogger.fine(
                        "Nonce extension found, skipping cache check");
            }
            return null;
        }
    }

    ResponseCacheEntry hit = responseCache.get(cid);

    // A nextUpdate in the past disqualifies the entry before the cache's
    // own lifetime would have evicted it.
    boolean expired = hit != null && hit.nextUpdate != null &&
            hit.nextUpdate.before(new Date());
    if (expired) {
        if (logging) {
            SSLLogger.fine(
                "nextUpdate threshold exceeded, purging from cache");
        }
        hit = null;
    }

    if (logging) {
        SSLLogger.fine(
                "Check cache for SN" + cid.getSerialNumber() + ": " +
                (hit == null ? "MISS" : "HIT"));
    }
    return hit;
}
 
Example #29
Source File: StatusResponseManager.java    From openjdk-jdk9 with GNU General Public License v2.0
/**
 * Create a StatusInfo object from an existing subject certificate
 * and its corresponding CertId.  Nothing is fetched here: the responder
 * location is derived from the certificate via {@code getURI} and
 * {@code responseData} starts out {@code null}.
 *
 * @param subjectCert the certificate to be checked for revocation
 * @param certId the CertId for {@code subjectCert}
 */
StatusInfo(X509Certificate subjectCert, CertId certId) {
    responder = getURI(subjectCert);
    cert = subjectCert;
    cid = certId;
    responseData = null;
}
 
Example #30
Source File: StatusResponseManager.java    From Bytecoder with Apache License 2.0
/**
 * Create a StatusInfo object from an existing subject certificate
 * and its corresponding CertId.  Nothing is fetched here: the responder
 * location is derived from the certificate via {@code getURI} and
 * {@code responseData} starts out {@code null}.
 *
 * @param subjectCert the certificate to be checked for revocation
 * @param certId the CertId for {@code subjectCert}
 */
StatusInfo(X509Certificate subjectCert, CertId certId) {
    responder = getURI(subjectCert);
    cert = subjectCert;
    cid = certId;
    responseData = null;
}