Java Code Examples for java.security.cert.X509CRL#verify()
The following examples show how to use
java.security.cert.X509CRL#verify() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: RFC3280CertPathUtilities.java From ripple-lib-java with ISC License | 6 votes |
|
protected static PublicKey processCRLG(
X509CRL crl,
Set keys)
throws AnnotatedException
{
Exception lastException = null;
for (Iterator it = keys.iterator(); it.hasNext();)
{
PublicKey key = (PublicKey)it.next();
try
{
crl.verify(key);
return key;
}
catch (Exception e)
{
lastException = e;
}
}
throw new AnnotatedException("Cannot verify CRL.", lastException);
}
Example 2
| Source File: RFC3280CertPathUtilities.java From RipplePower with Apache License 2.0 | 6 votes |
|
protected static PublicKey processCRLG(
X509CRL crl,
Set keys)
throws AnnotatedException
{
Exception lastException = null;
for (Iterator it = keys.iterator(); it.hasNext();)
{
PublicKey key = (PublicKey)it.next();
try
{
crl.verify(key);
return key;
}
catch (Exception e)
{
lastException = e;
}
}
throw new AnnotatedException("Cannot verify CRL.", lastException);
}
Example 3
| Source File: X509Utils.java From nomulus with Apache License 2.0 | 5 votes |
|
/**
* Checks if an X.509 CRL you downloaded can safely replace your current CRL.
*
* <p>This routine makes sure {@code newCrl} is signed by {@code rootCert} and that its timestamps
* are correct with respect to {@code now}.
*
* @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
* incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.
*/
public static void verifyCrl(
X509Certificate rootCert, X509CRL oldCrl, @Tainted X509CRL newCrl, Date now)
throws GeneralSecurityException {
if (newCrl.getThisUpdate().before(oldCrl.getThisUpdate())) {
throw new CRLException(String.format(
"New CRL is more out of date than our current CRL. %s < %s\n%s",
newCrl.getThisUpdate(), oldCrl.getThisUpdate(), newCrl));
}
if (newCrl.getNextUpdate().before(now)) {
throw new CRLException("CRL has expired.\n" + newCrl);
}
newCrl.verify(rootCert.getPublicKey());
}
Example 4
| Source File: RFC3280CertPathUtilities.java From ripple-lib-java with ISC License | 5 votes |
|
protected static X509CRL processCRLH(
Set deltacrls,
PublicKey key)
throws AnnotatedException
{
Exception lastException = null;
for (Iterator it = deltacrls.iterator(); it.hasNext();)
{
X509CRL crl = (X509CRL)it.next();
try
{
crl.verify(key);
return crl;
}
catch (Exception e)
{
lastException = e;
}
}
if (lastException != null)
{
throw new AnnotatedException("Cannot verify delta CRL.", lastException);
}
return null;
}
Example 5
| Source File: CRLUtils.java From keycloak with Apache License 2.0 | 5 votes |
|
/**
* Check the signature on CRL and check if 1st certificate from the chain ((The actual certificate from the client)) is valid and not available on CRL.
*
* @param certs The 1st certificate is the actual certificate of the user. The other certificates represents the certificate chain
* @param crl Given CRL
* @throws GeneralSecurityException if some error in validation happens. Typically certificate not valid, or CRL signature not valid
*/
public static void check(X509Certificate[] certs, X509CRL crl, KeycloakSession session) throws GeneralSecurityException {
if (certs.length < 2) {
throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
}
X500Principal crlIssuerPrincipal = crl.getIssuerX500Principal();
X509Certificate crlSignatureCertificate = null;
// Try to find the certificate in the CA chain, which was used to sign the CRL
for (int i=1 ; i<certs.length ; i++) {
X509Certificate currentCACert = certs[i];
if (crlIssuerPrincipal.equals(currentCACert.getSubjectX500Principal())) {
crlSignatureCertificate = currentCACert;
log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuerPrincipal);
break;
}
}
// Try to find the CRL issuer certificate in the truststore
if (crlSignatureCertificate == null) {
log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuerPrincipal);
crlSignatureCertificate = findCRLSignatureCertificateInTruststore(session, certs, crlIssuerPrincipal);
}
// Verify signature on CRL
// TODO: It will be nice to cache CRLs and also verify their signatures just once at the time when CRL is loaded, rather than in every request
crl.verify(crlSignatureCertificate.getPublicKey());
// Finally check if
if (crl.isRevoked(certs[0])) {
String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectDN().getName());
log.debug(message);
throw new GeneralSecurityException(message);
}
}
Example 6
| Source File: RFC3280CertPathUtilities.java From RipplePower with Apache License 2.0 | 5 votes |
|
protected static X509CRL processCRLH(
Set deltacrls,
PublicKey key)
throws AnnotatedException
{
Exception lastException = null;
for (Iterator it = deltacrls.iterator(); it.hasNext();)
{
X509CRL crl = (X509CRL)it.next();
try
{
crl.verify(key);
return crl;
}
catch (Exception e)
{
lastException = e;
}
}
if (lastException != null)
{
throw new AnnotatedException("Cannot verify delta CRL.", lastException);
}
return null;
}
Example 7
| Source File: CRLUtilsX509CRLImpl.java From dss with GNU Lesser General Public License v2.1 | 5 votes |
|
private void checkSignatureValue(final X509CRL x509CRL, final CertificateToken issuerToken, final CRLValidity crlValidity) {
try {
x509CRL.verify(issuerToken.getPublicKey());
crlValidity.setSignatureIntact(true);
crlValidity.setIssuerToken(issuerToken);
} catch (GeneralSecurityException e) {
String msg = String.format("CRL Signature cannot be validated : %s", e.getMessage());
if (LOG.isTraceEnabled()) {
LOG.trace(msg, e);
} else {
LOG.warn(msg);
}
crlValidity.setSignatureInvalidityReason(msg);
}
}
Example 8
| Source File: TmchCertificateAuthority.java From nomulus with Apache License 2.0 | 5 votes |
|
@Override
public X509CRL load(final TmchCaMode tmchCaMode) throws GeneralSecurityException {
TmchCrl storedCrl = TmchCrl.get();
String crlContents;
if (storedCrl == null) {
String file = (tmchCaMode == PILOT) ? CRL_PILOT_FILE : CRL_FILE;
crlContents = readResourceUtf8(TmchCertificateAuthority.class, file);
} else {
crlContents = storedCrl.getCrl();
}
X509CRL crl = X509Utils.loadCrl(crlContents);
crl.verify(ROOT_CERTS.get(tmchCaMode).getPublicKey());
return crl;
}
Example 9
| Source File: X509CRLImpl.java From openjdk-8 with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 10
| Source File: X509CRLImpl.java From dragonwell8_jdk with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 11
| Source File: X509CRLImpl.java From openjdk-8-source with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 12
| Source File: X509CRLImpl.java From hottub with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 13
| Source File: X509CRLImpl.java From jdk8u-jdk with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 14
| Source File: X509CRLImpl.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 15
| Source File: X509CRLImpl.java From jdk8u-jdk with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 16
| Source File: X509CRLImpl.java From openjdk-jdk9 with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 17
| Source File: X509CRLImpl.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 18
| Source File: X509CRLImpl.java From jdk8u60 with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
Example 19
| Source File: X509CRLImpl.java From TencentKona-8 with GNU General Public License v2.0 | 2 votes |
|
/**
* This static method is the default implementation of the
* verify(PublicKey key, Provider sigProvider) method in X509CRL.
* Called from java.security.cert.X509CRL.verify(PublicKey key,
* Provider sigProvider)
*/
public static void verify(X509CRL crl, PublicKey key,
Provider sigProvider) throws CRLException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
crl.verify(key, sigProvider);
}
