java.security.cert.Extension Java Examples

Example #1
Source File: OCSP.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}, with the caller supplying the responder certificate,
 * the validation time and the request extensions directly.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through to the
 *    list-based {@code check} overload
 * @param date the validation time, passed through to the list-based overload
 * @param extensions the request extensions, passed through to the
 *    list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Encoding failures are reported as a path-validation problem; the
        // original exception is kept as the cause.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    List<CertId> ids = Collections.singletonList(id);
    OCSPResponse response = check(ids, responderURI, issuerCert,
                                  responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #2
Source File: OCSP.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #3
Source File: CertificateRevocationExceptionTest.java — from j2objc (Apache License 2.0)
/**
 * Builds a minimal {@code Extension} standing in for the X.509 CRL reason
 * code extension (OID 2.5.29.21), for use as test input. Only the accessors
 * are implemented; {@code encode} is unsupported because the test never
 * serialises the extension.
 *
 * @return a non-critical extension whose value is the fixed DER bytes
 *    {4, 3, 10, 1, 5} (an OCTET STRING wrapping an ENUMERATED value of 5);
 *    a fresh array is returned on every call
 */
private Extension getReasonExtension() {
    final class ReasonExtension implements Extension {
        @Override
        public String getId() {
            return "2.5.29.21";
        }

        @Override
        public boolean isCritical() {
            return false;
        }

        @Override
        public byte[] getValue() {
            byte[] encoded = {4, 3, 10, 1, 5};
            return encoded;
        }

        @Override
        public void encode(OutputStream out) throws IOException {
            // Deliberately unsupported: the fixture is only inspected, never
            // written out.
            throw new UnsupportedOperationException();
        }
    }
    return new ReasonExtension();
}
 
Example #4
Source File: OCSP.java — from openjdk-8-source (GNU General Public License v2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}, with the caller supplying the responder certificate,
 * the validation time and the request extensions directly.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through to the
 *    list-based {@code check} overload
 * @param date the validation time, passed through to the list-based overload
 * @param extensions the request extensions, passed through to the
 *    list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Encoding failures are reported as a path-validation problem; the
        // original exception is kept as the cause.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    List<CertId> ids = Collections.singletonList(id);
    OCSPResponse response = check(ids, responderURI, issuerCert,
                                  responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #5
Source File: OCSP.java — from openjdk-8-source (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #6
Source File: OCSP.java — from jdk8u-dev-jdk (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #7
Source File: OCSP.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #8
Source File: OCSP.java — from openjdk-8 (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #9
Source File: OCSP.java — from Bytecoder (Apache License 2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}. The issuer is described by a trust anchor together
 * with the issuer certificate; the two are bundled into an
 * {@code OCSPResponse.IssuerInfo} for the list-based {@code check} overload.
 *
 * @param cert the certificate whose status is requested
 * @param responderURI the URI of the OCSP responder
 * @param anchor the trust anchor for the issuer, passed on via IssuerInfo
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 *    and passed on via IssuerInfo
 * @param responderCert the responder certificate, passed through
 * @param date the validation time, passed through
 * @param extensions the request extensions, passed through
 * @param variant passed through to the list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    OCSPResponse.IssuerInfo issuer =
            new OCSPResponse.IssuerInfo(anchor, issuerCert);
    OCSPResponse response = check(Collections.singletonList(id),
            responderURI, issuer, responderCert, date, extensions, variant);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #10
Source File: OCSPNonceExtensionTests.java — from openjdk-jdk9 (GNU General Public License v2.0)
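/**
 * Verifies that an {@code OCSPNonceExtension} constructed as critical
 * reports itself as critical, both when built from a nonce length and when
 * built from an explicit nonce value ({@code DEADBEEF_16}).
 *
 * @return a (pass, message) pair: {@code true} with a {@code null} message
 *    on success; otherwise {@code false} with a message naming the failed
 *    expectation, or the class name of an unexpected exception
 */
@Override
public Map.Entry<Boolean, String> runTest() {
    Boolean pass = Boolean.FALSE;
    String message = null;
    // The previous try-with-resources opened a ByteArrayOutputStream that
    // nothing in the test read or wrote; it has been dropped.
    try {
        Extension nonceByLength = new OCSPNonceExtension(true, 32);
        Extension nonceByValue =
                new OCSPNonceExtension(true, DEADBEEF_16);
        pass = nonceByLength.isCritical() && nonceByValue.isCritical();
        if (!pass) {
            message = "nonceByLength or nonceByValue was not marked " +
                    "critical as expected";
        }
    } catch (Exception e) {
        // Harness convention: an unexpected exception fails this test by
        // class name rather than aborting the whole run.
        e.printStackTrace(System.out);
        message = e.getClass().getName();
    }

    return new AbstractMap.SimpleEntry<>(pass, message);
}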
 
Example #11
Source File: OCSP.java — from hottub (GNU General Public License v2.0)
/**
 * Obtains the revocation status of a certificate using OCSP with the most
 * common defaults: the responder URI is taken from the certificate's AIA
 * extension, no responder certificate is supplied (the issuer's certificate,
 * or one issued by the issuer CA, is assumed to sign the response), no
 * validation time is passed, and no request extensions are sent.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    final CertId id;
    final URI responder;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        responder = getResponderURI(impl);
        // With no AIA-supplied responder there is nowhere to send the
        // request. This is a validation failure rather than an encoding
        // error, so it is not caught by the handler below.
        if (responder == null) {
            throw new CertPathValidatorException
                ("No OCSP Responder URI in certificate");
        }
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    // null responderCert and null date select the overload's defaults.
    OCSPResponse response = check(Collections.singletonList(id),
        responder, issuerCert, null, null,
        Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #12
Source File: OCSP.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}, with the caller supplying the responder certificate,
 * the validation time and the request extensions directly.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through to the
 *    list-based {@code check} overload
 * @param date the validation time, passed through to the list-based overload
 * @param extensions the request extensions, passed through to the
 *    list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Encoding failures are reported as a path-validation problem; the
        // original exception is kept as the cause.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    List<CertId> ids = Collections.singletonList(id);
    OCSPResponse response = check(ids, responderURI, issuerCert,
                                  responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #13
Source File: OCSP.java — from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}. The issuer is described by a trust anchor together
 * with the issuer certificate; the two are bundled into an
 * {@code OCSPResponse.IssuerInfo} for the list-based {@code check} overload.
 *
 * @param cert the certificate whose status is requested
 * @param responderURI the URI of the OCSP responder
 * @param anchor the trust anchor for the issuer, passed on via IssuerInfo
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 *    and passed on via IssuerInfo
 * @param responderCert the responder certificate, passed through
 * @param date the validation time, passed through
 * @param extensions the request extensions, passed through
 * @param variant passed through to the list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    OCSPResponse.IssuerInfo issuer =
            new OCSPResponse.IssuerInfo(anchor, issuerCert);
    OCSPResponse response = check(Collections.singletonList(id),
            responderURI, issuer, responderCert, date, extensions, variant);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #14
Source File: OCSP.java — from hottub (GNU General Public License v2.0)
/**
 * Obtains the revocation status of {@code cert} from the OCSP responder at
 * {@code responderURI}, with the caller supplying the responder certificate,
 * the validation time and the request extensions directly.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}; used to build the CertId
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through to the
 *    list-based {@code check} overload
 * @param date the validation time, passed through to the list-based overload
 * @param extensions the request extensions, passed through to the
 *    list-based overload
 * @return the single {@code RevocationStatus} the responder returned for
 *    {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be encoded
 *    into a CertId, or the list-based overload rejects the response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    final CertId id;
    try {
        // CertId needs the serial number as a DER object, which only the
        // implementation class exposes.
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        id = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Encoding failures are reported as a path-validation problem; the
        // original exception is kept as the cause.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    List<CertId> ids = Collections.singletonList(id);
    OCSPResponse response = check(ids, responderURI, issuerCert,
                                  responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(id);
}
 
Example #15
Source File: SslErrorTest.java — from netty-4.1.22 (Apache License 2.0)
/**
 * Builds the parameter matrix for this test: every combination of server
 * provider, client provider and certificate failure. Server providers are
 * the two OpenSSL variants, and only when OpenSSL is available; client
 * providers are those plus {@code SslProvider.JDK}. The failures cover the
 * three raw certificate exceptions and the wrapped forms produced by the
 * JDK's X509TrustManagerFactory.
 *
 * @return one {@code Object[]} of {serverProvider, clientProvider,
 *    exception} per combination; empty when OpenSSL is unavailable, since
 *    there are then no server providers
 */
@Parameterized.Parameters(name = "{index}: serverProvider = {0}, clientProvider = {1}, exception = {2}")
public static Collection<Object[]> data() {
    List<SslProvider> serverProviders = new ArrayList<SslProvider>(2);
    List<SslProvider> clientProviders = new ArrayList<SslProvider>(3);
    boolean openSslPresent = OpenSsl.isAvailable();
    if (openSslPresent) {
        serverProviders.add(SslProvider.OPENSSL);
        serverProviders.add(SslProvider.OPENSSL_REFCNT);
        clientProviders.add(SslProvider.OPENSSL);
        clientProviders.add(SslProvider.OPENSSL_REFCNT);
    }
    // SslProvider.JDK is deliberately left out on the server side: the JDK
    // implementation currently sends the same alert regardless of cause.
    clientProviders.add(SslProvider.JDK);

    List<CertificateException> failures = new ArrayList<CertificateException>(6);
    failures.add(new CertificateExpiredException());
    failures.add(new CertificateNotYetValidException());
    failures.add(new CertificateRevokedException(
            new Date(), CRLReason.AA_COMPROMISE, new X500Principal(""),
            Collections.<String, Extension>emptyMap()));
    // Wrapped forms, matching what the JDK X509TrustManagerFactory throws.
    failures.add(newCertificateException(CertPathValidatorException.BasicReason.EXPIRED));
    failures.add(newCertificateException(CertPathValidatorException.BasicReason.NOT_YET_VALID));
    failures.add(newCertificateException(CertPathValidatorException.BasicReason.REVOKED));

    int combinations = serverProviders.size() * clientProviders.size() * failures.size();
    List<Object[]> params = new ArrayList<Object[]>(combinations);
    for (SslProvider server : serverProviders) {
        for (SslProvider client : clientProviders) {
            for (CertificateException failure : failures) {
                params.add(new Object[] { server, client, failure });
            }
        }
    }
    return params;
}
 
Example #16
Source File: OCSP.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Convenience overload that checks {@code cert} without a trust anchor. It
 * delegates to the anchor-taking {@code check} with {@code null} in the
 * anchor position and every other argument passed through unchanged.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through
 * @param date the validation time, passed through
 * @param extensions the request extensions, passed through
 * @param variant passed through to the anchor-taking overload
 * @return the RevocationStatus reported by the anchor-taking overload
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the delegate rejects the request
 *    or the response
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date, List<Extension> extensions,
        String variant)
    throws IOException, CertPathValidatorException
{
    // Parameter order differs between the two overloads: the delegate takes
    // responderURI before issuerCert, with the (absent) anchor in between.
    RevocationStatus status = check(cert, responderURI, null, issuerCert,
            responderCert, date, extensions, variant);
    return status;
}
 
Example #17
Source File: OCSP.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the parsed response is then
 * handed to {@code OCSPResponse.verify} together with the issuer and
 * responder data and the nonce taken from {@code extensions}, if one was
 * sent.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through to {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response; a network
 *    failure is reported with reason
 *    {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce being sent so the response can be checked against
    // it. If several nonce extensions are present the last one wins.
    byte[] nonce = null;
    for (Extension ext : extensions) {
        boolean isNonce =
                ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString());
        if (isNonce) {
            nonce = ext.getValue();
        }
    }

    final OCSPResponse ocspResponse;
    try {
        byte[] encoded = getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(encoded);

        // Validation of the response (including the nonce match) lives in
        // verify(); it raises CertPathValidatorException on failure, which
        // propagates untouched.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        // A transport failure means the status is unknown rather than
        // "good" or "revoked"; the reason code records that distinction.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 
Example #18
Source File: StatusResponseManager.java — from openjsse (GNU General Public License v2.0)
/**
 * Check the cache for a given {@code CertId}.
 *
 * A request that carries a nonce extension is never answered from the
 * cache. A cached entry whose {@code nextUpdate} is already in the past is
 * reported as a miss; note that this method only drops its local reference
 * and does not remove the entry from {@code responseCache}.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, its nextUpdate has passed, or a
 *      nonce extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    // A nonce makes the client expect a response built for this exact
    // request, so the cache must be bypassed entirely.
    boolean nonceRequested = false;
    for (Extension ext : ocspRequest.extensions) {
        if (ext.getId().equals(
                PKIXExtensions.OCSPNonce_Id.toString())) {
            nonceRequested = true;
            break;
        }
    }
    if (nonceRequested) {
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine(
                    "Nonce extension found, skipping cache check");
        }
        return null;
    }

    ResponseCacheEntry entry = responseCache.get(cid);

    // A hit whose nextUpdate has already passed is stale even if the cache
    // has not expired it yet: report a miss instead of serving it.
    boolean stale = entry != null && entry.nextUpdate != null
            && entry.nextUpdate.before(new Date());
    if (stale) {
        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
            SSLLogger.fine(
                "nextUpdate threshold exceeded, purging from cache");
        }
        entry = null;
    }

    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
        String outcome = entry != null ? "HIT" : "MISS";
        SSLLogger.fine(
                "Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    }
    return entry;
}
 
Example #19
Source File: OCSP.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the parsed response is then
 * handed to {@code OCSPResponse.verify} together with the issuer and
 * responder data and the nonce taken from {@code extensions}, if one was
 * sent.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through to {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response; a network
 *    failure is reported with reason
 *    {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce being sent so the response can be checked against
    // it. If several nonce extensions are present the last one wins.
    byte[] nonce = null;
    for (Extension ext : extensions) {
        boolean isNonce =
                ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString());
        if (isNonce) {
            nonce = ext.getValue();
        }
    }

    final OCSPResponse ocspResponse;
    try {
        byte[] encoded = getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(encoded);

        // Validation of the response (including the nonce match) lives in
        // verify(); it raises CertPathValidatorException on failure, which
        // propagates untouched.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        // A transport failure means the status is unknown rather than
        // "good" or "revoked"; the reason code records that distinction.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 
Example #20
Source File: SimpleOCSPServer.java — from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Construct a response from a list of certificate
 * status objects and extensions.
 *
 * For a SUCCESSFUL status the response body is populated (single responses,
 * producedAt, response extensions and the signer/issuer certificate list)
 * and then encoded; for any other status every optional part is left
 * {@code null} and only the status is encoded.
 *
 * @param respStat the status of the entire response
 * @param itemMap a {@code Map} of {@code CertId} objects and their
 * respective revocation statuses from the server's response DB.
 * @param reqExtensions a {@code Map} of request extensions
 *
 * @throws IOException if an error happens during encoding
 * @throws NullPointerException if {@code respStat} is {@code null}
 * or {@code respStat} is successful, and a {@code null} {@code itemMap}
 * has been provided.
 */
public LocalOcspResponse(OCSPResponse.ResponseStatus respStat,
        Map<CertId, CertStatusInfo> itemMap,
        Map<String, Extension> reqExtensions) throws IOException {
    responseStatus = Objects.requireNonNull(respStat,
            "Illegal null response status");
    boolean successful = responseStatus == ResponseStatus.SUCCESSFUL;
    if (!successful) {
        // Error responses carry no body: every optional part stays unset.
        respItemMap = null;
        producedAtDate = null;
        responseExtensions = null;
        certificates = null;
    } else {
        respItemMap = Objects.requireNonNull(itemMap,
                "SUCCESSFUL responses must have a response map");
        producedAtDate = new Date();

        // Turn the answers from the response DB query into a list of
        // single responses.
        for (Map.Entry<CertId, CertStatusInfo> answer : itemMap.entrySet()) {
            singleResponseList.add(
                    new LocalSingleResponse(answer.getKey(), answer.getValue()));
        }

        responseExtensions = setResponseExtensions(reqExtensions);
        // The signer is listed ahead of the issuer only when it is a
        // different certificate object (reference comparison, as written).
        certificates = new ArrayList<>();
        if (signerCert != issuerCert) {
            certificates.add(signerCert);
        }
        certificates.add(issuerCert);
    }
    encodedResponse = this.getBytes();
}
 
Example #21
Source File: CertificateBuilder.java — from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Add multiple extensions contained in a {@code List}.
 * Each extension is stored under its OID, so a later extension with the
 * same OID as an earlier one takes its place.
 *
 * @param extList The {@link List} of extensions to be added to
 * the certificate.
 * @throws NullPointerException if {@code extList} is {@code null}
 */
public void addExtensions(List<Extension> extList) {
    Objects.requireNonNull(extList, "Caught null extension list");
    extList.forEach(ext -> extensions.put(ext.getId(), ext));
}
 
Example #22
Source File: OCSP.java — from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Convenience overload that checks {@code cert} without a trust anchor. It
 * delegates to the anchor-taking {@code check} with {@code null} in the
 * anchor position and every other argument passed through unchanged.
 *
 * @param cert the certificate whose status is requested
 * @param issuerCert the issuer of {@code cert}
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the responder certificate, passed through
 * @param date the validation time, passed through
 * @param extensions the request extensions, passed through
 * @param variant passed through to the anchor-taking overload
 * @return the RevocationStatus reported by the anchor-taking overload
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the delegate rejects the request
 *    or the response
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date, List<Extension> extensions,
        String variant)
    throws IOException, CertPathValidatorException
{
    // Parameter order differs between the two overloads: the delegate takes
    // responderURI before issuerCert, with the (absent) anchor in between.
    RevocationStatus status = check(cert, responderURI, null, issuerCert,
            responderCert, date, extensions, variant);
    return status;
}
 
Example #23
Source File: OCSP.java — from openjdk-jdk8u-backup (GNU General Public License v2.0)
/**
 * Checks the revocation status of a list of certificates using OCSP.
 * The request is sent to {@code responderURI}; the parsed response is then
 * handed to {@code OCSPResponse.verify} together with the issuer and
 * responder data and the nonce taken from {@code extensions}, if one was
 * sent.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant passed through to {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response; a network
 *    failure is reported with reason
 *    {@code BasicReason.UNDETERMINED_REVOCATION_STATUS}
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Remember the nonce being sent so the response can be checked against
    // it. If several nonce extensions are present the last one wins.
    byte[] nonce = null;
    for (Extension ext : extensions) {
        boolean isNonce =
                ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString());
        if (isNonce) {
            nonce = ext.getValue();
        }
    }

    final OCSPResponse ocspResponse;
    try {
        byte[] encoded = getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(encoded);

        // Validation of the response (including the nonce match) lives in
        // verify(); it raises CertPathValidatorException on failure, which
        // propagates untouched.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        // A transport failure means the status is unknown rather than
        // "good" or "revoked"; the reason code records that distinction.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 
/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * <p>An OCSP nonce found among the request extensions is forwarded to
 * {@code OCSPResponse.verify} so the response can be matched to this
 * request; if several nonce extensions are present, the value of the last
 * one in list order is used.  Network failures surface as a
 * {@link CertPathValidatorException} carrying
 * {@code UNDETERMINED_REVOCATION_STATUS} rather than as a bare
 * {@link IOException}.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant the validation variant, passed through to
 *    {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Request nonce, if present; the reduce keeps the last match so the
    // result is the same as a plain loop that overwrites on every hit.
    final String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] nonce = extensions.stream()
            .filter(ext -> ext.getId().equals(nonceOid))
            .map(Extension::getValue)
            .reduce((earlier, later) -> later)
            .orElse(null);

    final OCSPResponse ocspResponse;
    try {
        ocspResponse = new OCSPResponse(
                getOCSPBytes(certIds, responderURI, extensions));
        // Verify before handing the response back: issuer, responder
        // certificate, time window and nonce are all checked here.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 
/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * <p>If the request extensions include an OCSP nonce, its value is passed
 * to {@code OCSPResponse.verify} so the response can be checked against
 * it; with several nonce extensions present, the last one in list order
 * wins.  A transport-level {@link IOException} is converted to a
 * {@link CertPathValidatorException} with reason
 * {@code UNDETERMINED_REVOCATION_STATUS}.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant the validation variant, passed through to
 *    {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Pull the request nonce (last match wins) for response verification.
    final String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] nonce = null;
    for (Extension ext : extensions) {
        if (ext.getId().equals(nonceOid)) {
            nonce = ext.getValue();
        }
    }

    final OCSPResponse ocspResponse;
    try {
        byte[] responseBytes =
                getOCSPBytes(certIds, responderURI, extensions);
        ocspResponse = new OCSPResponse(responseBytes);
        // Nothing is returned until the response has been verified.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}
 
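/**
 * Constructs an {@code OCSPStatusRequest} from its encoded form as read
 * from a {@code HandshakeInStream}.
 *
 * <p>The encoding is a 2-byte-length-prefixed list of 2-byte-length-
 * prefixed responder IDs, followed by a 2-byte-length-prefixed DER
 * SEQUENCE of extensions.  Both length fields come from the peer, so the
 * responder ID list is checked against its declared total and the
 * extension block is read in full before it is parsed; a truncated block
 * is rejected instead of being decoded with trailing zero bytes.
 *
 * @param in the {@code HandshakeInStream} providing the encoded data
 *
 * @throws IOException if the encoded data is truncated or inconsistent,
 *      or if any decoding error happens during object construction.
 */
OCSPStatusRequest(HandshakeInStream in) throws IOException {
    responderIds = new ArrayList<>();
    extensions = new ArrayList<>();

    // Track the byte budget declared for the whole responder ID list so
    // that a single ID whose own length exceeds the outer list length is
    // rejected rather than silently read past.
    int ridListBytesRemaining = in.getInt16();
    while (ridListBytesRemaining != 0) {
        byte[] ridBytes = in.getBytes16();
        responderIds.add(new ResponderId(ridBytes));
        ridListBytesRemaining -= (ridBytes.length + 2);
        if (ridListBytesRemaining < 0) {
            throw new SSLException("Responder ID length overflow: " +
                    "current rid = " + ridBytes.length + ", remaining = " +
                    ridListBytesRemaining);
        }
    }

    int extensionLength = in.getInt16();
    if (extensionLength > 0) {
        byte[] extensionData = new byte[extensionLength];
        // read(byte[]) may return fewer bytes than requested; keep reading
        // until the declared length is satisfied and fail on EOF so a short
        // message cannot be parsed as a zero-padded extension block.
        // (HandshakeInStream may already enforce this itself — harmless if
        // so.)
        int filled = 0;
        while (filled < extensionLength) {
            int n = in.read(extensionData, filled, extensionLength - filled);
            if (n < 0) {
                throw new SSLException("Unexpected end of extension data: " +
                        "expected " + extensionLength + " bytes, read " +
                        filled);
            }
            filled += n;
        }
        DerInputStream dis = new DerInputStream(extensionData);
        DerValue[] extSeqContents = dis.getSequence(extensionData.length);
        for (DerValue extDerVal : extSeqContents) {
            extensions.add(new sun.security.x509.Extension(extDerVal));
        }
    }
}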
 
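/**
 * Obtains the length of the {@code OCSPStatusRequest} object in its
 *      encoded form.
 *
 * <p>The result is computed once and cached in {@code encodedLen}; the
 * per-part fields {@code ridListLen} and {@code extListLen} are refreshed
 * as a side effect of the first call.
 *
 * @return the length of the {@code OCSPStatusRequest} object in its
 *      encoded form
 * @throws IllegalStateException if the extension list cannot be
 *      DER-encoded.  The failure is surfaced rather than ignored, because
 *      ignoring it would cache a length that disagrees with the bytes the
 *      encoder actually writes.
 */
@Override
public int length() {
    // If we've previously calculated encodedLen simply return it
    if (encodedLen != 0) {
        return encodedLen;
    }

    // Each responder ID carries its own 2-byte length prefix.
    ridListLen = 0;
    for (ResponderId rid : responderIds) {
        ridListLen += rid.length() + 2;
    }

    extListLen = 0;
    if (!extensions.isEmpty()) {
        try {
            DerOutputStream extSequence = new DerOutputStream();
            DerOutputStream extEncoding = new DerOutputStream();
            for (Extension ext : extensions) {
                ext.encode(extEncoding);
            }
            extSequence.write(DerValue.tag_Sequence, extEncoding);
            extListLen = extSequence.size();
        } catch (IOException ioe) {
            // length() cannot declare IOException, but swallowing it would
            // record extListLen = 0 and cache an encodedLen that does not
            // match the real encoding.  Fail loudly with the cause kept.
            throw new IllegalStateException(
                    "Unable to encode OCSPStatusRequest extensions", ioe);
        }
    }

    // Total length is the responder ID list length and extensions length
    // plus each lists' 2-byte length fields.
    encodedLen = ridListLen + extListLen + 4;

    return encodedLen;
}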
 
/**
 * Looks up the cached response for a given {@code CertId}.
 *
 * <p>A request that carries an OCSP nonce extension is never answered
 * from the cache: the cached response cannot echo the fresh nonce, so the
 * lookup is skipped entirely.  An entry whose {@code nextUpdate} time has
 * already passed is reported as a miss; note that only the local reference
 * is dropped here — the entry is not removed from {@code responseCache}
 * by this method.
 *
 * @param cid the CertId of the response to look up
 * @param ocspRequest the OCSP request structure sent by the client
 *      in the TLS status_request[_v2] hello extension.
 *
 * @return the {@code ResponseCacheEntry} for a specific CertId, or
 *      {@code null} if it is not found, is past its {@code nextUpdate},
 *      or a nonce extension has been requested by the caller.
 */
private ResponseCacheEntry getFromCache(CertId cid,
        OCSPStatusRequest ocspRequest) {
    // A nonce ties the response to this particular request, so a cached
    // response can never satisfy it; bail out before touching the cache.
    final String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    for (Extension ext : ocspRequest.getExtensions()) {
        if (ext.getId().equals(nonceOid)) {
            debugLog("Nonce extension found, skipping cache check");
            return null;
        }
    }

    ResponseCacheEntry respEntry = responseCache.get(cid);

    // A response whose nextUpdate has passed is treated as a miss even if
    // the cache itself has not expired it yet.
    boolean stale = respEntry != null
            && respEntry.nextUpdate != null
            && respEntry.nextUpdate.before(new Date());
    if (stale) {
        debugLog("nextUpdate threshold exceeded, purging from cache");
        respEntry = null;
    }

    String outcome = (respEntry == null) ? "MISS" : "HIT";
    debugLog("Check cache for SN" + cid.getSerialNumber() + ": " + outcome);
    return respEntry;
}
 
/**
 * Checks the revocation status of {@code cert} using OCSP.
 *
 * <p>Thin overload: every argument is forwarded to the eight-argument
 * {@code check}, with {@code null} supplied for the one parameter this
 * signature lacks (that overload is outside this excerpt, so the meaning
 * of the {@code null} is not documented here).
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against
 * @param extensions OCSP extensions to be included in the request
 * @param variant the validation variant, passed through unchanged
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date, List<Extension> extensions,
        String variant)
    throws IOException, CertPathValidatorException
{
    return check(cert,
                 responderURI,
                 null,
                 issuerCert,
                 responderCert,
                 date,
                 extensions,
                 variant);
}
 
/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * <p>An OCSP nonce among the request extensions is forwarded to
 * {@code OCSPResponse.verify} so the response can be matched against it;
 * if several nonce extensions are present, the last one in list order is
 * used.  A transport-level {@link IOException} is reported as a
 * {@link CertPathValidatorException} whose reason is
 * {@code UNDETERMINED_REVOCATION_STATUS}, so callers can tell an
 * unreachable responder apart from a definitive revocation answer.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param issuerInfo the issuer's certificate and/or subject and public key
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request.  If no extensions are requested, an empty {@code List} must
 *    be used.  A {@code null} value is not allowed.
 * @param variant the validation variant, passed through to
 *    {@code OCSPResponse.verify}
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Request nonce, if any; the reduce keeps the last match, matching a
    // loop that overwrites on every hit.
    final String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] nonce = extensions.stream()
            .filter(ext -> ext.getId().equals(nonceOid))
            .map(Extension::getValue)
            .reduce((earlier, later) -> later)
            .orElse(null);

    final OCSPResponse ocspResponse;
    try {
        ocspResponse = new OCSPResponse(
                getOCSPBytes(certIds, responderURI, extensions));
        // Verify against issuer, responder certificate, time and nonce
        // before the response is handed back.
        ocspResponse.verify(certIds, issuerInfo, responderCert, date,
                nonce, variant);
    } catch (IOException ioe) {
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }

    return ocspResponse;
}