/**
 * Prepares this checker for one validation pass.
 *
 * Only reverse checking is supported: on a reverse pass the cursor
 * {@code certIndex} is positioned on the last element of {@code certs}.
 * A request for forward checking is rejected outright.
 *
 * @param forward {@code true} asks for forward checking, which this checker
 *                does not implement
 * @throws CertPathValidatorException if forward checking is requested
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (forward) {
        throw new CertPathValidatorException("Forward checking not supported");
    }
    // Reverse pass: start from the last certificate held in certs.
    certIndex = certs.length - 1;
}
throw new CertPathValidatorException( "Must specify at least one trust anchor"); throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN()); throw new CertPathValidatorException("Cannot find the responder's certificate."); url = new URL(ocspServerUrl); } catch (MalformedURLException e) { throw new CertPathValidatorException(e); throw new CertPathValidatorException("Must set OCSP Server URL"); try { if( ! brep.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCert.getPublicKey()))) { throw new CertPathValidatorException("OCSP response is not verified"); throw new CertPathValidatorException("OCSP response could not be verified ("+e.getMessage()+")" ,null, cp, certIndex); Log.debug("OCSPChecker: Status of certificate (with serial number " + serialNumber.toString() + ") is: revoked"); throw new CertPathValidatorException("Certificate has been revoked", null, cp, certIndex); } else if (status instanceof org.bouncycastle.cert.ocsp.UnknownStatus) { Log.debug("OCSPChecker: Status of certificate (with serial number " + serialNumber.toString() + ") is: unknown"); throw new CertPathValidatorException("Certificate's revocation status is unknown", null, cp, certIndex); } else { Log.debug("Status of certificate (with serial number " + serialNumber.toString() + ") is: not recognized");
/**
 * Prepares this checker for one validation pass.
 *
 * Only reverse checking is supported: on a reverse pass the cursor
 * {@code certIndex} is positioned on the last element of {@code certs}.
 * A request for forward checking is rejected outright.
 *
 * @param forward {@code true} asks for forward checking, which this checker
 *                does not implement
 * @throws CertPathValidatorException if forward checking is requested
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (forward) {
        throw new CertPathValidatorException("Forward checking not supported");
    }
    // Reverse pass: start from the last certificate held in certs.
    certIndex = certs.length - 1;
}
/**
 * Prepares this checker for one validation pass.
 *
 * The checker keeps no per-pass state; the only thing this method does is
 * refuse forward checking, which is not implemented.
 *
 * @param forward {@code true} asks for forward checking
 * @throws CertPathValidatorException if forward checking is requested
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (!forward) {
        return; // reverse checking: nothing to set up
    }
    throw new CertPathValidatorException("Forward checking is not supported");
}
/**
 * Prepares this checker for one validation pass.
 *
 * The checker keeps no per-pass state; the only thing this method does is
 * refuse forward checking, which is not implemented.
 *
 * @param forward {@code true} asks for forward checking
 * @throws CertPathValidatorException if forward checking is requested
 */
@Override
public void init(boolean forward) throws CertPathValidatorException {
    if (!forward) {
        return; // reverse checking: nothing to set up
    }
    throw new CertPathValidatorException("Forward checking is not supported");
}
/**
 * Applies the caller's attribute policy to an attribute certificate.
 *
 * Every OID in {@code prohibitedACAttributes} must be absent from the
 * certificate, and every OID in {@code necessaryACAttributes} must be
 * present. Presence is decided by {@code attrCert.getAttributes(oid)}
 * returning non-null. The sets are raw and are expected to hold
 * {@link String} OIDs; any other element type fails the cast.
 *
 * @param attrCert               the attribute certificate under test
 * @param prohibitedACAttributes OIDs that must not appear
 * @param necessaryACAttributes  OIDs that must appear
 * @throws CertPathValidatorException on the first policy violation found
 */
protected static void additionalChecks(X509AttributeCertificate attrCert,
        Set prohibitedACAttributes, Set necessaryACAttributes)
        throws CertPathValidatorException {
    // 1: none of the prohibited attributes may be present
    Iterator prohibited = prohibitedACAttributes.iterator();
    while (prohibited.hasNext()) {
        String oid = (String) prohibited.next();
        boolean present = attrCert.getAttributes(oid) != null;
        if (present) {
            throw new CertPathValidatorException(
                    "Attribute certificate contains prohibited attribute: " + oid + ".");
        }
    }
    // every required attribute must be present
    Iterator required = necessaryACAttributes.iterator();
    while (required.hasNext()) {
        String oid = (String) required.next();
        boolean missing = attrCert.getAttributes(oid) == null;
        if (missing) {
            throw new CertPathValidatorException(
                    "Attribute certificate does not contain necessary attribute: " + oid + ".");
        }
    }
}
/**
 * Applies the caller's attribute policy to an attribute certificate.
 *
 * Every OID in {@code prohibitedACAttributes} must be absent from the
 * certificate, and every OID in {@code necessaryACAttributes} must be
 * present. Presence is decided by {@code attrCert.getAttributes(oid)}
 * returning non-null. The sets are raw and are expected to hold
 * {@link String} OIDs; any other element type fails the cast.
 *
 * @param attrCert               the attribute certificate under test
 * @param prohibitedACAttributes OIDs that must not appear
 * @param necessaryACAttributes  OIDs that must appear
 * @throws CertPathValidatorException on the first policy violation found
 */
protected static void additionalChecks(X509AttributeCertificate attrCert,
        Set prohibitedACAttributes, Set necessaryACAttributes)
        throws CertPathValidatorException {
    // 1: none of the prohibited attributes may be present
    Iterator prohibited = prohibitedACAttributes.iterator();
    while (prohibited.hasNext()) {
        String oid = (String) prohibited.next();
        boolean present = attrCert.getAttributes(oid) != null;
        if (present) {
            throw new CertPathValidatorException(
                    "Attribute certificate contains prohibited attribute: " + oid + ".");
        }
    }
    // every required attribute must be present
    Iterator required = necessaryACAttributes.iterator();
    while (required.hasNext()) {
        String oid = (String) required.next();
        boolean missing = attrCert.getAttributes(oid) == null;
        if (missing) {
            throw new CertPathValidatorException(
                    "Attribute certificate does not contain necessary attribute: " + oid + ".");
        }
    }
}
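/**
 * Used by CertPathValidator to pass the certificates one by one from the certificate chain.
 *
 * The certificate's revocation status is obtained from {@code verifier} using the
 * issuer returned by {@code nextIssuer()}; any status other than
 * {@code RevocationStatus.GOOD} fails the path.
 *
 * @param cert the certificate passed to be checked; must be an X.509 certificate.
 * @param unresolvedCritExts not used in this method.
 * @throws CertPathValidatorException if {@code cert} is not an X.509 certificate, if the
 *         status lookup fails, or if the reported status is not GOOD.
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {
    // Surface a non-X.509 certificate as a validation failure instead of letting the
    // cast below escape as an unchecked ClassCastException.
    if (!(cert instanceof X509Certificate)) {
        throw new CertPathValidatorException("Certificate is not an X.509 certificate");
    }
    RevocationStatus status;
    try {
        status = verifier.checkRevocationStatus((X509Certificate) cert, nextIssuer());
    } catch (CertificateVerificationException e) {
        throw new CertPathValidatorException(e);
    }
    log.info("Certificate status is: " + status.getMessage());
    // Only GOOD is acceptable; every other status is treated as a failure.
    if (status != RevocationStatus.GOOD) {
        throw new CertPathValidatorException("Revocation Status is Not Good");
    }
}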
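/**
 * Used by CertPathValidator to pass the certificates one by one from the certificate chain.
 *
 * The certificate's revocation status is obtained from {@code verifier} using the
 * issuer returned by {@code nextIssuer()}; any status other than
 * {@code RevocationStatus.GOOD} fails the path.
 *
 * @param cert the certificate passed to be checked; must be an X.509 certificate.
 * @param unresolvedCritExts not used in this method.
 * @throws CertPathValidatorException if {@code cert} is not an X.509 certificate, if any
 *         error occurs while verifying the status given by CA, or if the status is not GOOD.
 */
@Override
public void check(Certificate cert, Collection<String> unresolvedCritExts)
        throws CertPathValidatorException {
    // Surface a non-X.509 certificate as a validation failure instead of letting the
    // cast below escape as an unchecked ClassCastException.
    if (!(cert instanceof X509Certificate)) {
        throw new CertPathValidatorException("Certificate is not an X.509 certificate");
    }
    RevocationStatus status;
    try {
        status = verifier.checkRevocationStatus((X509Certificate) cert, nextIssuer());
    } catch (CertificateVerificationException e) {
        throw new CertPathValidatorException(e);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("Certificate status is: {}", status.getMessage());
    }
    // Only GOOD is acceptable; every other status is treated as a failure.
    if (status != RevocationStatus.GOOD) {
        throw new CertPathValidatorException("Revocation Status is Not Good");
    }
}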
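/**
 * Attribute-certificate path step (4): the AC issuer must be directly trusted.
 *
 * An issuer certificate is accepted when some anchor in {@code trustedACIssuers}
 * was built from that very certificate, or when a name-based anchor matches
 * both its subject name and its public key. The original accepted a match on
 * the subject name alone; a DN is not a secret, so any certificate carrying the
 * trusted name would have passed regardless of which key it holds. The anchor's
 * CA public key is therefore compared as well.
 *
 * @param acIssuerCert     the public-key certificate of the attribute certificate issuer
 * @param trustedACIssuers set of {@link TrustAnchor} instances naming the accepted AC issuers
 * @throws CertPathValidatorException if no anchor vouches for {@code acIssuerCert}
 */
protected static void processAttrCert4(X509Certificate acIssuerCert, Set trustedACIssuers)
        throws CertPathValidatorException {
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) {
        TrustAnchor anchor = (TrustAnchor) it.next();
        // Anchor given as a trusted certificate: require the identical certificate.
        if (acIssuerCert.equals(anchor.getTrustedCert())) {
            return;
        }
        // Anchor given as (name, public key): getCA() and getCAPublicKey() are both
        // non-null only in that form. X500Principal.equals compares canonical DNs, and
        // the key must match too so that a same-named certificate with another key
        // is rejected (relies on the key implementation's equals, which JDK and BC keys
        // define in terms of their encoding/parameters).
        if (anchor.getCA() != null
                && anchor.getCA().equals(acIssuerCert.getSubjectX500Principal())
                && acIssuerCert.getPublicKey().equals(anchor.getCAPublicKey())) {
            return;
        }
    }
    throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
}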
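/**
 * Attribute-certificate path step (4): the AC issuer must be directly trusted.
 *
 * An issuer certificate is accepted when some anchor in {@code trustedACIssuers}
 * was built from that very certificate, or when a name-based anchor matches
 * both its subject name and its public key. The original accepted a match on
 * the subject name alone; a DN is not a secret, so any certificate carrying the
 * trusted name would have passed regardless of which key it holds. The anchor's
 * CA public key is therefore compared as well.
 *
 * @param acIssuerCert     the public-key certificate of the attribute certificate issuer
 * @param trustedACIssuers set of {@link TrustAnchor} instances naming the accepted AC issuers
 * @throws CertPathValidatorException if no anchor vouches for {@code acIssuerCert}
 */
protected static void processAttrCert4(X509Certificate acIssuerCert, Set trustedACIssuers)
        throws CertPathValidatorException {
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) {
        TrustAnchor anchor = (TrustAnchor) it.next();
        // Anchor given as a trusted certificate: require the identical certificate.
        if (acIssuerCert.equals(anchor.getTrustedCert())) {
            return;
        }
        // Anchor given as (name, public key): getCA() and getCAPublicKey() are both
        // non-null only in that form. X500Principal.equals compares canonical DNs, and
        // the key must match too so that a same-named certificate with another key
        // is rejected (relies on the key implementation's equals, which JDK and BC keys
        // define in terms of their encoding/parameters).
        if (anchor.getCA() != null
                && anchor.getCA().equals(acIssuerCert.getSubjectX500Principal())
                && acIssuerCert.getPublicKey().equals(anchor.getCAPublicKey())) {
            return;
        }
    }
    throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
}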
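/**
 * Attribute-certificate path step (4): the AC issuer must be directly trusted.
 *
 * An issuer certificate is accepted when some anchor in {@code trustedACIssuers}
 * was built from that very certificate, or when a name-based anchor matches
 * both its subject name and its public key. The original accepted a match on
 * the subject name alone; a DN is not a secret, so any certificate carrying the
 * trusted name would have passed regardless of which key it holds. The anchor's
 * CA public key is therefore compared as well.
 *
 * @param acIssuerCert     the public-key certificate of the attribute certificate issuer
 * @param trustedACIssuers set of {@link TrustAnchor} instances naming the accepted AC issuers
 * @throws CertPathValidatorException if no anchor vouches for {@code acIssuerCert}
 */
protected static void processAttrCert4(X509Certificate acIssuerCert, Set trustedACIssuers)
        throws CertPathValidatorException {
    for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) {
        TrustAnchor anchor = (TrustAnchor) it.next();
        // Anchor given as a trusted certificate: require the identical certificate.
        if (acIssuerCert.equals(anchor.getTrustedCert())) {
            return;
        }
        // Anchor given as (name, public key): getCA() and getCAPublicKey() are both
        // non-null only in that form. X500Principal.equals compares canonical DNs, and
        // the key must match too so that a same-named certificate with another key
        // is rejected (relies on the key implementation's equals, which JDK and BC keys
        // define in terms of their encoding/parameters).
        if (anchor.getCA() != null
                && anchor.getCA().equals(acIssuerCert.getSubjectX500Principal())
                && acIssuerCert.getPublicKey().equals(anchor.getCAPublicKey())) {
            return;
        }
    }
    throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
}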
/**
 * Attribute-certificate path step (3): checks on the AC issuer's public-key certificate.
 *
 * Two rules are enforced. If a key usage extension is present, at least one of
 * digitalSignature (bit 0) or nonRepudiation (bit 1) must be set; an absent
 * extension imposes no restriction. And the issuer must not itself be a
 * certificate authority, i.e. {@code getBasicConstraints()} must be -1.
 *
 * @param acIssuerCert the AC issuer's public-key certificate
 * @param pkixParams   validation parameters; not consulted by this step
 * @throws CertPathValidatorException if the key usage forbids signatures or the
 *         issuer is a CA
 */
protected static void processAttrCert3(X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams)
        throws CertPathValidatorException {
    boolean[] keyUsage = acIssuerCert.getKeyUsage();
    if (keyUsage != null) {
        boolean mayVerifySignatures = keyUsage[0] || keyUsage[1];
        if (!mayVerifySignatures) {
            throw new CertPathValidatorException(
                    "Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
    }
    // -1 means "not a CA" (or no basic constraints extension at all).
    boolean isCertificateAuthority = acIssuerCert.getBasicConstraints() != -1;
    if (isCertificateAuthority) {
        throw new CertPathValidatorException(
                "Attribute certificate issuer is also a public key certificate issuer.");
    }
}
/**
 * Attribute-certificate path step (3): checks on the AC issuer's public-key certificate.
 *
 * Two rules are enforced. If a key usage extension is present, at least one of
 * digitalSignature (bit 0) or nonRepudiation (bit 1) must be set; an absent
 * extension imposes no restriction. And the issuer must not itself be a
 * certificate authority, i.e. {@code getBasicConstraints()} must be -1.
 *
 * @param acIssuerCert the AC issuer's public-key certificate
 * @param pkixParams   validation parameters; not consulted by this step
 * @throws CertPathValidatorException if the key usage forbids signatures or the
 *         issuer is a CA
 */
protected static void processAttrCert3(X509Certificate acIssuerCert, PKIXExtendedParameters pkixParams)
        throws CertPathValidatorException {
    boolean[] keyUsage = acIssuerCert.getKeyUsage();
    if (keyUsage != null) {
        boolean mayVerifySignatures = keyUsage[0] || keyUsage[1];
        if (!mayVerifySignatures) {
            throw new CertPathValidatorException(
                    "Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
    }
    // -1 means "not a CA" (or no basic constraints extension at all).
    boolean isCertificateAuthority = acIssuerCert.getBasicConstraints() != -1;
    if (isCertificateAuthority) {
        throw new CertPathValidatorException(
                "Attribute certificate issuer is also a public key certificate issuer.");
    }
}
/**
 * Attribute-certificate path step (3): checks on the AC issuer's public-key certificate.
 *
 * Two rules are enforced. If a key usage extension is present, at least one of
 * digitalSignature (bit 0) or nonRepudiation (bit 1) must be set; an absent
 * extension imposes no restriction. And the issuer must not itself be a
 * certificate authority, i.e. {@code getBasicConstraints()} must be -1.
 *
 * @param acIssuerCert the AC issuer's public-key certificate
 * @param pkixParams   validation parameters; not consulted by this step
 * @throws CertPathValidatorException if the key usage forbids signatures or the
 *         issuer is a CA
 */
protected static void processAttrCert3(X509Certificate acIssuerCert, PKIXExtendedParameters pkixParams)
        throws CertPathValidatorException {
    boolean[] keyUsage = acIssuerCert.getKeyUsage();
    if (keyUsage != null) {
        boolean mayVerifySignatures = keyUsage[0] || keyUsage[1];
        if (!mayVerifySignatures) {
            throw new CertPathValidatorException(
                    "Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
    }
    // -1 means "not a CA" (or no basic constraints extension at all).
    boolean isCertificateAuthority = acIssuerCert.getBasicConstraints() != -1;
    if (isCertificateAuthority) {
        throw new CertPathValidatorException(
                "Attribute certificate issuer is also a public key certificate issuer.");
    }
}
/**
 * Attribute-certificate path step (3): checks on the AC issuer's public-key certificate.
 *
 * Two rules are enforced. If a key usage extension is present, at least one of
 * digitalSignature (bit 0) or nonRepudiation (bit 1) must be set; an absent
 * extension imposes no restriction. And the issuer must not itself be a
 * certificate authority, i.e. {@code getBasicConstraints()} must be -1.
 *
 * @param acIssuerCert the AC issuer's public-key certificate
 * @param pkixParams   validation parameters; not consulted by this step
 * @throws CertPathValidatorException if the key usage forbids signatures or the
 *         issuer is a CA
 */
protected static void processAttrCert3(X509Certificate acIssuerCert, PKIXExtendedParameters pkixParams)
        throws CertPathValidatorException {
    boolean[] keyUsage = acIssuerCert.getKeyUsage();
    if (keyUsage != null) {
        boolean mayVerifySignatures = keyUsage[0] || keyUsage[1];
        if (!mayVerifySignatures) {
            throw new CertPathValidatorException(
                    "Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
    }
    // -1 means "not a CA" (or no basic constraints extension at all).
    boolean isCertificateAuthority = acIssuerCert.getBasicConstraints() != -1;
    if (isCertificateAuthority) {
        throw new CertPathValidatorException(
                "Attribute certificate issuer is also a public key certificate issuer.");
    }
}
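/**
 * Attribute-certificate path step (4): the AC issuer must be directly trusted.
 *
 * An issuer certificate is accepted when some anchor from
 * {@code pkixParams.getTrustedACIssuers()} was built from that very certificate,
 * or when a name-based anchor matches both its subject name and its public key.
 * The original accepted a match on the subject name alone; a DN is not a secret,
 * so any certificate carrying the trusted name would have passed regardless of
 * which key it holds. The anchor's CA public key is therefore compared as well.
 *
 * @param acIssuerCert the public-key certificate of the attribute certificate issuer
 * @param pkixParams   parameters supplying the set of trusted AC issuer anchors
 * @throws CertPathValidatorException if no anchor vouches for {@code acIssuerCert}
 */
protected static void processAttrCert4(X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams)
        throws CertPathValidatorException {
    Set anchors = pkixParams.getTrustedACIssuers();
    for (Iterator it = anchors.iterator(); it.hasNext();) {
        TrustAnchor anchor = (TrustAnchor) it.next();
        // Anchor given as a trusted certificate: require the identical certificate.
        if (acIssuerCert.equals(anchor.getTrustedCert())) {
            return;
        }
        // Anchor given as (name, public key): getCA() and getCAPublicKey() are both
        // non-null only in that form. X500Principal.equals compares canonical DNs, and
        // the key must match too so that a same-named certificate with another key
        // is rejected (relies on the key implementation's equals, which JDK and BC keys
        // define in terms of their encoding/parameters).
        if (anchor.getCA() != null
                && anchor.getCA().equals(acIssuerCert.getSubjectX500Principal())
                && acIssuerCert.getPublicKey().equals(anchor.getCAPublicKey())) {
            return;
        }
    }
    throw new CertPathValidatorException(
            "Attribute certificate issuer is not directly trusted.");
}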
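/**
 * Wrapper to overcome JDK differences between Oracle vs OpenJDK: drives the
 * JDK-internal OCSP client against the responder URI carried in {@code cert}.
 *
 * @param cert       the certificate whose revocation status is queried
 * @param issuerCert the certificate of {@code cert}'s issuer
 * @return the status reported by the responder
 * @throws CertPathValidatorException if the certificate carries no OCSP responder
 *         URI, or the OCSP exchange or response verification fails
 * @throws IOException on a network failure talking to the responder
 * @throws CertificateException if {@code cert} cannot be converted to X509CertImpl
 */
public static RevocationStatus check(X509Certificate cert, X509Certificate issuerCert)
        throws IOException, CertPathValidatorException, CertificateException {
    X509CertImpl certImpl = X509CertImpl.toImpl(cert);
    URI responderURI = getResponderURI(certImpl);
    if (responderURI == null) {
        throw new CertPathValidatorException("No OCSP Responder URI in certificate");
    }
    // The fourth argument of OCSP.check is the *responder's* certificate. The
    // original passed the certificate under test there, which offers the subject's
    // own key as an acceptable signer of its own status response. No explicit
    // responder certificate is configured here, so pass null and let the response's
    // signer be validated against issuerCert by the JDK code (presumably the same
    // path the JDK's own checker takes when no responder cert is configured — confirm
    // against the target JDK). The trailing null selects the current time.
    return OCSP.check(cert, issuerCert, responderURI, null, null);
}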
/**
 * Extracts the revocation status for one certificate from a basic OCSP response.
 *
 * The single response whose CertID matches {@code certificateID} is located first;
 * the response as a whole is then handed to {@code verifyResponse} (together with
 * the issuer and responder certificates, the nonce bytes and {@code date}) before
 * the matching entry is converted to a status. If no entry matches, the response is
 * rejected without being verified.
 *
 * @param issuerCertificate    certificate of the issuer of the queried certificate
 * @param responderCertificate certificate expected to have signed the response
 * @param date                 reference time passed to verification
 * @param certificateID        CertID sent in the request
 * @param nounce               nonce sent in the request; its {@code toByteArray()}
 *                             form is passed to verification (must not be null)
 * @param basicOcspResponse    the decoded basic response
 * @return the status of the matching single response
 * @throws CertPathValidatorException if the response holds no entry for {@code certificateID}
 */
private static OCSPRevocationStatus processBasicOCSPResponse(X509Certificate issuerCertificate,
        X509Certificate responderCertificate, Date date, JcaCertificateID certificateID,
        BigInteger nounce, BasicOCSPResp basicOcspResponse)
        throws OCSPException, NoSuchProviderException, NoSuchAlgorithmException,
        CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException {
    SingleResp[] entries = basicOcspResponse.getResponses();
    SingleResp matching = null;
    for (int i = 0; i < entries.length && matching == null; i++) {
        if (compareCertIDs(certificateID, entries[i].getCertID())) {
            matching = entries[i];
        }
    }
    if (matching == null) {
        throw new CertPathValidatorException(
                "OCSP response does not include a response for a certificate supplied in the OCSP request");
    }
    // Verify the whole response (signature/nonce/validity are handled by verifyResponse,
    // defined elsewhere) before trusting the status of the matching entry.
    verifyResponse(basicOcspResponse, issuerCertificate, responderCertificate,
            nounce.toByteArray(), date);
    return singleResponseToRevocationStatus(matching);
}
/**
 * Checks the proxy-certificate naming rule: the subject of a proxy must be the
 * issuer's subject followed by exactly one extra, single-valued CN RDN.
 *
 * The first three violations (fewer than two RDNs, multi-valued last RDN, last
 * RDN not a CN) are recorded in {@code errors} and abort with an exception. A
 * mismatch between the issuer name and the subject with its last RDN removed is
 * only recorded; the method returns normally in that case.
 *
 * @param srcP       subject of the certificate under test
 * @param issuerP    subject of its issuer
 * @param errors     sink for validation errors
 * @param position   index of the certificate in {@code proxyChain}; errors are
 *                   reported at {@code position + 1}
 * @param proxyChain the chain the error refers to
 * @throws CertPathValidatorException for the first three rule violations
 */
protected void checkLastCNNameRule(X500Principal srcP, X500Principal issuerP,
        List<ValidationError> errors, int position, X509Certificate[] proxyChain)
        throws CertPathValidatorException {
    X500Name subject = CertificateHelpers.toX500Name(srcP);
    X500Name issuerName = CertificateHelpers.toX500Name(issuerP);
    RDN[] subjectRdns = subject.getRDNs();
    int reportAt = position + 1;

    if (subjectRdns.length < 2) {
        errors.add(new ValidationError(proxyChain, reportAt,
                ValidationErrorCode.proxySubjectOneRDN));
        throw new CertPathValidatorException();
    }

    int lastIdx = subjectRdns.length - 1;
    RDN lastRdn = subjectRdns[lastIdx];
    if (lastRdn.isMultiValued()) {
        errors.add(new ValidationError(proxyChain, reportAt,
                ValidationErrorCode.proxySubjectMultiLastRDN));
        throw new CertPathValidatorException();
    }

    AttributeTypeAndValue lastAva = lastRdn.getFirst();
    if (!lastAva.getType().equals(BCStyle.CN)) {
        errors.add(new ValidationError(proxyChain, reportAt,
                ValidationErrorCode.proxySubjectLastRDNNotCN));
        throw new CertPathValidatorException();
    }

    // Drop the trailing CN; what is left must be the issuer's name.
    RDN[] baseRdns = new RDN[lastIdx];
    System.arraycopy(subjectRdns, 0, baseRdns, 0, lastIdx);
    JavaAndBCStyle style = new JavaAndBCStyle();
    X500Name base = new X500Name(style, baseRdns);
    // Recorded only, not thrown — unlike the checks above.
    if (!style.areEqual(issuerName, base)) {
        errors.add(new ValidationError(proxyChain, reportAt,
                ValidationErrorCode.proxySubjectBaseWrong));
    }
}