Date nextUp = crlist.getNextUpdate(); if ((thisUp == null) || (nextUp == null)) { return false;
/**
 * Returns the nextUpdate time of the wrapped CRL.
 *
 * @return the value of {@link X509CRL#getNextUpdate()} for the wrapped CRL, or
 *         {@code null} when no CRL is set. The wrapped CRL may itself report
 *         {@code null}, so callers doing freshness checks must handle both cases.
 */
@Override
public Date getNextUpdate() {
    // Read the field once so the null test and the call use the same reference.
    final X509CRL current = this.crl;
    return (current == null) ? null : current.getNextUpdate();
}
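/**
 * Determines whether the given CRL is expired by comparing the nextUpdate field
 * with a given date.
 *
 * <p>{@link X509CRL#getNextUpdate()} returns {@code null} when the CRL carries no
 * nextUpdate field. Such a CRL states no freshness bound, so it is reported as
 * expired instead of letting {@code Date.after(null)} throw a
 * {@code NullPointerException} in the middle of a revocation check.
 *
 * @param crl CRL to examine.
 * @param reference Reference date for comparison.
 *
 * @return True if reference date is after CRL next update or the CRL has no
 *         next update, false otherwise.
 */
public static boolean isExpired(final X509CRL crl, final Date reference) {
    final Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null) {
        // No stated validity end: fail closed and let the caller's policy decide.
        return true;
    }
    return reference.after(nextUpdate);
}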
/**
 * Reports whether the downloaded CRL may still be reused.
 *
 * <p>A CRL has a validity period; this check looks only at its end. The CRL is
 * considered valid while its nextUpdate lies after the current system time, and
 * invalid when nextUpdate is absent. thisUpdate and the CRL signature are not
 * examined here.
 *
 * @return {@code true} if nextUpdate is present and still in the future
 */
public boolean isValid() {
    final Date nextUpdate = crl.getNextUpdate();
    if (nextUpdate == null) {
        // Without a nextUpdate the CRL cannot be shown to be current.
        return false;
    }
    return nextUpdate.after(new Date());
}
/**
 * Tells whether the downloaded CRL is still inside its validity period and can
 * be reused.
 *
 * <ul>
 *   <li>thisUpdate: the time at which the CA knows this status is correct;</li>
 *   <li>nextUpdate: the time at which newer information will be available,
 *       implying that this information is the most accurate to date.</li>
 * </ul>
 *
 * <p>Only nextUpdate is compared with the current system time. A missing
 * nextUpdate makes the CRL invalid; thisUpdate is not checked by this method.
 *
 * @return {@code true} if nextUpdate is set and later than now
 */
public boolean isValid() {
    final Date expiry = crl.getNextUpdate();
    final Date now = new Date();
    if (expiry == null) {
        return false;
    }
    return expiry.after(now);
}
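/**
 * Checks that the validation date falls inside the CRL's validity window.
 *
 * <p>The CRL is rejected when its thisUpdate is after the validation date
 * ("too young"), when the validation date is after its nextUpdate ("too old"),
 * or when it has no nextUpdate at all. {@link X509CRL#getNextUpdate()} returns
 * {@code null} for a CRL without that field; such a CRL is rejected here rather
 * than causing a {@code NullPointerException} in {@code Date.after}.
 *
 * @param crl the CRL whose validity window is examined
 * @param validationDate the date at which the CRL must be valid
 * @return {@code true} if thisUpdate &lt;= validationDate &lt;= nextUpdate
 */
private boolean isCrlInValidationDate(X509CRL crl, Date validationDate) {
    Date thisUpdate = crl.getThisUpdate();
    LOG.debug("validation date: " + validationDate);
    LOG.debug("CRL this update: " + thisUpdate);
    if (thisUpdate.after(validationDate)) {
        LOG.warn("CRL too young");
        return false;
    }
    Date nextUpdate = crl.getNextUpdate();
    LOG.debug("CRL next update: " + nextUpdate);
    if (nextUpdate == null) {
        // No stated end of validity: the CRL cannot be shown to cover the date.
        LOG.warn("CRL has no next update");
        return false;
    }
    if (validationDate.after(nextUpdate)) {
        LOG.debug("CRL too old");
        return false;
    }
    return true;
}
}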
/**
 * Determines whether the given CRL is expired by comparing the nextUpdate field
 * with a given date.
 *
 * <p>NOTE(review): {@link X509CRL#getNextUpdate()} can return {@code null} for a
 * CRL without a nextUpdate field. How {@code DateTimeUtils.zonedDateTimeOf}
 * treats {@code null} is not visible here; confirm that this case ends in a
 * rejection rather than an accepted CRL.
 *
 * @param crl CRL to examine.
 * @param reference Reference date for comparison.
 * @return True if reference date is after CRL next update, false otherwise.
 */
public static boolean isExpired(final X509CRL crl, final ZonedDateTime reference) {
    final ZonedDateTime nextUpdate = DateTimeUtils.zonedDateTimeOf(crl.getNextUpdate());
    return reference.isAfter(nextUpdate);
}
/**
 * {@inheritDoc}
 * A CRL whose next update time is still in the future is accepted. A CRL that is
 * already past its next update time is tolerated only while it is no more than
 * {@code threshold} seconds late; beyond that it is rejected.
 *
 * @param crl CRL instance to evaluate.
 *
 * @throws GeneralSecurityException On expired CRL data. Check the exception type for exact details
 *
 * @see org.jasig.cas.adaptors.x509.authentication.handler.support.RevocationPolicy#apply(java.lang.Object)
 */
@Override
public void apply(final X509CRL crl) throws GeneralSecurityException {
    final Calendar cutoff = Calendar.getInstance();
    if (!CertUtils.isExpired(crl, cutoff.getTime())) {
        // Not yet past nextUpdate: nothing to enforce.
        return;
    }

    // Move the cutoff back by the grace period and test again.
    cutoff.add(Calendar.SECOND, -this.threshold);
    if (CertUtils.isExpired(crl, cutoff.getTime())) {
        throw new ExpiredCRLException(crl.toString(), cutoff.getTime(), this.threshold);
    }

    // Expired, but inside the grace period: accept and leave a trace in the log.
    logger.info(String.format("CRL expired on %s but is within threshold period, %s seconds.",
            crl.getNextUpdate(), this.threshold));
}
LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate()); expiredCrls.add(crl); });
if (crl.getNextUpdate().after(validityDate))
if (crl.getNextUpdate().after(validityDate))
if (validationDate.after(crl.getNextUpdate())) { LOG.debug("CRL no longer valid: " + crlUri); LOG.debug("validation date: " + validationDate); LOG.debug("CRL next update: " + crl.getNextUpdate()); return refreshCrl(crlUri, issuerCertificate, validationDate);
if (crl.getNextUpdate().after(validityDate))
/**
 * {@inheritDoc}
 * A CRL whose next update time is still in the future (UTC clock) is accepted.
 * A CRL already past its next update time is tolerated only while it is no more
 * than {@code threshold} seconds late; beyond that it is rejected.
 *
 * @param crl CRL instance to evaluate.
 * @throws ExpiredCRLException On expired CRL data. Check the exception type for exact details
 */
@Override
public void apply(final X509CRL crl) throws ExpiredCRLException {
    val cutoff = ZonedDateTime.now(ZoneOffset.UTC);
    if (!CertUtils.isExpired(crl, cutoff)) {
        // Not yet past nextUpdate: nothing to enforce.
        return;
    }

    // Second test with the grace period subtracted from "now".
    val graceCutoff = cutoff.minusSeconds(this.threshold);
    if (CertUtils.isExpired(crl, graceCutoff)) {
        // The exception carries the unadjusted cutoff together with the threshold.
        throw new ExpiredCRLException(crl.toString(), cutoff, this.threshold);
    }

    // Expired, but inside the grace period: accept and leave a trace in the log.
    LOGGER.info(String.format("CRL expired on %s but is within threshold period, %s seconds.",
            crl.getNextUpdate(), this.threshold));
}
}
if (crl.getCRL().getNextUpdate().before(new Date())) {
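/**
 * Verifies a certificate against a single CRL.
 *
 * <p>The CRL is consulted only when its issuer equals the issuer of
 * {@code signCert} and {@code signDate} lies strictly between the CRL's
 * thisUpdate and nextUpdate. A CRL that lacks either date cannot be placed in
 * time and is treated as not applicable ({@code false}) instead of raising a
 * {@code NullPointerException}.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL matched issuer and signing date and no revocation was
 *         reported; false if the CRL could not be used
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    if (crl == null || signDate == null) {
        return false;
    }
    Date thisUpdate = crl.getThisUpdate();
    Date nextUpdate = crl.getNextUpdate();
    if (thisUpdate == null || nextUpdate == null) {
        // getNextUpdate() is null when the field is absent; no window to test against.
        return false;
    }
    // We only check CRLs valid on the signing date for which the issuer matches
    if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())
            && signDate.after(thisUpdate) && signDate.before(nextUpdate)) {
        // the signing certificate may not be revoked
        // NOTE(review): when isSignatureValid(...) returns false the revocation
        // lookup is skipped and this method still returns true, so a CRL whose
        // signature was not verified counts as a successful check. Confirm this
        // is intended; a fail-closed variant returns false unless the CRL
        // signature verifies against issuerCert.
        if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) {
            throw new VerificationException(signCert, "The certificate has been revoked.");
        }
        return true;
    }
    return false;
}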
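/**
 * Verifies a certificate against a single CRL.
 *
 * <p>The CRL is consulted only when its issuer equals the issuer of
 * {@code signCert} and {@code signDate} lies strictly between the CRL's
 * thisUpdate and nextUpdate. A CRL that lacks either date cannot be placed in
 * time and is treated as not applicable ({@code false}) instead of raising a
 * {@code NullPointerException}.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL matched issuer and signing date and no revocation was
 *         reported; false if the CRL could not be used
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    // SignUtils.UNDEFINED_TIMESTAMP_DATE is defined elsewhere; the explicit null
    // test also covers the case where that sentinel is a non-null object.
    if (crl == null || signDate == null || signDate == SignUtils.UNDEFINED_TIMESTAMP_DATE) {
        return false;
    }
    Date thisUpdate = crl.getThisUpdate();
    Date nextUpdate = crl.getNextUpdate();
    if (thisUpdate == null || nextUpdate == null) {
        // getNextUpdate() is null when the field is absent; no window to test against.
        return false;
    }
    // We only check CRLs valid on the signing date for which the issuer matches
    if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())
            && signDate.after(thisUpdate) && signDate.before(nextUpdate)) {
        // the signing certificate may not be revoked
        // NOTE(review): when isSignatureValid(...) returns false the revocation
        // lookup is skipped and this method still returns true, so a CRL whose
        // signature was not verified counts as a successful check. Confirm this
        // is intended; a fail-closed variant returns false unless the CRL
        // signature verifies against issuerCert.
        if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) {
            throw new VerificationException(signCert, "The certificate has been revoked.");
        }
        return true;
    }
    return false;
}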
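/**
 * Verifies a certificate against a single CRL.
 *
 * <p>Three conditions gate the revocation lookup: the CRL issuer must equal the
 * issuer of {@code signCert}, and {@code signDate} must be after thisUpdate and
 * before nextUpdate. If the CRL has no thisUpdate or no nextUpdate the window
 * cannot be evaluated, and the method answers {@code false} rather than failing
 * with a {@code NullPointerException}.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL matched issuer and signing date and no revocation was
 *         reported; false if the CRL could not be used
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    if (crl == null || signDate == null) {
        return false;
    }
    Date windowStart = crl.getThisUpdate();
    Date windowEnd = crl.getNextUpdate();
    if (windowStart == null || windowEnd == null) {
        // A CRL without both dates gives no validity window for the signing date.
        return false;
    }
    // We only check CRLs valid on the signing date for which the issuer matches
    if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())
            && signDate.after(windowStart) && signDate.before(windowEnd)) {
        // the signing certificate may not be revoked
        // NOTE(review): if isSignatureValid(...) is false, isRevoked is never
        // asked and the result is still true, i.e. an unverified CRL is reported
        // as a passed check. Confirm callers expect that; the fail-closed
        // alternative is to return false when the CRL signature does not verify.
        if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) {
            throw new VerificationException(signCert, "The certificate has been revoked.");
        }
        return true;
    }
    return false;
}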
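/**
 * Verifies a certificate against a single CRL.
 *
 * <p>Three conditions gate the revocation lookup: the CRL issuer must equal the
 * issuer of {@code signCert}, and {@code signDate} must be after thisUpdate and
 * before nextUpdate. If the CRL has no thisUpdate or no nextUpdate the window
 * cannot be evaluated, and the method answers {@code false} rather than failing
 * with a {@code NullPointerException}.
 *
 * @param crl the Certificate Revocation List
 * @param signCert a certificate that needs to be verified
 * @param issuerCert its issuer
 * @param signDate the sign date
 * @return true if the CRL matched issuer and signing date and no revocation was
 *         reported; false if the CRL could not be used
 * @throws GeneralSecurityException if the CRL lists the certificate as revoked
 */
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
    // The sentinel comes from SignUtils, which is not visible here; testing for
    // null as well keeps a missing signing date from reaching signDate.after(...).
    if (crl == null || signDate == null || signDate == SignUtils.UNDEFINED_TIMESTAMP_DATE) {
        return false;
    }
    Date windowStart = crl.getThisUpdate();
    Date windowEnd = crl.getNextUpdate();
    if (windowStart == null || windowEnd == null) {
        // A CRL without both dates gives no validity window for the signing date.
        return false;
    }
    // We only check CRLs valid on the signing date for which the issuer matches
    if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())
            && signDate.after(windowStart) && signDate.before(windowEnd)) {
        // the signing certificate may not be revoked
        // NOTE(review): if isSignatureValid(...) is false, isRevoked is never
        // asked and the result is still true, i.e. an unverified CRL is reported
        // as a passed check. Confirm callers expect that; the fail-closed
        // alternative is to return false when the CRL signature does not verify.
        if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) {
            throw new VerificationException(signCert, "The certificate has been revoked.");
        }
        return true;
    }
    return false;
}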
/**
 * Populates this token's fields from {@code crlValidity} and the X.509 CRL it
 * holds: signature algorithm, thisUpdate/nextUpdate, issuer principal, issuer
 * token and the recorded signature check result.
 *
 * <p>{@code nextUpdate} is copied as reported by the CRL and may be
 * {@code null}; {@code signatureValid} mirrors
 * {@code crlValidity.signatureIntact} and is not recomputed here.
 */
private void setDefaultValues() {
    final X509CRL source = crlValidity.x509CRL;

    // Values read from the CRL itself.
    this.algorithmUsedToSignToken = SignatureAlgorithm.forOID(source.getSigAlgOID());
    this.issuingTime = source.getThisUpdate();
    this.nextUpdate = source.getNextUpdate();
    this.issuerX500Principal = source.getIssuerX500Principal();

    this.extraInfo = new TokenValidationExtraInfo();

    // Values carried over from the earlier validity evaluation.
    this.issuerToken = crlValidity.issuerToken;
    this.signatureValid = crlValidity.signatureIntact;
    this.signatureInvalidityReason = crlValidity.signatureInvalidityReason;
}