/**
 * Builds a CRL source from one or more {@code InputStream}s.
 * <p>
 * Every stream is handed to {@code addCRLToken(InputStream)}, which reads it into the source and closes it.
 *
 * @param inputStreams
 *            the streams to be loaded as CRL binaries
 */
public ExternalResourcesCRLSource(final InputStream... inputStreams) {
	int position = 0;
	while (position < inputStreams.length) {
		addCRLToken(inputStreams[position]);
		position++;
	}
}
/**
 * Initialises this source with every CRL held by the given {@code OfflineCRLSource}.
 *
 * @param crlSource
 *            the offline CRL source whose CRLs are copied into this one
 */
public ListCRLSource(OfflineCRLSource crlSource) {
	// addAll() is the single place that copies CRL binaries in; duplicate handling lives there.
	this.addAll(crlSource);
}
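/**
 * Returns the CRL-based revocation token for {@code certificateToken}, or {@code null} when none can be built.
 * <p>
 * Tokens are cached per certificate in {@code validCRLTokenList}. A cached token is returned directly (its
 * origin is re-stamped as {@code RevocationOrigin.SIGNATURE}); otherwise the best {@code CRLValidity} for the
 * certificate and its issuer is looked up, a new token is built from it, cached and returned.
 *
 * @param certificateToken
 *            the certificate whose revocation status is requested; must not be {@code null}
 * @param issuerToken
 *            the issuer of {@code certificateToken}; when {@code null} no lookup is attempted
 * @return the {@code CRLToken}, or {@code null} when {@code issuerToken} is {@code null} or no valid CRL is found
 * @throws NullPointerException
 *             if {@code certificateToken} is {@code null}
 */
@Override
public final CRLToken getRevocationToken(final CertificateToken certificateToken, final CertificateToken issuerToken) {
	if (certificateToken == null) {
		// Name the offending argument: a message-less NPE gives the caller nothing to act on.
		throw new NullPointerException("certificateToken");
	}
	final CRLToken cachedToken = validCRLTokenList.get(certificateToken);
	if (cachedToken != null) {
		cachedToken.setOrigin(RevocationOrigin.SIGNATURE);
		return cachedToken;
	}
	if (issuerToken == null) {
		// getBestCrlValidity() needs the issuer; nothing can be resolved without it.
		return null;
	}
	final CRLValidity bestCRLValidity = getBestCrlValidity(certificateToken, issuerToken);
	if (bestCRLValidity == null) {
		return null;
	}
	final CRLToken crlToken = new CRLToken(certificateToken, bestCRLValidity);
	crlToken.setOrigin(RevocationOrigin.SIGNATURE);
	validCRLTokenList.put(certificateToken, crlToken);
	return crlToken;
}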
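/**
 * Loads a CRL together with the certificate that issued it, checks that {@code CRLUtils.isValidCRL} accepts it
 * (signature intact, cRLSign key usage, matching issuer principal) and then builds a {@code CRLToken} for the
 * TSA certificate, asserting that the token's accessors are populated.
 *
 * @throws IOException
 *             if one of the test resources cannot be opened
 */
@Test
public void testOK() throws IOException {
	FileDocument doc = new FileDocument("src/test/resources/crl/belgium2.crl");
	FileDocument caCert = new FileDocument("src/test/resources/belgiumrs2.crt");
	FileDocument tsaCert = new FileDocument("src/test/resources/TSA_BE.cer");
	// Open every stream in the resource block so all of them are closed on exit,
	// instead of relying on loadCertificate() to close the stream it is handed.
	try (InputStream crlStream = doc.openStream();
			InputStream caStream = caCert.openStream();
			InputStream tsaStream = tsaCert.openStream()) {
		CRLValidity crlValidity = CRLUtils.isValidCRL(crlStream, DSSUtils.loadCertificate(caStream));
		assertNotNull(crlValidity);
		assertTrue(crlValidity.isSignatureIntact());
		assertTrue(crlValidity.isCrlSignKeyUsage());
		assertTrue(crlValidity.isIssuerX509PrincipalMatches());
		CRLToken crl = new CRLToken(DSSUtils.loadCertificate(tsaStream), crlValidity);
		assertNotNull(crl);
		assertNotNull(crl.getAbbreviation());
		assertNotNull(crl.getCreationDate());
		assertNotNull(crl.getCrlValidity());
		assertNotNull(crl.getDSSId());
		assertNotNull(crl.getIssuerX500Principal());
		assertNotNull(crl.getPublicKeyOfTheSigner());
		assertNotNull(crl.getOrigin());
		assertNotNull(crl.toString());
		assertEquals(crlValidity.getExpiredCertsOnCRL(), crl.getExpiredCertsOnCRL());
		assertNull(crl.getCertHash());
		assertNull(crl.getArchiveCutOff());
	}
}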
final CRLToken crlToken = new CRLToken(certificateToken, crlValidity); crlToken.setSourceURL(dataAndUrl.urlString); crlToken.setAvailable(true); return crlToken; } catch (Exception e) {
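/**
 * Validates the CRL against a certificate that did not sign it (the TSA certificate): the signature is reported
 * as not intact, key usage and issuer do not match, and building a {@code CRLToken} from that validity is then
 * expected to fail with a {@code DSSException}.
 *
 * @throws IOException
 *             if one of the test resources cannot be opened
 */
@Test(expected = DSSException.class)
public void wrongCRLIssuer() throws IOException {
	FileDocument doc = new FileDocument("src/test/resources/crl/belgium2.crl");
	FileDocument tsaCert = new FileDocument("src/test/resources/TSA_BE.cer");
	// Both certificate streams are opened as resources so they are closed even when
	// the expected DSSException propagates out of the block.
	try (InputStream crlStream = doc.openStream();
			InputStream tsaStreamForCrl = tsaCert.openStream();
			InputStream tsaStreamForToken = tsaCert.openStream()) {
		CRLValidity crlValidity = CRLUtils.isValidCRL(crlStream, DSSUtils.loadCertificate(tsaStreamForCrl));
		assertNotNull(crlValidity);
		assertFalse(crlValidity.isSignatureIntact());
		assertFalse(crlValidity.isCrlSignKeyUsage());
		assertFalse(crlValidity.isIssuerX509PrincipalMatches());
		new CRLToken(DSSUtils.loadCertificate(tsaStreamForToken), crlValidity);
	}
}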
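/**
 * Renders this token as an indented multi-line block for debugging.
 * <p>
 * Unknown values are printed as {@code ?}. The opening and closing lines carry the caller's {@code indentStr};
 * the inner lines get one extra tab.
 *
 * @param indentStr
 *            the indentation prefix of the opening and closing lines
 * @return the textual representation
 */
@Override
public String toString(String indentStr) {
	// The caller's prefix is kept untouched for the closing line. The previous
	// "append a tab, then drop the first character" approach only round-trips
	// when the prefix consists of tabs alone.
	final String innerIndent = indentStr + "\t";
	final StringBuilder out = new StringBuilder();
	out.append(indentStr).append("CRLToken[\n");
	out.append(innerIndent).append("Production time: ")
			.append(productionDate == null ? "?" : DSSUtils.formatInternal(productionDate)).append('\n');
	out.append(innerIndent).append("Signature algorithm: ")
			.append(signatureAlgorithm == null ? "?" : signatureAlgorithm).append('\n');
	out.append(innerIndent).append("Status: ").append(getStatus()).append('\n');
	out.append(innerIndent).append("Issuer's certificate: ").append(getIssuerX500Principal()).append('\n');
	out.append(indentStr).append(']');
	return out.toString();
}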
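/**
 * Maps an OCSP response token onto a {@code CertificateValidationException} outcome.
 * <p>
 * A {@code null} token is reported as a missing response. A token with a status resolves to GOOD (normal
 * return) or REVOKED; a token without status but with a non-blank reason resolves to UNKNOWN.
 *
 * @param token
 *            the OCSP token to inspect, may be {@code null}
 * @throws CertificateValidationException
 *             when the token is absent, the certificate is revoked, or its status is unknown
 */
private void verifyOCSPToken(OCSPToken token) {
	if (token == null) {
		throw CertificateValidationException.of("No token response is present");
	}
	try {
		// The reason is logged as the raw string. The earlier CRLReasonEnum.valueOf(reason).name()
		// round-trip threw for any reason outside the enum (or a null reason), which downgraded a
		// REVOKED/UNKNOWN verdict into a generic wrapped exception from the catch below.
		if (token.getStatus() != null) {
			if (!token.getStatus()) {
				LOGGER.debug("Certificate with DSS ID <{}> - status <{}>", token.getDSSIdAsString(), token.getReason());
				throw CertificateValidationException.of(CertificateValidationException.CertificateValidationStatus.REVOKED);
			}
			// Otherwise status is GOOD
			return;
		}
		if (StringUtils.isNotBlank(token.getReason())) {
			LOGGER.debug("Certificate with DSS ID <{}> - status <{}>", token.getDSSIdAsString(), token.getReason());
			throw CertificateValidationException.of(CertificateValidationException.CertificateValidationStatus.UNKNOWN);
		}
	} catch (CertificateValidationException e) {
		throw e;
	} catch (Exception e) {
		throw CertificateValidationException.of(e);
	}
}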
/**
 * Checks whether the certificate is currently on hold.
 * <p>
 * The certificate counts as on hold only when its latest revocation data reports a non-valid status with reason
 * {@code certificateHold}, and the revocation date is known and lies before {@code currentTime}.
 *
 * @return {@code false} when the certificate is on hold, {@code true} otherwise
 */
@Override
protected boolean process() {
	final RevocationWrapper latest = certificate.getLatestRevocationData();
	if (latest == null || latest.isStatus()) {
		return true;
	}
	if (!CRLReasonEnum.certificateHold.name().equals(latest.getReason())) {
		return true;
	}
	if (latest.getRevocationDate() == null) {
		// A hold without a date is not treated as effective.
		return true;
	}
	return !currentTime.after(latest.getRevocationDate());
}
/**
 * Creates a CRL token for the certificate managed by the CRL described by {@code crlValidity}.
 * <p>
 * Common values are copied from the CRL first, then the revocation status of {@code certificateToken} is derived
 * from it.
 *
 * @param certificateToken
 *            the {@code CertificateToken} which is managed by this CRL
 * @param crlValidity
 *            the {@code CRLValidity} describing the CRL and its validity; must not be {@code null}
 * @throws NullPointerException
 *             if {@code crlValidity} is {@code null}
 */
public CRLToken(final CertificateToken certificateToken, final CRLValidity crlValidity) {
	if (null == crlValidity) {
		throw new NullPointerException();
	}
	this.crlValidity = crlValidity;
	// Order matters: the CRL-wide values are needed before the per-certificate status is computed.
	copyCommonValuesFromCRL();
	setRevocationStatus(certificateToken);
	LOG.debug("+CRLToken");
}
/**
 * Returns a short, human-readable identifier of this token for debugging: the production date (or {@code ?}
 * when unknown) and the issuer principal.
 *
 * @return the DSS abbreviation of the CRLToken
 */
@Override
public String getAbbreviation() {
	final StringBuilder abbreviation = new StringBuilder("CRLToken[");
	if (productionDate == null) {
		abbreviation.append("?");
	} else {
		abbreviation.append(DSSUtils.formatInternal(productionDate));
	}
	abbreviation.append(", signedBy=").append(getIssuerX500Principal()).append("]");
	return abbreviation.toString();
}
/**
 * Copies every CRL binary from {@code offlineCRLSource} into this source, keyed by the same digest. An entry whose
 * key already exists here is left as-is by {@code addCRLBinary}.
 *
 * @param offlineCRLSource
 *            the source to be added
 */
public void addAll(final OfflineCRLSource offlineCRLSource) {
	for (Entry<String, byte[]> crlEntry : offlineCRLSource.crlsMap.entrySet()) {
		final String digestKey = crlEntry.getKey();
		final byte[] crlBinaries = crlEntry.getValue();
		super.addCRLBinary(digestKey, crlBinaries);
	}
}
/**
 * Fills {@code status}, {@code revocationDate} and {@code reason} from the certificate status of a single OCSP
 * response.
 * <p>
 * GOOD sets {@code status} to {@code true}; a revoked status sets it to {@code false} and records the revocation
 * time and reason (defaulting to 0, "unspecified", when no reason is present); an unknown status only sets the
 * reason to {@code unknow}. Any other status is logged and leaves the fields untouched.
 *
 * @param bestSingleResp
 *            the single response selected for this certificate
 */
private void extractStatusInfo(SingleResp bestSingleResp) {
	final CertificateStatus certStatus = bestSingleResp.getCertStatus();
	if (CertificateStatus.GOOD == certStatus) {
		LOG.info("OCSP status is good");
		status = true;
		return;
	}
	if (certStatus instanceof RevokedStatus) {
		LOG.info("OCSP status revoked");
		final RevokedStatus revoked = (RevokedStatus) certStatus;
		status = false;
		revocationDate = revoked.getRevocationTime();
		// 0 is "unspecified" when the response carries no reason code.
		final int reasonCode = revoked.hasRevocationReason() ? revoked.getRevocationReason() : 0;
		reason = CRLReasonEnum.fromInt(reasonCode);
		return;
	}
	if (certStatus instanceof UnknownStatus) {
		LOG.info("OCSP status unknown");
		reason = CRLReasonEnum.unknow;
		return;
	}
	LOG.info("OCSP certificate status: {}", certStatus);
}
/**
 * Reads the whole stream into memory, registers it as a CRL binary and closes the stream.
 *
 * @param inputStream
 *            the CRL data; closed by this method (a {@code null} stream is accepted by the resource block,
 *            presumably failing later inside {@code Utils.toByteArray} — confirm)
 * @throws DSSException
 *             wrapping any {@code IOException} raised while reading or closing
 */
private void addCRLToken(final InputStream inputStream) {
	try (InputStream source = inputStream) {
		final byte[] binaries = Utils.toByteArray(source);
		addCRLBinary(binaries);
	} catch (IOException ioe) {
		throw new DSSException(ioe);
	}
}
final CRLValidity crlValidity = getCrlValidity(crlEntry.getKey(), crlEntry.getValue(), issuerToken); if (crlValidity == null || !crlValidity.isValid()) { continue;
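/**
 * Validates the CRL against its real issuer (all validity flags true) and then tries to build a {@code CRLToken}
 * for the CA certificate itself, whose issuer is not the CRL signer; the constructor is expected to reject this
 * with a {@code DSSException}.
 *
 * @throws IOException
 *             if one of the test resources cannot be opened
 */
@Test(expected = DSSException.class)
public void wrongCertIssuer() throws IOException {
	FileDocument doc = new FileDocument("src/test/resources/crl/belgium2.crl");
	FileDocument caCert = new FileDocument("src/test/resources/belgiumrs2.crt");
	// Both certificate streams are opened as resources so they are closed even when
	// the expected DSSException propagates out of the block.
	try (InputStream crlStream = doc.openStream();
			InputStream caStreamForCrl = caCert.openStream();
			InputStream caStreamForToken = caCert.openStream()) {
		CRLValidity crlValidity = CRLUtils.isValidCRL(crlStream, DSSUtils.loadCertificate(caStreamForCrl));
		assertNotNull(crlValidity);
		assertTrue(crlValidity.isSignatureIntact());
		assertTrue(crlValidity.isCrlSignKeyUsage());
		assertTrue(crlValidity.isIssuerX509PrincipalMatches());
		new CRLToken(DSSUtils.loadCertificate(caStreamForToken), crlValidity);
	}
}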
/**
 * Checks whether the certificate is revoked (as opposed to merely on hold).
 * <p>
 * The certificate counts as revoked only when its latest revocation data reports a non-valid status with a reason
 * other than {@code certificateHold}, and the revocation date is known and lies before {@code currentTime}.
 *
 * @return {@code false} when the certificate is revoked, {@code true} otherwise
 */
@Override
protected boolean process() {
	final RevocationWrapper latest = certificate.getLatestRevocationData();
	if (latest == null || latest.isStatus()) {
		return true;
	}
	if (CRLReasonEnum.certificateHold.name().equals(latest.getReason())) {
		// A hold is handled by a separate check; it is not a revocation here.
		return true;
	}
	if (latest.getRevocationDate() == null) {
		return true;
	}
	return !currentTime.after(latest.getRevocationDate());
}
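/**
 * Builds a CRL source from classpath resource paths.
 * <p>
 * Each path is resolved with {@code getClass().getResourceAsStream(path)} and loaded through
 * {@code addCRLToken}. A path that cannot be resolved or loaded is logged and skipped, so construction never
 * fails because of a single bad resource; callers should keep in mind that such a CRL is then simply absent from
 * the source.
 *
 * @param paths
 *            classpath resource paths to be loaded as CRL
 */
public ExternalResourcesCRLSource(final String... paths) {
	for (final String pathItem : paths) {
		try {
			final InputStream resource = getClass().getResourceAsStream(pathItem);
			if (resource == null) {
				// Previously surfaced as a NullPointerException from addCRLToken; name the real cause instead.
				LOG.error("Unable to load '{}': resource not found on the classpath", pathItem);
				continue;
			}
			addCRLToken(resource);
		} catch (Exception e) {
			LOG.error("Unable to load '" + pathItem + "'", e);
		}
	}
}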
/**
 * Registers raw CRL bytes under a key derived from their SHA-256 digest (base64-encoded), so that the same CRL
 * binary added twice resolves to the same key.
 *
 * @param binaries
 *            the DER/PEM bytes of the CRL as read from its source
 */
protected void addCRLBinary(byte[] binaries) {
	final byte[] sha256 = DSSUtils.digest(DigestAlgorithm.SHA256, binaries);
	final String digestKey = Utils.toBase64(sha256);
	addCRLBinary(digestKey, binaries);
}
/**
 * Derives the revocation status of {@code certificateToken} from the CRL held in {@code crlValidity}.
 * <p>
 * The certificate's issuer must equal the subject of the CRL signer; otherwise a {@code DSSException} is thrown,
 * carrying the CRL signature problem when the signature is not intact. The CRL entry matching the certificate's
 * serial number, if any, sets {@code status} to {@code false} and fills {@code revocationDate} and {@code reason}.
 * <p>
 * NOTE(review): when the issuer does match, {@code crlValidity.isSignatureIntact()} is not re-checked here;
 * presumably callers only pass a validity that already passed {@code CRLValidity.isValid()} — confirm.
 *
 * @param certificateToken
 *            the {@code CertificateToken} which is managed by this CRL
 * @throws DSSException
 *             when the CRL was not signed by the certificate's issuer
 */
private void setRevocationStatus(final CertificateToken certificateToken) {
	final X500Principal certIssuer = certificateToken.getIssuerX500Principal();
	final CertificateToken crlSigner = crlValidity.getIssuerToken();
	final X500Principal crlSignerSubject = (crlSigner == null) ? null : crlSigner.getSubjectX500Principal();
	if (!DSSUtils.x500PrincipalAreEquals(certIssuer, crlSignerSubject)) {
		// Prefer the signature problem as the error cause when there is one.
		if (!crlValidity.isSignatureIntact()) {
			throw new DSSException(crlValidity.getSignatureInvalidityReason());
		}
		throw new DSSException("The CRLToken is not signed by the same issuer as the CertificateToken to be verified!");
	}
	final BigInteger serialNumber = certificateToken.getSerialNumber();
	final X509CRLEntry entry = CRLUtils.getRevocationInfo(crlValidity, serialNumber);
	status = (entry == null);
	if (entry != null) {
		revocationDate = entry.getRevocationDate();
		final CRLReason crlReason = entry.getRevocationReason();
		if (crlReason != null) {
			// assumes CRLReason is java.security.cert.CRLReason, whose ordinals follow the
			// RFC 5280 reason codes (including the unused slot 7) — confirm against the import
			reason = CRLReasonEnum.fromInt(crlReason.ordinal());
		}
	}
}