List of usage examples for java.security.cert X509CRL getRevokedCertificate
public X509CRLEntry getRevokedCertificate(X509Certificate certificate)
From source file:dk.itst.oiosaml.sp.metadata.CRLChecker.java
public void checkCertificates(IdpMetadata metadata, Configuration conf) { for (String entityId : metadata.getEntityIDs()) { Metadata md = metadata.getMetadata(entityId); for (X509Certificate certificate : md.getAllCertificates()) { String url = getCRLUrl(conf, entityId, certificate); if (url == null) { log.debug("No CRL configured in oiosaml-sp.properties, and no CRL found in certificate"); continue; }//from w w w.j av a 2 s. co m try { URL u = new URL(url); InputStream is = u.openStream(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509CRL crl = (X509CRL) cf.generateCRL(is); is.close(); if (log.isDebugEnabled()) log.debug("CRL for " + url + ": " + crl); if (!checkCRLSignature(crl, certificate, conf)) { md.setCertificateValid(certificate, false); } else { X509CRLEntry revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber()); boolean revoked = revokedCertificate != null; log.debug( "Certificate status for " + entityId + ": " + revoked + " - cert: " + certificate); Audit.log(Operation.CRLCHECK, false, entityId, "Revoked: " + revoked); md.setCertificateValid(certificate, !revoked); } } catch (MalformedURLException e) { log.error("Unable to parse url " + url, e); throw new WrappedException(Layer.BUSINESS, e); } catch (IOException e) { log.error("Unable to read CRL from " + url, e); throw new WrappedException(Layer.BUSINESS, e); } catch (GeneralSecurityException e) { throw new WrappedException(Layer.BUSINESS, e); } } } }
From source file:mitm.common.security.crl.PKIXRevocationChecker.java
private RevocationDetail getRevocationDetail(List<X509CRL> crls, X509Certificate targetCertificate, X509Certificate issuerCertificate, PublicKey issuerPublicKey, Date now) throws NoSuchProviderException { RevocationDetailImpl detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); boolean validCRLFound = false; int reasonMask = 0; for (X509CRL crl : crls) { BigInteger serialNumber = targetCertificate.getSerialNumber(); X509CRLEntry crlEntry = crl.getRevokedCertificate(serialNumber); Date revocationDate = null; if (crlEntry != null) { revocationDate = crlEntry.getRevocationDate(); if (revocationDate == null || !now.before(revocationDate)) { /*// w w w .j a v a 2 s.co m * X.509 7.3 NOTE 4 When an implementation processing a certificate revocation list does not * recognize a critical extension in the crlEntryExtensions field, it shall assume that, * at a minimum, the identified certificate has been revoked and is no longer valid and * perform additional actions concerning that revoked certificate as dictated by local policy. * * We do not need to check for unsupported critical extension because if we do not support them * we should assume that the certificate is revoked. */ // TODO: add support for onHold/removeFromCRL Integer reasonCode = null; try { reasonCode = X509CRLEntryInspector.getReasonCode(crlEntry); } catch (IOException e) { logger.error("Error retrieving reasonCode.", e); } detail = (reasonCode != null ? new RevocationDetailImpl(RevocationStatus.REVOKED, reasonCode) : new RevocationDetailImpl(RevocationStatus.REVOKED)); /* there is no need to continue because certificate is revoked */ break; } else { if (now.before(revocationDate)) { logger.info("Certificate is revoked in the future."); } } } if (hasUnsupportedCriticalExtensions(crl)) { logger.debug("The CRL has unsupported critical extensions."); detail = new RevocationDetailImpl(RevocationStatus.UNSUPPORTED_CRITICAL_EXTENSION); continue; } /* * check that the start time the CRL is valid is before the time the certificate is * no longer valid. In other words, that the expiration date of the certificate is * later than the date the CRL was issued. It is possible that the certificate was * at some point revoked but the CA removed it because the certificate is no longer * valid */ if (crl.getThisUpdate() != null && targetCertificate.getNotAfter().before(crl.getThisUpdate())) { logger.info("Certificate has expired before the CRL was valid."); continue; } try { if (X509CRLInspector.isDeltaCRL(crl)) { DeltaCRLStatus deltaStatus = getDeltaCRLStatus(targetCertificate, crl, issuerPublicKey, now); if (deltaStatus == DeltaCRLStatus.UNSUPPORTED_CRITICAL_EXTENSION) { detail = new RevocationDetailImpl(RevocationStatus.UNSUPPORTED_CRITICAL_EXTENSION); continue; } else if (deltaStatus == DeltaCRLStatus.UNKNOWN) { continue; } } else { if (!acceptCRL_6_3_3_b(targetCertificate, crl)) { logger.debug("CRL not valid according to acceptCRL_6_3_3_b."); continue; } } } catch (IOException e) { logger.error("Error inspecting CRL.", e); continue; } if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate())) { /* * an CRL cannot really expire but, when we want at least to log that the * nextUpdate is overdue */ logger.debug("The CRL next update is overdue."); /* we need to set the nextUpdate if this is a newer CRL */ if (detail.getStatus() != RevocationStatus.EXPIRED || detail.getNextUpdate() == null) { detail = new RevocationDetailImpl(RevocationStatus.EXPIRED, crl.getNextUpdate()); } else { if (crl.getNextUpdate().after(detail.getNextUpdate())) { /* the nextUpdate of the current CRL is later so it's longer valid */ detail = new RevocationDetailImpl(RevocationStatus.EXPIRED, crl.getNextUpdate()); } } continue; } try { reasonMask = reasonMask | getInterimReasonsMask(targetCertificate, crl); /* a valid crl was found. Continue search. */ validCRLFound = true; } catch (IOException e) { logger.error("Error getting interim mask.", e); } } /* * if one the CRLs was good and the certificate was not revoked we will set the * status to NOT_REVOKED */ if (validCRLFound && detail.getStatus() != RevocationStatus.REVOKED) { /* check if all reasons are covered */ if (reasonMask == allReasons) { detail = new RevocationDetailImpl(RevocationStatus.NOT_REVOKED); } else { logger.debug("Not all reasons were covered."); detail = new RevocationDetailImpl(RevocationStatus.UNKNOWN); } } return detail; }
From source file:be.fedict.trust.crl.CrlTrustLinker.java
private TrustLinkerResult processCrl(URI crlUri, X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, BigInteger baseCrlNumber) { LOG.debug("CRL URI: " + crlUri); X509CRL x509crl = this.crlRepository.findCrl(crlUri, certificate, validationDate); if (null == x509crl) { return null; }//www.ja v a2 s . c o m // check CRL integrity boolean crlIntegrityResult = checkCrlIntegrity(x509crl, certificate, validationDate); if (false == crlIntegrityResult) { return null; } // check CRL signature TrustLinkerResult trustResult = TrustValidator.checkSignatureAlgorithm(x509crl.getSigAlgName()); if (!trustResult.isValid()) { return trustResult; } // we don't support indirect CRLs if (isIndirectCRL(x509crl)) { LOG.debug("indirect CRL detected"); return null; } LOG.debug("CRL number: " + getCrlNumber(x509crl)); // check delta CRL indicator against completeCrlNuber if (null != baseCrlNumber) { BigInteger crlNumber = getDeltaCrlIndicator(x509crl); if (!baseCrlNumber.equals(crlNumber)) { LOG.error("Delta CRL indicator (" + crlNumber + ") not equals base CRL number(" + baseCrlNumber + ")"); return null; } } // fill up revocation data if not null with this valid CRL if (null != revocationData) { try { revocationData.getCrlRevocationData().add(new CRLRevocationData(x509crl.getEncoded())); } catch (CRLException e) { LOG.error("CRLException: " + e.getMessage(), e); throw new RuntimeException("CRLException : " + e.getMessage(), e); } } boolean revoked = true; X509CRLEntry crlEntry = x509crl.getRevokedCertificate(childCertificate.getSerialNumber()); if (null == crlEntry) { LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal()); revoked = false; } else if (crlEntry.getRevocationDate().after(validationDate)) { LOG.debug("CRL OK for: " + childCertificate.getSubjectX500Principal() + " at " + validationDate); revoked = false; } if (null != x509crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId())) { // Delta CRL if (!revoked) return null; } else { // Base CRL, look for delta's List<URI> deltaCrlUris = getDeltaCrlUris(x509crl); if (null != deltaCrlUris) { for (URI deltaCrlUri : deltaCrlUris) { LOG.debug("delta CRL: " + deltaCrlUri.toString()); TrustLinkerResult result = processCrl(deltaCrlUri, childCertificate, certificate, validationDate, revocationData, getCrlNumber(x509crl)); if (null != result) return result; } } } if (!revoked) return new TrustLinkerResult(true); return new TrustLinkerResult(false, TrustLinkerResultReason.INVALID_REVOCATION_STATUS, "certificate revoked by CRL=" + crlEntry.getSerialNumber()); }
From source file:org.jasig.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker.java
/** {@inheritDoc} */ public void check(final X509Certificate cert) throws GeneralSecurityException { if (cert == null) { throw new IllegalArgumentException("Certificate cannot be null."); }// w w w . j a v a2s .c o m if (log.isDebugEnabled()) { log.debug("Evaluating certificate revocation status for " + CertUtils.toString(cert)); } final X509CRL crl = getCRL(cert); if (crl == null) { log.warn("CRL data is not available for " + CertUtils.toString(cert)); this.unavailableCRLPolicy.apply(null); return; } if (CertUtils.isExpired(crl)) { log.warn("CRL data expired on " + crl.getNextUpdate()); this.expiredCRLPolicy.apply(crl); } final X509CRLEntry entry = crl.getRevokedCertificate(cert); if (entry != null) { throw new RevokedCertificateException(entry); } }
From source file:org.xdi.oxauth.cert.validation.CRLCertificateVerifier.java
@Override public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {//ww w. j a va 2 s. c o m X509Certificate issuer = issuers.get(0); ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.CRL, CertificateValidity.UNKNOWN); try { Principal subjectX500Principal = certificate.getSubjectX500Principal(); String crlURL = getCrlUri(certificate); if (crlURL == null) { log.error("CRL's URL for '" + subjectX500Principal + "' is empty"); return status; } log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'"); X509CRL x509crl = getCrl(crlURL); if (!validateCRL(x509crl, certificate, issuer, validationDate)) { log.error("The CRL is not valid!"); status.setValidity(CertificateValidity.INVALID); return status; } X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber()); if (crlEntry == null) { log.debug("CRL status is valid for '" + subjectX500Principal + "'"); status.setValidity(CertificateValidity.VALID); } else if (crlEntry.getRevocationDate().after(validationDate)) { log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate); status.setRevocationObjectIssuingTime(x509crl.getThisUpdate()); status.setValidity(CertificateValidity.VALID); } else { log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate()); status.setRevocationObjectIssuingTime(x509crl.getThisUpdate()); status.setRevocationDate(crlEntry.getRevocationDate()); status.setValidity(CertificateValidity.REVOKED); } } catch (Exception ex) { log.error("CRL exception: ", ex); } return status; }