author | ascarpino |
Wed, 03 May 2017 09:04:35 -0700 | |
changeset 44920 | 5b66112437ba |
parent 43701 | fe8c324ba97c |
permissions | -rw-r--r-- |
2 | 1 |
/* |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
2 |
* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.provider.certpath; |
|
27 |
||
28 |
import java.io.*; |
|
29 |
import java.security.*; |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
30 |
import java.security.cert.CertificateException; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
31 |
import java.security.cert.CertificateParsingException; |
2 | 32 |
import java.security.cert.CertPathValidatorException; |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
33 |
import java.security.cert.CertPathValidatorException.BasicReason; |
2 | 34 |
import java.security.cert.CRLReason; |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
35 |
import java.security.cert.TrustAnchor; |
2 | 36 |
import java.security.cert.X509Certificate; |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
37 |
import java.util.ArrayList; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
38 |
import java.util.Arrays; |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
39 |
import java.util.Collections; |
2 | 40 |
import java.util.Date; |
41 |
import java.util.HashMap; |
|
42 |
import java.util.List; |
|
43 |
import java.util.Map; |
|
32032 | 44 |
import java.util.Set; |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
45 |
import javax.security.auth.x500.X500Principal; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
46 |
|
34687
d302ed125dc9
8144995: Move sun.misc.HexDumpEncoder to sun.security.util
chegar
parents:
32649
diff
changeset
|
47 |
import sun.security.util.HexDumpEncoder; |
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
48 |
import sun.security.action.GetIntegerAction; |
2 | 49 |
import sun.security.x509.*; |
50 |
import sun.security.util.*; |
|
51 |
||
52 |
/** |
|
53 |
* This class is used to process an OCSP response. |
|
54 |
* The OCSP Response is defined |
|
55 |
* in RFC 2560 and the ASN.1 encoding is as follows: |
|
56 |
* <pre> |
|
57 |
* |
|
58 |
* OCSPResponse ::= SEQUENCE { |
|
59 |
* responseStatus OCSPResponseStatus, |
|
60 |
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } |
|
61 |
* |
|
62 |
* OCSPResponseStatus ::= ENUMERATED { |
|
63 |
* successful (0), --Response has valid confirmations |
|
64 |
* malformedRequest (1), --Illegal confirmation request |
|
65 |
* internalError (2), --Internal error in issuer |
|
66 |
* tryLater (3), --Try again later |
|
67 |
* --(4) is not used |
|
68 |
* sigRequired (5), --Must sign the request |
|
69 |
* unauthorized (6) --Request unauthorized |
|
70 |
* } |
|
71 |
* |
|
72 |
* ResponseBytes ::= SEQUENCE { |
|
73 |
* responseType OBJECT IDENTIFIER, |
|
74 |
* response OCTET STRING } |
|
75 |
* |
|
76 |
* BasicOCSPResponse ::= SEQUENCE { |
|
77 |
* tbsResponseData ResponseData, |
|
78 |
* signatureAlgorithm AlgorithmIdentifier, |
|
79 |
* signature BIT STRING, |
|
80 |
* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } |
|
81 |
* |
|
82 |
* The value for signature SHALL be computed on the hash of the DER |
|
83 |
* encoding ResponseData. |
|
84 |
* |
|
85 |
* ResponseData ::= SEQUENCE { |
|
86 |
* version [0] EXPLICIT Version DEFAULT v1, |
|
87 |
* responderID ResponderID, |
|
88 |
* producedAt GeneralizedTime, |
|
89 |
* responses SEQUENCE OF SingleResponse, |
|
90 |
* responseExtensions [1] EXPLICIT Extensions OPTIONAL } |
|
91 |
* |
|
92 |
* ResponderID ::= CHOICE { |
|
93 |
* byName [1] Name, |
|
94 |
* byKey [2] KeyHash } |
|
95 |
* |
|
96 |
* KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key |
|
97 |
* (excluding the tag and length fields) |
|
98 |
* |
|
99 |
* SingleResponse ::= SEQUENCE { |
|
100 |
* certID CertID, |
|
101 |
* certStatus CertStatus, |
|
102 |
* thisUpdate GeneralizedTime, |
|
103 |
* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, |
|
104 |
* singleExtensions [1] EXPLICIT Extensions OPTIONAL } |
|
105 |
* |
|
106 |
* CertStatus ::= CHOICE { |
|
107 |
* good [0] IMPLICIT NULL, |
|
108 |
* revoked [1] IMPLICIT RevokedInfo, |
|
109 |
* unknown [2] IMPLICIT UnknownInfo } |
|
110 |
* |
|
111 |
* RevokedInfo ::= SEQUENCE { |
|
112 |
* revocationTime GeneralizedTime, |
|
113 |
* revocationReason [0] EXPLICIT CRLReason OPTIONAL } |
|
114 |
* |
|
115 |
* UnknownInfo ::= NULL -- this can be replaced with an enumeration |
|
116 |
* |
|
117 |
* </pre> |
|
118 |
* |
|
119 |
* @author Ram Marti |
|
120 |
*/ |
|
121 |
||
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
122 |
public final class OCSPResponse { |
2 | 123 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
124 |
public enum ResponseStatus { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
125 |
SUCCESSFUL, // Response has valid confirmations |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
126 |
MALFORMED_REQUEST, // Illegal request |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
127 |
INTERNAL_ERROR, // Internal error in responder |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
128 |
TRY_LATER, // Try again later |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
129 |
UNUSED, // is not used |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
130 |
SIG_REQUIRED, // Must sign the request |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
131 |
UNAUTHORIZED // Request unauthorized |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
132 |
}; |
32032 | 133 |
private static final ResponseStatus[] rsvalues = ResponseStatus.values(); |
2 | 134 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
135 |
private static final Debug debug = Debug.getInstance("certpath"); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
136 |
private static final boolean dump = debug != null && Debug.isOn("ocsp"); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
137 |
private static final ObjectIdentifier OCSP_BASIC_RESPONSE_OID = |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
138 |
ObjectIdentifier.newInternal(new int[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1}); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
139 |
private static final int CERT_STATUS_GOOD = 0; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
140 |
private static final int CERT_STATUS_REVOKED = 1; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
141 |
private static final int CERT_STATUS_UNKNOWN = 2; |
2 | 142 |
|
143 |
// ResponderID CHOICE tags |
|
144 |
private static final int NAME_TAG = 1; |
|
145 |
private static final int KEY_TAG = 2; |
|
146 |
||
147 |
// Object identifier for the OCSPSigning key purpose |
|
148 |
private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"; |
|
149 |
||
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
150 |
// Default maximum clock skew in milliseconds (15 minutes) |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
151 |
// allowed when checking validity of OCSP responses |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
152 |
private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
153 |
|
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
154 |
/** |
31703 | 155 |
* Integer value indicating the maximum allowable clock skew, |
156 |
* in milliseconds, to be used for the OCSP check. |
|
17044
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
157 |
*/ |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
158 |
private static final int MAX_CLOCK_SKEW = initializeClockSkew(); |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
159 |
|
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
160 |
/** |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
161 |
* Initialize the maximum allowable clock skew by getting the OCSP |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
162 |
* clock skew system property. If the property has not been set, or if its |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
163 |
* value is negative, set the skew to the default. |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
164 |
*/ |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
165 |
private static int initializeClockSkew() { |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
166 |
Integer tmp = java.security.AccessController.doPrivileged( |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
167 |
new GetIntegerAction("com.sun.security.ocsp.clockSkew")); |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
168 |
if (tmp == null || tmp < 0) { |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
169 |
return DEFAULT_MAX_CLOCK_SKEW; |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
170 |
} |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
171 |
// Convert to milliseconds, as the system property will be |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
172 |
// specified in seconds |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
173 |
return tmp * 1000; |
c67bf062ca30
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
mullan
parents:
13402
diff
changeset
|
174 |
} |
1567
58ef474069d7
6744888: OCSP validation code should permit some clock skew when checking validity of OCSP responses
mullan
parents:
2
diff
changeset
|
175 |
|
2 | 176 |
// an array of all of the CRLReasons (used in SingleResponse) |
32032 | 177 |
private static final CRLReason[] values = CRLReason.values(); |
2 | 178 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
179 |
private final ResponseStatus responseStatus; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
180 |
private final Map<CertId, SingleResponse> singleResponseMap; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
181 |
private final AlgorithmId sigAlgId; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
182 |
private final byte[] signature; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
183 |
private final byte[] tbsResponseData; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
184 |
private final byte[] responseNonce; |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
185 |
private List<X509CertImpl> certs; |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
186 |
private X509CertImpl signerCert = null; |
32032 | 187 |
private final ResponderId respId; |
188 |
private Date producedAtDate = null; |
|
189 |
private final Map<String, java.security.cert.Extension> responseExtensions; |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
190 |
|
2 | 191 |
/* |
192 |
* Create an OCSP response from its ASN.1 DER encoding. |
|
32032 | 193 |
* |
194 |
* @param bytes The DER-encoded bytes for an OCSP response |
|
2 | 195 |
*/ |
32032 | 196 |
public OCSPResponse(byte[] bytes) throws IOException { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
197 |
if (dump) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
198 |
HexDumpEncoder hexEnc = new HexDumpEncoder(); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
199 |
debug.println("OCSPResponse bytes...\n\n" + |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
200 |
hexEnc.encode(bytes) + "\n"); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
201 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
202 |
DerValue der = new DerValue(bytes); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
203 |
if (der.tag != DerValue.tag_Sequence) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
204 |
throw new IOException("Bad encoding in OCSP response: " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
205 |
"expected ASN.1 SEQUENCE tag."); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
206 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
207 |
DerInputStream derIn = der.getData(); |
2 | 208 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
209 |
// responseStatus |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
210 |
int status = derIn.getEnumerated(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
211 |
if (status >= 0 && status < rsvalues.length) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
212 |
responseStatus = rsvalues[status]; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
213 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
214 |
// unspecified responseStatus |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
215 |
throw new IOException("Unknown OCSPResponse status: " + status); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
216 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
217 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
218 |
debug.println("OCSP response status: " + responseStatus); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
219 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
220 |
if (responseStatus != ResponseStatus.SUCCESSFUL) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
221 |
// no need to continue, responseBytes are not set. |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
222 |
singleResponseMap = Collections.emptyMap(); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
223 |
certs = new ArrayList<X509CertImpl>(); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
224 |
sigAlgId = null; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
225 |
signature = null; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
226 |
tbsResponseData = null; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
227 |
responseNonce = null; |
32032 | 228 |
responseExtensions = Collections.emptyMap(); |
229 |
respId = null; |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
230 |
return; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
231 |
} |
2 | 232 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
233 |
// responseBytes |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
234 |
der = derIn.getDerValue(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
235 |
if (!der.isContextSpecific((byte)0)) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
236 |
throw new IOException("Bad encoding in responseBytes element " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
237 |
"of OCSP response: expected ASN.1 context specific tag 0."); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
238 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
239 |
DerValue tmp = der.data.getDerValue(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
240 |
if (tmp.tag != DerValue.tag_Sequence) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
241 |
throw new IOException("Bad encoding in responseBytes element " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
242 |
"of OCSP response: expected ASN.1 SEQUENCE tag."); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
243 |
} |
2 | 244 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
245 |
// responseType |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
246 |
derIn = tmp.data; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
247 |
ObjectIdentifier responseType = derIn.getOID(); |
32032 | 248 |
if (responseType.equals((Object)OCSP_BASIC_RESPONSE_OID)) { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
249 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
250 |
debug.println("OCSP response type: basic"); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
251 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
252 |
} else { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
253 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
254 |
debug.println("OCSP response type: " + responseType); |
2 | 255 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
256 |
throw new IOException("Unsupported OCSP response type: " + |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
257 |
responseType); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
258 |
} |
2 | 259 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
260 |
// BasicOCSPResponse |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
261 |
DerInputStream basicOCSPResponse = |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
262 |
new DerInputStream(derIn.getOctetString()); |
2 | 263 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
264 |
DerValue[] seqTmp = basicOCSPResponse.getSequence(2); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
265 |
if (seqTmp.length < 3) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
266 |
throw new IOException("Unexpected BasicOCSPResponse value"); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
267 |
} |
2 | 268 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
269 |
DerValue responseData = seqTmp[0]; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
270 |
|
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
271 |
// Need the DER encoded ResponseData to verify the signature later |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
272 |
tbsResponseData = seqTmp[0].toByteArray(); |
2 | 273 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
274 |
// tbsResponseData |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
275 |
if (responseData.tag != DerValue.tag_Sequence) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
276 |
throw new IOException("Bad encoding in tbsResponseData " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
277 |
"element of OCSP response: expected ASN.1 SEQUENCE tag."); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
278 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
279 |
DerInputStream seqDerIn = responseData.data; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
280 |
DerValue seq = seqDerIn.getDerValue(); |
2 | 281 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
282 |
// version |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
283 |
if (seq.isContextSpecific((byte)0)) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
284 |
// seq[0] is version |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
285 |
if (seq.isConstructed() && seq.isContextSpecific()) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
286 |
//System.out.println ("version is available"); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
287 |
seq = seq.data.getDerValue(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
288 |
int version = seq.getInteger(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
289 |
if (seq.data.available() != 0) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
290 |
throw new IOException("Bad encoding in version " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
291 |
" element of OCSP response: bad format"); |
2 | 292 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
293 |
seq = seqDerIn.getDerValue(); |
2 | 294 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
295 |
} |
2 | 296 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
297 |
// responderID |
32032 | 298 |
respId = new ResponderId(seq.toByteArray()); |
299 |
if (debug != null) { |
|
300 |
debug.println("Responder ID: " + respId); |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
301 |
} |
2 | 302 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
303 |
// producedAt |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
304 |
seq = seqDerIn.getDerValue(); |
32032 | 305 |
producedAtDate = seq.getGeneralizedTime(); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
306 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
307 |
debug.println("OCSP response produced at: " + producedAtDate); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
308 |
} |
2 | 309 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
310 |
// responses |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
311 |
DerValue[] singleResponseDer = seqDerIn.getSequence(1); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
312 |
singleResponseMap = new HashMap<>(singleResponseDer.length); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
313 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
314 |
debug.println("OCSP number of SingleResponses: " |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
315 |
+ singleResponseDer.length); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
316 |
} |
32032 | 317 |
for (DerValue srDer : singleResponseDer) { |
318 |
SingleResponse singleResponse = new SingleResponse(srDer); |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
319 |
singleResponseMap.put(singleResponse.getCertId(), singleResponse); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
320 |
} |
2 | 321 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
322 |
// responseExtensions |
32032 | 323 |
Map<String, java.security.cert.Extension> tmpExtMap = new HashMap<>(); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
324 |
if (seqDerIn.available() > 0) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
325 |
seq = seqDerIn.getDerValue(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
326 |
if (seq.isContextSpecific((byte)1)) { |
32032 | 327 |
tmpExtMap = parseExtensions(seq); |
2 | 328 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
329 |
} |
32032 | 330 |
responseExtensions = tmpExtMap; |
331 |
||
332 |
// Attach the nonce value if found in the extension map |
|
333 |
Extension nonceExt = (Extension)tmpExtMap.get( |
|
334 |
PKIXExtensions.OCSPNonce_Id.toString()); |
|
335 |
responseNonce = (nonceExt != null) ? |
|
336 |
nonceExt.getExtensionValue() : null; |
|
337 |
if (debug != null && responseNonce != null) { |
|
338 |
debug.println("Response nonce: " + Arrays.toString(responseNonce)); |
|
339 |
} |
|
2 | 340 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
341 |
// signatureAlgorithmId |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
342 |
sigAlgId = AlgorithmId.parse(seqTmp[1]); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
343 |
|
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
344 |
// signature |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
345 |
signature = seqTmp[2].getBitString(); |
2 | 346 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
347 |
// if seq[3] is available , then it is a sequence of certificates |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
348 |
if (seqTmp.length > 3) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
349 |
// certs are available |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
350 |
DerValue seqCert = seqTmp[3]; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
351 |
if (!seqCert.isContextSpecific((byte)0)) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
352 |
throw new IOException("Bad encoding in certs element of " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
353 |
"OCSP response: expected ASN.1 context specific tag 0."); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
354 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
355 |
DerValue[] derCerts = seqCert.getData().getSequence(3); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
356 |
certs = new ArrayList<X509CertImpl>(derCerts.length); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
357 |
try { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
358 |
for (int i = 0; i < derCerts.length; i++) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
359 |
X509CertImpl cert = |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
360 |
new X509CertImpl(derCerts[i].toByteArray()); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
361 |
certs.add(cert); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
362 |
|
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
363 |
if (debug != null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
364 |
debug.println("OCSP response cert #" + (i + 1) + ": " + |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
365 |
cert.getSubjectX500Principal()); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
366 |
} |
2 | 367 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
368 |
} catch (CertificateException ce) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
369 |
throw new IOException("Bad encoding in X509 Certificate", ce); |
2 | 370 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
371 |
} else { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
372 |
certs = new ArrayList<X509CertImpl>(); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
373 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
374 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
375 |
|
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
376 |
void verify(List<CertId> certIds, IssuerInfo issuerInfo, |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
377 |
X509Certificate responderCert, Date date, byte[] nonce, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
378 |
String variant) |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
379 |
throws CertPathValidatorException |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
380 |
{ |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
381 |
switch (responseStatus) { |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
382 |
case SUCCESSFUL: |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
383 |
break; |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
384 |
case TRY_LATER: |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
385 |
case INTERNAL_ERROR: |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
386 |
throw new CertPathValidatorException( |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
387 |
"OCSP response error: " + responseStatus, null, null, -1, |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
388 |
BasicReason.UNDETERMINED_REVOCATION_STATUS); |
19820
9ee1d7810f50
8023362: Don't allow soft-fail behavior if OCSP responder returns "unauthorized"
mullan
parents:
19045
diff
changeset
|
389 |
case UNAUTHORIZED: |
19045
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
390 |
default: |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
391 |
throw new CertPathValidatorException("OCSP response error: " + |
bc9a25fff6c5
8010748: Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option
mullan
parents:
17729
diff
changeset
|
392 |
responseStatus); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
393 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
394 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
395 |
// Check that the response includes a response for all of the |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
396 |
// certs that were supplied in the request |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
397 |
for (CertId certId : certIds) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
398 |
SingleResponse sr = getSingleResponse(certId); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
399 |
if (sr == null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
400 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
401 |
debug.println("No response found for CertId: " + certId); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
402 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
403 |
throw new CertPathValidatorException( |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
404 |
"OCSP response does not include a response for a " + |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
405 |
"certificate supplied in the OCSP request"); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
406 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
407 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
408 |
debug.println("Status of certificate (with serial number " + |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
409 |
certId.getSerialNumber() + ") is: " + sr.getCertStatus()); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
410 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
411 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
412 |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
413 |
// Locate the signer cert |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
414 |
if (signerCert == null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
415 |
// Add the Issuing CA cert and/or Trusted Responder cert to the list |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
416 |
// of certs from the OCSP response |
22063
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
417 |
try { |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
418 |
if (issuerInfo.getCertificate() != null) { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
419 |
certs.add(X509CertImpl.toImpl(issuerInfo.getCertificate())); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
420 |
} |
22063
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
421 |
if (responderCert != null) { |
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
422 |
certs.add(X509CertImpl.toImpl(responderCert)); |
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
423 |
} |
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
424 |
} catch (CertificateException ce) { |
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
425 |
throw new CertPathValidatorException( |
e5cdd7bc3564
8029788: Certificate validation - java.lang.ClassCastException
vinnie
parents:
21819
diff
changeset
|
426 |
"Invalid issuer or trusted responder certificate", ce); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
427 |
} |
2 | 428 |
|
32032 | 429 |
if (respId.getType() == ResponderId.Type.BY_NAME) { |
430 |
X500Principal rName = respId.getResponderName(); |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
431 |
for (X509CertImpl cert : certs) { |
32032 | 432 |
if (cert.getSubjectX500Principal().equals(rName)) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
433 |
signerCert = cert; |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
434 |
break; |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
435 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
436 |
} |
32032 | 437 |
} else if (respId.getType() == ResponderId.Type.BY_KEY) { |
438 |
KeyIdentifier ridKeyId = respId.getKeyIdentifier(); |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
439 |
for (X509CertImpl cert : certs) { |
22356
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
440 |
// Match responder's key identifier against the cert's SKID |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
441 |
// This will match if the SKID is encoded using the 160-bit |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
442 |
// SHA-1 hash method as defined in RFC 5280. |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
443 |
KeyIdentifier certKeyId = cert.getSubjectKeyId(); |
32032 | 444 |
if (certKeyId != null && ridKeyId.equals(certKeyId)) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
445 |
signerCert = cert; |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
446 |
break; |
22356
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
447 |
} else { |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
448 |
// The certificate does not have a SKID or may have |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
449 |
// been using a different algorithm (ex: see RFC 7093). |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
450 |
// Check if the responder's key identifier matches |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
451 |
// against a newly generated key identifier of the |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
452 |
// cert's public key using the 160-bit SHA-1 method. |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
453 |
try { |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
454 |
certKeyId = new KeyIdentifier(cert.getPublicKey()); |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
455 |
} catch (IOException e) { |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
456 |
// ignore |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
457 |
} |
32032 | 458 |
if (ridKeyId.equals(certKeyId)) { |
22356
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
459 |
signerCert = cert; |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
460 |
break; |
dc568020e87e
8031825: OCSP client can't find responder cert if it uses a different subject key id algorithm than responderID
mullan
parents:
22063
diff
changeset
|
461 |
} |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
462 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
463 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
464 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
465 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
466 |
|
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
467 |
// Check whether the signer cert returned by the responder is trusted |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
468 |
if (signerCert != null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
469 |
// Check if the response is signed by the issuing CA |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
470 |
if (signerCert.getSubjectX500Principal().equals( |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
471 |
issuerInfo.getName()) && |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
472 |
signerCert.getPublicKey().equals( |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
473 |
issuerInfo.getPublicKey())) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
474 |
if (debug != null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
475 |
debug.println("OCSP response is signed by the target's " + |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
476 |
"Issuing CA"); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
477 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
478 |
// cert is trusted, now verify the signed response |
2 | 479 |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
480 |
// Check if the response is signed by a trusted responder |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
481 |
} else if (signerCert.equals(responderCert)) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
482 |
if (debug != null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
483 |
debug.println("OCSP response is signed by a Trusted " + |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
484 |
"Responder"); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
485 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
486 |
// cert is trusted, now verify the signed response |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
487 |
|
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
488 |
// Check if the response is signed by an authorized responder |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
489 |
} else if (signerCert.getIssuerX500Principal().equals( |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
490 |
issuerInfo.getName())) { |
2 | 491 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
492 |
// Check for the OCSPSigning key purpose |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
493 |
try { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
494 |
List<String> keyPurposes = signerCert.getExtendedKeyUsage(); |
2 | 495 |
if (keyPurposes == null || |
496 |
!keyPurposes.contains(KP_OCSP_SIGNING_OID)) { |
|
497 |
throw new CertPathValidatorException( |
|
498 |
"Responder's certificate not valid for signing " + |
|
499 |
"OCSP responses"); |
|
500 |
} |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
501 |
} catch (CertificateParsingException cpe) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
502 |
// assume cert is not valid for signing |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
503 |
throw new CertPathValidatorException( |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
504 |
"Responder's certificate not valid for signing " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
505 |
"OCSP responses", cpe); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
506 |
} |
2281
34fd38495efa
6798714: OCSPResponse class has to check the validity of signing certificate for OCSP response
xuelei
parents:
1639
diff
changeset
|
507 |
|
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
508 |
// Check algorithm constraints specified in security property |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
509 |
// "jdk.certpath.disabledAlgorithms". |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
510 |
AlgorithmChecker algChecker = |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
511 |
new AlgorithmChecker(issuerInfo.getAnchor(), date, |
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
512 |
variant); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
513 |
algChecker.init(false); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
514 |
algChecker.check(signerCert, Collections.<String>emptySet()); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
515 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
516 |
// check the validity |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
517 |
try { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
518 |
if (date == null) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
519 |
signerCert.checkValidity(); |
2281
34fd38495efa
6798714: OCSPResponse class has to check the validity of signing certificate for OCSP response
xuelei
parents:
1639
diff
changeset
|
520 |
} else { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
521 |
signerCert.checkValidity(date); |
2281
34fd38495efa
6798714: OCSPResponse class has to check the validity of signing certificate for OCSP response
xuelei
parents:
1639
diff
changeset
|
522 |
} |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
523 |
} catch (CertificateException e) { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
524 |
throw new CertPathValidatorException( |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
525 |
"Responder's certificate not within the " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
526 |
"validity period", e); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
527 |
} |
2281
34fd38495efa
6798714: OCSPResponse class has to check the validity of signing certificate for OCSP response
xuelei
parents:
1639
diff
changeset
|
528 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
529 |
// check for revocation |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
530 |
// |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
531 |
// A CA may specify that an OCSP client can trust a |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
532 |
// responder for the lifetime of the responder's |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
533 |
// certificate. The CA does so by including the |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
534 |
// extension id-pkix-ocsp-nocheck. |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
535 |
// |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
536 |
Extension noCheck = |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
537 |
signerCert.getExtension(PKIXExtensions.OCSPNoCheck_Id); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
538 |
if (noCheck != null) { |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
539 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
540 |
debug.println("Responder's certificate includes " + |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
541 |
"the extension id-pkix-ocsp-nocheck."); |
2 | 542 |
} |
2281
34fd38495efa
6798714: OCSPResponse class has to check the validity of signing certificate for OCSP response
xuelei
parents:
1639
diff
changeset
|
543 |
} else { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
544 |
// we should do the revocation checking of the |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
545 |
// authorized responder in a future update. |
2 | 546 |
} |
547 |
||
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
548 |
// verify the signature |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
549 |
try { |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
550 |
signerCert.verify(issuerInfo.getPublicKey()); |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
551 |
if (debug != null) { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
552 |
debug.println("OCSP response is signed by an " + |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
553 |
"Authorized Responder"); |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
554 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
555 |
// cert is trusted, now verify the signed response |
2 | 556 |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
557 |
} catch (GeneralSecurityException e) { |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
558 |
signerCert = null; |
2 | 559 |
} |
560 |
} else { |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
561 |
throw new CertPathValidatorException( |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
562 |
"Responder's certificate is not authorized to sign " + |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
563 |
"OCSP responses"); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
564 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
565 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
566 |
|
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
567 |
// Confirm that the signed response was generated using the public |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
568 |
// key from the trusted responder cert |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
569 |
if (signerCert != null) { |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
570 |
// Check algorithm constraints specified in security property |
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
571 |
// "jdk.certpath.disabledAlgorithms". |
43701
fe8c324ba97c
8160655: Fix denyAfter and usage types for security properties
ascarpino
parents:
41562
diff
changeset
|
572 |
AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant); |
7040
659824c2a550
6792180: Enhance to reject weak algorithms or conform to crypto recommendations
xuelei
parents:
5506
diff
changeset
|
573 |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
574 |
if (!verifySignature(signerCert)) { |
2 | 575 |
throw new CertPathValidatorException( |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
576 |
"Error verifying OCSP Response's signature"); |
2 | 577 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
578 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
579 |
// Need responder's cert in order to verify the signature |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
580 |
throw new CertPathValidatorException( |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
581 |
"Unable to verify OCSP Response's signature"); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
582 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
583 |
|
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
584 |
if (nonce != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
585 |
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
586 |
throw new CertPathValidatorException("Nonces don't match"); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
587 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
588 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
589 |
|
31703 | 590 |
// Check freshness of OCSPResponse |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
591 |
long now = (date == null) ? System.currentTimeMillis() : date.getTime(); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
592 |
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
593 |
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
594 |
for (SingleResponse sr : singleResponseMap.values()) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
595 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
596 |
String until = ""; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
597 |
if (sr.nextUpdate != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
598 |
until = " until " + sr.nextUpdate; |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
599 |
} |
31703 | 600 |
debug.println("OCSP response validity interval is from " + |
32032 | 601 |
sr.thisUpdate + until); |
31703 | 602 |
debug.println("Checking validity of OCSP response on: " + |
32032 | 603 |
new Date(now)); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
604 |
} |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
605 |
|
31703 | 606 |
// Check that the test date is within the validity interval: |
607 |
// [ thisUpdate - MAX_CLOCK_SKEW, |
|
608 |
// MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ] |
|
609 |
if (nowPlusSkew.before(sr.thisUpdate) || |
|
32032 | 610 |
nowMinusSkew.after( |
31703 | 611 |
sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate)) |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
612 |
{ |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
613 |
throw new CertPathValidatorException( |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
614 |
"Response is unreliable: its validity " + |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
615 |
"interval is out-of-date"); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
616 |
} |
2 | 617 |
} |
618 |
} |
|
619 |
||
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
620 |
/** |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
621 |
* Returns the OCSP ResponseStatus. |
32032 | 622 |
* |
623 |
* @return the {@code ResponseStatus} for this OCSP response |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
624 |
*/ |
32032 | 625 |
public ResponseStatus getResponseStatus() { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
626 |
return responseStatus; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
627 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
628 |
|
2 | 629 |
/* |
630 |
* Verify the signature of the OCSP response. |
|
631 |
*/ |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
632 |
private boolean verifySignature(X509Certificate cert) |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
633 |
throws CertPathValidatorException { |
2 | 634 |
|
635 |
try { |
|
636 |
Signature respSignature = Signature.getInstance(sigAlgId.getName()); |
|
17729
90a2bf654c4f
7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate
vinnie
parents:
17044
diff
changeset
|
637 |
respSignature.initVerify(cert.getPublicKey()); |
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
638 |
respSignature.update(tbsResponseData); |
2 | 639 |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
640 |
if (respSignature.verify(signature)) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
641 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
642 |
debug.println("Verified signature of OCSP Response"); |
2 | 643 |
} |
644 |
return true; |
|
645 |
||
646 |
} else { |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
647 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
648 |
debug.println( |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
649 |
"Error verifying signature of OCSP Response"); |
2 | 650 |
} |
651 |
return false; |
|
652 |
} |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
653 |
} catch (InvalidKeyException | NoSuchAlgorithmException | |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
654 |
SignatureException e) |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
655 |
{ |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
656 |
throw new CertPathValidatorException(e); |
2 | 657 |
} |
658 |
} |
|
659 |
||
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
660 |
/** |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
661 |
* Returns the SingleResponse of the specified CertId, or null if |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
662 |
* there is no response for that CertId. |
32032 | 663 |
* |
664 |
* @param certId the {@code CertId} for a {@code SingleResponse} to be |
|
665 |
* searched for in the OCSP response. |
|
666 |
* |
|
667 |
* @return the {@code SingleResponse} for the provided {@code CertId}, |
|
668 |
* or {@code null} if it is not found. |
|
2 | 669 |
*/ |
32032 | 670 |
public SingleResponse getSingleResponse(CertId certId) { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
671 |
return singleResponseMap.get(certId); |
2 | 672 |
} |
673 |
||
32032 | 674 |
/** |
675 |
* Return a set of all CertIds in this {@code OCSPResponse} |
|
676 |
* |
|
677 |
* @return an unmodifiable set containing every {@code CertId} in this |
|
678 |
* response. |
|
679 |
*/ |
|
680 |
public Set<CertId> getCertIds() { |
|
681 |
return Collections.unmodifiableSet(singleResponseMap.keySet()); |
|
682 |
} |
|
683 |
||
2 | 684 |
/* |
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
685 |
* Returns the certificate for the authority that signed the OCSP response. |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
686 |
*/ |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
687 |
X509Certificate getSignerCertificate() { |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
688 |
return signerCert; // set in verify() |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
689 |
} |
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
690 |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
691 |
/** |
32032 | 692 |
* Get the {@code ResponderId} from this {@code OCSPResponse} |
693 |
* |
|
694 |
* @return the {@code ResponderId} from this response or {@code null} |
|
695 |
* if no responder ID is in the body of the response (e.g. a |
|
696 |
* response with a status other than SUCCESS. |
|
697 |
*/ |
|
698 |
public ResponderId getResponderId() { |
|
699 |
return respId; |
|
700 |
} |
|
701 |
||
702 |
/** |
|
703 |
* Provide a String representation of an OCSPResponse |
|
704 |
* |
|
705 |
* @return a human-readable representation of the OCSPResponse |
|
706 |
*/ |
|
707 |
@Override |
|
708 |
public String toString() { |
|
709 |
StringBuilder sb = new StringBuilder(); |
|
710 |
sb.append("OCSP Response:\n"); |
|
711 |
sb.append("Response Status: ").append(responseStatus).append("\n"); |
|
712 |
sb.append("Responder ID: ").append(respId).append("\n"); |
|
713 |
sb.append("Produced at: ").append(producedAtDate).append("\n"); |
|
714 |
int count = singleResponseMap.size(); |
|
715 |
sb.append(count).append(count == 1 ? |
|
716 |
" response:\n" : " responses:\n"); |
|
717 |
for (SingleResponse sr : singleResponseMap.values()) { |
|
718 |
sb.append(sr).append("\n"); |
|
719 |
} |
|
720 |
if (responseExtensions != null && responseExtensions.size() > 0) { |
|
721 |
count = responseExtensions.size(); |
|
722 |
sb.append(count).append(count == 1 ? |
|
723 |
" extension:\n" : " extensions:\n"); |
|
724 |
for (String extId : responseExtensions.keySet()) { |
|
725 |
sb.append(responseExtensions.get(extId)).append("\n"); |
|
726 |
} |
|
727 |
} |
|
728 |
||
729 |
return sb.toString(); |
|
730 |
} |
|
731 |
||
732 |
/** |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
733 |
* Build a String-Extension map from DER encoded data. |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
734 |
* @param derVal A {@code DerValue} object built from a SEQUENCE of |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
735 |
* extensions |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
736 |
* |
32032 | 737 |
* @return a {@code Map} using the OID in string form as the keys. If no |
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
738 |
* extensions are found or an empty SEQUENCE is passed in, then |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
739 |
* an empty {@code Map} will be returned. |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
740 |
* |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
741 |
* @throws IOException if any decoding errors occur. |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
742 |
*/ |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
743 |
private static Map<String, java.security.cert.Extension> |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
744 |
parseExtensions(DerValue derVal) throws IOException { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
745 |
DerValue[] extDer = derVal.data.getSequence(3); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
746 |
Map<String, java.security.cert.Extension> extMap = |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
747 |
new HashMap<>(extDer.length); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
748 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
749 |
for (DerValue extDerVal : extDer) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
750 |
Extension ext = new Extension(extDerVal); |
32032 | 751 |
if (debug != null) { |
752 |
debug.println("Extension: " + ext); |
|
753 |
} |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
754 |
// We don't support any extensions yet. Therefore, if it |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
755 |
// is critical we must throw an exception because we |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
756 |
// don't know how to process it. |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
757 |
if (ext.isCritical()) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
758 |
throw new IOException("Unsupported OCSP critical extension: " + |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
759 |
ext.getExtensionId()); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
760 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
761 |
extMap.put(ext.getId(), ext); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
762 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
763 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
764 |
return extMap; |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
765 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
766 |
|
21819
8cd757e836d8
8015571: OCSP validation fails if ocsp.responderCertSubjectName is set
vinnie
parents:
19820
diff
changeset
|
767 |
/* |
2 | 768 |
* A class representing a single OCSP response. |
769 |
*/ |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32032
diff
changeset
|
770 |
public static final class SingleResponse implements OCSP.RevocationStatus { |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
771 |
private final CertId certId; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
772 |
private final CertStatus certStatus; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
773 |
private final Date thisUpdate; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
774 |
private final Date nextUpdate; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
775 |
private final Date revocationTime; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
776 |
private final CRLReason revocationReason; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
777 |
private final Map<String, java.security.cert.Extension> singleExtensions; |
2 | 778 |
|
779 |
private SingleResponse(DerValue der) throws IOException { |
|
780 |
if (der.tag != DerValue.tag_Sequence) { |
|
781 |
throw new IOException("Bad ASN.1 encoding in SingleResponse"); |
|
782 |
} |
|
783 |
DerInputStream tmp = der.data; |
|
784 |
||
785 |
certId = new CertId(tmp.getDerValue().data); |
|
786 |
DerValue derVal = tmp.getDerValue(); |
|
787 |
short tag = (byte)(derVal.tag & 0x1f); |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
788 |
if (tag == CERT_STATUS_REVOKED) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
789 |
certStatus = CertStatus.REVOKED; |
2 | 790 |
revocationTime = derVal.data.getGeneralizedTime(); |
791 |
if (derVal.data.available() != 0) { |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
792 |
DerValue dv = derVal.data.getDerValue(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
793 |
tag = (byte)(dv.tag & 0x1f); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
794 |
if (tag == 0) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
795 |
int reason = dv.data.getEnumerated(); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
796 |
// if reason out-of-range just leave as UNSPECIFIED |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
797 |
if (reason >= 0 && reason < values.length) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
798 |
revocationReason = values[reason]; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
799 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
800 |
revocationReason = CRLReason.UNSPECIFIED; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
801 |
} |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
802 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
803 |
revocationReason = CRLReason.UNSPECIFIED; |
2 | 804 |
} |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
805 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
806 |
revocationReason = CRLReason.UNSPECIFIED; |
2 | 807 |
} |
808 |
// RevokedInfo |
|
12860
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
809 |
if (debug != null) { |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
810 |
debug.println("Revocation time: " + revocationTime); |
9ffbd4e43413
6854712: Revocation checking enhancements (JEP-124)
mullan
parents:
10336
diff
changeset
|
811 |
debug.println("Revocation reason: " + revocationReason); |
2 | 812 |
} |
813 |
} else { |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
814 |
revocationTime = null; |
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
815 |
revocationReason = null; |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
816 |
if (tag == CERT_STATUS_GOOD) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
817 |
certStatus = CertStatus.GOOD; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
818 |
} else if (tag == CERT_STATUS_UNKNOWN) { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
819 |
certStatus = CertStatus.UNKNOWN; |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
820 |
} else { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
821 |
throw new IOException("Invalid certificate status"); |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
822 |
} |
2 | 823 |
} |
824 |
||
825 |
thisUpdate = tmp.getGeneralizedTime(); |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
826 |
if (debug != null) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
827 |
debug.println("thisUpdate: " + thisUpdate); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
828 |
} |
2 | 829 |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
830 |
// Parse optional fields like nextUpdate and singleExtensions |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
831 |
Date tmpNextUpdate = null; |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
832 |
Map<String, java.security.cert.Extension> tmpMap = null; |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
833 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
834 |
// Check for the first optional item, it could be nextUpdate |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
835 |
// [CONTEXT 0] or singleExtensions [CONTEXT 1] |
2 | 836 |
if (tmp.available() > 0) { |
837 |
derVal = tmp.getDerValue(); |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
838 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
839 |
// nextUpdate processing |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
840 |
if (derVal.isContextSpecific((byte)0)) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
841 |
tmpNextUpdate = derVal.data.getGeneralizedTime(); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
842 |
if (debug != null) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
843 |
debug.println("nextUpdate: " + tmpNextUpdate); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
844 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
845 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
846 |
// If more data exists in the singleResponse, it |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
847 |
// can only be singleExtensions. Get this DER value |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
848 |
// for processing in the next block |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
849 |
derVal = tmp.available() > 0 ? tmp.getDerValue() : null; |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
850 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
851 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
852 |
// singleExtensions processing |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
853 |
if (derVal != null) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
854 |
if (derVal.isContextSpecific((byte)1)) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
855 |
tmpMap = parseExtensions(derVal); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
856 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
857 |
// There should not be any other items in the |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
858 |
// singleResponse at this point. |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
859 |
if (tmp.available() > 0) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
860 |
throw new IOException(tmp.available() + |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
861 |
" bytes of additional data in singleResponse"); |
31703 | 862 |
} |
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
863 |
} else { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
864 |
// Unknown item in the singleResponse |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
865 |
throw new IOException("Unsupported singleResponse " + |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
866 |
"item, tag = " + String.format("%02X", derVal.tag)); |
29484
066390a3907d
8074064: OCSPResponse.SingleResponse objects do not parse singleExtensions
jnimeh
parents:
25859
diff
changeset
|
867 |
} |
066390a3907d
8074064: OCSPResponse.SingleResponse objects do not parse singleExtensions
jnimeh
parents:
25859
diff
changeset
|
868 |
} |
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
869 |
} |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
870 |
|
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
871 |
nextUpdate = tmpNextUpdate; |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
872 |
singleExtensions = (tmpMap != null) ? tmpMap : |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
873 |
Collections.emptyMap(); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
874 |
if (debug != null) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
875 |
for (java.security.cert.Extension ext : |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
876 |
singleExtensions.values()) { |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
877 |
debug.println("singleExtension: " + ext); |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
878 |
} |
2 | 879 |
} |
880 |
} |
|
881 |
||
882 |
/* |
|
883 |
* Return the certificate's revocation status code |
|
884 |
*/ |
|
32032 | 885 |
@Override |
886 |
public CertStatus getCertStatus() { |
|
2 | 887 |
return certStatus; |
888 |
} |
|
889 |
||
32032 | 890 |
/** |
891 |
* Get the Cert ID that this SingleResponse is for. |
|
892 |
* |
|
893 |
* @return the {@code CertId} for this {@code SingleResponse} |
|
894 |
*/ |
|
895 |
public CertId getCertId() { |
|
2 | 896 |
return certId; |
897 |
} |
|
898 |
||
32032 | 899 |
/** |
900 |
* Get the {@code thisUpdate} field from this {@code SingleResponse}. |
|
901 |
* |
|
902 |
* @return a {@link Date} object containing the thisUpdate date |
|
903 |
*/ |
|
904 |
public Date getThisUpdate() { |
|
905 |
return (thisUpdate != null ? (Date) thisUpdate.clone() : null); |
|
906 |
} |
|
907 |
||
908 |
/** |
|
909 |
* Get the {@code nextUpdate} field from this {@code SingleResponse}. |
|
910 |
* |
|
911 |
* @return a {@link Date} object containing the nexUpdate date or |
|
912 |
* {@code null} if a nextUpdate field is not present in the response. |
|
913 |
*/ |
|
914 |
public Date getNextUpdate() { |
|
915 |
return (nextUpdate != null ? (Date) nextUpdate.clone() : null); |
|
916 |
} |
|
917 |
||
918 |
/** |
|
919 |
* Get the {@code revocationTime} field from this |
|
920 |
* {@code SingleResponse}. |
|
921 |
* |
|
922 |
* @return a {@link Date} object containing the revocationTime date or |
|
923 |
* {@code null} if the {@code SingleResponse} does not have a status |
|
924 |
* of {@code REVOKED}. |
|
925 |
*/ |
|
926 |
@Override |
|
927 |
public Date getRevocationTime() { |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
928 |
return (revocationTime != null ? (Date) revocationTime.clone() : |
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
929 |
null); |
2 | 930 |
} |
931 |
||
32032 | 932 |
/** |
933 |
* Get the {@code revocationReason} field for the |
|
934 |
* {@code SingleResponse}. |
|
935 |
* |
|
936 |
* @return a {@link CRLReason} containing the revocation reason, or |
|
937 |
* {@code null} if a revocation reason was not provided or the |
|
938 |
* response status is not {@code REVOKED}. |
|
939 |
*/ |
|
940 |
@Override |
|
941 |
public CRLReason getRevocationReason() { |
|
2 | 942 |
return revocationReason; |
943 |
} |
|
944 |
||
32032 | 945 |
/** |
946 |
* Get the {@code singleExtensions} for this {@code SingleResponse}. |
|
947 |
* |
|
948 |
* @return a {@link Map} of {@link Extension} objects, keyed by |
|
949 |
* their OID value in string form. |
|
950 |
*/ |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
951 |
@Override |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
952 |
public Map<String, java.security.cert.Extension> getSingleExtensions() { |
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
953 |
return Collections.unmodifiableMap(singleExtensions); |
2 | 954 |
} |
955 |
||
956 |
/** |
|
957 |
* Construct a string representation of a single OCSP response. |
|
958 |
*/ |
|
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
959 |
@Override public String toString() { |
2 | 960 |
StringBuilder sb = new StringBuilder(); |
32032 | 961 |
sb.append("SingleResponse:\n"); |
2 | 962 |
sb.append(certId); |
32032 | 963 |
sb.append("\nCertStatus: ").append(certStatus).append("\n"); |
3841
6738c111d48f
6745437: Add option to only check revocation of end-entity certificate in a chain of certificates
mullan
parents:
3314
diff
changeset
|
964 |
if (certStatus == CertStatus.REVOKED) { |
32032 | 965 |
sb.append("revocationTime is "); |
966 |
sb.append(revocationTime).append("\n"); |
|
967 |
sb.append("revocationReason is "); |
|
968 |
sb.append(revocationReason).append("\n"); |
|
2 | 969 |
} |
32032 | 970 |
sb.append("thisUpdate is ").append(thisUpdate).append("\n"); |
2 | 971 |
if (nextUpdate != null) { |
32032 | 972 |
sb.append("nextUpdate is ").append(nextUpdate).append("\n"); |
2 | 973 |
} |
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
974 |
for (java.security.cert.Extension ext : singleExtensions.values()) { |
32032 | 975 |
sb.append("singleExtension: "); |
976 |
sb.append(ext.toString()).append("\n"); |
|
31704
4727673aaa92
8077546: Restore the change to OCSPResponse in the fix for JDK-8074064
vinnie
parents:
31703
diff
changeset
|
977 |
} |
2 | 978 |
return sb.toString(); |
979 |
} |
|
980 |
} |
|
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
981 |
|
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
982 |
/** |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
983 |
* Helper class that allows consumers to pass in issuer information. This |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
984 |
* will always consist of the issuer's name and public key, but may also |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
985 |
* contain a certificate if the originating data is in that form. The |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
986 |
* trust anchor for the certificate chain will be included for certpath |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
987 |
* disabled algorithm checking. |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
988 |
*/ |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
989 |
static final class IssuerInfo { |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
990 |
private final TrustAnchor anchor; |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
991 |
private final X509Certificate certificate; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
992 |
private final X500Principal name; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
993 |
private final PublicKey pubKey; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
994 |
|
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
995 |
IssuerInfo(TrustAnchor anchor) { |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
996 |
this(anchor, (anchor != null) ? anchor.getTrustedCert() : null); |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
997 |
} |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
998 |
|
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
999 |
IssuerInfo(X509Certificate issuerCert) { |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1000 |
this(null, issuerCert); |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1001 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1002 |
|
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1003 |
IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) { |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1004 |
if (anchor == null && issuerCert == null) { |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1005 |
throw new NullPointerException("TrustAnchor and issuerCert " + |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1006 |
"cannot be null"); |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1007 |
} |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1008 |
this.anchor = anchor; |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1009 |
if (issuerCert != null) { |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1010 |
name = issuerCert.getSubjectX500Principal(); |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1011 |
pubKey = issuerCert.getPublicKey(); |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1012 |
certificate = issuerCert; |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1013 |
} else { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1014 |
name = anchor.getCA(); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1015 |
pubKey = anchor.getCAPublicKey(); |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1016 |
certificate = anchor.getTrustedCert(); |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1017 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1018 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1019 |
|
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1020 |
/** |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1021 |
* Get the certificate in this IssuerInfo if present. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1022 |
* |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1023 |
* @return the {@code X509Certificate} used to create this IssuerInfo |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1024 |
* object, or {@code null} if a certificate was not used in its |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1025 |
* creation. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1026 |
*/ |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1027 |
X509Certificate getCertificate() { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1028 |
return certificate; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1029 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1030 |
|
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1031 |
/** |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1032 |
* Get the name of this issuer. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1033 |
* |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1034 |
* @return an {@code X500Principal} corresponding to this issuer's |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1035 |
* name. If derived from an issuer's {@code X509Certificate} this |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1036 |
* would be equivalent to the certificate subject name. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1037 |
*/ |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1038 |
X500Principal getName() { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1039 |
return name; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1040 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1041 |
|
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1042 |
/** |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1043 |
* Get the public key for this issuer. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1044 |
* |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1045 |
* @return a {@code PublicKey} for this issuer. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1046 |
*/ |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1047 |
PublicKey getPublicKey() { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1048 |
return pubKey; |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1049 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1050 |
|
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1051 |
/** |
41562
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1052 |
* Get the TrustAnchor for the certificate chain. |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1053 |
* |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1054 |
* @return a {@code TrustAnchor}. |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1055 |
*/ |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1056 |
TrustAnchor getAnchor() { |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1057 |
return anchor; |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1058 |
} |
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1059 |
|
1e040ccac110
8165274: SHA1 certpath constraint check fails with OCSP certificate
ascarpino
parents:
40946
diff
changeset
|
1060 |
/** |
40946
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1061 |
* Create a string representation of this IssuerInfo. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1062 |
* |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1063 |
* @return a {@code String} form of this IssuerInfo object. |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1064 |
*/ |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1065 |
@Override |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1066 |
public String toString() { |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1067 |
StringBuilder sb = new StringBuilder(); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1068 |
sb.append("Issuer Info:\n"); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1069 |
sb.append("Name: ").append(name.toString()).append("\n"); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1070 |
sb.append("Public Key:\n").append(pubKey.toString()).append("\n"); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1071 |
return sb.toString(); |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1072 |
} |
362ab0ff2d9a
8132926: PKIXParameters built with public key form of TrustAnchor causes NPE during cert path building/validation
jnimeh
parents:
34687
diff
changeset
|
1073 |
} |
2 | 1074 |
} |