/*
 * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.provider.certpath; |
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CRLReason;
import java.security.cert.Extension;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import static sun.security.provider.certpath.OCSPResponse.*;
import sun.security.util.Debug;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl;
/**
 * Checks the revocation status of one or more certificates using OCSP.
 * It is not a PKIXCertPathChecker and therefore can be used outside of
 * the CertPathValidator framework. It is useful when you want to
 * just check the revocation status of a certificate, and you don't want to
 * incur the overhead of validating all of the certificates in the
 * associated certificate chain.
 *
 * @author Sean Mullan
 */
public final class OCSP { |
// id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2): the OCSP nonce extension that
// binds a response to a specific request. The check overloads in this class
// do not add a nonce themselves; a caller that wants one supplies it in the
// extensions list (whether OCSPRequest adds one on its own is not visible
// here).
static final ObjectIdentifier NONCE_EXTENSION_OID =
    ObjectIdentifier.newInternal(new int[]{ 1, 3, 6, 1, 5, 5, 7, 48, 1, 2});

// Debug output for the "certpath" category (enabled with
// -Djava.security.debug=certpath).
private static final Debug debug = Debug.getInstance("certpath");

// Milliseconds to wait when opening the connection to the OCSP responder;
// presumably applied to the HttpURLConnection further down the file — confirm.
private static final int CONNECT_TIMEOUT = 15000; // 15 seconds
/** Not instantiable; the class exposes only static check methods. */
private OCSP() {
}
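/**
 * Obtains the revocation status of a certificate using OCSP using the most
 * common defaults. The OCSP responder URI is retrieved from the
 * certificate's AIA extension. The OCSP responder certificate is assumed
 * to be the issuer's certificate (or issued by the issuer CA), so
 * {@code issuerCert} is passed as the responder certificate, and the
 * responder certificate's validity is checked against the current time.
 * No request extensions are sent by this overload, so no nonce ties the
 * response to this particular request; use the six-argument overload to
 * supply one.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate, also used as the responder
 *    certificate
 * @return the RevocationStatus
 * @throws NullPointerException if {@code cert} or {@code issuerCert} is null
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate carries no OCSP
 *    responder URI, or if an exception occurs while encoding the OCSP
 *    Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert)
    throws IOException, CertPathValidatorException {
    // Fail fast with a clear message instead of an NPE deep inside toImpl()
    // or CertId construction.
    Objects.requireNonNull(cert, "cert");
    Objects.requireNonNull(issuerCert, "issuerCert");
    URI responderURI;
    try {
        // The responder location comes from the certificate's AIA extension.
        responderURI = getResponderURI(X509CertImpl.toImpl(cert));
    } catch (CertificateException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }
    // A missing responder URI is a validation failure, not an I/O failure:
    // there is nothing to query.
    if (responderURI == null) {
        throw new CertPathValidatorException
            ("No OCSP Responder URI in certificate");
    }
    // Delegate to the fully-parameterized overload so that CertId
    // construction, request encoding and response handling live in one place.
    return check(cert, issuerCert, responderURI, issuerCert, null,
                 Collections.<Extension>emptyList());
}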
/**
 * Obtains the revocation status of a certificate using OCSP, sending a
 * request with no extensions. This is equivalent to calling the
 * six-argument {@code check} with an empty extension list.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date)
    throws IOException, CertPathValidatorException
{
    // No extensions means no nonce: the response is not bound to this request.
    List<Extension> noExtensions = Collections.emptyList();
    return check(cert, issuerCert, responderURI, responderCert, date,
                 noExtensions);
}
/**
 * Obtains the revocation status of a single certificate using OCSP.
 * The issuer certificate and the certificate's serial number form the
 * CertId sent to the responder; {@code extensions} are placed in the
 * request as given, and the single response for that CertId is returned.
 * Also called by com.sun.deploy.security.TrustDecider.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions the extensions to include in the OCSP request (for
 *    example a nonce); may be empty
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date, List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    final CertId certId;
    try {
        X509CertImpl impl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, impl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        // Both failures mean the request could not be built; report them
        // as a validation error rather than a transport error.
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }
    List<CertId> certIds = Collections.singletonList(certId);
    OCSPResponse response = check(certIds, responderURI, responderCert, date,
                                  extensions);
    return (RevocationStatus) response.getSingleResponse(certId);
}
/**
 * Checks the revocation status of a list of certificates using OCSP.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions the extensions to include in the OCSP request
 * @return the OCSPResponse
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
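static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions)
    throws IOException, CertPathValidatorException
{
    // 1. Build and DER-encode the request. An encoding failure is a local
    //    problem, not a network one, so it is reported as a plain
    //    CertPathValidatorException rather than a NetworkFailureException.
    OCSPRequest request;
    byte[] requestBytes;
    try {
        request = new OCSPRequest(certIds, extensions);
        requestBytes = request.encodeBytes();
    } catch (IOException ioe) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", ioe);
    }

    // 2. Sanity-check the responder URI. It is normally taken verbatim from
    //    the AIA extension of the certificate being checked, i.e. from data
    //    the peer supplied. OCSP is only defined over HTTP (RFC 2560 A.1),
    //    and any other scheme (file:, ftp:, jar:, ...) would make the
    //    HttpURLConnection cast below fail with an unchecked
    //    ClassCastException; reject it up front with the checked exception
    //    callers already handle.
    String scheme = responderURI.getScheme();
    if (scheme == null ||
        !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
        throw new CertPathValidatorException(
            "Unsupported OCSP responder URI scheme: " + scheme);
    }

    // 3. POST the request and read the response body.
    InputStream in = null;
    OutputStream out = null;
    byte[] response;
    try {
        URL url = responderURI.toURL();
        if (debug != null) {
            debug.println("connecting to OCSP service at: " + url);
        }
        HttpURLConnection con = (HttpURLConnection)url.openConnection();
        con.setConnectTimeout(CONNECT_TIMEOUT);
        con.setReadTimeout(CONNECT_TIMEOUT);
        con.setDoOutput(true);
        con.setDoInput(true);
        con.setRequestMethod("POST");
        con.setRequestProperty
            ("Content-type", "application/ocsp-request");
        con.setRequestProperty
            ("Content-length", String.valueOf(requestBytes.length));
        out = con.getOutputStream();
        out.write(requestBytes);
        out.flush();

        // Only a 200 carries an OCSP response. HttpURLConnection throws
        // on >= 400 by itself, but any other non-200 body (a 204, a
        // redirect it did not follow, ...) must not reach the DER parser
        // either, so the status is checked explicitly instead of only
        // being logged.
        int status = con.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            if (debug != null) {
                debug.println("Received HTTP error: " + status
                    + " - " + con.getResponseMessage());
            }
            throw new IOException(
                "OCSP responder returned HTTP status " + status);
        }
        in = con.getInputStream();
        response = readResponseBody(in, con.getContentLength());
    } catch (IOException ioe) {
        // Anything that went wrong talking to the responder is a network
        // failure; callers may treat that differently from a bad response.
        throw new NetworkFailureException(ioe);
    } finally {
        // Close failures are deliberately not wrapped: they propagate as
        // the declared IOException, as before.
        if (in != null) {
            in.close();
        }
        if (out != null) {
            out.close();
        }
    }

    // 4. Decode the response. A malformed body is a validation error, not
    //    a network one.
    OCSPResponse ocspResponse;
    try {
        ocspResponse = new OCSPResponse(response);
    } catch (IOException ioe) {
        // response decoding exception
        throw new CertPathValidatorException(ioe);
    }

    // 5. Verify the decoded response against what was asked for. The nonce
    //    from the request is handed over so verify() can match it against
    //    the response (presumably to reject replayed answers).
    ocspResponse.verify(certIds, responderCert, date, request.getNonce());

    return ocspResponse;
}

/**
 * Largest OCSP response body (in bytes) that check() will buffer. Real
 * responses, even ones carrying a responder certificate chain, are a few
 * kilobytes; the cap only exists so that a hostile or broken responder
 * (or anyone on the path, since OCSP normally travels over plain HTTP)
 * cannot grow the buffer without limit when no Content-Length is sent.
 */
private static final int MAX_RESPONSE_SIZE = 1024 * 1024;

/**
 * Reads an HTTP response body into a byte array, never buffering more
 * than MAX_RESPONSE_SIZE bytes.
 *
 * @param in the body stream
 * @param contentLength the advertised Content-Length, or -1 if unknown;
 *        it is a hint for when to stop, never permission to allocate
 *        that much up front
 * @return exactly the bytes read (the array is trimmed to the byte count)
 * @throws IOException if the body exceeds MAX_RESPONSE_SIZE or the read
 *         fails
 */
private static byte[] readResponseBody(InputStream in, int contentLength)
    throws IOException
{
    if (contentLength > MAX_RESPONSE_SIZE) {
        throw new IOException("OCSP response of " + contentLength
            + " bytes exceeds the limit of " + MAX_RESPONSE_SIZE);
    }
    // With a known length stop after that many bytes; otherwise read to
    // end-of-stream, but never beyond the cap.
    int wanted = (contentLength < 0) ? MAX_RESPONSE_SIZE : contentLength;
    byte[] buf = new byte[Math.min(wanted, 2048)];
    int total = 0;
    while (total < wanted) {
        if (total == buf.length) {
            // Grow geometrically but never past 'wanted', so the array
            // size can neither overflow int nor exceed the cap.
            buf = Arrays.copyOf(buf, (int) Math.min(2L * buf.length, wanted));
        }
        int count = in.read(buf, total, buf.length - total);
        if (count < 0) {
            break;
        }
        total += count;
    }
    // Reaching the cap with data still pending means the response is
    // oversized; reject it rather than hand a truncated blob to the parser.
    if (total == MAX_RESPONSE_SIZE && in.read() != -1) {
        throw new IOException("OCSP response exceeds the limit of "
            + MAX_RESPONSE_SIZE + " bytes");
    }
    return Arrays.copyOf(buf, total);
}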
/**
* Returns the URI of the OCSP Responder as specified in the
* certificate's Authority Information Access extension, or null if
* not specified.
* <p>
* The value is taken verbatim from the certificate (the first id-ad-ocsp
* access description whose location is a URI) and is not validated in
* any way; callers that connect to it should treat it as untrusted input
* and restrict it to the schemes they expect.
*
* @param cert the certificate
* @return the URI of the OCSP Responder, or null if not specified
*/
// Called by com.sun.deploy.security.TrustDecider
public static URI getResponderURI(X509Certificate cert) {
    X509CertImpl impl;
    try {
        impl = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        // A certificate that cannot be converted is handled exactly like
        // one without an AIA extension: no responder is known for it.
        return null;
    }
    // The X509CertImpl overload does the actual extension walk.
    return getResponderURI(impl);
}
static URI getResponderURI(X509CertImpl certImpl) {
    // Without an AuthorityInfoAccess extension there is nowhere to look.
    AuthorityInfoAccessExtension aia =
        certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }

    // Hand back the location of the first accessDescription whose method
    // is id-ad-ocsp and whose location is a URI. No further checks are
    // made on the value: it is whatever the certificate says it is.
    for (AccessDescription ad : aia.getAccessDescriptions()) {
        // The Object cast keeps -Xlint quiet about the equals() call.
        boolean isOcsp =
            ad.getAccessMethod().equals((Object) AccessDescription.Ad_OCSP_Id);
        if (!isOcsp) {
            continue;
        }
        GeneralName location = ad.getAccessLocation();
        if (location.getType() != GeneralNameInterface.NAME_URI) {
            continue;
        }
        return ((URIName) location.getName()).getURI();
    }
    return null;
}
/**
* The revocation status of a certificate.
*/
public interface RevocationStatus {

    /**
     * The possible status values: the certificate is known good, has
     * been revoked, or the responder does not know it (matching the
     * OCSP CertStatus choices).
     */
    enum CertStatus { GOOD, REVOKED, UNKNOWN }

    /**
     * Returns the revocation status.
     *
     * @return one of GOOD, REVOKED or UNKNOWN
     */
    CertStatus getCertStatus();

    /**
     * Returns the time when the certificate was revoked.
     *
     * @return the revocation time, or null if the certificate has not
     *         been revoked
     */
    Date getRevocationTime();

    /**
     * Returns the reason the certificate was revoked.
     *
     * @return the revocation reason, or null if the certificate has not
     *         been revoked
     */
    CRLReason getRevocationReason();

    /**
     * Returns the extensions attached to this single status entry.
     *
     * @return a Map of additional extensions, keyed by OID string
     */
    Map<String, Extension> getSingleExtensions();
}
/**
 * Thrown by check() when the OCSP responder could not be reached or the
 * HTTP exchange with it failed: every IOException raised while connecting,
 * sending the request or reading the body is wrapped in one. Being a
 * CertPathValidatorException it is caught by existing handlers, while a
 * caller that cares can tell "could not ask" from "asked and got a bad
 * answer" by type.
 */
static class NetworkFailureException extends CertPathValidatorException {
    private static final long serialVersionUID = 0L;

    /** Wraps the underlying I/O failure as this exception's cause. */
    private NetworkFailureException(IOException ioe) {
        super(ioe);
    }
}
} |