/* |
* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
* |
* This code is free software; you can redistribute it and/or modify it |
* under the terms of the GNU General Public License version 2 only, as |
* published by the Free Software Foundation. Oracle designates this |
* particular file as subject to the "Classpath" exception as provided |
* by Oracle in the LICENSE file that accompanied this code. |
* |
* This code is distributed in the hope that it will be useful, but WITHOUT |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
* version 2 for more details (a copy is included in the LICENSE file that |
* accompanied this code). |
* |
* You should have received a copy of the GNU General Public License version |
* 2 along with this work; if not, write to the Free Software Foundation, |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
* |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
* or visit www.oracle.com if you need additional information or have any |
* questions. |
*/ |
package sun.security.provider.certpath; |
import java.io.InputStream; |
import java.io.IOException; |
import java.io.OutputStream; |
import java.net.URI; |
import java.net.URL; |
import java.net.HttpURLConnection; |
import java.security.cert.CertificateException; |
import java.security.cert.CertPathValidatorException; |
import java.security.cert.CertPathValidatorException.BasicReason; |
import java.security.cert.CRLReason; |
import java.security.cert.Extension; |
import java.security.cert.TrustAnchor; |
import java.security.cert.X509Certificate; |
import java.util.Arrays; |
import java.util.Collections; |
import java.util.Date; |
import java.util.List; |
import java.util.Map; |
import sun.security.action.GetIntegerAction; |
import sun.security.util.Debug; |
import sun.security.validator.Validator; |
import sun.security.x509.AccessDescription; |
import sun.security.x509.AuthorityInfoAccessExtension; |
import sun.security.x509.GeneralName; |
import sun.security.x509.GeneralNameInterface; |
import sun.security.x509.PKIXExtensions; |
import sun.security.x509.URIName; |
import sun.security.x509.X509CertImpl; |
/** |
* This is a class that checks the revocation status of a certificate(s) using |
* OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of |
* the CertPathValidator framework. It is useful when you want to |
* just check the revocation status of a certificate, and you don't want to |
* incur the overhead of validating all of the certificates in the |
* associated certificate chain. |
* |
* @author Sean Mullan |
*/ |
public final class OCSP { |
// Debug sink for the "certpath" debug category. Presumably null when
// that category is not enabled, so uses should be null-checked — confirm
// against Debug.getInstance.
private static final Debug debug = Debug.getInstance("certpath");
// Fallback connect timeout in milliseconds (15 s). initializeTimeout()
// returns this when the com.sun.security.ocsp.timeout property is unset
// or negative, and otherwise converts that property from seconds to
// milliseconds, so this constant is expressed in the same unit.
private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
/**
 * Timeout length, in milliseconds, to be used for the OCSP check.
 * Derived by {@link #initializeTimeout()} from the
 * {@code com.sun.security.ocsp.timeout} system property, which is
 * specified in seconds; when that property is unset or negative,
 * {@link #DEFAULT_CONNECT_TIMEOUT} is used. A timeout of zero is
 * interpreted as an infinite timeout.
 */
private static final int CONNECT_TIMEOUT = initializeTimeout();
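/**
 * Initialize the timeout length by getting the OCSP timeout
 * system property ({@code com.sun.security.ocsp.timeout}).
 *
 * <p>The property is specified in seconds; the returned value is in
 * milliseconds. If the property has not been set, or if its value is
 * negative, the default is returned. A property value so large that the
 * conversion to milliseconds would overflow an {@code int} is saturated
 * to {@link Integer#MAX_VALUE} instead of wrapping to a negative or
 * otherwise meaningless timeout.
 *
 * @return the connect timeout in milliseconds, never negative
 */
private static int initializeTimeout() {
    Integer tmp = java.security.AccessController.doPrivileged(
            new GetIntegerAction("com.sun.security.ocsp.timeout"));
    if (tmp == null || tmp < 0) {
        return DEFAULT_CONNECT_TIMEOUT;
    }
    // Convert to milliseconds, as the system property will be
    // specified in seconds. Multiply in long arithmetic so that a
    // large configured value saturates rather than silently wrapping.
    long millis = tmp * 1000L;
    return millis > Integer.MAX_VALUE ? Integer.MAX_VALUE : (int) millis;
}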
// Not instantiable: this class is a holder for static check(...) entry points.
private OCSP() {}
/**
 * Obtains the revocation status of a certificate using OCSP.
 *
 * <p>Convenience form of the seven-argument {@code check}: no request
 * extensions are sent and the {@link Validator#VAR_GENERIC} variant is
 * used.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */

// Called by com.sun.deploy.security.TrustDecider
public static RevocationStatus check(X509Certificate cert,
                                     X509Certificate issuerCert,
                                     URI responderURI,
                                     X509Certificate responderCert,
                                     Date date)
    throws IOException, CertPathValidatorException
{
    // No OCSP request extensions on this path.
    List<Extension> noExtensions = Collections.emptyList();
    return check(cert, issuerCert, responderURI, responderCert, date,
                 noExtensions, Validator.VAR_GENERIC);
}
/**
 * Obtains the revocation status of a certificate using OCSP, including
 * the given extensions in the request.
 *
 * <p>Delegates to the overload that also accepts a {@link TrustAnchor},
 * passing {@code null} for the anchor so that the issuer is identified
 * by {@code issuerCert} alone.
 *
 * @param cert the certificate to be checked
 * @param issuerCert the issuer certificate
 * @param responderURI the URI of the OCSP responder
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request. If no extensions are requested, an empty {@code List} must
 *    be used. A {@code null} value is not allowed.
 * @param variant the variant string (for example
 *    {@link Validator#VAR_GENERIC}) passed through to OCSP response
 *    verification
 * @return the RevocationStatus
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if an exception occurs while
 *    encoding the OCSP Request or validating the OCSP Response
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date, List<Extension> extensions,
        String variant)
    throws IOException, CertPathValidatorException
{
    // No trust anchor is known on this path; the issuer certificate is
    // the only issuer information handed on.
    TrustAnchor noAnchor = null;
    return check(cert, responderURI, noAnchor, issuerCert, responderCert,
                 date, extensions, variant);
}
/**
 * Obtains the revocation status of a certificate using OCSP.
 *
 * <p>Builds a single {@code CertId} from {@code cert}'s serial number and
 * {@code issuerCert}, sends a one-entry OCSP request to
 * {@code responderURI}, has the response verified, and returns the
 * single response for that {@code CertId}.
 *
 * @param cert the certificate to be checked
 * @param responderURI the URI of the OCSP responder
 * @param anchor the trust anchor for the issuer, or {@code null} when
 *    only {@code issuerCert} is available
 * @param issuerCert the issuer certificate
 * @param responderCert the OCSP responder's certificate
 * @param date the time the validity of the OCSP responder's certificate
 *    should be checked against. If null, the current time is used.
 * @param extensions zero or more OCSP extensions to be included in the
 *    request. If no extensions are requested, an empty {@code List} must
 *    be used. A {@code null} value is not allowed.
 * @param variant the variant string passed through to OCSP response
 *    verification
 * @return the RevocationStatus for {@code cert}
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder
 * @throws CertPathValidatorException if the certificate cannot be read
 *    to build the OCSP request, or if validating the OCSP Response fails
 */
public static RevocationStatus check(X509Certificate cert,
        URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    final CertId certId;
    try {
        // The serial number is read through the internal implementation
        // class; failures to convert or parse are reported as a request
        // encoding problem.
        certId = new CertId(issuerCert,
                            X509CertImpl.toImpl(cert).getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException
            ("Exception while encoding OCSPRequest", e);
    }

    OCSPResponse.IssuerInfo issuerInfo =
        new OCSPResponse.IssuerInfo(anchor, issuerCert);
    List<CertId> requested = Collections.singletonList(certId);
    OCSPResponse response = check(requested, responderURI, issuerInfo,
                                  responderCert, date, extensions, variant);

    // The response is verified against 'requested' before it is returned;
    // getSingleResponse is assumed to then hold an entry for certId —
    // confirm, since a missing entry would surface here as a null result.
    return (RevocationStatus) response.getSingleResponse(certId);
}
/** |
* Checks the revocation status of a list of certificates using OCSP. |
* |
* @param certIds the CertIds to be checked |
* @param responderURI the URI of the OCSP responder |
* @param issuerInfo the issuer's certificate and/or subject and public key |
* @param responderCert the OCSP responder's certificate |
* @param date the time the validity of the OCSP responder's certificate |
* should be checked against. If null, the current time is used. |
* @param extensions zero or more OCSP extensions to be included in the |
* request. If no extensions are requested, an empty {@code List} must |
* be used. A {@code null} value is not allowed. |
* @return the OCSPResponse |
* @throws IOException if there is an exception connecting to or |
* communicating with the OCSP responder |
* @throws CertPathValidatorException if an exception occurs while |
* encoding the OCSP Request or validating the OCSP Response |
*/ |
static OCSPResponse check(List<CertId> certIds, URI responderURI,
                          OCSPResponse.IssuerInfo issuerInfo,
                          X509Certificate responderCert, Date date,
                          List<Extension> extensions, String variant)
    throws IOException, CertPathValidatorException
{
    // Pick up the nonce the caller placed in the request extensions, if
    // any. It is handed to verify() below; presumably verify() compares it
    // against the nonce echoed in the response so that a replayed (old)
    // response for the same CertIds is rejected. As before, the last
    // matching extension in the list wins.
    String nonceOid = PKIXExtensions.OCSPNonce_Id.toString();
    byte[] requestNonce = null;
    for (Extension requested : extensions) {
        if (requested.getId().equals(nonceOid)) {
            requestNonce = requested.getValue();
        }
    }

    try {
        // Fetch and decode. Nothing that came off the wire is trusted
        // until verify() has accepted it; the returned object is only
        // handed back after that succeeds.
        OCSPResponse parsed = new OCSPResponse(
                getOCSPBytes(certIds, responderURI, extensions));
        parsed.verify(certIds, issuerInfo, responderCert, date,
                      requestNonce, variant);
        return parsed;
    } catch (IOException ioe) {
        // Both transport failures and undecodable responses land here.
        // They are surfaced as UNDETERMINED_REVOCATION_STATUS rather than
        // as a plain IOException so the PKIX checker can apply its
        // soft-fail / hard-fail policy.
        throw new CertPathValidatorException(
            "Unable to determine revocation status due to network error",
            ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
    }
}
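/**
 * Send an OCSP request, then read and return the OCSP response bytes.
 * <p>
 * The bytes are returned exactly as received and are NOT authenticated
 * here. OCSP is normally fetched over plain HTTP, so the only integrity
 * guarantee is the responder's signature, which the caller has to check
 * (see {@code OCSPResponse.verify}). The responder URI is typically taken
 * from the AIA extension of the certificate being validated, i.e. from
 * untrusted input; for that reason only HTTP(S) URLs are accepted and both
 * the connect and the read are bounded by {@code CONNECT_TIMEOUT}.
 *
 * @param certIds the CertIds to be checked
 * @param responderURI the URI of the OCSP responder
 * @param extensions zero or more OCSP extensions to be included in the
 *    request. If no extensions are requested, an empty {@code List} must
 *    be used. A {@code null} value is not allowed.
 *
 * @return the OCSP response bytes
 *
 * @throws IOException if there is an exception connecting to or
 *    communicating with the OCSP responder, or if the responder URI is
 *    not an HTTP(S) URL
 */
public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
                                  List<Extension> extensions) throws IOException {
    OCSPRequest request = new OCSPRequest(certIds, extensions);
    byte[] bytes = request.encodeBytes();

    URL url = responderURI.toURL();
    if (debug != null) {
        debug.println("connecting to OCSP service at: " + url);
    }
    // The URI is attacker-influenced (it comes out of a certificate's AIA
    // extension). For a non-HTTP scheme such as file: or ftp: the
    // unchecked cast below would throw ClassCastException, which is not an
    // IOException and therefore bypasses the UNDETERMINED_REVOCATION_STATUS
    // handling in check(). Reject such URIs explicitly instead.
    java.net.URLConnection rawCon = url.openConnection();
    if (!(rawCon instanceof HttpURLConnection)) {
        throw new IOException(
            "OCSP responder URI is not an HTTP(S) URL: " + url);
    }
    HttpURLConnection con = (HttpURLConnection) rawCon;
    con.setConnectTimeout(CONNECT_TIMEOUT);
    con.setReadTimeout(CONNECT_TIMEOUT);
    con.setDoOutput(true);
    con.setDoInput(true);
    con.setRequestMethod("POST");
    con.setRequestProperty
        ("Content-type", "application/ocsp-request");
    con.setRequestProperty
        ("Content-length", String.valueOf(bytes.length));

    // try-with-resources: the hand-rolled finally it replaces skipped
    // out.close() whenever in.close() threw, and its close() error masked
    // the original exception; now the primary exception is kept and the
    // close failure is attached as suppressed.
    try (OutputStream out = con.getOutputStream()) {
        out.write(bytes);
        out.flush();
    }

    // Check the response (debug-only; a 4xx/5xx status surfaces as an
    // IOException from getInputStream() below)
    if (debug != null &&
        con.getResponseCode() != HttpURLConnection.HTTP_OK) {
        debug.println("Received HTTP error: " + con.getResponseCode()
            + " - " + con.getResponseMessage());
    }

    try (InputStream in = con.getInputStream()) {
        return readResponseBytes(in, con.getContentLength());
    }
}

/**
 * Reads the whole response body from {@code in}.
 * <p>
 * {@code contentLength} is only a hint: it is -1 for chunked transfers, and
 * a responder may deliver fewer bytes than it announced. The buffer
 * therefore starts small (at most 2048 bytes, or the announced length if
 * smaller) and doubles as needed; reading stops at EOF or once
 * {@code contentLength} bytes have arrived, and only the bytes actually
 * received are returned.
 * <p>
 * NOTE(review): there is no upper bound on the total size read, so a
 * misbehaving or hostile responder can make this allocate until the heap
 * is exhausted (and the {@code total * 2} growth would overflow to a
 * negative length past 2^30 bytes). Consider capping the response size.
 *
 * @param in the response stream
 * @param contentLength the Content-Length reported by the server, or -1
 * @return the bytes read
 * @throws IOException if reading fails
 */
private static byte[] readResponseBytes(InputStream in, int contentLength)
        throws IOException {
    if (contentLength == -1) {
        contentLength = Integer.MAX_VALUE;
    }
    byte[] response = new byte[contentLength > 2048 ? 2048 : contentLength];
    int total = 0;
    while (total < contentLength) {
        int count = in.read(response, total, response.length - total);
        if (count < 0) {
            break;
        }
        total += count;
        if (total >= response.length && total < contentLength) {
            response = Arrays.copyOf(response, total * 2);
        }
    }
    return Arrays.copyOf(response, total);
}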
/**
 * Returns the URI of the OCSP Responder as specified in the
 * certificate's Authority Information Access extension, or null if
 * not specified.
 * <p>
 * A certificate that cannot be converted to the internal
 * {@code X509CertImpl} form is treated as if it carried no AIA extension.
 * The returned URI originates from the certificate itself, i.e. from the
 * (so far untrusted) input being validated; code that connects to it
 * should not assume anything about its scheme or host.
 *
 * @param cert the certificate
 * @return the URI of the OCSP Responder, or null if not specified
 */
// Called by com.sun.deploy.security.TrustDecider
public static URI getResponderURI(X509Certificate cert) {
    X509CertImpl impl;
    try {
        impl = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        // treat this case as if the cert had no extension
        return null;
    }
    return getResponderURI(impl);
}
/**
 * Scans the certificate's Authority Information Access extension for an
 * OCSP access description and returns its location.
 * <p>
 * Only an accessLocation of GeneralName type URI is usable. An OCSP entry
 * carrying any other name type is skipped and the scan continues, so the
 * first usable entry in extension order wins and any later ones (e.g.
 * fallback responders) are ignored. The URI is copied out of the
 * certificate unchanged, so it is as trustworthy as the certificate.
 *
 * @param certImpl the certificate
 * @return the OCSP responder URI, or null if the certificate has no AIA
 *         extension or the extension has no OCSP entry with a URI location
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aia =
        certImpl.getAuthorityInfoAccessExtension();
    if (aia == null) {
        return null;
    }

    for (AccessDescription ad : aia.getAccessDescriptions()) {
        if (!ad.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id)) {
            continue;
        }
        GeneralName location = ad.getAccessLocation();
        if (location.getType() != GeneralNameInterface.NAME_URI) {
            // OCSP entry with a non-URI location: keep looking
            continue;
        }
        return ((URIName) location.getName()).getURI();
    }
    return null;
}
/**
 * The Revocation Status of a certificate.
 * <p>
 * One instance describes the answer for a single certificate (CertId).
 * {@link #getCertStatus()} is the value callers act on; the remaining
 * accessors only carry detail and are documented to be null when the
 * certificate has not been revoked.
 */
public static interface RevocationStatus {
    /**
     * The three possible answers. Note that UNKNOWN is a distinct answer,
     * not a synonym for GOOD: presumably it means the responder cannot
     * vouch for the certificate at all, so callers should treat it as
     * "not verified" rather than as a clean result.
     */
    public enum CertStatus { GOOD, REVOKED, UNKNOWN };

    /**
     * Returns the revocation status.
     */
    CertStatus getCertStatus();
    /**
     * Returns the time when the certificate was revoked, or null
     * if it has not been revoked.
     */
    Date getRevocationTime();
    /**
     * Returns the reason the certificate was revoked, or null if it
     * has not been revoked.
     */
    CRLReason getRevocationReason();

    /**
     * Returns a Map of additional extensions.
     * (Keyed by extension OID string, judging by the other extension
     * handling in this file -- confirm against the implementation.)
     */
    Map<String, Extension> getSingleExtensions();
}
} |