/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* OCSPChecker is a <code>PKIXCertPathChecker</code> that uses the
* Online Certificate Status Protocol (OCSP) as specified in RFC 2560
* <a href="http://www.ietf.org/rfc/rfc2560.txt">
*
* @author Ram Marti
*/
"ocsp.responderCertSubjectName";
"ocsp.responderCertSerialNumber";
private static final boolean dump = false;
private int remainingCerts;
private boolean onlyEECert = false;
/**
* Default Constructor
*
* @param certPath the X509 certification path
* @param pkixParams the input PKIX parameter set
* @throws CertPathValidatorException if OCSPChecker can not be created
*/
throws CertPathValidatorException {
this(certPath, pkixParams, false);
}
throws CertPathValidatorException {
this.pkixParams = pkixParams;
this.onlyEECert = onlyEECert;
init(false);
}
/**
* Initializes the internal state of the checker from parameters
* specified in the constructor
*/
if (!forward) {
} else {
throw new CertPathValidatorException(
"Forward checking not supported");
}
}
return false;
}
}
/**
* Sends an OCSPRequest for the certificate to the OCSP Server and
* processes the response back from the OCSP Server.
*
* @param cert the Certificate
* @param unresolvedCritExts the unresolved critical extensions
* @exception CertPathValidatorException Exception is thrown if the
* certificate has been revoked.
*/
throws CertPathValidatorException {
// Decrement the certificate counter
try {
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
}
return;
}
/*
* OCSP security property values, in the following order:
* 1. ocsp.responderURL
* 2. ocsp.responderCertSubjectName
* 3. ocsp.responderCertIssuerName
* 4. ocsp.responderCertSerialNumber
*/
// should cache these properties to avoid calling every time?
// Check whether OCSP is feasible before seeking cert information
// properties are ignored
// remove colon or space separators
throw new CertPathValidatorException(
"Must specify both ocsp.responderCertIssuerName and " +
"ocsp.responderCertSerialNumber properties");
}
// If the OCSP responder cert properties are set then the
// identified cert must be located in the trust anchors or
// in the cert stores.
boolean seekResponderCert = false;
seekResponderCert = true;
}
// Set the issuer certificate to the next cert in the chain
// (unless we're processing the final cert).
boolean seekIssuerCert = true;
seekIssuerCert = false; // done
// By default, the OCSP responder's cert is the same as the
// issuer of the cert being validated.
if (!seekResponderCert) {
"as the issuer of the certificate being validated");
}
}
}
// Check anchor certs for:
// - the issuer cert (of the cert being validated)
// - the OCSP responder's cert
if (seekIssuerCert || seekResponderCert) {
"responder certificate");
}
// Extract the anchor certs
throw new CertPathValidatorException(
"Must specify at least one trust anchor");
}
byte[] certIssuerKeyId = null;
if (dump) {
}
// Check if anchor cert is the issuer cert
if (seekIssuerCert &&
// Retrieve the issuer's key identifier
if (certIssuerKeyId == null) {
if (certIssuerKeyId == null) {
+ "in the certificate being validated");
}
}
}
// Check that the key identifiers match, if both are present
byte[] anchorKeyId = null;
if (certIssuerKeyId != null &&
(anchorKeyId =
continue; // try next cert
}
}
}
seekIssuerCert = false; // done
// By default, the OCSP responder's cert is the same as
// the issuer of the cert being validated.
" same as the issuer of the certificate " +
"being validated");
}
}
}
// Check if anchor cert is the responder cert
if (seekResponderCert) {
// Satisfy the responder subject name property only, or
// satisfy the responder issuer name and serial number
// properties only
if ((responderSubjectName != null &&
(responderIssuerName != null &&
responderSerialNumber != null &&
anchorCert.getSerialNumber()))) {
}
}
}
if (issuerCert == null) {
throw new CertPathValidatorException(
}
// Check cert stores if responder cert has not yet been found
if (seekResponderCert) {
"certificate");
}
if (responderSubjectName != null) {
filter = new X509CertSelector();
} else if (responderIssuerName != null &&
responderSerialNumber != null) {
filter = new X509CertSelector();
}
try {
} catch (CertStoreException cse) {
// ignore and try next certStore
}
continue;
}
}
}
}
}
// Could not find the certificate identified in the OCSP properties
throw new CertPathValidatorException(
"Cannot find the responder's certificate " +
"(set using the OCSP security properties).");
}
" trusted responder certificate(s)");
}
// The algorithm constraints of the OCSP trusted responder certificate
// does not need to be checked in this code. The constraints will be
// checked when the responder's certificate is validated.
try {
} catch (Exception e) {
if (e instanceof CertPathValidatorException) {
throw (CertPathValidatorException) e;
} else {
// Wrap exceptions in CertPathValidatorException so that
// we can fallback to CRLs, if enabled.
throw new CertPathValidatorException(e);
}
}
Throwable t = new CertificateRevokedException(
throw new CertPathValidatorException(t.getMessage(), t,
throw new CertPathValidatorException(
(remainingCerts - 1),
}
}
/*
* The OCSP security property values are in the following order:
* 1. ocsp.responderURL
* 2. ocsp.responderCertSubjectName
* 3. ocsp.responderCertIssuerName
* 4. ocsp.responderCertSerialNumber
*/
if (responderURL != null) {
try {
return new URI(responderURL);
} catch (URISyntaxException e) {
throw new CertPathValidatorException(e);
}
}
// Examine the certificate's AuthorityInfoAccess extension
throw new CertPathValidatorException(
"Must specify the location of an OCSP Responder");
}
}
}
}
throw new CertPathValidatorException(
"Cannot find the location of the OCSP Responder");
}
/*
* Retrieves the values of the OCSP security properties.
*/
new PrivilegedAction<Void>() {
properties[1] =
properties[2] =
properties[3] =
return null;
}
});
return properties;
}
/*
* Removes any non-hexadecimal characters from a string.
*/
}
}
}
/*
* Returns the subject key identifier for the supplied certificate, or null
*/
byte[] certSubjectKeyId = null;
try {
if (certSubjectKeyId == null) {
"certificate (Subject: " +
}
}
} catch (CertificateException e) {
// Ignore certificate
}
}
return certSubjectKeyId;
}
}