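/**
 * Finds the key in {@code keys} under which the signature on {@code crl} verifies.
 *
 * <p>Candidates are tried in the set's iteration order and the first one for which
 * {@link X509CRL#verify(PublicKey)} succeeds is returned. Each verification failure is
 * remembered so that the last one can be reported as the cause when no key matches.
 *
 * @param crl  the CRL whose signature is to be checked
 * @param keys candidate signer keys; every element must be a {@link PublicKey}
 * @return the first key under which the CRL signature verifies
 * @throws AnnotatedException if no key verifies the CRL; the cause is the last verification
 *         failure, or {@code null} when {@code keys} is empty
 * @throws ClassCastException if an element of {@code keys} is not a {@link PublicKey}
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastException = null;
    Iterator it = keys.iterator();
    while (it.hasNext())
    {
        // Cast outside the try block: a wrong element type is a caller bug and must not be
        // swallowed by the catch below and misreported as a CRL signature failure.
        PublicKey key = (PublicKey)it.next();
        try
        {
            crl.verify(key);
            return key;
        }
        catch (Exception e)
        {
            // Best-effort over the remaining keys; keep the failure for the final report.
            lastException = e;
        }
    }
    throw new AnnotatedException("Cannot verify CRL.", lastException);
}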
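/**
 * Selects, from {@code keys}, the public key that verifies the signature on {@code crl}.
 *
 * <p>Every candidate is tried in iteration order until {@link X509CRL#verify(PublicKey)}
 * succeeds. A verification failure does not stop the search; the most recent failure is kept
 * so it can be attached as the cause if no candidate succeeds.
 *
 * @param crl  the CRL to verify
 * @param keys candidate signer keys, each of which must be a {@link PublicKey}
 * @return the first key that verifies the CRL signature
 * @throws AnnotatedException if no candidate verifies the CRL (cause: the last failure, or
 *         {@code null} for an empty {@code keys})
 * @throws ClassCastException if an element of {@code keys} is not a {@link PublicKey}
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastException = null;
    Iterator it = keys.iterator();
    while (it.hasNext())
    {
        // The cast is deliberately kept out of the try block so that a non-PublicKey
        // element surfaces as a ClassCastException instead of a bogus "Cannot verify CRL.".
        PublicKey candidate = (PublicKey)it.next();
        try
        {
            crl.verify(candidate);
            return candidate;
        }
        catch (Exception e)
        {
            // Remember the failure and move on to the next candidate.
            lastException = e;
        }
    }
    throw new AnnotatedException("Cannot verify CRL.", lastException);
}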
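/**
 * Checks if an X.509 CRL you downloaded can safely replace your current CRL.
 *
 * <p>The signature on {@code newCrl} is checked against {@code rootCert} first, so that the
 * freshness checks that follow (and the CRL contents echoed into their error messages) are only
 * ever evaluated on data whose origin has been authenticated. {@code newCrl} must then not be
 * older than {@code oldCrl} and must not have expired relative to {@code now}.
 *
 * @param rootCert the certificate whose public key must have signed {@code newCrl}
 * @param oldCrl the CRL currently in use, used as the freshness floor
 * @param newCrl the untrusted replacement candidate
 * @param now the reference time for the expiry check
 * @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
 *     incorrect keys, and for invalid, old, not-yet-valid or revoked certificates; a
 *     {@link CRLException} in particular when {@code newCrl} is older than {@code oldCrl}, has
 *     expired, or carries no {@code nextUpdate} field at all
 */
public static void verifyCrl(
    X509Certificate rootCert, X509CRL oldCrl, @Tainted X509CRL newCrl, Date now)
    throws GeneralSecurityException {
  // Authenticate before inspecting: nothing below should be decided on unsigned content.
  newCrl.verify(rootCert.getPublicKey());
  if (newCrl.getThisUpdate().before(oldCrl.getThisUpdate())) {
    throw new CRLException(String.format(
        "New CRL is more out of date than our current CRL. %s < %s\n%s",
        newCrl.getThisUpdate(), oldCrl.getThisUpdate(), newCrl));
  }
  // X509CRL#getNextUpdate() returns null when the optional nextUpdate field is absent. Without
  // it there is no expiry bound, so fail closed instead of dereferencing null here.
  Date nextUpdate = newCrl.getNextUpdate();
  if (nextUpdate == null) {
    throw new CRLException("CRL has no nextUpdate field.\n" + newCrl);
  }
  if (nextUpdate.before(now)) {
    throw new CRLException("CRL has expired.\n" + newCrl);
  }
}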
/**
 * Loads the CRL for {@code tmchCaMode}, preferring a stored copy over the bundled resource.
 *
 * <p>The CRL text comes from {@link TmchCrl#get()} when a stored CRL exists; otherwise the
 * packaged resource for the mode ({@code CRL_PILOT_FILE} for {@code PILOT}, {@code CRL_FILE}
 * otherwise) is read. The parsed CRL's signature is checked against the root certificate
 * registered for the mode in {@code ROOT_CERTS} before it is returned.
 *
 * @throws GeneralSecurityException if the signature does not verify under the mode's root
 *     certificate (plus whatever {@code X509Utils.loadCrl} itself reports)
 */
@Override
public X509CRL load(final TmchCaMode tmchCaMode) throws GeneralSecurityException {
  final TmchCrl storedCrl = TmchCrl.get();
  final String crlContents = (storedCrl != null)
      ? storedCrl.getCrl()
      : readResourceUtf8(
          TmchCertificateAuthority.class, tmchCaMode == PILOT ? CRL_PILOT_FILE : CRL_FILE);
  final X509CRL crl = X509Utils.loadCrl(crlContents);
  // Only a CRL signed by this mode's root certificate is ever handed out.
  crl.verify(ROOT_CERTS.get(tmchCaMode).getPublicKey());
  return crl;
}
/**
 * Verifies the CRL signature with the issuer token's public key and records the outcome on
 * {@code crlValidity}.
 *
 * <p>On success the validity is marked as having an intact signature and the issuer token is
 * attached to it. On a {@link GeneralSecurityException} the failure reason is stored on
 * {@code crlValidity} and logged: with the full exception at TRACE level when enabled, as a
 * WARN line carrying only the message otherwise.
 */
private void checkSignatureValue(final X509CRL x509CRL, final CertificateToken issuerToken, final CRLValidity crlValidity) {
	try {
		x509CRL.verify(issuerToken.getPublicKey());
	} catch (GeneralSecurityException e) {
		final String reason = String.format("CRL Signature cannot be validated : %s", e.getMessage());
		if (LOG.isTraceEnabled()) {
			LOG.trace(reason, e);
		} else {
			LOG.warn(reason);
		}
		crlValidity.setSignatureInvalidityReason(reason);
		return;
	}
	crlValidity.setSignatureIntact(true);
	crlValidity.setIssuerToken(issuerToken);
}
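/**
 * Finds the delta CRL in {@code deltacrls} whose signature verifies under {@code key}.
 *
 * <p>Candidates are tried in iteration order and the first that verifies is returned. Each
 * verification failure is remembered; if every candidate fails, the last failure is reported.
 * An empty set yields {@code null} rather than an exception.
 *
 * @param deltacrls candidate delta CRLs; every element must be an {@link X509CRL}
 * @param key       the public key expected to have signed the delta CRL
 * @return the first verifying delta CRL, or {@code null} if {@code deltacrls} is empty
 * @throws AnnotatedException if {@code deltacrls} is non-empty and no candidate verifies
 * @throws ClassCastException if an element of {@code deltacrls} is not an {@link X509CRL}
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastException = null;
    Iterator it = deltacrls.iterator();
    while (it.hasNext())
    {
        // Cast outside the try block so that a wrong element type surfaces as the caller's
        // bug instead of being swallowed and reported as a delta CRL signature failure.
        X509CRL crl = (X509CRL)it.next();
        try
        {
            crl.verify(key);
            return crl;
        }
        catch (Exception e)
        {
            // Best-effort over the remaining candidates; keep the failure for reporting.
            lastException = e;
        }
    }
    if (lastException != null)
    {
        throw new AnnotatedException("Cannot verify delta CRL.", lastException);
    }
    return null;
}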
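/**
 * Check the signature on CRL and check if 1st certificate from the chain (the actual certificate
 * from the client) is valid and not available on CRL.
 *
 * <p>The CRL signer is located by matching the CRL issuer name against the subject of each CA
 * certificate in {@code certs[1..]}; if none matches, the truststore is consulted through
 * {@code findCRLSignatureCertificateInTruststore}. Only then is the CRL signature verified and
 * the end-entity certificate looked up in the revocation list.
 *
 * <p>NOTE(review): the CA chain arrives together with the client's certificate, so matching
 * the CRL issuer by name against it is only sound if that chain has already been validated up
 * to a trusted anchor elsewhere — confirm this against the caller.
 *
 * @param certs The 1st certificate is the actual certificate of the user. The other certificates
 *              represents the certificate chain
 * @param crl Given CRL
 * @param session the session used for the truststore fallback
 * @throws GeneralSecurityException if some error in validation happens. Typically certificate
 *             not valid, CRL signature not valid, or no certificate for the CRL issuer found
 */
public static void check(X509Certificate[] certs, X509CRL crl, KeycloakSession session) throws GeneralSecurityException {
    if (certs.length < 2) {
        throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
    }
    X500Principal crlIssuerPrincipal = crl.getIssuerX500Principal();
    X509Certificate crlSignatureCertificate = null;
    // Try to find the certificate in the CA chain, which was used to sign the CRL
    for (int i = 1; i < certs.length; i++) {
        X509Certificate currentCACert = certs[i];
        if (crlIssuerPrincipal.equals(currentCACert.getSubjectX500Principal())) {
            crlSignatureCertificate = currentCACert;
            log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuerPrincipal);
            break;
        }
    }
    // Try to find the CRL issuer certificate in the truststore
    if (crlSignatureCertificate == null) {
        log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuerPrincipal);
        crlSignatureCertificate = findCRLSignatureCertificateInTruststore(session, certs, crlIssuerPrincipal);
    }
    // Fail with a clear validation error rather than an NPE if the truststore lookup came back empty.
    if (crlSignatureCertificate == null) {
        throw new GeneralSecurityException(String.format("Not possible to verify signature on CRL. CRL issuer '%s' not found in the CA chain or the truststore", crlIssuerPrincipal));
    }
    // Verify signature on CRL
    // TODO: It will be nice to cache CRLs and also verify their signatures just once at the time when CRL is loaded, rather than in every request
    crl.verify(crlSignatureCertificate.getPublicKey());
    // Finally check if the end-entity certificate is listed in the CRL
    if (crl.isRevoked(certs[0])) {
        // getSubjectX500Principal() replaces the deprecated getSubjectDN(), matching the lookup above.
        String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectX500Principal().getName());
        log.debug(message);
        throw new GeneralSecurityException(message);
    }
}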
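/**
 * Selects, from {@code deltacrls}, the delta CRL whose signature verifies under {@code key}.
 *
 * <p>Every candidate is tried in iteration order until {@link X509CRL#verify(PublicKey)}
 * succeeds. A failure does not stop the search; the most recent failure is kept so it can be
 * reported if no candidate succeeds. An empty set produces {@code null}.
 *
 * @param deltacrls candidate delta CRLs, each of which must be an {@link X509CRL}
 * @param key       the public key expected to have signed the delta CRL
 * @return the first delta CRL that verifies, or {@code null} for an empty {@code deltacrls}
 * @throws AnnotatedException if at least one candidate was tried and none verified
 * @throws ClassCastException if an element of {@code deltacrls} is not an {@link X509CRL}
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastException = null;
    Iterator it = deltacrls.iterator();
    while (it.hasNext())
    {
        // The cast is deliberately kept out of the try block so that a non-X509CRL element
        // surfaces as a ClassCastException instead of a bogus "Cannot verify delta CRL.".
        X509CRL candidate = (X509CRL)it.next();
        try
        {
            candidate.verify(key);
            return candidate;
        }
        catch (Exception e)
        {
            // Remember the failure and move on to the next candidate.
            lastException = e;
        }
    }
    if (lastException != null)
    {
        throw new AnnotatedException("Cannot verify delta CRL.", lastException);
    }
    return null;
}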
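/**
 * Static form of {@link X509CRL#verify(PublicKey, Provider)}: verifies the signature on
 * {@code crl} with {@code key}, obtaining the signature engine from {@code sigProvider} when
 * it is non-null.
 *
 * <p>The body only delegates to the instance method on {@code crl}. NOTE(review): the original
 * comment called this the default implementation that {@code X509CRL.verify(PublicKey,
 * Provider)} calls back into; since this body delegates to that very instance method, both
 * cannot be true without recursion — confirm which direction the target JDK uses.
 *
 * @param crl the CRL whose signature is checked; must not be null
 * @param key the public key expected to have produced the signature
 * @param sigProvider the provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Name the offending parameter instead of a bare NPE from the dereference below.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}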
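/**
 * Verifies the signature on {@code crl} using {@code key}; the signature engine is taken from
 * {@code sigProvider} when one is given, from the default provider lookup otherwise.
 *
 * <p>This is a thin static delegate to {@link X509CRL#verify(PublicKey, Provider)}.
 * NOTE(review): the original comment described it as the default implementation that the
 * {@code X509CRL} instance method calls; as the body delegates back to that instance method,
 * only one of the two can delegate to the other — confirm against the target JDK.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the expected signer's public key
 * @param sigProvider provider supplying the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Explicit, named failure rather than an anonymous NPE from the call below.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}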
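/**
 * Static entry point for CRL signature verification: checks that {@code key} produced the
 * signature on {@code crl}, sourcing the signature engine from {@code sigProvider} if non-null.
 *
 * <p>Delegates to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the original
 * comment says the {@code X509CRL} instance method calls this one; given that this body calls
 * the instance method, that description can only hold if the instance method no longer
 * delegates here — verify against the target JDK before relying on either direction.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the public key of the expected signer
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Reject up front with the parameter name in the message.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}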
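/**
 * Checks the signature on {@code crl} against {@code key}, using a signature engine from
 * {@code sigProvider} when supplied and the default provider search otherwise.
 *
 * <p>A static delegate to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the
 * original comment presents this as the default implementation invoked by the instance method;
 * since the body calls that instance method, confirm against the target JDK that the instance
 * method does not in turn call this one.
 *
 * @param crl the CRL whose signature is checked; must not be null
 * @param key the expected signer's public key
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Named NPE instead of a bare one from the dereference.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}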
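/**
 * Verifies that {@code key} signed {@code crl}. The signature engine comes from
 * {@code sigProvider} if one is given, otherwise from the default provider lookup.
 *
 * <p>Simply forwards to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the
 * original comment states the instance method calls this static one; the body forwards the
 * other way, so only one of the two can hold — confirm against the target JDK.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the public key of the expected signer
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Give the NPE a parameter name rather than letting the dereference raise it.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}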
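/**
 * Static CRL signature check: confirms that {@code key} produced the signature on {@code crl},
 * obtaining the signature engine from {@code sigProvider} when that is non-null.
 *
 * <p>Implemented as a call to {@link X509CRL#verify(PublicKey, Provider)} on {@code crl}.
 * NOTE(review): the original comment claims the instance method delegates here as its default
 * implementation; the body delegates to the instance method, so check the target JDK to see
 * which side actually carries the implementation.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the expected signer's public key
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Explicit argument check with the parameter name.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}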
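/**
 * Verifies the signature on {@code crl} with {@code key}; a non-null {@code sigProvider}
 * selects the provider that supplies the signature engine.
 *
 * <p>Pure delegation to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the
 * original comment calls this the default implementation used by the instance method, which
 * cannot be literally true while the body calls that instance method — confirm against the
 * target JDK which of the two holds the real implementation.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the public key of the expected signer
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Named argument failure rather than an anonymous NPE.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}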
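/**
 * Confirms that {@code key} signed {@code crl}, taking the signature engine from
 * {@code sigProvider} when it is non-null and from the default provider lookup otherwise.
 *
 * <p>Delegates to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the original
 * comment says the instance method calls this static one as its default implementation; since
 * this body calls the instance method, that can only be true if the instance method no longer
 * delegates here — confirm against the target JDK.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the expected signer's public key
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Fail early with the parameter name in the message.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}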
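/**
 * Static form of CRL signature verification: checks the signature on {@code crl} against
 * {@code key}, sourcing the signature engine from {@code sigProvider} when one is supplied.
 *
 * <p>The body forwards to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the
 * original comment describes this as the default implementation behind that instance method;
 * the two statements are contradictory unless the instance method has its own implementation,
 * so confirm against the target JDK.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the public key of the expected signer
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Named parameter in the NPE instead of a bare dereference failure.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}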
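/**
 * Verifies the signature on {@code crl} using {@code key}, with the signature engine taken
 * from {@code sigProvider} if non-null and from the default provider lookup otherwise.
 *
 * <p>Delegates straight to {@link X509CRL#verify(PublicKey, Provider)}. NOTE(review): the
 * original comment calls this the default implementation that the instance method invokes;
 * since this body invokes the instance method, confirm against the target JDK which of the two
 * is the real implementation before relying on the comment.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the expected signer's public key
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Report the missing argument by name.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}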
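/**
 * Checks that {@code key} produced the signature on {@code crl}. When {@code sigProvider} is
 * non-null the signature engine is obtained from that provider; otherwise the default lookup
 * is used.
 *
 * <p>This is a thin static delegate to {@link X509CRL#verify(PublicKey, Provider)}.
 * NOTE(review): the original comment presents this as the default implementation that the
 * instance method calls into; given that this body calls the instance method, confirm against
 * the target JDK that the instance method does not delegate back here.
 *
 * @param crl the CRL to verify; must not be null
 * @param key the public key of the expected signer
 * @param sigProvider provider for the signature engine, or null for the default
 * @throws NullPointerException if {@code crl} is null
 * @throws CRLException on encoding errors
 * @throws NoSuchAlgorithmException on unsupported signature algorithms
 * @throws InvalidKeyException on incorrect key
 * @throws SignatureException on signature errors
 */
public static void verify(X509CRL crl, PublicKey key,
        Provider sigProvider) throws CRLException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    if (crl == null) {
        // Explicit null check naming the parameter.
        throw new NullPointerException("crl");
    }
    crl.verify(key, sigProvider);
}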