/**
 * Builds a {@code CRLValidity} for the given CRL bytes, verifying it against the supplied issuer token.
 * <p>
 * The CRL is parsed from {@code crlBinary}; its signature algorithm, {@code thisUpdate}/{@code nextUpdate}
 * and critical extension OIDs are recorded, the issuing-distribution-point and expired-certs-on-CRL
 * extensions are extracted, and the CRL signature is checked against {@code issuerToken}. The issuer-name
 * comparison only records whether the CRL's issuer DN equals the token's subject DN; it is the signature
 * check that actually binds the CRL to the token's key, and the CRL_SIGN key-usage flag is only recorded
 * when that signature check succeeded.
 *
 * @param crlBinary
 *            {@code CRLBinary} of the CRL to be created (cannot be null)
 * @param issuerToken
 *            {@code CertificateToken} used to sign the {@code X509CRL} (cannot be null)
 * @return the populated {@code CRLValidity}
 * @throws IOException if the CRL stream cannot be opened or read
 */
@Override
public CRLValidity buildCRLValidity(final CRLBinary crlBinary, final CertificateToken issuerToken) throws IOException {
    final X509CRLValidity validity = new X509CRLValidity(crlBinary);
    try (InputStream crlStream = validity.toCRLInputStream()) {
        final X509CRL crl = loadCRL(crlStream);
        validity.setX509CRL(crl);

        // Signature algorithm is derived from the OID plus its (possibly null) parameters
        final String algorithmOid = crl.getSigAlgOID();
        final byte[] algorithmParams = crl.getSigAlgParams();
        validity.setSignatureAlgorithm(SignatureAlgorithm.forOidAndParams(algorithmOid, algorithmParams));

        validity.setThisUpdate(crl.getThisUpdate());
        validity.setNextUpdate(crl.getNextUpdate());

        // Name match only: authenticity of the CRL is established by checkSignatureValue below
        final X500Principal crlIssuer = crl.getIssuerX500Principal();
        final X500Principal tokenSubject = issuerToken.getSubject().getPrincipal();
        final boolean issuerNameMatches = crlIssuer.equals(tokenSubject);
        if (issuerNameMatches) {
            validity.setIssuerX509PrincipalMatches(true);
        }

        validity.setCriticalExtensionsOid(crl.getCriticalExtensionOIDs());
        extractIssuingDistributionPointBinary(validity, crl.getExtensionValue(Extension.issuingDistributionPoint.getId()));
        extractExpiredCertsOnCRL(validity, crl.getExtensionValue(Extension.expiredCertsOnCRL.getId()));

        checkSignatureValue(crl, issuerToken, validity);
        // Key usage is only meaningful once the signature has been shown to come from issuerToken
        if (validity.isSignatureIntact()) {
            validity.setCrlSignKeyUsage(issuerToken.checkKeyUsage(KeyUsageBit.CRL_SIGN));
        }
    }
    return validity;
}
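/**
 * Checks the signature on the CRL and verifies that the first certificate of the chain (the end-entity
 * certificate presented by the client) is not listed as revoked on it.
 * <p>
 * The CRL signer is located by matching the CRL issuer name against the subject of the CA certificates in
 * {@code certs[1..]}; if none matches, the truststore is consulted. The name match only selects a
 * candidate — {@link X509CRL#verify(java.security.PublicKey)} is what actually binds the CRL to that
 * certificate's key. This method does not check the CRL's validity window
 * ({@code thisUpdate}/{@code nextUpdate}); callers that need freshness must enforce it separately.
 *
 * @param certs   the first element is the end-entity certificate; the remaining elements are its CA chain
 * @param crl     the CRL to validate against
 * @param session the Keycloak session, used for the truststore fallback
 * @throws GeneralSecurityException if the chain is too short to identify a signer, no signer certificate
 *                                  could be found, the CRL signature does not verify, or the certificate
 *                                  is revoked
 */
public static void check(X509Certificate[] certs, X509CRL crl, KeycloakSession session) throws GeneralSecurityException {
    if (certs == null || certs.length < 2) {
        throw new GeneralSecurityException("Not possible to verify signature on CRL. X509 certificate doesn't have CA chain available on it");
    }
    X500Principal crlIssuerPrincipal = crl.getIssuerX500Principal();

    // Try to find the certificate in the CA chain, which was used to sign the CRL
    X509Certificate crlSignatureCertificate = findCrlSignerInChain(certs, crlIssuerPrincipal);

    // Try to find the CRL issuer certificate in the truststore
    if (crlSignatureCertificate == null) {
        log.tracef("Not found CRL issuer '%s' in the CA chain of the certificate. Fallback to lookup CRL issuer in the truststore", crlIssuerPrincipal);
        crlSignatureCertificate = findCRLSignatureCertificateInTruststore(session, certs, crlIssuerPrincipal);
    }
    // Fail with a meaningful error rather than an NPE if the truststore lookup yields nothing either
    if (crlSignatureCertificate == null) {
        throw new GeneralSecurityException(String.format("CRL issuer '%s' not found in the certificate chain or in the truststore", crlIssuerPrincipal));
    }

    // Verify signature on CRL
    // TODO: It will be nice to cache CRLs and also verify their signatures just once at the time when CRL is loaded, rather than in every request
    crl.verify(crlSignatureCertificate.getPublicKey());

    // Finally check whether the end-entity certificate is listed on the CRL
    if (crl.isRevoked(certs[0])) {
        // getSubjectX500Principal() replaces the deprecated getSubjectDN()
        String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectX500Principal().getName());
        log.debug(message);
        throw new GeneralSecurityException(message);
    }
}

/**
 * Returns the first CA certificate in {@code certs[1..]} whose subject equals {@code crlIssuer}, or
 * {@code null} when no chain element matches. The match is by name only; the caller must still verify the
 * CRL signature with the returned certificate's key.
 *
 * @param certs     the chain; element 0 is skipped because it is the end-entity certificate
 * @param crlIssuer the CRL issuer name to look for
 * @return the matching CA certificate, or {@code null}
 */
private static X509Certificate findCrlSignerInChain(X509Certificate[] certs, X500Principal crlIssuer) {
    for (int i = 1; i < certs.length; i++) {
        X509Certificate candidate = certs[i];
        if (crlIssuer.equals(candidate.getSubjectX500Principal())) {
            log.tracef("Found certificate used to sign CRL in the CA chain of the certificate. CRL issuer: %s", crlIssuer);
            return candidate;
        }
    }
    return null;
}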
/**
 * Registers {@code crl} under its issuer name so it can later be looked up by issuer.
 * <p>
 * The backing map is keyed by the CRL's issuer {@link X500Principal}; assuming a standard {@code Map},
 * a CRL already stored for the same issuer is replaced by the new one.
 *
 * @param crl the CRL to add
 */
protected void addCrl(final X509CRL crl) {
    final X500Principal crlIssuer = crl.getIssuerX500Principal();
    logger.debug("Adding CRL for issuer {}", crlIssuer);
    crlIssuerMap.put(crlIssuer, crl);
}
/**
 * Returns the issuer of {@code crl} as an {@link X500Principal}.
 *
 * @param crl the CRL whose issuer is wanted (must not be null)
 * @return the CRL issuer principal
 */
protected static X500Principal getIssuerPrincipal(X509CRL crl) {
    final X500Principal issuer = crl.getIssuerX500Principal();
    return issuer;
}
/**
 * Convenience accessor for the issuer name of a CRL.
 *
 * @param crl the CRL to read (must not be null)
 * @return {@code crl.getIssuerX500Principal()}
 */
protected static X500Principal getIssuerPrincipal(X509CRL crl) {
    return crl.getIssuerX500Principal();
}