下面列出了java.security.cert.CertPathValidatorException.Reason#java.security.cert.CertPathValidatorException.BasicReason 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
* When a failure happens during certificate checking from an
* {@link X509TrustManager}, determine what TLS alert description
* to use.
*
* @param cexc The exception thrown by the {@link X509TrustManager}
*
* @return A byte value corresponding to a TLS alert description number.
*/
private static Alert getCertificateAlert(
ClientHandshakeContext chc, CertificateException cexc) {
// The specific reason for the failure will determine how to
// set the alert description value
Alert alert = Alert.CERTIFICATE_UNKNOWN;
Throwable baseCause = cexc.getCause();
if (baseCause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)baseCause;
Reason reason = cpve.getReason();
if (reason == BasicReason.REVOKED) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_REVOKED;
} else if (
reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_UNKNOWN;
}
}
return alert;
}
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Check chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits. " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
Key key = null;
if (cp.getPublicKey() != null) {
key = cp.getPublicKey();
} else if (cp.getCertificate() != null) {
key = cp.getCertificate().getPublicKey();
}
if (key != null && !permitsImpl(key)) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize limits. " +
algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
Key key = null;
if (cp.getPublicKey() != null) {
key = cp.getPublicKey();
} else if (cp.getCertificate() != null) {
key = cp.getCertificate().getPublicKey();
}
if (key != null && !permitsImpl(key)) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize limits. " +
algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Check chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits. " + algorithm + extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
public void permits(CertConstraintParameters cp)
throws CertPathValidatorException {
if (debug != null) {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Return false if the chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
"Algorithm constraints check failed on certificate " +
"anchor limits",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
public final void permits(String algorithm, ConstraintsParameters cp)
throws CertPathValidatorException {
// Check if named curves in the ConstraintParameters are disabled.
if (cp.getNamedCurve() != null) {
for (String curve : cp.getNamedCurve()) {
if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on disabled " +
"algorithm: " + curve,
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
}
algorithmConstraints.permits(algorithm, cp);
}
/**
* When a failure happens during certificate checking from an
* {@link X509TrustManager}, determine what TLS alert description
* to use.
*
* @param cexc The exception thrown by the {@link X509TrustManager}
*
* @return A byte value corresponding to a TLS alert description number.
*/
private static Alert getCertificateAlert(
ClientHandshakeContext chc, CertificateException cexc) {
// The specific reason for the failure will determine how to
// set the alert description value
Alert alert = Alert.CERTIFICATE_UNKNOWN;
Throwable baseCause = cexc.getCause();
if (baseCause instanceof CertPathValidatorException) {
CertPathValidatorException cpve =
(CertPathValidatorException)baseCause;
Reason reason = cpve.getReason();
if (reason == BasicReason.REVOKED) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_REVOKED;
} else if (
reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
alert = chc.staplingActive ?
Alert.BAD_CERT_STATUS_RESPONSE :
Alert.CERTIFICATE_UNKNOWN;
}
}
return alert;
}
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
/**
* We have a cert whose revocation status couldn't be verified by
* a CRL issued by the cert that issued the CRL. See if we can
* find a valid CRL issued by a separate key that can verify the
* revocation status of this certificate.
* <p>
* Note that this does not provide support for indirect CRLs,
* only CRLs signed with a different key (but the same issuer
* name) as the certificate being checked.
*
* @param currCert the <code>X509Certificate</code> to be checked
* @param prevKey the <code>PublicKey</code> that failed
* @param signFlag <code>true</code> if that key was trusted to sign CRLs
* @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
* whose revocation status depends on the
* non-revoked status of this cert. To avoid
* circular dependencies, we assume they're
* revoked while checking the revocation
* status of this cert.
* @throws CertPathValidatorException if the cert's revocation status
* cannot be verified successfully with another key
*/
private void verifyWithSeparateSigningKey(X509Certificate cert,
PublicKey prevKey,
boolean signFlag,
Set<X509Certificate> stackedCerts)
throws CertPathValidatorException
{
String msg = "revocation status";
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" ---checking " + msg + "...");
}
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// Try to find another key that might be able to sign
// CRLs vouching for this cert.
// If prevKey wasn't trusted, maybe we just didn't have the right
// path to it. Don't rule that key out.
if (!signFlag) {
buildToNewKey(cert, null, stackedCerts);
} else {
buildToNewKey(cert, prevKey, stackedCerts);
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
private boolean isSoftFailException(CertPathValidatorException e) {
if (softFail &&
e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
{
// recreate exception with correct index
CertPathValidatorException e2 = new CertPathValidatorException(
e.getMessage(), e.getCause(), params.certPath(), certIndex,
e.getReason());
softFailExceptions.addFirst(e2);
return true;
}
return false;
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
*/
static void check(PublicKey key, AlgorithmId algorithmId)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature algorithm: " +
sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@Override
public void permits(ConstraintsParameters cp)
throws CertPathValidatorException {
for (String usage : usages) {
String v = null;
if (usage.compareToIgnoreCase("TLSServer") == 0) {
v = Validator.VAR_TLS_SERVER;
} else if (usage.compareToIgnoreCase("TLSClient") == 0) {
v = Validator.VAR_TLS_CLIENT;
} else if (usage.compareToIgnoreCase("SignedJAR") == 0) {
v = Validator.VAR_PLUGIN_CODE_SIGNING;
}
if (debug != null) {
debug.println("Checking if usage constraint \"" + v +
"\" matches \"" + cp.getVariant() + "\"");
// Because usage checking can come from many places
// a stack trace is very helpful.
ByteArrayOutputStream ba = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(ba);
(new Exception()).printStackTrace(ps);
debug.println(ba.toString());
}
if (cp.getVariant().compareTo(v) == 0) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException("Usage constraint " +
usage + " check failed: " + algorithm +
extendedMsg(cp),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
}
public static void main(String args[]) throws Exception {
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpect exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// Activate OCSP
Security.setProperty("ocsp.enable", "true");
System.setProperty("com.sun.security.enableCRLDP", "true");
// Ensure that the ocsp.responderURL property is not set.
if (Security.getProperty("ocsp.responderURL") != null) {
throw new
Exception("The ocsp.responderURL property must not be set");
}
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
public static void main(String args[]) throws Exception {
// MD5 is used in this test case, don't disable MD5 algorithm.
Security.setProperty(
"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
CertPath path = generateCertificatePath();
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore crls = generateCertificateStore();
PKIXParameters params = new PKIXParameters(anchors);
// add the CRL store
params.addCertStore(crls);
// Activate certificate revocation checking
params.setRevocationEnabled(true);
// set the validation time
params.setDate(new Date(109, 5, 1)); // 2009-05-01
// disable OCSP checker
Security.setProperty("ocsp.enable", "false");
// enable CRL checker
System.setProperty("com.sun.security.enableCRLDP", "true");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
try {
validator.validate(path, params);
throw new Exception("unexpected status, should be REVOKED");
} catch (CertPathValidatorException cpve) {
if (cpve.getReason() != BasicReason.REVOKED) {
throw new Exception(
"unexpected exception, should be a REVOKED CPVE", cpve);
}
}
}
/**
* Checks the revocation status of a list of certificates using OCSP.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param issuerInfo the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
static OCSPResponse check(List<CertId> certIds, URI responderURI,
OCSPResponse.IssuerInfo issuerInfo,
X509Certificate responderCert, Date date,
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
byte[] nonce = null;
for (Extension ext : extensions) {
if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
OCSPResponse ocspResponse = null;
try {
byte[] response = getOCSPBytes(certIds, responderURI, extensions);
ocspResponse = new OCSPResponse(response);
// verify the response
ocspResponse.verify(certIds, issuerInfo, responderCert, date,
nonce, variant);
} catch (IOException ioe) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
return ocspResponse;
}
/**
* We have a cert whose revocation status couldn't be verified by
* a CRL issued by the cert that issued the CRL. See if we can
* find a valid CRL issued by a separate key that can verify the
* revocation status of this certificate.
* <p>
* Note that this does not provide support for indirect CRLs,
* only CRLs signed with a different key (but the same issuer
* name) as the certificate being checked.
*
* @param currCert the <code>X509Certificate</code> to be checked
* @param prevKey the <code>PublicKey</code> that failed
* @param signFlag <code>true</code> if that key was trusted to sign CRLs
* @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s>
* whose revocation status depends on the
* non-revoked status of this cert. To avoid
* circular dependencies, we assume they're
* revoked while checking the revocation
* status of this cert.
* @throws CertPathValidatorException if the cert's revocation status
* cannot be verified successfully with another key
*/
private void verifyWithSeparateSigningKey(X509Certificate cert,
PublicKey prevKey,
boolean signFlag,
Set<X509Certificate> stackedCerts)
throws CertPathValidatorException
{
String msg = "revocation status";
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" ---checking " + msg + "...");
}
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println(
"RevocationChecker.verifyWithSeparateSigningKey()" +
" circular dependency");
}
throw new CertPathValidatorException
("Could not determine revocation status", null, null, -1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
// Try to find another key that might be able to sign
// CRLs vouching for this cert.
// If prevKey wasn't trusted, maybe we just didn't have the right
// path to it. Don't rule that key out.
if (!signFlag) {
buildToNewKey(cert, null, stackedCerts);
} else {
buildToNewKey(cert, prevKey, stackedCerts);
}
}