org.xdi.oxauth.cert.validation.CRLCertificateVerifier クラス

公開メンバ関数

 CRLCertificateVerifier (final int maxCrlSize)
 
ValidationStatus validate (X509Certificate certificate, List< X509Certificate > issuers, Date validationDate)
 
X509CRL requestCRL (String url) throws IOException, MalformedURLException, CertificateException, CRLException
 
String getCrlUri (X509Certificate certificate) throws IOException
 
void destroy ()
 

非公開メンバ関数

boolean validateCRL (X509CRL x509crl, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate)
 
X509CRL getCrl (String url) throws CertificateException, CRLException, NoSuchProviderException, NoSuchParserException, StreamParsingException, MalformedURLException, IOException, ExecutionException
 
BigInteger getCrlNumber (X509CRL crl) throws IOException
 

静的非公開メンバ関数

static ASN1Primitive getExtensionValue (X509Certificate certificate, String oid) throws IOException
 

非公開変数類

int maxCrlSize
 
LoadingCache< String, X509CRL > crlCache
 

静的非公開変数類

static final Logger log = LoggerFactory.getLogger(CRLCertificateVerifier.class)
 

詳解

Certificate verifier based on CRL

著者
Yuriy Movchan
バージョン
March 10, 2016

構築子と解体子

◆ CRLCertificateVerifier()

/**
 * Creates a verifier that downloads CRLs over HTTP(S) and caches them.
 *
 * <p>Installs the BouncyCastle provider, then builds a Guava {@code LoadingCache}
 * whose loader delegates to {@link #requestCRL(String)}. A {@code null} download
 * result is rejected by the loader, so a failed fetch surfaces to
 * {@code crlCache.get} callers as an exception instead of being cached.
 *
 * @param maxCrlSize upper bound, in bytes, applied to a downloaded CRL by the bounded
 *                   stream in {@code requestCRL}; NOTE(review): the value is not
 *                   validated here — confirm what a zero or negative bound means for
 *                   the stream wrapper before relying on it
 */
public CRLCertificateVerifier(final int maxCrlSize) {
    SecurityProviderUtility.installBCProvider(true);
    this.maxCrlSize = maxCrlSize;

    // Loader: fetch, refuse a null result, hand the CRL back for caching.
    final CacheLoader<String, X509CRL> loader = new CacheLoader<String, X509CRL>() {
        @Override
        public X509CRL load(String crlURL) throws CertificateException, CRLException, NoSuchProviderException,
                NoSuchParserException, StreamParsingException, MalformedURLException, IOException, ExecutionException {
            final X509CRL downloaded = requestCRL(crlURL);
            return Preconditions.checkNotNull(downloaded);
        }
    };

    // At most 10 CRLs, each kept for 60 minutes after it was stored.
    this.crlCache = CacheBuilder.newBuilder()
            .maximumSize(10)
            .expireAfterWrite(60, TimeUnit.MINUTES)
            .build(loader);
}

関数詳解

◆ destroy()

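/**
 * Releases the cached CRLs. Implements {@code CertificateVerifier#destroy()}.
 *
 * <p>{@code cleanUp()} alone only runs the cache's pending maintenance (such as
 * evicting already-expired entries); a CRL still inside its 60-minute window would
 * survive the call. Invalidating first guarantees that nothing downloaded by this
 * verifier outlives it.
 */
public void destroy() {
    crlCache.invalidateAll();
    crlCache.cleanUp();
}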

◆ getCrl()

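/**
 * Returns the CRL published at {@code url}, served from the cache when present.
 *
 * <p>The URL comes from the certificate under validation (see {@code getCrlUri}), so it
 * is treated as untrusted: only {@code http://} and {@code https://} are accepted;
 * anything else is logged and yields {@code null}. The size of a download is bounded in
 * {@link #requestCRL(String)}.
 *
 * <p>The cache key is the URL exactly as given. The cache loader downloads whatever key
 * it receives, so lower-casing the key (as was done before) fetched a lower-cased path —
 * path and query are case-sensitive on most servers, and two distinct URLs differing
 * only in case would collide on a single cached CRL.
 *
 * @param url distribution-point URL of the CRL
 * @return the CRL, or {@code null} when {@code url} is null or not HTTP(S)
 * @throws ExecutionException when the loader fails with a checked exception; a failed
 *         download is returned as {@code null} by {@code requestCRL} and rejected by the
 *         loader's null check, so it surfaces from {@code crlCache.get} as an exception
 *         rather than being cached
 */
private X509CRL getCrl(String url) throws CertificateException, CRLException, NoSuchProviderException,
        NoSuchParserException, StreamParsingException, MalformedURLException, IOException, ExecutionException {
    if (url == null) {
        log.error("It's possbile to download CRL via HTTP and HTTPS only");
        return null;
    }
    if (!(url.startsWith("http://") || url.startsWith("https://"))) {
        log.error("It's possbile to download CRL via HTTP and HTTPS only");
        return null;
    }

    // Key exactly by the URL: the loader fetches the key it is handed.
    return crlCache.get(url);
}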

◆ getCrlNumber()

/**
 * Reads the CRLNumber extension ({@code X509Extensions.CRLNumber}) of {@code crl}.
 *
 * <p>The extension value is an OCTET STRING wrapping a DER INTEGER; both layers are
 * decoded here. The result is only used for trace logging in {@code validateCRL}.
 *
 * @param crl the CRL to inspect
 * @return the CRL number, or {@code null} when the extension is absent
 * @throws IOException on a DER decoding failure
 */
private BigInteger getCrlNumber(X509CRL crl) throws IOException {
    final byte[] extensionValue = crl.getExtensionValue(X509Extensions.CRLNumber.getId());
    if (extensionValue == null) {
        return null;
    }

    // Outer layer: the extension value is an OCTET STRING.
    final ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue));
    final DEROctetString wrapper = (DEROctetString) outer.readObject();

    // Inner layer: the octets hold the DER-encoded CRL number itself.
    final ASN1InputStream inner = new ASN1InputStream(wrapper.getOctets());
    final DERInteger number = (DERInteger) inner.readObject();

    return number.getPositiveValue();
}

◆ getCrlUri()

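/**
 * Extracts the first URI-form CRL distribution point from {@code certificate}'s
 * cRLDistributionPoints extension.
 *
 * <p>Only distribution points of type FULL_NAME are considered, and within them only
 * GeneralNames tagged uniformResourceIdentifier; the first match wins. A
 * DistributionPoint may omit the distributionPoint field altogether (the field is
 * OPTIONAL; an entry may carry only cRLIssuer/reasons), which the previous version
 * dereferenced unconditionally — such entries are now skipped instead of throwing.
 *
 * <p>The returned value is taken verbatim from the certificate being validated and is
 * therefore untrusted; {@code getCrl} restricts it to HTTP(S) before any download.
 *
 * @param certificate certificate to read the extension from
 * @return the URI string, or {@code null} when the extension is missing, cannot be
 *         decoded, or holds no URI distribution point
 * @throws IOException declared for API compatibility; decoding failures are caught,
 *         logged and reported as {@code null}
 */
public String getCrlUri(X509Certificate certificate) throws IOException {
    final ASN1Primitive extension;
    try {
        extension = getExtensionValue(certificate, Extension.cRLDistributionPoints.getId());
    } catch (IOException ex) {
        log.error("Failed to get CRL URL", ex);
        return null;
    }
    if (extension == null) {
        return null;
    }

    final CRLDistPoint distPoint = CRLDistPoint.getInstance(extension);
    for (DistributionPoint point : distPoint.getDistributionPoints()) {
        final DistributionPointName pointName = point.getDistributionPoint();
        // distributionPoint is OPTIONAL in the ASN.1 structure; skip entries without it.
        if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
            continue;
        }

        final GeneralNames generalNames = (GeneralNames) pointName.getName();
        for (GeneralName name : generalNames.getNames()) {
            if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
                continue;
            }
            final DERIA5String uri = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false);
            return uri.getString();
        }
    }

    return null;
}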

◆ getExtensionValue()

/**
 * Decodes a certificate extension into its inner ASN.1 object.
 *
 * <p>An X.509 extension value is an OCTET STRING whose contents are themselves
 * DER-encoded; this unwraps the OCTET STRING and parses what it contains.
 *
 * @param certificate the certificate from which we need the ExtensionValue
 * @param oid the Object Identifier value for the extension.
 * @return the extension value as an ASN1Primitive object, or {@code null} when the
 *         certificate carries no extension with that OID
 * @throws IOException on a DER decoding failure
 */
private static ASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
    final byte[] encoded = certificate.getExtensionValue(oid);
    if (encoded == null) {
        return null;
    }

    // Outer layer: the OCTET STRING wrapper.
    final ASN1OctetString wrapper =
            (ASN1OctetString) new ASN1InputStream(new ByteArrayInputStream(encoded)).readObject();

    // Inner layer: the extension's own DER structure.
    final ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(wrapper.getOctets()));
    return inner.readObject();
}

◆ requestCRL()

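/**
 * Downloads and parses the CRL at {@code url} over HTTP(S).
 *
 * <p>Hardening applied to this untrusted fetch:
 * <ul>
 *   <li>the response body is read through a {@code BoundedInputStream} capped at
 *       {@code maxCrlSize} bytes, so an oversized or endless body cannot exhaust memory;</li>
 *   <li>connect and read timeouts are set ({@code HttpURLConnection}'s default of 0 means
 *       wait forever), so an unresponsive distribution point cannot hang the caller;</li>
 *   <li>a non-200 status is rejected up front instead of handing an error page to the
 *       X.509 parser.</li>
 * </ul>
 * Caching is disabled on the connection so a stale intermediary copy is not used.
 *
 * @param url an {@code http://} or {@code https://} URL; another scheme would make the
 *            {@code HttpURLConnection} cast fail
 * @return the parsed CRL, or {@code null} when the download fails with an I/O error or a
 *         non-200 status (the failure is logged)
 * @throws MalformedURLException if {@code url} cannot be parsed
 * @throws CertificateException if no X.509 {@code CertificateFactory} is available
 * @throws CRLException if the body is not a parseable CRL
 * @throws IOException from opening the connection; I/O errors during the transfer are
 *         caught and reported as {@code null}
 */
public X509CRL requestCRL(String url) throws IOException, MalformedURLException, CertificateException, CRLException {
    // Conservative bound on how long a single CRL fetch may block revocation checking.
    final int timeoutMillis = 30 * 1000;

    final HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
    try {
        con.setUseCaches(false);
        con.setConnectTimeout(timeoutMillis);
        con.setReadTimeout(timeoutMillis);

        final int status = con.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            log.error("Failed to download CRL from '" + url + "': HTTP status " + status);
            return null;
        }

        final InputStream in = new BoundedInputStream(con.getInputStream(), maxCrlSize);
        try {
            final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            final X509CRL crl = (X509CRL) certificateFactory.generateCRL(in);
            if (log.isDebugEnabled()) {
                // getEncoded() re-serialises the CRL; only pay for it when the line is emitted.
                log.debug("CRL size: " + crl.getEncoded().length + " bytes");
            }
            return crl;
        } finally {
            IOUtils.closeQuietly(in);
        }
    } catch (IOException ex) {
        log.error("Failed to download CRL from '" + url + "'", ex);
    } finally {
        // con is always non-null here: openConnection() either returned it or threw.
        con.disconnect();
    }

    return null;
}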

◆ validate()

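/**
 * Determines the revocation status of {@code certificate} at {@code validationDate}
 * using the CRL named in its cRLDistributionPoints extension. Implements
 * {@code CertificateVerifier#validate}.
 *
 * <p>Only {@code issuers.get(0)} is consulted: the CRL must be issued and signed by it
 * (checked in {@code validateCRL}) before any of its entries are trusted. Outcomes:
 * <ul>
 *   <li>UNKNOWN — no CRL URL in the certificate, or any exception while fetching or
 *       parsing (logged); the caller decides how to treat an undetermined status;</li>
 *   <li>INVALID — a CRL was obtained (or none could be) and {@code validateCRL} failed;</li>
 *   <li>VALID — the serial is not listed, or is listed with a revocation date after
 *       {@code validationDate} (the certificate was still good at that instant);</li>
 *   <li>REVOKED — listed with a revocation date at or before {@code validationDate}.</li>
 * </ul>
 * Lookup is by serial number only; this relies on {@code validateCRL} having matched the
 * CRL's issuer name against the supplied issuer certificate.
 *
 * @param certificate the certificate to check
 * @param issuers issuer chain; must contain the direct issuer at index 0
 * @param validationDate the instant validity is being asked about
 * @return a status whose validity is one of the values above
 * @throws IllegalArgumentException if {@code issuers} is null or empty (previously an
 *         unchecked index or null-pointer error)
 */
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    if (issuers == null || issuers.isEmpty()) {
        throw new IllegalArgumentException("At least one issuer certificate is required to check CRL status");
    }
    final X509Certificate issuer = issuers.get(0);
    final ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate,
            ValidatorSourceType.CRL, CertificateValidity.UNKNOWN);

    try {
        final Principal subjectX500Principal = certificate.getSubjectX500Principal();

        final String crlURL = getCrlUri(certificate);
        if (crlURL == null) {
            log.error("CRL's URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("CRL's URL for '" + subjectX500Principal + "' is '" + crlURL + "'");

        final X509CRL x509crl = getCrl(crlURL);
        // validateCRL treats a null CRL (nothing downloaded) as a failed check.
        if (!validateCRL(x509crl, certificate, issuer, validationDate)) {
            log.error("The CRL is not valid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }

        final X509CRLEntry crlEntry = x509crl.getRevokedCertificate(certificate.getSerialNumber());
        if (crlEntry == null) {
            log.debug("CRL status is valid for '" + subjectX500Principal + "'");
            status.setValidity(CertificateValidity.VALID);
        } else if (crlEntry.getRevocationDate().after(validationDate)) {
            // Revoked only after the instant asked about: it was still valid then.
            log.warn("CRL revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setValidity(CertificateValidity.VALID);
        } else {
            log.info("CRL for certificate '" + subjectX500Principal + "' is revoked since " + crlEntry.getRevocationDate());
            status.setRevocationObjectIssuingTime(x509crl.getThisUpdate());
            status.setRevocationDate(crlEntry.getRevocationDate());
            status.setValidity(CertificateValidity.REVOKED);
        }
    } catch (Exception ex) {
        // Any failure (download, loader, parsing) leaves the status at UNKNOWN.
        log.error("CRL exception: ", ex);
    }

    return status;
}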

◆ validateCRL()

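/**
 * Checks that {@code x509crl} is a CRL this verifier may trust for {@code certificate}:
 * <ol>
 *   <li>a CRL was actually obtained;</li>
 *   <li>its issuer name equals the subject of {@code issuerCertificate};</li>
 *   <li>its signature verifies with {@code issuerCertificate}'s public key;</li>
 *   <li>{@code validationDate} is not past the CRL's nextUpdate (when present);</li>
 *   <li>{@code issuerCertificate} carries a KeyUsage extension with cRLSign set.</li>
 * </ol>
 * The checks run in this order; the first failure is logged and returns {@code false}.
 * A CRL whose thisUpdate is later than {@code validationDate} is accepted: its entries
 * still decide, through their revocation dates, whether the certificate was revoked at
 * that earlier instant (see {@code validate}).
 *
 * @param x509crl the downloaded CRL, possibly {@code null}
 * @param certificate the certificate being checked (used for log context only)
 * @param issuerCertificate the certificate expected to have issued and signed the CRL
 * @param validationDate the instant validity is being asked about
 * @return {@code true} when every check passes
 */
private boolean validateCRL(X509CRL x509crl, X509Certificate certificate, X509Certificate issuerCertificate, Date validationDate) {
    final Principal subjectX500Principal = certificate.getSubjectX500Principal();

    if (x509crl == null) {
        log.error("No CRL found for certificate '" + subjectX500Principal + "'");
        return false;
    }

    if (log.isTraceEnabled()) {
        try {
            log.trace("CRL number: " + getCrlNumber(x509crl));
        } catch (IOException ex) {
            log.error("Failed to get CRL number", ex);
        }
    }

    // The messages below name the issuer, so they print the issuer's subject, not the
    // end-entity's (the previous version logged the wrong principal).
    final Principal expectedIssuer = issuerCertificate.getSubjectX500Principal();
    if (!x509crl.getIssuerX500Principal().equals(expectedIssuer)) {
        log.error("The CRL must be signed by the issuer '" + expectedIssuer + "' but instead is signed by '"
                + x509crl.getIssuerX500Principal() + "'");
        return false;
    }

    // The signature binds the CRL contents to the issuer key; any failure is fatal.
    try {
        x509crl.verify(issuerCertificate.getPublicKey());
    } catch (Exception ex) {
        log.error("The signature verification for CRL cannot be performed", ex);
        return false;
    }

    // Labels match the getters (the previous version had thisUpdate/nextUpdate swapped).
    log.debug("CRL validationDate: " + validationDate);
    log.debug("CRL thisUpdate: " + x509crl.getThisUpdate());
    log.debug("CRL nextUpdate: " + x509crl.getNextUpdate());

    if (x509crl.getNextUpdate() != null && validationDate.after(x509crl.getNextUpdate())) {
        log.error("CRL is too old");
        return false;
    }

    // X509Certificate.getKeyUsage(): index 6 is the cRLSign bit.
    final boolean[] keyUsage = issuerCertificate.getKeyUsage();
    if (keyUsage == null) {
        log.error("There is no KeyUsage extension for certificate '" + expectedIssuer + "'");
        return false;
    }
    if (!keyUsage[6]) {
        log.error("cRLSign bit is not set for CRL certificate '" + expectedIssuer + "'");
        return false;
    }

    return true;
}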

メンバ詳解

◆ crlCache

LoadingCache<String, X509CRL> org.xdi.oxauth.cert.validation.CRLCertificateVerifier.crlCache
private

◆ log

final Logger org.xdi.oxauth.cert.validation.CRLCertificateVerifier.log = LoggerFactory.getLogger(CRLCertificateVerifier.class)
staticprivate

◆ maxCrlSize

int org.xdi.oxauth.cert.validation.CRLCertificateVerifier.maxCrlSize
private
