
公開メンバ関数

 OCSPCertificateVerifier ()
 
ValidationStatus validate (X509Certificate certificate, List< X509Certificate > issuers, Date validationDate)
 
OCSPResp requestOCSPResponse (String url, OCSPReq ocspReq) throws IOException, MalformedURLException
 
void destroy ()
 

非公開メンバ関数

OCSPReq generateOCSPRequest (CertificateID certificateId) throws OCSPException, OperatorCreationException, CertificateEncodingException
 
String getOCSPUrl (X509Certificate certificate) throws IOException
 

静的非公開メンバ関数

static ASN1Primitive getExtensionValue (X509Certificate certificate, String oid) throws IOException
 

静的非公開変数類

static final Logger log = LoggerFactory.getLogger(OCSPCertificateVerifier.class)
 

詳解

Certificate verifier based on OCSP

著者
Yuriy Movchan
バージョン
March 10, 2016

構築子と解体子

◆ OCSPCertificateVerifier()

org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.OCSPCertificateVerifier ( )
inline
/**
 * Creates a verifier; the only set-up work is the provider registration
 * delegated to {@code SecurityProviderUtility}, which the OCSP request and
 * response handling in this class presumably depends on.
 */
public OCSPCertificateVerifier() {
    // The boolean is forwarded unchanged; its meaning is defined by SecurityProviderUtility.
    SecurityProviderUtility.installBCProvider(true);
}

関数詳解

◆ destroy()

void org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.destroy ( )
inline

org.xdi.oxauth.cert.validation.CertificateVerifierを実装しています。

/**
 * Lifecycle hook from {@code CertificateVerifier}. This verifier keeps no
 * state besides its static logger, so there is nothing to release.
 */
@Override
public void destroy() {
    // Intentionally empty: no connections or caches survive a validate() call.
}

◆ generateOCSPRequest()

OCSPReq org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.generateOCSPRequest ( CertificateID  certificateId) throws OCSPException, OperatorCreationException, CertificateEncodingException
inlineprivate
/**
 * Builds an OCSP request that asks about a single certificate id.
 *
 * <p>No request extensions are added — in particular no nonce — so a
 * response cannot be bound to this specific request; freshness has to be
 * judged from the response's own thisUpdate/nextUpdate fields by the caller.
 *
 * @param certificateId the issuer-name/issuer-key hash plus serial to query
 * @return the request, ready to be encoded and sent
 * @throws OCSPException if the request cannot be assembled
 */
private OCSPReq generateOCSPRequest(CertificateID certificateId) throws OCSPException, OperatorCreationException, CertificateEncodingException {
    // addRequest() returns the builder, so the three original statements collapse into one chain.
    return new OCSPReqBuilder().addRequest(certificateId).build();
}

◆ getExtensionValue()

static ASN1Primitive org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.getExtensionValue ( X509Certificate  certificate,
String  oid 
) throws IOException
inlinestaticprivate
引数
certificate — the certificate from which we need the ExtensionValue
oid — the Object Identifier value for the extension.
戻り値
the extension value as an ASN1Primitive object
例外
IOException
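/**
 * Reads a certificate extension and returns its inner ASN.1 value.
 *
 * <p>{@link X509Certificate#getExtensionValue} yields the DER-encoded OCTET
 * STRING that wraps the extension; this method unwraps it and parses the
 * contents. Both parser streams are closed (the previous version left them
 * open; {@code ASN1InputStream} is a {@code FilterInputStream}).
 *
 * @param certificate the certificate from which we need the ExtensionValue
 * @param oid the Object Identifier value for the extension
 * @return the extension value as an ASN1Primitive object, or {@code null}
 *         when the certificate carries no extension with that oid
 * @throws IOException if the extension bytes are not well-formed ASN.1
 */
private static ASN1Primitive getExtensionValue(X509Certificate certificate, String oid) throws IOException {
    byte[] bytes = certificate.getExtensionValue(oid);
    if (bytes == null) {
        return null;
    }
    try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(bytes))) {
        // Cast kept as in the original: a non-OCTET-STRING wrapper surfaces as a ClassCastException.
        ASN1OctetString octets = (ASN1OctetString) outer.readObject();
        try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(octets.getOctets()))) {
            return inner.readObject();
        }
    }
}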

◆ getOCSPUrl()

String org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.getOCSPUrl ( X509Certificate  certificate) throws IOException
inlineprivate
/**
 * Extracts the OCSP responder URL from the certificate's Authority
 * Information Access extension.
 *
 * <p>The returned string is taken verbatim from the certificate under
 * validation — data the verifier has not established trust in yet — and is
 * not checked for scheme or host here; {@link #requestOCSPResponse} connects
 * to it as-is.
 *
 * @param certificate the certificate whose AIA extension is inspected
 * @return the first OCSP access location that is a URI, or {@code null} when
 *         the extension is absent, unreadable, or has no such entry
 * @throws IOException declared for compatibility only; read failures are
 *         logged and reported as {@code null}
 */
private String getOCSPUrl(X509Certificate certificate) throws IOException {
    ASN1Primitive aiaValue;
    try {
        aiaValue = getExtensionValue(certificate, Extension.authorityInfoAccess.getId());
    } catch (IOException ex) {
        log.error("Failed to get OCSP URL", ex);
        return null;
    }
    if (aiaValue == null) {
        return null;
    }

    AccessDescription[] descriptions = AuthorityInformationAccess.getInstance(aiaValue).getAccessDescriptions();
    for (AccessDescription description : descriptions) {
        if (!description.getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod)) {
            continue;
        }
        GeneralName location = description.getAccessLocation();
        if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
            // Implicitly tagged IA5String inside the GeneralName CHOICE, hence explicit=false.
            DERIA5String uri = DERIA5String.getInstance((ASN1TaggedObject) location.toASN1Primitive(), false);
            return uri.getString();
        }
    }
    return null;
}

◆ requestOCSPResponse()

OCSPResp org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.requestOCSPResponse ( String  url,
OCSPReq  ocspReq 
) throws IOException, MalformedURLException
inline
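/**
 * Sends an OCSP request to the responder at {@code url} and parses the reply.
 *
 * <p>Connect and read timeouts default to {@link #DEFAULT_OCSP_TIMEOUT_MILLIS}
 * so that an unreachable or stalling responder cannot block the caller
 * indefinitely; the URL normally comes from the certificate under validation
 * (see {@link #getOCSPUrl}), i.e. from data that is not trusted yet.
 *
 * @param url the responder URL
 * @param ocspReq the request to send
 * @return the parsed response; its status field is not inspected here
 * @throws IOException on connection failure, timeout, a non-200 reply, or an unparseable body
 * @throws MalformedURLException if {@code url} is not a well-formed URL
 */
public OCSPResp requestOCSPResponse(String url, OCSPReq ocspReq) throws IOException, MalformedURLException {
    return requestOCSPResponse(url, ocspReq, DEFAULT_OCSP_TIMEOUT_MILLIS);
}

/**
 * Same as {@link #requestOCSPResponse(String, OCSPReq)} with an explicit timeout.
 *
 * @param url the responder URL
 * @param ocspReq the request to send
 * @param timeoutMillis connect and read timeout in milliseconds; 0 means wait forever
 * @return the parsed response
 * @throws IOException on connection failure, timeout, a non-200 reply, or an unparseable body
 * @throws MalformedURLException if {@code url} is not a well-formed URL
 */
public OCSPResp requestOCSPResponse(String url, OCSPReq ocspReq, int timeoutMillis) throws IOException, MalformedURLException {
    byte[] ocspReqData = ocspReq.getEncoded();

    HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
    try {
        con.setConnectTimeout(timeoutMillis);
        con.setReadTimeout(timeoutMillis);
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        con.setRequestProperty("Accept", "application/ocsp-response");
        con.setDoInput(true);
        con.setDoOutput(true);
        con.setUseCaches(false);

        try (OutputStream out = con.getOutputStream()) {
            IOUtils.write(ocspReqData, out);
            out.flush();
        }

        // Fail early with a readable message instead of feeding an HTML error page to the OCSPResp parser.
        int responseCode = con.getResponseCode();
        if (responseCode != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder " + url + " answered with HTTP status " + responseCode);
        }

        // NOTE(review): the body is read without a size cap; a misbehaving responder can return an arbitrarily large reply.
        byte[] responseBytes;
        try (java.io.InputStream in = con.getInputStream()) {
            responseBytes = IOUtils.toByteArray(in);
        }
        return new OCSPResp(responseBytes);
    } finally {
        // openConnection() never returns null, so no null check is needed before disconnect().
        con.disconnect();
    }
}

/** Connect/read timeout applied when the two-argument overload is used (constructed default; tune per deployment). */
private static final int DEFAULT_OCSP_TIMEOUT_MILLIS = 10000;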

◆ validate()

ValidationStatus org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.validate ( X509Certificate  certificate,
List< X509Certificate >  issuers,
Date  validationDate 
)
inline

org.xdi.oxauth.cert.validation.CertificateVerifierを実装しています。

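/**
 * Checks the revocation state of {@code certificate} against the OCSP
 * responder named in its AIA extension.
 *
 * <p>The status starts as {@code CertificateValidity.UNKNOWN} and only moves
 * to {@code VALID}, {@code REVOKED} or {@code INVALID} when the responder
 * gives a usable answer; every failure along the way (no OCSP URL, transport
 * error, parse error) is logged and leaves the status at {@code UNKNOWN}.
 *
 * <p>NOTE(review): the response signature is not verified here
 * ({@code BasicOCSPResp.isSignatureValid(...)} is never called) and
 * thisUpdate/nextUpdate are only logged, not compared with
 * {@code validationDate}. Until that is added, a "good" answer is accepted
 * solely because it came back from the URL found in the certificate.
 *
 * @param certificate the certificate to check
 * @param issuers the certificate's issuer chain; the first element must be
 *        the direct issuer, whose name and key hashes form the OCSP CertID
 * @param validationDate the point in time the certificate is validated for
 * @return the validation status, never {@code null}
 * @throws IllegalArgumentException if {@code issuers} is {@code null} or empty
 */
@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    if (issuers == null || issuers.isEmpty()) {
        throw new IllegalArgumentException("OCSP validation requires the issuer certificate as the first element of 'issuers'");
    }
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);

    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();

        String ocspUrl = getOCSPUrl(certificate);
        if (ocspUrl == null) {
            log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");

        // RFC 6960 CertID = hash(issuer name), hash(issuer key), serial. The holder passed here must therefore be
        // the ISSUER; the previous version passed the subject certificate itself, which does not identify the
        // certificate to the responder.
        DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuer), certificate.getSerialNumber());

        OCSPReq ocspReq = generateOCSPRequest(certificateId);
        OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
        if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            log.error("OCSP response is invalid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }

        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
        boolean foundResponse = false;
        for (SingleResp singleResp : basicOCSPResp.getResponses()) {
            if (!certificateId.equals(singleResp.getCertID())) {
                continue;
            }
            foundResponse = true;
            applySingleResponse(status, basicOCSPResp, singleResp, subjectX500Principal, validationDate);
        }
        if (!foundResponse) {
            log.error("There is no matching OCSP response entries");
        }
    } catch (Exception ex) {
        // Broad catch is deliberate: any failure leaves the validity UNKNOWN instead of propagating.
        log.error("OCSP exception: ", ex);
    }

    return status;
}

/**
 * Copies the revocation information of one matching response entry into {@code status}.
 *
 * <p>GOOD sets {@code VALID}; a revocation dated after {@code validationDate}
 * also yields {@code VALID} (the certificate was still good at that time);
 * an earlier revocation yields {@code REVOKED}. Any other status (e.g.
 * unknown) leaves the validity untouched.
 *
 * @param status the status object being filled in
 * @param basicOCSPResp the whole response, used for its producedAt time
 * @param singleResp the entry whose CertID matched the request
 * @param subject the certificate subject, for log messages only
 * @param validationDate the point in time the certificate is validated for
 */
private void applySingleResponse(ValidationStatus status, BasicOCSPResp basicOCSPResp, SingleResp singleResp, Principal subject, Date validationDate) {
    log.debug("OCSP validationDate: " + validationDate);
    log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
    log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());

    status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());

    Object certStatus = singleResp.getCertStatus();
    if (certStatus == CertificateStatus.GOOD) {
        log.debug("OCSP status is valid for '" + subject + "'");
        status.setValidity(CertificateValidity.VALID);
    } else if (certStatus instanceof RevokedStatus) {
        log.warn("OCSP status is revoked for: " + subject);
        Date revocationDate = ((RevokedStatus) certStatus).getRevocationTime();
        if (validationDate.before(revocationDate)) {
            log.warn("OCSP revocation time after the validation date, the certificate '" + subject + "' was valid at " + validationDate);
            status.setValidity(CertificateValidity.VALID);
        } else {
            log.info("OCSP for certificate '" + subject + "' is revoked since " + revocationDate);
            status.setRevocationDate(revocationDate);
            // The entry's own thisUpdate overrides the response-level producedAt set above.
            status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
            status.setValidity(CertificateValidity.REVOKED);
        }
    }
}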

メンバ詳解

◆ log

final Logger org.xdi.oxauth.cert.validation.OCSPCertificateVerifier.log = LoggerFactory.getLogger(OCSPCertificateVerifier.class)
staticprivate
