org.keycloak.common.util.OCSPUtils 連携図

クラス
interface	OCSPRevocationStatus

enum	RevocationStatus

静的公開メンバ関数
static OCSPRevocationStatus	check (X509Certificate cert, X509Certificate issuerCertificate, URI responderURI, X509Certificate responderCert, Date date) throws CertPathValidatorException

static OCSPRevocationStatus	check (X509Certificate cert, X509Certificate issuerCertificate, Date date, X509Certificate responderCert) throws CertPathValidatorException

static OCSPRevocationStatus	check (X509Certificate cert, X509Certificate issuerCertificate) throws CertPathValidatorException

静的関数
	[static initializer]

静的非公開メンバ関数
static OCSPResp	getResponse (OCSPReq ocspReq, URI responderUri) throws IOException

static OCSPRevocationStatus	check (X509Certificate cert, X509Certificate issuerCertificate, List< URI > responderURIs, X509Certificate responderCert, Date date) throws CertPathValidatorException

static OCSPRevocationStatus	processBasicOCSPResponse (X509Certificate issuerCertificate, X509Certificate responderCertificate, Date date, JcaCertificateID certificateID, BigInteger nounce, BasicOCSPResp basicOcspResponse) throws OCSPException, NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException

static boolean	compareCertIDs (JcaCertificateID idLeft, CertificateID idRight)

static void	verifyResponse (BasicOCSPResp basicOcspResponse, X509Certificate issuerCertificate, X509Certificate responderCertificate, byte[] requestNonce, Date date) throws NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException

static boolean	verifySignature (BasicOCSPResp basicOcspResponse, X509Certificate cert)

static OCSPRevocationStatus	unknownStatus ()

static OCSPRevocationStatus	singleResponseToRevocationStatus (final SingleResp singleResponse) throws CertPathValidatorException

static List< String >	getResponderURIs (X509Certificate cert) throws CertificateEncodingException

静的非公開変数類
static final Logger	logger = Logger.getLogger(""+OCSPUtils.class)

static int	OCSP_CONNECT_TIMEOUT = 10000

static final int	TIME_SKEW = 900000

詳解

著者: Peter Nalyvayko

バージョン

Revision: 1

から: 10/29/2016

クラス詳解

◆ org::keycloak::common::util::OCSPUtils::RevocationStatus

enum org::keycloak::common::util::OCSPUtils::RevocationStatus

org.keycloak.common.util.OCSPUtils.RevocationStatus 連携図

列挙値
GOOD
REVOKED
UNKNOWN

関数詳解

◆ [static initializer]()

org.keycloak.common.util.OCSPUtils.[static initializer] ( )

inlinestaticpackage

◆ check() [1/4]

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.check	(	X509Certificate	cert,
		X509Certificate	issuerCertificate,
		URI	responderURI,
		X509Certificate	responderCert,
		Date	date
	)		throws CertPathValidatorException

inlinestatic

Requests certificate revocation status using OCSP.

引数

cert	the certificate to be checked
issuerCertificate	The issuer certificate
responderURI	an address of OCSP responder. Overrides any OCSP responder URIs stored in certificate's AIA extension
date
responderCert	a certificate that OCSP responder uses to sign OCSP responses

戻り値: revocation status

                                                                                                                                                                                                     {
         if (cert == null)
             throw new IllegalArgumentException("cert cannot be null");
         if (issuerCertificate == null)
             throw new IllegalArgumentException("issuerCertificate cannot be null");
         if (responderURI == null)
             throw new IllegalArgumentException("responderURI cannot be null");
 
         return check(cert, issuerCertificate, Collections.singletonList(responderURI), responderCert, date);
     }

◆ check() [2/4]

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.check	(	X509Certificate	cert,
		X509Certificate	issuerCertificate,
		Date	date,
		X509Certificate	responderCert
	)		throws CertPathValidatorException

inlinestatic

Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.

引数

cert	the certificate to be checked
issuerCertificate	The issuer certificate
date

戻り値: revocation status

                                                                                                                                                                                   {
         List<String> responderURIs = null;
         try {
             responderURIs = getResponderURIs(cert);
         } catch (CertificateEncodingException e) {
             logger.log(Level.FINE, "CertificateEncodingException: {0}", e.getMessage());
             throw new CertPathValidatorException(e.getMessage(), e);
         }
         if (responderURIs.size() == 0) {
             logger.log(Level.INFO, "No OCSP responders in the specified certificate");
             throw new CertPathValidatorException("No OCSP Responder URI in certificate");
         }
 
         List<URI> uris = new LinkedList<>();
         for (String value : responderURIs) {
             try {
                 URI responderURI = URI.create(value);
                 uris.add(responderURI);
             } catch (IllegalArgumentException ex) {
                 logger.log(Level.FINE, "Malformed responder URI {0}", value);
             }
         }
         return check(cert, issuerCertificate, Collections.unmodifiableList(uris), responderCert, date);
     }

◆ check() [3/4]

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.check	(	X509Certificate	cert,
		X509Certificate	issuerCertificate
	)		throws CertPathValidatorException

inlinestatic

Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.

引数

cert	the certificate to be checked
issuerCertificate	The issuer certificate

戻り値: revocation status

                                                                                                                                         {
         return check(cert, issuerCertificate, null, null);
     }

◆ check() [4/4]

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.check	(	X509Certificate	cert,
		X509Certificate	issuerCertificate,
		List< URI >	responderURIs,
		X509Certificate	responderCert,
		Date	date
	)		throws CertPathValidatorException

inlinestaticprivate

Requests certificate revocation status using OCSP.

引数

cert	the certificate to be checked
issuerCertificate	the issuer certificate
responderURIs	the OCSP responder URIs
responderCert	the OCSP responder certificate
date	if null, the current time is used.

戻り値: a revocation status

例外

CertPathValidatorException

                                                                                                                                                                                                             {
         if (responderURIs == null || responderURIs.size() == 0)
             throw new IllegalArgumentException("Need at least one responder");
         try {
             DigestCalculator digCalc = new BcDigestCalculatorProvider()
                     .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
 
             JcaCertificateID certificateID = new JcaCertificateID(digCalc, issuerCertificate, cert.getSerialNumber());
 
             // Create a nounce extension to protect against replay attacks
             SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
             BigInteger nounce = BigInteger.valueOf(Math.abs(random.nextInt()));
 
             DEROctetString derString = new DEROctetString(nounce.toByteArray());
             Extension nounceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, derString);
             Extensions extensions = new Extensions(nounceExtension);
 
             OCSPReq ocspReq = new OCSPReqBuilder().addRequest(certificateID, extensions).build();
 
             URI responderURI = responderURIs.get(0);
             logger.log(Level.INFO, "OCSP Responder {0}", responderURI);
 
             try {
                 OCSPResp resp = getResponse(ocspReq, responderURI);
                 logger.log(Level.FINE, "Received a response from OCSP responder {0}, the response status is {1}", new Object[]{responderURI, resp.getStatus()});
                 switch (resp.getStatus()) {
                     case OCSPResp.SUCCESSFUL:
                         if (resp.getResponseObject() instanceof BasicOCSPResp) {
                             return processBasicOCSPResponse(issuerCertificate, responderCert, date, certificateID, nounce, (BasicOCSPResp)resp.getResponseObject());
                         } else {
                             throw new CertPathValidatorException("OCSP responder returned an invalid or unknown OCSP response.");
                         }
 
                     case OCSPResp.INTERNAL_ERROR:
                     case OCSPResp.TRY_LATER:
                         throw new CertPathValidatorException("Internal error/try later. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
 
                     case OCSPResp.SIG_REQUIRED:
                         throw new CertPathValidatorException("Invalid or missing signature. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.INVALID_SIGNATURE);
 
                     case OCSPResp.UNAUTHORIZED:
                         throw new CertPathValidatorException("Unauthorized request. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
 
                     case OCSPResp.MALFORMED_REQUEST:
                     default:
                         throw new CertPathValidatorException("OCSP request is malformed. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
                 }
             }
             catch(IOException e) {
                 logger.log(Level.FINE, "OCSP Responder \"{0}\" failed to return a valid OCSP response\n{1}",
                         new Object[] {responderURI, e.getMessage()});
                 throw new CertPathValidatorException("OCSP check failed", e);
             }
         }
         catch(CertificateNotYetValidException | CertificateExpiredException | OperatorCreationException | OCSPException | CertificateEncodingException | NoSuchAlgorithmException | NoSuchProviderException e) {
             logger.log(Level.FINE, e.getMessage());
             throw new CertPathValidatorException(e.getMessage(), e);
         }
     }

◆ compareCertIDs()

static boolean org.keycloak.common.util.OCSPUtils.compareCertIDs	(	JcaCertificateID	idLeft,
		CertificateID	idRight
	)

inlinestaticprivate

                                                                                           {
         if (idLeft == idRight)
             return true;
         if (idLeft == null || idRight == null)
             return false;
 
         return Arrays.equals(idLeft.getIssuerKeyHash(), idRight.getIssuerKeyHash()) &&
                 Arrays.equals(idLeft.getIssuerNameHash(), idRight.getIssuerNameHash()) &&
                 idLeft.getSerialNumber().equals(idRight.getSerialNumber());
     }

◆ getResponderURIs()

static List<String> org.keycloak.common.util.OCSPUtils.getResponderURIs ( X509Certificate cert ) throws CertificateEncodingException

inlinestaticprivate

Extracts OCSP responder URI from X509 AIA v3 extension, if available. There can be multiple responder URIs encoded in the certificate.

引数

cert

戻り値: a list of available responder URIs.

例外

CertificateEncodingException

                                                                                                            {
 
         LinkedList<String> responderURIs = new LinkedList<>();
         JcaX509CertificateHolder holder = new JcaX509CertificateHolder(cert);
         Extension aia = holder.getExtension(Extension.authorityInfoAccess);
         if (aia != null) {
             try {
                 ASN1InputStream in = new ASN1InputStream(aia.getExtnValue().getOctetStream());
                 ASN1Sequence seq = (ASN1Sequence)in.readObject();
                 AuthorityInformationAccess authorityInfoAccess = AuthorityInformationAccess.getInstance(seq);
                 for (AccessDescription ad : authorityInfoAccess.getAccessDescriptions()) {
                     if (ad.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                         // See https://www.ietf.org/rfc/rfc2560.txt, 3.1 Certificate Content
                         if (ad.getAccessLocation().getTagNo() == GeneralName.uniformResourceIdentifier) {
                             DERIA5String value = DERIA5String.getInstance(ad.getAccessLocation().getName());
                             responderURIs.add(value.getString());
                         }
                     }
                 }
             } catch (IOException e) {
                 e.printStackTrace();
             }
         }
         return responderURIs;
     }

◆ getResponse()

static OCSPResp org.keycloak.common.util.OCSPUtils.getResponse	(	OCSPReq	ocspReq,
		URI	responderUri
	)		throws IOException

inlinestaticprivate

                                                                                               {
         DataOutputStream dataOut = null;
         InputStream in = null;
         try {
             byte[] array = ocspReq.getEncoded();
             URL urlt = responderUri.toURL();
             HttpURLConnection con = (HttpURLConnection) urlt.openConnection();
             con.setRequestMethod("POST");
             con.setConnectTimeout(OCSP_CONNECT_TIMEOUT);
             con.setReadTimeout(OCSP_CONNECT_TIMEOUT);
             con.setRequestProperty("Content-type", "application/ocsp-request");
             con.setRequestProperty("Content-length", String.valueOf(array.length));
 //        con.setRequestProperty("Accept", "application/ocsp-response");
 
             con.setDoOutput(true);
             con.setDoInput(true);
             OutputStream out = con.getOutputStream();
             dataOut = new DataOutputStream(new BufferedOutputStream(out));
             dataOut.write(array);
             dataOut.flush();
 
             if (con.getResponseCode() / 100 != 2) {
                 String errorMessage = String.format("Connection error, unable to obtain certificate revocation status using OCSP responder \"%s\", code \"%d\"",
                         responderUri.toString(), con.getResponseCode());
                 throw new IOException(errorMessage);
             }
             //Get Response
             in = (InputStream) con.getInputStream();
             int contentLen = con.getContentLength();
             if (contentLen == -1) {
                 contentLen = Integer.MAX_VALUE;
             }
             ByteArrayOutputStream baos = new ByteArrayOutputStream();
             int bytesRead = 0;
             byte[] buffer = new byte[2048];
             while ((bytesRead = in.read(buffer, 0, buffer.length)) >= 0) {
                 baos.write(buffer, 0, bytesRead);
             }
             baos.flush();
             byte[] data = baos.toByteArray();
             return new OCSPResp(data);
         } finally {
             if (dataOut != null) {
                 dataOut.close();
             }
             if (in != null) {
                 in.close();
             }
         }
     }

◆ processBasicOCSPResponse()

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.processBasicOCSPResponse	(	X509Certificate	issuerCertificate,
		X509Certificate	responderCertificate,
		Date	date,
		JcaCertificateID	certificateID,
		BigInteger	nounce,
		BasicOCSPResp	basicOcspResponse
	)		throws OCSPException, NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException

inlinestaticprivate

                                                                                                                                                                               {
         SingleResp expectedResponse = null;
         for (SingleResp singleResponse : basicOcspResponse.getResponses()) {
             if (compareCertIDs(certificateID, singleResponse.getCertID())) {
                 expectedResponse = singleResponse;
                 break;
             }
         }
 
         if (expectedResponse != null) {
             verifyResponse(basicOcspResponse, issuerCertificate, responderCertificate, nounce.toByteArray(), date);
             return singleResponseToRevocationStatus(expectedResponse);
         } else {
             throw new CertPathValidatorException("OCSP response does not include a response for a certificate supplied in the OCSP request");
         }
     }

◆ singleResponseToRevocationStatus()

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.singleResponseToRevocationStatus ( final SingleResp singleResponse ) throws CertPathValidatorException

inlinestaticprivate

                                                                                                                                             {
         final CertificateStatus certStatus = singleResponse.getCertStatus();
 
         int revocationReason = CRLReason.unspecified;
         Date revocationTime = null;
         RevocationStatus status = RevocationStatus.UNKNOWN;
         if (certStatus == CertificateStatus.GOOD) {
             status = RevocationStatus.GOOD;
         } else if (certStatus instanceof RevokedStatus) {
             RevokedStatus revoked = (RevokedStatus)certStatus;
             revocationTime = revoked.getRevocationTime();
             status = RevocationStatus.REVOKED;
             if (revoked.hasRevocationReason()) {
                 revocationReason = revoked.getRevocationReason();
             }
         } else if (certStatus instanceof UnknownStatus) {
             status = RevocationStatus.UNKNOWN;
         } else {
             throw new CertPathValidatorException("Unrecognized revocation status received from OCSP.");
         }
 
         final RevocationStatus finalStatus = status;
         final Date finalRevocationTime = revocationTime;
         final int finalRevocationReason = revocationReason;
         return new OCSPRevocationStatus() {
             @Override
             public RevocationStatus getRevocationStatus() {
                 return finalStatus;
             }
 
             @Override
             public Date getRevocationTime() {
                 return finalRevocationTime;
             }
 
             @Override
             public CRLReason getRevocationReason() {
                 return CRLReason.lookup(finalRevocationReason);
             }
         };
     }

◆ unknownStatus()

static OCSPRevocationStatus org.keycloak.common.util.OCSPUtils.unknownStatus ( )

inlinestaticprivate

                                                         {
         return new OCSPRevocationStatus() {
             @Override
             public RevocationStatus getRevocationStatus() {
                 return RevocationStatus.UNKNOWN;
             }
 
             @Override
             public Date getRevocationTime() {
                 return new Date(System.currentTimeMillis());
             }
 
             @Override
             public CRLReason getRevocationReason() {
                 return CRLReason.lookup(CRLReason.unspecified);
             }
         };
     }

◆ verifyResponse()

static void org.keycloak.common.util.OCSPUtils.verifyResponse	(	BasicOCSPResp	basicOcspResponse,
		X509Certificate	issuerCertificate,
		X509Certificate	responderCertificate,
		byte []	requestNonce,
		Date	date
	)		throws NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException, CertificateExpiredException, CertPathValidatorException

inlinestaticprivate

                                                                                                                                                                                                                                                                                                                                     {
 
         List<X509CertificateHolder> certs = new ArrayList<>(Arrays.asList(basicOcspResponse.getCerts()));
         X509Certificate signingCert = null;
 
         try {
             certs.add(new JcaX509CertificateHolder(issuerCertificate));
             if (responderCertificate != null) {
                 certs.add(new JcaX509CertificateHolder(responderCertificate));
             }
         } catch (CertificateEncodingException e) {
             e.printStackTrace();
         }
         if (certs.size() > 0) {
 
             X500Name responderName = basicOcspResponse.getResponderId().toASN1Primitive().getName();
             byte[] responderKey = basicOcspResponse.getResponderId().toASN1Primitive().getKeyHash();
 
             if (responderName != null) {
                 logger.log(Level.INFO, "Responder Name: {0}", responderName.toString());
                 for (X509CertificateHolder certHolder : certs) {
                     try {
                         X509Certificate tempCert = new JcaX509CertificateConverter()
                                 .setProvider("BC").getCertificate(certHolder);
                         X500Name respName = new X500Name(tempCert.getSubjectX500Principal().getName());
                         if (responderName.equals(respName)) {
                             signingCert = tempCert;
                             logger.log(Level.INFO, "Found a certificate whose principal \"{0}\" matches the responder name \"{1}\"",
                                     new Object[] {tempCert.getSubjectDN().getName(), responderName.toString()});
                             break;
                         }
                     } catch (CertificateException e) {
                         logger.log(Level.FINE, e.getMessage());
                     }
                 }
             } else if (responderKey != null) {
                 SubjectKeyIdentifier responderSubjectKey = new SubjectKeyIdentifier(responderKey);
                 logger.log(Level.INFO, "Responder Key: {0}", Arrays.toString(responderKey));
                 for (X509CertificateHolder certHolder : certs) {
                     try {
                         X509Certificate tempCert = new JcaX509CertificateConverter()
                                 .setProvider("BC").getCertificate(certHolder);
 
                         SubjectKeyIdentifier subjectKeyIdentifier = null;
                         if (certHolder.getExtensions() != null) {
                             subjectKeyIdentifier = SubjectKeyIdentifier.fromExtensions(certHolder.getExtensions());
                         }
 
                         if (subjectKeyIdentifier != null) {
                             logger.log(Level.INFO, "Certificate: {0}\nSubject Key Id: {1}",
                                     new Object[] {tempCert.getSubjectDN().getName(), Arrays.toString(subjectKeyIdentifier.getKeyIdentifier())});
                         }
 
                         if (subjectKeyIdentifier != null && responderSubjectKey.equals(subjectKeyIdentifier)) {
                             signingCert = tempCert;
                             logger.log(Level.INFO, "Found a signer certificate \"{0}\" with the subject key extension value matching the responder key",
                                     signingCert.getSubjectDN().getName());
 
                             break;
                         }
 
                         subjectKeyIdentifier = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(tempCert.getPublicKey());
                         if (responderSubjectKey.equals(subjectKeyIdentifier)) {
                             signingCert = tempCert;
                             logger.log(Level.INFO, "Found a certificate \"{0}\" with the subject key matching the OCSP responder key", signingCert.getSubjectDN().getName());
                             break;
                         }
 
                     } catch (CertificateException e) {
                         logger.log(Level.FINE, e.getMessage());
                     }
                 }
             }
         }
         if (signingCert != null) {
             if (signingCert.equals(issuerCertificate)) {
                 logger.log(Level.INFO, "OCSP response is signed by the target\'s Issuing CA");
             } else if (responderCertificate != null && signingCert.equals(responderCertificate)) {
                 // https://www.ietf.org/rfc/rfc2560.txt
                 // 2.6  OCSP Signature Authority Delegation
                 // - The responder certificate is issued to the responder by CA
                 logger.log(Level.INFO, "OCSP response is signed by an authorized responder certificate");
             } else {
                 // 4.2.2.2  Authorized Responders
                 // 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
                 // extension and is issued by the CA that issued the certificate in
                 // question."
                 if (!signingCert.getIssuerX500Principal().equals(issuerCertificate.getSubjectX500Principal())) {
                     logger.log(Level.INFO, "Signer certificate's Issuer: {0}\nIssuer certificate's Subject: {1}",
                             new Object[] {signingCert.getIssuerX500Principal().getName(), issuerCertificate.getSubjectX500Principal().getName()});
                     throw new CertPathValidatorException("Responder\'s certificate is not authorized to sign OCSP responses");
                 }
                 try {
                     List<String> purposes = signingCert.getExtendedKeyUsage();
                     if (purposes != null && !purposes.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                         logger.log(Level.INFO, "OCSPSigning extended usage is not set");
                         throw new CertPathValidatorException("Responder\'s certificate not valid for signing OCSP responses");
                     }
                 } catch (CertificateParsingException e) {
                     logger.log(Level.FINE, "Failed to get certificate's extended key usage extension\n{0}", e.getMessage());
                 }
                 if (date == null) {
                     signingCert.checkValidity();
                 } else {
                     signingCert.checkValidity(date);
                 }
                 try {
                     Extension noOCSPCheck = new JcaX509CertificateHolder(signingCert).getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck);
                     // TODO If the extension is present, the OCSP client can trust the
                     // responder's certificate for the lifetime of the certificate.
                     logger.log(Level.INFO, "OCSP no-check extension is {0} present", noOCSPCheck == null ? "not" : "");
                 } catch (CertificateEncodingException e) {
                     logger.log(Level.FINE, "Certificate encoding exception: {0}", e.getMessage());
                 }
 
                 try {
                     signingCert.verify(issuerCertificate.getPublicKey());
                     logger.log(Level.INFO, "OCSP response is signed by an Authorized Responder");
 
                 } catch (GeneralSecurityException ex) {
                     signingCert = null;
                 }
             }
         }
         if (signingCert == null) {
             throw new CertPathValidatorException("Unable to verify OCSP Response\'s signature");
         } else {
             if (!verifySignature(basicOcspResponse, signingCert)) {
                 throw new CertPathValidatorException("Error verifying OCSP Response\'s signature");
             } else {
                 Extension responseNonce = basicOcspResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
                 if (responseNonce != null && requestNonce != null && !Arrays.equals(requestNonce, responseNonce.getExtnValue().getOctets())) {
                     throw new CertPathValidatorException("Nonces do not match.");
                 } else {
                     // See Sun's OCSP implementation.
                     // https://www.ietf.org/rfc/rfc2560.txt, if nextUpdate is not set,
                     // the responder is indicating that newer update is avilable all the time
                     long current = date == null ? System.currentTimeMillis() : date.getTime();
                     Date stop = new Date(current + (long) TIME_SKEW);
                     Date start = new Date(current - (long) TIME_SKEW);
 
                     Iterator<SingleResp> iter = Arrays.asList(basicOcspResponse.getResponses()).iterator();
                     SingleResp singleRes = null;
                     do {
                         if (!iter.hasNext()) {
                             return;
                         }
                         singleRes = iter.next();
                     }
                     while (!stop.before(singleRes.getThisUpdate()) &&
                             !start.after(singleRes.getNextUpdate() != null ? singleRes.getNextUpdate() : singleRes.getThisUpdate()));
 
                     throw new CertPathValidatorException("Response is unreliable: its validity interval is out-of-date");
                 }
             }
         }
     }

◆ verifySignature()

static boolean org.keycloak.common.util.OCSPUtils.verifySignature	(	BasicOCSPResp	basicOcspResponse,
		X509Certificate	cert
	)

inlinestaticprivate

                                                                                                   {
         try {
             ContentVerifierProvider contentVerifier = new JcaContentVerifierProviderBuilder()
                     .setProvider("BC").build(cert.getPublicKey());
             return basicOcspResponse.isSignatureValid(contentVerifier);
         } catch (OperatorCreationException e) {
             logger.log(Level.FINE, "Unable to construct OCSP content signature verifier\n{0}", e.getMessage());
         } catch (OCSPException e) {
             logger.log(Level.FINE, "Unable to validate OCSP response signature\n{0}", e.getMessage());
         }
         return false;
     }

メンバ詳解

◆ logger

final Logger org.keycloak.common.util.OCSPUtils.logger = Logger.getLogger(""+OCSPUtils.class)

staticprivate

◆ OCSP_CONNECT_TIMEOUT

int org.keycloak.common.util.OCSPUtils.OCSP_CONNECT_TIMEOUT = 10000

staticprivate

◆ TIME_SKEW

final int org.keycloak.common.util.OCSPUtils.TIME_SKEW = 900000

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/common/util/OCSPUtils.java

クラス

静的公開メンバ関数

静的関数

静的非公開メンバ関数

静的非公開変数類

詳解

クラス詳解

◆ org::keycloak::common::util::OCSPUtils::RevocationStatus

関数詳解

◆ [static initializer]()

◆ check() [1/4]

◆ check() [2/4]

◆ check() [3/4]

◆ check() [4/4]

◆ compareCertIDs()

◆ getResponderURIs()

◆ getResponse()

◆ processBasicOCSPResponse()

◆ singleResponseToRevocationStatus()

◆ unknownStatus()

◆ verifyResponse()

◆ verifySignature()

メンバ詳解

◆ logger

◆ OCSP_CONNECT_TIMEOUT

◆ TIME_SKEW