18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25 package sun.security.provider.certpath;
26
27 import java.io.InputStream;
28 import java.io.IOException;
29 import java.io.OutputStream;
30 import java.net.URI;
31 import java.net.URL;
32 import java.net.HttpURLConnection;
33 import java.security.cert.CertificateException;
34 import java.security.cert.CertPathValidatorException;
35 import java.security.cert.CertPathValidatorException.BasicReason;
36 import java.security.cert.CRLReason;
37 import java.security.cert.Extension;
38 import java.security.cert.X509Certificate;
39 import java.util.Arrays;
40 import java.util.Collections;
41 import java.util.Date;
42 import java.util.List;
43 import java.util.Map;
44
45 import sun.security.action.GetIntegerAction;
46 import sun.security.util.Debug;
47 import sun.security.x509.AccessDescription;
48 import sun.security.x509.AuthorityInfoAccessExtension;
49 import sun.security.x509.GeneralName;
50 import sun.security.x509.GeneralNameInterface;
51 import sun.security.x509.PKIXExtensions;
52 import sun.security.x509.URIName;
53 import sun.security.x509.X509CertImpl;
54
55 /**
56 * This is a class that checks the revocation status of a certificate(s) using
57 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
108 * encoding the OCSP Request or validating the OCSP Response
109 */
110 public static RevocationStatus check(X509Certificate cert,
111 X509Certificate issuerCert)
112 throws IOException, CertPathValidatorException {
113 CertId certId = null;
114 URI responderURI = null;
115 try {
116 X509CertImpl certImpl = X509CertImpl.toImpl(cert);
117 responderURI = getResponderURI(certImpl);
118 if (responderURI == null) {
119 throw new CertPathValidatorException
120 ("No OCSP Responder URI in certificate");
121 }
122 certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
123 } catch (CertificateException | IOException e) {
124 throw new CertPathValidatorException
125 ("Exception while encoding OCSPRequest", e);
126 }
127 OCSPResponse ocspResponse = check(Collections.singletonList(certId),
128 responderURI, new OCSPResponse.IssuerInfo(issuerCert), null, null,
129 Collections.<Extension>emptyList());
130 return (RevocationStatus)ocspResponse.getSingleResponse(certId);
131 }
132
133 /**
134 * Obtains the revocation status of a certificate using OCSP.
135 *
136 * @param cert the certificate to be checked
137 * @param issuerCert the issuer certificate
138 * @param responderURI the URI of the OCSP responder
139 * @param responderCert the OCSP responder's certificate
140 * @param date the time the validity of the OCSP responder's certificate
141 * should be checked against. If null, the current time is used.
142 * @return the RevocationStatus
143 * @throws IOException if there is an exception connecting to or
144 * communicating with the OCSP responder
145 * @throws CertPathValidatorException if an exception occurs while
146 * encoding the OCSP Request or validating the OCSP Response
147 */
148 public static RevocationStatus check(X509Certificate cert,
149 X509Certificate issuerCert,
150 URI responderURI,
151 X509Certificate responderCert,
152 Date date)
153 throws IOException, CertPathValidatorException
154 {
155 return check(cert, issuerCert, responderURI, responderCert, date,
156 Collections.<Extension>emptyList());
157 }
158
159 // Called by com.sun.deploy.security.TrustDecider
160 public static RevocationStatus check(X509Certificate cert,
161 X509Certificate issuerCert,
162 URI responderURI,
163 X509Certificate responderCert,
164 Date date, List<Extension> extensions)
165 throws IOException, CertPathValidatorException
166 {
167 CertId certId = null;
168 try {
169 X509CertImpl certImpl = X509CertImpl.toImpl(cert);
170 certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
171 } catch (CertificateException | IOException e) {
172 throw new CertPathValidatorException
173 ("Exception while encoding OCSPRequest", e);
174 }
175 OCSPResponse ocspResponse = check(Collections.singletonList(certId),
176 responderURI, new OCSPResponse.IssuerInfo(issuerCert),
177 responderCert, date, extensions);
178 return (RevocationStatus) ocspResponse.getSingleResponse(certId);
179 }
180
181 /**
182 * Checks the revocation status of a list of certificates using OCSP.
183 *
184 * @param certIds the CertIds to be checked
185 * @param responderURI the URI of the OCSP responder
186 * @param issuerInfo the issuer's certificate and/or subject and public key
187 * @param responderCert the OCSP responder's certificate
188 * @param date the time the validity of the OCSP responder's certificate
189 * should be checked against. If null, the current time is used.
190 * @param extensions zero or more OCSP extensions to be included in the
191 * request. If no extensions are requested, an empty {@code List} must
192 * be used. A {@code null} value is not allowed.
193 * @return the OCSPResponse
194 * @throws IOException if there is an exception connecting to or
195 * communicating with the OCSP responder
196 * @throws CertPathValidatorException if an exception occurs while
|
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25 package sun.security.provider.certpath;
26
27 import java.io.InputStream;
28 import java.io.IOException;
29 import java.io.OutputStream;
30 import java.net.URI;
31 import java.net.URL;
32 import java.net.HttpURLConnection;
33 import java.security.cert.CertificateException;
34 import java.security.cert.CertPathValidatorException;
35 import java.security.cert.CertPathValidatorException.BasicReason;
36 import java.security.cert.CRLReason;
37 import java.security.cert.Extension;
38 import java.security.cert.TrustAnchor;
39 import java.security.cert.X509Certificate;
40 import java.util.Arrays;
41 import java.util.Collections;
42 import java.util.Date;
43 import java.util.List;
44 import java.util.Map;
45
46 import sun.security.action.GetIntegerAction;
47 import sun.security.util.Debug;
48 import sun.security.x509.AccessDescription;
49 import sun.security.x509.AuthorityInfoAccessExtension;
50 import sun.security.x509.GeneralName;
51 import sun.security.x509.GeneralNameInterface;
52 import sun.security.x509.PKIXExtensions;
53 import sun.security.x509.URIName;
54 import sun.security.x509.X509CertImpl;
55
56 /**
57 * This is a class that checks the revocation status of a certificate(s) using
58 * OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
109 * encoding the OCSP Request or validating the OCSP Response
110 */
111 public static RevocationStatus check(X509Certificate cert,
112 X509Certificate issuerCert)
113 throws IOException, CertPathValidatorException {
114 CertId certId = null;
115 URI responderURI = null;
116 try {
117 X509CertImpl certImpl = X509CertImpl.toImpl(cert);
118 responderURI = getResponderURI(certImpl);
119 if (responderURI == null) {
120 throw new CertPathValidatorException
121 ("No OCSP Responder URI in certificate");
122 }
123 certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
124 } catch (CertificateException | IOException e) {
125 throw new CertPathValidatorException
126 ("Exception while encoding OCSPRequest", e);
127 }
128 OCSPResponse ocspResponse = check(Collections.singletonList(certId),
129 responderURI, new OCSPResponse.IssuerInfo(null, issuerCert), null,
130 null, Collections.<Extension>emptyList());
131 return (RevocationStatus)ocspResponse.getSingleResponse(certId);
132 }
133
134 /**
135 * Obtains the revocation status of a certificate using OCSP.
136 *
137 * @param cert the certificate to be checked
138 * @param issuerCert the issuer certificate
139 * @param responderURI the URI of the OCSP responder
140 * @param responderCert the OCSP responder's certificate
141 * @param date the time the validity of the OCSP responder's certificate
142 * should be checked against. If null, the current time is used.
143 * @return the RevocationStatus
144 * @throws IOException if there is an exception connecting to or
145 * communicating with the OCSP responder
146 * @throws CertPathValidatorException if an exception occurs while
147 * encoding the OCSP Request or validating the OCSP Response
148 */
149 public static RevocationStatus check(X509Certificate cert,
150 X509Certificate issuerCert,
151 URI responderURI,
152 X509Certificate responderCert,
153 Date date)
154 throws IOException, CertPathValidatorException
155 {
156 return check(cert, issuerCert, responderURI, responderCert, date,
157 Collections.<Extension>emptyList());
158 }
159
160 // Called by com.sun.deploy.security.TrustDecider
161 public static RevocationStatus check(X509Certificate cert,
162 X509Certificate issuerCert,
163 URI responderURI,
164 X509Certificate responderCert,
165 Date date, List<Extension> extensions)
166 throws IOException, CertPathValidatorException
167 {
168 return check(cert, responderURI,
169 new TrustAnchor(issuerCert.getSubjectX500Principal(),
170 issuerCert.getPublicKey(), null),
171 issuerCert, responderCert, date, extensions);
172 }
173
174 public static RevocationStatus check(X509Certificate cert,
175 URI responderURI,
176 TrustAnchor anchor,
177 X509Certificate issuerCert,
178 X509Certificate responderCert,
179 Date date, List<Extension> extensions)
180 throws IOException, CertPathValidatorException
181 {
182 CertId certId = null;
183 try {
184 X509CertImpl certImpl = X509CertImpl.toImpl(cert);
185 certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
186 } catch (CertificateException | IOException e) {
187 throw new CertPathValidatorException
188 ("Exception while encoding OCSPRequest", e);
189 }
190 OCSPResponse ocspResponse = check(Collections.singletonList(certId),
191 responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
192 responderCert, date, extensions);
193 return (RevocationStatus) ocspResponse.getSingleResponse(certId);
194 }
195
196 /**
197 * Checks the revocation status of a list of certificates using OCSP.
198 *
199 * @param certIds the CertIds to be checked
200 * @param responderURI the URI of the OCSP responder
201 * @param issuerInfo the issuer's certificate and/or subject and public key
202 * @param responderCert the OCSP responder's certificate
203 * @param date the time the validity of the OCSP responder's certificate
204 * should be checked against. If null, the current time is used.
205 * @param extensions zero or more OCSP extensions to be included in the
206 * request. If no extensions are requested, an empty {@code List} must
207 * be used. A {@code null} value is not allowed.
208 * @return the OCSPResponse
209 * @throws IOException if there is an exception connecting to or
210 * communicating with the OCSP responder
211 * @throws CertPathValidatorException if an exception occurs while
|