420 }
421 }
422
423 private boolean isSoftFailException(CertPathValidatorException e) {
424 if (softFail &&
425 e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
426 {
427 // recreate exception with correct index
428 CertPathValidatorException e2 = new CertPathValidatorException(
429 e.getMessage(), e.getCause(), params.certPath(), certIndex,
430 e.getReason());
431 softFailExceptions.addFirst(e2);
432 return true;
433 }
434 return false;
435 }
436
437 private void updateState(X509Certificate cert)
438 throws CertPathValidatorException
439 {
440 issuerInfo = new OCSPResponse.IssuerInfo(cert);
441
442 // Make new public key if parameters are missing
443 PublicKey pubKey = cert.getPublicKey();
444 if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
445 // pubKey needs to inherit DSA parameters from prev key
446 pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
447 }
448 prevPubKey = pubKey;
449 crlSignFlag = certCanSignCrl(cert);
450 if (certIndex > 0) {
451 certIndex--;
452 }
453 }
454
455 // Maximum clock skew in milliseconds (15 minutes) allowed when checking
456 // validity of CRLs
457 private static final long MAX_CLOCK_SKEW = 900000;
458 private void checkCRLs(X509Certificate cert,
459 Collection<String> unresolvedCritExts,
460 Set<X509Certificate> stackedCerts,
723 byte[] nonce = null;
724 for (Extension ext : ocspExtensions) {
725 if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
726 nonce = ext.getValue();
727 }
728 }
729 response.verify(Collections.singletonList(certId), issuerInfo,
730 responderCert, params.date(), nonce);
731
732 } else {
733 URI responderURI = (this.responderURI != null)
734 ? this.responderURI
735 : OCSP.getResponderURI(currCert);
736 if (responderURI == null) {
737 throw new CertPathValidatorException(
738 "Certificate does not specify OCSP responder", null,
739 null, -1);
740 }
741
742 response = OCSP.check(Collections.singletonList(certId),
743 responderURI, issuerInfo,
744 responderCert, null, ocspExtensions);
745 }
746 } catch (IOException e) {
747 throw new CertPathValidatorException(
748 "Unable to determine revocation status due to network error",
749 e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
750 }
751
752 RevocationStatus rs =
753 (RevocationStatus)response.getSingleResponse(certId);
754 RevocationStatus.CertStatus certStatus = rs.getCertStatus();
755 if (certStatus == RevocationStatus.CertStatus.REVOKED) {
756 Date revocationTime = rs.getRevocationTime();
757 if (revocationTime.before(params.date())) {
758 Throwable t = new CertificateRevokedException(
759 revocationTime, rs.getRevocationReason(),
760 response.getSignerCertificate().getSubjectX500Principal(),
761 rs.getSingleExtensions());
762 throw new CertPathValidatorException(t.getMessage(), t, null,
763 -1, BasicReason.REVOKED);
764 }
420 }
421 }
422
423 private boolean isSoftFailException(CertPathValidatorException e) {
424 if (softFail &&
425 e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS)
426 {
427 // recreate exception with correct index
428 CertPathValidatorException e2 = new CertPathValidatorException(
429 e.getMessage(), e.getCause(), params.certPath(), certIndex,
430 e.getReason());
431 softFailExceptions.addFirst(e2);
432 return true;
433 }
434 return false;
435 }
436
437 private void updateState(X509Certificate cert)
438 throws CertPathValidatorException
439 {
440 issuerInfo = new OCSPResponse.IssuerInfo(anchor, cert);
441
442 // Make new public key if parameters are missing
443 PublicKey pubKey = cert.getPublicKey();
444 if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
445 // pubKey needs to inherit DSA parameters from prev key
446 pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
447 }
448 prevPubKey = pubKey;
449 crlSignFlag = certCanSignCrl(cert);
450 if (certIndex > 0) {
451 certIndex--;
452 }
453 }
454
455 // Maximum clock skew in milliseconds (15 minutes) allowed when checking
456 // validity of CRLs
457 private static final long MAX_CLOCK_SKEW = 900000;
458 private void checkCRLs(X509Certificate cert,
459 Collection<String> unresolvedCritExts,
460 Set<X509Certificate> stackedCerts,
723 byte[] nonce = null;
724 for (Extension ext : ocspExtensions) {
725 if (ext.getId().equals("1.3.6.1.5.5.7.48.1.2")) {
726 nonce = ext.getValue();
727 }
728 }
729 response.verify(Collections.singletonList(certId), issuerInfo,
730 responderCert, params.date(), nonce);
731
732 } else {
733 URI responderURI = (this.responderURI != null)
734 ? this.responderURI
735 : OCSP.getResponderURI(currCert);
736 if (responderURI == null) {
737 throw new CertPathValidatorException(
738 "Certificate does not specify OCSP responder", null,
739 null, -1);
740 }
741
742 response = OCSP.check(Collections.singletonList(certId),
743 responderURI, issuerInfo, responderCert, params.date(),
744 ocspExtensions);
745 }
746 } catch (IOException e) {
747 throw new CertPathValidatorException(
748 "Unable to determine revocation status due to network error",
749 e, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
750 }
751
752 RevocationStatus rs =
753 (RevocationStatus)response.getSingleResponse(certId);
754 RevocationStatus.CertStatus certStatus = rs.getCertStatus();
755 if (certStatus == RevocationStatus.CertStatus.REVOKED) {
756 Date revocationTime = rs.getRevocationTime();
757 if (revocationTime.before(params.date())) {
758 Throwable t = new CertificateRevokedException(
759 revocationTime, rs.getRevocationReason(),
760 response.getSignerCertificate().getSubjectX500Principal(),
761 rs.getSingleExtensions());
762 throw new CertPathValidatorException(t.getMessage(), t, null,
763 -1, BasicReason.REVOKED);
764 }
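Review bot: The fetched-response branch at 742-744 now passes `params.date()` into `OCSP.check` the same way the stapled branch passes it into `response.verify` at 729-730, but nothing in the hunk records that the two paths are meant to validate against the same date; a comment above the call, `// validate the fetched response against the same date as the stapled path`, would keep a later edit from quietly reintroducing a null date on one side only. `params.date()` is also used unguarded at 757 in `revocationTime.before(params.date())`, so if it can ever be null the two branches and the revocation comparison will not fail in the same way; worth confirming it is always populated before this method runs. The `updateState` change at 440 likewise passes `anchor` into `OCSPResponse.IssuerInfo` without saying why; presumably the anchor supplies issuer name and key when the certificate being checked was issued by the trust anchor itself, but that should be confirmed against `IssuerInfo` and stated in a one-line comment there. The enclosing method of the 723-764 hunk starts outside the hunk.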