/**
 * Extracts the OCSP responder location advertised by a certificate.
 *
 * The AuthorityInfoAccess extension is scanned for the first access
 * description whose method is id-ad-ocsp and whose location is a
 * uniformResourceIdentifier general name; that URI is returned.
 *
 * @param certImpl the certificate to inspect
 * @return the first OCSP responder URI found, or {@code null} when the
 *         certificate has no AIA extension or no OCSP entry with a URI
 *         location
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aiaExt = certImpl.getAuthorityInfoAccessExtension();
    if (aiaExt == null) {
        // No AIA extension: nothing advertises a responder.
        return null;
    }
    for (AccessDescription entry : aiaExt.getAccessDescriptions()) {
        // The cast pins the equals(Object) overload of the OID type.
        if (!entry.getAccessMethod().equals((Object) AccessDescription.Ad_OCSP_Id)) {
            continue;
        }
        GeneralName location = entry.getAccessLocation();
        if (location.getType() != GeneralNameInterface.NAME_URI) {
            // Other name forms (e.g. directory names) are not usable here.
            continue;
        }
        URIName uriName = (URIName) location.getName();
        return uriName.getURI();
    }
    return null;
}
/**
 * Tests this certificate for equality with another object.
 *
 * Two certificates are equal exactly when {@code other} is a
 * {@code Certificate} and both encode to the same byte sequence.
 * The equals/hashCode contract therefore requires {@code hashCode()}
 * to be derived from the same encoded form.
 *
 * @param other the object to compare against this certificate
 * @return {@code true} iff {@code other} is a {@code Certificate} whose
 *         encoded form matches this certificate's, {@code false} otherwise
 *         (including when either certificate cannot be encoded)
 */
public boolean equals(Object other) {
    if (other == this) {
        return true;
    }
    if (!(other instanceof Certificate)) {
        return false;
    }
    byte[] mine;
    byte[] theirs;
    try {
        mine = X509CertImpl.getEncodedInternal(this);
        theirs = X509CertImpl.getEncodedInternal((Certificate) other);
    } catch (CertificateException e) {
        // equals() cannot surface a checked exception; a certificate that
        // fails to encode is simply reported as not equal.
        return false;
    }
    return Arrays.equals(mine, theirs);
}
/**
 * Obtains the revocation status of {@code cert} via OCSP using the most
 * common defaults: the responder URI is read from the certificate's AIA
 * extension, the responder certificate is assumed to be the issuer's
 * certificate (or one issued by the issuer CA), no explicit validation
 * date is supplied, and no request extensions are sent.
 *
 * @param cert the certificate whose status is queried
 * @param issuerCert the certificate of {@code cert}'s issuer
 * @return the RevocationStatus for {@code cert}
 * @throws IOException if the responder cannot be contacted or the
 *         exchange with it fails
 * @throws CertPathValidatorException if the certificate advertises no
 *         OCSP responder URI, the request cannot be encoded, or the
 *         response fails validation
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert)
        throws IOException, CertPathValidatorException {
    URI responderURI;
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        responderURI = getResponderURI(certImpl);
        if (responderURI == null) {
            // Not caught below: the multi-catch only covers encoding errors.
            throw new CertPathValidatorException(
                    "No OCSP Responder URI in certificate");
        }
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException(
                "Exception while encoding OCSPRequest", e);
    }
    List<CertId> certIds = Collections.singletonList(certId);
    // null responderCert and null date select the defaults described above.
    OCSPResponse response = check(certIds, responderURI, issuerCert,
            null, null, Collections.<Extension>emptyList());
    return (RevocationStatus) response.getSingleResponse(certId);
}
/**
 * Obtains the revocation status of {@code cert} via OCSP with an explicit
 * responder URI, responder certificate, date and request extensions.
 *
 * Builds the CertId for {@code cert} under {@code issuerCert} and delegates
 * to the list-based check; all remaining arguments are passed through to
 * that method unchanged.
 *
 * @param cert the certificate whose status is queried
 * @param issuerCert the certificate of {@code cert}'s issuer
 * @param responderURI the OCSP responder to contact
 * @param responderCert the certificate expected to sign the response
 *        (passed through; the list-based check defines how {@code null}
 *        is handled)
 * @param date passed through as the validation date; {@code null} is
 *        handled by the list-based check
 * @param extensions request extensions to include
 * @return the RevocationStatus for {@code cert}
 * @throws IOException if the responder cannot be contacted or the
 *         exchange with it fails
 * @throws CertPathValidatorException if the request cannot be encoded
 *         or the response fails validation
 */
public static RevocationStatus check(X509Certificate cert,
        X509Certificate issuerCert, URI responderURI,
        X509Certificate responderCert, Date date,
        List<Extension> extensions)
        throws IOException, CertPathValidatorException {
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException(
                "Exception while encoding OCSPRequest", e);
    }
    OCSPResponse response = check(Collections.singletonList(certId),
            responderURI, issuerCert, responderCert, date, extensions);
    return (RevocationStatus) response.getSingleResponse(certId);
}
/**
 * Reports whether a certificate appears on the untrusted list.
 *
 * The certificate's fingerprint under the class-level {@code algorithm}
 * is looked up as a key in the class-level {@code props}. When no
 * algorithm is configured, or the certificate cannot be re-encoded as an
 * {@code X509CertImpl}, the certificate is reported as not listed.
 *
 * @param cert the certificate to check
 * @return {@code true} if the certificate's fingerprint is listed as
 *         untrusted, {@code false} otherwise
 */
public static boolean isUntrusted(X509Certificate cert) {
    if (algorithm == null) {
        // Nothing to fingerprint with, so no entry can match.
        return false;
    }
    X509CertImpl impl;
    if (cert instanceof X509CertImpl) {
        impl = (X509CertImpl) cert;
    } else {
        try {
            impl = new X509CertImpl(cert.getEncoded());
        } catch (CertificateException e) {
            // Best effort: an unencodable certificate cannot be looked up.
            // NOTE(review): this answers "not listed" rather than failing;
            // presumably such a certificate is rejected elsewhere — verify.
            return false;
        }
    }
    return props.containsKey(impl.getFingerprint(algorithm));
}
/**
 * Builds a selector for the issuer of {@code previousCert}, keyed on the
 * authority key identifier.
 *
 * The key identifier carried in {@code previousCert}'s AuthorityKeyIdentifier
 * extension names the issuer's key, so candidates are matched on their
 * SubjectKeyIdentifier. This only narrows the candidate set; it performs
 * no signature check.
 *
 * @param previousCert the certificate whose issuer is being sought, or
 *        {@code null}
 * @return a selector matching on subject key identifier, or {@code null}
 *         when {@code previousCert} is {@code null}, has no AKID
 *         extension, or its AKID carries no key identifier
 * @throws IOException if the extension cannot be read
 */
private X509CertSelector getSelector(X509CertImpl previousCert) throws IOException {
    if (previousCert == null) {
        return null;
    }
    AuthorityKeyIdentifierExtension akid = previousCert.getAuthorityKeyIdentifierExtension();
    if (akid == null) {
        return null;
    }
    byte[] issuerKeyId = akid.getEncodedKeyIdentifier();
    if (issuerKeyId == null) {
        // AKID present but expressed without a keyIdentifier field.
        return null;
    }
    X509CertSelector selector = new X509CertSelector();
    selector.setSubjectKeyIdentifier(issuerKeyId);
    return selector;
}
/**
 * Test entry point: verifies that CertId's issuer name hash equals an
 * independently computed SHA-1 digest of the DER-encoded subject name of
 * the certificate used as issuer.
 *
 * @param args ignored
 * @throws Exception if the certificate cannot be loaded or the hashes
 *         differ
 */
public static void main(String[] args) throws Exception {
    X509CertImpl issuer = loadCert(CERT_FILENAME);
    // Recompute the digest the same way CertId's constructor is expected to:
    // SHA-1 over the DER encoding of the issuer's subject name.
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    byte[] expected = sha1.digest(issuer.getSubjectX500Principal().getEncoded());
    // Serial number is irrelevant to the issuer name hash, so none is given.
    CertId id = new CertId(issuer, null);
    byte[] actual = id.getIssuerNameHash();
    if (!Arrays.equals(expected, actual)) {
        throw new Exception("Bad hash value for issuer name in CertId object");
    }
}
/**
 * Obtains the revocation status of {@code cert} via OCSP, supplying the
 * trust anchor alongside the issuer certificate and a {@code variant} tag.
 *
 * Builds the CertId for {@code cert} under {@code issuerCert}, wraps
 * {@code anchor} and {@code issuerCert} in an
 * {@code OCSPResponse.IssuerInfo}, and delegates to the list-based check;
 * the remaining arguments are passed through unchanged.
 *
 * @param cert the certificate whose status is queried
 * @param responderURI the OCSP responder to contact
 * @param anchor the trust anchor of the path being validated
 * @param issuerCert the certificate of {@code cert}'s issuer
 * @param responderCert the certificate expected to sign the response
 *        (passed through)
 * @param date passed through as the validation date
 * @param extensions request extensions to include
 * @param variant passed through to the list-based check
 * @return the RevocationStatus for {@code cert}
 * @throws IOException if the responder cannot be contacted or the
 *         exchange with it fails
 * @throws CertPathValidatorException if the request cannot be encoded
 *         or the response fails validation
 */
public static RevocationStatus check(X509Certificate cert, URI responderURI,
        TrustAnchor anchor, X509Certificate issuerCert,
        X509Certificate responderCert, Date date,
        List<Extension> extensions, String variant)
        throws IOException, CertPathValidatorException {
    CertId certId;
    try {
        X509CertImpl certImpl = X509CertImpl.toImpl(cert);
        certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
    } catch (CertificateException | IOException e) {
        throw new CertPathValidatorException(
                "Exception while encoding OCSPRequest", e);
    }
    OCSPResponse.IssuerInfo issuerInfo =
            new OCSPResponse.IssuerInfo(anchor, issuerCert);
    OCSPResponse response = check(Collections.singletonList(certId),
            responderURI, issuerInfo, responderCert, date, extensions, variant);
    return (RevocationStatus) response.getSingleResponse(certId);
}
/**
 * Returns the OCSP responder URI advertised in a certificate's
 * AuthorityInfoAccess extension.
 *
 * Access descriptions are scanned in order; the first one whose method is
 * id-ad-ocsp and whose location is a uniformResourceIdentifier yields the
 * result. OCSP entries with other location name types are skipped.
 *
 * @param certImpl the certificate to inspect
 * @return the responder URI, or {@code null} if the certificate has no
 *         AIA extension or no usable OCSP entry
 */
static URI getResponderURI(X509CertImpl certImpl) {
    AuthorityInfoAccessExtension aia = certImpl.getAuthorityInfoAccessExtension();
    if (aia != null) {
        List<AccessDescription> entries = aia.getAccessDescriptions();
        for (int i = 0; i < entries.size(); i++) {
            AccessDescription entry = entries.get(i);
            boolean isOcsp = entry.getAccessMethod().equals(AccessDescription.Ad_OCSP_Id);
            if (isOcsp) {
                GeneralName where = entry.getAccessLocation();
                if (where.getType() == GeneralNameInterface.NAME_URI) {
                    URIName uriName = (URIName) where.getName();
                    return uriName.getURI();
                }
            }
        }
    }
    return null;
}
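/**
 * Removes the trusted-certificate entry for the certificate in
 * {@code certFile} from the keystore in {@code keyStoreFile}, then removes
 * the matching record via {@code persistHelper}.
 *
 * The alias is derived from the certificate's subject name through
 * {@code certFactory}. The keystore is loaded and stored with the
 * class-level {@code pass} and {@code KEYSTORE_FORMAT}. Both file streams
 * are closed via try-with-resources, so they no longer leak when loading
 * or storing throws.
 *
 * @param certFile file holding the certificate whose entry is removed
 * @param keyStoreFile the keystore to update in place
 * @throws KeyStoreException wrapping any failure while reading the
 *         certificate, loading/storing the keystore, or deleting the
 *         persisted record
 */
public void removeCertFromKeyStore(File certFile, File keyStoreFile) throws KeyStoreException {
    try {
        X509CertImpl cert = (X509CertImpl) certFactory.getCertByFile(certFile);
        String alias = certFactory.getCertSubjectName(cert);
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_FORMAT);
        // The reader is closed before the writer is opened on the same file.
        try (FileInputStream fis = new FileInputStream(keyStoreFile)) {
            keyStore.load(fis, pass);
        }
        keyStore.deleteEntry(alias);
        // NOTE(review): store() rewrites the keystore in place; a failure
        // mid-write leaves a truncated file. Writing to a temp file and
        // moving it atomically would be more robust — consider.
        try (FileOutputStream fos = new FileOutputStream(keyStoreFile)) {
            keyStore.store(fos, pass);
        }
        LOGGER.info("Certificate with filename {} deleted from keyStore with filename {}",
                certFile.getAbsolutePath(), keyStoreFile.getAbsolutePath());
        persistHelper.deleteCertificate(alias);
    } catch (Exception e) {
        // Every failure is surfaced to callers as a KeyStoreException, with
        // the original cause preserved.
        LOGGER.error("Exception: ", e);
        throw new KeyStoreException("Caused by: ", e);
    }
}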
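/**
 * Adds the certificate in {@code certFile} to the keystore in
 * {@code keyStoreFile} as a trusted-certificate entry.
 *
 * The alias is derived from the certificate's subject name through
 * {@code certFactory}, so two certificates with the same subject map to
 * the same alias and {@code setCertificateEntry} replaces the earlier
 * trusted entry (it throws if the alias holds a key entry instead). The
 * keystore is loaded and stored with the class-level {@code pass} and
 * {@code KEYSTORE_FORMAT}. Both file streams are closed via
 * try-with-resources, so they no longer leak when loading or storing throws.
 *
 * @param certFile file holding the certificate to store
 * @param keyStoreFile the keystore to update in place
 * @throws KeyStoreException wrapping any failure while reading the
 *         certificate or loading/storing the keystore
 */
public void storeCertToKeyStore(File certFile, File keyStoreFile) throws KeyStoreException {
    try {
        X509CertImpl cert = (X509CertImpl) certFactory.getCertByFile(certFile);
        String alias = certFactory.getCertSubjectName(cert);
        LOGGER.info("Certificate with filename {} has Subject name {}",
                certFile.getAbsolutePath(), alias);
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_FORMAT);
        // The reader is closed before the writer is opened on the same file.
        try (FileInputStream fis = new FileInputStream(keyStoreFile)) {
            keyStore.load(fis, pass);
        }
        LOGGER.info("KeyStore load successful");
        keyStore.setCertificateEntry(alias, cert);
        // NOTE(review): store() rewrites the keystore in place; a failure
        // mid-write leaves a truncated file. Writing to a temp file and
        // moving it atomically would be more robust — consider.
        try (FileOutputStream fos = new FileOutputStream(keyStoreFile)) {
            keyStore.store(fos, pass);
        }
        LOGGER.info("Certificate with filename {} stored in keyStore with filename {}",
                certFile.getAbsolutePath(), keyStoreFile.getAbsolutePath());
    } catch (Exception e) {
        // Every failure is surfaced to callers as a KeyStoreException, with
        // the original cause preserved.
        LOGGER.error("Exception: ", e);
        throw new KeyStoreException("Caused by: ", e);
    }
}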