private void checkConstraints(Set<CryptoPrimitive> primitives, CertConstraintParameters cp) throws CertPathValidatorException { X509Certificate cert = cp.getCertificate(); String algorithm = cert.getSigAlgName(); // Check signature algorithm is not disabled if (!permits(primitives, algorithm, null)) { throw new CertPathValidatorException( "Algorithm constraints check failed on disabled "+ "signature algorithm: " + algorithm, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } // Check key algorithm is not disabled if (!permits(primitives, cert.getPublicKey().getAlgorithm(), null)) { throw new CertPathValidatorException( "Algorithm constraints check failed on disabled "+ "public key algorithm: " + algorithm, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } // Check the certificate and key constraints algorithmConstraints.permits(cp); }
public void permits(CertConstraintParameters cp) throws CertPathValidatorException { if (debug != null) { debug.println("jdkCAConstraints.permits(): " + algorithm); } // Return false if the chain has a trust anchor in cacerts if (cp.isTrustedMatch()) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on certificate " + "anchor limits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public static void main(String args[]) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. Security.setProperty( "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); CertPath path = generateCertificatePath(); Set<TrustAnchor> anchors = generateTrustAnchors(); CertStore crls = generateCertificateStore(); PKIXParameters params = new PKIXParameters(anchors); // add the CRL store params.addCertStore(crls); // Activate certificate revocation checking params.setRevocationEnabled(true); // set the validation time params.setDate(new Date(109, 5, 1)); // 2009-05-01 // disable OCSP checker Security.setProperty("ocsp.enable", "false"); // enable CRL checker System.setProperty("com.sun.security.enableCRLDP", "true"); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); try { validator.validate(path, params); } catch (CertPathValidatorException cpve) { if (cpve.getReason() != BasicReason.REVOKED) { throw new Exception( "unexpect exception, should be a REVOKED CPVE", cpve); } } }
/** * When a failure happens during certificate checking from an * {@link X509TrustManager}, determine what TLS alert description to use. * * @param cexc The exception thrown by the {@link X509TrustManager} * * @return A byte value corresponding to a TLS alert description number. */ private byte getCertificateAlert(CertificateException cexc) { // The specific reason for the failure will determine how to // set the alert description value byte alertDesc = Alerts.alert_certificate_unknown; Throwable baseCause = cexc.getCause(); if (baseCause instanceof CertPathValidatorException) { CertPathValidatorException cpve = (CertPathValidatorException)baseCause; Reason reason = cpve.getReason(); if (reason == BasicReason.REVOKED) { alertDesc = staplingActive ? Alerts.alert_bad_certificate_status_response : Alerts.alert_certificate_revoked; } else if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) { alertDesc = staplingActive ? Alerts.alert_bad_certificate_status_response : Alerts.alert_certificate_unknown; } } return alertDesc; }
@Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { if (debug != null) { debug.println("jdkCAConstraints.permits(): " + algorithm); } // Check chain has a trust anchor in cacerts if (cp.isTrustedMatch()) { if (next(cp)) { return; } throw new CertPathValidatorException( "Algorithm constraints check failed on certificate " + "anchor limits. " + algorithm + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
@Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Key key = null; if (cp.getPublicKey() != null) { key = cp.getPublicKey(); } else if (cp.getCertificate() != null) { key = cp.getCertificate().getPublicKey(); } if (key != null && !permitsImpl(key)) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on keysize limits. " + algorithm + " " + KeyUtil.getKeySize(key) + "bit key" + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public static void main(String args[]) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. Security.setProperty( "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); CertPath path = generateCertificatePath(); Set<TrustAnchor> anchors = generateTrustAnchors(); CertStore crls = generateCertificateStore(); PKIXParameters params = new PKIXParameters(anchors); // add the CRL store params.addCertStore(crls); // Activate certificate revocation checking params.setRevocationEnabled(true); // Activate OCSP Security.setProperty("ocsp.enable", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); // Ensure that the ocsp.responderURL property is not set. if (Security.getProperty("ocsp.responderURL") != null) { throw new Exception("The ocsp.responderURL property must not be set"); } CertPathValidator validator = CertPathValidator.getInstance("PKIX"); try { validator.validate(path, params); } catch (CertPathValidatorException cpve) { if (cpve.getReason() != BasicReason.REVOKED) { throw new Exception( "unexpected exception, should be a REVOKED CPVE", cpve); } } }
/** * Checks a validation failure to see if it failed for the reason we think * it should. This comes in as an SSLException of some sort, but it * encapsulates a ValidatorException which in turn encapsulates the * CertPathValidatorException we are interested in. * * @param e the exception thrown at the top level * @param reason the underlying CertPathValidatorException BasicReason * we are expecting it to have. * * @return true if the reason matches up, false otherwise. */ static boolean checkClientValidationFailure(Exception e, BasicReason reason) { boolean result = false; if (e instanceof SSLException) { Throwable valExc = e.getCause(); if (valExc instanceof sun.security.validator.ValidatorException) { Throwable cause = valExc.getCause(); if (cause instanceof CertPathValidatorException) { CertPathValidatorException cpve = (CertPathValidatorException)cause; if (cpve.getReason() == reason) { result = true; } } } } return result; }
public void permits(CertConstraintParameters cp) throws CertPathValidatorException { if (debug != null) { debug.println("jdkCAConstraints.permits(): " + algorithm); } // Check chain has a trust anchor in cacerts if (cp.isTrustedMatch()) { if (next(cp)) { return; } throw new CertPathValidatorException( "Algorithm constraints check failed on certificate " + "anchor limits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
@Override public void permits(CertConstraintParameters cp) throws CertPathValidatorException { Date currentDate; if (cp.getPKIXParamDate() != null) { currentDate = cp.getPKIXParamDate(); } else { currentDate = new Date(); } if (!denyAfterDate.after(currentDate)) { if (next(cp)) { return; } throw new CertPathValidatorException( "denyAfter constraint check failed. " + "Constraint date: " + dateFormat.format(denyAfterDate) + "; Cert date: " + dateFormat.format(currentDate), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public void permits(ConstraintsParameters cp) throws CertPathValidatorException { if (debug != null) { debug.println("jdkCAConstraints.permits(): " + algorithm); } // Check chain has a trust anchor in cacerts if (cp.isTrustedMatch()) { if (next(cp)) { return; } throw new CertPathValidatorException( "Algorithm constraints check failed on certificate " + "anchor limits. " + algorithm + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Key key = null; if (cp.getPublicKey() != null) { key = cp.getPublicKey(); } else if (cp.getCertificate() != null) { key = cp.getCertificate().getPublicKey(); } if (key != null && !permitsImpl(key)) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on keysize limits. " + algorithm + " " + size + "bit key" + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Key key = null; if (cp.getPublicKey() != null) { key = cp.getPublicKey(); } else if (cp.getCertificate() != null) { key = cp.getCertificate().getPublicKey(); } if (key != null && !permitsImpl(key)) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on keysize limits. " + algorithm + " " + KeyUtil.getKeySize(key) + "bit key" + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
/** * Check the signature algorithm with the specified public key. * * @param key the public key to verify the CRL signature * @param crl the target CRL */ static void check(PublicKey key, AlgorithmId algorithmId) throws CertPathValidatorException { String sigAlgName = algorithmId.getName(); AlgorithmParameters sigAlgParams = algorithmId.getParameters(); if (!certPathDefaultConstraints.permits( SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { throw new CertPathValidatorException( "algorithm check failed: " + sigAlgName + " is disabled", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
private boolean isSoftFailException(CertPathValidatorException e) { if (softFail && e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) { // recreate exception with correct index CertPathValidatorException e2 = new CertPathValidatorException( e.getMessage(), e.getCause(), params.certPath(), certIndex, e.getReason()); softFailExceptions.addFirst(e2); return true; } return false; }
/** * We have a cert whose revocation status couldn't be verified by * a CRL issued by the cert that issued the CRL. See if we can * find a valid CRL issued by a separate key that can verify the * revocation status of this certificate. * <p> * Note that this does not provide support for indirect CRLs, * only CRLs signed with a different key (but the same issuer * name) as the certificate being checked. * * @param currCert the <code>X509Certificate</code> to be checked * @param prevKey the <code>PublicKey</code> that failed * @param signFlag <code>true</code> if that key was trusted to sign CRLs * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s> * whose revocation status depends on the * non-revoked status of this cert. To avoid * circular dependencies, we assume they're * revoked while checking the revocation * status of this cert. * @throws CertPathValidatorException if the cert's revocation status * cannot be verified successfully with another key */ private void verifyWithSeparateSigningKey(X509Certificate cert, PublicKey prevKey, boolean signFlag, Set<X509Certificate> stackedCerts) throws CertPathValidatorException { String msg = "revocation status"; if (debug != null) { debug.println( "RevocationChecker.verifyWithSeparateSigningKey()" + " ---checking " + msg + "..."); } // reject circular dependencies - RFC 3280 is not explicit on how // to handle this, so we feel it is safest to reject them until // the issue is resolved in the PKIX WG. if ((stackedCerts != null) && stackedCerts.contains(cert)) { if (debug != null) { debug.println( "RevocationChecker.verifyWithSeparateSigningKey()" + " circular dependency"); } throw new CertPathValidatorException ("Could not determine revocation status", null, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS); } // Try to find another key that might be able to sign // CRLs vouching for this cert. // If prevKey wasn't trusted, maybe we just didn't have the right // path to it. Don't rule that key out. if (!signFlag) { buildToNewKey(cert, null, stackedCerts); } else { buildToNewKey(cert, prevKey, stackedCerts); } }
/** * Check the signature algorithm with the specified public key. * * @param key the public key to verify the CRL signature * @param crl the target CRL */ static void check(PublicKey key, AlgorithmId algorithmId) throws CertPathValidatorException { String sigAlgName = algorithmId.getName(); AlgorithmParameters sigAlgParams = algorithmId.getParameters(); if (!certPathDefaultConstraints.permits( SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { throw new CertPathValidatorException( "Algorithm constraints check failed on signature algorithm: " + sigAlgName + " is disabled", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public void permits(CertConstraintParameters cp) throws CertPathValidatorException { if (!permitsImpl(cp.getCertificate().getPublicKey())) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on keysize limits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } }
public static void main(String args[]) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. Security.setProperty( "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); CertPath path = generateCertificatePath(); Set<TrustAnchor> anchors = generateTrustAnchors(); CertStore crls = generateCertificateStore(); PKIXParameters params = new PKIXParameters(anchors); // add the CRL store params.addCertStore(crls); // Activate certificate revocation checking params.setRevocationEnabled(true); // set the validation time params.setDate(new Date(109, 5, 1)); // 2009-05-01 // disable OCSP checker Security.setProperty("ocsp.enable", "false"); // enable CRL checker System.setProperty("com.sun.security.enableCRLDP", "true"); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); try { validator.validate(path, params); throw new Exception("unexpected status, should be REVOKED"); } catch (CertPathValidatorException cpve) { if (cpve.getReason() != BasicReason.REVOKED) { throw new Exception( "unexpected exception, should be a REVOKED CPVE", cpve); } } }
public static void main(String args[]) throws Exception { // MD5 is used in this test case, don't disable MD5 algorithm. Security.setProperty( "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); CertPath path = generateCertificatePath(); Set<TrustAnchor> anchors = generateTrustAnchors(); CertStore crls = generateCertificateStore(); PKIXParameters params = new PKIXParameters(anchors); // add the CRL store params.addCertStore(crls); // Activate certificate revocation checking params.setRevocationEnabled(true); // set the validation time params.setDate(new Date(109, 5, 1)); // 2009-05-01 // disable OCSP checker Security.setProperty("ocsp.enable", "false"); // enable CRL checker System.setProperty("com.sun.security.enableCRLDP", "true"); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); try { validator.validate(path, params); throw new Exception("unexpected status, should be REVOKED"); } catch (CertPathValidatorException cpve) { if (cpve.getReason() != BasicReason.REVOKED) { throw new Exception( "unexpect exception, should be a REVOKED CPVE", cpve); } } }
/** * Checks the revocation status of a list of certificates using OCSP. * * @param certIds the CertIds to be checked * @param responderURI the URI of the OCSP responder * @param issuerInfo the issuer's certificate and/or subject and public key * @param responderCert the OCSP responder's certificate * @param date the time the validity of the OCSP responder's certificate * should be checked against. If null, the current time is used. * @param extensions zero or more OCSP extensions to be included in the * request. If no extensions are requested, an empty {@code List} must * be used. A {@code null} value is not allowed. * @return the OCSPResponse * @throws IOException if there is an exception connecting to or * communicating with the OCSP responder * @throws CertPathValidatorException if an exception occurs while * encoding the OCSP Request or validating the OCSP Response */ static OCSPResponse check(List<CertId> certIds, URI responderURI, OCSPResponse.IssuerInfo issuerInfo, X509Certificate responderCert, Date date, List<Extension> extensions, String variant) throws IOException, CertPathValidatorException { byte[] nonce = null; for (Extension ext : extensions) { if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) { nonce = ext.getValue(); } } OCSPResponse ocspResponse = null; try { byte[] response = getOCSPBytes(certIds, responderURI, extensions); ocspResponse = new OCSPResponse(response); // verify the response ocspResponse.verify(certIds, issuerInfo, responderCert, date, nonce, variant); } catch (IOException ioe) { throw new CertPathValidatorException( "Unable to determine revocation status due to network error", ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS); } return ocspResponse; }
/** * We have a cert whose revocation status couldn't be verified by * a CRL issued by the cert that issued the CRL. See if we can * find a valid CRL issued by a separate key that can verify the * revocation status of this certificate. * <p> * Note that this does not provide support for indirect CRLs, * only CRLs signed with a different key (but the same issuer * name) as the certificate being checked. * * @param currCert the <code>X509Certificate</code> to be checked * @param prevKey the <code>PublicKey</code> that failed * @param signFlag <code>true</code> if that key was trusted to sign CRLs * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s> * whose revocation status depends on the * non-revoked status of this cert. To avoid * circular dependencies, we assume they're * revoked while checking the revocation * status of this cert. * @throws CertPathValidatorException if the cert's revocation status * cannot be verified successfully with another key */ private void verifyWithSeparateSigningKey(X509Certificate cert, PublicKey prevKey, boolean signFlag, Set<X509Certificate> stackedCerts) throws CertPathValidatorException { String msg = "revocation status"; if (debug != null) { debug.println( "RevocationChecker.verifyWithSeparateSigningKey()" + " ---checking " + msg + "..."); } // Reject circular dependencies - RFC 5280 is not explicit on how // to handle this, but does suggest that they can be a security // risk and can create unresolvable dependencies if ((stackedCerts != null) && stackedCerts.contains(cert)) { if (debug != null) { debug.println( "RevocationChecker.verifyWithSeparateSigningKey()" + " circular dependency"); } throw new CertPathValidatorException ("Could not determine revocation status", null, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS); } // Try to find another key that might be able to sign // CRLs vouching for this cert. // If prevKey wasn't trusted, maybe we just didn't have the right // path to it. Don't rule that key out. if (!signFlag) { buildToNewKey(cert, null, stackedCerts); } else { buildToNewKey(cert, prevKey, stackedCerts); } }
@Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { for (String usage : usages) { String v = null; if (usage.compareToIgnoreCase("TLSServer") == 0) { v = Validator.VAR_TLS_SERVER; } else if (usage.compareToIgnoreCase("TLSClient") == 0) { v = Validator.VAR_TLS_CLIENT; } else if (usage.compareToIgnoreCase("SignedJAR") == 0) { v = Validator.VAR_PLUGIN_CODE_SIGNING; } if (debug != null) { debug.println("Checking if usage constraint \"" + v + "\" matches \"" + cp.getVariant() + "\""); if (Debug.isVerbose()) { // Because usage checking can come from many places // a stack trace is very helpful. (new Exception()).printStackTrace(debug.getPrintStream()); } } if (cp.getVariant().compareTo(v) == 0) { if (next(cp)) { return; } throw new CertPathValidatorException("Usage constraint " + usage + " check failed: " + algorithm + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } }
@Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { throw new CertPathValidatorException( "Algorithm constraints check failed on disabled " + "algorithm: " + algorithm + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); }
public static void main(String[] args) throws Exception { // EE_CERT is signed with MD5withRSA Security.setProperty("jdk.certpath.disabledAlgorithms", ""); cf = CertificateFactory.getInstance("X.509"); X509Certificate taCert = getX509Cert(TRUST_ANCHOR); X509Certificate eeCert = getX509Cert(EE_CERT); CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert)); CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXRevocationChecker prc = (PKIXRevocationChecker)cpv.getRevocationChecker(); prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK)); byte[] response = base64Decoder.decode(OCSP_RESPONSE); prc.setOcspResponses(Collections.singletonMap(eeCert, response)); TrustAnchor ta = new TrustAnchor(taCert, null); PKIXParameters params = new PKIXParameters(Collections.singleton(ta)); params.addCertPathChecker(prc); try { cpv.validate(cp, params); throw new Exception("FAILED: expected CertPathValidatorException"); } catch (CertPathValidatorException cpve) { cpve.printStackTrace(); if (cpve.getReason() != BasicReason.UNSPECIFIED && !cpve.getMessage().contains("OCSP response error: UNAUTHORIZED")) { throw new Exception("FAILED: unexpected " + "CertPathValidatorException reason"); } } }
