List of usage examples for java.security.cert CRL isRevoked
public abstract boolean isRevoked(Certificate cert);
From source file:controller.CCInstance.java
public final ArrayList<SignatureValidation> validatePDF(final String file, final ValidationListener vl) throws IOException, DocumentException, GeneralSecurityException { this.validating = true; final PdfReader reader = new PdfReader(file); final AcroFields af = reader.getAcroFields(); final ArrayList names = af.getSignatureNames(); final ArrayList<SignatureValidation> validateList = new ArrayList<>(); X509Certificate x509c = null; Security.setProperty("ocsp.enable", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); boolean nextValid = true; for (Object o : names) { if (!validating) { return null; }// w w w .ja v a 2 s .c o m final String name = (String) o; final PdfPKCS7 pk = af.verifySignature(name, "BC"); final Certificate pkc[] = pk.getCertificates(); x509c = (X509Certificate) pkc[pkc.length - 1]; final Certificate[] aL = pkc;//getCompleteCertificateChain(x509c); if (null == aL || 0 == aL.length) { return null; } CertificateStatus ocspCertificateStatus = CertificateStatus.UNCHECKED; BasicOCSPResp ocspResp = pk.getOcsp(); if (null != ocspResp && pk.isRevocationValid()) { for (SingleResp singleResp : ocspResp.getResponses()) { if (null == singleResp.getCertStatus()) { ocspCertificateStatus = CertificateStatus.OK; } else if (singleResp.getCertStatus() instanceof RevokedStatus) { if (ocspResp.getProducedAt() .before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) { ocspCertificateStatus = CertificateStatus.OK; } else { ocspCertificateStatus = CertificateStatus.REVOKED; } } else if (singleResp.getCertStatus() instanceof UnknownStatus) { ocspCertificateStatus = CertificateStatus.UNKNOWN; } } } CertificateStatus crlCertificateStatus = CertificateStatus.UNCHECKED; Collection<CRL> crlResp = pk.getCRLs(); if (null != crlResp) { boolean revoked = false; for (CRL crl : crlResp) { if (crl.isRevoked(x509c)) { revoked = true; } } crlCertificateStatus = revoked ? CertificateStatus.REVOKED : CertificateStatus.OK; } if (ocspCertificateStatus.equals(CertificateStatus.UNCHECKED) && crlCertificateStatus.equals(CertificateStatus.UNCHECKED)) { if (pkc.length == 1) { Certificate[] completeChain = getCompleteTrustedCertificateChain(x509c); if (completeChain.length == 1) { ocspCertificateStatus = CertificateStatus.UNCHAINED; } else { ocspCertificateStatus = CertificateStatus.CHAINED_LOCALLY; } } } final TimeStampToken tst = pk.getTimeStampToken(); boolean validTimestamp = false; if (null != tst) { final boolean hasTimestamp = pk.verifyTimestampImprint(); validTimestamp = hasTimestamp && CertificateVerification.verifyTimestampCertificates(tst, ks, null); } PdfDictionary pdfDic = reader.getAcroFields().getSignatureDictionary(name); SignaturePermissions sp = new SignaturePermissions(pdfDic, null); boolean isValid; if (nextValid) { isValid = pk.verify(); } else { isValid = false; } List<AcroFields.FieldPosition> posList = af.getFieldPositions(name); final SignatureValidation signature = new SignatureValidation(file, name, pk, !pk.verify(), af.signatureCoversWholeDocument(name), af.getRevision(name), af.getTotalRevisions(), reader.getCertificationLevel(), ocspCertificateStatus, crlCertificateStatus, validTimestamp, posList, sp, isValid); validateList.add(signature); if (null != vl) { vl.onValidationComplete(signature); } if (!sp.isFillInAllowed()) { nextValid = false; } } return validateList; }
From source file:org.cesecore.util.PKIXCertRevocationStatusChecker.java
/** * Check the revocation status of 'cert' using a CRL * @param cert the certificate whose revocation status is to be checked * @throws CertPathValidatorException/*from w ww . j a v a 2 s . c om*/ */ private void fallBackToCrl(final Certificate cert, final String issuerDN) throws CertPathValidatorException { final ArrayList<URL> crlUrls = getCrlUrl(cert); if (crlUrls.isEmpty()) { final String errmsg = "Failed to verify certificate status using the fallback CRL method. Could not find a CRL URL"; log.info(errmsg); throw new CertPathValidatorException(errmsg); } if (log.isDebugEnabled()) { log.debug("Found " + crlUrls.size() + " CRL URLs"); } CRL crl = null; for (URL url : crlUrls) { crl = getCRL(url); if (crl != null) { if (isCorrectCRL(crl, issuerDN)) { final boolean isRevoked = crl.isRevoked(cert); this.crl = crl; if (isRevoked) { throw new CertPathValidatorException("Certificate with serialnumber " + CertTools.getSerialNumberAsString(cert) + " was revoked"); } break; } } } if (this.crl == null) { throw new CertPathValidatorException( "Failed to verify certificate status using CRL. Could not find a CRL issued by " + issuerDN + " reasonably lately"); } }
From source file:org.roda.common.certification.ODFSignatureUtils.java
private static void verifyCertificates(Path input, Node signatureNode) throws MarshalException, XMLSignatureException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, KeyStoreException { XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM"); DOMValidateContext domValidateContext = new DOMValidateContext(new KeyInfoKeySelector(), signatureNode); XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext); xmlSignature.getSignatureValue().validate(domValidateContext); // xmlSignature.validate(domValidateContext); KeyInfo keyInfo = xmlSignature.getKeyInfo(); Iterator<?> it = keyInfo.getContent().iterator(); List<X509Certificate> certs = new ArrayList<X509Certificate>(); List<CRL> crls = new ArrayList<CRL>(); while (it.hasNext()) { XMLStructure content = (XMLStructure) it.next(); if (content instanceof X509Data) { X509Data certdata = (X509Data) content; Object[] entries = certdata.getContent().toArray(); for (int i = 0; i < entries.length; i++) { if (entries[i] instanceof X509CRL) { X509CRL crl = (X509CRL) entries[i]; crls.add(crl);/*from w w w . java 2 s. com*/ } if (entries[i] instanceof X509Certificate) { X509Certificate cert = (X509Certificate) entries[i]; cert.checkValidity(); certs.add(cert); } } } } for (CRL c : crls) { for (X509Certificate cert : certs) { if (c.isRevoked(cert)) throw new CertificateRevokedException(null, null, null, null); } } }
From source file:org.roda.common.certification.PDFSignatureUtils.java
public static String runDigitalSignatureVerify(Path input) throws IOException, GeneralSecurityException { Security.addProvider(new BouncyCastleProvider()); PdfReader reader = new PdfReader(input.toString()); AcroFields fields = reader.getAcroFields(); ArrayList<String> names = fields.getSignatureNames(); String result = "Passed"; for (int i = 0; i < names.size(); i++) { String name = names.get(i); try {/*from w w w . j a v a2s . c o m*/ PdfPKCS7 pk = fields.verifySignature(name); X509Certificate certificate = pk.getSigningCertificate(); certificate.checkValidity(); if (!SignatureUtils.isCertificateSelfSigned(certificate)) { Set<Certificate> trustedRootCerts = new HashSet<Certificate>(); Set<Certificate> intermediateCerts = new HashSet<Certificate>(); for (Certificate c : pk.getSignCertificateChain()) { X509Certificate cert = (X509Certificate) c; cert.checkValidity(); if (SignatureUtils.isCertificateSelfSigned(c)) trustedRootCerts.add(c); else intermediateCerts.add(c); } SignatureUtils.verifyCertificateChain(trustedRootCerts, intermediateCerts, certificate); if (pk.getCRLs() != null) { for (CRL crl : pk.getCRLs()) { if (crl.isRevoked(certificate)) { result = "Signing certificate is included on a Certificate Revocation List"; } } } } } catch (NoSuchFieldError e) { result = "Missing signature timestamp field"; } catch (CertificateExpiredException e) { result = "Contains expired certificates"; } catch (CertificateNotYetValidException e) { result = "Contains certificates not yet valid"; } } reader.close(); return result; }
From source file:org.roda.core.plugins.plugins.characterization.ODFSignatureUtils.java
private static void verifyCertificates(Node signatureNode) throws MarshalException, XMLSignatureException, NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException { XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM"); DOMValidateContext domValidateContext = new DOMValidateContext(new KeyInfoKeySelector(), signatureNode); XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext); xmlSignature.getSignatureValue().validate(domValidateContext); // xmlSignature.validate(domValidateContext); KeyInfo keyInfo = xmlSignature.getKeyInfo(); Iterator<?> it = keyInfo.getContent().iterator(); List<X509Certificate> certs = new ArrayList<>(); List<CRL> crls = new ArrayList<>(); while (it.hasNext()) { XMLStructure content = (XMLStructure) it.next(); if (content instanceof X509Data) { X509Data certdata = (X509Data) content; Object[] entries = certdata.getContent().toArray(); for (int i = 0; i < entries.length; i++) { if (entries[i] instanceof X509CRL) { X509CRL crl = (X509CRL) entries[i]; crls.add(crl);//from ww w . ja v a 2 s. co m } if (entries[i] instanceof X509Certificate) { X509Certificate cert = (X509Certificate) entries[i]; cert.checkValidity(); certs.add(cert); } } } } for (CRL c : crls) { for (X509Certificate cert : certs) { if (c.isRevoked(cert)) throw new CertificateRevokedException(null, null, null, null); } } }