private static void permissionCheck() {
SecurityManager sec = System.getSecurityManager();
if (sec != null) {
sec.checkPermission(new RuntimePermission("useKeychainStore"));
}
}
public String toString() {
String LINE_SEP = System.getProperty("line.separator");
StringBuffer strbuf =
new StringBuffer(
"SunJCE Diffie-Hellman Public Key:"
+ LINE_SEP
+ "y:"
+ LINE_SEP
+ Debug.toHexString(this.y)
+ LINE_SEP
+ "p:"
+ LINE_SEP
+ Debug.toHexString(this.p)
+ LINE_SEP
+ "g:"
+ LINE_SEP
+ Debug.toHexString(this.g));
if (this.l != 0) strbuf.append(LINE_SEP + "l:" + LINE_SEP + " " + this.l);
return strbuf.toString();
}
void verify(List<CertId> certIds, X509Certificate responderCert, Date date, byte[] nonce)
throws CertPathValidatorException {
switch (responseStatus) {
case SUCCESSFUL:
break;
case TRY_LATER:
case INTERNAL_ERROR:
throw new CertPathValidatorException(
"OCSP response error: " + responseStatus,
null,
null,
-1,
BasicReason.UNDETERMINED_REVOCATION_STATUS);
case UNAUTHORIZED:
default:
throw new CertPathValidatorException("OCSP response error: " + responseStatus);
}
// Check that the response includes a response for all of the
// certs that were supplied in the request
for (CertId certId : certIds) {
SingleResponse sr = getSingleResponse(certId);
if (sr == null) {
if (debug != null) {
debug.println("No response found for CertId: " + certId);
}
throw new CertPathValidatorException(
"OCSP response does not include a response for a "
+ "certificate supplied in the OCSP request");
}
if (debug != null) {
debug.println(
"Status of certificate (with serial number "
+ certId.getSerialNumber()
+ ") is: "
+ sr.getCertStatus());
}
}
// Check whether the cert returned by the responder is trusted
if (!certs.isEmpty()) {
X509CertImpl cert = certs.get(0);
// First check if the cert matches the expected responder cert
if (cert.equals(responderCert)) {
// cert is trusted, now verify the signed response
// Next check if the cert was issued by the responder cert
// which was set locally.
} else if (cert.getIssuerX500Principal().equals(responderCert.getSubjectX500Principal())) {
// Check for the OCSPSigning key purpose
try {
List<String> keyPurposes = cert.getExtendedKeyUsage();
if (keyPurposes == null || !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses");
}
} catch (CertificateParsingException cpe) {
// assume cert is not valid for signing
throw new CertPathValidatorException(
"Responder's certificate not valid for signing " + "OCSP responses", cpe);
}
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker algChecker = new AlgorithmChecker(new TrustAnchor(responderCert, null));
algChecker.init(false);
algChecker.check(cert, Collections.<String>emptySet());
// check the validity
try {
if (date == null) {
cert.checkValidity();
} else {
cert.checkValidity(date);
}
} catch (CertificateException e) {
throw new CertPathValidatorException(
"Responder's certificate not within the " + "validity period", e);
}
// check for revocation
//
// A CA may specify that an OCSP client can trust a
// responder for the lifetime of the responder's
// certificate. The CA does so by including the
// extension id-pkix-ocsp-nocheck.
//
Extension noCheck = cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
if (noCheck != null) {
if (debug != null) {
debug.println(
"Responder's certificate includes " + "the extension id-pkix-ocsp-nocheck.");
}
} else {
// we should do the revocation checking of the
// authorized responder in a future update.
}
// verify the signature
try {
cert.verify(responderCert.getPublicKey());
responderCert = cert;
// cert is trusted, now verify the signed response
} catch (GeneralSecurityException e) {
responderCert = null;
}
} else {
throw new CertPathValidatorException(
"Responder's certificate is not authorized to sign " + "OCSP responses");
}
}
// Confirm that the signed response was generated using the public
// key from the trusted responder cert
if (responderCert != null) {
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
AlgorithmChecker.check(responderCert.getPublicKey(), sigAlgId);
if (!verifySignature(responderCert)) {
throw new CertPathValidatorException("Error verifying OCSP Response's signature");
}
} else {
// Need responder's cert in order to verify the signature
throw new CertPathValidatorException("Unable to verify OCSP Response's signature");
}
// Check freshness of OCSPResponse
if (nonce != null) {
if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) {
throw new CertPathValidatorException("Nonces don't match");
}
}
long now = (date == null) ? System.currentTimeMillis() : date.getTime();
Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
for (SingleResponse sr : singleResponseMap.values()) {
if (debug != null) {
String until = "";
if (sr.nextUpdate != null) {
until = " until " + sr.nextUpdate;
}
debug.println("Response's validity interval is from " + sr.thisUpdate + until);
}
// Check that the test date is within the validity interval
if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate))
|| (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) {
throw new CertPathValidatorException(
"Response is unreliable: its validity " + "interval is out-of-date");
}
}
}