You are viewing a plain text version of this content. The canonical link for it is here.
Posted to tsik-dev@ws.apache.org by ha...@apache.org on 2006/03/29 20:57:18 UTC
svn commit: r389866 - in /incubator/tsik/trunk: src/org/apache/tsik/crl/
src/org/apache/tsik/verifier/ test/src/org/apache/tsik/crl/test/
test/src/org/apache/tsik/verifier/test/
Author: hans
Date: Wed Mar 29 10:57:17 2006
New Revision: 389866
URL: http://svn.apache.org/viewcvs?rev=389866&view=rev
Log:
Enhance trust verifiers to perform timestamp based certificate and crl verifications (patch by Gopikrishna Santhanakrishnan, VeriSign)
Modified:
incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermissiveTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustVerifier.java
incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestCrl.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/AndOrNotTests.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/CachingTests.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/SSLAndHttpsTests.java
Modified: incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -25,11 +25,13 @@
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
@@ -115,6 +117,12 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
X509Certificate cert = chain[0];
boolean refreshCRL = true;
@@ -225,9 +233,21 @@
}
}
- if (crl.isRevoked(cert)) {
- throw new TrustVerificationException(
- certName + "is revoked according to CRL found at " + cdp);
+ if (date != null) {
+ X509CRLEntry crlEntry = crl.getRevokedCertificate(cert
+ .getSerialNumber());
+ if (crlEntry != null) {
+ Date revocationDate = crlEntry.getRevocationDate();
+ if (revocationDate != null && !revocationDate.after(date))
+ throw new TrustVerificationException(certName
+ + "is revoked before [" + date
+ + "]according to CRL found at " + cdp);
+ }
+ } else {
+ if (crl.isRevoked(cert)) {
+ throw new TrustVerificationException(certName
+ + "is revoked according to CRL found at " + cdp);
+ }
}
}
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermissiveTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermissiveTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermissiveTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermissiveTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,7 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
/**
* A trivial TrustVerifier implementation that trusts anything and everything.
@@ -52,4 +53,9 @@
throws TrustVerificationException
{
}
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
+ }
}
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,8 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Uses an array of other verifiers to determine whether to trust a key or
@@ -66,8 +68,15 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
for (int i = 0; i < verifiers.length; i += 1) {
- verifiers[i].verifyTrust(chain);
+ verifiers[i].verifyTrust(chain, date);
}
}
+
}
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -22,6 +22,8 @@
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.apache.tsik.datatypes.HashedByteArray;
@@ -126,6 +128,12 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
StringBuffer certKey = new StringBuffer(200 * chain.length);
for (int i = 0; i < chain.length; i += 1) {
Principal issuerDN = chain[i].getIssuerDN();
@@ -136,7 +144,7 @@
Entry entry = getEntry(certMap, certKey.toString());
if (shouldVerifyNow(entry)) {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
entry.exception = null;
} catch (TrustVerificationException e) {
entry.exception = e;
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -21,6 +21,8 @@
import org.apache.tsik.xmlsig.KeyInfo;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Captures key information during trust verifications.
@@ -80,6 +82,12 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
+ {
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
{
keyInfo = new KeyInfo();
keyInfo.setCertificateChain(chain);
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,8 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Calendar;
/**
* Negates another verifier to determine whether to trust a key or certificate.
@@ -75,8 +77,14 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
} catch (TrustVerificationException e) {
return;
}
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,8 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Filters trust verifications while calling a notify method.
@@ -76,8 +78,14 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
notify(chain, null, null, null);
} catch (TrustVerificationException e) {
notify(chain, null, null, e);
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,8 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Uses an array of other verifiers to determine whether to trust a key or
@@ -87,10 +89,16 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
TrustVerificationException lastException = null;
for (int i = 0; i < verifiers.length; i += 1) {
try {
- verifiers[i].verifyTrust(chain);
+ verifiers[i].verifyTrust(chain, date);
return;
} catch (TrustVerificationException e) {
lastException = e;
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -22,6 +22,7 @@
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Date;
import java.util.Iterator;
/**
@@ -83,4 +84,11 @@
{
verifyTrust(chain[0].getPublicKey());
}
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain[0].getPublicKey());
+ }
+
}
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -20,6 +20,7 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
/**
* Checks whether a given public key or certificate chain is trusted. Using
@@ -58,6 +59,27 @@
*/
void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException;
+
+ /**
+ * Verifies that a certificate chain is trusted. The chain must be
+ * presented in order from leaf entity toward root CA, such that for all
+ * <code>i</code>, <code>0 <= i < (chain.length
+ * - 1)</code>
+ * implies <code>chain[i].verify(chain[i+1].getPublicKey())</code> will
+ * succeed. Returns silently if the chain is trusted, or throws an
+ * exception indicating the reason if not.
+ *
+ * @param chain
+ * is the certificate chain to check.
+ * @param date
+ * is the timestamp to check against.
+ *
+ * @throws TrustVerificationException
+ * if the given chain cannot be trusted, or if an error occurs
+ * while trying to determine trust.
+ */
+ void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException;
/**
* Verifies that a public key is trusted, also using an XML Signature key
Modified: incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustVerifier.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustVerifier.java (original)
+++ incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustVerifier.java Wed Mar 29 10:57:17 2006
@@ -25,7 +25,9 @@
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
import java.util.Collection;
+import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
@@ -130,8 +132,18 @@
public synchronized void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain, Calendar.getInstance().getTime());
+ }
+
+ // inherit javadoc
+ public synchronized void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException {
+
try {
- verifyTrust(chain, 0);
+ if (date != null)
+ verifyTrust(chain, 0, date);
+ else
+ verifyTrust(chain, 0, Calendar.getInstance().getTime());
} catch (TrustVerificationException e) {
throw e;
} catch (GeneralSecurityException e) {
@@ -157,7 +169,7 @@
}
}
- private void verifyTrust(Certificate[] certChain, int depth)
+ private void verifyTrust(Certificate[] certChain, int depth, Date date)
throws GeneralSecurityException
{
GeneralSecurityException cause_ex = null;
@@ -178,7 +190,7 @@
log.debug("checking cert: " + cert);
if (xcert != null) {
- checkX509Certificate(xcert, depth);
+ checkX509Certificate(xcert, depth, date);
}
// plan A: if this a known trusted cert, we trust it.
@@ -193,7 +205,7 @@
//
try {
log.debug("recursing");
- verifyTrust(certChain, depth + 1);
+ verifyTrust(certChain, depth + 1, date);
cert.verify(certChain[depth + 1].getPublicKey());
addCert(cert);
return;
@@ -213,7 +225,7 @@
X509Certificate signer = (X509Certificate)
certsBySubjectDN.get(xcert.getIssuerDN());
if(signer != null) {
- checkX509Certificate(signer, depth + 1);
+ checkX509Certificate(signer, depth + 1, date);
cert.verify(signer.getPublicKey());
log.debug("X.509 match succeeded");
addCert(cert);
@@ -230,12 +242,12 @@
throw cause_ex;
}
- private void checkX509Certificate(X509Certificate xcert, int depth)
- throws GeneralSecurityException, TrustVerificationException
+ private void checkX509Certificate(X509Certificate xcert, int depth,
+ Date date) throws GeneralSecurityException, TrustVerificationException
{
// check expiration
//
- xcert.checkValidity();
+ xcert.checkValidity(date);
// check cert chain path length constraints
//
Modified: incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestCrl.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestCrl.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestCrl.java (original)
+++ incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestCrl.java Wed Mar 29 10:57:17 2006
@@ -24,6 +24,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Calendar;
+
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
@@ -298,6 +300,6 @@
CRLTrustVerifier ctv = new CRLTrustVerifier();
ctv.addCRLsigners(cas);
- ctv.verifyTrust(chain);
+ ctv.verifyTrust(chain, Calendar.getInstance().getTime());
}
}
Modified: incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/AndOrNotTests.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/AndOrNotTests.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/AndOrNotTests.java (original)
+++ incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/AndOrNotTests.java Wed Mar 29 10:57:17 2006
@@ -21,6 +21,7 @@
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Date;
import java.util.StringTokenizer;
import junit.framework.Test;
@@ -209,6 +210,12 @@
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
+ {
+ verifyTrust();
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
{
verifyTrust();
}
Modified: incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/CachingTests.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/CachingTests.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/CachingTests.java (original)
+++ incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/CachingTests.java Wed Mar 29 10:57:17 2006
@@ -30,6 +30,7 @@
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.ArrayList;
+import java.util.Date;
import java.util.Enumeration;
import java.util.StringTokenizer;
import junit.framework.Test;
@@ -262,6 +263,12 @@
{
throw new UnsupportedOperationException();
}
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
+ throw new UnsupportedOperationException();
+ }
}
private static class CertVerifier
@@ -328,6 +335,12 @@
if (failed) {
throw new TrustVerificationException("expected failure");
}
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain);
}
}
}
Modified: incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/SSLAndHttpsTests.java
URL: http://svn.apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/SSLAndHttpsTests.java?rev=389866&r1=389865&r2=389866&view=diff
==============================================================================
--- incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/SSLAndHttpsTests.java (original)
+++ incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/SSLAndHttpsTests.java Wed Mar 29 10:57:17 2006
@@ -40,6 +40,8 @@
import javax.net.ssl.SSLException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
+
import junit.framework.Test;
public class SSLAndHttpsTests extends DataDrivenTestCase
@@ -345,6 +347,12 @@
" but got " + gotSubject);
}
//System.out.println("Trusted cert subject: " + gotSubject);
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain);
}
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: tsik-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: tsik-dev-help@ws.apache.org