Author: hans
Date: Wed Mar 29 10:57:17 2006
New Revision: 389866
URL: http://svn.apache.org/viewcvs?rev=389866&view=rev
Log:
Enhance trust verifiers to perform timestamp based
certificate and crl verifications (patch by Gopikrishna
Santhanakrishnan, VeriSign)
Modified:
incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifie
r.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermiss
iveTrustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVe
rifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTru
stVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTru
stVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVe
rifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingT
rustVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVer
ifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrus
tVerifier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerif
ier.java
incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustV
erifier.java
incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestC
rl.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
AndOrNotTests.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
CachingTests.java
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
SSLAndHttpsTests.java
Modified:
incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifie
r.java
URL: http://svn.apache.org/v
iewcvs/incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrust
Verifier.java?rev=389866&r1=389865&r2=389866&vie
w=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifie
r.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/crl/CRLTrustVerifie
r.java Wed Mar 29 10:57:17 2006
 -25,11
+25,13
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
-115,6
+117,12
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
X509Certificate cert = chain[0];
boolean refreshCRL = true;
-225,9
+233,21
}
}
- if (crl.isRevoked(cert)) {
- throw new TrustVerificationException(
- certName + "is revoked according to
CRL found at " + cdp);
+ if (date != null) {
+ X509CRLEntry crlEntry =
crl.getRevokedCertificate(cert
+ .getSerialNumber());
+ if (crlEntry != null) {
+ Date revocationDate =
crlEntry.getRevocationDate();
+ if (revocationDate != null &&
!revocationDate.after(date))
+ throw new
TrustVerificationException(certName
+ + "is revoked before
[" + date
+ + "]according to CRL
found at " + cdp);
+ }
+ } else {
+ if (crl.isRevoked(cert)) {
+ throw new
TrustVerificationException(certName
+ + "is revoked according to
CRL found at " + cdp);
+ }
}
}
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermiss
iveTrustVerifier.java
URL: http://s
vn.apache.org/viewcvs/incubator/tsik/trunk/src/org/apache/ts
ik/verifier/AllPermissiveTrustVerifier.java?rev=389866&r
1=389865&r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermiss
iveTrustVerifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/AllPermiss
iveTrustVerifier.java Wed Mar 29 10:57:17 2006
-20,6
+20,7
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
/**
* A trivial TrustVerifier implementation that trusts
anything and everything.
-52,4
+53,9
throws TrustVerificationException
{
}
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
+ }
}
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVe
rifier.java
URL: http://svn.apache.
org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifie
r/AndTrustVerifier.java?rev=389866&r1=389865&r2=3898
66&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVe
rifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/AndTrustVe
rifier.java Wed Mar 29 10:57:17 2006
-20,6
+20,8
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Uses an array of other verifiers to determine whether to
trust a key or
-66,8
+68,15
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
for (int i = 0; i < verifiers.length; i += 1) {
- verifiers[i].verifyTrust(chain);
+ verifiers[i].verifyTrust(chain, date);
}
}
+
}
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTru
stVerifier.java
URL: http://svn.apa
che.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/ver
ifier/CachingTrustVerifier.java?rev=389866&r1=389865&
;r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTru
stVerifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/CachingTru
stVerifier.java Wed Mar 29 10:57:17 2006
-22,6
+22,8
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.apache.tsik.datatypes.HashedByteArray;
-126,6
+128,12
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
StringBuffer certKey = new StringBuffer(200 *
chain.length);
for (int i = 0; i < chain.length; i += 1) {
Principal issuerDN = chain[i].getIssuerDN();
-136,7
+144,7
Entry entry = getEntry(certMap,
certKey.toString());
if (shouldVerifyNow(entry)) {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
entry.exception = null;
} catch (TrustVerificationException e) {
entry.exception = e;
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTru
stVerifier.java
URL: http://svn.apa
che.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/ver
ifier/CaptureTrustVerifier.java?rev=389866&r1=389865&
;r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTru
stVerifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/CaptureTru
stVerifier.java Wed Mar 29 10:57:17 2006
-21,6
+21,8
import org.apache.tsik.xmlsig.KeyInfo;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Captures key information during trust verifications.
-80,6
+82,12
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
+ {
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
{
keyInfo = new KeyInfo();
keyInfo.setCertificateChain(chain);
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVe
rifier.java
URL: http://svn.apache.
org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifie
r/NotTrustVerifier.java?rev=389866&r1=389865&r2=3898
66&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVe
rifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotTrustVe
rifier.java Wed Mar 29 10:57:17 2006
-20,6
+20,8
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Calendar;
/**
* Negates another verifier to determine whether to trust a
key or certificate.
-75,8
+77,14
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
} catch (TrustVerificationException e) {
return;
}
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingT
rustVerifier.java
URL: http://svn.a
pache.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/v
erifier/NotifyingTrustVerifier.java?rev=389866&r1=389865
&r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingT
rustVerifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/NotifyingT
rustVerifier.java Wed Mar 29 10:57:17 2006
-20,6
+20,8
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Filters trust verifications while calling a notify
method.
-76,8
+78,14
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
try {
- verifier.verifyTrust(chain);
+ verifier.verifyTrust(chain, date);
notify(chain, null, null, null);
} catch (TrustVerificationException e) {
notify(chain, null, null, e);
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVer
ifier.java
URL: http://svn.apache.o
rg/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier
/OrTrustVerifier.java?rev=389866&r1=389865&r2=389866
&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVer
ifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/OrTrustVer
ifier.java Wed Mar 29 10:57:17 2006
-20,6
+20,8
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
/**
* Uses an array of other verifiers to determine whether to
trust a key or
-87,10
+89,16
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
TrustVerificationException lastException = null;
for (int i = 0; i < verifiers.length; i += 1) {
try {
- verifiers[i].verifyTrust(chain);
+ verifiers[i].verifyTrust(chain, date);
return;
} catch (TrustVerificationException e) {
lastException = e;
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrus
tVerifier.java
URL: http://svn.apac
he.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/veri
fier/SimpleTrustVerifier.java?rev=389866&r1=389865&r
2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrus
tVerifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/SimpleTrus
tVerifier.java Wed Mar 29 10:57:17 2006
-22,6
+22,7
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Date;
import java.util.Iterator;
/**
-83,4
+84,11
{
verifyTrust(chain[0].getPublicKey());
}
+
+ public void verifyTrust(X509Certificate[] chain, Date
date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain[0].getPublicKey());
+ }
+
}
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerif
ier.java
URL: http://svn.apache.org
/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifier/T
rustVerifier.java?rev=389866&r1=389865&r2=389866&
;view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerif
ier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/TrustVerif
ier.java Wed Mar 29 10:57:17 2006
-20,6
+20,7
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
/**
* Checks whether a given public key or certificate chain
is trusted. Using
-58,6
+59,27
*/
void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException;
+
+ /**
+ * Verifies that a certificate chain is trusted. The
chain must be
+ * presented in order from leaf entity toward root CA,
such that for all
+ * <code>i</code>, <code>0 <=
i < (chain.length
+ * - 1)</code>
+ * implies
<code>chain[i].verify(chain[i+1].getPublicKey())</c
ode> will
+ * succeed. Returns silently if the chain is trusted,
or throws an
+ * exception indicating the reason if not.
+ *
+ * param chain
+ * is the certificate chain to check.
+ * param date
+ * is the timestamp to check against.
+ *
+ * throws TrustVerificationException
+ * if the given chain cannot be trusted, or if
an error occurs
+ * while trying to determine trust.
+ */
+ void verifyTrust(X509Certificate[] chain, Date date)
+ throws TrustVerificationException;
/**
* Verifies that a public key is trusted, also using an
XML Signature key
Modified:
incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustV
erifier.java
URL: http://svn.apache
.org/viewcvs/incubator/tsik/trunk/src/org/apache/tsik/verifi
er/X509TrustVerifier.java?rev=389866&r1=389865&r2=38
9866&view=diff
============================================================
==================
---
incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustV
erifier.java (original)
+++
incubator/tsik/trunk/src/org/apache/tsik/verifier/X509TrustV
erifier.java Wed Mar 29 10:57:17 2006
-25,7
+25,9
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
import java.util.Collection;
+import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
-130,8
+132,18
public synchronized void verifyTrust(X509Certificate[]
chain)
throws TrustVerificationException
{
+ verifyTrust(chain,
Calendar.getInstance().getTime());
+ }
+
+ // inherit javadoc
+ public synchronized void verifyTrust(X509Certificate[]
chain, Date date)
+ throws TrustVerificationException {
+
try {
- verifyTrust(chain, 0);
+ if (date != null)
+ verifyTrust(chain, 0, date);
+ else
+ verifyTrust(chain, 0,
Calendar.getInstance().getTime());
} catch (TrustVerificationException e) {
throw e;
} catch (GeneralSecurityException e) {
-157,7
+169,7
}
}
- private void verifyTrust(Certificate[] certChain, int
depth)
+ private void verifyTrust(Certificate[] certChain, int
depth, Date date)
throws GeneralSecurityException
{
GeneralSecurityException cause_ex = null;
-178,7
+190,7
log.debug("checking cert: " + cert);
if (xcert != null) {
- checkX509Certificate(xcert, depth);
+ checkX509Certificate(xcert, depth, date);
}
// plan A: if this a known trusted cert, we trust
it.
-193,7
+205,7
//
try {
log.debug("recursing");
- verifyTrust(certChain, depth + 1);
+ verifyTrust(certChain, depth + 1, date);
cert.verify(certChain[depth +
1].getPublicKey());
addCert(cert);
return;
-213,7
+225,7
X509Certificate signer = (X509Certificate)
certsBySubjectDN.get(xcert.getIssuerDN());
if(signer != null) {
- checkX509Certificate(signer, depth +
1);
+ checkX509Certificate(signer, depth + 1,
date);
cert.verify(signer.getPublicKey());
log.debug("X.509 match
succeeded");
addCert(cert);
-230,12
+242,12
throw cause_ex;
}
- private void checkX509Certificate(X509Certificate
xcert, int depth)
- throws GeneralSecurityException,
TrustVerificationException
+ private void checkX509Certificate(X509Certificate
xcert, int depth,
+ Date date) throws GeneralSecurityException,
TrustVerificationException
{
// check expiration
//
- xcert.checkValidity();
+ xcert.checkValidity(date);
// check cert chain path length constraints
//
Modified:
incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestC
rl.java
URL: http://svn.apache.org/
viewcvs/incubator/tsik/trunk/test/src/org/apache/tsik/crl/te
st/TestCrl.java?rev=389866&r1=389865&r2=389866&v
iew=diff
============================================================
==================
---
incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestC
rl.java (original)
+++
incubator/tsik/trunk/test/src/org/apache/tsik/crl/test/TestC
rl.java Wed Mar 29 10:57:17 2006
-24,6
+24,8
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Calendar;
+
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
-298,6
+300,6
CRLTrustVerifier ctv = new CRLTrustVerifier();
ctv.addCRLsigners(cas);
- ctv.verifyTrust(chain);
+ ctv.verifyTrust(chain,
Calendar.getInstance().getTime());
}
}
Modified:
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
AndOrNotTests.java
URL: http://svn.
apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/
tsik/verifier/test/AndOrNotTests.java?rev=389866&r1=3898
65&r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
AndOrNotTests.java (original)
+++
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
AndOrNotTests.java Wed Mar 29 10:57:17 2006
-21,6
+21,7
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Date;
import java.util.StringTokenizer;
import junit.framework.Test;
-209,6
+210,12
public void verifyTrust(X509Certificate[] chain)
throws TrustVerificationException
+ {
+ verifyTrust();
+ }
+
+ public void verifyTrust(X509Certificate[] chain,
Date date)
+ throws TrustVerificationException
{
verifyTrust();
}
Modified:
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
CachingTests.java
URL: http://svn.a
pache.org/viewcvs/incubator/tsik/trunk/test/src/org/apache/t
sik/verifier/test/CachingTests.java?rev=389866&r1=389865
&r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
CachingTests.java (original)
+++
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
CachingTests.java Wed Mar 29 10:57:17 2006
-30,6
+30,7
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.ArrayList;
+import java.util.Date;
import java.util.Enumeration;
import java.util.StringTokenizer;
import junit.framework.Test;
-262,6
+263,12
{
throw new UnsupportedOperationException();
}
+
+ public void verifyTrust(X509Certificate[] chain,
Date date)
+ throws TrustVerificationException
+ {
+ throw new UnsupportedOperationException();
+ }
}
private static class CertVerifier
-328,6
+335,12
if (failed) {
throw new
TrustVerificationException("expected failure");
}
+ }
+
+ public void verifyTrust(X509Certificate[] chain,
Date date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain);
}
}
}
Modified:
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
SSLAndHttpsTests.java
URL: http://s
vn.apache.org/viewcvs/incubator/tsik/trunk/test/src/org/apac
he/tsik/verifier/test/SSLAndHttpsTests.java?rev=389866&r
1=389865&r2=389866&view=diff
============================================================
==================
---
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
SSLAndHttpsTests.java (original)
+++
incubator/tsik/trunk/test/src/org/apache/tsik/verifier/test/
SSLAndHttpsTests.java Wed Mar 29 10:57:17 2006
-40,6
+40,8
import javax.net.ssl.SSLException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Date;
+
import junit.framework.Test;
public class SSLAndHttpsTests extends DataDrivenTestCase
-345,6
+347,12
" but got " + gotSubject);
}
//System.out.println("Trusted cert
subject: " + gotSubject);
+ }
+
+ public void verifyTrust(X509Certificate[] chain,
Date date)
+ throws TrustVerificationException
+ {
+ verifyTrust(chain);
}
}
}
------------------------------------------------------------
---------
To unsubscribe, e-mail: tsik-dev-unsubscribews.apache.org
For additional commands, e-mail: tsik-dev-helpws.apache.org
|