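/**
 * Checks the revocation status carried by an OCSP token and fails the
 * validation when the certificate is not reported as GOOD.
 *
 * @param token
 *            the {@code OCSPToken} to verify
 * @throws CertificateValidationException
 *             when {@code token} is {@code null}; with status {@code REVOKED}
 *             when the token reports a negative status; with status
 *             {@code UNKNOWN} when no status is present but a reason is given;
 *             or wrapping any other exception raised while inspecting the token
 */
private void verifyOCSPToken(OCSPToken token) {
    if (token == null) {
        throw CertificateValidationException.of("No token response is present");
    }
    try {
        final Boolean tokenStatus = token.getStatus();
        if (tokenStatus != null) {
            if (!tokenStatus) {
                // Log the raw reason string. The previous CRLReasonEnum.valueOf(reason).name()
                // round-trip added nothing for a valid reason, and for an unexpected or null
                // reason it threw, so the catch-all below replaced the REVOKED outcome with a
                // generic failure.
                LOGGER.debug("Certificate with DSS ID <{}> - status <{}>", token.getDSSIdAsString(), token.getReason());
                throw CertificateValidationException.of(CertificateValidationException.CertificateValidationStatus.REVOKED);
            }
            // Otherwise status is GOOD
            return;
        }
        if (StringUtils.isNotBlank(token.getReason())) {
            LOGGER.debug("Certificate with DSS ID <{}> - status <{}>", token.getDSSIdAsString(), token.getReason());
            throw CertificateValidationException.of(CertificateValidationException.CertificateValidationStatus.UNKNOWN);
        }
        // NOTE(review): a token with neither a status nor a reason falls through and is accepted
        // here — confirm this is intended rather than being reported as UNKNOWN.
    } catch (CertificateValidationException e) {
        throw e;
    } catch (Exception e) {
        throw CertificateValidationException.of(e);
    }
}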
/**
 * Reads the certificate status from the selected OCSP single response and
 * records it in the {@code status}, {@code revocationDate} and {@code reason}
 * fields.
 *
 * @param bestSingleResp
 *            the OCSP single response chosen for the certificate under validation
 */
private void extractStatusInfo(SingleResp bestSingleResp) {
    final CertificateStatus responseStatus = bestSingleResp.getCertStatus();
    if (CertificateStatus.GOOD == responseStatus) {
        if (LOG.isInfoEnabled()) {
            LOG.info("OCSP status is good");
        }
        status = true;
        return;
    }
    if (responseStatus instanceof RevokedStatus) {
        if (LOG.isInfoEnabled()) {
            LOG.info("OCSP status revoked");
        }
        final RevokedStatus revoked = (RevokedStatus) responseStatus;
        status = false;
        revocationDate = revoked.getRevocationTime();
        // A response without a reason extension is recorded as code 0 ("unspecified")
        final int reasonCode = revoked.hasRevocationReason() ? revoked.getRevocationReason() : 0;
        reason = CRLReasonEnum.fromInt(reasonCode);
        return;
    }
    if (responseStatus instanceof UnknownStatus) {
        if (LOG.isInfoEnabled()) {
            LOG.info("OCSP status unknown");
        }
        reason = CRLReasonEnum.unknow;
        return;
    }
    // NOTE(review): any other status type leaves status and reason untouched and is only
    // logged — confirm downstream checks treat that as "not good".
    LOG.info("OCSP certificate status: {}", responseStatus);
}
/**
 * Passes when the certificate is not considered revoked at {@code currentTime}:
 * no revocation data is available, the latest revocation data reports a good
 * status, the reason is {@code certificateHold} (covered by a separate check),
 * or the revocation date is absent or still in the future.
 *
 * @return {@code true} if the certificate is not revoked at {@code currentTime}
 */
@Override
protected boolean process() {
    final RevocationWrapper latest = certificate.getLatestRevocationData();
    if (latest == null || latest.isStatus()) {
        return true;
    }
    if (CRLReasonEnum.certificateHold.name().equals(latest.getReason())) {
        return true;
    }
    // NOTE(review): a revoked entry without a revocation date passes this check, and the
    // comparison is strict (revoked exactly at currentTime is still accepted) — confirm both.
    return latest.getRevocationDate() == null || !currentTime.after(latest.getRevocationDate());
}
/**
 * Passes when the certificate is not on hold at {@code currentTime}: no
 * revocation data is available, the latest revocation data reports a good
 * status, the reason is anything other than {@code certificateHold}, or the
 * revocation date is absent or still in the future.
 *
 * @return {@code true} if the certificate is not on hold at {@code currentTime}
 */
@Override
protected boolean process() {
    final RevocationWrapper latest = certificate.getLatestRevocationData();
    if (latest == null || latest.isStatus()) {
        return true;
    }
    if (!CRLReasonEnum.certificateHold.name().equals(latest.getReason())) {
        return true;
    }
    // NOTE(review): an on-hold entry without a revocation date passes this check, and the
    // comparison is strict (held exactly at currentTime is still accepted) — confirm both.
    return latest.getRevocationDate() == null || !currentTime.after(latest.getRevocationDate());
}
/**
 * Checks that the CRL is issued by the issuer of {@code certificateToken} and
 * then looks the certificate's serial number up in the CRL to fill the
 * {@code status}, {@code revocationDate} and {@code reason} fields.
 *
 * @param certificateToken
 *            the {@code CertificateToken} which is managed by this CRL.
 * @throws DSSException
 *             if the CRL signer is not the issuer of the certificate (reporting
 *             the signature invalidity reason first when the signature is not intact)
 */
private void setRevocationStatus(final CertificateToken certificateToken) {
    final X500Principal certIssuer = certificateToken.getIssuerX500Principal();
    final CertificateToken crlSigner = crlValidity.getIssuerToken();
    final X500Principal crlSignerSubject = (crlSigner == null) ? null : crlSigner.getSubjectX500Principal();
    if (!DSSUtils.x500PrincipalAreEquals(certIssuer, crlSignerSubject)) {
        // NOTE(review): isSignatureIntact() is only consulted on this mismatch path — confirm the
        // CRL signature is verified elsewhere before this method is reached.
        if (!crlValidity.isSignatureIntact()) {
            throw new DSSException(crlValidity.getSignatureInvalidityReason());
        }
        throw new DSSException("The CRLToken is not signed by the same issuer as the CertificateToken to be verified!");
    }
    final X509CRLEntry entry = CRLUtils.getRevocationInfo(crlValidity, certificateToken.getSerialNumber());
    status = (entry == null);
    if (status) {
        return;
    }
    revocationDate = entry.getRevocationDate();
    final CRLReason crlReason = entry.getRevocationReason();
    if (crlReason != null) {
        // ordinal() is intentional: java.security.cert.CRLReason declares its constants in
        // RFC 5280 reasonCode order, so the ordinal is the numeric reason code
        reason = CRLReasonEnum.fromInt(crlReason.ordinal());
    }
}