All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.itextpdf.text.pdf.security.OCSPVerifier Maven / Gradle / Ivy

/*
 * $Id: e99ff6e863568684d1b44ceb6190eefd66d8b062 $
 *
 * This file is part of the iText (R) project.
 * Copyright (c) 1998-2016 iText Group NV
 * Authors: Bruno Lowagie, Paulo Soares, et al.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License version 3
 * as published by the Free Software Foundation with the addition of the
 * following permission added to Section 15 as permitted in Section 7(a):
 * FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
 * ITEXT GROUP. ITEXT GROUP DISCLAIMS THE WARRANTY OF NON INFRINGEMENT
 * OF THIRD PARTY RIGHTS
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Affero General Public License for more details.
 * You should have received a copy of the GNU Affero General Public License
 * along with this program; if not, see http://www.gnu.org/licenses or write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA, 02110-1301 USA, or download the license from the following URL:
 * http://itextpdf.com/terms-of-use/
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License,
 * a covered work must retain the producer line in every PDF that is created
 * or manipulated using iText.
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial activities involving the iText software without
 * disclosing the source code of your own applications.
 * These activities include: offering paid services to customers as an ASP,
 * serving PDFs on the fly in a web application, shipping iText with a closed
 * source product.
 *
 * For more information, please contact iText Software Corp. at this
 * address: [email protected]
 */
package com.itextpdf.text.pdf.security;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

import org.spongycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.cert.ocsp.BasicOCSPResp;
import org.spongycastle.cert.ocsp.CertificateStatus;
import org.spongycastle.cert.ocsp.OCSPException;
import org.spongycastle.cert.ocsp.SingleResp;
import org.spongycastle.operator.ContentVerifierProvider;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.bc.BcDigestCalculatorProvider;
import org.spongycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

import com.itextpdf.text.log.Logger;
import com.itextpdf.text.log.LoggerFactory;

/**
 * Class that allows you to verify a certificate against
 * one or more OCSP responses.
 */
public class OCSPVerifier extends RootStoreVerifier {
	
	/** The Logger instance */
	protected final static Logger LOGGER = LoggerFactory.getLogger(OCSPVerifier.class);

    protected final static String id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9";
	
	/** The list of OCSP responses. */
	protected List ocsps;
	
	/**
	 * Creates an OCSPVerifier instance.
	 * @param verifier	the next verifier in the chain
	 * @param ocsps a list of OCSP responses
	 */
	public OCSPVerifier(CertificateVerifier verifier, List ocsps) {
		super(verifier);
		this.ocsps = ocsps;
	}

	/**
	 * Verifies if a a valid OCSP response is found for the certificate.
	 * If this method returns false, it doesn't mean the certificate isn't valid.
	 * It means we couldn't verify it against any OCSP response that was available.
	 * @param signCert	the certificate that needs to be checked
	 * @param issuerCert	its issuer
	 * @return a list of VerificationOK objects.
	 * The list will be empty if the certificate couldn't be verified.
	 * @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)
	 */
	public List verify(X509Certificate signCert,
			X509Certificate issuerCert, Date signDate)
			throws GeneralSecurityException, IOException {
		List result = new ArrayList();
		int validOCSPsFound = 0;
		// first check in the list of OCSP responses that was provided
		if (ocsps != null) {
            for (BasicOCSPResp ocspResp : ocsps) {
                if (verify(ocspResp, signCert, issuerCert, signDate))
                    validOCSPsFound++;
            }
        }
		// then check online if allowed
		boolean online = false;
		if (onlineCheckingAllowed && validOCSPsFound == 0) {
			if (verify(getOcspResponse(signCert, issuerCert), signCert, issuerCert, signDate)) {
				validOCSPsFound++;
				online = true;
			}
		}
		// show how many valid OCSP responses were found
		LOGGER.info("Valid OCSPs found: " + validOCSPsFound);
		if (validOCSPsFound > 0)
			result.add(new VerificationOK(signCert, this.getClass(), "Valid OCSPs Found: " + validOCSPsFound + (online ? " (online)" : "")));
		if (verifier != null)
			result.addAll(verifier.verify(signCert, issuerCert, signDate));
		// verify using the previous verifier in the chain (if any)
		return result;
	}
	
	
	/**
	 * Verifies a certificate against a single OCSP response
	 * @param ocspResp the OCSP response
	 * @param signCert the certificate that needs to be checked
	 * @param issuerCert the certificate of CA
	 * @param signDate sign date
	 * @return {@code true}, in case successful check, otherwise false.
	 * @throws GeneralSecurityException
	 * @throws IOException
	 */
	public boolean verify(BasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException, IOException {
		if (ocspResp == null)
			return false;
		// Getting the responses
		SingleResp[] resp = ocspResp.getResponses();
		for (int i = 0; i < resp.length; i++) {
			// check if the serial number corresponds
			if (!signCert.getSerialNumber().equals(resp[i].getCertID().getSerialNumber())) {
				continue;
			}
			// check if the issuer matches
			try {
				if (issuerCert == null) issuerCert = signCert;
				if (!resp[i].getCertID().matchesIssuer(new X509CertificateHolder(issuerCert.getEncoded()), new BcDigestCalculatorProvider())) {
					LOGGER.info("OCSP: Issuers doesn't match.");
					continue;
				}
			} catch (OCSPException e) {
				continue;
			}
			// check if the OCSP response was valid at the time of signing
			Date nextUpdate = resp[i].getNextUpdate();
			if (nextUpdate == null) {
				nextUpdate = new Date(resp[i].getThisUpdate().getTime() + 180000l);
				LOGGER.info(String.format("No 'next update' for OCSP Response; assuming %s", nextUpdate));
			}
			if (signDate.after(nextUpdate)) {
				LOGGER.info(String.format("OCSP no longer valid: %s after %s", signDate, nextUpdate));
				continue;
			}
			// check the status of the certificate
			Object status = resp[i].getCertStatus();
			if (status == CertificateStatus.GOOD) {
				// check if the OCSP response was genuine
				isValidResponse(ocspResp, issuerCert);
				return true;
			}
		}
		return false;
	}
	
	/**
	 * Verifies if an OCSP response is genuine
 	 * If it doesn't verify against the issuer certificate and response's certificates, it may verify
     * using a trusted anchor or cert.
     * @param ocspResp the OCSP response
	 * @param issuerCert the issuer certificate
	 * @throws GeneralSecurityException
	 * @throws IOException
	 */
	public void isValidResponse(BasicOCSPResp ocspResp, X509Certificate issuerCert) throws GeneralSecurityException, IOException {
        //OCSP response might be signed by the issuer certificate or
        //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
        X509Certificate responderCert = null;

        //first check if the issuer certificate signed the response
        //since it is expected to be the most common case
        if (isSignatureValid(ocspResp, issuerCert)) {
            responderCert = issuerCert;
        }

        //if the issuer certificate didn't sign the ocsp response, look for authorized ocsp responses
        // from properties or from certificate chain received with response
        if (responderCert == null) {
            if (ocspResp.getCerts() != null) {
                //look for existence of Authorized OCSP responder inside the cert chain in ocsp response
                X509CertificateHolder[] certs = ocspResp.getCerts();
                for (X509CertificateHolder cert : certs) {
                    X509Certificate tempCert;
                    try {
                        tempCert = new JcaX509CertificateConverter().getCertificate(cert);
                    } catch (Exception ex) {
                        continue;
                    }
                    List keyPurposes = null;
                    try {
                        keyPurposes = tempCert.getExtendedKeyUsage();
                        if ((keyPurposes != null) && keyPurposes.contains(id_kp_OCSPSigning) && isSignatureValid(ocspResp, tempCert)) {
                            responderCert = tempCert;
                            break;
                        }
                    } catch (CertificateParsingException ignored) {
                    }
                }
                // Certificate signing the ocsp response is not found in ocsp response's certificate chain received
                // and is not signed by the issuer certificate.
                if (responderCert == null) {
                    throw new VerificationException(issuerCert, "OCSP response could not be verified");
                }
            } else {
                //certificate chain is not present in response received
                //try to verify using rootStore
                if (rootStore != null) {
                    try {
                        for (Enumeration aliases = rootStore.aliases(); aliases.hasMoreElements(); ) {
                            String alias = aliases.nextElement();
                            try {
                                if (!rootStore.isCertificateEntry(alias))
                                    continue;
                                X509Certificate anchor = (X509Certificate) rootStore.getCertificate(alias);
                                if (isSignatureValid(ocspResp, anchor)) {
                                    responderCert = anchor;
                                    break;
                                }
                            } catch (GeneralSecurityException ignored) {
                            }
                        }
                    } catch (KeyStoreException e) {
                        responderCert = null;
                    }
                }

                // OCSP Response does not contain certificate chain, and response is not signed by any
                // of the rootStore or the issuer certificate.
                if (responderCert == null) {
                    throw new VerificationException(issuerCert, "OCSP response could not be verified");
                }
            }
        }

        //check "This certificate MUST be issued directly by the CA that issued the certificate in question".
        responderCert.verify(issuerCert.getPublicKey());

        // validating ocsp signers certificate
        // Check if responders certificate has id-pkix-ocsp-nocheck extension,
        // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
        if (responderCert.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()) == null) {
            CRL crl;
            try {
                crl = CertificateUtil.getCRL(responderCert);
            } catch (Exception ignored) {
                crl = null;
            }
            if (crl != null && crl instanceof X509CRL) {
                CRLVerifier crlVerifier = new CRLVerifier(null, null);
                crlVerifier.setRootStore(rootStore);
                crlVerifier.setOnlineCheckingAllowed(onlineCheckingAllowed);
                crlVerifier.verify((X509CRL)crl, responderCert, issuerCert, new Date());
                return;
            }
        }

        //check if lifetime of certificate is ok
        responderCert.checkValidity();
	}
	
	/**
	 * Verifies if the response is valid.
	 * If it doesn't verify against the issuer certificate and response's certificates, it may verify
	 * using a trusted anchor or cert.
     * NOTE. Use {@code isValidResponse()} instead.
	 * @param ocspResp	the response object
	 * @param issuerCert the issuer certificate
	 * @return	true if the response can be trusted
	 */
    @Deprecated
	public boolean verifyResponse(BasicOCSPResp ocspResp, X509Certificate issuerCert) {
        try {
            isValidResponse(ocspResp, issuerCert);
            return true;
        } catch (Exception e) {
            return false;
        }
	}
	
	/**
	 * Checks if an OCSP response is genuine
	 * @param ocspResp	the OCSP response
	 * @param responderCert	the responder certificate
	 * @return	true if the OCSP response verifies against the responder certificate
	 */
	public boolean isSignatureValid(BasicOCSPResp ocspResp, Certificate responderCert) {
		try {
			ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder()
					.setProvider("BC").build(responderCert.getPublicKey());
			return ocspResp.isSignatureValid(verifierProvider);
		} catch (OperatorCreationException e) {
			return false;
		} catch (OCSPException e) {
			return false;
		}
	}
	
	/**
	 * Gets an OCSP response online and returns it if the status is GOOD
	 * (without further checking).
	 * @param signCert	the signing certificate
	 * @param issuerCert	the issuer certificate
	 * @return an OCSP response
	 */
	public BasicOCSPResp getOcspResponse(X509Certificate signCert, X509Certificate issuerCert) {
		if (signCert == null && issuerCert == null) {
			return null;
		}
		OcspClientBouncyCastle ocsp = new OcspClientBouncyCastle();
		BasicOCSPResp ocspResp = ocsp.getBasicOCSPResp(signCert, issuerCert, null);
		if (ocspResp == null) {
			return null;
		}
		SingleResp[] resp = ocspResp.getResponses();
		for (int i = 0; i < resp.length; i++) {
			Object status = resp[i].getCertStatus();
			if (status == CertificateStatus.GOOD) {
				return ocspResp;
			}
		}
		return null;
	}
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy