Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance. Project price only 1 $
You can buy this project and download/modify it how often you want.
/*
This file is part of the iText (R) project.
Copyright (c) 1998-2023 Apryse Group NV
Authors: Apryse Software.
This program is offered under a commercial and under the AGPL license.
For commercial licensing, contact us at https://itextpdf.com/sales. For AGPL licensing, see below.
AGPL licensing:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .
*/
package com.itextpdf.signatures;
import com.itextpdf.io.util.DateTimeUtil;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.tsp.TimeStampToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;
/**
* This class consists of some methods that allow you to verify certificates.
*/
public class CertificateVerification {
/**
* The Logger instance.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CrlClientOnline.class);
/**
* Verifies a single certificate for the current date.
*
* @param cert the certificate to verify
* @param crls the certificate revocation list or null
* @return a String with the error description or null
* if no error
*/
public static String verifyCertificate(X509Certificate cert, Collection crls) {
return verifyCertificate(cert, crls, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a single certificate.
*
* @param cert the certificate to verify
* @param crls the certificate revocation list or null
* @param calendar the date, shall not be null
* @return a String with the error description or null
* if no error
*/
public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar) {
if (SignUtils.hasUnsupportedCriticalExtension(cert))
return "Has unsupported critical extension";
try {
cert.checkValidity(calendar.getTime());
} catch (Exception e) {
return e.getMessage();
}
if (crls != null) {
for (CRL crl : crls) {
if (crl.isRevoked(cert))
return "Certificate revoked";
}
}
return null;
}
/**
* Verifies a certificate chain against a KeyStore for the current date.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param crls the certificate revocation list or null
* @return empty list if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls) {
return verifyCertificates(certs, keystore, crls, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a certificate chain against a KeyStore.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param crls the certificate revocation list or null
* @param calendar the date, shall not be null
* @return empty list if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar) {
List result = new ArrayList<>();
for (int k = 0; k < certs.length; ++k) {
X509Certificate cert = (X509Certificate) certs[k];
String err = verifyCertificate(cert, crls, calendar);
if (err != null)
result.add(new VerificationException(cert, err));
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
if (verifyCertificate(certStoreX509, crls, calendar) != null)
continue;
try {
cert.verify(certStoreX509.getPublicKey());
return result;
} catch (Exception e) {
continue;
}
} catch (Exception ex) {
}
}
} catch (Exception e) {
}
int j;
for (j = 0; j < certs.length; ++j) {
if (j == k)
continue;
X509Certificate certNext = (X509Certificate) certs[j];
try {
cert.verify(certNext.getPublicKey());
break;
} catch (Exception e) {
}
}
if (j == certs.length) {
result.add(new VerificationException(cert, "Cannot be verified against the KeyStore or the certificate chain"));
}
}
if (result.size() == 0)
result.add(new VerificationException((Certificate) null, "Invalid state. Possible circular certificate chain"));
return result;
}
/**
* Verifies a certificate chain against a KeyStore for the current date.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @return null if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore) {
return verifyCertificates(certs, keystore, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a certificate chain against a KeyStore.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param calendar the date, shall not be null
* @return null if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore, Calendar calendar) {
return verifyCertificates(certs, keystore, null, calendar);
}
/**
* Verifies an OCSP response against a KeyStore.
*
* @param ocsp the OCSP response
* @param keystore the KeyStore
* @param provider the provider or null to use the BouncyCastle provider
* @return true is a certificate was found
*/
public static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider) {
List exceptionsThrown = new ArrayList<>();
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
return SignUtils.isSignatureValid(ocsp, certStoreX509, provider);
} catch (Exception ex) {
exceptionsThrown.add(ex);
}
}
} catch (Exception e) {
exceptionsThrown.add(e);
}
for (Exception ex : exceptionsThrown) {
LOGGER.error(ex.getMessage(), ex);
}
return false;
}
/**
* Verifies a time stamp against a KeyStore.
*
* @param ts the time stamp
* @param keystore the KeyStore
* @param provider the provider or null to use the BouncyCastle provider
* @return true is a certificate was found
*/
public static boolean verifyTimestampCertificates(TimeStampToken ts, KeyStore keystore, String provider) {
List exceptionsThrown = new ArrayList<>();
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
SignUtils.isSignatureValid(ts, certStoreX509, provider);
return true;
} catch (Exception ex) {
exceptionsThrown.add(ex);
}
}
} catch (Exception e) {
exceptionsThrown.add(e);
}
for (Exception ex : exceptionsThrown) {
LOGGER.error(ex.getMessage(), ex);
}
return false;
}
}
