Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance. Project price only 1 $
You can buy this project and download/modify it how often you want.
/*
This file is part of the iText (R) project.
Copyright (c) 1998-2024 Apryse Group NV
Authors: Apryse Software.
This program is offered under a commercial and under the AGPL license.
For commercial licensing, contact us at https://itextpdf.com/sales. For AGPL licensing, see below.
AGPL licensing:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see .
*/
package com.itextpdf.signatures;
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;
import com.itextpdf.commons.bouncycastle.tsp.ITimeStampToken;
import com.itextpdf.commons.utils.DateTimeUtil;
import com.itextpdf.signatures.exceptions.SignExceptionMessageConstant;
import com.itextpdf.signatures.logs.SignLogMessageConstant;
import java.security.cert.CertificateEncodingException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;
/**
* This class consists of some methods that allow you to verify certificates.
*/
public class CertificateVerification {
public static final String HAS_UNSUPPORTED_EXTENSIONS = "Has unsupported critical extension";
public static final String CERTIFICATE_REVOKED = "Certificate revoked";
/**
* The Logger instance.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CertificateVerification.class);
/**
* Verifies a single certificate for the current date.
*
* @param cert the certificate to verify
* @param crls the certificate revocation list or null
* @return a String with the error description or null
* if no error
*/
public static String verifyCertificate(X509Certificate cert, Collection crls) {
return verifyCertificate(cert, crls, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a single certificate.
*
* @param cert the certificate to verify
* @param crls the certificate revocation list or null
* @param calendar the date, shall not be null
* @return a String with the error description or null
* if no error
*/
public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar) {
if (SignUtils.hasUnsupportedCriticalExtension(cert)) {
return CertificateVerification.HAS_UNSUPPORTED_EXTENSIONS;
}
try {
cert.checkValidity(calendar.getTime());
} catch (Exception e) {
return e.getMessage();
}
if (crls != null) {
for (CRL crl : crls) {
if (crl.isRevoked(cert)) {
return CertificateVerification.CERTIFICATE_REVOKED;
}
}
}
return null;
}
/**
* Verifies a certificate chain against a KeyStore for the current date.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param crls the certificate revocation list or null
* @return empty list if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
* @throws CertificateEncodingException if an encoding error occurs in {@link Certificate}.
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore,
Collection crls) throws CertificateEncodingException {
return verifyCertificates(certs, keystore, crls, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a certificate chain against a KeyStore.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param crls the certificate revocation list or null
* @param calendar the date, shall not be null
* @return empty list if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
* @throws CertificateEncodingException if an encoding error occurs in {@link Certificate}.
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore,
Collection crls, Calendar calendar) throws CertificateEncodingException {
List result = new ArrayList<>();
for (int k = 0; k < certs.length; ++k) {
X509Certificate cert = (X509Certificate) certs[k];
String err = verifyCertificate(cert, crls, calendar);
if (err != null) {
result.add(new VerificationException(cert, err));
}
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
if (verifyCertificate(certStoreX509, crls, calendar) != null) {
continue;
}
try {
cert.verify(certStoreX509.getPublicKey());
return result;
} catch (Exception e) {
// do nothing and continue
}
} catch (Exception ex) {
// Do nothing.
}
}
} catch (Exception e) {
// Do nothing.
}
int j;
for (j = 0; j < certs.length; ++j) {
if (j == k) {
continue;
}
X509Certificate certNext = (X509Certificate) certs[j];
try {
cert.verify(certNext.getPublicKey());
break;
} catch (Exception e) {
// Do nothing.
}
}
if (j == certs.length) {
result.add(new VerificationException(cert,
SignExceptionMessageConstant.CANNOT_BE_VERIFIED_CERTIFICATE_CHAIN));
}
}
if (result.size() == 0) {
result.add(new VerificationException((Certificate) null,
SignExceptionMessageConstant.INVALID_STATE_WHILE_CHECKING_CERT_CHAIN));
}
return result;
}
/**
* Verifies a certificate chain against a KeyStore for the current date.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @return null if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
* @throws CertificateEncodingException if an encoding error occurs in {@link Certificate}.
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore)
throws CertificateEncodingException {
return verifyCertificates(certs, keystore, DateTimeUtil.getCurrentTimeCalendar());
}
/**
* Verifies a certificate chain against a KeyStore.
*
* @param certs the certificate chain
* @param keystore the KeyStore
* @param calendar the date, shall not be null
* @return null if the certificate chain could be validated or a
* Object[]{cert,error} where cert is the
* failed certificate and error is the error message
* @throws CertificateEncodingException if an encoding error occurs in {@link Certificate}.
*/
public static List verifyCertificates(Certificate[] certs, KeyStore keystore,
Calendar calendar) throws CertificateEncodingException {
return verifyCertificates(certs, keystore, null, calendar);
}
/**
* Verifies an OCSP response against a KeyStore.
*
* @param ocsp the OCSP response
* @param keystore the KeyStore
* @param provider the provider or null to use the BouncyCastle provider
* @return true is a certificate was found
*/
public static boolean verifyOcspCertificates(IBasicOCSPResp ocsp, KeyStore keystore, String provider) {
List exceptionsThrown = new ArrayList<>();
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
if (SignUtils.isSignatureValid(ocsp, certStoreX509, provider)) {
return true;
}
} catch (Exception ex) {
exceptionsThrown.add(ex);
}
}
} catch (Exception e) {
exceptionsThrown.add(e);
}
logExceptionMessages(exceptionsThrown);
return false;
}
/**
* Verifies a time stamp against a KeyStore.
*
* @param ts the time stamp
* @param keystore the KeyStore
* @param provider the provider or null to use the BouncyCastle provider
* @return true is a certificate was found
*/
public static boolean verifyTimestampCertificates(ITimeStampToken ts, KeyStore keystore, String provider) {
List exceptionsThrown = new ArrayList<>();
try {
for (X509Certificate certStoreX509 : SignUtils.getCertificates(keystore)) {
try {
SignUtils.isSignatureValid(ts, certStoreX509, provider);
return true;
} catch (Exception ex) {
exceptionsThrown.add(ex);
}
}
} catch (Exception e) {
exceptionsThrown.add(e);
}
logExceptionMessages(exceptionsThrown);
return false;
}
private static void logExceptionMessages(List exceptionsThrown) {
for (Exception ex : exceptionsThrown) {
LOGGER.error(ex.getMessage() == null
? SignLogMessageConstant.EXCEPTION_WITHOUT_MESSAGE
: ex.getMessage(),
ex);
}
}
}
