Changeset 238ebc2


Ignore:
Timestamp:
Feb 19, 2016 1:37:41 AM (5 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
451cb25
Parents:
910822e
Message:

Crypto: Check for revocation when reading in certificates

Location:
core/java/src/net/i2p/crypto
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • core/java/src/net/i2p/crypto/CertUtil.java

    r910822e r238ebc2  
    227227     *  Throws if the certificate is invalid (e.g. expired).
    228228     *
     229     *  This DOES check for revocation.
     230     *
    229231     *  @return non-null, throws on all errors including certificate invalid
    230232     *  @since 0.9.24 moved from SU3File private method
    231233     */
    232234    public static PublicKey loadKey(File kd) throws IOException, GeneralSecurityException {
    233         return loadCert(kd).getPublicKey();
     235        X509Certificate cert = loadCert(kd);
     236        if (isRevoked(cert))
     237            throw new CRLException("Certificate is revoked");
     238        return cert.getPublicKey();
    234239    }
    235240
     
    237242     *  Get the certificate from a X.509 certificate file.
    238243     *  Throws if the certificate is invalid (e.g. expired).
     244     *
     245     *  This does NOT check for revocation.
    239246     *
    240247     *  @return non-null, throws on all errors including certificate invalid
     
    315322     *  Does NOT close the stream.
    316323     *
     324     *  This does NOT check for revocation.
     325     *
    317326     *  @return non-null, non-empty, throws on all errors including certificate invalid
    318327     *  @since 0.9.25
     
    381390    /**
    382391     *  Is the certificate revoked?
     392     *  This loads the CRLs from disk.
     393     *  For efficiency, call loadCRLs() and then pass to isRevoked().
     394     *
     395     *  @since 0.9.25
     396     */
     397    public static boolean isRevoked(Certificate cert) {
     398        return isRevoked(I2PAppContext.getGlobalContext(), cert);
     399    }
     400
     401    /**
     402     *  Is the certificate revoked?
     403     *  This loads the CRLs from disk.
     404     *  For efficiency, call loadCRLs() and then pass to isRevoked().
    383405     *
    384406     *  @since 0.9.25
     
    402424        } catch (GeneralSecurityException gse) {}
    403425        return false;
     426    }
     427
     428    /**
     429     *  Load CRLs from standard locations.
     430     *
     431     *  @return non-null, possibly empty
     432     *  @since 0.9.25
     433     */
     434    public static CertStore loadCRLs() {
     435        return loadCRLs(I2PAppContext.getGlobalContext());
    404436    }
    405437
     
    424456            loadCRLs(crls, dir2);
    425457        }
     458        //System.out.println("Loaded " + crls.size() + " CRLs");
    426459        CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(crls);
    427460        try {
  • core/java/src/net/i2p/crypto/DirKeyRing.java

    r910822e r238ebc2  
    1313import java.security.PublicKey;
    1414import java.security.cert.CertificateFactory;
     15import java.security.cert.CRLException;
    1516import java.security.cert.X509Certificate;
    1617
     
    3536     *  and have a CN == keyName.
    3637     *
     38     *  This DOES do a revocation check.
     39     *
    3740     *  CN check unsupported on Android.
    3841     *
     
    5154            return null;
    5255        X509Certificate cert = CertUtil.loadCert(kd);
     56        if (CertUtil.isRevoked(cert))
     57            throw new CRLException("Certificate is revoked");
    5358        if (!SystemVersion.isAndroid()) {
    5459            // getSubjectValue() unsupported on Android.
  • core/java/src/net/i2p/crypto/KeyStoreUtil.java

    r910822e r238ebc2  
    1414import java.security.cert.CertificateExpiredException;
    1515import java.security.cert.CertificateNotYetValidException;
     16import java.security.cert.CertStore;
    1617import java.security.cert.X509Certificate;
    1718import java.security.cert.X509CRL;
     
    333334     *  trusted set of certificates in the key store
    334335     *
     336     *  This DOES check for revocation.
     337     *
    335338     *  @return number successfully added
    336339     *  @since 0.8.2, moved from SSLEepGet in 0.9.9
     
    342345            File[] files = dir.listFiles();
    343346            if (files != null) {
     347                CertStore cs = CertUtil.loadCRLs();
    344348                for (int i = 0; i < files.length; i++) {
    345349                    File f = files[i];
     
    355359                        alias.endsWith(".cer"))
    356360                        alias = alias.substring(0, alias.length() - 4);
    357                     boolean success = addCert(f, alias, ks);
     361                    boolean success = addCert(f, alias, ks, cs);
    358362                    if (success)
    359363                        added++;
     
    368372     *  trusted set of certificates in the key store
    369373     *
     374     *  This does NOT check for revocation.
     375     *
    370376     *  @return success
    371377     *  @since 0.8.2, moved from SSLEepGet in 0.9.9
    372378     */
    373379    public static boolean addCert(File file, String alias, KeyStore ks) {
     380        return addCert(file, alias, ks, null);
     381    }
     382
     383    /**
     384     *  Load an X509 Cert from a file and add it to the
     385     *  trusted set of certificates in the key store
     386     *
     387     *  This DOES check for revocation, IF cs is non-null.
     388     *
     389     *  @param cs may be null; if non-null, check for revocation
     390     *  @return success
     391     *  @since 0.9.25
     392     */
     393    public static boolean addCert(File file, String alias, KeyStore ks, CertStore cs) {
    374394        try {
    375395            X509Certificate cert = CertUtil.loadCert(file);
     
    379399                          "; Valid From: " + cert.getNotBefore() +
    380400                          " To: " + cert.getNotAfter());
     401            if (cs != null && CertUtil.isRevoked(cs, cert)) {
     402                error("Certificate is revoked: " + file, new Exception());
     403                return false;
     404            }
    381405            ks.setCertificateEntry(alias, cert);
    382406            info("Now trusting X509 Certificate, Issuer: " + cert.getIssuerX500Principal());
Note: See TracChangeset for help on using the changeset viewer.