// // Decompiled by Procyon v0.6.0 // package org.bouncycastle.jce.provider; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.internal.asn1.isara.IsaraObjectIdentifiers; import org.bouncycastle.internal.asn1.eac.EACObjectIdentifiers; import org.bouncycastle.internal.asn1.bsi.BSIObjectIdentifiers; import org.bouncycastle.internal.asn1.rosstandart.RosstandartObjectIdentifiers; import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; import java.util.HashMap; import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.jcajce.util.MessageDigestUtils; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import java.security.PublicKey; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.MessageDigest; import org.bouncycastle.asn1.ocsp.ResponderID; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.style.BCStrictStyle; import java.security.Signature; import java.security.GeneralSecurityException; import org.bouncycastle.util.Arrays; import org.bouncycastle.asn1.x509.KeyPurposeId; import java.io.InputStream; import java.io.ByteArrayInputStream; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.ASN1String; import org.bouncycastle.asn1.x509.AccessDescription; import org.bouncycastle.asn1.x509.AuthorityInformationAccess; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.DERNull; import org.bouncycastle.asn1.ASN1GeneralizedTime; import org.bouncycastle.asn1.ocsp.CertID; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.ocsp.RevokedInfo; import org.bouncycastle.jce.exception.ExtCertPathValidatorException; import org.bouncycastle.asn1.ocsp.SingleResponse; import org.bouncycastle.asn1.ocsp.ResponseData; import org.bouncycastle.asn1.ocsp.BasicOCSPResponse; import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.ocsp.ResponseBytes; import org.bouncycastle.asn1.ocsp.OCSPResponse; import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers; import java.security.cert.Extension; import java.io.IOException; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.internal.asn1.oiw.OIWObjectIdentifiers; import java.net.URISyntaxException; import java.net.URI; import java.security.cert.X509Certificate; import java.security.cert.Certificate; import java.util.Set; import java.security.cert.CertPathValidatorException; import java.util.List; import org.bouncycastle.util.Properties; import org.bouncycastle.jcajce.PKIXCertRevocationCheckerParameters; import org.bouncycastle.jcajce.util.JcaJceHelper; import java.util.Map; import org.bouncycastle.jcajce.PKIXCertRevocationChecker; class ProvOcspRevocationChecker implements PKIXCertRevocationChecker { private static final int DEFAULT_OCSP_TIMEOUT = 15000; private static final int DEFAULT_OCSP_MAX_RESPONSE_SIZE = 32768; private static final Map oids; private final ProvRevocationChecker parent; private final JcaJceHelper helper; private PKIXCertRevocationCheckerParameters parameters; private boolean isEnabledOCSP; private String ocspURL; public ProvOcspRevocationChecker(final ProvRevocationChecker parent, final JcaJceHelper helper) { this.parent = parent; this.helper = helper; } @Override public void setParameter(final String s, final Object o) { } @Override public void initialize(final PKIXCertRevocationCheckerParameters parameters) { this.parameters = parameters; this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable"); this.ocspURL = Properties.getPropertyValue("ocsp.responderURL"); } public List getSoftFailExceptions() { return null; } public void init(final boolean b) throws CertPathValidatorException { if (b) { throw new CertPathValidatorException("forward checking not supported"); } this.parameters = null; this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable"); this.ocspURL = Properties.getPropertyValue("ocsp.responderURL"); } public boolean isForwardCheckingSupported() { return false; } public Set getSupportedExtensions() { return null; } @Override public void check(final Certificate certificate) throws CertPathValidatorException { final X509Certificate x509Certificate = (X509Certificate)certificate; final Map ocspResponses = this.parent.getOcspResponses(); URI uri = this.parent.getOcspResponder(); Label_0105: { if (uri == null) { if (this.ocspURL != null) { try { uri = new URI(this.ocspURL); break Label_0105; } catch (final URISyntaxException cause) { throw new CertPathValidatorException("configuration error: " + cause.getMessage(), cause, this.parameters.getCertPath(), this.parameters.getIndex()); } } uri = getOcspResponderURI(x509Certificate); } } byte[] array = null; boolean b = false; if (ocspResponses.get(x509Certificate) == null && uri != null) { if (this.ocspURL == null && this.parent.getOcspResponder() == null && !this.isEnabledOCSP) { throw new RecoverableCertPathValidatorException("OCSP disabled by \"ocsp.enable\" setting", null, this.parameters.getCertPath(), this.parameters.getIndex()); } final OCSPResponse ocspResponse = OcspCache.getOcspResponse(this.createCertID(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1), this.extractCert(), new ASN1Integer(x509Certificate.getSerialNumber())), this.parameters, uri, this.parent.getOcspResponderCert(), this.parent.getOcspExtensions(), this.helper); try { ocspResponses.put(x509Certificate, ocspResponse.getEncoded()); b = true; } catch (final IOException cause2) { throw new CertPathValidatorException("unable to encode OCSP response", cause2, this.parameters.getCertPath(), this.parameters.getIndex()); } } else { final List ocspExtensions = this.parent.getOcspExtensions(); for (int i = 0; i != ocspExtensions.size(); ++i) { final Extension extension = ocspExtensions.get(i); final byte[] value = extension.getValue(); if (OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId().equals(extension.getId())) { array = value; } } } if (ocspResponses.isEmpty()) { throw new RecoverableCertPathValidatorException("no OCSP response found for any certificate", null, this.parameters.getCertPath(), this.parameters.getIndex()); } final OCSPResponse instance = OCSPResponse.getInstance(ocspResponses.get(x509Certificate)); final ASN1Integer asn1Integer = new ASN1Integer(x509Certificate.getSerialNumber()); if (instance == null) { throw new RecoverableCertPathValidatorException("no OCSP response found for certificate", null, this.parameters.getCertPath(), this.parameters.getIndex()); } if (0 == instance.getResponseStatus().getIntValue()) { final ResponseBytes instance2 = ResponseBytes.getInstance(instance.getResponseBytes()); if (instance2.getResponseType().equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic)) { try { final BasicOCSPResponse instance3 = BasicOCSPResponse.getInstance(instance2.getResponse().getOctets()); if (b || validatedOcspResponse(instance3, this.parameters, array, this.parent.getOcspResponderCert(), this.helper)) { final ASN1Sequence responses = ResponseData.getInstance(instance3.getTbsResponseData()).getResponses(); CertID certID = null; for (int j = 0; j != responses.size(); ++j) { final SingleResponse instance4 = SingleResponse.getInstance(responses.getObjectAt(j)); if (asn1Integer.equals(instance4.getCertID().getSerialNumber())) { final ASN1GeneralizedTime nextUpdate = instance4.getNextUpdate(); if (nextUpdate != null && this.parameters.getValidDate().after(nextUpdate.getDate())) { throw new ExtCertPathValidatorException("OCSP response expired"); } if (certID == null || !isEqualAlgId(certID.getHashAlgorithm(), instance4.getCertID().getHashAlgorithm())) { certID = this.createCertID(instance4.getCertID(), this.extractCert(), asn1Integer); } if (certID.equals(instance4.getCertID())) { if (instance4.getCertStatus().getTagNo() == 0) { return; } if (instance4.getCertStatus().getTagNo() == 1) { final RevokedInfo instance5 = RevokedInfo.getInstance(instance4.getCertStatus().getStatus()); throw new CertPathValidatorException("certificate revoked, reason=(" + instance5.getRevocationReason() + "), date=" + instance5.getRevocationTime().getDate(), null, this.parameters.getCertPath(), this.parameters.getIndex()); } throw new CertPathValidatorException("certificate revoked, details unknown", null, this.parameters.getCertPath(), this.parameters.getIndex()); } } } } } catch (final CertPathValidatorException ex) { throw ex; } catch (final Exception cause3) { throw new CertPathValidatorException("unable to process OCSP response", cause3, this.parameters.getCertPath(), this.parameters.getIndex()); } } return; } throw new CertPathValidatorException("OCSP response failed: " + instance.getResponseStatus().getValue(), null, this.parameters.getCertPath(), this.parameters.getIndex()); } private static boolean isEqualAlgId(final AlgorithmIdentifier algorithmIdentifier, final AlgorithmIdentifier algorithmIdentifier2) { if (algorithmIdentifier == algorithmIdentifier2 || algorithmIdentifier.equals(algorithmIdentifier2)) { return true; } if (!algorithmIdentifier.getAlgorithm().equals(algorithmIdentifier2.getAlgorithm())) { return false; } final ASN1Encodable parameters = algorithmIdentifier.getParameters(); final ASN1Encodable parameters2 = algorithmIdentifier2.getParameters(); if (parameters == parameters2) { return true; } if (parameters == null) { return DERNull.INSTANCE.equals(parameters2); } return (DERNull.INSTANCE.equals(parameters) && parameters2 == null) || parameters.equals(parameters2); } static URI getOcspResponderURI(final X509Certificate x509Certificate) { final byte[] extensionValue = x509Certificate.getExtensionValue(org.bouncycastle.asn1.x509.Extension.authorityInfoAccess.getId()); if (extensionValue == null) { return null; } final AccessDescription[] accessDescriptions = AuthorityInformationAccess.getInstance(ASN1OctetString.getInstance(extensionValue).getOctets()).getAccessDescriptions(); for (int i = 0; i != accessDescriptions.length; ++i) { final AccessDescription accessDescription = accessDescriptions[i]; if (AccessDescription.id_ad_ocsp.equals(accessDescription.getAccessMethod())) { final GeneralName accessLocation = accessDescription.getAccessLocation(); if (accessLocation.getTagNo() == 6) { try { return new URI(((ASN1String)accessLocation.getName()).getString()); } catch (final URISyntaxException ex) {} } } } return null; } static boolean validatedOcspResponse(final BasicOCSPResponse basicOCSPResponse, final PKIXCertRevocationCheckerParameters pkixCertRevocationCheckerParameters, final byte[] array, final X509Certificate x509Certificate, final JcaJceHelper jcaJceHelper) throws CertPathValidatorException { try { final ASN1Sequence certs = basicOCSPResponse.getCerts(); final Signature signature = jcaJceHelper.createSignature(getSignatureName(basicOCSPResponse.getSignatureAlgorithm())); final X509Certificate signerCert = getSignerCert(basicOCSPResponse, pkixCertRevocationCheckerParameters.getSigningCert(), x509Certificate, jcaJceHelper); if (signerCert == null && certs == null) { throw new CertPathValidatorException("OCSP responder certificate not found"); } if (signerCert != null) { signature.initVerify(signerCert.getPublicKey()); } else { final X509Certificate certificate = (X509Certificate)jcaJceHelper.createCertificateFactory("X.509").generateCertificate(new ByteArrayInputStream(certs.getObjectAt(0).toASN1Primitive().getEncoded())); certificate.verify(pkixCertRevocationCheckerParameters.getSigningCert().getPublicKey()); certificate.checkValidity(pkixCertRevocationCheckerParameters.getValidDate()); if (!responderMatches(basicOCSPResponse.getTbsResponseData().getResponderID(), certificate, jcaJceHelper)) { throw new CertPathValidatorException("responder certificate does not match responderID", null, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } final List extendedKeyUsage = certificate.getExtendedKeyUsage(); if (extendedKeyUsage == null || !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) { throw new CertPathValidatorException("responder certificate not valid for signing OCSP responses", null, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } signature.initVerify(certificate); } signature.update(basicOCSPResponse.getTbsResponseData().getEncoded("DER")); if (!signature.verify(basicOCSPResponse.getSignature().getOctets())) { return false; } if (array != null && !Arrays.areEqual(array, basicOCSPResponse.getTbsResponseData().getResponseExtensions().getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnValue().getOctets())) { throw new CertPathValidatorException("nonce mismatch in OCSP response", null, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } return true; } catch (final CertPathValidatorException ex) { throw ex; } catch (final GeneralSecurityException cause) { throw new CertPathValidatorException("OCSP response failure: " + cause.getMessage(), cause, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } catch (final IOException cause2) { throw new CertPathValidatorException("OCSP response failure: " + cause2.getMessage(), cause2, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } } private static X509Certificate getSignerCert(final BasicOCSPResponse basicOCSPResponse, final X509Certificate x509Certificate, final X509Certificate x509Certificate2, final JcaJceHelper jcaJceHelper) throws NoSuchProviderException, NoSuchAlgorithmException { final ResponderID responderID = basicOCSPResponse.getTbsResponseData().getResponderID(); final byte[] keyHash = responderID.getKeyHash(); if (keyHash != null) { final MessageDigest messageDigest = jcaJceHelper.createMessageDigest("SHA1"); if (x509Certificate2 != null && Arrays.areEqual(keyHash, calcKeyHash(messageDigest, x509Certificate2.getPublicKey()))) { return x509Certificate2; } if (x509Certificate != null && Arrays.areEqual(keyHash, calcKeyHash(messageDigest, x509Certificate.getPublicKey()))) { return x509Certificate; } } else { final X500Name instance = X500Name.getInstance(BCStrictStyle.INSTANCE, responderID.getName()); if (x509Certificate2 != null && instance.equals(X500Name.getInstance(BCStrictStyle.INSTANCE, x509Certificate2.getSubjectX500Principal().getEncoded()))) { return x509Certificate2; } if (x509Certificate != null && instance.equals(X500Name.getInstance(BCStrictStyle.INSTANCE, x509Certificate.getSubjectX500Principal().getEncoded()))) { return x509Certificate; } } return null; } private static boolean responderMatches(final ResponderID responderID, final X509Certificate x509Certificate, final JcaJceHelper jcaJceHelper) throws NoSuchProviderException, NoSuchAlgorithmException { final byte[] keyHash = responderID.getKeyHash(); if (keyHash != null) { return Arrays.areEqual(keyHash, calcKeyHash(jcaJceHelper.createMessageDigest("SHA1"), x509Certificate.getPublicKey())); } return X500Name.getInstance(BCStrictStyle.INSTANCE, responderID.getName()).equals(X500Name.getInstance(BCStrictStyle.INSTANCE, x509Certificate.getSubjectX500Principal().getEncoded())); } private static byte[] calcKeyHash(final MessageDigest messageDigest, final PublicKey publicKey) { return messageDigest.digest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()).getPublicKeyData().getBytes()); } private org.bouncycastle.asn1.x509.Certificate extractCert() throws CertPathValidatorException { try { return org.bouncycastle.asn1.x509.Certificate.getInstance(this.parameters.getSigningCert().getEncoded()); } catch (final Exception cause) { throw new CertPathValidatorException("cannot process signing cert: " + cause.getMessage(), cause, this.parameters.getCertPath(), this.parameters.getIndex()); } } private CertID createCertID(final CertID certID, final org.bouncycastle.asn1.x509.Certificate certificate, final ASN1Integer asn1Integer) throws CertPathValidatorException { return this.createCertID(certID.getHashAlgorithm(), certificate, asn1Integer); } private CertID createCertID(final AlgorithmIdentifier algorithmIdentifier, final org.bouncycastle.asn1.x509.Certificate certificate, final ASN1Integer asn1Integer) throws CertPathValidatorException { try { final MessageDigest messageDigest = this.helper.createMessageDigest(MessageDigestUtils.getDigestName(algorithmIdentifier.getAlgorithm())); return new CertID(algorithmIdentifier, new DEROctetString(messageDigest.digest(certificate.getSubject().getEncoded("DER"))), new DEROctetString(messageDigest.digest(certificate.getSubjectPublicKeyInfo().getPublicKeyData().getBytes())), asn1Integer); } catch (final Exception ex) { throw new CertPathValidatorException("problem creating ID: " + ex, ex); } } private static String getDigestName(final ASN1ObjectIdentifier asn1ObjectIdentifier) { final String digestName = MessageDigestUtils.getDigestName(asn1ObjectIdentifier); final int index = digestName.indexOf(45); if (index > 0 && !digestName.startsWith("SHA3")) { return digestName.substring(0, index) + digestName.substring(index + 1); } return digestName; } private static String getSignatureName(final AlgorithmIdentifier algorithmIdentifier) { final ASN1Encodable parameters = algorithmIdentifier.getParameters(); if (parameters != null && !DERNull.INSTANCE.equals(parameters) && algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.id_RSASSA_PSS)) { return getDigestName(RSASSAPSSparams.getInstance(parameters).getHashAlgorithm().getAlgorithm()) + "WITHRSAANDMGF1"; } if (ProvOcspRevocationChecker.oids.containsKey(algorithmIdentifier.getAlgorithm())) { return ProvOcspRevocationChecker.oids.get(algorithmIdentifier.getAlgorithm()); } return algorithmIdentifier.getAlgorithm().getId(); } static { (oids = new HashMap()).put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.5"), "SHA1WITHRSA"); ProvOcspRevocationChecker.oids.put(PKCSObjectIdentifiers.sha224WithRSAEncryption, "SHA224WITHRSA"); ProvOcspRevocationChecker.oids.put(PKCSObjectIdentifiers.sha256WithRSAEncryption, "SHA256WITHRSA"); ProvOcspRevocationChecker.oids.put(PKCSObjectIdentifiers.sha384WithRSAEncryption, "SHA384WITHRSA"); ProvOcspRevocationChecker.oids.put(PKCSObjectIdentifiers.sha512WithRSAEncryption, "SHA512WITHRSA"); ProvOcspRevocationChecker.oids.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94, "GOST3411WITHGOST3410"); ProvOcspRevocationChecker.oids.put(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001, "GOST3411WITHECGOST3410"); ProvOcspRevocationChecker.oids.put(RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_256, "GOST3411-2012-256WITHECGOST3410-2012-256"); ProvOcspRevocationChecker.oids.put(RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_512, "GOST3411-2012-512WITHECGOST3410-2012-512"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_SHA1, "SHA1WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_SHA224, "SHA224WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_SHA256, "SHA256WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_SHA384, "SHA384WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_SHA512, "SHA512WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(BSIObjectIdentifiers.ecdsa_plain_RIPEMD160, "RIPEMD160WITHPLAIN-ECDSA"); ProvOcspRevocationChecker.oids.put(EACObjectIdentifiers.id_TA_ECDSA_SHA_1, "SHA1WITHCVC-ECDSA"); ProvOcspRevocationChecker.oids.put(EACObjectIdentifiers.id_TA_ECDSA_SHA_224, "SHA224WITHCVC-ECDSA"); ProvOcspRevocationChecker.oids.put(EACObjectIdentifiers.id_TA_ECDSA_SHA_256, "SHA256WITHCVC-ECDSA"); ProvOcspRevocationChecker.oids.put(EACObjectIdentifiers.id_TA_ECDSA_SHA_384, "SHA384WITHCVC-ECDSA"); ProvOcspRevocationChecker.oids.put(EACObjectIdentifiers.id_TA_ECDSA_SHA_512, "SHA512WITHCVC-ECDSA"); ProvOcspRevocationChecker.oids.put(IsaraObjectIdentifiers.id_alg_xmss, "XMSS"); ProvOcspRevocationChecker.oids.put(IsaraObjectIdentifiers.id_alg_xmssmt, "XMSSMT"); ProvOcspRevocationChecker.oids.put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.4"), "MD5WITHRSA"); ProvOcspRevocationChecker.oids.put(new ASN1ObjectIdentifier("1.2.840.113549.1.1.2"), "MD2WITHRSA"); ProvOcspRevocationChecker.oids.put(new ASN1ObjectIdentifier("1.2.840.10040.4.3"), "SHA1WITHDSA"); ProvOcspRevocationChecker.oids.put(X9ObjectIdentifiers.ecdsa_with_SHA1, "SHA1WITHECDSA"); ProvOcspRevocationChecker.oids.put(X9ObjectIdentifiers.ecdsa_with_SHA224, "SHA224WITHECDSA"); ProvOcspRevocationChecker.oids.put(X9ObjectIdentifiers.ecdsa_with_SHA256, "SHA256WITHECDSA"); ProvOcspRevocationChecker.oids.put(X9ObjectIdentifiers.ecdsa_with_SHA384, "SHA384WITHECDSA"); ProvOcspRevocationChecker.oids.put(X9ObjectIdentifiers.ecdsa_with_SHA512, "SHA512WITHECDSA"); ProvOcspRevocationChecker.oids.put(OIWObjectIdentifiers.sha1WithRSA, "SHA1WITHRSA"); ProvOcspRevocationChecker.oids.put(OIWObjectIdentifiers.dsaWithSHA1, "SHA1WITHDSA"); ProvOcspRevocationChecker.oids.put(NISTObjectIdentifiers.dsa_with_sha224, "SHA224WITHDSA"); ProvOcspRevocationChecker.oids.put(NISTObjectIdentifiers.dsa_with_sha256, "SHA256WITHDSA"); } }