/*
*
* This file is part of the iText (R) project.
Copyright (c) 1998-2017 iText Group NV
* Authors: Bruno Lowagie, Paulo Soares, et al.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License version 3
* as published by the Free Software Foundation with the addition of the
* following permission added to Section 15 as permitted in Section 7(a):
* FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
* ITEXT GROUP. ITEXT GROUP DISCLAIMS THE WARRANTY OF NON INFRINGEMENT
* OF THIRD PARTY RIGHTS
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU Affero General Public License for more details.
* You should have received a copy of the GNU Affero General Public License
* along with this program; if not, see http://www.gnu.org/licenses or write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA, 02110-1301 USA, or download the license from the following URL:
* http://itextpdf.com/terms-of-use/
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License.
*
* In accordance with Section 7(b) of the GNU Affero General Public License,
* a covered work must retain the producer line in every PDF that is created
* or manipulated using iText.
*
* You can be released from the requirements of the license by purchasing
* a commercial license. Buying such a license is mandatory as soon as you
* develop commercial activities involving the iText software without
* disclosing the source code of your own applications.
* These activities include: offering paid services to customers as an ASP,
* serving PDFs on the fly in a web application, shipping iText with a closed
* source product.
*
* For more information, please contact iText Software Corp. at this
* address: sales@itextpdf.com
*/
package com.itextpdf.text.pdf.security;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import com.itextpdf.text.log.Logger;
import com.itextpdf.text.log.LoggerFactory;
/**
* Class that allows you to verify a certificate against
* one or more Certificate Revocation Lists.
*/
public class CRLVerifier extends RootStoreVerifier {
/** The Logger instance */
protected final static Logger LOGGER = LoggerFactory.getLogger(CRLVerifier.class);
/** The list of CRLs to check for revocation date. */
List<X509CRL> crls;
/**
* Creates a CRLVerifier instance.
* @param verifier the next verifier in the chain
* @param crls a list of CRLs
*/
public CRLVerifier(CertificateVerifier verifier, List<X509CRL> crls) {
super(verifier);
this.crls = crls;
}
/**
* Verifies if a a valid CRL is found for the certificate.
* If this method returns false, it doesn't mean the certificate isn't valid.
* It means we couldn't verify it against any CRL that was available.
* @param signCert the certificate that needs to be checked
* @param issuerCert its issuer
* @return a list of <code>VerificationOK</code> objects.
* The list will be empty if the certificate couldn't be verified.
* @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)
*/
public List<VerificationOK> verify(X509Certificate signCert, X509Certificate issuerCert, Date signDate)
throws GeneralSecurityException, IOException {
List<VerificationOK> result = new ArrayList<VerificationOK>();
int validCrlsFound = 0;
// first check the list of CRLs that is provided
if (crls != null) {
for (X509CRL crl : crls) {
if (verify(crl, signCert, issuerCert, signDate))
validCrlsFound++;
}
}
// then check online if allowed
boolean online = false;
if (onlineCheckingAllowed && validCrlsFound == 0) {
if (verify(getCRL(signCert, issuerCert), signCert, issuerCert, signDate)) {
validCrlsFound++;
online = true;
}
}
// show how many valid CRLs were found
LOGGER.info("Valid CRLs found: " + validCrlsFound);
if (validCrlsFound > 0) {
result.add(new VerificationOK(signCert, this.getClass(), "Valid CRLs found: " + validCrlsFound + (online ? " (online)" : "")));
}
if (verifier != null)
result.addAll(verifier.verify(signCert, issuerCert, signDate));
// verify using the previous verifier in the chain (if any)
return result;
}
/**
* Verifies a certificate against a single CRL.
* @param crl the Certificate Revocation List
* @param signCert a certificate that needs to be verified
* @param issuerCert its issuer
* @param signDate the sign date
* @return true if the verification succeeded
* @throws GeneralSecurityException
*/
public boolean verify(X509CRL crl, X509Certificate signCert, X509Certificate issuerCert, Date signDate) throws GeneralSecurityException {
if (crl == null || signDate == null)
return false;
// We only check CRLs valid on the signing date for which the issuer matches
if (crl.getIssuerX500Principal().equals(signCert.getIssuerX500Principal())
&& signDate.after(crl.getThisUpdate()) && signDate.before(crl.getNextUpdate())) {
// the signing certificate may not be revoked
if (isSignatureValid(crl, issuerCert) && crl.isRevoked(signCert)) {
throw new VerificationException(signCert, "The certificate has been revoked.");
}
return true;
}
return false;
}
/**
* Fetches a CRL for a specific certificate online (without further checking).
* @param signCert the certificate
* @param issuerCert its issuer
* @return an X509CRL object
*/
public X509CRL getCRL(X509Certificate signCert, X509Certificate issuerCert) {
if (issuerCert == null)
issuerCert = signCert;
try {
// gets the URL from the certificate
String crlurl = CertificateUtil.getCRLURL(signCert);
if (crlurl == null)
return null;
LOGGER.info("Getting CRL from " + crlurl);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// Creates the CRL
return (X509CRL) cf.generateCRL(new URL(crlurl).openStream());
}
catch(IOException e) {
return null;
}
catch(GeneralSecurityException e) {
return null;
}
}
/**
* Checks if a CRL verifies against the issuer certificate or a trusted anchor.
* @param crl the CRL
* @param crlIssuer the trusted anchor
* @return true if the CRL can be trusted
*/
public boolean isSignatureValid(X509CRL crl, X509Certificate crlIssuer) {
// check if the CRL was issued by the issuer
if (crlIssuer != null) {
try {
crl.verify(crlIssuer.getPublicKey());
return true;
} catch (GeneralSecurityException e) {
LOGGER.warn("CRL not issued by the same authority as the certificate that is being checked");
}
}
// check the CRL against trusted anchors
if (rootStore == null)
return false;
try {
// loop over the certificate in the key store
for (Enumeration<String> aliases = rootStore.aliases(); aliases.hasMoreElements();) {
String alias = aliases.nextElement();
try {
if (!rootStore.isCertificateEntry(alias))
continue;
// check if the crl was signed by a trusted party (indirect CRLs)
X509Certificate anchor = (X509Certificate)rootStore.getCertificate(alias);
crl.verify(anchor.getPublicKey());
return true;
} catch (GeneralSecurityException e) {
continue;
}
}
}
catch (GeneralSecurityException e) {
return false;
}
return false;
}
}