/* * JOSSO: Java Open Single Sign-On * * Copyright 2004-2009, Atricore, Inc. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * */ package org.josso.auth.scheme.validation; import java.security.Security; import java.security.cert.CertPath; import java.security.cert.CertPathValidator; import java.security.cert.CertPathValidatorException; import java.security.cert.CertStore; import java.security.cert.CertStoreParameters; import java.security.cert.CollectionCertStoreParameters; import java.security.cert.PKIXCertPathValidatorResult; import java.security.cert.PKIXParameters; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.HashSet; import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * OCSP X509 Certificate validator. 
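 *
 * Validation delegates to the JDK PKIX {@link CertPathValidator} with revocation checking
 * enabled and OCSP switched on through the JVM-wide {@code ocsp.*} {@link Security} properties.
 * <p>
 * Because those properties (and the {@code http.proxy*} system properties) are global, an
 * instance's configuration is visible to every other PKIX validation in the same JVM. Note
 * that a {@code Security} property cannot be unset, so a value written by an earlier call is
 * not cleared by a later instance that leaves the corresponding setting empty.
 *
 * @org.apache.xbean.XBean element="ocsp-validator"
 */
public class OCSPX509CertificateValidator extends AbstractX509CertificateValidator {

    private static final Log log = LogFactory.getLog(OCSPX509CertificateValidator.class);

    /** Alias under which the OCSP responder's signing certificate is looked up via getCertificate(). */
    private String _ocspResponderCertificateAlias;

    /**
     * Lazily resolved responder certificate; stays null (and is looked up again on the next call)
     * while getCertificate() returns nothing. Not synchronized: a concurrent first call may resolve
     * it twice, which is harmless because both lookups use the same alias.
     */
    private X509Certificate _ocspCert;

    /**
     * Validates the certificate's path up to one of the configured trust anchors and checks
     * revocation through OCSP.
     *
     * @param certificate the end-entity certificate to validate
     * @throws X509CertificateValidationException if path generation, PKIX validation or the OCSP
     *         check fails; the underlying exception is preserved as the cause
     */
    public void validate(X509Certificate certificate) throws X509CertificateValidationException {
        try {
            configureResponderUrl();
            configureHttpProxy();

            // get certificate path
            CertPath cp = generateCertificatePath(certificate);

            // get trust anchors
            Set<TrustAnchor> trustedCertsSet = generateTrustAnchors();

            // init PKIX parameters
            PKIXParameters params = new PKIXParameters(trustedCertsSet);

            // make the responder's signing certificate reachable for the OCSP checker
            if (_ocspCert == null) {
                _ocspCert = getCertificate(_ocspResponderCertificateAlias);
            }
            if (_ocspCert != null) {
                Set<X509Certificate> certSet = new HashSet<X509Certificate>();
                certSet.add(_ocspCert);
                CertStoreParameters storeParams = new CollectionCertStoreParameters(certSet);
                CertStore store = CertStore.getInstance("Collection", storeParams);
                params.addCertStore(store);
                // the OCSP checker finds the responder cert in the cert stores by this subject name
                Security.setProperty("ocsp.responderCertSubjectName",
                        _ocspCert.getSubjectX500Principal().getName());
            }

            // activate certificate revocation checking, and select OCSP as the mechanism
            params.setRevocationEnabled(true);
            Security.setProperty("ocsp.enable", "true");

            // perform validation
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpvResult =
                    (PKIXCertPathValidatorResult) cpv.validate(cp, params);

            // getTrustedCert() is null only for anchors built from a name/key pair rather than a cert
            X509Certificate trustedCert = cpvResult.getTrustAnchor().getTrustedCert();
            if (trustedCert == null) {
                log.debug("Trusted Cert = NULL");
            } else {
                log.debug("Trusted CA DN = " + trustedCert.getSubjectX500Principal().getName());
            }
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the offending certificate in the path, or -1
            // when the failure is not attributable to a single certificate
            log.error("Certificate path validation failed (certificate index " + e.getIndex() + ")", e);
            throw new X509CertificateValidationException(e);
        } catch (Exception e) {
            log.error(e, e);
            throw new X509CertificateValidationException(e);
        }
        log.debug("CERTIFICATE VALIDATION SUCCEEDED");
    }

    /**
     * Points the JDK OCSP checker at the configured responder URL, or leaves discovery through
     * the certificate's AIA extension in effect when no URL is configured.
     */
    private void configureResponderUrl() {
        if (_url != null) {
            log.debug("Using the OCSP server at: " + _url);
            Security.setProperty("ocsp.responderURL", _url);
        } else {
            // NOTE: an "ocsp.responderURL" set by an earlier call (or another instance) is not
            // cleared here, so AIA discovery only applies if nothing in this JVM has set it before.
            log.debug("Using the OCSP server specified in the "
                    + "Authority Info Access (AIA) extension "
                    + "of the certificate");
        }
    }

    /**
     * Applies the configured HTTP proxy for the OCSP request, or clears the JVM-wide proxy
     * settings when none is configured.
     */
    private void configureHttpProxy() {
        if (_httpProxyHost != null && _httpProxyPort != null) {
            System.setProperty("http.proxyHost", _httpProxyHost);
            System.setProperty("http.proxyPort", _httpProxyPort);
        } else {
            // this also removes a proxy configured elsewhere (e.g. -Dhttp.proxyHost), not only ours
            System.clearProperty("http.proxyHost");
            System.clearProperty("http.proxyPort");
        }
    }

    /**
     * @return the ocspResponderCertificateAlias
     */
    public String getOcspResponderCertificateAlias() {
        return _ocspResponderCertificateAlias;
    }

    /**
     * @param ocspResponderCertificateAlias the ocspResponderCertificateAlias to set
     */
    public void setOcspResponderCertificateAlias(String ocspResponderCertificateAlias) {
        _ocspResponderCertificateAlias = ocspResponderCertificateAlias;
    }
}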