Package org.waveprotocol.wave.crypto

Source Code of org.waveprotocol.wave.crypto.CachedCertPathValidator

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements.  See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership.  The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License.  You may obtain a copy of the License at
*
*   http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied.  See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.waveprotocol.wave.crypto;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Set;

/**
* A cert path (aka cert chain) validator that stores validation results in
* a cache. It will also first attempt to look up validation results in the
* cache, before performing a full-blown cert chain verification.
*/
public class CachedCertPathValidator implements WaveCertPathValidator {

  private static final String VALIDATOR_TYPE = "PKIX";
  private static final String CERTIFICATE_TYPE = "X.509";

  // the cache that stores, for a limited amount of time, cert chain
  // verification result.
  private final VerifiedCertChainCache certPathCache;

  // source for current time, so that expiration of certificates can be checked
  private final TimeSource timeSource;

  // set of trusted Certification Authorities
  private final Set<TrustAnchor> trustRoots;

  public CachedCertPathValidator(VerifiedCertChainCache certPathCache,
      TimeSource timeSource, TrustRootsProvider trustRootsProvider) {
    this.certPathCache = certPathCache;
    this.timeSource = timeSource;
    this.trustRoots = getTrustRoots(trustRootsProvider);
  }

  @Override
  public void validate(List<? extends X509Certificate> certs) throws SignatureException {
    if (!certPathCache.contains(certs)) {
      validateNoCache(certs);

      // we don't get here if certs didn't validate
      certPathCache.add(certs);
    }
  }

  private Set<TrustAnchor> getTrustRoots(TrustRootsProvider provider) {
    List<TrustAnchor> anchors = Lists.newArrayList();
    for (X509Certificate c : provider.getTrustRoots()) {
      anchors.add(new TrustAnchor(c, null));
    }
    return ImmutableSet.copyOf(anchors);
  }

  private static WaveOidChecker WAVE_OID_CHECKER = new WaveOidChecker();

  private void validateNoCache(List<? extends X509Certificate> certs)
      throws SignatureException {
    try {
      CertPathValidator validator = CertPathValidator.getInstance(
          VALIDATOR_TYPE);
      PKIXParameters params = new PKIXParameters(trustRoots);
      params.addCertPathChecker(WAVE_OID_CHECKER);
      params.setDate(timeSource.now());

      // turn off default revocation-checking mechanism
      params.setRevocationEnabled(false);

      // TODO: add a way for clients to add certificate revocation checks,
      // perhaps by letting them pass in PKIXCertPathCheckers. This can also be
      // useful to check for Wave-specific certificate extensions.

      CertificateFactory certFactory = CertificateFactory.getInstance(
          CERTIFICATE_TYPE);
      CertPath certPath = certFactory.generateCertPath(certs);
      validator.validate(certPath, params);
    } catch (GeneralSecurityException e) {
      throw new SignatureException("Certificate validation failure", e);
    }
  }

  private static class WaveOidChecker extends PKIXCertPathChecker {

    private static final String WAVE_OID = "1.3.6.1.4.1.11129.2.1.1";
    private static final Set<String> SUPPORTED_EXTENSIONS =
        ImmutableSet.of(WAVE_OID);

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts) {
      // We know about the WAVE OID - if it's in the unresolved critical
      // extensions, that should not cause an error. In fact, in the future
      // we might _require_ this extension
      unresolvedCritExts.remove(WAVE_OID);
    }

    @Override
    public Set<String> getSupportedExtensions() {
      return SUPPORTED_EXTENSIONS;
    }

    @Override
    public void init(boolean forward) {
      // nothing to do
    }

    @Override
    public boolean isForwardCheckingSupported() {
      return true;
    }
  }
}
TOP

Related Classes of org.waveprotocol.wave.crypto.CachedCertPathValidator

  • org.waveprotocol.box.server.waveserver.CertificateManagerImplTest
  • org.waveprotocol.box.server.waveserver.WaveServerModule
  • java.security.cert.TrustAnchor
  • java.security.cert.PKIXParameters
  • java.security.cert.CertPath
  • java.security.cert.CertPathValidator
  • java.security.cert.CertificateFactory
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.