Commit 9f2412d3 authored by Boris Lucas's avatar Boris Lucas

Launch CRL verifications with privileged access when within IE applet

parent 5ed57900
......@@ -5,15 +5,16 @@ import coop.libriciel.util.CertUtils;
import coop.libriciel.util.CertVerifier;
import coop.libriciel.util.JSONUtils;
import org.adullact.parapheur.applets.splittedsign.Base64;
import org.adullact.parapheur.applets.splittedsign.CRLNotFoundException;
import org.adullact.parapheur.applets.splittedsign.CertListUtil;
import org.adullact.parapheur.applets.splittedsign.CertificateInfosExtractor;
import java.io.*;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
public class ListCertsAction {
......@@ -111,14 +112,16 @@ public class ListCertsAction {
for (String rootKeystoreName : certifyingRootList) {
System.out.println("getCertificates - browsing detected AC : " + rootKeystoreName);
try {
CertVerifier.isCRLCheckOk(cer, rootKeystoreName, Collections.EMPTY_LIST);
} catch (CertificateException e) {
System.out.println(String.format("Certificate with CN '%s' revoked according to root '%s'", certDetail.get("CN"), rootKeystoreName));
certIsValid = false;
break;
} catch (CRLNotFoundException | CRLException e) {
System.err.println(String.format("CRL not found or invalid for certificate '%s' and AC '%s'", certDetail.get("CN"), rootKeystoreName));
e.printStackTrace();
CertVerifier.isCRLCheckOkWithPriveleged(cer, rootKeystoreName, Collections.EMPTY_LIST);
} catch (RuntimeException re) {
System.out.println("getCertificates - Caught runtime exception while checking crl");
System.out.println(" Cause : " + re.getCause());
if (re.getCause() != null && re.getCause() instanceof CertificateException) {
certIsValid = false;
break;
} else {
re.printStackTrace();
}
}
}
......@@ -130,7 +133,6 @@ public class ListCertsAction {
}
}
obj.put("certs", arrayCerts);
return JSONUtils.mapToJSONString(obj);
}
......
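Review bot: The privileged retry `CertVerifier.isCRLCheckOkWithPriveleged(cer, rootKeystoreName, Collections.EMPTY_LIST);` is invoked from inside the `catch (CRLNotFoundException | CRLException e)` clause, so the `RuntimeException` it throws when the retried check finds the certificate revoked is not handled by the sibling `catch (RuntimeException re)` below it and escapes the loop instead of setting `certIsValid = false`. The boolean returned by both the first and the retried check is discarded as well, so only an exception ever invalidates a certificate; whether a `false` return (for instance the unknown-keystore path) should count as invalid is outside what this hunk shows and worth confirming. Moving the retry after the try/catch into its own handler keeps the revoked-on-retry case on the same path as the direct one; the enclosing method and the `cer`/`certDetail`/`certIsValid` declarations are outside the hunk. Separately, the CertVerifier hunk narrows `isCRLCheckOk` to `throws CertificateException` only, in which case the `CRLException` alternative of the catch here is either unreachable or rejected by the compiler — confirm against the full file.
```java
boolean needsPrivilegedRetry = false;
try {
    CertVerifier.isCRLCheckOk(cer, rootKeystoreName, Collections.EMPTY_LIST);
} catch (CertificateException e) {
    // … unchanged: revoked-certificate logging, certIsValid = false, break …
} catch (CRLNotFoundException | CRLException e) {
    System.err.println(String.format("CRL not found or invalid for certificate '%s' and AC '%s'", certDetail.get("CN"), rootKeystoreName));
    e.printStackTrace();
    needsPrivilegedRetry = true;
} catch (RuntimeException re) {
    // … unchanged: runtime-exception handling …
}
if (needsPrivilegedRetry) {
    try {
        CertVerifier.isCRLCheckOkWithPriveleged(cer, rootKeystoreName, Collections.EMPTY_LIST);
    } catch (RuntimeException re) {
        // isCRLCheckOkWithPriveleged reports a revoked certificate as a RuntimeException wrapping CertificateException
        if (re.getCause() instanceof CertificateException) {
            certIsValid = false;
            break;
        }
        re.printStackTrace();
    }
}
```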
......@@ -9,8 +9,10 @@ import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivilegedAction;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.HashMap;
......@@ -125,7 +127,24 @@ public class CertVerifier {
return true;
}
public static boolean isCRLCheckOk(X509Certificate certificate, String keystoreName, List<String> invalidsCRL) throws CertificateException, CRLNotFoundException, CRLException {
public static boolean isCRLCheckOkWithPriveleged(final X509Certificate certificate, final String keystoreName, final List<String> invalidsCRL) {
System.out.println("isCRLCheckOkWithPriveleged");
return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
@Override
public Boolean run() {
try {
return CertVerifier.isCRLCheckOk(certificate, keystoreName, invalidsCRL);
} catch (CertificateException e) {
throw new RuntimeException(e);
}
}
});
}
public static boolean isCRLCheckOk(X509Certificate certificate, String keystoreName, List<String> invalidsCRL) throws CertificateException {
System.out.println("isCRLCheckOk");
if (!rootKeystores.containsKey(keystoreName)) {
System.err.println("Invalid root keystore name : " + keystoreName);
......@@ -135,17 +154,16 @@ public class CertVerifier {
return CertVerifier.checkCrlWithKeystore(certificate, rootKeystores.get(keystoreName), invalidsCRL);
}
private static boolean checkCrlWithKeystore(X509Certificate certificate, KeyStore keystore, List<String> invalidsCRL) throws CertificateException, CRLException {
private static boolean checkCrlWithKeystore(final X509Certificate certificate, final KeyStore keystore, final List<String> invalidsCRL) throws CertificateException {
System.out.println("checkCrlWithKeystore");
/* Input stream containing the CRLs' URL (one per line)*/
InputStream crlConfIs = new ByteArrayInputStream(crlListContent);
try {
ArrayList<X509Extension> certAndCrls = CertificateVerifier.loadCRLsFromStreamAndCheckCert(certificate, crlConfIs, invalidsCRL);
} catch (CRLNotFoundException e) {
} catch (CRLNotFoundException | CRLException e) {
e.printStackTrace();
}
......
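Review bot: `isCRLCheckOkWithPriveleged` converts the `CertificateException` that signals a revoked certificate into a bare `RuntimeException`, so callers lose the checked type and have to inspect `getCause()` to tell revocation apart from any other runtime failure raised inside `doPrivileged`. Using `PrivilegedExceptionAction` and unwrapping `PrivilegedActionException` lets the method declare `throws CertificateException` like `isCRLCheckOk` and keeps the revocation signal explicit (needs imports of `java.security.PrivilegedExceptionAction` and `java.security.PrivilegedActionException`). The method name misspells "privileged"; since it is new in this commit, renaming it to `isCRLCheckOkWithPrivileged` before callers accumulate is cheap. In `checkCrlWithKeystore`, the widened `catch (CRLNotFoundException | CRLException e)` now only prints the stack trace; the method's return after the catch is outside the hunk, so whether an unfetchable or invalid CRL now lets the certificate pass the revocation check (fail-open) should be confirmed and, if deliberate, stated at the catch with a comment such as `// CRL unavailable or unparsable: certificate is NOT treated as revoked`.
```java
public static boolean isCRLCheckOkWithPriveleged(final X509Certificate certificate, final String keystoreName, final List<String> invalidsCRL) throws CertificateException {
    System.out.println("isCRLCheckOkWithPriveleged");
    try {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<Boolean>() {
            @Override
            public Boolean run() throws CertificateException {
                return CertVerifier.isCRLCheckOk(certificate, keystoreName, invalidsCRL);
            }
        });
    } catch (PrivilegedActionException e) {
        // run() declares CertificateException only, so that is the only checked exception doPrivileged can wrap here
        throw (CertificateException) e.getException();
    }
}
```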