suspend fun CheckCertificateRevocationStatusAsync()

in jvm/src/main/kotlin/com/jetbrains/signatureverifier/crypt/OcspVerifier.kt [53:108]


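  /**
   * Queries the OCSP responder named in [targetCert] and maps the reply to a
   * [VerifySignatureResult].
   *
   * Every failure to obtain a usable answer — no OCSP URL in the certificate, no
   * reply or a non-SUCCESSFUL reply from the responder, a response object that is
   * not a [BasicOCSPResp], a response rejected by [validateOcspResponse], or a
   * response with no single response for the requested [CertificateID] — yields
   * [VerifySignatureResult.InvalidChain]. Each matching single response is then
   * checked with [validateSingleOcspResponse]; an [UnknownStatus] or
   * [RevokedStatus] yields [VerifySignatureResult.InvalidChain], and only when all
   * matching single responses report "good" is [VerifySignatureResult.Valid]
   * returned.
   *
   * Response freshness (thisUpdate/nextUpdate) and nonce matching are not checked
   * in this method; presumably [validateOcspResponse] / [validateSingleOcspResponse]
   * cover them — confirm before relying on this for replay protection.
   *
   * @param targetCert certificate whose revocation status is queried.
   * @param issuerCert issuer of [targetCert], needed to build the request's [CertificateID].
   * @return [VerifySignatureResult.Valid] or [VerifySignatureResult.InvalidChain] with
   *   the message describing why the status could not be confirmed as good.
   */
  suspend fun CheckCertificateRevocationStatusAsync(
    @NotNull targetCert: X509CertificateHolder,
    @NotNull issuerCert: X509CertificateHolder
  ): VerifySignatureResult {
    val ocspUrl = targetCert.GetOcspUrl()
    if (ocspUrl == null) {
      _logger.Warning("The OCSP access data is empty in certificate ${targetCert.FormatId()}")
      _logger.Error(Messages.unable_determin_certificate_revocation_status)
      return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status)
    }

    // SHA-1 here only hashes the issuer name/key into the CertID that identifies the
    // certificate in the request; it is not the signature algorithm of the response.
    val digestCalculatorProvider = org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder().build()
    val digestCalculator = digestCalculatorProvider.get(AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1))
    val certificateIdReq = CertificateID(digestCalculator, issuerCert, targetCert.serialNumber)
    val ocspReqGenerator = OCSPReqBuilder()
    ocspReqGenerator.addRequest(certificateIdReq)
    val ocspReq = ocspReqGenerator.build()
    val ocspRes = getOcspResponceAsync(ocspUrl, ocspReq, _ocspResponseTimeout)

    if (ocspRes == null || ocspRes.status != OCSPResp.SUCCESSFUL) {
      _logger.Error("OCSP response status: ${ocspRes?.status}")
      return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status)
    }
    // Safe cast: an unconditional `as BasicOCSPResp` threw on a null or non-basic
    // response object, which made the "Unknown OCSP response type" branch unreachable.
    val basicOcspResp = ocspRes.responseObject as? BasicOCSPResp
    if (basicOcspResp == null) {
      _logger.Error("Unknown OCSP response type")
      return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status)
    }
    if (!validateOcspResponse(basicOcspResp))
      return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response)

    // Only single responses that answer our CertID count; a response that carries
    // none of them does not speak about this certificate at all.
    val singleResponses = basicOcspResp.responses.filter { it.certID == certificateIdReq }
    if (singleResponses.isEmpty()) {
      _logger.Error("OCSP response not correspond to request")
      return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response)
    }
    for (singleResp in singleResponses) {
      if (!validateSingleOcspResponse(singleResp))
        return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response)

      // BouncyCastle encodes the "good" status as a null CertificateStatus.
      val certStatus = singleResp.certStatus
      if (certStatus == null) {
        continue
      }
      if (certStatus is UnknownStatus) {
        _logger.Warning(Messages.unknown_certificate_revocation_status)
        return VerifySignatureResult.InvalidChain(Messages.unknown_certificate_revocation_status)
      }
      if (certStatus is RevokedStatus) {
        val msg = formatRevokedStatus(certStatus)
        _logger.Warning(msg)
        return VerifySignatureResult.InvalidChain(msg)
      }
      // Any other CertificateStatus implementation is neither unknown nor revoked
      // and, as before, does not fail the check.
    }
    return VerifySignatureResult.Valid
  }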