
Example 31 with CRLException

use of java.security.cert.CRLException in project jdk8u_jdk by JetBrains.

the class URICertStore method engineGetCRLs.

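/**
 * Returns a {@code Collection} of {@code X509CRL}s held by this store that
 * match the specified selector. If no {@code X509CRL}s match, an empty
 * {@code Collection} is returned.
 *
 * <p>For an LDAP-backed store the call is delegated to the wrapped LDAP
 * {@code CertStore}. Otherwise the CRL is fetched from {@code uri} and cached:
 * calls made within {@code CHECK_INTERVAL} of the last check are served from
 * the cached {@code crl} without any network I/O; later calls issue a
 * conditional fetch ({@code If-Modified-Since}) and re-parse only when the
 * server reports a change. Caching details are described at the top of
 * this class.
 *
 * <p>The fetched CRL is <em>not</em> signature-verified here; only its DER
 * structure is parsed by the {@code CertificateFactory}. Verification is
 * presumably done by the PKIX path validator that consumes the result
 * (confirm against the caller).
 *
 * <p>On a fetch or parse failure the cached {@code crl} and
 * {@code lastModified} are discarded and the error is rethrown, but
 * {@code lastChecked} keeps the timestamp of the failed attempt. Callers
 * within the next {@code CHECK_INTERVAL} therefore hit the cache branch and
 * get {@code getMatchingCRLs(null, selector)} rather than a retry.
 *
 * @param selector A {@code CRLSelector} used to select which
 *  {@code X509CRL}s should be returned. Specify {@code null}
 *  to return all {@code X509CRL}s.
 * @return A {@code Collection} of {@code X509CRL}s that
 *         match the specified selector
 * @throws CertStoreException if the LDAP lookup, the URI fetch or the CRL
 *         parse fails (wrapped as {@code PKIX.CertStoreTypeException} with
 *         type {@code "LDAP"} or {@code "URI"})
 */
@Override
@SuppressWarnings("unchecked")
public synchronized Collection<X509CRL> engineGetCRLs(CRLSelector selector) throws CertStoreException {
    // avoid LDAP DN matching issues (see LDAPCRLSelector for more info)
    if (ldap) {
        X509CRLSelector xsel = (X509CRLSelector) selector;
        try {
            xsel = ldapHelper.wrap(xsel, null, ldapPath);
        } catch (IOException ioe) {
            throw new CertStoreException(ioe);
        }
        // Safe cast since xsel is an X509 certificate selector.
        try {
            return (Collection<X509CRL>) ldapCertStore.getCRLs(xsel);
        } catch (CertStoreException cse) {
            throw new PKIX.CertStoreTypeException("LDAP", cse);
        }
    }
    // Return the CRLs for this entry. It returns the cached value
    // if it is still current and fetches the CRLs otherwise.
    // For the caching details, see the top of this class.
    long time = System.currentTimeMillis();
    if (time - lastChecked < CHECK_INTERVAL) {
        if (debug != null) {
            debug.println("Returning CRL from cache");
        }
        return getMatchingCRLs(crl, selector);
    }
    // Record the attempt before fetching so a failure below does not cause
    // a retry storm within CHECK_INTERVAL.
    lastChecked = time;
    try {
        URLConnection connection = uri.toURL().openConnection();
        if (lastModified != 0) {
            connection.setIfModifiedSince(lastModified);
        }
        long oldLastModified = lastModified;
        connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);
        // The URI typically originates from the certificate under validation
        // (CRL distribution point), i.e. from untrusted input. URLConnection's
        // default read timeout is infinite, so a server that accepts the
        // connection and then stalls would block path validation forever.
        // Bound the read with the same limit as the connect until a dedicated
        // read-timeout setting exists.
        connection.setReadTimeout(CRL_CONNECT_TIMEOUT);
        try (InputStream in = connection.getInputStream()) {
            lastModified = connection.getLastModified();
            if (oldLastModified != 0) {
                if (oldLastModified == lastModified) {
                    if (debug != null) {
                        debug.println("Not modified, using cached copy");
                    }
                    return getMatchingCRLs(crl, selector);
                } else if (connection instanceof HttpURLConnection) {
                    // some proxy servers omit last modified
                    HttpURLConnection hconn = (HttpURLConnection) connection;
                    if (hconn.getResponseCode() == HttpURLConnection.HTTP_NOT_MODIFIED) {
                        if (debug != null) {
                            debug.println("Not modified, using cached copy");
                        }
                        return getMatchingCRLs(crl, selector);
                    }
                }
            }
            if (debug != null) {
                debug.println("Downloading new CRL...");
            }
            // Structural parse only; no signature check happens here.
            crl = (X509CRL) factory.generateCRL(in);
        }
        return getMatchingCRLs(crl, selector);
    } catch (IOException | CRLException e) {
        if (debug != null) {
            debug.println("Exception fetching CRL:");
            e.printStackTrace();
        }
        // exception, forget previous values so a stale CRL is not served
        lastModified = 0;
        crl = null;
        throw new PKIX.CertStoreTypeException("URI", new CertStoreException(e));
    }
}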

Example 32 with CRLException

use of java.security.cert.CRLException in project jdk8u_jdk by JetBrains.

the class X509CRLEntryImpl method encode.

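/**
 * Encodes the revoked certificate entry to an output stream.
 *
 * <p>The DER form is built once and cached in {@code revokedCert}; later
 * calls write the cached bytes unchanged. The entry is encoded as
 * {@code SEQUENCE { serialNumber, revocationDate, extensions }}, with the
 * date as UTCTime before {@code YR_2050} and GeneralizedTime from then on
 * (the X.509 rule for dates of 2050 and later).
 *
 * @param outStrm an output stream to which the encoded revoked
 * certificate is written.
 * @exception CRLException on encoding errors; the underlying
 * {@code IOException} is attached as the cause.
 */
public void encode(DerOutputStream outStrm) throws CRLException {
    try {
        if (revokedCert == null) {
            DerOutputStream tmp = new DerOutputStream();
            // sequence { serialNumber, revocationDate, extensions }
            serialNumber.encode(tmp);
            if (revocationDate.getTime() < YR_2050) {
                tmp.putUTCTime(revocationDate);
            } else {
                tmp.putGeneralizedTime(revocationDate);
            }
            // extensions are optional in a CRL entry; isExplicit selects the
            // tagging form used by Extensions.encode
            if (extensions != null)
                extensions.encode(tmp, isExplicit);
            DerOutputStream seq = new DerOutputStream();
            seq.write(DerValue.tag_Sequence, tmp);
            revokedCert = seq.toByteArray();
        }
        outStrm.write(revokedCert);
    } catch (IOException e) {
        // keep the original message, but preserve the cause for diagnostics
        throw new CRLException("Encoding error: " + e.toString(), e);
    }
}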

Example 33 with CRLException

use of java.security.cert.CRLException in project jdk8u_jdk by JetBrains.

the class X509CRLImpl method verify.

/**
 * Verifies that this CRL was signed using the private key that corresponds
 * to the given public key, using a {@code Signature} from the given
 * provider.
 *
 * <p>A successful verification is cached per (key, provider) pair in
 * {@code verifiedPublicKey}/{@code verifiedProvider}; a repeat call with an
 * equal key and the same provider name returns immediately without
 * re-checking. A {@code null} provider is treated as the empty string, which
 * selects the default provider lookup.
 *
 * <p>The signature algorithm is taken from the CRL's own
 * {@code sigAlgId}; no algorithm-strength policy is applied here, so
 * callers that need to reject weak algorithms must check that separately.
 *
 * @param key the PublicKey used to carry out the verification.
 * @param sigProvider the name of the signature provider, or {@code null}/empty
 * for the default.
 *
 * @exception NoSuchAlgorithmException on unsupported signature
 * algorithms.
 * @exception InvalidKeyException on incorrect key.
 * @exception NoSuchProviderException on incorrect provider.
 * @exception SignatureException if the signature does not verify.
 * @exception CRLException if the CRL has not been initialized
 * ({@code signedCRL} or {@code tbsCertList} is {@code null}).
 */
public synchronized void verify(PublicKey key, String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
    String providerName = (sigProvider == null) ? "" : sigProvider;
    // Fast path: already verified with this very key and provider.
    boolean sameKey = (verifiedPublicKey != null) && verifiedPublicKey.equals(key);
    if (sameKey && providerName.equals(verifiedProvider)) {
        return;
    }
    if (signedCRL == null) {
        throw new CRLException("Uninitialized CRL");
    }
    Signature verifier = providerName.isEmpty()
            ? Signature.getInstance(sigAlgId.getName())
            : Signature.getInstance(sigAlgId.getName(), providerName);
    verifier.initVerify(key);
    if (tbsCertList == null) {
        throw new CRLException("Uninitialized CRL");
    }
    // The signature covers the DER-encoded TBSCertList exactly as parsed.
    verifier.update(tbsCertList, 0, tbsCertList.length);
    if (!verifier.verify(signature)) {
        throw new SignatureException("Signature does not match.");
    }
    // Remember the successful (key, provider) pair for the fast path above.
    verifiedPublicKey = key;
    verifiedProvider = providerName;
}

Example 34 with CRLException

use of java.security.cert.CRLException in project jdk8u_jdk by JetBrains.

the class X509CRLImpl method sign.

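/**
 * Encodes an X.509 CRL, and signs it using the given key.
 *
 * <p>The signature algorithm identifier is re-derived from the
 * {@code Signature} engine actually obtained (so the name the provider
 * reports wins over {@code algorithm}), and the same identifier is stored
 * as {@code infoSigAlgId} before {@code encodeInfo} runs, keeping the inner
 * (TBSCertList) and outer algorithm fields equal as {@code parse} requires.
 * On success the CRL becomes read-only.
 *
 * <p>Note: if an exception is thrown after {@code initSign} succeeds,
 * {@code sigAlgId}/{@code infoSigAlgId} (and possibly {@code tbsCertList},
 * depending on {@code encodeInfo}) have already been updated while
 * {@code signedCRL} and {@code readOnly} have not; the object should not be
 * reused after a failed call.
 *
 * @param key the private key used for signing.
 * @param algorithm the name of the signature algorithm used.
 * @param provider the name of the provider; {@code null} or empty selects
 * the default provider lookup.
 *
 * @exception NoSuchAlgorithmException on unsupported signature
 * algorithms.
 * @exception InvalidKeyException on incorrect key.
 * @exception NoSuchProviderException on incorrect provider.
 * @exception SignatureException on signature errors.
 * @exception CRLException if the CRL is already signed/parsed
 * ({@code readOnly}) or if encoding fails; in the latter case the
 * {@code IOException} is attached as the cause.
 */
public void sign(PrivateKey key, String algorithm, String provider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
    try {
        if (readOnly)
            throw new CRLException("cannot over-write existing CRL");
        Signature sigEngine = null;
        if ((provider == null) || (provider.length() == 0))
            sigEngine = Signature.getInstance(algorithm);
        else
            sigEngine = Signature.getInstance(algorithm, provider);
        sigEngine.initSign(key);
        // in case the name is reset
        sigAlgId = AlgorithmId.get(sigEngine.getAlgorithm());
        infoSigAlgId = sigAlgId;
        DerOutputStream out = new DerOutputStream();
        DerOutputStream tmp = new DerOutputStream();
        // encode crl info (presumably also populates tbsCertList - confirm
        // against encodeInfo)
        encodeInfo(tmp);
        // encode algorithm identifier
        sigAlgId.encode(tmp);
        // Create and encode the signature itself.
        sigEngine.update(tbsCertList, 0, tbsCertList.length);
        signature = sigEngine.sign();
        tmp.putBitString(signature);
        // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
        out.write(DerValue.tag_Sequence, tmp);
        signedCRL = out.toByteArray();
        readOnly = true;
    } catch (IOException e) {
        // keep the original message, but preserve the cause for diagnostics
        throw new CRLException("Error while encoding data: " + e.getMessage(), e);
    }
}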

Example 35 with CRLException

use of java.security.cert.CRLException in project jdk8u_jdk by JetBrains.

the class X509CRLImpl method parse.

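/*
 * Parses an X.509 CRL, should be used only by constructors.
 *
 * Expects val to be the outer CertificateList SEQUENCE
 * { tbsCertList, signatureAlgorithm, signatureValue }. Structural checks
 * that matter for security are performed here:
 *  - no trailing bytes after the outer sequence or inside the
 *    AlgorithmIdentifier / signature fields (overrun checks);
 *  - the signature algorithm inside the TBSCertList must equal the outer
 *    one, so an attacker cannot swap the outer algorithm without changing
 *    the signed bytes;
 *  - version, if present, must be v2 (encoded as 1);
 *  - the issuer DN must be non-empty.
 * Signature verification itself is NOT done here (see verify()).
 *
 * On every successful exit the CRL is marked read-only. Previously only the
 * fall-through path (CRL with extensions) set readOnly, leaving a parsed
 * CRL without extensions open to a later sign(), which would silently
 * re-encode and overwrite the parsed content.
 */
private void parse(DerValue val) throws CRLException, IOException {
    // check if can over write the certificate
    if (readOnly)
        throw new CRLException("cannot over-write existing CRL");
    if (val.getData() == null || val.tag != DerValue.tag_Sequence)
        throw new CRLException("Invalid DER-encoded CRL data");
    // keep the full DER encoding (getEncoded() material)
    signedCRL = val.toByteArray();
    DerValue[] seq = new DerValue[3];
    seq[0] = val.data.getDerValue();
    seq[1] = val.data.getDerValue();
    seq[2] = val.data.getDerValue();
    // exactly three components; reject trailing garbage
    if (val.data.available() != 0)
        throw new CRLException("signed overrun, bytes = " + val.data.available());
    if (seq[0].tag != DerValue.tag_Sequence)
        throw new CRLException("signed CRL fields invalid");
    sigAlgId = AlgorithmId.parse(seq[1]);
    signature = seq[2].getBitString();
    if (seq[1].data.available() != 0)
        throw new CRLException("AlgorithmId field overrun");
    if (seq[2].data.available() != 0)
        throw new CRLException("Signature field overrun");
    // the tbsCertsList: the exact bytes the signature is computed over
    tbsCertList = seq[0].toByteArray();
    // parse the information
    DerInputStream derStrm = seq[0].data;
    DerValue tmp;
    byte nextByte;
    // version (optional if v1)
    // by default, version = v1 == 0
    version = 0;
    nextByte = (byte) derStrm.peekByte();
    if (nextByte == DerValue.tag_Integer) {
        version = derStrm.getInteger();
        // only v2 (encoded as INTEGER 1) is accepted when a version is present
        if (// i.e. v2
        version != 1)
            throw new CRLException("Invalid version");
    }
    tmp = derStrm.getDerValue();
    // signature
    AlgorithmId tmpId = AlgorithmId.parse(tmp);
    // the "inner" and "outer" signature algorithms must match
    if (!tmpId.equals(sigAlgId))
        throw new CRLException("Signature algorithm mismatch");
    infoSigAlgId = tmpId;
    // issuer
    issuer = new X500Name(derStrm);
    if (issuer.isEmpty()) {
        throw new CRLException("Empty issuer DN not allowed in X509CRLs");
    }
    // thisUpdate
    // check if UTCTime encoded or GeneralizedTime
    nextByte = (byte) derStrm.peekByte();
    if (nextByte == DerValue.tag_UtcTime) {
        thisUpdate = derStrm.getUTCTime();
    } else if (nextByte == DerValue.tag_GeneralizedTime) {
        thisUpdate = derStrm.getGeneralizedTime();
    } else {
        throw new CRLException("Invalid encoding for thisUpdate" + " (tag=" + nextByte + ")");
    }
    if (derStrm.available() == 0) {
        // done parsing no more optional fields present
        readOnly = true;
        return;
    }
    // nextUpdate (optional)
    nextByte = (byte) derStrm.peekByte();
    if (nextByte == DerValue.tag_UtcTime) {
        nextUpdate = derStrm.getUTCTime();
    } else if (nextByte == DerValue.tag_GeneralizedTime) {
        nextUpdate = derStrm.getGeneralizedTime();
    }
    if (derStrm.available() == 0) {
        // done parsing no more optional fields present
        readOnly = true;
        return;
    }
    // revokedCertificates (optional)
    nextByte = (byte) derStrm.peekByte();
    // the second clause only excludes context-specific tags; it is always
    // true once the tag equals tag_SequenceOf, so it is kept for safety only
    if ((nextByte == DerValue.tag_SequenceOf) && (!((nextByte & 0x0c0) == 0x080))) {
        DerValue[] badCerts = derStrm.getSequence(4);
        X500Principal crlIssuer = getIssuerX500Principal();
        // Each entry's certificate issuer defaults to the CRL issuer and is
        // carried forward from the previous entry (indirect CRLs), unless the
        // entry overrides it; getCertIssuer decides that.
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl entry = new X509CRLEntryImpl(badCerts[i]);
            badCertIssuer = getCertIssuer(entry, badCertIssuer);
            entry.setCertificateIssuer(crlIssuer, badCertIssuer);
            X509IssuerSerial issuerSerial = new X509IssuerSerial(badCertIssuer, entry.getSerialNumber());
            revokedMap.put(issuerSerial, entry);
            revokedList.add(entry);
        }
    }
    if (derStrm.available() == 0) {
        // done parsing no extensions
        readOnly = true;
        return;
    }
    // crlExtensions (optional), carried in [0] EXPLICIT
    tmp = derStrm.getDerValue();
    if (tmp.isConstructed() && tmp.isContextSpecific((byte) 0)) {
        extensions = new CRLExtensions(tmp.data);
    }
    readOnly = true;
}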
