
Example 51 with X509CRL

Use of java.security.cert.X509CRL in the project XobotOS by xamarin.

Class CertPathValidatorUtilities, method getDeltaCRLs.

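/**
 * Fetches delta CRLs according to RFC 3280 section 5.2.4.
 * <p>
 * A selector is constrained to the issuer of the complete CRL (5.2.4 (a)), to
 * the same issuing distribution point extension (5.2.4 (b)), to a base CRL
 * number no greater than the complete CRL's number (5.2.4 (c)) and to a CRL
 * number greater than the complete CRL's number (5.2.4 (d)). Of the CRLs the
 * stores return for that selector, only those that are delta CRLs are kept.
 *
 * @param currentDate The date for which the delta CRLs must be valid.
 * @param paramsPKIX The extended PKIX parameters.
 * @param completeCRL The complete CRL the delta CRL is for.
 * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs, possibly empty.
 * @throws AnnotatedException if the issuer, the CRL number extension or the
 *             issuing distribution point extension cannot be read from
 *             <code>completeCRL</code>, or if an exception occurs while picking
 *             the delta CRLs.
 */
protected static Set getDeltaCRLs(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException {
    X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();
    // 5.2.4 (a): the delta must come from the issuer of the complete CRL
    try {
        deltaSelect.addIssuerName(CertPathValidatorUtilities.getIssuerPrincipal(completeCRL).getEncoded());
    } catch (IOException e) {
        // The exception used to be constructed but never thrown, so an unreadable
        // issuer silently left the selector without any issuer constraint.
        throw new AnnotatedException("Cannot extract issuer from CRL.", e);
    }
    BigInteger completeCRLNumber = null;
    try {
        DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER);
        if (derObject != null) {
            completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e);
    }
    // 5.2.4 (b)
    byte[] idp = null;
    try {
        idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
    }
    // 5.2.4 (d): the delta's CRL number must exceed the complete CRL's; no lower
    // bound when the complete CRL carries no CRL number extension
    deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.ONE));
    // 5.2.4 (b): the delta must carry the same issuing distribution point value
    // (a null idp with the check enabled only admits CRLs without the extension)
    deltaSelect.setIssuingDistributionPoint(idp);
    deltaSelect.setIssuingDistributionPointEnabled(true);
    // 5.2.4 (c)
    deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);
    // find delta CRLs
    Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate);
    Set result = new HashSet();
    for (Iterator it = temp.iterator(); it.hasNext(); ) {
        X509CRL crl = (X509CRL) it.next();
        // the selector alone does not exclude complete CRLs; keep only real deltas
        if (isDeltaCRL(crl)) {
            result.add(crl);
        }
    }
    return result;
}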

Example 52 with X509CRL

Use of java.security.cert.X509CRL in the project XobotOS by xamarin.

Class PKIXCRLUtil, method findCRLs.

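/**
 * Finds all CRLs matching <code>crlselect</code> in the additional stores,
 * the stores and the cert stores of <code>paramsPKIX</code> that are still
 * valid at the validity date, based on RFC 5280 section 6.3.3.
 * <p>
 * The validity date is <code>paramsPKIX.getDate()</code> when set, otherwise
 * <code>currentDate</code>. A CRL is kept when its nextUpdate lies after that
 * date (a CRL without a nextUpdate field is treated as still valid) and, when
 * the selector names a certificate being checked, when the CRL's thisUpdate
 * precedes that certificate's notAfter.
 *
 * @param crlselect The CRL selector.
 * @param paramsPKIX The PKIX parameters holding the stores to search.
 * @param currentDate The date used when the parameters carry no validation date.
 * @return A <code>Set</code> of matching <code>X509CRL</code>s, possibly empty.
 * @throws AnnotatedException if one of the stores cannot be searched.
 */
public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate) throws AnnotatedException {
    Set initialSet = new HashSet();
    // get complete CRL(s)
    try {
        initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
        initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores()));
        initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Exception obtaining complete CRLs.", e);
    }
    Set finalSet = new HashSet();
    Date validityDate = currentDate;
    if (paramsPKIX.getDate() != null) {
        validityDate = paramsPKIX.getDate();
    }
    // the certificate the selector is checking, if any; it is the same for every CRL
    X509Certificate cert = crlselect.getCertificateChecking();
    // based on RFC 5280 6.3.3
    for (Iterator it = initialSet.iterator(); it.hasNext(); ) {
        X509CRL crl = (X509CRL) it.next();
        // nextUpdate is optional in a CRL and getNextUpdate() returns null when it is
        // absent; that used to abort the whole search with a NullPointerException
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && !nextUpdate.after(validityDate)) {
            continue;
        }
        // a CRL issued after the certificate expired says nothing about it, since
        // expired certificates are no longer listed
        if (cert == null || crl.getThisUpdate().before(cert.getNotAfter())) {
            finalSet.add(crl);
        }
    }
    return finalSet;
}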

Example 53 with X509CRL

Use of java.security.cert.X509CRL in the project XobotOS by xamarin.

Class X509CertFactoryImpl, method getCRL.

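/**
 * Returns the CRL object corresponding to the encoding provided
 * by the stream.
 * Resulting object is retrieved from the cache
 * if it contains such correspondence
 * and is constructed on the base of encoding
 * and stored in the cache otherwise.
 * <p>
 * The stream must support mark/reset: the first
 * <code>CRL_CACHE_SEED_LENGTH</code> bytes are read to compute the cache
 * key and the stream is then rewound so the full encoding can be read
 * again. All cache access happens while holding the <code>CRL_CACHE</code>
 * monitor.
 *
 * @param inStream stream positioned at the start of a DER encoded CRL
 * @return the decoded CRL
 * @throws CRLException if the stream holds fewer than
 * <code>CRL_CACHE_SEED_LENGTH</code> bytes or the length declared in the
 * encoding is smaller than that prefix
 * @throws IOException if some decoding errors occur
 * (in the case of cache miss).
 */
private static CRL getCRL(InputStream inStream) throws CRLException, IOException {
    synchronized (CRL_CACHE) {
        // read the prefix of the encoding and rewind: the prefix only serves as
        // the cache seed, the whole encoding is consumed further down
        inStream.mark(CRL_CACHE_SEED_LENGTH);
        byte[] buff = readBytes(inStream, CRL_CACHE_SEED_LENGTH);
        inStream.reset();
        if (buff == null) {
            throw new CRLException("InputStream doesn't contain enough data");
        }
        long hash = CRL_CACHE.getHash(buff);
        if (CRL_CACHE.contains(hash)) {
            // the length comes from the (untrusted) encoding itself: validate it
            // before sizing the buffer instead of allocating first and checking after
            int length = BerInputStream.getLength(buff);
            if (length < CRL_CACHE_SEED_LENGTH) {
                throw new CRLException("Bad CRL encoding");
            }
            byte[] encoding = new byte[length];
            Streams.readFully(inStream, encoding);
            // get() may still return null, so a seed hash hit is not yet a full match
            CRL res = (CRL) CRL_CACHE.get(hash, encoding);
            if (res != null) {
                return res;
            }
            res = new X509CRLImpl(encoding);
            CRL_CACHE.put(hash, encoding, res);
            return res;
        } else {
            // cache miss: decode straight from the stream and remember the result
            X509CRL res = new X509CRLImpl(inStream);
            CRL_CACHE.put(hash, res.getEncoded(), res);
            return res;
        }
    }
}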

Example 54 with X509CRL

Use of java.security.cert.X509CRL in the project XobotOS by xamarin.

Class RFC3280CertPathUtilities, method checkCRL.

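/**
 * Checks a distribution point for revocation information for the
 * certificate <code>cert</code>.
 * <p>
 * Every complete CRL found for the distribution point is processed in
 * turn (steps (b) to (k) of RFC 3280 section 6.3.3) until the certificate is
 * found revoked or all reasons are covered. A CRL that fails one of the
 * steps is skipped and its exception remembered; the method only fails if
 * no CRL at all could be processed successfully. The reasons mask is
 * updated only by CRLs that passed every step.
 *
 * @param dp                 The distribution point to consider.
 * @param paramsPKIX         PKIX parameters.
 * @param cert               Certificate to check if it is revoked.
 * @param validDate          The date when the certificate revocation status should be
 *                           checked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 * @param defaultCRLSignKey  The public key of the issuer certificate
 *                           <code>defaultCRLSignCert</code>.
 * @param certStatus         The current certificate revocation status; updated in place.
 * @param reasonMask         The reasons mask which is already checked; updated in place.
 * @param certPathCerts      The certificates of the certification path.
 * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
 *                            or some error occurs, including when <code>validDate</code>
 *                            lies in the future or no CRL yielded a usable result.
 */
private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException {
    Date currentDate = new Date(System.currentTimeMillis());
    if (validDate.getTime() > currentDate.getTime()) {
        throw new AnnotatedException("Validation time is in future.");
    }
    // (a)
    /*
     * We always get timely valid CRLs, so there is no step (a) (1).
     * "locally cached" CRLs are assumed to be in getStore(), additional
     * CRLs must be enabled in the ExtendedPKIXParameters and are in
     * getAdditionalStore()
     */
    Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
    boolean validCrlFound = false;
    AnnotatedException lastException = null;
    Iterator crl_iter = crls.iterator();
    // stop as soon as the certificate is known to be revoked or every reason is covered
    while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
        try {
            X509CRL crl = (X509CRL) crl_iter.next();
            // (d)
            ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
            /*
             * The reasons mask is updated at the end, so only valid CRLs
             * can update it. If this CRL does not contain new reasons it
             * must be ignored.
             */
            if (!interimReasonsMask.hasNewReasons(reasonMask)) {
                continue;
            }
            // (f)
            Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
            // (g)
            PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
            X509CRL deltaCRL = null;
            if (paramsPKIX.isUseDeltasEnabled()) {
                // get delta CRLs
                Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
                // we only want one valid delta CRL
                // (h)
                deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
            }
            if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
                /*
                 * if a certificate has expired, but was revoked, it is not
                 * more in the CRL, so it would be regarded as valid if the
                 * first check is not done
                 */
                if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
                    throw new AnnotatedException("No valid CRL for current time found.");
                }
            }
            RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);
            // (b) (2)
            RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);
            // (c)
            RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
            // (i)
            RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
            // (j)
            RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
            // (k)
            if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
                certStatus.setCertStatus(CertStatus.UNREVOKED);
            }
            // update reasons mask
            reasonMask.addReasons(interimReasonsMask);
            // the two extensions handled above are the only critical ones understood here;
            // any other critical extension on the CRL or its delta is a hard failure
            Set criticalExtensions = crl.getCriticalExtensionOIDs();
            if (criticalExtensions != null) {
                criticalExtensions = new HashSet(criticalExtensions);
                criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                if (!criticalExtensions.isEmpty()) {
                    throw new AnnotatedException("CRL contains unsupported critical extensions.");
                }
            }
            if (deltaCRL != null) {
                criticalExtensions = deltaCRL.getCriticalExtensionOIDs();
                if (criticalExtensions != null) {
                    criticalExtensions = new HashSet(criticalExtensions);
                    criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
                    criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
                    if (!criticalExtensions.isEmpty()) {
                        throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
                    }
                }
            }
            validCrlFound = true;
        } catch (AnnotatedException e) {
            lastException = e;
        }
    }
    if (!validCrlFound) {
        if (lastException == null) {
            // Reached when every CRL was skipped for bringing no new reasons (or the set
            // was empty): nothing was thrown, so "throw lastException" would have been
            // "throw null" and surfaced as a NullPointerException instead of a status error.
            throw new AnnotatedException("No valid CRL found.");
        }
        throw lastException;
    }
}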

Example 55 with X509CRL

Use of java.security.cert.X509CRL in the project XobotOS by xamarin.

Class X509CRLStoreSelector, method match.

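/**
 * Tests whether <code>obj</code> is an <code>X509CRL</code> that satisfies
 * this selector's delta CRL indicator, complete CRL, maximum base CRL number
 * and issuing distribution point constraints as well as those of the
 * superclass.
 * <p>
 * A delta CRL indicator extension that cannot be decoded makes the CRL not
 * match rather than propagating the failure.
 *
 * @param obj the candidate object.
 * @return <code>true</code> if <code>obj</code> is a matching <code>X509CRL</code>.
 */
public boolean match(Object obj) {
    if (!(obj instanceof X509CRL)) {
        return false;
    }
    X509CRL crl = (X509CRL) obj;
    DERInteger dci = null;
    try {
        byte[] bytes = crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
        if (bytes != null) {
            dci = DERInteger.getInstance(X509ExtensionUtil.fromExtensionValue(bytes));
        }
    } catch (Exception e) {
        // malformed delta CRL indicator: treat as "does not match"
        return false;
    }
    // a delta CRL must carry the indicator, a complete CRL must not
    if (isDeltaCRLIndicatorEnabled() && dci == null) {
        return false;
    }
    if (isCompleteCRLEnabled() && dci != null) {
        return false;
    }
    // the base CRL number of a delta must not exceed the configured maximum; rely on
    // the sign of compareTo as its contract specifies, not on the exact value 1
    if (dci != null && maxBaseCRLNumber != null && dci.getPositiveValue().compareTo(maxBaseCRLNumber) > 0) {
        return false;
    }
    if (issuingDistributionPointEnabled) {
        byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
        if (issuingDistributionPoint == null) {
            // no expected value: only CRLs without the extension match
            if (idp != null) {
                return false;
            }
        } else if (!Arrays.areEqual(idp, issuingDistributionPoint)) {
            return false;
        }
    }
    return super.match(crl);
}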
