use of java.security.cert.X509CRL in project XobotOS by xamarin.
the class CertPathValidatorUtilities method getDeltaCRLs.
/**
* Fetches delta CRLs according to RFC 3280 section 5.2.4.
*
* @param currentDate The date for which the delta CRLs must be valid.
* @param paramsPKIX The extended PKIX parameters.
* @param completeCRL The complete CRL the delta CRL is for.
* @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
* @throws AnnotatedException if an exception occurs while picking the delta
* CRLs.
*/
protected static Set getDeltaCRLs(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException {
X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();
// 5.2.4 (a)
try {
deltaSelect.addIssuerName(CertPathValidatorUtilities.getIssuerPrincipal(completeCRL).getEncoded());
} catch (IOException e) {
new AnnotatedException("Cannot extract issuer from CRL.", e);
}
BigInteger completeCRLNumber = null;
try {
DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER);
if (derObject != null) {
completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue();
}
} catch (Exception e) {
throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e);
}
// 5.2.4 (b)
byte[] idp = null;
try {
idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
} catch (Exception e) {
throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
}
// 5.2.4 (d)
deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.valueOf(1)));
deltaSelect.setIssuingDistributionPoint(idp);
deltaSelect.setIssuingDistributionPointEnabled(true);
// 5.2.4 (c)
deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);
// find delta CRLs
Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate);
Set result = new HashSet();
for (Iterator it = temp.iterator(); it.hasNext(); ) {
X509CRL crl = (X509CRL) it.next();
if (isDeltaCRL(crl)) {
result.add(crl);
}
}
return result;
}
use of java.security.cert.X509CRL in project XobotOS by xamarin.
the class PKIXCRLUtil method findCRLs.
public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate) throws AnnotatedException {
Set initialSet = new HashSet();
// get complete CRL(s)
try {
initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores()));
initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
} catch (AnnotatedException e) {
throw new AnnotatedException("Exception obtaining complete CRLs.", e);
}
Set finalSet = new HashSet();
Date validityDate = currentDate;
if (paramsPKIX.getDate() != null) {
validityDate = paramsPKIX.getDate();
}
// based on RFC 5280 6.3.3
for (Iterator it = initialSet.iterator(); it.hasNext(); ) {
X509CRL crl = (X509CRL) it.next();
if (crl.getNextUpdate().after(validityDate)) {
X509Certificate cert = crlselect.getCertificateChecking();
if (cert != null) {
if (crl.getThisUpdate().before(cert.getNotAfter())) {
finalSet.add(crl);
}
} else {
finalSet.add(crl);
}
}
}
return finalSet;
}
use of java.security.cert.X509CRL in project XobotOS by xamarin.
the class X509CertFactoryImpl method getCRL.
/**
* Returns the CRL object corresponding to the encoding provided
* by the stream.
* Resulting object is retrieved from the cache
* if it contains such correspondence
* and is constructed on the base of encoding
* and stored in the cache otherwise.
* @throws IOException if some decoding errors occur
* (in the case of cache miss).
*/
private static CRL getCRL(InputStream inStream) throws CRLException, IOException {
synchronized (CRL_CACHE) {
inStream.mark(CRL_CACHE_SEED_LENGTH);
byte[] buff = readBytes(inStream, CRL_CACHE_SEED_LENGTH);
// read the prefix of the encoding
inStream.reset();
if (buff == null) {
throw new CRLException("InputStream doesn't contain enough data");
}
long hash = CRL_CACHE.getHash(buff);
if (CRL_CACHE.contains(hash)) {
byte[] encoding = new byte[BerInputStream.getLength(buff)];
if (encoding.length < CRL_CACHE_SEED_LENGTH) {
throw new CRLException("Bad CRL encoding");
}
Streams.readFully(inStream, encoding);
CRL res = (CRL) CRL_CACHE.get(hash, encoding);
if (res != null) {
return res;
}
res = new X509CRLImpl(encoding);
CRL_CACHE.put(hash, encoding, res);
return res;
} else {
X509CRL res = new X509CRLImpl(inStream);
CRL_CACHE.put(hash, res.getEncoded(), res);
return res;
}
}
}
use of java.security.cert.X509CRL in project XobotOS by xamarin.
the class RFC3280CertPathUtilities method checkCRL.
/**
* Checks a distribution point for revocation information for the
* certificate <code>cert</code>.
*
* @param dp The distribution point to consider.
* @param paramsPKIX PKIX parameters.
* @param cert Certificate to check if it is revoked.
* @param validDate The date when the certificate revocation status should be
* checked.
* @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
* @param defaultCRLSignKey The public key of the issuer certificate
* <code>defaultCRLSignCert</code>.
* @param certStatus The current certificate revocation status.
* @param reasonMask The reasons mask which is already checked.
* @param certPathCerts The certificates of the certification path.
* @throws AnnotatedException if the certificate is revoked or the status cannot be checked
* or some error occurs.
*/
private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException {
Date currentDate = new Date(System.currentTimeMillis());
if (validDate.getTime() > currentDate.getTime()) {
throw new AnnotatedException("Validation time is in future.");
}
// (a)
/*
* We always get timely valid CRLs, so there is no step (a) (1).
* "locally cached" CRLs are assumed to be in getStore(), additional
* CRLs must be enabled in the ExtendedPKIXParameters and are in
* getAdditionalStore()
*/
Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, cert, currentDate, paramsPKIX);
boolean validCrlFound = false;
AnnotatedException lastException = null;
Iterator crl_iter = crls.iterator();
while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) {
try {
X509CRL crl = (X509CRL) crl_iter.next();
// (d)
ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);
/*
* The reasons mask is updated at the end, so only valid CRLs
* can update it. If this CRL does not contain new reasons it
* must be ignored.
*/
if (!interimReasonsMask.hasNewReasons(reasonMask)) {
continue;
}
// (f)
Set keys = RFC3280CertPathUtilities.processCRLF(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts);
// (g)
PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);
X509CRL deltaCRL = null;
if (paramsPKIX.isUseDeltasEnabled()) {
// get delta CRLs
Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
// we only want one valid delta CRL
// (h)
deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
}
if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
/*
* if a certificate has expired, but was revoked, it is not
* more in the CRL, so it would be regarded as valid if the
* first check is not done
*/
if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
throw new AnnotatedException("No valid CRL for current time found.");
}
}
RFC3280CertPathUtilities.processCRLB1(dp, cert, crl);
// (b) (2)
RFC3280CertPathUtilities.processCRLB2(dp, cert, crl);
// (c)
RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
// (i)
RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
// (j)
RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
// (k)
if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
certStatus.setCertStatus(CertStatus.UNREVOKED);
}
// update reasons mask
reasonMask.addReasons(interimReasonsMask);
Set criticalExtensions = crl.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
if (!criticalExtensions.isEmpty()) {
throw new AnnotatedException("CRL contains unsupported critical extensions.");
}
}
if (deltaCRL != null) {
criticalExtensions = deltaCRL.getCriticalExtensionOIDs();
if (criticalExtensions != null) {
criticalExtensions = new HashSet(criticalExtensions);
criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId());
criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId());
if (!criticalExtensions.isEmpty()) {
throw new AnnotatedException("Delta CRL contains unsupported critical extension.");
}
}
}
validCrlFound = true;
} catch (AnnotatedException e) {
lastException = e;
}
}
if (!validCrlFound) {
throw lastException;
}
}
use of java.security.cert.X509CRL in project XobotOS by xamarin.
the class X509CRLStoreSelector method match.
public boolean match(Object obj) {
if (!(obj instanceof X509CRL)) {
return false;
}
X509CRL crl = (X509CRL) obj;
DERInteger dci = null;
try {
byte[] bytes = crl.getExtensionValue(X509Extensions.DeltaCRLIndicator.getId());
if (bytes != null) {
dci = DERInteger.getInstance(X509ExtensionUtil.fromExtensionValue(bytes));
}
} catch (Exception e) {
return false;
}
if (isDeltaCRLIndicatorEnabled()) {
if (dci == null) {
return false;
}
}
if (isCompleteCRLEnabled()) {
if (dci != null) {
return false;
}
}
if (dci != null) {
if (maxBaseCRLNumber != null) {
if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1) {
return false;
}
}
}
if (issuingDistributionPointEnabled) {
byte[] idp = crl.getExtensionValue(X509Extensions.IssuingDistributionPoint.getId());
if (issuingDistributionPoint == null) {
if (idp != null) {
return false;
}
} else {
if (!Arrays.areEqual(idp, issuingDistributionPoint)) {
return false;
}
}
}
return super.match((X509CRL) obj);
}
Aggregations