
Example 1 with X509CRLStoreSelector

use of org.bouncycastle.x509.X509CRLStoreSelector in project robovm by robovm.

From class CertPathValidatorUtilities, method getDeltaCRLs.

/**
 * Fetches the delta CRLs belonging to {@code completeCRL}, following RFC 3280
 * section 5.2.4.
 *
 * <p>A store selector is built from the complete CRL's issuer, issuing
 * distribution point and CRL number, the configured CRL stores are searched with
 * it, and only the matches that {@code isDeltaCRL} accepts are returned.
 *
 * @param currentDate the date for which the delta CRLs must be valid
 * @param paramsPKIX  the extended PKIX parameters (including the CRL stores to search)
 * @param completeCRL the complete CRL the delta CRLs are for
 * @return a {@code Set} of {@code X509CRL} delta CRLs; may be empty, never {@code null}
 * @throws AnnotatedException if the issuer, the CRL number extension or the issuing
 *                            distribution point extension of {@code completeCRL}
 *                            cannot be read, or if the store lookup fails
 */
protected static Set getDeltaCRLs(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException {
    X509CRLStoreSelector selector = new X509CRLStoreSelector();

    // 5.2.4 (a): a delta CRL must come from the issuer of the complete CRL.
    try {
        byte[] issuerName = CertPathValidatorUtilities.getIssuerPrincipal(completeCRL).getEncoded();
        selector.addIssuerName(issuerName);
    } catch (IOException e) {
        throw new AnnotatedException("Cannot extract issuer from CRL.", e);
    }

    // CRL number of the complete CRL; stays null when the extension is absent.
    BigInteger completeNumber = null;
    try {
        ASN1Primitive encoded = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER);
        if (encoded != null) {
            completeNumber = ASN1Integer.getInstance(encoded).getPositiveValue();
        }
    } catch (Exception e) {
        throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e);
    }

    // 5.2.4 (b): the delta CRL must carry the same issuing distribution point.
    byte[] issuingDistributionPoint;
    try {
        issuingDistributionPoint = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
    }

    // 5.2.4 (d): the delta's CRL number must lie above the complete CRL's number.
    // Without a CRL number on the complete CRL no lower bound is applied.
    if (completeNumber == null) {
        selector.setMinCRLNumber(null);
    } else {
        selector.setMinCRLNumber(completeNumber.add(BigInteger.ONE));
    }
    selector.setIssuingDistributionPoint(issuingDistributionPoint);
    selector.setIssuingDistributionPointEnabled(true);

    // 5.2.4 (c): the delta's base CRL number must not exceed the complete CRL's number.
    selector.setMaxBaseCRLNumber(completeNumber);

    // Search the stores and keep only the candidates that really are delta CRLs.
    Set candidates = CRL_UTIL.findCRLs(selector, paramsPKIX, currentDate);
    Set deltas = new HashSet();
    Iterator candidateIt = candidates.iterator();
    while (candidateIt.hasNext()) {
        X509CRL candidate = (X509CRL) candidateIt.next();
        if (isDeltaCRL(candidate)) {
            deltas.add(candidate);
        }
    }
    return deltas;
}

Example 2 with X509CRLStoreSelector

use of org.bouncycastle.x509.X509CRLStoreSelector in project robovm by robovm.

From class RFC3280CertPathUtilities, method processCRLA1ii.

/**
 * Collects the complete CRLs, and if enabled the delta CRLs, that apply to
 * {@code cert} and share {@code crl}'s issuer.
 *
 * @param currentDate the date for which the CRLs must be valid
 * @param paramsPKIX  the extended PKIX parameters; delta CRLs are fetched only when
 *                    {@code isUseDeltasEnabled()} is true
 * @param cert        the certificate the selector checks the CRLs against
 * @param crl         the CRL whose issuer name the complete CRLs must carry
 * @return a two-element array: {@code [0]} the complete CRLs, {@code [1]} the delta CRLs
 *         (empty when deltas are disabled)
 * @throws AnnotatedException if the issuer cannot be added to the selector, the store
 *                            lookup fails, or the delta CRLs cannot be obtained
 */
protected static Set[] processCRLA1ii(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl) throws AnnotatedException {
    X509CRLStoreSelector selector = new X509CRLStoreSelector();
    selector.setCertificateChecking(cert);
    try {
        byte[] issuerName = crl.getIssuerX500Principal().getEncoded();
        selector.addIssuerName(issuerName);
    } catch (IOException e) {
        throw new AnnotatedException("Cannot extract issuer from CRL." + e, e);
    }
    selector.setCompleteCRLEnabled(true);
    Set completeSet = CRL_UTIL.findCRLs(selector, paramsPKIX, currentDate);

    Set deltaSet = new HashSet();
    if (paramsPKIX.isUseDeltasEnabled()) {
        Set deltas;
        try {
            deltas = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
        } catch (AnnotatedException e) {
            throw new AnnotatedException("Exception obtaining delta CRLs.", e);
        }
        deltaSet.addAll(deltas);
    }
    return new Set[] { completeSet, deltaSet };
}

Example 3 with X509CRLStoreSelector

use of org.bouncycastle.x509.X509CRLStoreSelector in project XobotOS by xamarin.

From class PKIXCRLUtil, method findCRLs.

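/**
 * Returns every CRL held by the given stores that matches {@code crlSelect}.
 *
 * <p>Each element of {@code crlStores} is either a BouncyCastle
 * {@link org.bouncycastle.x509.X509Store X509Store} or a JCA
 * {@link java.security.cert.CertStore CertStore}; any other element is rejected.
 * A store whose lookup fails is skipped as long as at least one other store was
 * queried successfully, so a partial store outage silently shrinks the result —
 * the failure is only surfaced when <em>no</em> store could be searched. Callers
 * that must not miss revocation data should keep this best-effort behaviour in mind.
 *
 * @param crlSelect the {@link X509CRLStoreSelector} used to select the CRLs
 * @param crlStores a {@code List} of {@code X509Store} and/or {@code CertStore}
 *                  objects to search
 * @return all matching {@link java.security.cert.X509CRL X509CRL} objects; may be
 *         empty but never {@code null}
 * @throws AnnotatedException if every store lookup failed, or if an element of
 *                            {@code crlStores} is neither an {@code X509Store} nor a
 *                            {@code CertStore}
 */
private final Collection findCRLs(X509CRLStoreSelector crlSelect, List crlStores) throws AnnotatedException {
    Set crls = new HashSet();
    // Only the most recent failure is kept; it is thrown when nothing succeeded.
    AnnotatedException lastException = null;
    boolean foundValidStore = false;
    Iterator iter = crlStores.iterator();
    while (iter.hasNext()) {
        Object obj = iter.next();
        if (obj instanceof X509Store) {
            X509Store store = (X509Store) obj;
            try {
                crls.addAll(store.getMatches(crlSelect));
                foundValidStore = true;
            } catch (StoreException e) {
                lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
            }
        } else if (obj instanceof CertStore) {
            CertStore store = (CertStore) obj;
            try {
                crls.addAll(store.getCRLs(crlSelect));
                foundValidStore = true;
            } catch (CertStoreException e) {
                lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
            }
        } else {
            // Reject unsupported (or null) entries explicitly instead of letting an
            // unchecked cast surface as an opaque ClassCastException / NPE.
            String type = (obj == null) ? "null" : obj.getClass().getName();
            throw new AnnotatedException("Unsupported CRL store type: " + type);
        }
    }
    if (!foundValidStore && lastException != null) {
        throw lastException;
    }
    return crls;
}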

Example 4 with X509CRLStoreSelector

use of org.bouncycastle.x509.X509CRLStoreSelector in project XobotOS by xamarin.

From class RFC3280CertPathUtilities, method processCRLA1ii.

/**
 * Gathers the complete CRLs matching {@code cert} and {@code crl}'s issuer, plus the
 * matching delta CRLs when the parameters enable delta processing.
 *
 * @param currentDate the date for which the CRLs must be valid
 * @param paramsPKIX  the extended PKIX parameters; consulted for
 *                    {@code isUseDeltasEnabled()} and handed to the CRL lookup
 * @param cert        the certificate the CRL selector is checking
 * @param crl         the CRL whose issuer name the complete CRLs must match
 * @return {@code new Set[] { completeCRLs, deltaCRLs }}; the delta set is empty when
 *         deltas are disabled
 * @throws AnnotatedException if the issuer cannot be added to the selector, the CRL
 *                            lookup fails, or the delta CRLs cannot be obtained
 */
protected static Set[] processCRLA1ii(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl) throws AnnotatedException {
    Set deltaSet = new HashSet();
    Set completeSet = findCompleteCRLsForIssuer(currentDate, paramsPKIX, cert, crl);
    if (paramsPKIX.isUseDeltasEnabled()) {
        try {
            Set deltas = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
            deltaSet.addAll(deltas);
        } catch (AnnotatedException e) {
            throw new AnnotatedException("Exception obtaining delta CRLs.", e);
        }
    }
    return new Set[] { completeSet, deltaSet };
}

/**
 * Builds a complete-CRL selector for {@code cert} restricted to {@code crl}'s issuer
 * and runs it against the configured stores.
 *
 * @throws AnnotatedException if the issuer name cannot be added to the selector or
 *                            the store lookup fails
 */
private static Set findCompleteCRLsForIssuer(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, X509CRL crl) throws AnnotatedException {
    X509CRLStoreSelector selector = new X509CRLStoreSelector();
    selector.setCertificateChecking(cert);
    try {
        selector.addIssuerName(crl.getIssuerX500Principal().getEncoded());
    } catch (IOException e) {
        throw new AnnotatedException("Cannot extract issuer from CRL." + e, e);
    }
    selector.setCompleteCRLEnabled(true);
    return CRL_UTIL.findCRLs(selector, paramsPKIX, currentDate);
}

Example 5 with X509CRLStoreSelector

use of org.bouncycastle.x509.X509CRLStoreSelector in project XobotOS by xamarin.

From class CertPathValidatorUtilities, method getCompleteCRLs.

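/**
 * Fetches complete CRLs according to RFC 3280.
 *
 * <p>The selector is populated by {@code getCRLIssuersFromDistributionPoint} from the
 * certificate's issuer and the distribution point, restricted to complete CRLs, and
 * the configured stores are searched with it. An empty result is treated as an
 * error: without a CRL the revocation status of {@code cert} cannot be established.
 *
 * @param dp          the distribution point for which the complete CRLs are searched
 * @param cert        the {@code X509Certificate} or
 *                    {@link org.bouncycastle.x509.X509AttributeCertificate} for
 *                    which the CRL should be searched
 * @param currentDate the date for which the complete CRLs must be valid
 * @param paramsPKIX  the extended PKIX parameters
 * @return a non-empty {@code Set} of {@code X509CRL}s with complete CRLs
 * @throws AnnotatedException if the CRL issuers cannot be derived from the
 *                            distribution point, if an exception occurs while
 *                            picking the CRLs, or if no CRLs are found
 */
protected static Set getCompleteCRLs(DistributionPoint dp, Object cert, Date currentDate, ExtendedPKIXParameters paramsPKIX) throws AnnotatedException {
    X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
    try {
        Set issuers = new HashSet();
        if (cert instanceof X509AttributeCertificate) {
            issuers.add(((X509AttributeCertificate) cert).getIssuer().getPrincipals()[0]);
        } else {
            issuers.add(getEncodedIssuerPrincipal(cert));
        }
        CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
    } catch (AnnotatedException e) {
        // The wrapped exception used to be constructed here but never thrown, so a
        // failed issuer lookup was silently ignored and the search continued with a
        // selector that did not reflect the distribution point. Fail closed instead.
        throw new AnnotatedException("Could not get issuer information from distribution point.", e);
    }
    if (cert instanceof X509Certificate) {
        crlselect.setCertificateChecking((X509Certificate) cert);
    } else if (cert instanceof X509AttributeCertificate) {
        crlselect.setAttrCertificateChecking((X509AttributeCertificate) cert);
    }
    crlselect.setCompleteCRLEnabled(true);
    Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);
    if (crls.isEmpty()) {
        // Name the issuer that had no CRL; attribute certificates expose it differently.
        if (cert instanceof X509AttributeCertificate) {
            X509AttributeCertificate aCert = (X509AttributeCertificate) cert;
            throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\"");
        } else {
            X509Certificate xCert = (X509Certificate) cert;
            throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\"");
        }
    }
    return crls;
}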
