Search in sources :

Example 1 with IssuingDistributionPoint

use of org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint in project jss by dogtagpki.

the class ExtPrettyPrint method getIssuingDistributionPointExtension.

/**
 * String Representation of IssuerAlternativeName Extension
 */
private String getIssuingDistributionPointExtension() {
    StringBuffer sb = new StringBuffer();
    sb.append(pp.indent(mIndentSize) + mResource.getString(PrettyPrintResources.TOKEN_IDENTIFIER));
    sb.append(mResource.getString(PrettyPrintResources.TOKEN_ISSUING_DIST_POINT) + "- " + mExt.getExtensionId().toString() + "\n");
    sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_CRITICAL));
    if (mExt.isCritical()) {
        sb.append(mResource.getString(PrettyPrintResources.TOKEN_YES) + "\n");
    } else {
        sb.append(mResource.getString(PrettyPrintResources.TOKEN_NO) + "\n");
    }
    IssuingDistributionPointExtension ext = (IssuingDistributionPointExtension) mExt;
    IssuingDistributionPoint issuingDistributionPoint = ext.getIssuingDistributionPoint();
    if (issuingDistributionPoint != null) {
        GeneralNames fullNames = issuingDistributionPoint.getFullName();
        RDN relativeName = issuingDistributionPoint.getRelativeName();
        if (fullNames != null || relativeName != null) {
            sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_DIST_POINT_NAME) + "\n");
            if (fullNames != null) {
                sb.append(pp.indent(mIndentSize + 8) + mResource.getString(PrettyPrintResources.TOKEN_FULL_NAME) + "\n");
                for (int i = 0; i < fullNames.size(); i++) {
                    GeneralName fullName = (GeneralName) fullNames.elementAt(i);
                    if (fullName != null) {
                        sb.append(pp.indent(mIndentSize + 12) + fullName.toString() + "\n");
                    }
                }
            }
            if (relativeName != null) {
                sb.append(pp.indent(mIndentSize + 8) + mResource.getString(PrettyPrintResources.TOKEN_RELATIVE_NAME) + relativeName.toString() + "\n");
            }
        }
        sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_ONLY_USER_CERTS));
        if (issuingDistributionPoint.getOnlyContainsUserCerts()) {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_YES) + "\n");
        } else {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_NO) + "\n");
        }
        sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_ONLY_CA_CERTS));
        if (issuingDistributionPoint.getOnlyContainsCACerts()) {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_YES) + "\n");
        } else {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_NO) + "\n");
        }
        BitArray onlySomeReasons = issuingDistributionPoint.getOnlySomeReasons();
        if (onlySomeReasons != null) {
            sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_ONLY_SOME_REASONS));
            sb.append("0x" + pp.toHexString(onlySomeReasons.toByteArray()));
        }
        sb.append(pp.indent(mIndentSize + 4) + mResource.getString(PrettyPrintResources.TOKEN_INDIRECT_CRL));
        if (issuingDistributionPoint.getIndirectCRL()) {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_YES) + "\n");
        } else {
            sb.append(mResource.getString(PrettyPrintResources.TOKEN_NO) + "\n");
        }
    }
    return sb.toString();
}
Also used : IssuingDistributionPointExtension(org.mozilla.jss.netscape.security.x509.IssuingDistributionPointExtension) IssuingDistributionPoint(org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint) GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames) GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName) RDN(org.mozilla.jss.netscape.security.x509.RDN) CRLDistributionPoint(org.mozilla.jss.netscape.security.x509.CRLDistributionPoint) IssuingDistributionPoint(org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint)

Example 2 with IssuingDistributionPoint

use of org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint in project XobotOS by xamarin.

the class RFC3280CertPathUtilities method processCRLC.

/**
     * If use-deltas is set, verify the issuer and scope of the delta CRL.
     *
     * @param deltaCRL    The delta CRL.
     * @param completeCRL The complete CRL.
     * @param pkixParams  The PKIX paramaters.
     * @throws AnnotatedException if an exception occurs.
     */
protected static void processCRLC(X509CRL deltaCRL, X509CRL completeCRL, ExtendedPKIXParameters pkixParams) throws AnnotatedException {
    if (deltaCRL == null) {
        return;
    }
    IssuingDistributionPoint completeidp = null;
    try {
        completeidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(completeCRL, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    if (pkixParams.isUseDeltasEnabled()) {
        // (c) (1)
        if (!deltaCRL.getIssuerX500Principal().equals(completeCRL.getIssuerX500Principal())) {
            throw new AnnotatedException("Complete CRL issuer does not match delta CRL issuer.");
        }
        // (c) (2)
        IssuingDistributionPoint deltaidp = null;
        try {
            deltaidp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(deltaCRL, ISSUING_DISTRIBUTION_POINT));
        } catch (Exception e) {
            throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", e);
        }
        boolean match = false;
        if (completeidp == null) {
            if (deltaidp == null) {
                match = true;
            }
        } else {
            if (completeidp.equals(deltaidp)) {
                match = true;
            }
        }
        if (!match) {
            throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match.");
        }
        // (c) (3)
        DERObject completeKeyIdentifier = null;
        try {
            completeKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(completeCRL, AUTHORITY_KEY_IDENTIFIER);
        } catch (AnnotatedException e) {
            throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", e);
        }
        DERObject deltaKeyIdentifier = null;
        try {
            deltaKeyIdentifier = CertPathValidatorUtilities.getExtensionValue(deltaCRL, AUTHORITY_KEY_IDENTIFIER);
        } catch (AnnotatedException e) {
            throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", e);
        }
        if (completeKeyIdentifier == null) {
            throw new AnnotatedException("CRL authority key identifier is null.");
        }
        if (deltaKeyIdentifier == null) {
            throw new AnnotatedException("Delta CRL authority key identifier is null.");
        }
        if (!completeKeyIdentifier.equals(deltaKeyIdentifier)) {
            throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier.");
        }
    }
}
Also used : IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) DERObject(org.bouncycastle.asn1.DERObject) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException)

Example 3 with IssuingDistributionPoint

use of org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint in project robovm by robovm.

the class RFC3280CertPathUtilities method processCRLB2.

/**
     * If the complete CRL includes an issuing distribution point (IDP) CRL
     * extension check the following:
     * <p/>
     * (i) If the distribution point name is present in the IDP CRL extension
     * and the distribution field is present in the DP, then verify that one of
     * the names in the IDP matches one of the names in the DP. If the
     * distribution point name is present in the IDP CRL extension and the
     * distribution field is omitted from the DP, then verify that one of the
     * names in the IDP matches one of the names in the cRLIssuer field of the
     * DP.
     * </p>
     * <p/>
     * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate does not include the basic
     * constraints extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL
     * extension, verify that the certificate includes the basic constraints
     * extension with the cA boolean asserted.
     * </p>
     * <p/>
     * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
     * </p>
     *
     * @param dp   The distribution point.
     * @param cert The certificate.
     * @param crl  The CRL.
     * @throws AnnotatedException if one of the conditions is not met or an error occurs.
     */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // distribution point name is present
    if (idp != null) {
        if (idp.getDistributionPoint() != null) {
            // make list of names
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded())).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((ASN1Encodable) e.nextElement());
                    }
                } catch (IOException e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X509Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(new X509Name((ASN1Sequence) ASN1Sequence.fromByteArray(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded())));
                        } catch (IOException e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((ASN1Encodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(new X509Name(new DERSequence(vec)));
                    }
                }
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else // verify that one of the names in
            // the IDP matches one of the names in the cRLIssuer field of
            // the DP
            {
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(org.bouncycastle.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) IOException(java.io.IOException) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint) CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint) DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(org.bouncycastle.asn1.DERSequence) X509Name(org.bouncycastle.asn1.x509.X509Name) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 4 with IssuingDistributionPoint

use of org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint in project LinLong-Java by zhenwei1108.

the class RFC3280CertPathUtilities method processCRLB2.

/**
 * If the complete CRL includes an issuing distribution point (IDP) CRL extension check the
 * following:
 * <p>
 * (i) If the distribution point name is present in the IDP CRL extension and the distribution
 * field is present in the DP, then verify that one of the names in the IDP matches one of the
 * names in the DP. If the distribution point name is present in the IDP CRL extension and the
 * distribution field is omitted from the DP, then verify that one of the names in the IDP matches
 * one of the names in the cRLIssuer field of the DP.
 * </p>
 * <p>
 * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate does not include the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the
 * certificate includes the basic constraints extension with the cA boolean asserted.
 * </p>
 * <p>
 * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.
 * </p>
 *
 * @param dp   The distribution point.
 * @param cert The certificate.
 * @param crl  The CRL.
 * @throws AnnotatedException if one of the conditions is not met or an error occurs.
 */
protected static void processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) throws AnnotatedException {
    IssuingDistributionPoint idp = null;
    try {
        idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
    } catch (Exception e) {
        throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
    }
    // distribution point name is present
    if (idp != null) {
        if (idp.getDistributionPoint() != null) {
            // make list of names
            DistributionPointName dpName = IssuingDistributionPoint.getInstance(idp).getDistributionPoint();
            List names = new ArrayList();
            if (dpName.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                for (int j = 0; j < genNames.length; j++) {
                    names.add(genNames[j]);
                }
            }
            if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                ASN1EncodableVector vec = new ASN1EncodableVector();
                try {
                    Enumeration e = ASN1Sequence.getInstance(PrincipalUtils.getIssuerPrincipal(crl)).getObjects();
                    while (e.hasMoreElements()) {
                        vec.add((ASN1Encodable) e.nextElement());
                    }
                } catch (Exception e) {
                    throw new AnnotatedException("Could not read CRL issuer.", e);
                }
                vec.add(dpName.getName());
                names.add(new GeneralName(X500Name.getInstance(new DERSequence(vec))));
            }
            boolean matches = false;
            // of the names in the DP.
            if (dp.getDistributionPoint() != null) {
                dpName = dp.getDistributionPoint();
                GeneralName[] genNames = null;
                if (dpName.getType() == DistributionPointName.FULL_NAME) {
                    genNames = GeneralNames.getInstance(dpName.getName()).getNames();
                }
                if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) {
                    if (dp.getCRLIssuer() != null) {
                        genNames = dp.getCRLIssuer().getNames();
                    } else {
                        genNames = new GeneralName[1];
                        try {
                            genNames[0] = new GeneralName(PrincipalUtils.getEncodedIssuerPrincipal(cert));
                        } catch (Exception e) {
                            throw new AnnotatedException("Could not read certificate issuer.", e);
                        }
                    }
                    for (int j = 0; j < genNames.length; j++) {
                        Enumeration e = ASN1Sequence.getInstance(genNames[j].getName().toASN1Primitive()).getObjects();
                        ASN1EncodableVector vec = new ASN1EncodableVector();
                        while (e.hasMoreElements()) {
                            vec.add((ASN1Encodable) e.nextElement());
                        }
                        vec.add(dpName.getName());
                        genNames[j] = new GeneralName(X500Name.getInstance(new DERSequence(vec)));
                    }
                }
                if (genNames != null) {
                    for (int j = 0; j < genNames.length; j++) {
                        if (names.contains(genNames[j])) {
                            matches = true;
                            break;
                        }
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            } else // verify that one of the names in
            // the IDP matches one of the names in the cRLIssuer field of
            // the DP
            {
                if (dp.getCRLIssuer() == null) {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must " + "be contained in DistributionPoint.");
                }
                GeneralName[] genNames = dp.getCRLIssuer().getNames();
                for (int j = 0; j < genNames.length; j++) {
                    if (names.contains(genNames[j])) {
                        matches = true;
                        break;
                    }
                }
                if (!matches) {
                    throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
                }
            }
        }
        BasicConstraints bc = null;
        try {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension) cert, BASIC_CONSTRAINTS));
        } catch (Exception e) {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }
        if (cert instanceof X509Certificate) {
            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }
            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }
        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts()) {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }
}
Also used : IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) Enumeration(java.util.Enumeration) DistributionPointName(com.github.zhenwei.core.asn1.x509.DistributionPointName) ArrayList(java.util.ArrayList) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) ExtCertPathValidatorException(com.github.zhenwei.provider.jce.exception.ExtCertPathValidatorException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertPathBuilderException(java.security.cert.CertPathBuilderException) IOException(java.io.IOException) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) X509Certificate(java.security.cert.X509Certificate) DERSequence(com.github.zhenwei.core.asn1.DERSequence) ASN1EncodableVector(com.github.zhenwei.core.asn1.ASN1EncodableVector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(com.github.zhenwei.core.asn1.x509.GeneralName) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)

Example 5 with IssuingDistributionPoint

use of org.mozilla.jss.netscape.security.x509.IssuingDistributionPoint in project LinLong-Java by zhenwei1108.

the class PKIXCertPathReviewer method checkCRLs.

protected void checkCRLs(PKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, Vector crlDistPointUrls, int index) throws CertPathReviewerException {
    X509CRLStoreSelector crlselect;
    crlselect = new X509CRLStoreSelector();
    try {
        crlselect.addIssuerName(getEncodedIssuerPrincipal(cert).getEncoded());
    } catch (IOException e) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlIssuerException");
        throw new CertPathReviewerException(msg, e);
    }
    crlselect.setCertificateChecking(cert);
    Iterator crl_iter;
    try {
        Collection crl_coll = PKIXCRLUtil.findCRLs(crlselect, paramsPKIX);
        crl_iter = crl_coll.iterator();
        if (crl_coll.isEmpty()) {
            // notification - no local crls found
            crl_coll = PKIXCRLUtil.findCRLs(new X509CRLStoreSelector(), paramsPKIX);
            Iterator it = crl_coll.iterator();
            List nonMatchingCrlNames = new ArrayList();
            while (it.hasNext()) {
                nonMatchingCrlNames.add(((X509CRL) it.next()).getIssuerX500Principal());
            }
            int numbOfCrls = nonMatchingCrlNames.size();
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCrlInCertstore", new Object[] { new UntrustedInput(crlselect.getIssuerNames()), new UntrustedInput(nonMatchingCrlNames), Integers.valueOf(numbOfCrls) });
            addNotification(msg, index);
        }
    } catch (AnnotatedException ae) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlExtractionError", new Object[] { ae.getCause().getMessage(), ae.getCause(), ae.getCause().getClass().getName() });
        addError(msg, index);
        crl_iter = new ArrayList().iterator();
    }
    boolean validCrlFound = false;
    X509CRL crl = null;
    while (crl_iter.hasNext()) {
        crl = (X509CRL) crl_iter.next();
        Date thisUpdate = crl.getThisUpdate();
        Date nextUpdate = crl.getNextUpdate();
        Object[] arguments = new Object[] { new TrustedInput(thisUpdate), new TrustedInput(nextUpdate) };
        if (nextUpdate == null || validDate.before(nextUpdate)) {
            validCrlFound = true;
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localValidCRL", arguments);
            addNotification(msg, index);
            break;
        }
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localInvalidCRL", arguments);
        addNotification(msg, index);
    }
    // crl distribution point
    if (!validCrlFound) {
        X500Principal certIssuer = cert.getIssuerX500Principal();
        X509CRL onlineCRL = null;
        Iterator urlIt = crlDistPointUrls.iterator();
        while (urlIt.hasNext()) {
            try {
                String location = (String) urlIt.next();
                onlineCRL = getCRL(location);
                if (onlineCRL != null) {
                    X500Principal crlIssuer = onlineCRL.getIssuerX500Principal();
                    // check if crl issuer is correct
                    if (!certIssuer.equals(crlIssuer)) {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineCRLWrongCA", new Object[] { new UntrustedInput(crlIssuer.getName()), new UntrustedInput(certIssuer.getName()), new UntrustedUrlInput(location) });
                        addNotification(msg, index);
                        continue;
                    }
                    Date thisUpdate = onlineCRL.getThisUpdate();
                    Date nextUpdate = onlineCRL.getNextUpdate();
                    Object[] arguments = new Object[] { new TrustedInput(thisUpdate), new TrustedInput(nextUpdate), new UntrustedUrlInput(location) };
                    if (nextUpdate == null || validDate.before(nextUpdate)) {
                        validCrlFound = true;
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineValidCRL", arguments);
                        addNotification(msg, index);
                        crl = onlineCRL;
                        break;
                    }
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineInvalidCRL", arguments);
                    addNotification(msg, index);
                }
            } catch (CertPathReviewerException cpre) {
                addNotification(cpre.getErrorMessage(), index);
            }
        }
    }
    // check the crl
    X509CRLEntry crl_entry;
    if (crl != null) {
        if (sign != null) {
            boolean[] keyUsage = sign.getKeyUsage();
            if (keyUsage != null && (keyUsage.length <= CRL_SIGN || !keyUsage[CRL_SIGN])) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noCrlSigningPermited");
                throw new CertPathReviewerException(msg);
            }
        }
        if (workingPublicKey != null) {
            try {
                crl.verify(workingPublicKey, "WeGoo");
            } catch (Exception e) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlVerifyFailed");
                throw new CertPathReviewerException(msg, e);
            }
        } else // issuer public key not known
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlNoIssuerPublicKey");
            throw new CertPathReviewerException(msg);
        }
        crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (crl_entry != null) {
            String reason = null;
            if (crl_entry.hasExtensions()) {
                ASN1Enumerated reasonCode;
                try {
                    reasonCode = ASN1Enumerated.getInstance(getExtensionValue(crl_entry, Extension.reasonCode.getId()));
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlReasonExtError");
                    throw new CertPathReviewerException(msg, ae);
                }
                if (reasonCode != null) {
                    reason = crlReasons[reasonCode.intValueExact()];
                }
            }
            if (reason == null) {
                // unknown
                reason = crlReasons[7];
            }
            // i18n reason
            LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
            if (!validDate.before(crl_entry.getRevocationDate())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.certRevoked", new Object[] { new TrustedInput(crl_entry.getRevocationDate()), ls });
                throw new CertPathReviewerException(msg);
            } else // cert was revoked after validation date
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.revokedAfterValidation", new Object[] { new TrustedInput(crl_entry.getRevocationDate()), ls });
                addNotification(msg, index);
            }
        } else // cert is not revoked
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.notRevoked");
            addNotification(msg, index);
        }
        // 
        // warn if a new crl is available
        // 
        Date nextUpdate = crl.getNextUpdate();
        if (!(nextUpdate == null || validDate.before(nextUpdate))) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlUpdateAvailable", new Object[] { new TrustedInput(nextUpdate) });
            addNotification(msg, index);
        }
        // 
        // check the DeltaCRL indicator, base point and the issuing distribution point
        // 
        ASN1Primitive idp;
        try {
            idp = getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
        } catch (AnnotatedException ae) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.distrPtExtError");
            throw new CertPathReviewerException(msg);
        }
        ASN1Primitive dci;
        try {
            dci = getExtensionValue(crl, DELTA_CRL_INDICATOR);
        } catch (AnnotatedException ae) {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.deltaCrlExtError");
            throw new CertPathReviewerException(msg);
        }
        if (dci != null) {
            X509CRLStoreSelector baseSelect = new X509CRLStoreSelector();
            try {
                baseSelect.addIssuerName(getIssuerPrincipal(crl).getEncoded());
            } catch (IOException e) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlIssuerException");
                throw new CertPathReviewerException(msg, e);
            }
            baseSelect.setMinCRLNumber(((ASN1Integer) dci).getPositiveValue());
            try {
                baseSelect.setMaxCRLNumber(((ASN1Integer) getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1)));
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlNbrExtError");
                throw new CertPathReviewerException(msg, ae);
            }
            boolean foundBase = false;
            Iterator it;
            try {
                it = PKIXCRLUtil.findCRLs(baseSelect, paramsPKIX).iterator();
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlExtractionError");
                throw new CertPathReviewerException(msg, ae);
            }
            while (it.hasNext()) {
                X509CRL base = (X509CRL) it.next();
                ASN1Primitive baseIdp;
                try {
                    baseIdp = getExtensionValue(base, ISSUING_DISTRIBUTION_POINT);
                } catch (AnnotatedException ae) {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.distrPtExtError");
                    throw new CertPathReviewerException(msg, ae);
                }
                if (Objects.areEqual(idp, baseIdp)) {
                    foundBase = true;
                    break;
                }
            }
            if (!foundBase) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noBaseCRL");
                throw new CertPathReviewerException(msg);
            }
        }
        if (idp != null) {
            IssuingDistributionPoint p = IssuingDistributionPoint.getInstance(idp);
            BasicConstraints bc = null;
            try {
                bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
            } catch (AnnotatedException ae) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlBCExtError");
                throw new CertPathReviewerException(msg, ae);
            }
            if (p.onlyContainsUserCerts() && (bc != null && bc.isCA())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyUserCert");
                throw new CertPathReviewerException(msg);
            }
            if (p.onlyContainsCACerts() && (bc == null || !bc.isCA())) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyCaCert");
                throw new CertPathReviewerException(msg);
            }
            if (p.onlyContainsAttributeCerts()) {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlOnlyAttrCert");
                throw new CertPathReviewerException(msg);
            }
        }
    }
    if (!validCrlFound) {
        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.noValidCrlFound");
        throw new CertPathReviewerException(msg);
    }
}
Also used : X509CRL(java.security.cert.X509CRL) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) ArrayList(java.util.ArrayList) ASN1OctetString(com.github.zhenwei.core.asn1.ASN1OctetString) DEROctetString(com.github.zhenwei.core.asn1.DEROctetString) LocaleString(com.github.zhenwei.core.i18n.LocaleString) ASN1IA5String(com.github.zhenwei.core.asn1.ASN1IA5String) UntrustedUrlInput(com.github.zhenwei.core.i18n.filter.UntrustedUrlInput) X509CRLEntry(java.security.cert.X509CRLEntry) ASN1Enumerated(com.github.zhenwei.core.asn1.ASN1Enumerated) Iterator(java.util.Iterator) TrustedInput(com.github.zhenwei.core.i18n.filter.TrustedInput) List(java.util.List) ArrayList(java.util.ArrayList) UntrustedInput(com.github.zhenwei.core.i18n.filter.UntrustedInput) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException) LocaleString(com.github.zhenwei.core.i18n.LocaleString) IOException(java.io.IOException) ASN1Integer(com.github.zhenwei.core.asn1.ASN1Integer) IssuingDistributionPoint(com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint) CRLDistPoint(com.github.zhenwei.core.asn1.x509.CRLDistPoint) DistributionPoint(com.github.zhenwei.core.asn1.x509.DistributionPoint) Date(java.util.Date) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) CertPathValidatorException(java.security.cert.CertPathValidatorException) AnnotatedException(com.github.zhenwei.provider.jce.provider.AnnotatedException) SignatureException(java.security.SignatureException) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) PKIXNameConstraintValidatorException(com.github.zhenwei.provider.jce.provider.PKIXNameConstraintValidatorException) IOException(java.io.IOException) ErrorBundle(com.github.zhenwei.core.i18n.ErrorBundle) Collection(java.util.Collection) X500Principal(javax.security.auth.x500.X500Principal) ASN1TaggedObject(com.github.zhenwei.core.asn1.ASN1TaggedObject) ASN1Primitive(com.github.zhenwei.core.asn1.ASN1Primitive) BasicConstraints(com.github.zhenwei.core.asn1.x509.BasicConstraints)

Aggregations

IOException (java.io.IOException)10 CertPathValidatorException (java.security.cert.CertPathValidatorException)9 CertPathBuilderException (java.security.cert.CertPathBuilderException)8 GeneralSecurityException (java.security.GeneralSecurityException)7 CertificateExpiredException (java.security.cert.CertificateExpiredException)7 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)7 IssuingDistributionPoint (org.bouncycastle.asn1.x509.IssuingDistributionPoint)7 ArrayList (java.util.ArrayList)6 IssuingDistributionPoint (com.github.zhenwei.core.asn1.x509.IssuingDistributionPoint)5 Enumeration (java.util.Enumeration)5 List (java.util.List)5 X509Certificate (java.security.cert.X509Certificate)4 ExtCertPathValidatorException (org.bouncycastle.jce.exception.ExtCertPathValidatorException)4 ASN1Primitive (com.github.zhenwei.core.asn1.ASN1Primitive)3 BasicConstraints (com.github.zhenwei.core.asn1.x509.BasicConstraints)3 CRLDistPoint (com.github.zhenwei.core.asn1.x509.CRLDistPoint)3 DistributionPoint (com.github.zhenwei.core.asn1.x509.DistributionPoint)3 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)3 ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)2 DERSequence (com.github.zhenwei.core.asn1.DERSequence)2