CertPathValidatorUtilities.java revision c37f4a04ef89e73a39a59f3c5a179af8c8ab5974
1b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallampackage org.bouncycastle.jce.provider; 2b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 3b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.ByteArrayOutputStream; 4b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.IOException; 5c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.math.BigInteger; 6c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.GeneralSecurityException; 7c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.KeyFactory; 8b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.PublicKey; 9b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPath; 10b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPathValidatorException; 11b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStore; 12b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStoreException; 13c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.Certificate; 14c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertificateParsingException; 15b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PKIXParameters; 16b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PolicyQualifierInfo; 17b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.TrustAnchor; 18b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRL; 19b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRLSelector; 20b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CertSelector; 21b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509Certificate; 22c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstromimport java.security.interfaces.DSAParams; 23c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.interfaces.DSAPublicKey; 24c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.spec.DSAPublicKeySpec; 25c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.text.ParseException; 26b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.ArrayList; 27b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Arrays; 28b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Collection; 29b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Date; 30b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Enumeration; 31b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.HashSet; 32b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Iterator; 33b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.List; 34b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Map; 35b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Set; 36b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 37b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport javax.security.auth.x500.X500Principal; 38b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 39b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1InputStream; 40c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1Object; 41b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OctetString; 42b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OutputStream; 43b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1Sequence; 44c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DEREnumerated; 45c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstromimport org.bouncycastle.asn1.DERGeneralizedTime; 46c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERIA5String; 47b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.DERObject; 48b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.DERObjectIdentifier; 49c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERSequence; 50c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers; 51b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.AlgorithmIdentifier; 52c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLDistPoint; 53c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLNumber; 54c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLReason; 55c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CertificateList; 56c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPoint; 57c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPointName; 58c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralName; 59c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralNames; 60b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.PolicyInformation; 61b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 62b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.X509Extensions; 63c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// BEGIN android-removed 64c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// 
import org.bouncycastle.jce.X509LDAPCertStoreParameters; 65c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// END android-removed 66c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.jce.exception.ExtCertPathValidatorException; 67c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.util.Selector; 68c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.util.StoreException; 69c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXBuilderParameters; 70c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXParameters; 71c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// BEGIN android-removed 72c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// import org.bouncycastle.x509.X509AttributeCertStoreSelector; 73c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// END android-removed 74c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509AttributeCertificate; 75c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CRLStoreSelector; 76c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CertStoreSelector; 77c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509Store; 78b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 79b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallampublic class CertPathValidatorUtilities 80b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam{ 81b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId(); 82b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId(); 83b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String 
POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId(); 84b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId(); 85b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId(); 86b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String KEY_USAGE = X509Extensions.KeyUsage.getId(); 87b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId(); 88b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId(); 89b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId(); 90b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId(); 91c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static final String FRESHEST_CRL = X509Extensions.FreshestCRL.getId(); 92c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId(); 93c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static final String AUTHORITY_KEY_IDENTIFIER = X509Extensions.AuthorityKeyIdentifier.getId(); 94b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 95b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String ANY_POLICY = "2.5.29.32.0"; 96b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 97b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String CRL_NUMBER = X509Extensions.CRLNumber.getId(); 98b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 
99b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam /* 100b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam * key usage bits 101b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam */ 102b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final int KEY_CERT_SIGN = 5; 103b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final int CRL_SIGN = 6; 104b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 105b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static final String[] crlReasons = new String[] { 106b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "unspecified", 107b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "keyCompromise", 108b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "cACompromise", 109b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "affiliationChanged", 110b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "superseded", 111b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "cessationOfOperation", 112b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "certificateHold", 113b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "unknown", 114b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "removeFromCRL", 115b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "privilegeWithdrawn", 116b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam "aACompromise" }; 117b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 118c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // BEGIN android-removed 119c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // /** 120c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // * Search the given Set of TrustAnchor's for one that is the 121c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // * issuer of the given X509 certificate. Uses the default provider 122c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // * for signature verification. 
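    // *
    // * @param cert the X509 certificate
    // * @param trustAnchors a Set of TrustAnchor's
    // *
    // * @return the <code>TrustAnchor</code> object if found or
    // * <code>null</code> if not.
    // *
    // * @exception AnnotatedException
    // * if a TrustAnchor was found but the signature verification
    // * on the given certificate has thrown an exception.
    // */
    // protected static TrustAnchor findTrustAnchor(
    //     X509Certificate cert,
    //     Set trustAnchors)
    //     throws AnnotatedException
    // {
    //     return findTrustAnchor(cert, trustAnchors, null);
    // }
    // END android-removed

    // BEGIN android-changed
    /**
     * Search the trust anchors of {@code params} for one that is the
     * issuer of the given X509 certificate. Uses the signature provider
     * named in {@code params}, or the default provider if that is null.
     * <p>
     * An anchor is selected in one of three ways:
     * <ol>
     * <li>{@code params} is an {@link IndexedPKIXParameters}: the lookup is
     * delegated to its index.</li>
     * <li>An anchor's trusted certificate is byte-for-byte identical to
     * {@code cert}: that anchor is returned at once, without a signature
     * check, because the certificate itself is the trusted material.</li>
     * <li>Otherwise the anchor's subject (or, for a name/key-only anchor,
     * its CA name) must equal the certificate's issuer, and the anchor's
     * public key must verify the certificate's signature. The first anchor
     * that passes both checks is returned.</li>
     * </ol>
     *
     * @param cert the X509 certificate
     * @param params used to find the trust anchors and signature provider
     *
     * @return the <code>TrustAnchor</code> object if found or
     * <code>null</code> if not.
     *
     * @exception AnnotatedException
     * if a TrustAnchor was found but the signature verification
     * on the given certificate has thrown an exception, or if the
     * certificate's issuer name cannot be encoded as a search criterion.
     */
    protected static TrustAnchor findTrustAnchor(
        X509Certificate cert,
        PKIXParameters params)
        throws AnnotatedException
    // END android-changed
    {
        // BEGIN android-changed
        // If we have a trust anchor index, use it.
        if (params instanceof IndexedPKIXParameters)
        {
            IndexedPKIXParameters indexed = (IndexedPKIXParameters) params;
            return indexed.findTrustAnchor(cert);
        }
        // END android-changed

        X509CertSelector certSelectX509 = new X509CertSelector();
        X500Principal certIssuer = getEncodedIssuerPrincipal(cert);

        try
        {
            // anchors are matched on subject == this certificate's issuer
            certSelectX509.setSubject(certIssuer.getEncoded());
        }
        catch (IOException ex)
        {
            throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
        }

        // BEGIN android-added
        // Encoded form of the certificate for the "cert is itself an anchor"
        // shortcut below; null simply disables that shortcut.
        byte[] certBytes = null;
        try
        {
            certBytes = cert.getEncoded();
        }
        catch (Exception e)
        {
            // ignore, just continue: the shortcut is best-effort
        }
        // END android-added

        TrustAnchor trust = null;
        Exception invalidKeyEx = null;

        // BEGIN android-changed
        Iterator iter = params.getTrustAnchors().iterator();
        // END android-changed
        while (iter.hasNext() && trust == null)
        {
            trust = (TrustAnchor) iter.next();
            X509Certificate trustCert = trust.getTrustedCert();

            // BEGIN android-added
            // If the trust anchor is identical to the certificate we're
            // done. Just return the anchor.
            // There is similar code in PKIXCertPathValidatorSpi.
            if (trustCert != null && certBytes != null)
            {
                try
                {
                    if (Arrays.equals(trustCert.getEncoded(), certBytes))
                    {
                        return trust;
                    }
                }
                catch (Exception e)
                {
                    // ignore, continue and verify the certificate
                }
            }
            // END android-added

            // The candidate key is looked up afresh for every anchor, so a
            // key left over from an earlier anchor that failed verification
            // is never reused against a non-matching anchor.
            PublicKey trustPublicKey = matchingAnchorKey(trust, trustCert, certSelectX509, certIssuer);
            if (trustPublicKey == null)
            {
                // not the issuer (or no usable key): an anchor is only
                // accepted after its key has verified the signature
                trust = null;
                continue;
            }

            try
            {
                // BEGIN android-changed
                verifyX509Certificate(cert, trustPublicKey, params.getSigProvider());
                // END android-changed
            }
            catch (Exception ex)
            {
                // remember the failure; a later anchor may still verify
                invalidKeyEx = ex;
                trust = null;
            }
        }

        if (trust == null && invalidKeyEx != null)
        {
            throw new AnnotatedException("TrustAnchor found but certificate validation failed.", invalidKeyEx);
        }

        return trust;
    }

    /**
     * Returns the public key of {@code trust} if the anchor names the
     * certificate's issuer, or {@code null} if the anchor does not apply.
     * <p>
     * A certificate-backed anchor applies when its subject matches
     * {@code subjectSelector}; a name/key-only anchor applies when its CA
     * name equals {@code certIssuer}. An anchor whose CA name cannot be
     * parsed as an {@link X500Principal} is treated as not applicable.
     *
     * @param trust the anchor under consideration.
     * @param trustCert {@code trust.getTrustedCert()}, may be null.
     * @param subjectSelector selector whose subject criterion is the
     *        certificate's issuer.
     * @param certIssuer the certificate's issuer.
     * @return the anchor's public key, or null if the anchor does not
     *         apply or carries no key.
     */
    private static PublicKey matchingAnchorKey(
        TrustAnchor trust,
        X509Certificate trustCert,
        X509CertSelector subjectSelector,
        X500Principal certIssuer)
    {
        if (trustCert != null)
        {
            return subjectSelector.match(trustCert) ? trustCert.getPublicKey() : null;
        }

        if (trust.getCAName() == null || trust.getCAPublicKey() == null)
        {
            return null;
        }

        try
        {
            X500Principal caName = new X500Principal(trust.getCAName());
            return certIssuer.equals(caName) ? trust.getCAPublicKey() : null;
        }
        catch (IllegalArgumentException ex)
        {
            // malformed CA name on the anchor: treat it as not matching
            return null;
        }
    }

    /**
     * Adds an additional X.509 store for every URI found in the
     * IssuerAltName extension of {@code cert}.
     * <p>
     * The URIs originate from the certificate under validation, i.e. from
     * untrusted input. This method only forwards them; whether a location
     * is actually dereferenced is decided by
     * {@link #addAdditionalStoreFromLocation(String, ExtendedPKIXParameters)},
     * which is outside this view. NOTE(review): upstream Bouncy Castle gates
     * that method on {@code ExtendedPKIXParameters.isAdditionalLocationsEnabled()};
     * confirm this copy does the same.
     *
     * @param cert the certificate whose issuer alternative names are scanned.
     * @param pkixParams the parameters the stores are added to.
     * @throws CertificateParsingException if the IssuerAltName extension
     *         cannot be decoded.
     */
    protected static void addAdditionalStoresFromAltNames(
        X509Certificate cert,
        ExtendedPKIXParameters pkixParams)
        throws CertificateParsingException
    {
        // if in the IssuerAltName extension an URI
        // is given, add an additional X.509 store
        Collection issuerAltNames = cert.getIssuerAlternativeNames();
        if (issuerAltNames == null)
        {
            return;
        }

        // each name is a List of [Integer tag, value] as documented on
        // X509Certificate.getIssuerAlternativeNames()
        Iterator it = issuerAltNames.iterator();
        while (it.hasNext())
        {
            // look for URI
            List list = (List) it.next();
            // BEGIN android-changed
            if (list.get(0).equals(Integer.valueOf(GeneralName.uniformResourceIdentifier)))
            // END android-changed
            {
                // found
                String location = (String) list.get(1);
                CertPathValidatorUtilities.addAdditionalStoreFromLocation(location, pkixParams);
            }
        }
    }

    /**
     * Returns the issuer of an attribute certificate or certificate.
     *
     * @param cert The attribute certificate or certificate; must be an
     *             {@link X509Certificate} or an {@link X509AttributeCertificate}.
     * @return The issuer as <code>X500Principal</code>.
     * @throws ClassCastException if {@code cert} is neither type, or the
     *         attribute certificate's first issuer principal is not an
     *         {@code X500Principal}.
     */
    protected static X500Principal getEncodedIssuerPrincipal(
        Object cert)
    {
        if (cert instanceof X509Certificate)
        {
            return ((X509Certificate)cert).getIssuerX500Principal();
        }
        else
        {
            // only the first principal of the attribute certificate's
            // issuer is considered
            return (X500Principal)((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0];
        }
    }

    /**
     * Returns the date at which validity is checked: the date set on the
     * parameters, or the current time if none is set.
     *
     * @param paramsPKIX the validation parameters.
     * @return the validation date, never null.
     */
    protected static Date getValidDate(PKIXParameters paramsPKIX)
    {
        Date validDate = paramsPKIX.getDate();

        return validDate != null ? validDate : new Date();
    }
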
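    protected static X500Principal getSubjectPrincipal(X509Certificate cert)
    {
        return cert.getSubjectX500Principal();
    }

    /**
     * Returns whether the certificate is self-issued, i.e. the same name
     * appears in its subject and issuer fields (RFC 5280, section 6.1).
     * The names are compared as <code>X500Principal</code>s, which gives a
     * provider-independent result; the denigrated <code>getSubjectDN()</code>
     * and <code>getIssuerDN()</code> return an implementation-specific
     * <code>Principal</code> whose <code>equals</code> is not guaranteed to
     * compare distinguished names consistently.
     *
     * @param cert The certificate to inspect.
     * @return <code>true</code> if subject and issuer name are equal.
     */
    protected static boolean isSelfIssued(X509Certificate cert)
    {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /**
     * Extract the value of the given extension, if it exists.
     *
     * @param ext
     *            The extension object.
     * @param oid
     *            The object identifier to obtain.
     * @return The decoded extension value, or <code>null</code> if the
     *         extension is not present.
     * @throws AnnotatedException
     *             if the extension cannot be read.
     */
    protected static DERObject getExtensionValue(
        java.security.cert.X509Extension ext,
        String oid)
        throws AnnotatedException
    {
        byte[] bytes = ext.getExtensionValue(oid);
        if (bytes == null)
        {
            return null;
        }

        return getObject(oid, bytes);
    }

    /**
     * Decodes a raw extension value. The bytes handed out by
     * <code>X509Extension.getExtensionValue()</code> are the DER encoding of
     * an OCTET STRING, and the extension's own structure is the DER encoded
     * content of that OCTET STRING, so two decoding passes are needed.
     *
     * @param oid The extension identifier, used only in the error message.
     * @param ext The DER encoded OCTET STRING holding the extension value.
     * @return The decoded extension structure.
     * @throws AnnotatedException if either decoding step fails or the outer
     *             object is not an OCTET STRING.
     */
    private static DERObject getObject(
        String oid,
        byte[] ext)
        throws AnnotatedException
    {
        try
        {
            ASN1InputStream aIn = new ASN1InputStream(ext);
            ASN1OctetString octs = (ASN1OctetString)aIn.readObject();

            aIn = new ASN1InputStream(octs.getOctets());

            return aIn.readObject();
        }
        catch (Exception e)
        {
            // Catches the IOException from the stream as well as the
            // ClassCastException raised when the outer object is not an
            // OCTET STRING; both are reported as a decoding failure.
            throw new AnnotatedException("exception processing extension " + oid, e);
        }
    }

    /**
     * Returns the issuer name of a CRL.
     *
     * @param crl The CRL.
     * @return The issuer as <code>X500Principal</code>.
     */
    protected static X500Principal getIssuerPrincipal(X509CRL crl)
    {
        return crl.getIssuerX500Principal();
    }

    /**
     * Returns the algorithm identifier of a public key, taken from the
     * SubjectPublicKeyInfo structure that <code>key.getEncoded()</code> is
     * parsed as.
     *
     * @param key The public key.
     * @return The key's algorithm identifier.
     * @throws CertPathValidatorException if the encoding cannot be parsed.
     */
    protected static AlgorithmIdentifier getAlgorithmIdentifier(
        PublicKey key)
        throws CertPathValidatorException
    {
        try
        {
            ASN1InputStream aIn = new ASN1InputStream(key.getEncoded());

            SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());

            return info.getAlgorithmId();
        }
        catch (Exception e)
        {
            throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e);
        }
    }

    // crl checking

    /**
     * Return a Collection of all CRLs found in the X509Store's that are
     * matching the crlSelect criteria.
     *
     * @param crlSelect a {@link X509CRLStoreSelector} object that will be used
     *                  to select the CRLs
     * @param crlStores a List containing only
     *                  {@link org.bouncycastle.x509.X509Store X509Store} objects.
     *                  These are used to search for CRLs
     *
     * @return a Collection of all found {@link X509CRL X509CRL} objects. May be
     *         empty but never <code>null</code>.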
     */
    protected static final Collection findCRLs(X509CRLStoreSelector crlSelect,
        List crlStores) throws AnnotatedException
    {
        // Collected into a set so a CRL returned by several stores appears once.
        Set found = new HashSet();
        AnnotatedException lastFailure = null;
        boolean anyStoreAnswered = false;

        for (Iterator iter = crlStores.iterator(); iter.hasNext();)
        {
            Object candidate = iter.next();

            if (candidate instanceof X509Store)
            {
                try
                {
                    found.addAll(((X509Store)candidate).getMatches(crlSelect));
                    anyStoreAnswered = true;
                }
                catch (StoreException e)
                {
                    lastFailure = crlStoreFailure(e);
                }
                continue;
            }

            // Everything that is not an X509Store is expected to be a CertStore.
            CertStore certStore = (CertStore)candidate;
            try
            {
                found.addAll(certStore.getCRLs(crlSelect));
                anyStoreAnswered = true;
            }
            catch (CertStoreException e)
            {
                lastFailure = crlStoreFailure(e);
            }
        }

        // A failing store is tolerated as long as at least one store could be
        // queried; only when every store failed is the last error reported.
        if (!anyStoreAnswered && lastFailure != null)
        {
            throw lastFailure;
        }

        return found;
    }

    /**
     * Wraps a store lookup failure in the exception findCRLs reports.
     *
     * @param cause The exception raised by the store.
     * @return The wrapped exception.
     */
    private static AnnotatedException crlStoreFailure(Exception cause)
    {
        return new AnnotatedException("Exception searching in X.509 CRL store.", cause);
    }

    //
    // policy checking
    //

    /**
     * Converts a sequence of policy qualifiers (as obtained from
     * <code>PolicyInformation.getPolicyQualifiers()</code>) into a set of
     * <code>PolicyQualifierInfo</code> objects, each built from the DER
     * encoding of one qualifier.
     *
     * @param qualifiers The qualifier sequence; may be <code>null</code>.
     * @return A (possibly empty) set of <code>PolicyQualifierInfo</code>,
     *         never <code>null</code>.
     * @throws CertPathValidatorException if a qualifier cannot be re-encoded.
     */
    protected static final Set getQualifierSet(ASN1Sequence qualifiers)
        throws CertPathValidatorException
    {
        Set pq = new HashSet();

        if (qualifiers == null)
        {
            return pq;
        }

        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        ASN1OutputStream aOut = new ASN1OutputStream(bOut);

        Enumeration e = qualifiers.getObjects();

        while (e.hasMoreElements())
        {
            try
            {
                aOut.writeObject(e.nextElement());

                pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
            }
            catch (IOException ex)
            {
                throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
            }

            // The byte buffer is reused for every qualifier; clear it so the
            // next encoding does not include the previous one.
            bOut.reset();
        }

        return pq;
    }

    /**
     * Removes a node, together with its whole subtree (via
     * removePolicyNodeRecurse), from the valid policy tree and from the
     * per-depth node lists.
     *
     * @param validPolicyTree The root of the tree; <code>null</code> means the
     *            tree is already empty.
     * @param policyNodes Per-depth lists of the nodes in the tree; updated in
     *            place.
     * @param _node The node to remove.
     * @return The unchanged root, or <code>null</code> when the tree is now
     *         empty: either it was <code>null</code> already, or
     *         <code>_node</code> has no parent (it is the root), in which case
     *         every depth list is replaced by a fresh empty list.
     */
    protected static PKIXPolicyNode removePolicyNode(
        PKIXPolicyNode validPolicyTree,
        List [] policyNodes,
        PKIXPolicyNode _node)
    {
        PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent();

        if (validPolicyTree == null)
        {
            return null;
        }

        if (_parent == null)
        {
            // Removing the root empties the tree: drop every depth list.
            for (int j = 0; j < policyNodes.length; j++)
            {
                policyNodes[j] = new ArrayList();
            }

            return null;
        }
        else
        {
            _parent.removeChild(_node);
            removePolicyNodeRecurse(policyNodes, _node);

            return validPolicyTree;
        }
    }

    /**
     * Removes <code>_node</code> from the list for its depth, then does the
     * same for each of its children. Parent links are not touched here;
     * removePolicyNode detaches the subtree root from its parent.
     *
     * @param policyNodes Per-depth node lists, updated in place.
     * @param _node Root of the subtree to drop from the lists.
     */
    private static void removePolicyNodeRecurse(
        List [] policyNodes,
        PKIXPolicyNode _node)
    {
        policyNodes[_node.getDepth()].remove(_node);

        if (_node.hasChildren())
        {
            Iterator _iter = _node.getChildren();
            while (_iter.hasNext())
            {
                PKIXPolicyNode _child = (PKIXPolicyNode)_iter.next();
                removePolicyNodeRecurse(policyNodes, _child);
            }
        }
    }


    /**
     * RFC 5280 section 6.1.3, step (d)(1)(i): for a certificate policy OID
     * found in the certificate at depth <code>index</code>, look for a node at
     * depth <code>index - 1</code> whose expected policy set contains the OID
     * and attach a child node for the OID under it.
     *
     * @param index Depth of the certificate being processed; must be at least
     *            1, as <code>policyNodes[index - 1]</code> is consulted.
     * @param policyNodes Per-depth node lists; a new child is appended to
     *            <code>policyNodes[index]</code>.
     * @param pOid The certificate policy OID.
     * @param pq The policy qualifiers attached to the new node.
     * @return <code>true</code> if a matching parent was found and a child
     *         added (only the first match is used), <code>false</code>
     *         otherwise.
     */
    protected static boolean processCertD1i(
        int index,
        List [] policyNodes,
        DERObjectIdentifier pOid,
        Set pq)
    {
        List policyNodeVec = policyNodes[index - 1];

        for (int j = 0; j < policyNodeVec.size(); j++)
        {
            PKIXPolicyNode node = (PKIXPolicyNode)policyNodeVec.get(j);
            Set expectedPolicies = node.getExpectedPolicies();

            if (expectedPolicies.contains(pOid.getId()))
            {
                // The child expects only its own policy; the trailing false is
                // the argument prepareNextCertB1 fills with the criticality flag.
                Set childExpectedPolicies = new HashSet();
                childExpectedPolicies.add(pOid.getId());

                PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(),
                    index,
                    childExpectedPolicies,
                    node,
                    pq,
                    pOid.getId(),
                    false);
                node.addChild(child);
                policyNodes[index].add(child);

                return true;
            }
        }

        return false;
    }

    /**
     * RFC 5280 section 6.1.3, step (d)(1)(ii): used when processCertD1i found
     * no match. Attaches a child for the policy OID under the first node at
     * depth <code>index - 1</code> whose valid policy is anyPolicy; does
     * nothing if there is no such node.
     *
     * @param index Depth of the certificate being processed; must be at least
     *            1, as <code>policyNodes[index - 1]</code> is consulted.
     * @param policyNodes Per-depth node lists; a new child is appended to
     *            <code>policyNodes[index]</code>.
     * @param _poid The certificate policy OID.
     * @param _pq The policy qualifiers attached to the new node.
     */
    protected static void processCertD1ii(
        int index,
        List [] policyNodes,
        DERObjectIdentifier _poid,
        Set _pq)
    {
        List policyNodeVec = policyNodes[index - 1];

        for (int j = 0; j < policyNodeVec.size(); j++)
        {
            PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j);

            if (ANY_POLICY.equals(_node.getValidPolicy()))
            {
                Set _childExpectedPolicies = new HashSet();
                _childExpectedPolicies.add(_poid.getId());

                PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(),
                    index,
                    _childExpectedPolicies,
                    _node,
                    _pq,
                    _poid.getId(),
                    false);
                _node.addChild(_child);
                policyNodes[index].add(_child);
                return;
            }
        }
    }

    /**
     * RFC 5280 section 6.1.4, step (b)(1): applies a policy mapping
     * <code>id_p</code> (issuerDomainPolicy) to the tree at depth
     * <code>i</code>. If a node at depth <code>i</code> has valid policy
     * <code>id_p</code>, its expected policy set is replaced by the mapped
     * subject domain policies <code>m_idp.get(id_p)</code>. Otherwise, if a
     * node at depth <code>i</code> has valid policy anyPolicy and its parent
     * is also anyPolicy, a child with valid policy <code>id_p</code> is added
     * under that parent, carrying the qualifiers of the certificate's own
     * anyPolicy entry and its certificatePolicies criticality.
     *
     * @param i Depth of the certificate being processed.
     * @param policyNodes Per-depth node lists, updated in place.
     * @param id_p The issuer domain policy OID being mapped.
     * @param m_idp Map from issuer domain policy OID to the Set of subject
     *            domain policy OIDs it maps to.
     * @param cert The certificate carrying the mapping; its
     *            certificatePolicies extension is read.
     * @throws AnnotatedException if the certificate policies cannot be decoded.
     * @throws CertPathValidatorException if the qualifier set cannot be built.
     */
    protected static void prepareNextCertB1(
        int i,
        List[] policyNodes,
        String id_p,
        Map m_idp,
        X509Certificate cert
    ) throws AnnotatedException,CertPathValidatorException
    {
        boolean idp_found = false;
        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                idp_found = true;
                // Writes the field directly rather than through an accessor.
                node.expectedPolicies = (Set)m_idp.get(id_p);
                break;
            }
        }

        if (!idp_found)
        {
            nodes_i = policyNodes[i].iterator();
            while (nodes_i.hasNext())
            {
                PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                if (ANY_POLICY.equals(node.getValidPolicy()))
                {
                    Set pq = null;
                    ASN1Sequence policies = null;
                    try
                    {
                        // NOTE(review): getExtensionValue returns null when the
                        // extension is absent; this path assumes the caller only
                        // reaches it for certificates that carry
                        // certificatePolicies - verify against the callers.
                        policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
                    }
                    catch (Exception e)
                    {
                        throw
                            new AnnotatedException("Certificate policies cannot be decoded.", e);
                    }
                    Enumeration e = policies.getObjects();
                    while (e.hasMoreElements())
                    {
                        PolicyInformation pinfo = null;

                        try
                        {
                            pinfo = PolicyInformation.getInstance(e.nextElement());
                        }
                        catch (Exception ex)
                        {
                            throw new AnnotatedException("Policy information cannot be decoded.", ex);
                        }
                        // Only the qualifiers of the certificate's anyPolicy
                        // entry are carried over to the new node.
                        if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                        {
                            try
                            {
                                pq = getQualifierSet(pinfo.getPolicyQualifiers());
                            }
                            catch (CertPathValidatorException ex)
                            {
                                throw new ExtCertPathValidatorException(
                                    "Policy qualifier info set could not be built.", ex);
                            }
                            break;
                        }
                    }
                    // ci: whether the certificatePolicies extension is critical.
                    boolean ci = false;
                    if (cert.getCriticalExtensionOIDs() != null)
                    {
                        ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
                    }

                    // NOTE(review): assumes an anyPolicy node at depth i always
                    // has a parent; a root node here would raise an NPE.
                    PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                    if (ANY_POLICY.equals(p_node.getValidPolicy()))
                    {
                        PKIXPolicyNode c_node = new PKIXPolicyNode(
                            new ArrayList(), i,
                            (Set)m_idp.get(id_p),
                            p_node, pq, id_p, ci);
                        p_node.addChild(c_node);
                        policyNodes[i].add(c_node);
                    }
                    break;
                }
            }
        }
    }

    /**
     * RFC 5280 section 6.1.4, step (b)(2) (policy mapping inhibited): deletes
     * the node at depth <code>i</code> whose valid policy is
     * <code>id_p</code>, then walks depths <code>i - 1</code> down to 0 and
     * removes every node left without children.
     *
     * @param i Depth of the certificate being processed.
     * @param policyNodes Per-depth node lists, updated in place.
     * @param id_p The issuer domain policy OID whose node is deleted.
     * @param validPolicyTree The current root.
     * @return The root, or <code>null</code> if pruning emptied the tree.
     */
    protected static PKIXPolicyNode prepareNextCertB2(
        int i,
        List[] policyNodes,
        String id_p,
        PKIXPolicyNode validPolicyTree)
    {
        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                p_node.removeChild(node);
                nodes_i.remove();
                for (int k = (i - 1); k >= 0; k--)
                {
                    List nodes = policyNodes[k];
                    for (int l = 0; l < nodes.size(); l++)
                    {
                        PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                        if (!node2.hasChildren())
                        {
                            // NOTE(review): removePolicyNode drops node2 from this
                            // same list, so the element that shifts into index l
                            // is not examined in this pass - verify whether
                            // later pruning passes cover it.
                            validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2);
                            if (validPolicyTree == null)
                            {
                                // Leaves only the inner loop; the outer loop
                                // continues with removePolicyNode returning null.
                                break;
                            }
                        }
                    }
                }
            }
        }
        return validPolicyTree;
    }

    /**
     * Returns whether a policy set should be treated as "any policy": it is
     * <code>null</code>, empty, or contains the anyPolicy OID.
     *
     * @param policySet The set of policy OID strings; may be <code>null</code>.
     * @return <code>true</code> in any of the three cases above.
     */
    protected static boolean isAnyPolicy(
        Set policySet)
    {
        return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty();
    }

    protected static void addAdditionalStoreFromLocation(String location,
        ExtendedPKIXParameters pkixParams)
    {
        // Only acts when the caller explicitly enabled fetching from locations
        // named inside certificates; the default leaves this a no-op.
        if (pkixParams.isAdditionalLocationsEnabled())
        {
            try
            {
770c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // BEGIN android-removed 771c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // if (location.startsWith("ldap://")) 772c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 773c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // ldap://directory.d-trust.net/CN=D-TRUST 774c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE 775c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // skip "ldap://" 776c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // location = location.substring(7); 777c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // after first / baseDN starts 778c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // String base = null; 779c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // String url = null; 780c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // if (location.indexOf("/") != -1) 781c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 782c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // base = location.substring(location.indexOf("/")); 783c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // URL 784c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // url = "ldap://" 785c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // + location.substring(0, location.indexOf("/")); 786c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 787c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // else 788c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 789c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // url = "ldap://" + location; 790c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 791c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // // use all purpose parameters 792c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // X509LDAPCertStoreParameters params = new X509LDAPCertStoreParameters.Builder( 
793c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // url, base).build(); 794c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // pkixParams.addAdditionalStore(X509Store.getInstance( 795c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // "CERTIFICATE/LDAP", params, "BC")); 796c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // pkixParams.addAdditionalStore(X509Store.getInstance( 797c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // "CRL/LDAP", params, "BC")); 798c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // pkixParams.addAdditionalStore(X509Store.getInstance( 799c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // "ATTRIBUTECERTIFICATE/LDAP", params, "BC")); 800c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // pkixParams.addAdditionalStore(X509Store.getInstance( 801c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // "CERTIFICATEPAIR/LDAP", params, "BC")); 802c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 803c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // END android-removed 804c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 805c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 806c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 807c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // cannot happen 808c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new RuntimeException("Exception adding X.509 stores."); 809c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 810c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 811c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 812c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 813c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 814c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Return a Collection of all certificates or attribute certificates found 815c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * in the 
X509Store's that are matching the certSelect criteriums. 816c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 817c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param certSelect a {@link Selector} object that will be used to select 818c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * the certificates 819c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param certStores a List containing only {@link X509Store} objects. These 820c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * are used to search for certificates. 821c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 822c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @return a Collection of all found {@link X509Certificate} or 823c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * {@link org.bouncycastle.x509.X509AttributeCertificate} objects. 824c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * May be empty but never <code>null</code>. 825c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 826c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static Collection findCertificates(X509CertStoreSelector certSelect, 827c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List certStores) throws AnnotatedException 828c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 829c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set certs = new HashSet(); 830c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator iter = certStores.iterator(); 831c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 832c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (iter.hasNext()) 833c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 834c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Object obj = iter.next(); 835c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 836c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (obj instanceof X509Store) 
837c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 838c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Store certStore = (X509Store)obj; 839c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 840c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 841c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certs.addAll(certStore.getMatches(certSelect)); 842c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 843c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (StoreException e) 844c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 845c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw 846c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 847c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom new AnnotatedException( 848c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Problem while picking certificates from X.509 store.", e); 849c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 850c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 851c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 852c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 853c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CertStore certStore = (CertStore)obj; 854c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 855c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 856c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 857c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certs.addAll(certStore.getCertificates(certSelect)); 858c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 859c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (CertStoreException e) 860c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 861c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 862c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Problem while picking certificates from certificate store.", 
863c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e); 864c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 865c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 866c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 867c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return certs; 868c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 869c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 870c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // BEGIN android-removed 871c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, 872c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // List certStores) 873c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // throws AnnotatedException 874c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 875c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // Set certs = new HashSet(); 876c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // Iterator iter = certStores.iterator(); 877c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 878c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // while (iter.hasNext()) 879c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 880c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // Object obj = iter.next(); 881c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 882c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // if (obj instanceof X509Store) 883c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 884c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // X509Store certStore = (X509Store)obj; 885c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // try 886c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 887c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // certs.addAll(certStore.getMatches(certSelect)); 888c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstrom // } 889c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // catch (StoreException e) 890c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // { 891c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // throw 892c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 893c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // new AnnotatedException( 894c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // "Problem while picking certificates from X.509 store.", e); 895c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 896c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 897c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 898c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // return certs; 899c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // } 900c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // END android-removed 901c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 902c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static void addAdditionalStoresFromCRLDistributionPoint( 903c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CRLDistPoint crldp, ExtendedPKIXParameters pkixParams) 904c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 905c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 906c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (crldp != null) 907c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 908c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPoint dps[] = null; 909c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 910c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 911c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dps = crldp.getDistributionPoints(); 912c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 913c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 
914c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 915c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 916c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Distribution points could not be read.", e); 917c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 918c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int i = 0; i < dps.length; i++) 919c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 920c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPointName dpn = dps[i].getDistributionPoint(); 921c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // look for URIs in fullName 922c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dpn != null) 923c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 924c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dpn.getType() == DistributionPointName.FULL_NAME) 925c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 926c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralName[] genNames = GeneralNames.getInstance( 927c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dpn.getName()).getNames(); 928c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // look for an URI 929c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < genNames.length; j++) 930c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 931c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) 932c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 933c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom String location = DERIA5String.getInstance( 934c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom genNames[j].getName()).getString(); 935c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom CertPathValidatorUtilities 936c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom .addAdditionalStoreFromLocation(location, 
937c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom pkixParams); 938c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 939c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 940c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 941c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 942c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 943c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 944c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 945c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 946c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 947c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Add the CRL issuers from the cRLIssuer field of the distribution point or 948c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * from the certificate if not given to the issuer criterion of the 949c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>selector</code>. 950c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <p> 951c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * The <code>issuerPrincipals</code> are a collection with a single 952c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>X500Principal</code> for <code>X509Certificate</code>s. For 953c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * {@link X509AttributeCertificate}s the issuer may contain more than one 954c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>X500Principal</code>. 955c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 956c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param dp The distribution point. 957c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param issuerPrincipals The issuers of the certificate or attribute 958c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * certificate which contains the distribution point. 959c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param selector The CRL selector. 
960c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param pkixParams The PKIX parameters containing the cert stores. 961c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if an exception occurs while processing. 962c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws ClassCastException if <code>issuerPrincipals</code> does not 963c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * contain only <code>X500Principal</code>s. 964c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 965c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static void getCRLIssuersFromDistributionPoint( 966c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPoint dp, 967c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Collection issuerPrincipals, 968c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509CRLSelector selector, 969c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXParameters pkixParams) 970c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 971c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 972c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List issuers = new ArrayList(); 973c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // indirect CRL 974c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dp.getCRLIssuer() != null) 975c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 976c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralName genNames[] = dp.getCRLIssuer().getNames(); 977c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // look for a DN 978c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < genNames.length; j++) 979c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 980c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (genNames[j].getTagNo() == GeneralName.directoryName) 981c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstrom { 982c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 983c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 984c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuers.add(new X500Principal(genNames[j].getName() 985c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom .getDERObject().getEncoded())); 986c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 987c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException e) 988c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 989c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 990c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "CRL issuer information from distribution point cannot be decoded.", 991c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e); 992c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 993c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 994c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 995c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 996c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 997c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 998c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /* 999c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * certificate issuer is CRL issuer, distributionPoint field MUST be 1000c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * present. 
1001c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1002c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dp.getDistributionPoint() == null) 1003c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1004c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1005c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "CRL issuer is omitted from distribution point but no distributionPoint field present."); 1006c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1007c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // add and check issuer principals 1008c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (Iterator it=issuerPrincipals.iterator(); it.hasNext();) 1009c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1010c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuers.add((X500Principal)it.next()); 1011c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1012c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1013c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // TODO: is not found although this should correctly add the rel name. 
selector of Sun is buggy here or PKI test case is invalid 1014c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // distributionPoint 1015c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (dp.getDistributionPoint() != null) 1016c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1017c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // look for nameRelativeToCRLIssuer 1018c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) 1019c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1020c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // append fragment to issuer, only one 1021c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // issuer can be there, if this is given 1022c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (issuers.size() != 1) 1023c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1024c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// throw new AnnotatedException( 1025c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given."); 1026c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1027c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// DEREncodable relName = dp.getDistributionPoint().getName(); 1028c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// Iterator it = issuers.iterator(); 1029c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// List issuersTemp = new ArrayList(issuers.size()); 1030c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// while (it.hasNext()) 1031c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1032c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// Enumeration e = null; 1033c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// try 1034c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 
1035c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// e = ASN1Sequence.getInstance( 1036c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// new ASN1InputStream(((X500Principal) it.next()) 1037c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// .getEncoded()).readObject()).getObjects(); 1038c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1039c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// catch (IOException ex) 1040c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1041c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// throw new AnnotatedException( 1042c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// "Cannot decode CRL issuer information.", ex); 1043c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1044c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// ASN1EncodableVector v = new ASN1EncodableVector(); 1045c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// while (e.hasMoreElements()) 1046c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 1047c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// v.add((DEREncodable) e.nextElement()); 1048c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1049c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// v.add(relName); 1050c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuersTemp.add(new X500Principal(new DERSequence(v) 1051c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// .getDEREncoded())); 1052c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1053c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuers.clear(); 1054c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuers.addAll(issuersTemp); 1055c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1056c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 1057c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator it = issuers.iterator(); 1058c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstrom while (it.hasNext()) 1059c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1060c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1061c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1062c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom selector.addIssuerName(((X500Principal)it.next()).getEncoded()); 1063c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1064c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException ex) 1065c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1066c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1067c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Cannot decode CRL issuer information.", ex); 1068c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1069c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1070c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1071c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1072c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom private static BigInteger getSerialNumber( 1073c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Object cert) 1074c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1075c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (cert instanceof X509Certificate) 1076c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1077c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return ((X509Certificate) cert).getSerialNumber(); 1078c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1079c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1080c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1081c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return ((X509AttributeCertificate) cert).getSerialNumber(); 1082c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1083c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1084c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
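    /**
     * Looks up {@code cert} in {@code crl} and, if a matching revoked entry
     * exists, records the revocation reason and date in {@code certStatus}.
     * <p>
     * The CRL is re-parsed into a BC {@code X509CRLObject} so that indirect
     * CRLs are supported: a revoked entry is only honoured when the
     * certificate's issuer equals the entry's certificateIssuer or the CRL's
     * issuer. The status is recorded when the revocation date is not after
     * {@code validDate}, when the entry carries no reason code, or when the
     * reason is unspecified, keyCompromise, cACompromise or aACompromise
     * regardless of date.
     *
     * @param validDate the time the certificate is being validated for.
     * @param crl the CRL to search.
     * @param cert an {@code X509Certificate} or
     *            {@code X509AttributeCertificate}.
     * @param certStatus receives the reason code and revocation date; left
     *            untouched when no qualifying entry is found.
     * @throws AnnotatedException if the CRL cannot be re-parsed or the reason
     *             code extension of the matching entry cannot be decoded.
     */
    protected static void getCertStatus(
        Date validDate,
        X509CRL crl,
        Object cert,
        CertStatus certStatus)
        throws AnnotatedException
    {
        // use BC X509CRLObject so that indirect CRLs are supported
        X509CRLObject bcCRL = null;
        try
        {
            bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence) ASN1Sequence.fromByteArray(crl.getEncoded())));
        }
        catch (Exception exception)
        {
            throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
        }
        // use BC X509CRLEntryObject, so that getCertificateIssuer() is
        // supported.
        X509CRLEntryObject crl_entry = (X509CRLEntryObject) bcCRL.getRevokedCertificate(getSerialNumber(cert));
        if (crl_entry != null
            && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer()) || getEncodedIssuerPrincipal(cert)
                .equals(getIssuerPrincipal(crl))))
        {
            DEREnumerated reasonCode = null;
            if (crl_entry.hasExtensions())
            {
                try
                {
                    reasonCode = DEREnumerated
                        .getInstance(CertPathValidatorUtilities
                            .getExtensionValue(crl_entry,
                                X509Extensions.ReasonCode.getId()));
                }
                catch (Exception e)
                {
                    // Previously the exception was constructed here but never
                    // thrown, so a malformed reasonCode extension was silently
                    // folded into "revoked, unspecified". Report it instead so
                    // the caller sees the decode failure.
                    throw new AnnotatedException(
                        "Reason code CRL entry extension could not be decoded.",
                        e);
                }
            }

            // for reason keyCompromise, caCompromise, aACompromise or
            // unspecified
            if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime())
                || reasonCode == null
                || reasonCode.getValue().intValue() == 0
                || reasonCode.getValue().intValue() == 1
                || reasonCode.getValue().intValue() == 2
                || reasonCode.getValue().intValue() == 8)
            {

                // (i) or (j) (1)
                if (reasonCode != null)
                {
                    certStatus.setCertStatus(reasonCode.getValue().intValue());
                }
                // (i) or (j) (2)
                else
                {
                    certStatus.setCertStatus(CRLReason.unspecified);
                }
                certStatus.setRevocationDate(crl_entry.getRevocationDate());
            }
        }
    }

    /**
     * Fetches delta CRLs according to RFC 3280 section 5.2.4.
     *
     * @param currentDate The date for which the delta CRLs must be valid.
     * @param paramsPKIX The extended PKIX parameters.
     * @param completeCRL The complete CRL the delta CRL is for.
     * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
     * @throws AnnotatedException if an exception occurs while picking the delta
     *             CRLs.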
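*/
    protected static Set getDeltaCRLs(Date currentDate,
        ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL)
        throws AnnotatedException
    {
        X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();

        // validity instant for the delta CRL search: an explicit validation
        // date in the parameters wins over the caller-supplied one
        if (paramsPKIX.getDate() != null)
        {
            deltaSelect.setDateAndTime(paramsPKIX.getDate());
        }
        else
        {
            deltaSelect.setDateAndTime(currentDate);
        }

        // 5.2.4 (a): the delta CRL must come from the complete CRL's issuer.
        // A failure here has to abort the search; otherwise the selector would
        // run without the issuer-name constraint this step is meant to set.
        try
        {
            deltaSelect.addIssuerName(CertPathValidatorUtilities
                .getIssuerPrincipal(completeCRL).getEncoded());
        }
        catch (IOException e)
        {
            throw new AnnotatedException("Cannot extract issuer from CRL.", e);
        }

        BigInteger completeCRLNumber = null;
        try
        {
            DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL,
                CRL_NUMBER);
            if (derObject != null)
            {
                completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue();
            }
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "CRL number extension could not be extracted from CRL.", e);
        }

        // 5.2.4 (b)
        byte[] idp = null;
        try
        {
            idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "Issuing distribution point extension value could not be read.",
                e);
        }

        // 5.2.4 (d): a delta CRL's number must be greater than the complete
        // CRL's number (no constraint when the complete CRL carries no number)
        deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber
            .add(BigInteger.valueOf(1)));

        deltaSelect.setIssuingDistributionPoint(idp);
        deltaSelect.setIssuingDistributionPointEnabled(true);

        // 5.2.4 (c): the delta's base CRL number must not exceed the complete
        // CRL's number
        deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);

        Set temp = new HashSet();
        // find delta CRLs
        try
        {
            temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getAdditionalStores()));
            temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getStores()));
            temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getCertStores()));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Could not search for delta CRLs.", e);
        }

        // keep only the CRLs that actually carry the delta CRL indicator
        Set result = new HashSet();

        for (Iterator it = temp.iterator(); it.hasNext();)
        {
            X509CRL crl = (X509CRL)it.next();

            if (isDeltaCRL(crl))
            {
                result.add(crl);
            }
        }

        return result;
    }

    /**
     * Checks whether a CRL is a delta CRL, i.e. whether the delta CRL indicator
     * is among its critical extensions.
     *
     * @param crl The CRL to check.
     * @return <code>true</code> if the delta CRL indicator extension is marked
     *         critical in <code>crl</code>, <code>false</code> otherwise (also
     *         when the CRL carries no extensions at all).
     */
    private static boolean isDeltaCRL(X509CRL crl)
    {
        Set critical = crl.getCriticalExtensionOIDs();

        // X509Extension.getCriticalExtensionOIDs() returns null when the CRL
        // has no extensions at all; such a CRL cannot be a delta CRL
        if (critical == null)
        {
            return false;
        }

        return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
    }

    /**
     * Fetches complete CRLs according to RFC 3280.
     *
     * @param dp The distribution point for which the complete CRL should be
     *            searched.
     * @param cert The <code>X509Certificate</code> or
     *            {@link org.bouncycastle.x509.X509AttributeCertificate} for
     *            which the CRL should be searched.
     * @param currentDate The date for which the complete CRLs must be valid.
     * @param paramsPKIX The extended PKIX parameters.
     * @return A <code>Set</code> of <code>X509CRL</code>s with complete
     *         CRLs.
     * @throws AnnotatedException if an exception occurs while picking the CRLs
     *             or no CRLs are found.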
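*/
    protected static Set getCompleteCRLs(DistributionPoint dp, Object cert,
        Date currentDate, ExtendedPKIXParameters paramsPKIX)
        throws AnnotatedException
    {
        X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
        try
        {
            // the CRL issuer defaults to the certificate's issuer; the
            // distribution point may name further CRL issuers
            Set issuers = new HashSet();
            if (cert instanceof X509AttributeCertificate)
            {
                issuers.add(((X509AttributeCertificate)cert)
                    .getIssuer().getPrincipals()[0]);
            }
            else
            {
                issuers.add(getEncodedIssuerPrincipal(cert));
            }
            CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
        }
        catch (AnnotatedException e)
        {
            // must propagate: continuing would leave the selector without the
            // issuer criteria this step is supposed to set
            throw new AnnotatedException(
                "Could not get issuer information from distribution point.", e);
        }
        if (cert instanceof X509Certificate)
        {
            crlselect.setCertificateChecking((X509Certificate)cert);
        }
        else if (cert instanceof X509AttributeCertificate)
        {
            crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert);
        }

        // an explicit validation date in the parameters wins over the
        // caller-supplied one
        if (paramsPKIX.getDate() != null)
        {
            crlselect.setDateAndTime(paramsPKIX.getDate());
        }
        else
        {
            crlselect.setDateAndTime(currentDate);
        }

        crlselect.setCompleteCRLEnabled(true);

        Set crls = new HashSet();
        try
        {
            crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getStores()));
            crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
            crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getCertStores()));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Could not search for CRLs.", e);
        }
        if (crls.isEmpty())
        {
            if (cert instanceof X509AttributeCertificate)
            {
                X509AttributeCertificate aCert = (X509AttributeCertificate)cert;

                throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\"");
            }
            else
            {
                X509Certificate xCert = (X509Certificate)cert;

                throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\"");
            }
        }
        return crls;
    }

    /**
     * Determines the date at which the certificate at <code>index</code> in
     * the path has to be valid.
     * <p>
     * Under {@link ExtendedPKIXParameters#CHAIN_VALIDITY_MODEL} the end
     * certificate (index 0) uses the validation date of the parameters; an
     * issuing certificate uses the creation time of the certificate it issued
     * (the ISIS-MTT dateOfCertGen extension, if present and index is 1, else
     * that certificate's notBefore). For any other validity model the
     * validation date of the parameters is returned.
     * </p>
     *
     * @param paramsPKIX The extended PKIX parameters.
     * @param certPath The certification path, end certificate at position 0.
     * @param index The position of the certificate in the path.
     * @return The date at which the indexed certificate must be valid.
     * @throws AnnotatedException if the dateOfCertGen extension cannot be
     *             read or parsed.
     */
    protected static Date getValidCertDateFromValidityModel(
        ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index)
        throws AnnotatedException
    {
        if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
        {
            // if end cert use given signing/encryption/... time
            if (index <= 0)
            {
                return CertPathValidatorUtilities.getValidDate(paramsPKIX);
                // else use time when previous cert was created
            }
            else
            {
                if (index - 1 == 0)
                {
                    DERGeneralizedTime dateOfCertgen = null;
                    try
                    {
                        byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
                        if (extBytes != null)
                        {
                            dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Object.fromByteArray(extBytes));
                        }
                    }
                    catch (IOException e)
                    {
                        // keep the decoding failure as cause
                        throw new AnnotatedException(
                            "Date of cert gen extension could not be read.", e);
                    }
                    catch (IllegalArgumentException e)
                    {
                        throw new AnnotatedException(
                            "Date of cert gen extension could not be read.", e);
                    }
                    if (dateOfCertgen != null)
                    {
                        try
                        {
                            return dateOfCertgen.getDate();
                        }
                        catch (ParseException e)
                        {
                            throw new AnnotatedException(
                                "Date from date of cert gen extension could not be parsed.",
                                e);
                        }
                    }
                    return ((X509Certificate) certPath.getCertificates().get(
                        index - 1)).getNotBefore();
                }
                else
                {
                    return ((X509Certificate) certPath.getCertificates().get(
                        index - 1)).getNotBefore();
                }
            }
        }
        else
        {
            return getValidDate(paramsPKIX);
        }
    }

    /**
     * Return the next working key inheriting DSA parameters if necessary.
     * <p>
     * This method inherits DSA parameters from the indexed certificate or
     * previous certificates in the certificate chain to the returned
     * <code>PublicKey</code>. The list is searched upwards, meaning the end
     * certificate is at position 0 and previous certificates follow it.
     * </p>
     * <p>
     * If the indexed certificate does not contain a DSA key this method simply
     * returns the public key. If the DSA key already carries DSA parameters
     * the key is likewise returned unchanged.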
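* </p>
     *
     * @param certs The certification path.
     * @param index The index of the certificate which contains the public key
     *            which should be extended with DSA parameters.
     * @return The public key of the certificate in list position
     *         <code>index</code> extended with DSA parameters if applicable.
     * @throws CertPathValidatorException if DSA parameters cannot be inherited
     *             from a previous certificate in the path.
     */
    protected static PublicKey getNextWorkingKey(List certs, int index)
        throws CertPathValidatorException
    {
        Certificate cert = (Certificate) certs.get(index);
        PublicKey pubKey = cert.getPublicKey();
        if (!(pubKey instanceof DSAPublicKey))
        {
            return pubKey;
        }
        DSAPublicKey dsaPubKey = (DSAPublicKey) pubKey;
        if (dsaPubKey.getParams() != null)
        {
            return dsaPubKey;
        }
        // walk towards the trust anchor until a DSA key carrying parameters is
        // found; a non-DSA key on the way makes inheritance impossible
        for (int i = index + 1; i < certs.size(); i++)
        {
            X509Certificate parentCert = (X509Certificate)certs.get(i);
            pubKey = parentCert.getPublicKey();
            if (!(pubKey instanceof DSAPublicKey))
            {
                throw new CertPathValidatorException(
                    "DSA parameters cannot be inherited from previous certificate.");
            }
            DSAPublicKey prevDSAPubKey = (DSAPublicKey) pubKey;
            if (prevDSAPubKey.getParams() == null)
            {
                continue;
            }
            DSAParams dsaParams = prevDSAPubKey.getParams();
            // rebuild the indexed key with its own y and the inherited p, q, g
            DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec(
                dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG());
            try
            {
                KeyFactory keyFactory = KeyFactory.getInstance("DSA", "BC");
                return keyFactory.generatePublic(dsaPubKeySpec);
            }
            catch (Exception exception)
            {
                // keep the underlying failure as cause, not only its message
                throw new RuntimeException(exception.getMessage(), exception);
            }
        }
        throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate.");
    }

    /**
     * Find the issuer certificates of a given certificate.
     *
     * @param cert The certificate for which an issuer should be found.
     * @param pkixParams The PKIX builder parameters supplying the certificate
     *            stores that are searched.
     * @return A <code>Collection</code> object containing the issuer
     *         <code>X509Certificate</code>s. Never <code>null</code>.
     *
     * @exception AnnotatedException if an error occurs.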
*/
    protected static Collection findIssuerCerts(
        X509Certificate cert,
        ExtendedPKIXBuilderParameters pkixParams)
        throws AnnotatedException
    {
        // candidates are those whose subject equals this certificate's issuer
        X509CertStoreSelector certSelect = new X509CertStoreSelector();
        try
        {
            certSelect.setSubject(cert.getIssuerX500Principal().getEncoded());
        }
        catch (IOException ex)
        {
            throw new AnnotatedException(
                "Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
        }

        List matches = new ArrayList();
        try
        {
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getCertStores()));
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getStores()));
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getAdditionalStores()));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Issuer certificate cannot be searched.", e);
        }

        // the candidates are returned unverified: the signature cannot be
        // checked here because DSA parameters may still have to be inherited
        Set issuers = new HashSet();
        for (Iterator it = matches.iterator(); it.hasNext();)
        {
            issuers.add((X509Certificate) it.next());
        }
        return issuers;
    }
/**
     * Verifies the signature on a certificate with the given public key.
     *
     * @param cert The certificate whose signature is checked.
     * @param publicKey The key the signature is verified against.
     * @param sigProvider The name of the signature provider to use, or
     *            <code>null</code> to let the JCA select one.
     * @throws GeneralSecurityException if verification fails or the signature
     *             cannot be processed.
     */
    protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
        String sigProvider)
        throws GeneralSecurityException
    {
        if (sigProvider != null)
        {
            cert.verify(publicKey, sigProvider);
            return;
        }
        cert.verify(publicKey);
    }
}