1b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallampackage org.bouncycastle.jce.provider; 2b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 3b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.ByteArrayOutputStream; 4b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.IOException; 5c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.math.BigInteger; 6c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.GeneralSecurityException; 7c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.KeyFactory; 8b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.PublicKey; 94c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport java.security.cert.CRLException; 10b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPath; 11b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPathValidatorException; 12b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStore; 13b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStoreException; 14c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.Certificate; 15c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertificateParsingException; 16b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PKIXParameters; 17b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PolicyQualifierInfo; 18b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.TrustAnchor; 19b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRL; 204c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport java.security.cert.X509CRLEntry; 21b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRLSelector; 22b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter 
Hallamimport java.security.cert.X509CertSelector; 23b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509Certificate; 24c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.interfaces.DSAParams; 25c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.interfaces.DSAPublicKey; 26c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.spec.DSAPublicKeySpec; 27c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.text.ParseException; 28b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.ArrayList; 29b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Collection; 30b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Date; 31b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Enumeration; 32b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.HashSet; 33b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Iterator; 34b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.List; 35b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Map; 36b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Set; 37b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 38b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport javax.security.auth.x500.X500Principal; 39b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 404c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport org.bouncycastle.asn1.ASN1Encodable; 41b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1InputStream; 424c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport org.bouncycastle.asn1.ASN1Integer; 43b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OctetString; 44b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OutputStream; 
454c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport org.bouncycastle.asn1.ASN1Primitive; 46b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1Sequence; 47c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DEREnumerated; 48c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERGeneralizedTime; 49c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERIA5String; 50b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.DERObjectIdentifier; 51c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERSequence; 52c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers; 53b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.AlgorithmIdentifier; 54c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLDistPoint; 55c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLReason; 56c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPoint; 57c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPointName; 5870c8287138e69a98c2f950036f9f703ee37228c8Brian Carlstromimport org.bouncycastle.asn1.x509.Extension; 59c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralName; 60c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralNames; 61b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.PolicyInformation; 62b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 634c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstromimport 
org.bouncycastle.asn1.x509.X509Extension; 64c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// BEGIN android-removed 65c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// import org.bouncycastle.jce.X509LDAPCertStoreParameters; 66c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// END android-removed 67c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.jce.exception.ExtCertPathValidatorException; 6870c8287138e69a98c2f950036f9f703ee37228c8Brian Carlstromimport org.bouncycastle.util.Integers; 69c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.util.Selector; 70c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.util.StoreException; 71c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXBuilderParameters; 72c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.ExtendedPKIXParameters; 73c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// BEGIN android-removed 74c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// import org.bouncycastle.x509.X509AttributeCertStoreSelector; 75c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// END android-removed 76c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509AttributeCertificate; 77c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CRLStoreSelector; 78c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.x509.X509CertStoreSelector; 795db505e1f6a68c8d5dfdb0fed0b8607dea7bed96Kenny Root// BEGIN android-removed 805db505e1f6a68c8d5dfdb0fed0b8607dea7bed96Kenny Root// import org.bouncycastle.x509.X509Store; 815db505e1f6a68c8d5dfdb0fed0b8607dea7bed96Kenny Root// END android-removed 82b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 83b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallampublic class CertPathValidatorUtilities 
{
    // Shared helper for CRL lookups; stateless, so a single instance is fine.
    protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();

    // Extension OIDs as dotted-decimal strings, in the form X509Extension.getExtensionValue(String)
    // expects. They are derived from the BC Extension constants rather than typed by hand.
    protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId();
    protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId();
    protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId();
    protected static final String SUBJECT_ALTERNATIVE_NAME = Extension.subjectAlternativeName.getId();
    protected static final String NAME_CONSTRAINTS = Extension.nameConstraints.getId();
    protected static final String KEY_USAGE = Extension.keyUsage.getId();
    protected static final String INHIBIT_ANY_POLICY = Extension.inhibitAnyPolicy.getId();
    protected static final String ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId();
    protected static final String DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId();
    protected static final String POLICY_CONSTRAINTS = Extension.policyConstraints.getId();
    protected static final String FRESHEST_CRL = Extension.freshestCRL.getId();
    protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId();
    protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId();

    // The special anyPolicy identifier (id-ce-certificatePolicies.0, RFC 5280 4.2.1.4). This is
    // a policy OID, not an extension OID, which is why it is a literal and not an Extension constant.
    protected static final String ANY_POLICY = "2.5.29.32.0";

    protected static final String CRL_NUMBER = Extension.cRLNumber.getId();

    /*
     * Bit positions in the KeyUsage BIT STRING (RFC 5280 4.2.1.3), as indexed into the
     * boolean[] returned by X509Certificate.getKeyUsage(): keyCertSign is bit 5, cRLSign bit 6.
     * A CA certificate must assert keyCertSign to sign certificates and cRLSign to sign CRLs.
     */
    protected static final int KEY_CERT_SIGN = 5;
    protected static final int CRL_SIGN = 6;

    // Human-readable names for CRLReason values, indexed by the reason code. Index 7 ("unknown")
    // is a placeholder: RFC 5280 5.3.1 defines no reason with value 7.
    protected static final String[] crlReasons = new String[]{
        "unspecified",
        "keyCompromise",
        "cACompromise",
        "affiliationChanged",
        "superseded",
        "cessationOfOperation",
        "certificateHold",
        "unknown",
        "removeFromCRL",
        "privilegeWithdrawn",
        "aACompromise"};

    /**
     * Search the given Set of TrustAnchor's for one that is the
     * issuer of the given X509 certificate. Uses the default provider
     * for signature verification.
     * <p>
     * Convenience overload of {@link #findTrustAnchor(X509Certificate, Set, String)}
     * with a <code>null</code> provider; see that method for the matching rules.
     *
     * @param cert the X509 certificate
     * @param trustAnchors a Set of TrustAnchor's
     * @return the <code>TrustAnchor</code> object if found or
     * <code>null</code> if not.
     * @throws AnnotatedException if a TrustAnchor was found but the signature verification
     * on the given certificate has thrown an exception.
     */
    protected static TrustAnchor findTrustAnchor(
        X509Certificate cert,
        Set trustAnchors)
        throws AnnotatedException
    {
        return findTrustAnchor(cert, trustAnchors, null);
    }

    /**
     * Search the given Set of TrustAnchor's for one that is the
     * issuer of the given X509 certificate. Uses the specified
     * provider for signature verification, or the default provider
     * if null.
     * <p>
     * An anchor is a candidate when its name equals the certificate's issuer name
     * (trusted-certificate subject, or the CA name of a name/key anchor). A candidate
     * is accepted only if the certificate's signature verifies under the anchor's
     * public key; a candidate whose key does not verify is skipped and the search
     * continues with the next anchor, so several anchors sharing one name (e.g. a
     * re-keyed root) are tolerated. Name constraints carried by the TrustAnchor are
     * not evaluated here.
     *
     * @param cert the X509 certificate
     * @param trustAnchors a Set of TrustAnchor's
     * @param sigProvider the provider to use for signature verification
     * @return the <code>TrustAnchor</code> object if found or
     * <code>null</code> if not.
     * @throws AnnotatedException if a TrustAnchor was found but the signature verification
     * on the given certificate has thrown an exception.
     */
    protected static TrustAnchor findTrustAnchor(
        X509Certificate cert,
        Set trustAnchors,
        String sigProvider)
        throws AnnotatedException
    {
        TrustAnchor trust = null;
        PublicKey trustPublicKey = null;
        // Last verification failure seen for a name-matching anchor; surfaced only if no anchor verifies.
        Exception invalidKeyEx = null;

        // The selector matches anchors on subject name only; no other criteria are set.
        X509CertSelector certSelectX509 = new X509CertSelector();
        X500Principal certIssuer = getEncodedIssuerPrincipal(cert);

        try
        {
            certSelectX509.setSubject(certIssuer.getEncoded());
        }
        catch (IOException ex)
        {
            throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
        }

        // Loop ends at the first anchor that survives both the name match and the signature
        // check; `trust` is cleared whenever the current anchor is rejected.
        Iterator iter = trustAnchors.iterator();
        while (iter.hasNext() && trust == null)
        {
            trust = (TrustAnchor)iter.next();
            if (trust.getTrustedCert() != null)
            {
                // Certificate-based anchor: compare the anchor's subject with our issuer.
                if (certSelectX509.match(trust.getTrustedCert()))
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trust = null;
                }
            }
            else if (trust.getCAName() != null
                && trust.getCAPublicKey() != null)
            {
                // Name/key anchor: the CA name is a string and has to be parsed first.
                try
                {
                    X500Principal caName = new X500Principal(trust.getCAName());
                    if (certIssuer.equals(caName))
                    {
                        trustPublicKey = trust.getCAPublicKey();
                    }
                    else
                    {
                        trust = null;
                    }
                }
                catch (IllegalArgumentException ex)
                {
                    // Unparseable CA name: this anchor cannot match anything.
                    trust = null;
                }
            }
            else
            {
                trust = null;
            }

            if (trustPublicKey != null)
            {
                try
                {
                    // A name match alone proves nothing; the signature binds cert to this anchor's key.
                    verifyX509Certificate(cert, trustPublicKey, sigProvider);
                }
                catch (Exception ex)
                {
                    // Deliberately broad: any failure (bad signature, unsupported algorithm,
                    // provider error) disqualifies this anchor. Reset the key so a rejected
                    // anchor's key can never leak into the next iteration.
                    invalidKeyEx = ex;
                    trust = null;
                    trustPublicKey = null;
                }
            }
        }

        if (trust == null && invalidKeyEx != null)
        {
            throw new AnnotatedException("TrustAnchor found but certificate validation failed.", invalidKeyEx);
        }

        return trust;
    }

    /**
     * Adds an additional certificate store to <code>pkixParams</code> for every
     * uniformResourceIdentifier found in the issuerAltName extension of <code>cert</code>.
     * <p>
     * NOTE(review): the URI comes from a certificate that has not been validated yet, so
     * it is attacker-influenced. Stores only supply candidate certificates/CRLs (trust
     * still comes from the anchors), but whatever addAdditionalStoreFromLocation does with
     * the location - not visible here; the LDAP store import is removed in this Android
     * build - should treat it as untrusted input.
     *
     * @param cert the certificate whose issuerAltName is inspected
     * @param pkixParams the parameters the stores are added to
     * @throws CertificateParsingException if the issuerAltName extension cannot be decoded
     */
    protected static void addAdditionalStoresFromAltNames(
        X509Certificate cert,
        ExtendedPKIXParameters pkixParams)
        throws CertificateParsingException
    {
        // if in the IssuerAltName extension an URI
        // is given, add an additional X.509 store
        if (cert.getIssuerAlternativeNames() != null)
        {
            Iterator it = cert.getIssuerAlternativeNames().iterator();
            while (it.hasNext())
            {
                // look for URI: each entry is a [tag, value] pair as returned by the JDK API
                List list = (List)it.next();
                if (list.get(0).equals(Integers.valueOf(GeneralName.uniformResourceIdentifier)))
                {
                    // found; URI GeneralNames are returned by the JDK as a String
                    String temp = (String)list.get(1);
                    CertPathValidatorUtilities.addAdditionalStoreFromLocation(temp, pkixParams);
                }
            }
        }
    }

    /**
     * Returns the issuer of an attribute certificate or certificate.
     * <p>
     * Only X509Certificate and X509AttributeCertificate are handled; for an attribute
     * certificate the first issuer principal is taken and assumed to be an X500Principal.
     * Any other input fails with an unchecked exception (ClassCastException, or
     * ArrayIndexOutOfBoundsException if the issuer has no principals).
     *
     * @param cert The attribute certificate or certificate.
     * @return The issuer as <code>X500Principal</code>.
     */
    protected static X500Principal getEncodedIssuerPrincipal(
        Object cert)
    {
        if (cert instanceof X509Certificate)
        {
            return ((X509Certificate)cert).getIssuerX500Principal();
        }
        else
        {
            return (X500Principal)((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0];
        }
    }

    /**
     * Returns the date at which validity is to be checked: the date pinned in
     * <code>paramsPKIX</code>, or the current time if none was set.
     * Note that a fresh Date is created on every call when no date is pinned.
     *
     * @param paramsPKIX the validation parameters
     * @return the validation date, never <code>null</code>
     */
    protected static Date getValidDate(PKIXParameters paramsPKIX)
    {
        Date validDate = paramsPKIX.getDate();

        if (validDate == null)
        {
            validDate = new Date();
        }

        return validDate;
    }
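
    /**
     * Returns the subject of <code>cert</code> as an <code>X500Principal</code>.
     *
     * @param cert the certificate
     * @return the subject name
     */
    protected static X500Principal getSubjectPrincipal(X509Certificate cert)
    {
        return cert.getSubjectX500Principal();
    }

    /**
     * Tells whether <code>cert</code> is self-issued, i.e. its subject and issuer
     * names are the same (RFC 5280 6.1). Self-issued certificates are exempt from
     * name-constraint and path-length accounting, so this decision is security
     * relevant and is made with the same X500Principal comparison (canonical
     * representation) used by the other name helpers in this class, rather than
     * the denigrated getSubjectDN()/getIssuerDN() Principals whose equals()
     * semantics are provider specific.
     *
     * @param cert the certificate
     * @return <code>true</code> if subject and issuer names match
     */
    protected static boolean isSelfIssued(X509Certificate cert)
    {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }


    /**
     * Extract the value of the given extension, if it exists.
     *
     * @param ext The extension object.
     * @param oid The object identifier to obtain.
     * @return the decoded extension value, or <code>null</code> if the extension is absent
     * @throws AnnotatedException if the extension cannot be read.
     */
    protected static ASN1Primitive getExtensionValue(
        java.security.cert.X509Extension ext,
        String oid)
        throws AnnotatedException
    {
        byte[] bytes = ext.getExtensionValue(oid);
        if (bytes == null)
        {
            return null;
        }

        return getObject(oid, bytes);
    }

    /**
     * Decodes a raw extension value: the JDK hands back the DER OCTET STRING wrapper,
     * whose contents are the actual extension encoding.
     * Any decoding problem (including the wrapper not being an OCTET STRING) is turned
     * into an AnnotatedException so malformed extensions fail closed.
     *
     * @param oid the extension OID, used only for the error message
     * @param ext the raw value as returned by X509Extension.getExtensionValue
     * @return the decoded extension value
     * @throws AnnotatedException if decoding fails
     */
    private static ASN1Primitive getObject(
        String oid,
        byte[] ext)
        throws AnnotatedException
    {
        try
        {
            // Streams are byte-array backed, so not closing them holds no resources.
            ASN1InputStream aIn = new ASN1InputStream(ext);
            ASN1OctetString octs = (ASN1OctetString)aIn.readObject();

            aIn = new ASN1InputStream(octs.getOctets());
            return aIn.readObject();
        }
        catch (Exception e)
        {
            throw new AnnotatedException("exception processing extension " + oid, e);
        }
    }

    /**
     * Returns the issuer of <code>crl</code> as an <code>X500Principal</code>.
     *
     * @param crl the CRL
     * @return the issuer name
     */
    protected static X500Principal getIssuerPrincipal(X509CRL crl)
    {
        return crl.getIssuerX500Principal();
    }

    /**
     * Returns the AlgorithmIdentifier from the SubjectPublicKeyInfo encoding of
     * <code>key</code>.
     *
     * @param key the public key; its getEncoded() form must be a SubjectPublicKeyInfo
     * @return the key's algorithm identifier
     * @throws CertPathValidatorException if the encoding is missing or cannot be decoded
     */
    protected static AlgorithmIdentifier getAlgorithmIdentifier(
        PublicKey key)
        throws CertPathValidatorException
    {
        try
        {
            ASN1InputStream aIn = new ASN1InputStream(key.getEncoded());

            SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());

            return info.getAlgorithmId();
        }
        catch (Exception e)
        {
            // Also covers a null getEncoded() (NullPointerException) and bad structure.
            throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e);
        }
    }

    // crl checking


    //
    // policy checking
    //

    /**
     * Converts a SEQUENCE of PolicyQualifierInfo structures into a Set of JCA
     * <code>PolicyQualifierInfo</code> objects. Each element is re-encoded into a shared
     * buffer, which is reset after every element.
     *
     * @param qualifiers the qualifier sequence, may be <code>null</code>
     * @return the qualifiers as a Set, empty if <code>qualifiers</code> is <code>null</code>
     * @throws CertPathValidatorException if a qualifier cannot be (re)encoded or decoded
     */
    protected static final Set getQualifierSet(ASN1Sequence qualifiers)
        throws CertPathValidatorException
    {
        Set pq = new HashSet();

        if (qualifiers == null)
        {
            return pq;
        }

        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        ASN1OutputStream aOut = new ASN1OutputStream(bOut);

        Enumeration e = qualifiers.getObjects();

        while (e.hasMoreElements())
        {
            try
            {
                aOut.writeObject((ASN1Encodable)e.nextElement());

                // The JCA constructor parses the encoding and rejects malformed qualifiers.
                pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
            }
            catch (IOException ex)
            {
                throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
            }

            bOut.reset();
        }

        return pq;
    }

    /**
     * Removes <code>_node</code> from the valid policy tree and from the per-depth
     * node lists.
     *
     * @param validPolicyTree the root of the policy tree; if <code>null</code> nothing is done
     * @param policyNodes the per-depth node lists, updated in place
     * @param _node the node to remove
     * @return the (possibly unchanged) tree, or <code>null</code> if the tree is now empty
     */
    protected static PKIXPolicyNode removePolicyNode(
        PKIXPolicyNode validPolicyTree,
        List[] policyNodes,
        PKIXPolicyNode _node)
    {
        PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent();

        if (validPolicyTree == null)
        {
            return null;
        }

        if (_parent == null)
        {
            // Removing the root discards the whole tree: every depth list is emptied.
            for (int j = 0; j < policyNodes.length; j++)
            {
                policyNodes[j] = new ArrayList();
            }

            return null;
        }
        else
        {
            // Detach the subtree from its parent, then drop its nodes from the depth lists.
            _parent.removeChild(_node);
            removePolicyNodeRecurse(policyNodes, _node);

            return validPolicyTree;
        }
    }

    private static void removePolicyNodeRecurse(
        List[] policyNodes,
        PKIXPolicyNode _node)
    {
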
policyNodes[_node.getDepth()].remove(_node); 448b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 449b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam if (_node.hasChildren()) 450b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 451b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam Iterator _iter = _node.getChildren(); 452b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam while (_iter.hasNext()) 453b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 454b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam PKIXPolicyNode _child = (PKIXPolicyNode)_iter.next(); 455b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam removePolicyNodeRecurse(policyNodes, _child); 456b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 457b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 458b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 4594c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 4604c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 461b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static boolean processCertD1i( 4624c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom int index, 4634c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom List[] policyNodes, 464b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam DERObjectIdentifier pOid, 4654c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom Set pq) 466b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 4674c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom List policyNodeVec = policyNodes[index - 1]; 468b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 469b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam for (int j = 0; j < policyNodeVec.size(); j++) 470b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 471b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam PKIXPolicyNode node = (PKIXPolicyNode)policyNodeVec.get(j); 4724c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom Set expectedPolicies = node.getExpectedPolicies(); 
4734c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 474b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam if (expectedPolicies.contains(pOid.getId())) 475b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 476b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam Set childExpectedPolicies = new HashSet(); 477b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam childExpectedPolicies.add(pOid.getId()); 4784c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 479b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(), 4804c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom index, 4814c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom childExpectedPolicies, 4824c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom node, 4834c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom pq, 4844c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom pOid.getId(), 4854c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom false); 486b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam node.addChild(child); 487b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam policyNodes[index].add(child); 4884c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 489b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam return true; 490b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 491b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 4924c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 493b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam return false; 494b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 495b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 496b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam protected static void processCertD1ii( 4974c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom int index, 4984c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom List[] policyNodes, 499b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam DERObjectIdentifier _poid, 
500b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam Set _pq) 501b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 5024c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom List policyNodeVec = policyNodes[index - 1]; 503b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 504b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam for (int j = 0; j < policyNodeVec.size(); j++) 505b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 506b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j); 507c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 508b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam if (ANY_POLICY.equals(_node.getValidPolicy())) 509b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam { 510b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam Set _childExpectedPolicies = new HashSet(); 511b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam _childExpectedPolicies.add(_poid.getId()); 5124c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 513b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(), 5144c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom index, 5154c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom _childExpectedPolicies, 5164c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom _node, 5174c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom _pq, 5184c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom _poid.getId(), 5194c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom false); 520b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam _node.addChild(_child); 521b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam policyNodes[index].add(_child); 522b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam return; 523b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 524b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 525b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam } 
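/**
 * Policy-mapping step for certificate <code>i</code> (presumably RFC 5280 section
 * 6.1.4 (b)(1), judging by the name): the issuer-domain policy <code>id_p</code> is mapped
 * to the subject-domain policies <code>m_idp.get(id_p)</code>.
 * <p/>
 * If a node of depth <code>i</code> already carries <code>id_p</code> as its valid policy,
 * its expected-policy set is overwritten with the mapped set. Otherwise, if a node of depth
 * <code>i</code> carries anyPolicy <em>and</em> its parent does too, a new child with valid
 * policy <code>id_p</code>, the mapped expected set, the qualifiers of the anyPolicy entry
 * in <code>cert</code>'s certificatePolicies extension, and the criticality of that
 * extension is added under that parent. Only the first anyPolicy node of depth
 * <code>i</code> is considered.
 *
 * @param i           depth of the node(s) to update (index of <code>cert</code> in the
 *                    path). Expected to be at least 1: the parent of a depth-<code>i</code>
 *                    node is dereferenced without a null check.
 * @param policyNodes per-depth lists of tree nodes; modified in place.
 * @param id_p        issuer domain policy OID, as a dotted string.
 * @param m_idp       map from issuer domain policy OID (<code>String</code>) to the
 *                    <code>Set</code> of subject domain policy OIDs it maps to.
 * @param cert        the certificate carrying the policy mappings.
 * @throws AnnotatedException         if the certificatePolicies extension or one of its
 *                                    entries cannot be decoded.
 * @throws CertPathValidatorException if the anyPolicy qualifiers cannot be converted.
 */
protected static void prepareNextCertB1(
    int i,
    List[] policyNodes,
    String id_p,
    Map m_idp,
    X509Certificate cert
)
    throws AnnotatedException, CertPathValidatorException
{
    boolean idp_found = false;
    Iterator nodes_i = policyNodes[i].iterator();
    while (nodes_i.hasNext())
    {
        PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
        if (node.getValidPolicy().equals(id_p))
        {
            idp_found = true;
            // direct (package-private) field write, there is no setter for this
            node.expectedPolicies = (Set)m_idp.get(id_p);
            break;
        }
    }

    if (!idp_found)
    {
        nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (ANY_POLICY.equals(node.getValidPolicy()))
            {
                Set pq = null;
                ASN1Sequence policies = null;
                try
                {
                    policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
                }
                catch (Exception e)
                {
                    throw new AnnotatedException("Certificate policies cannot be decoded.", e);
                }
                // NOTE(review): if the extension is absent, getInstance(null) presumably
                // yields null and the next line throws NullPointerException. This step is
                // expected to run only while the policy tree is non-null, which requires
                // the extension to be present (RFC 5280 6.1.3 (e)) -- confirm in the caller.
                Enumeration e = policies.getObjects();
                while (e.hasMoreElements())
                {
                    PolicyInformation pinfo = null;

                    try
                    {
                        pinfo = PolicyInformation.getInstance(e.nextElement());
                    }
                    catch (Exception ex)
                    {
                        throw new AnnotatedException("Policy information cannot be decoded.", ex);
                    }
                    // the new node inherits the qualifiers of the certificate's anyPolicy entry
                    if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                    {
                        try
                        {
                            pq = getQualifierSet(pinfo.getPolicyQualifiers());
                        }
                        catch (CertPathValidatorException ex)
                        {
                            throw new ExtCertPathValidatorException(
                                "Policy qualifier info set could not be built.", ex);
                        }
                        break;
                    }
                }
                // criticality of the new node = criticality of the certificatePolicies
                // extension; getCriticalExtensionOIDs() may return null per its contract
                boolean ci = false;
                if (cert.getCriticalExtensionOIDs() != null)
                {
                    ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
                }

                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                if (ANY_POLICY.equals(p_node.getValidPolicy()))
                {
                    PKIXPolicyNode c_node = new PKIXPolicyNode(
                        new ArrayList(), i,
                        (Set)m_idp.get(id_p),
                        p_node, pq, id_p, ci);
                    p_node.addChild(c_node);
                    policyNodes[i].add(c_node);
                }
                break;
            }
        }
    }
}

/**
 * Policy-mapping step for an inhibited mapping (presumably RFC 5280 section 6.1.4 (b)(2),
 * judging by the name): every node of depth <code>i</code> whose valid policy is
 * <code>id_p</code> is deleted, and after each deletion the tree is pruned so that no node
 * of depth less than <code>i</code> is left without children.
 * <p/>
 * Pruning walks each depth list backwards: <code>removePolicyNode</code> deletes the node
 * from the very list being scanned, and a forward index would skip the element that slides
 * into the freed slot, leaving a childless node behind. During a single pass normally only
 * one node per depth loses its last child, so the forward loop rarely misbehaved, but the
 * backward walk is correct regardless of how many dead nodes there are.
 *
 * @param i               depth of the nodes to delete; expected to be at least 1 (the
 *                        parent of a matching node is dereferenced without a null check).
 * @param policyNodes     per-depth lists of tree nodes; modified in place.
 * @param id_p            issuer domain policy OID, as a dotted string.
 * @param validPolicyTree current root of the tree.
 * @return the (possibly pruned) root, or <code>null</code> if pruning removed the root.
 */
protected static PKIXPolicyNode prepareNextCertB2(
    int i,
    List[] policyNodes,
    String id_p,
    PKIXPolicyNode validPolicyTree)
{
    Iterator nodes_i = policyNodes[i].iterator();
    while (nodes_i.hasNext())
    {
        PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
        if (node.getValidPolicy().equals(id_p))
        {
            PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
            p_node.removeChild(node);
            nodes_i.remove();
            for (int k = (i - 1); k >= 0; k--)
            {
                List nodes = policyNodes[k];
                // backwards: removal at index l leaves indices below l untouched
                for (int l = nodes.size() - 1; l >= 0; l--)
                {
                    PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                    if (!node2.hasChildren())
                    {
                        validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2);
                        if (validPolicyTree == null)
                        {
                            // the root went away; policyNodes now holds fresh empty lists
                            break;
                        }
                    }
                }
            }
        }
    }
    return validPolicyTree;
}

/**
 * Tells whether a policy set imposes no restriction: it is <code>null</code>, empty, or
 * contains anyPolicy. The empty case follows the <code>PKIXParameters.getInitialPolicies()</code>
 * convention, where an empty set means any policy is acceptable.
 *
 * @param policySet the set of policy OID strings, or <code>null</code>.
 * @return <code>true</code> if any policy is acceptable.
 */
protected static boolean isAnyPolicy(
    Set policySet)
{
    return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty();
}

/**
 * Hook for turning a CRL distribution point URI into additional certificate/CRL stores.
 * <p/>
 * In this build the method is a no-op even when
 * <code>pkixParams.isAdditionalLocationsEnabled()</code> is true. The upstream body (kept
 * below, commented out) derived an LDAP host and base DN from <code>location</code> and
 * registered LDAP-backed X509Stores for certificates, CRLs, attribute certificates and
 * certificate pairs. Because <code>location</code> is taken straight from the certificate
 * under validation (see {@link #addAdditionalStoresFromCRLDistributionPoint}), that would
 * have let an attacker-supplied certificate direct the validator to an LDAP server of the
 * attacker's choosing; anyone restoring the code should validate or allow-list the host
 * first.
 *
 * @param location   URI taken from a cRLDistributionPoints fullName; currently unused.
 * @param pkixParams parameters consulted for <code>isAdditionalLocationsEnabled()</code>.
 */
protected static void addAdditionalStoreFromLocation(String location,
    ExtendedPKIXParameters pkixParams)
{
    if (pkixParams.isAdditionalLocationsEnabled())
    {
        try
        {
            // BEGIN android-removed
            // if (location.startsWith("ldap://"))
            // {
            //     // ldap://directory.d-trust.net/CN=D-TRUST
            //     // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE
            //     // skip "ldap://"
            //     location = location.substring(7);
            //     // after first / baseDN starts
            //     String base = null;
            //     String url = null;
            //     if (location.indexOf("/") != -1)
            //     {
            //         base = location.substring(location.indexOf("/"));
            //         // URL
            //         url = "ldap://"
            //             + location.substring(0, location.indexOf("/"));
            //     }
            //     else
            //     {
            //         url = "ldap://" + location;
            //     }
            //     // use all purpose parameters
            //     X509LDAPCertStoreParameters params = new X509LDAPCertStoreParameters.Builder(
            //         url, base).build();
            //     pkixParams.addAdditionalStore(X509Store.getInstance(
            //         "CERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
            //     pkixParams.addAdditionalStore(X509Store.getInstance(
            //         "CRL/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
            //     pkixParams.addAdditionalStore(X509Store.getInstance(
            //         "ATTRIBUTECERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
            //     pkixParams.addAdditionalStore(X509Store.getInstance(
            //         "CERTIFICATEPAIR/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
            // }
            // END android-removed
        }
        catch (Exception e)
        {
            // cannot happen while the body above is removed; if it is ever restored,
            // keep the cause attached so store construction failures stay diagnosable
            throw new RuntimeException("Exception adding X.509 stores.", e);
        }
    }
}

/**
 * Return a Collection of all certificates found in the given certificate stores that
 * match the <code>certSelect</code> criteria.
 * <p/>
 * Only <code>java.security.cert.CertStore</code> entries are supported in this build; the
 * upstream branch for BC <code>X509Store</code> entries is kept below, commented out. Any
 * other entry is rejected with an <code>AnnotatedException</code> rather than a bare
 * <code>ClassCastException</code>, so a misconfigured store list fails closed with a
 * readable message.
 *
 * @param certSelect selector applied to every store.
 * @param certStores a List of <code>CertStore</code> objects to search.
 * @return a Collection of all matching <code>X509Certificate</code> objects (backed by a
 *         Set, so the same certificate found in several stores appears once). May be
 *         empty but never <code>null</code>.
 * @throws AnnotatedException if an entry is not a <code>CertStore</code>, or if a store
 *                            fails while being queried.
 */
protected static Collection findCertificates(X509CertStoreSelector certSelect,
    List certStores)
    throws AnnotatedException
{
    Set certs = new HashSet();
    Iterator iter = certStores.iterator();

    while (iter.hasNext())
    {
        Object obj = iter.next();

        // BEGIN android-removed
        // if (obj instanceof X509Store)
        // {
        //     X509Store certStore = (X509Store)obj;
        //     try
        //     {
        //         certs.addAll(certStore.getMatches(certSelect));
        //     }
        //     catch (StoreException e)
        //     {
        //         throw new AnnotatedException(
        //             "Problem while picking certificates from X.509 store.", e);
        //     }
        // }
        // else
        // END android-removed
        {
            if (!(obj instanceof CertStore))
            {
                // no underlying cause: this is a configuration error, not a store failure
                throw new AnnotatedException(
                    "Unsupported certificate store type: "
                        + (obj == null ? "null" : obj.getClass().getName()), null);
            }
            CertStore certStore = (CertStore)obj;

            try
            {
                certs.addAll(certStore.getCertificates(certSelect));
            }
            catch (CertStoreException e)
            {
                throw new AnnotatedException(
                    "Problem while picking certificates from certificate store.",
                    e);
            }
        }
    }
    return certs;
}

// BEGIN android-removed
// protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
//                                              List certStores)
//     throws AnnotatedException
// {
//     Set certs = new HashSet();
//     Iterator iter = certStores.iterator();
//
//     while (iter.hasNext())
//     {
//         Object obj = iter.next();
//
//         if (obj instanceof X509Store)
//         {
//             X509Store certStore = (X509Store)obj;
//             try
//             {
//                 certs.addAll(certStore.getMatches(certSelect));
//             }
//             catch (StoreException e)
//             {
//                 throw new AnnotatedException(
//                     "Problem while picking certificates from X.509 store.", e);
//             }
//         }
//     }
//     return certs;
// }
// END android-removed

/**
 * Hands every URI found in the fullName of a cRLDistributionPoints extension to
 * {@link #addAdditionalStoreFromLocation} (a no-op in this build; see there for why the
 * LDAP lookup was removed).
 * <p/>
 * Only distribution points whose name is of type FULL_NAME are examined;
 * nameRelativeToCRLIssuer entries and non-URI GeneralNames are skipped.
 * <p/>
 * The extension content is attacker-controlled (it comes from the certificate being
 * validated), so every decode step reports failure as <code>AnnotatedException</code>
 * rather than letting an unchecked parser exception escape the validator.
 *
 * @param crldp      the decoded extension, or <code>null</code> (nothing is done).
 * @param pkixParams the parameters the stores would be added to.
 * @throws AnnotatedException if the distribution points, a distribution point name or a
 *                            URI inside it cannot be decoded.
 */
protected static void addAdditionalStoresFromCRLDistributionPoint(
    CRLDistPoint crldp, ExtendedPKIXParameters pkixParams)
    throws AnnotatedException
{
    if (crldp != null)
    {
        DistributionPoint[] dps = null;
        try
        {
            dps = crldp.getDistributionPoints();
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "Distribution points could not be read.", e);
        }
        for (int i = 0; i < dps.length; i++)
        {
            DistributionPointName dpn = dps[i].getDistributionPoint();
            // look for URIs in fullName
            if (dpn != null)
            {
                if (dpn.getType() == DistributionPointName.FULL_NAME)
                {
                    GeneralName[] genNames;
                    try
                    {
                        genNames = GeneralNames.getInstance(
                            dpn.getName()).getNames();
                    }
                    catch (Exception e)
                    {
                        // same failure mode as getDistributionPoints() above
                        throw new AnnotatedException(
                            "Distribution point name could not be read.", e);
                    }
                    // look for an URI
                    for (int j = 0; j < genNames.length; j++)
                    {
                        if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
                        {
                            String location;
                            try
                            {
                                location = DERIA5String.getInstance(
                                    genNames[j].getName()).getString();
                            }
                            catch (Exception e)
                            {
                                throw new AnnotatedException(
                                    "Distribution point URI could not be read.", e);
                            }
                            CertPathValidatorUtilities
                                .addAdditionalStoreFromLocation(location,
                                    pkixParams);
                        }
                    }
                }
            }
        }
    }
}

/**
 * Add the CRL issuers from the cRLIssuer field of the distribution point or
 * from the certificate if not given to the issuer criterion of the
 * <code>selector</code>.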
8434c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * <p/> 844c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * The <code>issuerPrincipals</code> are a collection with a single 845c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>X500Principal</code> for <code>X509Certificate</code>s. For 846c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * {@link X509AttributeCertificate}s the issuer may contain more than one 847c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>X500Principal</code>. 848c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 8494c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param dp The distribution point. 850c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param issuerPrincipals The issuers of the certificate or attribute 8514c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * certificate which contains the distribution point. 8524c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param selector The CRL selector. 8534c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param pkixParams The PKIX parameters containing the cert stores. 854c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if an exception occurs while processing. 855c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws ClassCastException if <code>issuerPrincipals</code> does not 856c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * contain only <code>X500Principal</code>s. 
857c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 858c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static void getCRLIssuersFromDistributionPoint( 859c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DistributionPoint dp, 860c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Collection issuerPrincipals, 861c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509CRLSelector selector, 862c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXParameters pkixParams) 863c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 864c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 865c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List issuers = new ArrayList(); 866c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // indirect CRL 867c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dp.getCRLIssuer() != null) 868c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 869c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom GeneralName genNames[] = dp.getCRLIssuer().getNames(); 870c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // look for a DN 871c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int j = 0; j < genNames.length; j++) 872c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 873c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (genNames[j].getTagNo() == GeneralName.directoryName) 874c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 875c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 876c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 877c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuers.add(new X500Principal(genNames[j].getName() 8784c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom .toASN1Primitive().getEncoded())); 879c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 880c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException e) 
881c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 882c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 883c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "CRL issuer information from distribution point cannot be decoded.", 884c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e); 885c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 886c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 887c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 888c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 889c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 890c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 891c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /* 892c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * certificate issuer is CRL issuer, distributionPoint field MUST be 893c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * present. 894c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 895c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dp.getDistributionPoint() == null) 896c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 897c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 898c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "CRL issuer is omitted from distribution point but no distributionPoint field present."); 899c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 900c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // add and check issuer principals 9014c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom for (Iterator it = issuerPrincipals.iterator(); it.hasNext(); ) 902c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 903c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuers.add((X500Principal)it.next()); 904c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 905c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
906c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid 907c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // distributionPoint 908c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (dp.getDistributionPoint() != null) 909c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 910c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // look for nameRelativeToCRLIssuer 911c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER) 912c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 913c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // append fragment to issuer, only one 914c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// // issuer can be there, if this is given 915c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// if (issuers.size() != 1) 916c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 917c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// throw new AnnotatedException( 918c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given."); 919c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 9204c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom// ASN1Encodable relName = dp.getDistributionPoint().getName(); 921c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// Iterator it = issuers.iterator(); 922c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// List issuersTemp = new ArrayList(issuers.size()); 923c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// while (it.hasNext()) 924c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 925c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// Enumeration e = null; 926c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstrom// try 927c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 928c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// e = ASN1Sequence.getInstance( 929c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// new ASN1InputStream(((X500Principal) it.next()) 930c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// .getEncoded()).readObject()).getObjects(); 931c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 932c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// catch (IOException ex) 933c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 934c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// throw new AnnotatedException( 935c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// "Cannot decode CRL issuer information.", ex); 936c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 937c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// ASN1EncodableVector v = new ASN1EncodableVector(); 938c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// while (e.hasMoreElements()) 939c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// { 9404c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom// v.add((ASN1Encodable) e.nextElement()); 941c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 942c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// v.add(relName); 943c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuersTemp.add(new X500Principal(new DERSequence(v) 944c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// .getDEREncoded())); 945c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 946c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuers.clear(); 947c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// issuers.addAll(issuersTemp); 948c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 949c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// } 950c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator it = 
issuers.iterator(); 951c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (it.hasNext()) 952c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 953c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 954c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 955c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom selector.addIssuerName(((X500Principal)it.next()).getEncoded()); 956c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 957c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException ex) 958c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 959c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 960c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Cannot decode CRL issuer information.", ex); 961c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 962c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 963c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 964c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 965c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom private static BigInteger getSerialNumber( 9664c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom Object cert) 967c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 968c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (cert instanceof X509Certificate) 969c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9704c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return ((X509Certificate)cert).getSerialNumber(); 971c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 972c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 973c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9744c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return ((X509AttributeCertificate)cert).getSerialNumber(); 975c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 976c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
9774c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 978c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static void getCertStatus( 9794c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom Date validDate, 9804c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom X509CRL crl, 9814c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom Object cert, 9824c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom CertStatus certStatus) 983c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 984c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9854c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom X509CRLEntry crl_entry = null; 9864c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 9874c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom boolean isIndirect; 988c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 989c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9904c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom isIndirect = X509CRLObject.isIndirectCRL(crl); 991c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 9924c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom catch (CRLException exception) 993c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9944c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom throw new AnnotatedException("Failed check for indirect CRL.", exception); 995c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 9964c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 9974c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (isIndirect) 998c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 9994c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); 10004c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10014c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (crl_entry == null) 1002c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 
10034c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return; 1004c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1005c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 10064c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom X500Principal certIssuer = crl_entry.getCertificateIssuer(); 10074c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10084c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (certIssuer == null) 1009c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 10104c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom certIssuer = getIssuerPrincipal(crl); 10114c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 1012c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 10134c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (!getEncodedIssuerPrincipal(cert).equals(certIssuer)) 10144c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10154c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return; 10164c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10174c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10184c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom else if (!getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl))) 10194c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10204c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return; // not for our issuer, ignore 10214c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10224c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom else 10234c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10244c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom crl_entry = crl.getRevokedCertificate(getSerialNumber(cert)); 10254c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10264c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (crl_entry == null) 10274c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10284c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return; 
10294c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10304c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10314c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10324c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom DEREnumerated reasonCode = null; 10334c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (crl_entry.hasExtensions()) 10344c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10354c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom try 10364c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10374c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom reasonCode = DEREnumerated 10384c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom .getInstance(CertPathValidatorUtilities 10394c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom .getExtensionValue(crl_entry, 10404c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom X509Extension.reasonCode.getId())); 10414c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10424c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom catch (Exception e) 10434c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10444c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom throw new AnnotatedException( 10454c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom "Reason code CRL entry extension could not be decoded.", 10464c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom e); 1047c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1048c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 10494c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10504c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom // for reason keyCompromise, caCompromise, aACompromise or 10514c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom // unspecified 10524c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime()) 10534c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom || reasonCode == null 
10544c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom || reasonCode.getValue().intValue() == 0 10554c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom || reasonCode.getValue().intValue() == 1 10564c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom || reasonCode.getValue().intValue() == 2 10574c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom || reasonCode.getValue().intValue() == 8) 10584c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10594c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 10604c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom // (i) or (j) (1) 10614c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (reasonCode != null) 10624c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10634c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom certStatus.setCertStatus(reasonCode.getValue().intValue()); 10644c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10654c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom // (i) or (j) (2) 10664c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom else 10674c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 10684c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom certStatus.setCertStatus(CRLReason.unspecified); 10694c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 10704c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom certStatus.setRevocationDate(crl_entry.getRevocationDate()); 10714c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 1072c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1073c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1074c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 1075c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Fetches delta CRLs according to RFC 3280 section 5.2.4. 1076c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 1077c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param currentDate The date for which the delta CRLs must be valid. 
10784c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param paramsPKIX The extended PKIX parameters. 1079c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param completeCRL The complete CRL the delta CRL is for. 1080c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs. 1081c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if an exception occurs while picking the delta 10824c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * CRLs. 1083c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1084c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static Set getDeltaCRLs(Date currentDate, 10854c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) 1086c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 1087c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1088c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1089c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector(); 1090c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1091c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 5.2.4 (a) 1092c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1093c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1094c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom deltaSelect.addIssuerName(CertPathValidatorUtilities 1095c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom .getIssuerPrincipal(completeCRL).getEncoded()); 1096c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1097c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException e) 1098c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 10994c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom throw new AnnotatedException("Cannot extract issuer from CRL.", 
e); 1100c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1101c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1102c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom BigInteger completeCRLNumber = null; 1103c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1104c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 11054c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom ASN1Primitive derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, 11064c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom CRL_NUMBER); 1107c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (derObject != null) 1108c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 11094c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue(); 1110c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1111c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1112c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 1113c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1114c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1115c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "CRL number extension could not be extracted from CRL.", e); 1116c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1117c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1118c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 5.2.4 (b) 1119c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom byte[] idp = null; 1120c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1121c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1122c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); 1123c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1124c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception e) 
1125c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1126c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1127c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Issuing distribution point extension value could not be read.", 1128c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e); 1129c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1130c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1131c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 5.2.4 (d) 1132c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1133c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber 1134c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom .add(BigInteger.valueOf(1))); 1135c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1136c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom deltaSelect.setIssuingDistributionPoint(idp); 1137c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom deltaSelect.setIssuingDistributionPointEnabled(true); 1138c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1139c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // 5.2.4 (c) 1140c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom deltaSelect.setMaxBaseCRLNumber(completeCRLNumber); 1141c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1142c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // find delta CRLs 11436e736056d64d0e33b26cf9f7c4e351b496241fdeBrian Carlstrom Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate); 1144c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1145c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set result = new HashSet(); 1146c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 11474c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom for (Iterator it = temp.iterator(); it.hasNext(); ) 1148c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
{ 1149c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509CRL crl = (X509CRL)it.next(); 11504c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 1151c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (isDeltaCRL(crl)) 1152c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1153c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom result.add(crl); 1154c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1155c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1156c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1157c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return result; 1158c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1159c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1160c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom private static boolean isDeltaCRL(X509CRL crl) 1161c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1162c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set critical = crl.getCriticalExtensionOIDs(); 1163c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 11644c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom if (critical == null) 11654c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom { 11664c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom return false; 11674c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom } 11684c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom 1169c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); 1170c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1171c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1172c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 1173c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Fetches complete CRLs according to RFC 3280. 
1174c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 11754c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param dp The distribution point for which the complete CRL 11764c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param cert The <code>X509Certificate</code> or 11774c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * {@link org.bouncycastle.x509.X509AttributeCertificate} for 11784c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * which the CRL should be searched. 1179c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param currentDate The date for which the delta CRLs must be valid. 11804c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * @param paramsPKIX The extended PKIX parameters. 1181c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @return A <code>Set</code> of <code>X509CRL</code>s with complete 1182c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * CRLs. 1183c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if an exception occurs while picking the CRLs 11844c111300c39cb2e27f07fc2ae3b00e23ed4443b2Brian Carlstrom * or no CRLs are found. 
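*/
    protected static Set getCompleteCRLs(DistributionPoint dp, Object cert,
        Date currentDate, ExtendedPKIXParameters paramsPKIX)
        throws AnnotatedException
    {
        X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
        try
        {
            // The certificate's own issuer is the starting point; the helper then
            // fills the selector from the distribution point and these issuers.
            Set issuers = new HashSet();
            if (cert instanceof X509AttributeCertificate)
            {
                issuers.add(((X509AttributeCertificate)cert)
                    .getIssuer().getPrincipals()[0]);
            }
            else
            {
                issuers.add(getEncodedIssuerPrincipal(cert));
            }
            CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException(
                "Could not get issuer information from distribution point.", e);
        }
        if (cert instanceof X509Certificate)
        {
            crlselect.setCertificateChecking((X509Certificate)cert);
        }
        else if (cert instanceof X509AttributeCertificate)
        {
            crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert);
        }

        // only complete CRLs (as opposed to delta CRLs) are wanted here
        crlselect.setCompleteCRLEnabled(true);

        Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);

        // An empty result is an error, never "not revoked": without CRL data the
        // revocation status of the certificate cannot be determined.
        if (crls.isEmpty())
        {
            if (cert instanceof X509AttributeCertificate)
            {
                X509AttributeCertificate aCert = (X509AttributeCertificate)cert;

                throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\"");
            }
            else
            {
                // NOTE(review): assumes any non-attribute certificate passed in is an X509Certificate
                X509Certificate xCert = (X509Certificate)cert;

                throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\"");
            }
        }
        return crls;
    }

    /**
     * Returns the date at which the certificate at position <code>index</code>
     * of <code>certPath</code> must be valid, according to the validity model
     * configured in <code>paramsPKIX</code>.
     * <p>
     * Under {@link ExtendedPKIXParameters#CHAIN_VALIDITY_MODEL} the end
     * certificate (position 0) is checked at the caller-supplied validation
     * date, while every other certificate is checked at the time the
     * certificate it issued (position <code>index - 1</code>) came into
     * existence: the ISIS-MTT DateOfCertGen extension of the end certificate if
     * it carries one, otherwise that certificate's <code>notBefore</code>.
     * Any other validity model uses the caller-supplied validation date for
     * every certificate.
     * </p>
     *
     * @param paramsPKIX The PKIX parameters holding the validity model and the
     *            validation date.
     * @param certPath The certification path, end certificate at position 0.
     * @param index The index of the certificate whose validity date is wanted.
     * @return The date at which the indexed certificate must be valid.
     * @throws AnnotatedException if the DateOfCertGen extension cannot be read
     *             or its date cannot be parsed.
     */
    protected static Date getValidCertDateFromValidityModel(
        ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index)
        throws AnnotatedException
    {
        if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
        {
            return getValidDate(paramsPKIX);
        }

        // end certificate: use the given signing/encryption/... time
        if (index <= 0)
        {
            return CertPathValidatorUtilities.getValidDate(paramsPKIX);
        }

        // otherwise use the time the certificate issued by this one was created
        X509Certificate issued = (X509Certificate)certPath.getCertificates().get(index - 1);
        if (index - 1 == 0)
        {
            // the end certificate may state its generation time explicitly
            DERGeneralizedTime dateOfCertgen = null;
            try
            {
                byte[] extBytes = issued.getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
                if (extBytes != null)
                {
                    dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
                }
            }
            catch (IOException e)
            {
                // keep the cause: it says what was wrong with the extension encoding
                throw new AnnotatedException(
                    "Date of cert gen extension could not be read.", e);
            }
            catch (IllegalArgumentException e)
            {
                throw new AnnotatedException(
                    "Date of cert gen extension could not be read.", e);
            }
            if (dateOfCertgen != null)
            {
                try
                {
                    return dateOfCertgen.getDate();
                }
                catch (ParseException e)
                {
                    throw new AnnotatedException(
                        "Date from date of cert gen extension could not be parsed.",
                        e);
                }
            }
        }
        return issued.getNotBefore();
    }

    /**
     * Return the next working key inheriting DSA parameters if necessary.
     * <p>
     * This method inherits DSA parameters from the indexed certificate or
     * previous certificates in the certificate chain to the returned
     * <code>PublicKey</code>. The list is searched upwards, meaning the end
     * certificate is at position 0 and previous certificates are following.
     * </p>
     * <p>
     * If the indexed certificate does not contain a DSA key this method simply
     * returns the public key. If the DSA key already contains DSA parameters
     * the key is also only returned.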
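* </p>
     *
     * @param certs The certification path.
     * @param index The index of the certificate which contains the public key
     *            which should be extended with DSA parameters.
     * @return The public key of the certificate in list position
     *         <code>index</code> extended with DSA parameters if applicable.
     * @throws CertPathValidatorException if DSA parameters cannot be inherited.
     */
    protected static PublicKey getNextWorkingKey(List certs, int index)
        throws CertPathValidatorException
    {
        Certificate cert = (Certificate)certs.get(index);
        PublicKey pubKey = cert.getPublicKey();
        if (!(pubKey instanceof DSAPublicKey))
        {
            return pubKey;
        }
        DSAPublicKey dsaPubKey = (DSAPublicKey)pubKey;
        if (dsaPubKey.getParams() != null)
        {
            return dsaPubKey;
        }
        // Parameters are absent: walk towards the issuing end of the path and
        // take the first explicit DSA parameters found. A non-DSA key on the way
        // breaks the inheritance chain, which is an error rather than a fallback.
        for (int i = index + 1; i < certs.size(); i++)
        {
            X509Certificate parentCert = (X509Certificate)certs.get(i);
            pubKey = parentCert.getPublicKey();
            if (!(pubKey instanceof DSAPublicKey))
            {
                throw new CertPathValidatorException(
                    "DSA parameters cannot be inherited from previous certificate.");
            }
            DSAPublicKey prevDSAPubKey = (DSAPublicKey)pubKey;
            if (prevDSAPubKey.getParams() == null)
            {
                continue;
            }
            DSAParams dsaParams = prevDSAPubKey.getParams();
            // rebuild the indexed key with its own Y and the inherited p, q, g
            DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec(
                dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG());
            try
            {
                KeyFactory keyFactory = KeyFactory.getInstance("DSA", BouncyCastleProvider.PROVIDER_NAME);
                return keyFactory.generatePublic(dsaPubKeySpec);
            }
            catch (Exception exception)
            {
                // Rebuilding a key from a spec is not expected to fail; keep the
                // original exception as the cause so the failure can be diagnosed.
                throw new RuntimeException(exception.getMessage(), exception);
            }
        }
        throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate.");
    }

    /**
     * Find the issuer certificates of a given certificate.
     *
     * @param cert The certificate for which an issuer should be found.
     * @param pkixParams The PKIX parameters supplying the certificate stores
     *            to search.
     * @return A <code>Collection</code> object containing the issuer
     *         <code>X509Certificate</code>s. Never <code>null</code>.
     * @throws AnnotatedException if an error occurs.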
*/
    protected static Collection findIssuerCerts(
        X509Certificate cert,
        ExtendedPKIXBuilderParameters pkixParams)
        throws AnnotatedException
    {
        // Candidates are selected by subject name only; no signature check
        // happens here.
        X509CertStoreSelector certSelect = new X509CertStoreSelector();
        try
        {
            certSelect.setSubject(cert.getIssuerX500Principal().getEncoded());
        }
        catch (IOException ex)
        {
            throw new AnnotatedException(
                "Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
        }

        List matches = new ArrayList();
        try
        {
            // every configured store kind is searched
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getCertStores()));
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getStores()));
            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getAdditionalStores()));
        }
        catch (AnnotatedException e)
        {
            throw new AnnotatedException("Issuer certificate cannot be searched.", e);
        }

        // duplicates found in several stores collapse in the set
        Set issuerCerts = new HashSet();
        for (Iterator it = matches.iterator(); it.hasNext();)
        {
            // the candidate cannot be verified at this point: DSA parameters it
            // may inherit from its own issuer are not known yet
            issuerCerts.add((X509Certificate)it.next());
        }
        return issuerCerts;
    }
/**
     * Verifies the signature on <code>cert</code> with <code>publicKey</code>.
     *
     * @param cert The certificate whose signature is checked.
     * @param publicKey The key the certificate is expected to be signed with.
     * @param sigProvider The name of the JCA provider to use for the signature
     *            check, or <code>null</code> to leave the choice to the JCA.
     * @throws GeneralSecurityException if the signature does not verify or the
     *             key, algorithm or provider cannot be used.
     */
    protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
        String sigProvider)
        throws GeneralSecurityException
    {
        if (sigProvider != null)
        {
            cert.verify(publicKey, sigProvider);
            return;
        }
        // no provider named: Certificate.verify(PublicKey) picks one
        cert.verify(publicKey);
    }
}