CertPathValidatorUtilities.java revision c4fa740cf84a54fceb87964ca8ea666fd41b5b8f
1b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallampackage org.bouncycastle.jce.provider; 2b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 3b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.ByteArrayOutputStream; 4b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.io.IOException; 5c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.math.BigInteger; 6c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.GeneralSecurityException; 7c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.KeyFactory; 8b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.PublicKey; 9b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPath; 10b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertPathValidatorException; 11b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStore; 12b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.CertStoreException; 13c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.Certificate; 14c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.cert.CertificateParsingException; 15b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PKIXParameters; 16b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.PolicyQualifierInfo; 17b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.TrustAnchor; 18b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRL; 19b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CRLSelector; 20b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509CertSelector; 21b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.security.cert.X509Certificate; 22c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstromimport java.security.interfaces.DSAParams; 23c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.interfaces.DSAPublicKey; 24c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.security.spec.DSAPublicKeySpec; 25c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport java.text.ParseException; 26b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.ArrayList; 27b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Arrays; 28b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Collection; 29b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Date; 30b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Enumeration; 31b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.HashSet; 32b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Iterator; 33b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.List; 34b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Map; 35b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport java.util.Set; 36b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 37b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport javax.security.auth.x500.X500Principal; 38b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallam 39b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1InputStream; 40c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.ASN1Object; 41b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OctetString; 42b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1OutputStream; 43b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.ASN1Sequence; 44c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DEREnumerated; 45c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian 
Carlstromimport org.bouncycastle.asn1.DERGeneralizedTime; 46c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERIA5String; 47b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.DERObject; 48b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.DERObjectIdentifier; 49c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.DERSequence; 50c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers; 51b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.AlgorithmIdentifier; 52c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLDistPoint; 53c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLNumber; 54c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CRLReason; 55c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.CertificateList; 56c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPoint; 57c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.DistributionPointName; 58c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralName; 59c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstromimport org.bouncycastle.asn1.x509.GeneralNames; 60b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.PolicyInformation; 61b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; 62b61a96e7ef1a78acf013bbf08fe537e5b5f129caPeter Hallamimport org.bouncycastle.asn1.x509.X509Extensions; 63c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// BEGIN android-removed 64c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom// 
// import org.bouncycastle.jce.X509LDAPCertStoreParameters;
// END android-removed
import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
import org.bouncycastle.util.Selector;
import org.bouncycastle.util.StoreException;
import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;
import org.bouncycastle.x509.ExtendedPKIXParameters;
// BEGIN android-removed
// import org.bouncycastle.x509.X509AttributeCertStoreSelector;
// END android-removed
import org.bouncycastle.x509.X509AttributeCertificate;
import org.bouncycastle.x509.X509CRLStoreSelector;
import org.bouncycastle.x509.X509CertStoreSelector;
import org.bouncycastle.x509.X509Store;

/**
 * Static helper routines shared by the PKIX certificate path validation and
 * building code in this package: trust anchor lookup, extension decoding,
 * policy qualifier conversion and policy tree pruning.
 * <p>
 * All members are static; the class holds no mutable state of its own apart
 * from the {@link #crlReasons} array, which is a plain (mutable) array and
 * should be treated as read-only by callers.
 */
public class CertPathValidatorUtilities
{
    protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();

    // Extension OIDs as dotted-decimal strings, in the form expected by
    // java.security.cert.X509Extension.getExtensionValue(String).
    protected static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId();
    protected static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId();
    protected static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId();
    protected static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();
    protected static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId();
    protected static final String KEY_USAGE = X509Extensions.KeyUsage.getId();
    protected static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId();
    protected static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId();
    protected static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId();
    protected static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId();
    protected static final String FRESHEST_CRL = X509Extensions.FreshestCRL.getId();
    protected static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId();
    protected static final String AUTHORITY_KEY_IDENTIFIER = X509Extensions.AuthorityKeyIdentifier.getId();

    // The special "anyPolicy" certificate policy identifier (id-ce-certificatePolicies.0).
    protected static final String ANY_POLICY = "2.5.29.32.0";

    protected static final String CRL_NUMBER = X509Extensions.CRLNumber.getId();

    /*
     * key usage bits
     *
     * Bit positions in the KeyUsage BIT STRING, i.e. indexes into the
     * boolean[] returned by X509Certificate.getKeyUsage().
     */
    protected static final int KEY_CERT_SIGN = 5;
    protected static final int CRL_SIGN = 6;

    // Human-readable names for CRL revocation reason codes; the array index is
    // the CRLReason enumerated value. Index 7 is not assigned a reason by the
    // X.509 CRLReason enumeration, hence "unknown".
    protected static final String[] crlReasons = new String[] {
        "unspecified",
        "keyCompromise",
        "cACompromise",
        "affiliationChanged",
        "superseded",
        "cessationOfOperation",
        "certificateHold",
        "unknown",
        "removeFromCRL",
        "privilegeWithdrawn",
        "aACompromise" };

    /**
     * Search the given Set of TrustAnchor's for one that is the
     * issuer of the given X509 certificate. Uses the default provider
     * for signature verification.
     * <p>
     * Convenience overload of
     * {@link #findTrustAnchor(X509Certificate, Set, String)} with a
     * <code>null</code> provider.
     *
     * @param cert the X509 certificate
     * @param trustAnchors a Set of TrustAnchor's
     *
     * @return the <code>TrustAnchor</code> object if found or
     * <code>null</code> if not.
     *
     * @exception AnnotatedException
     * if a TrustAnchor was found but the signature verification
     * on the given certificate has thrown an exception.
     */
    protected static TrustAnchor findTrustAnchor(
        X509Certificate cert,
        Set trustAnchors)
        throws AnnotatedException
    {
        return findTrustAnchor(cert, trustAnchors, null);
    }

    /**
     * Search the given Set of TrustAnchor's for one that is the
     * issuer of the given X509 certificate. Uses the specified
     * provider for signature verification, or the default provider
     * if null.
     * <p>
     * An anchor qualifies only if its name matches the certificate's
     * issuer <em>and</em> the certificate's signature verifies under the
     * anchor's public key. Anchors whose name matches but whose key does
     * not verify the signature are skipped; the last such verification
     * failure is remembered and reported as an
     * <code>AnnotatedException</code> if no anchor qualifies at all.
     * Anchors that carry neither a trusted certificate nor a CA name plus
     * CA public key are ignored.
     *
     * @param cert the X509 certificate
     * @param trustAnchors a Set of TrustAnchor's
     * @param sigProvider the provider to use for signature verification
     *
     * @return the <code>TrustAnchor</code> object if found or
     * <code>null</code> if not.
     *
     * @exception AnnotatedException
     * if a TrustAnchor was found but the signature verification
     * on the given certificate has thrown an exception.
     */
    protected static TrustAnchor findTrustAnchor(
        X509Certificate cert,
        Set trustAnchors,
        String sigProvider)
        throws AnnotatedException
    {
        TrustAnchor trust = null;
        PublicKey trustPublicKey = null;
        Exception invalidKeyEx = null;

        X509CertSelector certSelectX509 = new X509CertSelector();
        X500Principal certIssuer = getEncodedIssuerPrincipal(cert);

        try
        {
            // Match anchors by the DER-encoded issuer name rather than a
            // string form, so the comparison is done on the encoded DN.
            certSelectX509.setSubject(certIssuer.getEncoded());
        }
        catch (IOException ex)
        {
            throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
        }

        Iterator iter = trustAnchors.iterator();
        // Stops at the first anchor that both name-matches and verifies the
        // signature; 'trust' is reset to null whenever a candidate is rejected.
        while (iter.hasNext() && trust == null)
        {
            trust = (TrustAnchor) iter.next();
            if (trust.getTrustedCert() != null)
            {
                // Certificate-based anchor: compare its subject with the issuer.
                if (certSelectX509.match(trust.getTrustedCert()))
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trust = null;
                }
            }
            else if (trust.getCAName() != null
                && trust.getCAPublicKey() != null)
            {
                // Name/key-based anchor: parse the CA name and compare
                // X500Principals (X500Principal.equals does canonical comparison).
                try
                {
                    X500Principal caName = new X500Principal(trust.getCAName());
                    if (certIssuer.equals(caName))
                    {
                        trustPublicKey = trust.getCAPublicKey();
                    }
                    else
                    {
                        trust = null;
                    }
                }
                catch (IllegalArgumentException ex)
                {
                    // Unparseable CA name: this anchor cannot be used.
                    trust = null;
                }
            }
            else
            {
                trust = null;
            }

            if (trustPublicKey != null)
            {
                try
                {
                    verifyX509Certificate(cert, trustPublicKey, sigProvider);
                }
                catch (Exception ex)
                {
                    // Any failure (bad signature, unsupported algorithm, provider
                    // error) disqualifies this anchor; keep the exception so the
                    // caller learns why if no other anchor succeeds.
                    invalidKeyEx = ex;
                    trust = null;
                }
            }
        }

        if (trust == null && invalidKeyEx != null)
        {
            throw new AnnotatedException("TrustAnchor found but certificate validation failed.", invalidKeyEx);
        }

        return trust;
    }

    /**
     * Registers an additional X.509 store for every URI found in the
     * IssuerAltName extension of <code>cert</code>.
     * <p>
     * The URI is taken from the certificate under validation, i.e. from
     * untrusted input: the location handed to
     * {@link #addAdditionalStoreFromLocation} (presumably used to open a
     * store there; verify against that method) is chosen by whoever
     * produced the certificate. Callers should only rely on this where
     * consulting certificate-supplied locations is acceptable.
     *
     * @param cert the certificate whose IssuerAltName extension is inspected.
     * @param pkixParams the parameters the additional stores are added to.
     * @throws CertificateParsingException if the IssuerAltName extension
     * cannot be parsed.
     */
    protected static void addAdditionalStoresFromAltNames(
        X509Certificate cert,
        ExtendedPKIXParameters pkixParams)
        throws CertificateParsingException
    {
        // if in the IssuerAltName extension an URI
        // is given, add an additinal X.509 store
        if (cert.getIssuerAlternativeNames() != null)
        {
            Iterator it = cert.getIssuerAlternativeNames().iterator();
            while (it.hasNext())
            {
                // look for URI
                // Each entry is a two-element List: [Integer name type, value].
                List list = (List) it.next();
                // BEGIN android-changed
                if (list.get(0).equals(Integer.valueOf(GeneralName.uniformResourceIdentifier)))
                // END android-changed
                {
                    // found
                    String temp = (String) list.get(1);
                    CertPathValidatorUtilities.addAdditionalStoreFromLocation(temp, pkixParams);
                }
            }
        }
    }

    /**
     * Returns the issuer of an attribute certificate or certificate.
     * <p>
     * For an attribute certificate the first principal of the issuer is
     * used; an attribute certificate whose issuer carries no principals
     * will fail with an <code>ArrayIndexOutOfBoundsException</code>.
     * Anything that is not an <code>X509Certificate</code> is cast to
     * <code>X509AttributeCertificate</code>.
     *
     * @param cert The attribute certificate or certificate.
     * @return The issuer as <code>X500Principal</code>.
     */
    protected static X500Principal getEncodedIssuerPrincipal(
        Object cert)
    {
        if (cert instanceof X509Certificate)
        {
            return ((X509Certificate)cert).getIssuerX500Principal();
        }
        else
        {
            return (X500Principal)((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0];
        }
    }

    /**
     * Returns the validity date to validate against: the date configured in
     * <code>paramsPKIX</code>, or the current system time if none is set.
     *
     * @param paramsPKIX the PKIX parameters.
     * @return the configured date, or a fresh <code>Date</code> for "now".
     */
    protected static Date getValidDate(PKIXParameters paramsPKIX)
    {
        Date validDate = paramsPKIX.getDate();

        if (validDate == null)
        {
            // No explicit validation time: fall back to the wall clock.
            validDate = new Date();
        }

        return validDate;
    }

    /**
     * Returns the subject of the certificate as an <code>X500Principal</code>.
     *
     * @param cert the certificate.
     * @return the subject principal.
     */
    protected static X500Principal getSubjectPrincipal(X509Certificate cert)
    {
        return cert.getSubjectX500Principal();
    }

    /**
     * Returns <code>true</code> if the certificate's subject equals its
     * issuer, i.e. the certificate is self-issued.
     * <p>
     * NOTE(review): this compares the legacy <code>Principal</code> views
     * from <code>getSubjectDN()</code> / <code>getIssuerDN()</code>, whose
     * <code>equals</code> semantics depend on the certificate implementation;
     * comparing <code>getSubjectX500Principal()</code> with
     * <code>getIssuerX500Principal()</code> would be the canonical check.
     * Confirm other code in this package does not rely on the present
     * behaviour before changing it.
     *
     * @param cert the certificate.
     * @return whether subject and issuer compare equal.
     */
    protected static boolean isSelfIssued(X509Certificate cert)
    {
        return cert.getSubjectDN().equals(cert.getIssuerDN());
    }


    /**
     * Extract the value of the given extension, if it exists.
     *
     * @param ext
     * The extension object.
     * @param oid
     * The object identifier to obtain.
     * @return the decoded extension value, or <code>null</code> if the
     * extension is not present.
     * @throws AnnotatedException
     * if the extension cannot be read.
     */
    protected static DERObject getExtensionValue(
        java.security.cert.X509Extension ext,
        String oid)
        throws AnnotatedException
    {
        byte[] bytes = ext.getExtensionValue(oid);
        if (bytes == null)
        {
            return null;
        }

        return getObject(oid, bytes);
    }

    /**
     * Decodes a raw extension value: the bytes are the DER encoding of an
     * OCTET STRING whose contents are in turn the DER encoding of the
     * extension's actual value.
     *
     * @param oid the extension's OID, used only for the error message.
     * @param ext the raw bytes as returned by
     * <code>X509Extension.getExtensionValue</code>.
     * @return the inner decoded object.
     * @throws AnnotatedException if either decoding step fails (any
     * exception, including a failed cast to <code>ASN1OctetString</code>,
     * is wrapped).
     */
    private static DERObject getObject(
        String oid,
        byte[] ext)
        throws AnnotatedException
    {
        try
        {
            // Outer layer: the OCTET STRING wrapper.
            ASN1InputStream aIn = new ASN1InputStream(ext);
            ASN1OctetString octs = (ASN1OctetString)aIn.readObject();

            // Inner layer: the extension value itself.
            aIn = new ASN1InputStream(octs.getOctets());
            return aIn.readObject();
        }
        catch (Exception e)
        {
            throw new AnnotatedException("exception processing extension " + oid, e);
        }
    }

    /**
     * Returns the issuer of the CRL as an <code>X500Principal</code>.
     *
     * @param crl the CRL.
     * @return the issuer principal.
     */
    protected static X500Principal getIssuerPrincipal(X509CRL crl)
    {
        return crl.getIssuerX500Principal();
    }

    /**
     * Returns the algorithm identifier of a public key by decoding its
     * encoded form as a <code>SubjectPublicKeyInfo</code>.
     *
     * @param key the public key; <code>key.getEncoded()</code> must be the
     * DER SubjectPublicKeyInfo encoding.
     * @return the key's algorithm identifier.
     * @throws CertPathValidatorException (as
     * <code>ExtCertPathValidatorException</code>) if the encoding cannot
     * be decoded.
     */
    protected static AlgorithmIdentifier getAlgorithmIdentifier(
        PublicKey key)
        throws CertPathValidatorException
    {
        try
        {
            ASN1InputStream aIn = new ASN1InputStream(key.getEncoded());

            SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());

            return info.getAlgorithmId();
        }
        catch (Exception e)
        {
            throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e);
        }
    }

    // crl checking


    //
    // policy checking
    //

    /**
     * Converts the policy qualifiers of a PolicyInformation structure into a
     * set of JCA <code>PolicyQualifierInfo</code> objects. Each qualifier
     * is re-encoded individually; the output buffer is reset between
     * qualifiers so every <code>PolicyQualifierInfo</code> receives only
     * its own encoding.
     *
     * @param qualifiers the ASN.1 SEQUENCE of qualifiers, may be
     * <code>null</code>.
     * @return a (possibly empty) mutable <code>Set</code> of
     * <code>PolicyQualifierInfo</code>; never <code>null</code>.
     * @throws CertPathValidatorException (as
     * <code>ExtCertPathValidatorException</code>) if a qualifier cannot be
     * encoded or is rejected by <code>PolicyQualifierInfo</code>.
     */
    protected static final Set getQualifierSet(ASN1Sequence qualifiers)
        throws CertPathValidatorException
    {
        Set pq = new HashSet();

        if (qualifiers == null)
        {
            return pq;
        }

        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        ASN1OutputStream aOut = new ASN1OutputStream(bOut);

        Enumeration e = qualifiers.getObjects();

        while (e.hasMoreElements())
        {
            try
            {
                aOut.writeObject(e.nextElement());

                pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
            }
            catch (IOException ex)
            {
                throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
            }

            // Discard this qualifier's bytes before encoding the next one.
            bOut.reset();
        }

        return pq;
    }

    /**
     * Removes <code>_node</code> from the valid policy tree.
     * <p>
     * If the node is the root (it has no parent) the whole tree is
     * discarded: every per-depth list in <code>policyNodes</code> is
     * replaced by a fresh empty list and <code>null</code> is returned.
     * Otherwise the node is detached from its parent, it and its subtree
     * are removed from <code>policyNodes</code> via
     * <code>removePolicyNodeRecurse</code>, and the (unchanged) tree root
     * is returned. Note that <code>_node.getParent()</code> is evaluated
     * before the <code>validPolicyTree == null</code> check, so a
     * <code>null</code> node throws a <code>NullPointerException</code>
     * even when the tree is already <code>null</code>.
     *
     * @param validPolicyTree the root of the current valid policy tree, or
     * <code>null</code> if there is none.
     * @param policyNodes per-depth lists of the nodes in the tree; modified
     * in place.
     * @param _node the node to remove.
     * @return the tree root after removal, or <code>null</code> if the tree
     * is now empty.
     */
    protected static PKIXPolicyNode removePolicyNode(
        PKIXPolicyNode validPolicyTree,
        List [] policyNodes,
        PKIXPolicyNode _node)
    {
        PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent();

        if (validPolicyTree == null)
        {
            return null;
        }

        if (_parent == null)
        {
            // Removing the root empties the tree at every depth.
            for (int j = 0; j < policyNodes.length; j++)
            {
                policyNodes[j] = new ArrayList();
            }

            return null;
        }
        else
        {
            _parent.removeChild(_node);
            removePolicyNodeRecurse(policyNodes, _node);

            return validPolicyTree;
        }
    }
    /**
     * Drops <code>_node</code> and, recursively, all of its descendants from
     * the per-depth lists. The parent/child links between the nodes are left
     * untouched; unlinking from the parent is the caller's job.
     *
     * @param policyNodes per-depth lists of {@link PKIXPolicyNode}s; each node
     *                    is removed from the list at its own depth.
     * @param _node       the root of the subtree to drop.
     */
    private static void removePolicyNodeRecurse(
        List [] policyNodes,
        PKIXPolicyNode _node)
    {
        policyNodes[_node.getDepth()].remove(_node);

        if (!_node.hasChildren())
        {
            return;
        }

        for (Iterator children = _node.getChildren(); children.hasNext();)
        {
            removePolicyNodeRecurse(policyNodes, (PKIXPolicyNode)children.next());
        }
    }


    /**
     * Adds a child for the certificate policy <code>pOid</code> under the
     * first node at depth <code>index - 1</code> whose expected policy set
     * contains it (the name presumably follows the step labelling of the RFC
     * 3280 basic certificate processing, (d)(1)(i) &mdash; confirm against the
     * caller).
     * <p>
     * The new child expects exactly <code>pOid</code>, carries the qualifier
     * set <code>pq</code>, is marked non-critical and is appended to the list
     * at depth <code>index</code>. Only the first matching node receives a
     * child; the loop stops there.
     *
     * @param index       depth of the certificate being processed (&gt;= 1).
     * @param policyNodes per-depth lists of {@link PKIXPolicyNode}s.
     * @param pOid        the certificate policy identifier from the certificate.
     * @param pq          the policy qualifier set for the new child.
     * @return <code>true</code> if a child was created, <code>false</code> if no
     *         node at depth <code>index - 1</code> expects <code>pOid</code>.
     */
    protected static boolean processCertD1i(
        int index,
        List [] policyNodes,
        DERObjectIdentifier pOid,
        Set pq)
    {
        String policyId = pOid.getId();
        List parents = policyNodes[index - 1];

        for (Iterator it = parents.iterator(); it.hasNext();)
        {
            PKIXPolicyNode parent = (PKIXPolicyNode)it.next();

            if (!parent.getExpectedPolicies().contains(policyId))
            {
                continue;
            }

            Set childExpectedPolicies = new HashSet();
            childExpectedPolicies.add(policyId);

            PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(),
                index,
                childExpectedPolicies,
                parent,
                pq,
                policyId,
                false);
            parent.addChild(child);
            // depth `index` is a different list from `parents`, so the
            // iterator above is not invalidated
            policyNodes[index].add(child);

            return true;
        }

        return false;
    }
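    /**
     * Policy-tree step for a certificate policy that matched no expected
     * policy at depth <code>index - 1</code> (the name presumably follows the
     * step labelling of the RFC 3280 basic certificate processing, (d)(1)(ii)
     * &mdash; confirm against the caller): if a node at depth
     * <code>index - 1</code> has anyPolicy as its valid policy, a child for
     * <code>_poid</code> is created under it, marked non-critical, and appended
     * to the list at depth <code>index</code>. At most one child is created;
     * the method returns after the first anyPolicy node found.
     *
     * @param index       depth of the certificate being processed (&gt;= 1).
     * @param policyNodes per-depth lists of {@link PKIXPolicyNode}s.
     * @param _poid       the certificate policy identifier.
     * @param _pq         the policy qualifier set for the new child.
     */
    protected static void processCertD1ii(
        int index,
        List [] policyNodes,
        DERObjectIdentifier _poid,
        Set _pq)
    {
        List policyNodeVec = policyNodes[index - 1];

        for (int j = 0; j < policyNodeVec.size(); j++)
        {
            PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j);

            if (ANY_POLICY.equals(_node.getValidPolicy()))
            {
                Set _childExpectedPolicies = new HashSet();
                _childExpectedPolicies.add(_poid.getId());

                PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(),
                    index,
                    _childExpectedPolicies,
                    _node,
                    _pq,
                    _poid.getId(),
                    false);
                _node.addChild(_child);
                policyNodes[index].add(_child);
                return;
            }
        }
    }

    /**
     * Applies one policy mapping <code>id_p -&gt; m_idp.get(id_p)</code> to the
     * nodes at depth <code>i</code>.
     * <p>
     * First pass: if a node at depth <code>i</code> has <code>id_p</code> as
     * its valid policy, its expected policy set is replaced by the mapped set
     * and nothing else is done. Otherwise, if a node at depth <code>i</code>
     * has anyPolicy as its valid policy, a new node for <code>id_p</code> is
     * created under that node's parent &mdash; but only if the parent's valid
     * policy is anyPolicy as well. The new node inherits the qualifiers of the
     * anyPolicy entry of the certificate's certificatePolicies extension and
     * is flagged critical iff that extension is critical.
     * <p>
     * The certificatePolicies extension is parsed here again, from the
     * certificate, so every decoding failure is reported as an exception
     * rather than treated as "no policies".
     *
     * @param i           depth of the certificate being processed.
     * @param policyNodes per-depth lists of {@link PKIXPolicyNode}s; depth
     *                    <code>i</code> may gain one node.
     * @param id_p        the issuer domain policy being mapped.
     * @param m_idp       map from issuer domain policy to the {@link Set} of
     *                    subject domain policies it maps to.
     * @param cert        the certificate carrying the policy mapping.
     * @throws AnnotatedException if the certificatePolicies extension or one
     *         of its entries cannot be decoded.
     * @throws CertPathValidatorException if the qualifier set of the anyPolicy
     *         entry cannot be built.
     */
    protected static void prepareNextCertB1(
        int i,
        List[] policyNodes,
        String id_p,
        Map m_idp,
        X509Certificate cert
    ) throws AnnotatedException,CertPathValidatorException
    {
        boolean idp_found = false;
        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                idp_found = true;
                // direct field write: the expected set is replaced wholesale
                node.expectedPolicies = (Set)m_idp.get(id_p);
                break;
            }
        }

        if (!idp_found)
        {
            nodes_i = policyNodes[i].iterator();
            while (nodes_i.hasNext())
            {
                PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
                if (ANY_POLICY.equals(node.getValidPolicy()))
                {
                    Set pq = null;
                    ASN1Sequence policies = null;
                    try
                    {
                        policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
                    }
                    catch (Exception e)
                    {
                        throw

                        new AnnotatedException("Certificate policies cannot be decoded.", e);
                    }
                    // NOTE(review): `policies` is dereferenced without a null
                    // check; presumably this step is only reached for
                    // certificates that carry certificatePolicies - confirm
                    // against the caller.
                    Enumeration e = policies.getObjects();
                    while (e.hasMoreElements())
                    {
                        PolicyInformation pinfo = null;

                        try
                        {
                            pinfo = PolicyInformation.getInstance(e.nextElement());
                        }
                        catch (Exception ex)
                        {
                            throw new AnnotatedException("Policy information cannot be decoded.", ex);
                        }
                        if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
                        {
                            try
                            {
                                pq = getQualifierSet(pinfo.getPolicyQualifiers());
                            }
                            catch (CertPathValidatorException ex)
                            {
                                throw new ExtCertPathValidatorException(
                                    "Policy qualifier info set could not be built.", ex);
                            }
                            break;
                        }
                    }
                    // criticality of the certificatePolicies extension is
                    // propagated to the new node
                    boolean ci = false;
                    if (cert.getCriticalExtensionOIDs() != null)
                    {
                        ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
                    }

                    PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                    if (ANY_POLICY.equals(p_node.getValidPolicy()))
                    {
                        PKIXPolicyNode c_node = new PKIXPolicyNode(
                            new ArrayList(), i,
                            (Set)m_idp.get(id_p),
                            p_node, pq, id_p, ci);
                        p_node.addChild(c_node);
                        // this mutates the list `nodes_i` is iterating; the
                        // unconditional break below is what keeps that safe
                        policyNodes[i].add(c_node);
                    }
                    break;
                }
            }
        }
    }

    /**
     * Deletes every node at depth <code>i</code> whose valid policy is
     * <code>id_p</code> and then prunes, from depth <code>i - 1</code> down to
     * the root, nodes that have been left without children.
     *
     * @param i               depth of the certificate being processed.
     * @param policyNodes     per-depth lists of {@link PKIXPolicyNode}s; updated
     *                        in place.
     * @param id_p            the policy whose nodes are deleted.
     * @param validPolicyTree the current tree root.
     * @return the tree root after pruning, or <code>null</code> if the tree
     *         became empty.
     */
    protected static PKIXPolicyNode prepareNextCertB2(
        int i,
        List[] policyNodes,
        String id_p,
        PKIXPolicyNode validPolicyTree)
    {
        Iterator nodes_i = policyNodes[i].iterator();
        while (nodes_i.hasNext())
        {
            PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
            if (node.getValidPolicy().equals(id_p))
            {
                PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
                p_node.removeChild(node);
                nodes_i.remove();
                for (int k = (i - 1); k >= 0; k--)
                {
                    List nodes = policyNodes[k];
                    for (int l = 0; l < nodes.size(); l++)
                    {
                        PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
                        if (!node2.hasChildren())
                        {
                            // NOTE(review): removePolicyNode removes node2 from
                            // the list at its depth, so the element that
                            // shifts into slot l is not examined on this pass
                            // - confirm whether that is intended.
                            validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2);
                            if (validPolicyTree == null)
                            {
                                break;
                            }
                        }
                    }
                }
            }
        }
        return validPolicyTree;
    }

    /**
     * Tells whether a policy set places no restriction on policies.
     *
     * @param policySet the set of policy identifiers, may be <code>null</code>.
     * @return <code>true</code> if the set is <code>null</code>, empty, or
     *         contains {@link #ANY_POLICY}.
     */
    protected static boolean isAnyPolicy(
        Set policySet)
    {
        return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty();
    }

    /**
     * Registers additional certificate/CRL stores for a location taken from a
     * certificate extension (see the CRL distribution point caller below).
     * <p>
     * On this build the LDAP handling is removed (android-removed block), so
     * the method has no effect beyond consulting
     * {@link ExtendedPKIXParameters#isAdditionalLocationsEnabled()}. The
     * location is untrusted data from the certificate under validation; any
     * future re-enablement should treat it as such.
     *
     * @param location   the location string from the certificate.
     * @param pkixParams the parameters receiving the additional stores.
     * @throws RuntimeException if adding a store fails; the original exception
     *         is attached as the cause.
     */
    protected static void addAdditionalStoreFromLocation(String location,
        ExtendedPKIXParameters pkixParams)
    {
        if (pkixParams.isAdditionalLocationsEnabled())
        {
            try
            {
                // BEGIN android-removed
                // if (location.startsWith("ldap://"))
                // {
                //     // ldap://directory.d-trust.net/CN=D-TRUST
                //     // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE
                //     // skip "ldap://"
                //     location = location.substring(7);
                //     // after first / baseDN starts
                //     String base = null;
                //     String url = null;
                //     if (location.indexOf("/") != -1)
                //     {
                //         base = location.substring(location.indexOf("/"));
                //         // URL
                //         url = "ldap://"
                //             + location.substring(0, location.indexOf("/"));
                //     }
                //     else
                //     {
                //         url = "ldap://" + location;
                //     }
                //     // use all purpose parameters
                //     X509LDAPCertStoreParameters params = new X509LDAPCertStoreParameters.Builder(
                //         url, base).build();
                //     pkixParams.addAdditionalStore(X509Store.getInstance(
                //         "CERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
                //     pkixParams.addAdditionalStore(X509Store.getInstance(
                //         "CRL/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
                //     pkixParams.addAdditionalStore(X509Store.getInstance(
                //         "ATTRIBUTECERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
                //     pkixParams.addAdditionalStore(X509Store.getInstance(
                //         "CERTIFICATEPAIR/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
                // }
                // END android-removed
            }
            catch (Exception e)
            {
                // cannot happen
                // keep the cause: a bare message made the failure undiagnosable
                throw new RuntimeException("Exception adding X.509 stores.", e);
            }
        }
    }

    /**
     * Return a Collection of all certificates or attribute certificates found
     * in the X509Stores that match the certSelect criteria.
     *
     * @param certSelect a {@link Selector} object that will be used to select
     *            the certificates
     * @param certStores a List containing only {@link X509Store} objects. These
     *            are used to search for certificates. Any element that is not
     *            an X509Store is cast to a {@link CertStore}.
     *
     * @return a Collection of all found {@link X509Certificate} or
     *         {@link org.bouncycastle.x509.X509AttributeCertificate} objects.
     *         May be empty but never <code>null</code>.
     * @throws AnnotatedException if a store reports an error while matching.
     * @throws ClassCastException if an element of <code>certStores</code> is
     *         neither an X509Store nor a CertStore.
     */
    protected static Collection findCertificates(X509CertStoreSelector certSelect,
        List certStores) throws AnnotatedException
    {
        Set certs = new HashSet();
        Iterator iter = certStores.iterator();

        while (iter.hasNext())
        {
            Object obj = iter.next();

            if (obj instanceof X509Store)
            {
                X509Store certStore = (X509Store)obj;
                try
                {
                    certs.addAll(certStore.getMatches(certSelect));
                }
                catch (StoreException e)
                {
                    throw

                    new AnnotatedException(
                        "Problem while picking certificates from X.509 store.", e);
                }
            }
            else
            {
                CertStore certStore = (CertStore)obj;

                try
                {
                    certs.addAll(certStore.getCertificates(certSelect));
                }
                catch (CertStoreException e)
                {
                    throw new AnnotatedException(
                        "Problem while picking certificates from certificate store.",
                        e);
                }
            }
        }
        return certs;
    }

    // BEGIN android-removed
    // protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,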
    //     List certStores)
    //     throws AnnotatedException
    // {
    //     Set certs = new HashSet();
    //     Iterator iter = certStores.iterator();
    //
    //     while (iter.hasNext())
    //     {
    //         Object obj = iter.next();
    //
    //         if (obj instanceof X509Store)
    //         {
    //             X509Store certStore = (X509Store)obj;
    //             try
    //             {
    //                 certs.addAll(certStore.getMatches(certSelect));
    //             }
    //             catch (StoreException e)
    //             {
    //                 throw
    //
    //                 new AnnotatedException(
    //                     "Problem while picking certificates from X.509 store.", e);
    //             }
    //         }
    //     }
    //     return certs;
    // }
    // END android-removed

    /**
     * Registers an additional store for every URI found in the fullName of
     * each distribution point of a cRLDistributionPoints extension.
     * <p>
     * Only distribution points of type
     * {@link DistributionPointName#FULL_NAME} are examined, and within them
     * only GeneralNames tagged uniformResourceIdentifier. The URI strings
     * come straight from the certificate under validation and are handed to
     * {@link #addAdditionalStoreFromLocation(String, ExtendedPKIXParameters)}
     * unchanged; that method is where any fetching or filtering would live.
     *
     * @param crldp      the decoded extension, may be <code>null</code> (no-op).
     * @param pkixParams the parameters receiving the additional stores.
     * @throws AnnotatedException if the distribution points cannot be read.
     */
    protected static void addAdditionalStoresFromCRLDistributionPoint(
        CRLDistPoint crldp, ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        if (crldp == null)
        {
            return;
        }

        DistributionPoint[] points;
        try
        {
            points = crldp.getDistributionPoints();
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "Distribution points could not be read.", e);
        }

        for (int i = 0; i < points.length; i++)
        {
            DistributionPointName dpn = points[i].getDistributionPoint();

            // only a fullName can carry URIs; nameRelativeToCRLIssuer is skipped
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME)
            {
                continue;
            }

            GeneralName[] names = GeneralNames.getInstance(dpn.getName()).getNames();

            for (int j = 0; j < names.length; j++)
            {
                if (names[j].getTagNo() != GeneralName.uniformResourceIdentifier)
                {
                    continue;
                }

                String uri = DERIA5String.getInstance(names[j].getName()).getString();
                CertPathValidatorUtilities.addAdditionalStoreFromLocation(uri, pkixParams);
            }
        }
    }
/**
 * Adds the CRL issuer names that apply to a distribution point to the issuer
 * criterion of <code>selector</code>.
 * <p>
 * If the distribution point carries a <code>cRLIssuer</code> field (indirect
 * CRL) every <code>directoryName</code> in it becomes an issuer. Otherwise the
 * certificate issuer is the CRL issuer, i.e. <code>issuerPrincipals</code> is
 * used, and the <code>distributionPoint</code> field MUST be present.
 * <p>
 * <code>issuerPrincipals</code> holds a single <code>X500Principal</code> for an
 * <code>X509Certificate</code>; for an {@link X509AttributeCertificate} it may
 * hold more than one.
 *
 * @param dp               The distribution point.
 * @param issuerPrincipals The issuers of the certificate or attribute certificate
 *                         that contains the distribution point.
 * @param selector         The CRL selector that receives the issuer names.
 * @param pkixParams       The PKIX parameters containing the cert stores (not
 *                         referenced by this method).
 * @throws AnnotatedException if a cRLIssuer name cannot be decoded, if neither
 *                            cRLIssuer nor distributionPoint is present, or if
 *                            an issuer name cannot be added to the selector.
 * @throws ClassCastException if <code>issuerPrincipals</code> does not contain
 *                            only <code>X500Principal</code>s.
 */
    protected static void getCRLIssuersFromDistributionPoint(
        DistributionPoint dp,
        Collection issuerPrincipals,
        X509CRLSelector selector,
        ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        List crlIssuers = new ArrayList();

        GeneralNames crlIssuerField = dp.getCRLIssuer();
        if (crlIssuerField != null)
        {
            // indirect CRL: the CRL issuer is named explicitly, collect every DN
            GeneralName[] names = crlIssuerField.getNames();
            for (int n = 0; n < names.length; n++)
            {
                if (names[n].getTagNo() != GeneralName.directoryName)
                {
                    continue;
                }
                try
                {
                    crlIssuers.add(new X500Principal(names[n].getName().getDERObject().getEncoded()));
                }
                catch (IOException e)
                {
                    throw new AnnotatedException(
                        "CRL issuer information from distribution point cannot be decoded.", e);
                }
            }
        }
        else
        {
            // the certificate issuer is the CRL issuer; the distributionPoint
            // field MUST then be present
            if (dp.getDistributionPoint() == null)
            {
                throw new AnnotatedException(
                    "CRL issuer is omitted from distribution point but no distributionPoint field present.");
            }
            for (Iterator it = issuerPrincipals.iterator(); it.hasNext();)
            {
                crlIssuers.add((X500Principal)it.next());
            }
        }

        // TODO: a nameRelativeToCRLIssuer distributionPoint is deliberately not
        // appended to the issuer names. An earlier implementation did so, but the
        // CRL was then not found: either the JDK selector is buggy here or the
        // PKI test case is invalid.

        for (Iterator it = crlIssuers.iterator(); it.hasNext();)
        {
            try
            {
                selector.addIssuerName(((X500Principal)it.next()).getEncoded());
            }
            catch (IOException ex)
            {
                throw new AnnotatedException("Cannot decode CRL issuer information.", ex);
            }
        }
    }

    /**
     * Returns the serial number of an <code>X509Certificate</code>, or of an
     * {@link X509AttributeCertificate} for any other argument.
     *
     * @param cert The certificate or attribute certificate.
     * @return Its serial number.
     * @throws ClassCastException if <code>cert</code> is neither type.
     */
    private static BigInteger getSerialNumber(
        Object cert)
    {
        if (cert instanceof X509Certificate)
        {
            return ((X509Certificate)cert).getSerialNumber();
        }
        return ((X509AttributeCertificate)cert).getSerialNumber();
    }
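/**
 * Checks whether <code>cert</code> is listed in <code>crl</code> and, if that
 * entry counts as a revocation at <code>validDate</code>, records the reason and
 * the revocation date in <code>certStatus</code> (steps (i)/(j) of the RFC 3280
 * revocation processing).
 * <p>
 * An entry matches only if its serial number equals the certificate's AND either
 * the entry's certificate issuer or the CRL's issuer equals the certificate's
 * issuer (a serial number is only unique per issuer). The entry is then treated
 * as a revocation if <code>validDate</code> is not before the revocation date or,
 * irrespective of the date, if the reason is absent or one of unspecified,
 * keyCompromise, cACompromise or aACompromise.
 *
 * @param validDate  The date the certificate is being validated for.
 * @param crl        The CRL to search; re-parsed as a BC <code>X509CRLObject</code>
 *                   so that indirect CRLs are handled.
 * @param cert       The <code>X509Certificate</code> or attribute certificate.
 * @param certStatus Receives the reason and revocation date when revoked; left
 *                   untouched otherwise.
 * @throws AnnotatedException if the CRL cannot be re-parsed or a reasonCode entry
 *                            extension cannot be decoded.
 */
    protected static void getCertStatus(
        Date validDate,
        X509CRL crl,
        Object cert,
        CertStatus certStatus)
        throws AnnotatedException
    {
        // use BC X509CRLObject so that indirect CRLs are supported
        X509CRLObject bcCRL;
        try
        {
            bcCRL = new X509CRLObject(new CertificateList(
                (ASN1Sequence)ASN1Sequence.fromByteArray(crl.getEncoded())));
        }
        catch (Exception exception)
        {
            throw new AnnotatedException("Bouncy Castle X509CRLObject could not be created.", exception);
        }

        // use BC X509CRLEntryObject, so that getCertificateIssuer() is supported
        X509CRLEntryObject crlEntry = (X509CRLEntryObject)bcCRL.getRevokedCertificate(getSerialNumber(cert));
        if (crlEntry == null)
        {
            return;
        }

        // the serial number alone is not enough: the entry must belong to the
        // certificate's issuer (directly, or via the entry's certificate issuer)
        X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
        if (!certIssuer.equals(crlEntry.getCertificateIssuer())
            && !certIssuer.equals(getIssuerPrincipal(crl)))
        {
            return;
        }

        DEREnumerated reasonCode = null;
        if (crlEntry.hasExtensions())
        {
            try
            {
                reasonCode = DEREnumerated.getInstance(CertPathValidatorUtilities
                    .getExtensionValue(crlEntry, X509Extensions.ReasonCode.getId()));
            }
            catch (Exception e)
            {
                // FIX: the exception used to be constructed but never thrown, so a
                // malformed reasonCode was silently swallowed; fail loudly instead
                throw new AnnotatedException(
                    "Reason code CRL entry extension could not be decoded.", e);
            }
        }

        // The entry counts as a revocation once the revocation date has been
        // reached, or — regardless of the date — for an absent reason and for
        // unspecified, keyCompromise, cACompromise and aACompromise.
        // FIX: the original compared against the literal 8, which in the CRLReason
        // enumeration (RFC 3280, 5.3.1) is removeFromCRL; aACompromise is 10, as the
        // accompanying comment intended. Named constants make that explicit.
        int reason = reasonCode == null ? -1 : reasonCode.getValue().intValue();
        boolean revoked = validDate.getTime() >= crlEntry.getRevocationDate().getTime()
            || reasonCode == null
            || reason == CRLReason.unspecified
            || reason == CRLReason.keyCompromise
            || reason == CRLReason.cACompromise
            || reason == CRLReason.aACompromise;
        if (!revoked)
        {
            return;
        }

        // (i) or (j) (1): the reason from the entry; (i) or (j) (2): unspecified if absent
        certStatus.setCertStatus(reasonCode != null ? reason : CRLReason.unspecified);
        certStatus.setRevocationDate(crlEntry.getRevocationDate());
    }

    /**
     * Fetches delta CRLs according to RFC 3280 section 5.2.4.
     *
     * @param currentDate The date for which the delta CRLs must be valid.
     * @param paramsPKIX The extended PKIX parameters.
     * @param completeCRL The complete CRL the delta CRL is for.
     * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
     * @throws AnnotatedException if an exception occurs while picking the delta
     *             CRLs.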
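 */
    protected static Set getDeltaCRLs(Date currentDate,
        ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL)
        throws AnnotatedException
    {
        X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();

        // 5.2.4 (a): a delta must come from the same issuer as the complete CRL
        try
        {
            deltaSelect.addIssuerName(CertPathValidatorUtilities
                .getIssuerPrincipal(completeCRL).getEncoded());
        }
        catch (IOException e)
        {
            // FIX: this exception used to be created but never thrown, which left
            // the selector without an issuer criterion (any issuer matches) and
            // silently continued; fail instead
            throw new AnnotatedException("Cannot extract issuer from CRL.", e);
        }

        BigInteger completeCRLNumber = null;
        try
        {
            DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL,
                CRL_NUMBER);
            if (derObject != null)
            {
                completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue();
            }
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "CRL number extension could not be extracted from CRL.", e);
        }

        // 5.2.4 (b): the delta's issuing distribution point must match
        byte[] idp;
        try
        {
            idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
        }
        catch (Exception e)
        {
            throw new AnnotatedException(
                "Issuing distribution point extension value could not be read.",
                e);
        }

        // 5.2.4 (d): the delta's CRL number must be greater than the complete CRL's
        deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.ONE));

        deltaSelect.setIssuingDistributionPoint(idp);
        deltaSelect.setIssuingDistributionPointEnabled(true);

        // 5.2.4 (c): the delta's base CRL number must not exceed the complete CRL's
        deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);

        Set candidates = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate);

        // keep only the candidates that really carry a critical deltaCRLIndicator
        Set result = new HashSet();
        for (Iterator it = candidates.iterator(); it.hasNext();)
        {
            X509CRL crl = (X509CRL)it.next();
            if (isDeltaCRL(crl))
            {
                result.add(crl);
            }
        }
        return result;
    }

    /**
     * Tells whether <code>crl</code> carries a critical deltaCRLIndicator extension.
     *
     * @param crl The CRL to inspect.
     * @return <code>true</code> if the CRL is a delta CRL.
     */
    private static boolean isDeltaCRL(X509CRL crl)
    {
        Set critical = crl.getCriticalExtensionOIDs();
        // FIX: per the X509Extension contract a CRL without any extensions (e.g. a
        // v1 CRL) yields null rather than an empty set; it is simply not a delta
        // CRL, and must not blow up the whole validation with an NPE
        if (critical == null)
        {
            return false;
        }
        return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
    }

    /**
     * Fetches complete CRLs according to RFC 3280.
     *
     * @param dp The distribution point for which the complete CRLs are searched.
     * @param cert The <code>X509Certificate</code> or
     *             {@link org.bouncycastle.x509.X509AttributeCertificate} for
     *             which the CRL should be searched.
     * @param currentDate The date for which the CRLs must be valid.
     * @param paramsPKIX The extended PKIX parameters.
     * @return A <code>Set</code> of <code>X509CRL</code>s with complete
     *         CRLs.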
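 * @throws AnnotatedException if an exception occurs while picking the CRLs,
 *             if the CRL issuer cannot be determined from the distribution
 *             point, or if no CRLs are found.
 */
    protected static Set getCompleteCRLs(DistributionPoint dp, Object cert,
        Date currentDate, ExtendedPKIXParameters paramsPKIX)
        throws AnnotatedException
    {
        X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
        try
        {
            // the CRL issuer defaults to the certificate's issuer; the
            // distribution point may name a different one (indirect CRL)
            Set issuers = new HashSet();
            if (cert instanceof X509AttributeCertificate)
            {
                issuers.add(((X509AttributeCertificate)cert)
                    .getIssuer().getPrincipals()[0]);
            }
            else
            {
                issuers.add(getEncodedIssuerPrincipal(cert));
            }
            CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
        }
        catch (AnnotatedException e)
        {
            // FIX: this exception used to be constructed but never thrown, so a
            // distribution point whose CRL issuer could not be determined left the
            // selector with no issuer criterion and the search continued; a CRL
            // whose issuer cannot be pinned down must not be used, fail instead
            throw new AnnotatedException(
                "Could not get issuer information from distribution point.", e);
        }

        if (cert instanceof X509Certificate)
        {
            crlselect.setCertificateChecking((X509Certificate)cert);
        }
        else if (cert instanceof X509AttributeCertificate)
        {
            crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert);
        }

        crlselect.setCompleteCRLEnabled(true);

        Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);

        if (crls.isEmpty())
        {
            // no CRL at all is a hard failure: revocation status is undeterminable
            Object issuer;
            if (cert instanceof X509AttributeCertificate)
            {
                issuer = ((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0];
            }
            else
            {
                issuer = ((X509Certificate)cert).getIssuerX500Principal();
            }
            throw new AnnotatedException("No CRLs found for issuer \"" + issuer + "\"");
        }
        return crls;
    }

    protected static Date getValidCertDateFromValidityModel(
        ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index)
        throws AnnotatedException
    {
        if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
        {
            // if end cert use given signing/encryption/...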
time 1223c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (index <= 0) 1224c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1225c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return CertPathValidatorUtilities.getValidDate(paramsPKIX); 1226c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // else use time when previous cert was created 1227c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1228c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1229c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1230c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (index - 1 == 0) 1231c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1232c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DERGeneralizedTime dateOfCertgen = null; 1233c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1234c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1235c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId()); 1236c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (extBytes != null) 1237c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1238c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Object.fromByteArray(extBytes)); 1239c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1240c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1241c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException e) 1242c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1243c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1244c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Date of cert gen extension could not be read."); 1245c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 
1246c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IllegalArgumentException e) 1247c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1248c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1249c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Date of cert gen extension could not be read."); 1250c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1251c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dateOfCertgen != null) 1252c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1253c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1254c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1255c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return dateOfCertgen.getDate(); 1256c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1257c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (ParseException e) 1258c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1259c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1260c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Date from date of cert gen extension could not be parsed.", 1261c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom e); 1262c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1263c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1264c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return ((X509Certificate) certPath.getCertificates().get( 1265c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom index - 1)).getNotBefore(); 1266c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1267c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1268c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1269c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return ((X509Certificate) certPath.getCertificates().get( 1270c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom index - 1)).getNotBefore(); 
1271c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1272c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1273c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1274c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom else 1275c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1276c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return getValidDate(paramsPKIX); 1277c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1278c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1279c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1280c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 1281c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Return the next working key inheriting DSA parameters if necessary. 1282c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <p> 1283c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * This methods inherits DSA parameters from the indexed certificate or 1284c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * previous certificates in the certificate chain to the returned 1285c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>PublicKey</code>. The list is searched upwards, meaning the end 1286c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * certificate is at position 0 and previous certificates are following. 1287c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * </p> 1288c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <p> 1289c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * If the indexed certificate does not contain a DSA key this method simply 1290c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * returns the public key. If the DSA key already contains DSA parameters 1291c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * the key is also only returned. 
1292c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * </p> 1293c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 1294c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param certs The certification path. 1295c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param index The index of the certificate which contains the public key 1296c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * which should be extended with DSA parameters. 1297c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @return The public key of the certificate in list position 1298c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>index</code> extended with DSA parameters if applicable. 1299c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @throws AnnotatedException if DSA parameters cannot be inherited. 1300c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1301c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static PublicKey getNextWorkingKey(List certs, int index) 1302c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws CertPathValidatorException 1303c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1304c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Certificate cert = (Certificate) certs.get(index); 1305c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom PublicKey pubKey = cert.getPublicKey(); 1306c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!(pubKey instanceof DSAPublicKey)) 1307c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1308c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return pubKey; 1309c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1310c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DSAPublicKey dsaPubKey = (DSAPublicKey) pubKey; 1311c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (dsaPubKey.getParams() != null) 1312c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 
1313c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return dsaPubKey; 1314c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1315c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom for (int i = index + 1; i < certs.size(); i++) 1316c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1317c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate parentCert = (X509Certificate)certs.get(i); 1318c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom pubKey = parentCert.getPublicKey(); 1319c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (!(pubKey instanceof DSAPublicKey)) 1320c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1321c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException( 1322c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "DSA parameters cannot be inherited from previous certificate."); 1323c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1324c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DSAPublicKey prevDSAPubKey = (DSAPublicKey) pubKey; 1325c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom if (prevDSAPubKey.getParams() == null) 1326c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1327c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom continue; 1328c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1329c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DSAParams dsaParams = prevDSAPubKey.getParams(); 1330c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec( 1331c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG()); 1332c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1333c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 13346e736056d64d0e33b26cf9f7c4e351b496241fdeBrian Carlstrom KeyFactory keyFactory = KeyFactory.getInstance("DSA", 
BouncyCastleProvider.PROVIDER_NAME); 1335c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return keyFactory.generatePublic(dsaPubKeySpec); 1336c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1337c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (Exception exception) 1338c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1339c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new RuntimeException(exception.getMessage()); 1340c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1341c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1342c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate."); 1343c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1344c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1345c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom /** 1346c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * Find the issuer certificates of a given certificate. 1347c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 1348c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param cert 1349c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * The certificate for which an issuer should be found. 1350c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @param pkixParams 1351c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @return A <code>Collection</code> object containing the issuer 1352c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * <code>X509Certificate</code>s. Never <code>null</code>. 1353c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * 1354c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * @exception AnnotatedException 1355c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom * if an error occurs. 
1356c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom */ 1357c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom protected static Collection findIssuerCerts( 1358c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate cert, 1359c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom ExtendedPKIXBuilderParameters pkixParams) 1360c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throws AnnotatedException 1361c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1362c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509CertStoreSelector certSelect = new X509CertStoreSelector(); 1363c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Set certs = new HashSet(); 1364c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1365c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1366c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certSelect.setSubject(cert.getIssuerX500Principal().getEncoded()); 1367c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1368c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (IOException ex) 1369c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1370c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException( 1371c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); 1372c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1373c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1374c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom Iterator iter; 1375c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1376c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom try 1377c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1378c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom List matches = new ArrayList(); 1379c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
1380c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getCertStores())); 1381c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getStores())); 1382c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixParams.getAdditionalStores())); 1383c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1384c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom iter = matches.iterator(); 1385c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1386c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom catch (AnnotatedException e) 1387c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1388c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom throw new AnnotatedException("Issuer certificate cannot be searched.", e); 1389c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1390c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 1391c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom X509Certificate issuer = null; 1392c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom while (iter.hasNext()) 1393c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom { 1394c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom issuer = (X509Certificate) iter.next(); 1395c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // issuer cannot be verified because possible DSA inheritance 1396c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom // parameters are missing 1397c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom certs.add(issuer); 1398c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1399c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom return certs; 1400c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom } 1401c37f4a04ef89e73a39a59f3c5a179af8c8ab5974Brian Carlstrom 
    /**
     * Verifies the signature on <code>cert</code> with <code>publicKey</code>.
     * <p>
     * When <code>sigProvider</code> is non-<code>null</code> the signature
     * provider of that name is used; otherwise the provider lookup is left to
     * {@link X509Certificate#verify(PublicKey)}.
     * </p>
     *
     * @param cert        The certificate whose signature is checked.
     * @param publicKey   The key the signature is expected to verify under.
     * @param sigProvider Name of the signature provider to use, or <code>null</code>.
     * @throws GeneralSecurityException as propagated from the certificate's
     *             <code>verify</code> call.
     */
    protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
        String sigProvider)
        throws GeneralSecurityException
    {
        if (sigProvider != null)
        {
            cert.verify(publicKey, sigProvider);
            return;
        }
        cert.verify(publicKey);
    }
}