Example usage for org.bouncycastle.jce.provider CertStatus getRevocationDate

List of usage examples for org.bouncycastle.jce.provider CertStatus getRevocationDate

Introduction

This page lists usage examples of org.bouncycastle.jce.provider CertStatus getRevocationDate.

Prototype

public Date getRevocationDate() 


Usage

From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java

License:Open Source License

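/**
 * Checks whether {@code cert} is revoked at {@code validDate} using CRLs.
 * <p>
 * Every distribution point named in the certificate's CRL Distribution Points
 * extension is consulted first; if that does not settle the status, a synthetic
 * distribution point naming the certificate issuer is tried as well, so CRLs the
 * issuer publishes without advertising them in the extension are still used.
 * The method is fail-closed: when no CRL could be validated at all, the last
 * validation error is rethrown, and when the validated CRLs do not cover every
 * revocation reason the status is reported as undetermined instead of as
 * "not revoked".
 *
 * @param paramsPKIX PKIX parameters.
 * @param cert Certificate to check if it is revoked.
 * @param validDate The date when the certificate revocation status
 *                should be checked.
 * @param sign The issuer certificate of the certificate
 *                <code>cert</code>.
 * @param workingPublicKey The public key of the issuer certificate
 *                <code>sign</code>.
 * @param certPathCerts The certificates of the certification path.
 * @throws SimpleValidationErrorException with {@code certRevoked} (carrying the
 *                 revocation date and reason) if the certificate is revoked, with
 *                 {@code noValidCrlFound} if the status cannot be determined, with
 *                 {@code crlDistPtExtError} or {@code crlIssuerException} if the
 *                 distribution point extension or the issuer name cannot be
 *                 processed, or the last error raised while checking a CRL if no
 *                 CRL could be validated.
 */
protected static void checkCRLs2(ExtPKIXParameters paramsPKIX, X509Certificate cert, Date validDate,
        X509Certificate sign, PublicKey workingPublicKey, List<?> certPathCerts)
        throws SimpleValidationErrorException {
    SimpleValidationErrorException lastException = null;
    CRLDistPoint crldp = null;
    try {
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
    } catch (Exception e) {
        // Any failure to decode the extension is reported as a DP error; the cause is preserved.
        throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
    }
    try {
        CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
    }
    // Both objects are filled in by checkCRL (defined elsewhere in this file): certStatus
    // records a revocation, reasonsMask accumulates which revocation reasons the CRLs seen
    // so far cover. They start out as "unrevoked" / "no reasons covered".
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();

    boolean validCrlFound = false;

    // Pass 1: every distribution point from the extension, until a revocation is found or
    // all reasons are covered. Errors from individual DPs are remembered, not fatal.
    if (crldp != null) {
        DistributionPoint[] dps;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
        }
        if (dps != null) {
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED
                    && !reasonsMask.isAllReasons(); i++) {
                // A fresh clone per DP keeps any parameter changes made by checkCRL from
                // leaking into the next iteration. Assumes paramsPKIX.clone() yields an
                // ExtendedPKIXParameters, as the original cast did.
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
                try {
                    checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus,
                            reasonsMask, certPathCerts);
                    validCrlFound = true;
                } catch (SimpleValidationErrorException e) {
                    lastException = e;
                }
            }
        }
    }

    /*
     * Pass 2: if the revocation status has not been determined, repeat the
     * process above with any available CRLs not specified in a
     * distribution point but issued by the certificate issuer.
     */
    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
             * assume a DP with both the reasons and the
             * cRLIssuer fields omitted and a distribution
             * point name of the certificate issuer.
             */
            ASN1Primitive issuer;
            try {
                issuer = new ASN1InputStream(
                        CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
            } catch (Exception e) {
                throw new SimpleValidationErrorException(ValidationErrorCode.crlIssuerException, e);
            }
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0,
                    new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
            checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask,
                    certPathCerts);
            validCrlFound = true;
        } catch (SimpleValidationErrorException e) {
            lastException = e;
        }
    }

    if (!validCrlFound) {
        // Every attempt failed: surface the last failure. lastException is expected to be set
        // here (pass 2 always runs when pass 1 validated nothing); the fallback only guards
        // against a future change breaking that invariant so this never turns into an NPE.
        throw lastException != null ? lastException
                : new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound);
    }
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        // Revocation date and reason are reported with the error; the date is wrapped as
        // TrustedInput because it comes from a CRL that has already been validated.
        throw new SimpleValidationErrorException(ValidationErrorCode.certRevoked,
                new TrustedInput(certStatus.getRevocationDate()), crlReasons[certStatus.getCertStatus()]);
    }
    // Status is UNREVOKED here. A CRL set that covers only some revocation reasons is not
    // proof of non-revocation, so the result is downgraded to "undetermined" and rejected.
    if (!reasonsMask.isAllReasons()) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
        throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound);
    }
}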