List of usage examples for org.bouncycastle.jce.provider ReasonsMask addReasons
void addReasons(ReasonsMask mask)
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
/** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * /*from w w w . j a v a 2 s. c om*/ * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status * should be checked. * @param defaultCRLSignCert The issuer certificate of the certificate * <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param certStatus The current certificate revocation status. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the * status cannot be checked or some error occurs. */ private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List<?> certPathCerts) throws SimpleValidationErrorException { Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new IllegalArgumentException("CRL validation time is in future: " + validDate); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), * additional CRLs must be enabled in the ExtendedPKIXParameters * and are in getAdditionalStore() */ Set<?> crls = CertPathValidatorUtilities.getCompleteCRLs2(dp, cert, currentDate, paramsPKIX); boolean validCrlFound = false; SimpleValidationErrorException lastException = null; Iterator<?> crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = processCRLD2(crl, dp); // (e) /* * The reasons mask is updated at the end, so * only valid CRLs can update it. If this CRL * does not contain new reasons it must be * ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set<?> keys = processCRLF2(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) PublicKey key = processCRLG2(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set<?> deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs2(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = processCRLH2(deltaCRLs, key); } /* * CRL must be be valid at the current time, not * the validation time. If a certificate is * revoked with reason keyCompromise, * cACompromise, it can be used for forgery, * also for the past. This reason may not be * contained in older CRLs. */ /* * in the chain model signatures stay valid also * after the certificate has been expired, so * they do not have to be in the CRL validity * time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was * revoked, it is not more in the CRL, * so it would be regarded as valid if * the first check is not done */ if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound); } } processCRLB1_2(dp, cert, crl); // (b) (2) processCRLB2_2(dp, cert, crl); // (c) processCRLC2(deltaCRL, crl, paramsPKIX); // (i) processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) processCRLJ(validDate, crl, cert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); Set<?> criticalExtensions = crl.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } if (deltaCRL != null) { criticalExtensions = deltaCRL.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } } validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }