List of usage examples for org.bouncycastle.jce.provider ReasonsMask isAllReasons
boolean isAllReasons()
true if this reasons mask contains all possible reasons. From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
/** * Checks a certificate if it is revoked. * //from w w w . j av a 2 s .com * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status * should be checked. * @param sign The issuer certificate of the certificate * <code>cert</code>. * @param workingPublicKey The public key of the issuer certificate * <code>sign</code>. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the * status cannot be checked or some error occurs. */ protected static void checkCRLs2(ExtPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List<?> certPathCerts) throws SimpleValidationErrorException { SimpleValidationErrorException lastException = null; CRLDistPoint crldp = null; try { crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS)); } catch (Exception e) { throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e); } try { CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX); } catch (AnnotatedException e) { throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); boolean validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint dps[] = null; try { dps = crldp.getDistributionPoints(); } catch (Exception e) { throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e); } if (dps != null) { for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) { ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone(); try { checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } } } /* * If the revocation status has not been determined, repeat the * process above with any available CRLs not specified in a * distribution point but issued by the certificate issuer. */ if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) { try { /* * assume a DP with both the reasons and the * cRLIssuer fields omitted and a distribution * point name of the certificate issuer. */ ASN1Primitive issuer = null; try { issuer = new ASN1InputStream( CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject(); } catch (Exception e) { throw new SimpleValidationErrorException(ValidationErrorCode.crlIssuerException, e); } DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null); ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone(); checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } if (!validCrlFound) throw lastException; if (certStatus.getCertStatus() != CertStatus.UNREVOKED) { throw new SimpleValidationErrorException(ValidationErrorCode.certRevoked, new TrustedInput(certStatus.getRevocationDate()), crlReasons[certStatus.getCertStatus()]); } if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) { certStatus.setCertStatus(CertStatus.UNDETERMINED); } if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) { throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound); } }
From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java
License:Open Source License
/** * Checks a distribution point for revocation information for the * certificate <code>cert</code>. * //w w w. ja v a2 s . com * @param dp The distribution point to consider. * @param paramsPKIX PKIX parameters. * @param cert Certificate to check if it is revoked. * @param validDate The date when the certificate revocation status * should be checked. * @param defaultCRLSignCert The issuer certificate of the certificate * <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param certStatus The current certificate revocation status. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path. * @throws AnnotatedException if the certificate is revoked or the * status cannot be checked or some error occurs. */ private static void checkCRL(DistributionPoint dp, ExtendedPKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, CertStatus certStatus, ReasonsMask reasonMask, List<?> certPathCerts) throws SimpleValidationErrorException { Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new IllegalArgumentException("CRL validation time is in future: " + validDate); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), * additional CRLs must be enabled in the ExtendedPKIXParameters * and are in getAdditionalStore() */ Set<?> crls = CertPathValidatorUtilities.getCompleteCRLs2(dp, cert, currentDate, paramsPKIX); boolean validCrlFound = false; SimpleValidationErrorException lastException = null; Iterator<?> crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = processCRLD2(crl, dp); // (e) /* * The reasons mask is updated at the end, so * only valid CRLs can update it. If this CRL * does not contain new reasons it must be * ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set<?> keys = processCRLF2(crl, cert, defaultCRLSignCert, defaultCRLSignKey, paramsPKIX, certPathCerts); // (g) PublicKey key = processCRLG2(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set<?> deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs2(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = processCRLH2(deltaCRLs, key); } /* * CRL must be be valid at the current time, not * the validation time. If a certificate is * revoked with reason keyCompromise, * cACompromise, it can be used for forgery, * also for the past. This reason may not be * contained in older CRLs. */ /* * in the chain model signatures stay valid also * after the certificate has been expired, so * they do not have to be in the CRL validity * time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was * revoked, it is not more in the CRL, * so it would be regarded as valid if * the first check is not done */ if (cert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound); } } processCRLB1_2(dp, cert, crl); // (b) (2) processCRLB2_2(dp, cert, crl); // (c) processCRLC2(deltaCRL, crl, paramsPKIX); // (i) processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX); // (j) processCRLJ(validDate, crl, cert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); Set<?> criticalExtensions = crl.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } if (deltaCRL != null) { criticalExtensions = deltaCRL.getCriticalExtensionOIDs(); if (criticalExtensions != null) { criticalExtensions = new HashSet(criticalExtensions); criticalExtensions.remove(X509Extensions.IssuingDistributionPoint.getId()); criticalExtensions.remove(X509Extensions.DeltaCRLIndicator.getId()); if (!criticalExtensions.isEmpty()) { throw new SimpleValidationErrorException(ValidationErrorCode.crlUnknownCritExt, criticalExtensions.iterator().next()); } } } validCrlFound = true; } catch (SimpleValidationErrorException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }