Example usage for org.bouncycastle.jce.provider RFC3280CertPathUtilities CRL_DISTRIBUTION_POINTS

List of usage examples for org.bouncycastle.jce.provider RFC3280CertPathUtilities CRL_DISTRIBUTION_POINTS

Introduction

This page shows an example usage of org.bouncycastle.jce.provider RFC3280CertPathUtilities CRL_DISTRIBUTION_POINTS: the extension identifier is used to pull the CRL Distribution Points extension out of a certificate during revocation checking.

Prototype

String CRL_DISTRIBUTION_POINTS


Usage

From source file:eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesHelper.java

License:Open Source License

/**
 * Checks whether {@code cert} has been revoked, using CRLs.
 * <p>
 * The structure mirrors the CRL processing of RFC 3280 (section 6.3.3): the
 * distribution points named in the certificate's own CRL Distribution Points
 * extension are tried first; if they do not settle the status for every
 * revocation reason, a synthetic distribution point naming the certificate
 * issuer (no reasons, no cRLIssuer) is tried as a fallback. The check is
 * fail-closed: when no usable CRL is found at all, or the CRLs found do not
 * cover all revocation reasons, an exception is thrown rather than the
 * certificate being treated as not revoked.
 * <p>
 * NOTE(review): the distribution point URIs are taken from the certificate
 * under validation, i.e. from input that is not yet trusted. Any CRL fetched
 * from them is presumably authenticated inside {@code checkCRL} against
 * {@code workingPublicKey} / {@code sign}; this method itself performs no
 * such check, so that contract should be confirmed in {@code checkCRL}.
 *
 * @param paramsPKIX PKIX parameters. CRL stores derived from the
 *                distribution points are added to this object before it is
 *                cloned for the individual checks.
 * @param cert Certificate to check if it is revoked.
 * @param validDate The date when the certificate revocation status
 *                should be checked.
 * @param sign The issuer certificate of the certificate
 *                <code>cert</code>.
 * @param workingPublicKey The public key of the issuer certificate
 *                <code>sign</code>.
 * @param certPathCerts The certificates of the certification path.
 * @throws SimpleValidationErrorException if the certificate is revoked
 *                 ({@code certRevoked}), no valid CRL could be found or the
 *                 available CRLs do not cover all revocation reasons
 *                 ({@code noValidCrlFound}, or the last error raised while
 *                 trying the distribution points), the CRL Distribution
 *                 Points extension cannot be decoded or its stores cannot be
 *                 registered ({@code crlDistPtExtError}), or the issuer name
 *                 cannot be re-encoded for the fallback distribution point
 *                 ({@code crlIssuerException}).
 */
protected static void checkCRLs2(ExtPKIXParameters paramsPKIX, X509Certificate cert, Date validDate,
        X509Certificate sign, PublicKey workingPublicKey, List<?> certPathCerts)
        throws SimpleValidationErrorException {
    // Most recent failure from a checkCRL attempt; rethrown only if no
    // attempt completed (see the validCrlFound check at the end).
    SimpleValidationErrorException lastException = null;
    CRLDistPoint crldp = null;
    try {
        // Decode the CRL Distribution Points extension of the certificate
        // being checked. Stays null when the extension is absent (assumed
        // from getExtensionValue; the null case is handled below).
        crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert,
                RFC3280CertPathUtilities.CRL_DISTRIBUTION_POINTS));
    } catch (Exception e) {
        // Any decoding failure is a hard error: a malformed extension must
        // not silently downgrade to "no distribution points".
        throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
    }
    try {
        // Register CRL stores for the distribution point locations. This
        // mutates paramsPKIX itself, so every clone taken below sees them.
        // The locations come from the (untrusted) certificate; see the
        // method-level note about where the CRLs are actually authenticated.
        CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX);
    } catch (AnnotatedException e) {
        throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
    }
    // Both are filled in by checkCRL: the revocation status found so far and
    // the set of revocation reasons already covered by processed CRLs.
    CertStatus certStatus = new CertStatus();
    ReasonsMask reasonsMask = new ReasonsMask();

    boolean validCrlFound = false;
    // for each distribution point
    if (crldp != null) {
        DistributionPoint dps[] = null;
        try {
            dps = crldp.getDistributionPoints();
        } catch (Exception e) {
            throw new SimpleValidationErrorException(ValidationErrorCode.crlDistPtExtError, e);
        }
        if (dps != null) {
            // Stop as soon as the certificate is known to be revoked or
            // every revocation reason has been covered; further DPs cannot
            // change the outcome.
            for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED
                    && !reasonsMask.isAllReasons(); i++) {
                // Fresh clone per distribution point -- presumably because
                // checkCRL modifies its parameters; confirm against checkCRL.
                ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
                try {
                    checkCRL(dps[i], paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus,
                            reasonsMask, certPathCerts);
                    validCrlFound = true;
                } catch (SimpleValidationErrorException e) {
                    // A failing distribution point does not abort the check;
                    // a later DP (or the issuer fallback) may still succeed.
                    // Only the last error is kept for reporting.
                    lastException = e;
                }
            }
        }
    }

    /*
     * If the revocation status has not been determined, repeat the
     * process above with any available CRLs not specified in a
     * distribution point but issued by the certificate issuer.
     */

    if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) {
        try {
            /*
             * assume a DP with both the reasons and the
             * cRLIssuer fields omitted and a distribution
             * point name of the certificate issuer.
             */
            ASN1Primitive issuer = null;
            try {
                // Round-trip the issuer name through DER so the fallback DP
                // carries the issuer's encoded name exactly as it appears in
                // the certificate.
                issuer = new ASN1InputStream(
                        CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert).getEncoded()).readObject();
            } catch (Exception e) {
                // Caught by the enclosing catch below and recorded as
                // lastException, like any other failed attempt.
                throw new SimpleValidationErrorException(ValidationErrorCode.crlIssuerException, e);
            }
            // Tag 0 is a fullName distribution point name; reasons and
            // cRLIssuer are both null, matching the comment above.
            DistributionPoint dp = new DistributionPoint(new DistributionPointName(0,
                    new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null);
            ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone();
            checkCRL(dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask,
                    certPathCerts);
            validCrlFound = true;
        } catch (SimpleValidationErrorException e) {
            lastException = e;
        }
    }

    // validCrlFound is false only if every checkCRL call threw, and at least
    // one call is always made (the fallback runs whenever the loop left the
    // status unsettled, assuming a fresh ReasonsMask covers no reasons), so
    // lastException is non-null here.
    if (!validCrlFound)
        throw lastException;
    if (certStatus.getCertStatus() != CertStatus.UNREVOKED) {
        // Revoked: report the revocation date and the textual reason looked
        // up from the sibling crlReasons table by status code.
        throw new SimpleValidationErrorException(ValidationErrorCode.certRevoked,
                new TrustedInput(certStatus.getRevocationDate()), crlReasons[certStatus.getCertStatus()]);
    }
    // Fail closed: a CRL was processed but it did not cover every revocation
    // reason, so the status is not conclusively known. (The UNREVOKED test is
    // redundant here -- the branch above already threw otherwise.)
    if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) {
        certStatus.setCertStatus(CertStatus.UNDETERMINED);
    }
    if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) {
        throw new SimpleValidationErrorException(ValidationErrorCode.noValidCrlFound);
    }
}