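pkixParams.addAddionalStore(X509Store.getInstance(
                    "CERTIFICATE/LDAP", params, "BC"));
                pkixParams.addAddionalStore(X509Store.getInstance(
                    "CRL/LDAP", params, "BC"));
                pkixParams.addAddionalStore(X509Store.getInstance(
                    "ATTRIBUTECERTIFICATE/LDAP", params, "BC"));
                pkixParams.addAddionalStore(X509Store.getInstance(
                    "CERTIFICATEPAIR/LDAP", params, "BC"));
            }
        }
        catch (Exception e)
        {
            // cannot happen
            // NOTE(review): the cause is not chained here; if this ever fires the
            // original exception is lost. Consider passing e as the cause.
            throw new RuntimeException("Exception adding X.509 stores.");
        }
    }

    /**
     * Return a Collection of all certificates found in the given stores that
     * match the {@code certSelect} criteria.
     * <p>
     * Each element of {@code certStores} is either a {@link X509Store}
     * (queried via {@code getMatches}) or a {@link CertStore} (queried via
     * {@code getCertificates}); any other element type results in a
     * {@link ClassCastException}.
     *
     * @param certSelect a {@link Selector} object that will be used to select
     *            the certificates
     * @param certStores a List containing {@link X509Store} or
     *            {@link CertStore} objects. These are used to search for
     *            certificates.
     * @return a Collection of all found {@link X509Certificate} objects. May
     *         be empty but never <code>null</code>.
     * @throws AnnotatedException if a store reports an error while matching.
     */
    protected static Collection findCertificates(X509CertStoreSelector certSelect,
        List certStores)
        throws AnnotatedException
    {
        // a Set de-duplicates certificates present in more than one store
        Set certs = new HashSet();
        Iterator iter = certStores.iterator();
        while (iter.hasNext())
        {
            Object obj = iter.next();
            if (obj instanceof X509Store)
            {
                X509Store certStore = (X509Store)obj;
                try
                {
                    certs.addAll(certStore.getMatches(certSelect));
                }
                catch (StoreException e)
                {
                    throw new AnnotatedException(
                        "Problem while picking certificates from X.509 store.", e);
                }
            }
            else
            {
                CertStore certStore = (CertStore)obj;
                try
                {
                    certs.addAll(certStore.getCertificates(certSelect));
                }
                catch (CertStoreException e)
                {
                    throw new AnnotatedException(
                        "Problem while picking certificates from certificate store.", e);
                }
            }
        }
        return certs;
    }

    /**
     * Return a Collection of all attribute certificates found in the
     * {@link X509Store}s of {@code certStores} that match the
     * {@code certSelect} criteria. Elements that are not {@link X509Store}s
     * are skipped.
     *
     * @param certSelect the attribute certificate selector
     * @param certStores a List of stores to search; only {@link X509Store}
     *            entries are consulted.
     * @return a Collection of all found attribute certificates. May be empty
     *         but never <code>null</code>.
     * @throws AnnotatedException if a store reports an error while matching.
     */
    protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
        List certStores)
        throws AnnotatedException
    {
        Set certs = new HashSet();
        Iterator iter = certStores.iterator();
        while (iter.hasNext())
        {
            Object obj = iter.next();
            if (obj instanceof X509Store)
            {
                X509Store certStore = (X509Store)obj;
                try
                {
                    certs.addAll(certStore.getMatches(certSelect));
                }
                catch (StoreException e)
                {
                    throw new AnnotatedException(
                        "Problem while picking certificates from X.509 store.", e);
                }
            }
        }
        return certs;
    }

    /**
     * Registers additional stores for every URI found in the fullName of the
     * given CRL distribution points.
     * <p>
     * The URIs originate from the CRL distribution point extension of the
     * certificate being validated, i.e. from data that is not yet trusted at
     * this point. Whether a location is actually dereferenced is decided by
     * {@link #addAdditionalStoreFromLocation} (its enabling condition is not
     * part of this method).
     *
     * @param crldp the CRL distribution point extension, may be
     *            <code>null</code> (then nothing is added)
     * @param pkixParams the PKIX parameters the stores are added to
     * @throws AnnotatedException if the distribution points cannot be read.
     */
    protected static void addAdditionalStoresFromCRLDistributionPoint(
        CRLDistPoint crldp, ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        if (crldp != null)
        {
            DistributionPoint dps[] = null;
            try
            {
                dps = crldp.getDistributionPoints();
            }
            catch (Exception e)
            {
                throw new AnnotatedException(
                    "Distribution points could not be read.", e);
            }
            for (int i = 0; i < dps.length; i++)
            {
                DistributionPointName dpn = dps[i].getDistributionPoint();
                // look for URIs in fullName; nameRelativeToCRLIssuer cannot
                // carry a URI and is ignored here
                if (dpn != null)
                {
                    if (dpn.getType() == DistributionPointName.FULL_NAME)
                    {
                        GeneralName[] genNames = GeneralNames.getInstance(
                            dpn.getName()).getNames();
                        // look for an URI
                        for (int j = 0; j < genNames.length; j++)
                        {
                            if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
                            {
                                String location = DERIA5String.getInstance(
                                    genNames[j].getName()).getString();
                                CertPathValidatorUtilities
                                    .addAdditionalStoreFromLocation(location, pkixParams);
                            }
                        }
                    }
                }
            }
        }
    }

    /**
     * Add the CRL issuers from the cRLIssuer field of the distribution point or
     * from the certificate if not given to the issuer criterion of the
     * <code>selector</code>.
     * <p>
     * The <code>issuerPrincipals</code> are a collection with a single
     * <code>X500Principal</code> for <code>X509Certificate</code>s. For
     * {@link X509AttributeCertificate}s the issuer may contain more than one
     * <code>X500Principal</code>.
     * <p>
     * Only directoryName entries of the cRLIssuer field are used; other
     * GeneralName forms are ignored.
     *
     * @param dp The distribution point.
     * @param issuerPrincipals The issuers of the certificate or attribute
     *            certificate which contains the distribution point.
     * @param selector The CRL selector.
     * @param pkixParams The PKIX parameters containing the cert stores
     *            (currently not consulted by this method).
     * @throws AnnotatedException if an exception occurs while processing.
     * @throws ClassCastException if <code>issuerPrincipals</code> does not
     *             contain only <code>X500Principal</code>s.
     */
    protected static void getCRLIssuersFromDistributionPoint(
        DistributionPoint dp,
        Collection issuerPrincipals,
        X509CRLSelector selector,
        ExtendedPKIXParameters pkixParams)
        throws AnnotatedException
    {
        List issuers = new ArrayList();
        // indirect CRL
        if (dp.getCRLIssuer() != null)
        {
            GeneralName genNames[] = dp.getCRLIssuer().getNames();
            // look for a DN
            for (int j = 0; j < genNames.length; j++)
            {
                if (genNames[j].getTagNo() == GeneralName.directoryName)
                {
                    try
                    {
                        issuers.add(new X500Principal(genNames[j].getName()
                            .getDERObject().getEncoded()));
                    }
                    catch (IOException e)
                    {
                        throw new AnnotatedException(
                            "CRL issuer information from distribution point cannot be decoded.",
                            e);
                    }
                }
            }
        }
        else
        {
            /*
             * certificate issuer is CRL issuer, distributionPoint field MUST be
             * present.
             */
            if (dp.getDistributionPoint() == null)
            {
                throw new AnnotatedException(
                    "CRL issuer is omitted from distribution point but no distributionPoint field present.");
            }
            // add and check issuer principals
            for (Iterator it = issuerPrincipals.iterator(); it.hasNext();)
            {
                issuers.add((X500Principal)it.next());
            }
        }
        // TODO: is not found although this should correctly add the rel name.
        // selector of Sun is buggy here or PKI test case is invalid
        //
        // NOTE: handling of a distributionPoint of type nameRelativeToCRLIssuer
        // (appending the relative name fragment to the single CRL issuer DN)
        // is disabled for the reason recorded in the TODO above; only the
        // full issuer DNs collected so far are added to the selector.
        Iterator it = issuers.iterator();
        while (it.hasNext())
        {
            try
            {
                selector.addIssuerName(((X500Principal)it.next()).getEncoded());
            }
            catch (IOException ex)
            {
                throw new AnnotatedException(
                    "Cannot decode CRL issuer information.", ex);
            }
        }
    }

    /**
     * Returns the serial number of an {@link X509Certificate} or an
     * {@link X509AttributeCertificate}.
     *
     * @param cert the certificate; must be one of the two types above
     * @return the serial number
     * @throws ClassCastException if <code>cert</code> is neither type
     */
    private static BigInteger getSerialNumber(
        Object cert)
    {
        if (cert instanceof X509Certificate)
        {
            return ((X509Certificate)cert).getSerialNumber();
        }
        else
        {
            return ((X509AttributeCertificate)cert).getSerialNumber();
        }
    }

    /**
     * Looks up <code>cert</code> in <code>crl</code> and, if it is listed by
     * an entry whose issuer matches the certificate's issuer or the CRL's
     * issuer, records the revocation reason and date in
     * <code>certStatus</code>.
     * <p>
     * The entry is applied when <code>validDate</code> is not before the
     * entry's revocation date, or when the reason code is absent or one of
     * the values 0, 1, 2 or 8 (see the inline note on the literal 8).
     *
     * @param validDate the date for which the certificate status is queried
     * @param crl the CRL to consult (converted to a BC
     *            {@link X509CRLObject} so indirect CRLs are supported)
     * @param cert an {@link X509Certificate} or
     *            {@link X509AttributeCertificate}
     * @param certStatus receives the revocation reason and date when found
     * @throws AnnotatedException if the CRL cannot be re-parsed or a present
     *             reason code extension cannot be decoded.
     */
    protected static void getCertStatus(
        Date validDate,
        X509CRL crl,
        Object cert,
        CertStatus certStatus)
        throws AnnotatedException
    {
        // use BC X509CRLObject so that indirect CRLs are supported
        X509CRLObject bcCRL = null;
        try
        {
            bcCRL = new X509CRLObject(new CertificateList((ASN1Sequence)
                ASN1Sequence.fromByteArray(crl.getEncoded())));
        }
        catch (Exception exception)
        {
            throw new AnnotatedException(
                "Bouncy Castle X509CRLObject could not be created.", exception);
        }
        // use BC X509CRLEntryObject, so that getCertificateIssuer() is
        // supported.
        X509CRLEntryObject crl_entry = (X509CRLEntryObject)bcCRL
            .getRevokedCertificate(getSerialNumber(cert));
        if (crl_entry != null
            && (getEncodedIssuerPrincipal(cert).equals(crl_entry.getCertificateIssuer())
                || getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl))))
        {
            DEREnumerated reasonCode = null;
            if (crl_entry.hasExtensions())
            {
                try
                {
                    reasonCode = DEREnumerated
                        .getInstance(CertPathValidatorUtilities
                            .getExtensionValue(crl_entry,
                                X509Extensions.ReasonCode.getId()));
                }
                catch (Exception e)
                {
                    // FIX: the exception was previously constructed but never
                    // thrown, so a malformed reason code extension was
                    // silently ignored.
                    throw new AnnotatedException(
                        "Reason code CRL entry extension could not be decoded.", e);
                }
            }
            // for reason keyCompromise, caCompromise, aACompromise or
            // unspecified
            // NOTE(review): the literal 8 is removeFromCRL in the RFC 3280
            // CRLReason enumeration; aACompromise is 10. Confirm which value
            // is intended before changing the comparison.
            if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime())
                || reasonCode == null
                || reasonCode.getValue().intValue() == 0
                || reasonCode.getValue().intValue() == 1
                || reasonCode.getValue().intValue() == 2
                || reasonCode.getValue().intValue() == 8)
            {
                // (i) or (j) (1)
                if (reasonCode != null)
                {
                    certStatus.setCertStatus(reasonCode.getValue().intValue());
                }
                // (i) or (j) (2)
                else
                {
                    certStatus.setCertStatus(CRLReason.unspecified);
                }
                certStatus.setRevocationDate(crl_entry.getRevocationDate());
            }
        }
    }

    /**
     * Fetches delta CRLs according to RFC 3280 section 5.2.4.
     *
     * @param currentDate The date for which the delta CRLs must be valid.
     * @param paramsPKIX The extended PKIX parameters.
     * @param completeCRL The complete CRL the delta CRL is for.
     * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
     * @throws AnnotatedException if an exception occurs while picking the delta
     *             CRLs.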
*/ protected static Set getDeltaCRLs(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException { X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector(); if (paramsPKIX.getDate() != null)