{ deltaSelect.setDateAndTime(paramsPKIX.getDate()); } else { deltaSelect.setDateAndTime(currentDate); } // 5.2.4 (a) try { deltaSelect.addIssuerName(CertPathValidatorUtilities .getIssuerPrincipal(completeCRL).getEncoded()); } catch (IOException e) { new AnnotatedException("Cannot extract issuer from CRL.", e); } BigInteger completeCRLNumber = null; try { DERObject derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER); if (derObject != null) { completeCRLNumber = CRLNumber.getInstance(derObject).getPositiveValue(); } } catch (Exception e) { throw new AnnotatedException( "CRL number extension could not be extracted from CRL.", e); } // 5.2.4 (b) byte[] idp = null; try { idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); } catch (Exception e) { throw new AnnotatedException( "Issuing distribution point extension value could not be read.", e); } // 5.2.4 (d) deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber .add(BigInteger.valueOf(1))); deltaSelect.setIssuingDistributionPoint(idp); deltaSelect.setIssuingDistributionPointEnabled(true); // 5.2.4 (c) deltaSelect.setMaxBaseCRLNumber(completeCRLNumber); Set temp = new HashSet(); // find delta CRLs try { temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getAdditionalStores())); temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getStores())); temp.addAll(CertPathValidatorUtilities.findCRLs(deltaSelect, paramsPKIX.getCertStores())); } catch (AnnotatedException e) { throw new AnnotatedException("Could not search for delta CRLs.", e); } Set result = new HashSet(); for (Iterator it = temp.iterator(); it.hasNext();) { X509CRL crl = (X509CRL)it.next(); if (isDeltaCRL(crl)) { result.add(crl); } } return result; } private static boolean isDeltaCRL(X509CRL crl) { Set critical = crl.getCriticalExtensionOIDs(); return critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR); } /** * Fetches complete CRLs according 
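to RFC 3280, i.e. CRLs that are not delta CRLs, for a single distribution point.
 * <p>
 * The CRL selector is seeded with the issuer of <code>cert</code> (for an
 * attribute certificate, the first principal of its issuer) and the
 * distribution point via <code>getCRLIssuersFromDistributionPoint</code>,
 * bound to the certificate being checked, restricted to the validation
 * date, and limited to complete CRLs. All configured stores
 * (<code>getStores()</code>, <code>getAdditionalStores()</code>,
 * <code>getCertStores()</code>) are then searched.
 * </p>
 *
 * @param dp          The distribution point for which the complete CRL is
 *                    searched.
 * @param cert        The <code>X509Certificate</code> or
 *                    {@link org.bouncycastle.x509.X509AttributeCertificate}
 *                    for which the CRL should be searched.
 * @param currentDate The date the CRLs must be valid at when the
 *                    parameters carry no explicit date.
 * @param paramsPKIX  The extended PKIX parameters.
 * @return A <code>Set</code> of <code>X509CRL</code>s with complete CRLs.
 *         Never empty.
 * @throws AnnotatedException if the CRL issuer criteria cannot be derived
 *         from the distribution point, if a store lookup fails, or if no
 *         CRL is found.
 */
protected static Set getCompleteCRLs(DistributionPoint dp, Object cert,
    Date currentDate, ExtendedPKIXParameters paramsPKIX)
    throws AnnotatedException
{
    X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
    try
    {
        Set issuers = new HashSet();
        if (cert instanceof X509AttributeCertificate)
        {
            // NOTE(review): assumes the attribute certificate issuer carries at
            // least one principal; an empty array would surface as an
            // ArrayIndexOutOfBoundsException here rather than an AnnotatedException.
            issuers.add(((X509AttributeCertificate)cert)
                .getIssuer().getPrincipals()[0]);
        }
        else
        {
            issuers.add(getEncodedIssuerPrincipal(cert));
        }
        CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp,
            issuers, crlselect, paramsPKIX);
    }
    catch (AnnotatedException e)
    {
        // Fix: the original constructed this exception but never threw it, so
        // a failure to derive the CRL issuer criteria was silently ignored and
        // the search went ahead with a selector that may carry no issuer
        // restriction at all. Surface the failure to the caller instead.
        throw new AnnotatedException(
            "Could not get issuer information from distribution point.", e);
    }

    // bind the selector to the certificate whose status is being checked
    if (cert instanceof X509Certificate)
    {
        crlselect.setCertificateChecking((X509Certificate)cert);
    }
    else if (cert instanceof X509AttributeCertificate)
    {
        crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert);
    }

    // an explicit validation date in the parameters wins over currentDate
    if (paramsPKIX.getDate() != null)
    {
        crlselect.setDateAndTime(paramsPKIX.getDate());
    }
    else
    {
        crlselect.setDateAndTime(currentDate);
    }
    // complete CRLs only; delta CRLs are collected separately
    crlselect.setCompleteCRLEnabled(true);

    Set crls = new HashSet();
    try
    {
        crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getStores()));
        crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
        crls.addAll(CertPathValidatorUtilities.findCRLs(crlselect, paramsPKIX.getCertStores()));
    }
    catch (AnnotatedException e)
    {
        throw new AnnotatedException("Could not search for CRLs.", e);
    }

    if (crls.isEmpty())
    {
        throw new AnnotatedException("No CRLs found.");
    }
    return crls;
}

/**
 * Determines the date at which the certificate at <code>index</code> must
 * be valid, according to the configured validity model.
 * <p>
 * Under {@link ExtendedPKIXParameters#CHAIN_VALIDITY_MODEL} the end
 * certificate (index 0) is checked at the caller's validation date, and
 * every other certificate is checked at the time its child certificate was
 * created: the child's ISIS-MTT <code>dateOfCertGen</code> extension when
 * the child is the end certificate and carries that extension, otherwise
 * the child's <code>notBefore</code>. Any other validity model uses the
 * validation date for every certificate.
 * </p>
 *
 * @param paramsPKIX The extended PKIX parameters (validity model and date).
 * @param certPath   The certification path, end certificate first.
 * @param index      The position in <code>certPath</code> of the
 *                   certificate being checked.
 * @return The date the certificate at <code>index</code> must be valid at.
 * @throws AnnotatedException if the <code>dateOfCertGen</code> extension
 *         cannot be decoded or its date cannot be parsed.
 */
protected static Date getValidCertDateFromValidityModel(
    ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index)
    throws AnnotatedException
{
    if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
    {
        return getValidDate(paramsPKIX);
    }

    // end certificate: use the given signing/encryption/... time
    if (index <= 0)
    {
        return CertPathValidatorUtilities.getValidDate(paramsPKIX);
    }

    // otherwise use the time the child certificate was created
    X509Certificate child = (X509Certificate)certPath.getCertificates().get(index - 1);

    // the dateOfCertGen extension is only consulted on the end certificate
    if (index - 1 == 0)
    {
        DERGeneralizedTime dateOfCertgen = null;
        try
        {
            byte[] extBytes = child.getExtensionValue(
                ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
            if (extBytes != null)
            {
                dateOfCertgen = DERGeneralizedTime.getInstance(ASN1Object.fromByteArray(extBytes));
            }
        }
        catch (IOException e)
        {
            // Fix: keep the underlying cause (the original dropped it)
            throw new AnnotatedException(
                "Date of cert gen extension could not be read.", e);
        }
        catch (IllegalArgumentException e)
        {
            throw new AnnotatedException(
                "Date of cert gen extension could not be read.", e);
        }
        if (dateOfCertgen != null)
        {
            try
            {
                return dateOfCertgen.getDate();
            }
            catch (ParseException e)
            {
                throw new AnnotatedException(
                    "Date from date of cert gen extension could not be parsed.", e);
            }
        }
    }
    return child.getNotBefore();
}

/**
 * Return the next working key, inheriting DSA parameters if necessary.
 * <p>
 * Missing DSA parameters are taken from the indexed certificate's issuers
 * further up the path; the list is searched upwards, with the end
 * certificate at position 0 and its issuers following.
 * </p>
 * <p>
 * If the indexed certificate does not hold a DSA key the public key is
 * returned as is.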
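If the DSA key already carries its own parameters it is likewise returned
 * unchanged.
 * </p>
 * <p>
 * Security note: a DSA public key without parameters cannot be used to
 * verify a signature, so the parameters are borrowed from the nearest
 * certificate above <code>index</code> whose DSA key carries them (the
 * parameter inheritance of RFC 3280 section 6.1.4). A non-DSA key
 * encountered on the way up aborts the search, since parameters cannot be
 * inherited across algorithms.
 * </p>
 *
 * @param certs The certification path, end certificate first.
 * @param index The index of the certificate whose public key should be
 *              completed with DSA parameters.
 * @return The public key of the certificate in list position
 *         <code>index</code>, extended with DSA parameters if applicable.
 * @throws CertPathValidatorException if the DSA parameters cannot be
 *         inherited (no ancestor carries them, or a non-DSA key sits in
 *         between).
 * @throws RuntimeException if the "BC" DSA <code>KeyFactory</code> is
 *         unavailable or rejects the assembled key spec; the original
 *         exception is preserved as the cause.
 */
protected static PublicKey getNextWorkingKey(List certs, int index)
    throws CertPathValidatorException
{
    Certificate cert = (Certificate)certs.get(index);
    PublicKey pubKey = cert.getPublicKey();
    if (!(pubKey instanceof DSAPublicKey))
    {
        return pubKey;
    }
    DSAPublicKey dsaPubKey = (DSAPublicKey)pubKey;
    if (dsaPubKey.getParams() != null)
    {
        return dsaPubKey;
    }

    // walk towards the trust anchor until a DSA key with parameters is found
    for (int i = index + 1; i < certs.size(); i++)
    {
        X509Certificate parentCert = (X509Certificate)certs.get(i);
        pubKey = parentCert.getPublicKey();
        if (!(pubKey instanceof DSAPublicKey))
        {
            throw new CertPathValidatorException(
                "DSA parameters cannot be inherited from previous certificate.");
        }
        DSAPublicKey prevDSAPubKey = (DSAPublicKey)pubKey;
        if (prevDSAPubKey.getParams() == null)
        {
            // this ancestor inherits too; keep looking further up
            continue;
        }
        DSAParams dsaParams = prevDSAPubKey.getParams();
        DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec(
            dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG());
        try
        {
            KeyFactory keyFactory = KeyFactory.getInstance("DSA", "BC");
            return keyFactory.generatePublic(dsaPubKeySpec);
        }
        catch (Exception exception)
        {
            // Fix: preserve the original exception as the cause instead of
            // flattening it to its message.
            throw new RuntimeException(exception.getMessage(), exception);
        }
    }
    throw new CertPathValidatorException(
        "DSA parameters cannot be inherited from previous certificate.");
}

/**
 * Find the issuer certificates of a given certificate.
 * <p>
 * Candidates are selected by subject name only. No signature check is
 * performed here (the candidate's DSA parameters may still have to be
 * inherited), so the caller must verify each candidate before trusting it.
 * </p>
 *
 * @param cert       The certificate for which an issuer should be found.
 * @param pkixParams The builder parameters whose stores are searched.
 * @return A <code>Collection</code> of candidate issuer
 *         <code>X509Certificate</code>s. Never <code>null</code>.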
 * @throws AnnotatedException if the subject criteria cannot be set on the
 *         selector or a store lookup fails.
 */
protected static Collection findIssuerCerts(X509Certificate cert,
    ExtendedPKIXBuilderParameters pkixParams)
    throws AnnotatedException
{
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try
    {
        // match on subject == the issuer name of the certificate in hand
        selector.setSubject(cert.getIssuerX500Principal().getEncoded());
    }
    catch (IOException ex)
    {
        throw new AnnotatedException(
            "Subject criteria for certificate selector to find issuer certificate could not be set.", ex);
    }

    List candidates = new ArrayList();
    try
    {
        candidates.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getCertStores()));
        candidates.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores()));
        candidates.addAll(CertPathValidatorUtilities.findCertificates(selector, pkixParams.getAdditionalStores()));
    }
    catch (AnnotatedException e)
    {
        throw new AnnotatedException("Issuer certificate cannot be searched.", e);
    }

    // Deduplicate into a set. The candidates are deliberately NOT signature
    // checked here: DSA parameters may still be missing, so verification is
    // left to the caller once the working key is known.
    Set issuers = new HashSet();
    for (Iterator it = candidates.iterator(); it.hasNext();)
    {
        issuers.add((X509Certificate)it.next());
    }
    return issuers;
}

/**
 * Verifies the signature on <code>cert</code> with <code>publicKey</code>.
 *
 * @param cert        The certificate to verify.
 * @param publicKey   The public key the certificate is expected to be
 *                    signed with.
 * @param sigProvider The JCA provider name to perform the verification
 *                    with, or <code>null</code> to let the JCA pick one.
 * @throws GeneralSecurityException if verification fails or the algorithm
 *         or provider is unavailable.
 */
protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
    String sigProvider)
    throws GeneralSecurityException
{
    if (sigProvider != null)
    {
        cert.verify(publicKey, sigProvider);
        return;
    }
    cert.verify(publicKey);
}
}