package org.bouncycastle.jce.provider;import org.bouncycastle.asn1.ASN1EncodableVector;import org.bouncycastle.asn1.ASN1InputStream;import org.bouncycastle.asn1.ASN1Sequence;import org.bouncycastle.asn1.ASN1TaggedObject;import org.bouncycastle.asn1.DEREncodable;import org.bouncycastle.asn1.DERInteger;import org.bouncycastle.asn1.DERObject;import org.bouncycastle.asn1.DERObjectIdentifier;import org.bouncycastle.asn1.DERSequence;import org.bouncycastle.asn1.x509.BasicConstraints;import org.bouncycastle.asn1.x509.CRLDistPoint;import org.bouncycastle.asn1.x509.CRLReason;import org.bouncycastle.asn1.x509.DistributionPoint;import org.bouncycastle.asn1.x509.DistributionPointName;import org.bouncycastle.asn1.x509.GeneralName;import org.bouncycastle.asn1.x509.GeneralNames;import org.bouncycastle.asn1.x509.GeneralSubtree;import org.bouncycastle.asn1.x509.IssuingDistributionPoint;import org.bouncycastle.asn1.x509.NameConstraints;import org.bouncycastle.asn1.x509.PolicyInformation;import org.bouncycastle.asn1.x509.X509Extensions;import org.bouncycastle.asn1.x509.X509Name;import org.bouncycastle.jce.exception.ExtCertPathValidatorException;import org.bouncycastle.util.Arrays;import org.bouncycastle.x509.ExtendedPKIXBuilderParameters;import org.bouncycastle.x509.ExtendedPKIXParameters;import org.bouncycastle.x509.X509CRLStoreSelector;import org.bouncycastle.x509.X509CertStoreSelector;import java.io.IOException;import java.math.BigInteger;import java.security.GeneralSecurityException;import java.security.PublicKey;import java.security.cert.CertPath;import java.security.cert.CertPathBuilder;import java.security.cert.CertPathBuilderException;import java.security.cert.CertPathValidatorException;import java.security.cert.CertificateExpiredException;import java.security.cert.CertificateNotYetValidException;import java.security.cert.PKIXCertPathChecker;import java.security.cert.X509CRL;import java.security.cert.X509Certificate;import java.security.cert.X509Extension;import 
java.util.ArrayList;import java.util.Collection;import java.util.Date;import java.util.Enumeration;import java.util.HashMap;import java.util.HashSet;import java.util.Iterator;import java.util.List;import java.util.Map;import java.util.Set;import java.util.Vector;import javax.security.auth.x500.X500Principal;public class RFC3280CertPathUtilities{ /** * If the complete CRL includes an issuing distribution point (IDP) CRL * extension check the following: * <p/> * (i) If the distribution point name is present in the IDP CRL extension * and the distribution field is present in the DP, then verify that one of * the names in the IDP matches one of the names in the DP. If the * distribution point name is present in the IDP CRL extension and the * distribution field is omitted from the DP, then verify that one of the * names in the IDP matches one of the names in the cRLIssuer field of the * DP. * </p> * <p/> * (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL * extension, verify that the certificate does not include the basic * constraints extension with the cA boolean asserted. * </p> * <p/> * (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL * extension, verify that the certificate includes the basic constraints * extension with the cA boolean asserted. * </p> * <p/> * (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted. * </p> * * @param dp The distribution point. * @param cert The certificate. * @param crl The CRL. * @throws AnnotatedException if one of the conditions is not met or an error occurs. 
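*/
    protected static void processCRLB2(
        DistributionPoint dp,
        Object cert,
        X509CRL crl)
        throws AnnotatedException
    {
        IssuingDistributionPoint idp = null;
        try
        {
            idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
                RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
        }
        catch (Exception e)
        {
            throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
        }

        // Without an IDP extension none of (b)(2)(i)-(iv) applies.
        if (idp == null)
        {
            return;
        }

        // (b) (2) (i): only applies when the IDP carries a distribution point name.
        if (idp.getDistributionPoint() != null)
        {
            List idpNames = collectIdpNames(idp.getDistributionPoint(), crl);

            GeneralName[] candidates;
            if (dp.getDistributionPoint() != null)
            {
                // distributionPoint present in the DP: one of its names must match.
                candidates = distributionPointNames(dp, cert);
            }
            else
            {
                // distributionPoint omitted: one of the cRLIssuer names must match instead.
                if (dp.getCRLIssuer() == null)
                {
                    throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must "
                        + "be contained in DistributionPoint.");
                }
                candidates = dp.getCRLIssuer().getNames();
            }

            if (!containsAnyName(idpNames, candidates))
            {
                throw new AnnotatedException(
                    "No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point.");
            }
        }

        BasicConstraints bc = null;
        try
        {
            bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue((X509Extension)cert,
                BASIC_CONSTRAINTS));
        }
        catch (Exception e)
        {
            throw new AnnotatedException("Basic constraints extension could not be decoded.", e);
        }

        if (cert instanceof X509Certificate)
        {
            // A certificate counts as a CA certificate only when basic constraints is
            // present with the cA boolean asserted.
            boolean isCA = bc != null && bc.isCA();

            // (b) (2) (ii)
            if (idp.onlyContainsUserCerts() && isCA)
            {
                throw new AnnotatedException("CA Cert CRL only contains user certificates.");
            }

            // (b) (2) (iii)
            if (idp.onlyContainsCACerts() && !isCA)
            {
                throw new AnnotatedException("End CRL only contains CA certificates.");
            }
        }

        // (b) (2) (iv)
        if (idp.onlyContainsAttributeCerts())
        {
            throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted.");
        }
    }

    /**
     * Collects the names carried by the IDP distribution point name. A full
     * name contributes each of its GeneralNames; a name relative to the CRL
     * issuer contributes the CRL issuer DN with the relative RDN appended.
     *
     * @param dpName The distribution point name from the IDP extension.
     * @param crl The CRL whose issuer is the base of a relative name.
     * @return The list of GeneralNames to match against.
     * @throws AnnotatedException if the CRL issuer name cannot be parsed.
     */
    private static List collectIdpNames(DistributionPointName dpName, X509CRL crl)
        throws AnnotatedException
    {
        List names = new ArrayList();
        if (dpName.getType() == DistributionPointName.FULL_NAME)
        {
            GeneralName[] genNames = GeneralNames.getInstance(dpName.getName()).getNames();
            for (int j = 0; j < genNames.length; j++)
            {
                names.add(genNames[j]);
            }
        }
        if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
        {
            ASN1Sequence crlIssuer = issuerNameSequence(CertPathValidatorUtilities.getIssuerPrincipal(crl),
                "Could not read CRL issuer.");
            names.add(appendRelativeName(crlIssuer, dpName.getName()));
        }
        return names;
    }

    /**
     * Resolves the names of the certificate's distribution point. A full name
     * is returned as is; a name relative to the CRL issuer is appended to each
     * cRLIssuer name, or to the certificate issuer when cRLIssuer is absent.
     *
     * @param dp The distribution point (its distributionPoint field must be present).
     * @param cert The certificate or attribute certificate.
     * @return The resolved names, or <code>null</code> if the name type is unknown.
     * @throws AnnotatedException if a base name is not a directory name or cannot be parsed.
     */
    private static GeneralName[] distributionPointNames(DistributionPoint dp, Object cert)
        throws AnnotatedException
    {
        DistributionPointName dpName = dp.getDistributionPoint();
        if (dpName.getType() == DistributionPointName.FULL_NAME)
        {
            return GeneralNames.getInstance(dpName.getName()).getNames();
        }
        if (dpName.getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
        {
            GeneralName[] bases;
            if (dp.getCRLIssuer() != null)
            {
                bases = dp.getCRLIssuer().getNames();
            }
            else
            {
                ASN1Sequence certIssuer = issuerNameSequence(
                    CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert), "Could not read certificate issuer.");
                bases = new GeneralName[]{ new GeneralName(new X509Name(certIssuer)) };
            }

            GeneralName[] resolved = new GeneralName[bases.length];
            for (int j = 0; j < bases.length; j++)
            {
                // A relative RDN can only be appended to a distinguished name. Any other
                // cRLIssuer name form (URI, DNS name, ...) is not a SEQUENCE of RDNs and
                // would otherwise escape as an unchecked exception from getInstance.
                if (bases[j].getTagNo() != GeneralName.directoryName)
                {
                    throw new AnnotatedException(
                        "cRLIssuer of distribution point with relative name is not a directory name.");
                }
                ASN1Sequence base = ASN1Sequence.getInstance(bases[j].getName().getDERObject());
                resolved[j] = appendRelativeName(base, dpName.getName());
            }
            return resolved;
        }
        return null;
    }

    /**
     * Builds a directoryName GeneralName from a base DN with one RDN appended.
     *
     * @param baseName The SEQUENCE of RDNs of the base distinguished name.
     * @param relativeName The RDN taken from a nameRelativeToCRLIssuer choice.
     * @return The combined name.
     */
    private static GeneralName appendRelativeName(ASN1Sequence baseName, DEREncodable relativeName)
    {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        Enumeration e = baseName.getObjects();
        while (e.hasMoreElements())
        {
            vec.add((DEREncodable)e.nextElement());
        }
        vec.add(relativeName);
        return new GeneralName(new X509Name(new DERSequence(vec)));
    }

    /**
     * Decodes an X.500 principal into the ASN.1 SEQUENCE of its RDNs.
     *
     * @param principal The DER-encoded name.
     * @param failureMessage The message used if the encoding cannot be parsed.
     * @throws AnnotatedException wrapping the parse error.
     */
    private static ASN1Sequence issuerNameSequence(X500Principal principal, String failureMessage)
        throws AnnotatedException
    {
        try
        {
            return ASN1Sequence.getInstance(ASN1Sequence.fromByteArray(principal.getEncoded()));
        }
        catch (IOException e)
        {
            throw new AnnotatedException(failureMessage, e);
        }
    }

    /**
     * Returns whether at least one of <code>candidates</code> is contained in
     * <code>names</code> (by GeneralName equality).
     *
     * @param names The names from the IDP.
     * @param candidates The names from the DP, may be <code>null</code>.
     */
    private static boolean containsAnyName(List names, GeneralName[] candidates)
    {
        if (candidates == null)
        {
            return false;
        }
        for (int j = 0; j < candidates.length; j++)
        {
            if (names.contains(candidates[j]))
            {
                return true;
            }
        }
        return false;
    }

    /**
     * If the DP includes cRLIssuer, then verify that the issuer field in the
     * complete CRL matches cRLIssuer in the DP and that the complete CRL
     * contains an issuing distribution point extension with the indirectCRL
     * boolean asserted. Otherwise, verify that the CRL issuer matches the
     * certificate issuer.
     *
     * @param dp The distribution point.
     * @param cert The certificate or attribute certificate.
     * @param crl The CRL for <code>cert</code>.
     * @throws AnnotatedException if one of the above conditions does not apply or an error
     * occurs.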
*/
    protected static void processCRLB1(
        DistributionPoint dp,
        Object cert,
        X509CRL crl)
        throws AnnotatedException
    {
        DERObject idp = CertPathValidatorUtilities.getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
        // Only a CRL whose IDP asserts indirectCRL may be issued by someone other than the cert issuer.
        boolean isIndirect = idp != null && IssuingDistributionPoint.getInstance(idp).isIndirectCRL();

        X500Principal crlIssuer = CertPathValidatorUtilities.getIssuerPrincipal(crl);
        byte[] issuerBytes = crlIssuer.getEncoded();

        if (dp.getCRLIssuer() == null)
        {
            // No cRLIssuer in the DP: the CRL has to come from the certificate issuer itself.
            if (!crlIssuer.equals(CertPathValidatorUtilities.getEncodedIssuerPrincipal(cert)))
            {
                throw new AnnotatedException("Cannot find matching CRL issuer for certificate.");
            }
            return;
        }

        // cRLIssuer present: the CRL issuer must equal (by DER encoding) one of its directory names.
        boolean matchIssuer = false;
        GeneralName[] issuerNames = dp.getCRLIssuer().getNames();
        for (int j = 0; j < issuerNames.length; j++)
        {
            if (issuerNames[j].getTagNo() != GeneralName.directoryName)
            {
                continue;
            }
            try
            {
                byte[] candidate = issuerNames[j].getName().getDERObject().getEncoded();
                if (Arrays.areEqual(candidate, issuerBytes))
                {
                    matchIssuer = true;
                }
            }
            catch (IOException e)
            {
                throw new AnnotatedException(
                    "CRL issuer information from distribution point cannot be decoded.", e);
            }
        }

        if (matchIssuer && !isIndirect)
        {
            throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect.");
        }
        if (!matchIssuer)
        {
            throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point.");
        }
    }

    protected static ReasonsMask processCRLD(
        X509CRL crl,
        DistributionPoint dp)
        throws AnnotatedException
    {