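IssuingDistributionPoint idp = null;
try {
    idp = IssuingDistributionPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl,
        RFC3280CertPathUtilities.ISSUING_DISTRIBUTION_POINT));
} catch (Exception e) {
    // Any decoding failure of the (attacker-supplied) CRL extension is reported as a
    // validation error instead of escaping as an unchecked exception.
    throw new AnnotatedException("Issuing distribution point extension could not be decoded.", e);
}
// (d) (1): both the distribution point and the IDP restrict the reasons
if (idp != null && idp.getOnlySomeReasons() != null && dp.getReasons() != null) {
    return new ReasonsMask(dp.getReasons().intValue()).intersect(new ReasonsMask(idp.getOnlySomeReasons()
        .intValue()));
}
// (d) (4): neither side restricts the reasons
if ((idp == null || idp.getOnlySomeReasons() == null) && dp.getReasons() == null) {
    return ReasonsMask.allReasons;
}
// (d) (2) and (d)(3): exactly one side restricts the reasons.
// NOTE(review): when idp != null but idp.getOnlySomeReasons() == null (with
// dp.getReasons() != null) this line dereferences idp.getOnlySomeReasons() and
// throws NullPointerException; the right-hand test should be
// `idp == null || idp.getOnlySomeReasons() == null`. Left unchanged here because
// the start of this method is outside this listing.
return (dp.getReasons() == null ? ReasonsMask.allReasons : new ReasonsMask(dp.getReasons().intValue()))
    .intersect(idp == null ? ReasonsMask.allReasons : new ReasonsMask(idp.getOnlySomeReasons().intValue()));
}

// Extension OIDs consulted during path / CRL validation.
protected static final String CERTIFICATE_POLICIES = X509Extensions.CertificatePolicies.getId();
protected static final String POLICY_MAPPINGS = X509Extensions.PolicyMappings.getId();
protected static final String INHIBIT_ANY_POLICY = X509Extensions.InhibitAnyPolicy.getId();
protected static final String ISSUING_DISTRIBUTION_POINT = X509Extensions.IssuingDistributionPoint.getId();
protected static final String FRESHEST_CRL = X509Extensions.FreshestCRL.getId();
protected static final String DELTA_CRL_INDICATOR = X509Extensions.DeltaCRLIndicator.getId();
protected static final String POLICY_CONSTRAINTS = X509Extensions.PolicyConstraints.getId();
protected static final String BASIC_CONSTRAINTS = X509Extensions.BasicConstraints.getId();
protected static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId();
protected static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();
protected static final String NAME_CONSTRAINTS = X509Extensions.NameConstraints.getId();
protected static final String AUTHORITY_KEY_IDENTIFIER = X509Extensions.AuthorityKeyIdentifier.getId();
protected static final String KEY_USAGE = X509Extensions.KeyUsage.getId();
protected static final String CRL_NUMBER = X509Extensions.CRLNumber.getId();
/** OID of the special anyPolicy certificate policy (id-ce-certificatePolicies 0). */
protected static final String ANY_POLICY = "2.5.29.32.0";

/*
 * key usage bits: indices into the boolean[] returned by X509Certificate.getKeyUsage()
 */
protected static final int KEY_CERT_SIGN = 5;
protected static final int CRL_SIGN = 6;

/**
 * Obtain and validate the certification path for the complete CRL issuer.
 * If a key usage extension is present in the CRL issuer's certificate,
 * verify that the cRLSign bit is set.
 * <p>
 * Candidate CRL signers are every certificate in the configured stores whose
 * subject equals the CRL issuer name, plus <code>defaultCRLSignCert</code>.
 * The default signer is trusted without building a path (its path was already
 * validated by the caller); every other candidate must be reachable through a
 * PKIX path built from <code>paramsPKIX</code>. The resulting keys are only
 * candidates: the CRL signature itself is checked later against each of them.
 *
 * @param crl CRL which contains revocation information for the certificate
 *            <code>cert</code>.
 * @param cert The attribute certificate or certificate to check if it is
 *            revoked.
 * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>.
 *            Assumed non-null; a null value would fail with a NullPointerException
 *            when candidates are compared against it.
 * @param defaultCRLSignKey The public key of the issuer certificate
 *            <code>defaultCRLSignCert</code>.
 * @param paramsPKIX PKIX parameters.
 * @param certPathCerts The certificates on the certification path.
 * @return A <code>Set</code> with all keys of possible CRL issuer
 *         certificates.
 * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or
 *             some error occurs.
 */
protected static Set processCRLF(
    X509CRL crl,
    Object cert,
    X509Certificate defaultCRLSignCert,
    PublicKey defaultCRLSignKey,
    ExtendedPKIXParameters paramsPKIX,
    List certPathCerts)
    throws AnnotatedException
{
    // (f)
    // get issuer from CRL
    X509CertStoreSelector selector = new X509CertStoreSelector();
    try {
        byte[] issuerPrincipal = CertPathValidatorUtilities.getIssuerPrincipal(crl).getEncoded();
        selector.setSubject(issuerPrincipal);
    } catch (IOException e) {
        throw new AnnotatedException(
            "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e);
    }

    // get CRL signing certs from every configured store
    Collection coll;
    try {
        coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getStores());
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getAdditionalStores()));
        coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
    } catch (AnnotatedException e) {
        throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", e);
    }
    coll.add(defaultCRLSignCert);

    List validCerts = new ArrayList();
    List validKeys = new ArrayList();
    for (Iterator cert_it = coll.iterator(); cert_it.hasNext();) {
        X509Certificate signingCert = (X509Certificate)cert_it.next();

        /*
         * CA of the certificate, for which this CRL is checked, has also
         * signed CRL, so skip the path validation, because is already done
         */
        if (signingCert.equals(defaultCRLSignCert)) {
            validCerts.add(signingCert);
            validKeys.add(defaultCRLSignKey);
            continue;
        }

        try {
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
            selector = new X509CertStoreSelector();
            selector.setCertificate(signingCert);
            ExtendedPKIXParameters temp = (ExtendedPKIXParameters)paramsPKIX.clone();
            temp.setTargetCertConstraints(selector);
            ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters)ExtendedPKIXBuilderParameters
                .getInstance(temp);

            /*
             * if signingCert is placed not higher on the cert path a
             * dependency loop results. CRL for cert is checked, but
             * signingCert is needed for checking the CRL which is dependent
             * on checking cert because it is higher in the cert path and so
             * signing signingCert transitively. so, revocation is disabled,
             * forgery attacks of the CRL are detected in this outer loop
             * for all other it must be enabled to prevent forgery attacks
             */
            params.setRevocationEnabled(!certPathCerts.contains(signingCert));

            // Build (and thereby validate) a path for the candidate; its
            // working public key is taken from the built path, not from the
            // candidate certificate found in the (possibly untrusted) store.
            List certs = builder.build(params).getCertPath().getCertificates();
            validCerts.add(signingCert);
            validKeys.add(CertPathValidatorUtilities.getNextWorkingKey(certs, 0));
        } catch (CertPathBuilderException e) {
            // NOTE(review): a single store entry with the CRL issuer's name but no
            // valid path aborts the whole check instead of being skipped; the
            // message is also misleading, as this is a path-building failure.
            throw new AnnotatedException("Internal error.", e);
        } catch (CertPathValidatorException e) {
            throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", e);
        } catch (Exception e) {
            // Provider lookup / parameter errors: keep the original exception as
            // the cause so the failure can be diagnosed.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    Set checkKeys = new HashSet();
    AnnotatedException lastException = null;
    for (int i = 0; i < validCerts.size(); i++) {
        X509Certificate signCert = (X509Certificate)validCerts.get(i);
        boolean[] keyusage = signCert.getKeyUsage();
        // A key usage extension, when present, must assert cRLSign; a short
        // array (bit 6 absent) counts as not asserted.
        if (keyusage != null && (keyusage.length <= CRL_SIGN || !keyusage[CRL_SIGN])) {
            lastException = new AnnotatedException(
                "Issuer certificate key usage extension does not permit CRL signing.");
        } else {
            checkKeys.add(validKeys.get(i));
        }
    }

    if (checkKeys.isEmpty()) {
        if (lastException != null) {
            throw lastException;
        }
        throw new AnnotatedException("Cannot find a valid issuer certificate.");
    }
    return checkKeys;
}

/**
 * Verify the signature on <code>crl</code> against each candidate CRL signer key.
 *
 * @param crl  The CRL whose signature is checked.
 * @param keys Candidate public keys (normally the result of {@link #processCRLF}).
 * @return The first key in iteration order under which the signature verifies.
 * @throws AnnotatedException if no key verifies the CRL; the cause is the last
 *             verification failure seen.
 */
protected static PublicKey processCRLG(
    X509CRL crl,
    Set keys)
    throws AnnotatedException
{
    Exception lastException = null;
    for (Iterator it = keys.iterator(); it.hasNext();) {
        PublicKey key = (PublicKey)it.next();
        try {
            crl.verify(key);
            return key;
        } catch (Exception e) {
            lastException = e;
        }
    }
    throw new AnnotatedException("Cannot verify CRL.", lastException);
}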
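/**
 * Pick the delta CRL whose signature verifies under <code>key</code>.
 *
 * @param deltacrls Candidate delta CRLs; may be empty.
 * @param key       The public key that verified the complete CRL.
 * @return The first delta CRL (in iteration order) whose signature verifies, or
 *         <code>null</code> when <code>deltacrls</code> is empty.
 * @throws AnnotatedException if at least one candidate exists but none verifies;
 *             the cause is the last verification failure seen.
 */
protected static X509CRL processCRLH(
    Set deltacrls,
    PublicKey key)
    throws AnnotatedException
{
    Exception lastException = null;
    for (Iterator it = deltacrls.iterator(); it.hasNext();) {
        X509CRL crl = (X509CRL)it.next();
        try {
            crl.verify(key);
            return crl;
        } catch (Exception e) {
            lastException = e;
        }
    }
    if (lastException != null) {
        throw new AnnotatedException("Cannot verify delta CRL.", lastException);
    }
    return null;
}

/**
 * Collect the delta CRLs for <code>crl</code> when delta processing is enabled.
 * <p>
 * The freshest CRL extension is taken from the certificate first and, only if
 * absent there, from the complete CRL. Its distribution points are registered
 * as additional stores before the delta CRLs are fetched.
 *
 * @param currentDate Date used when selecting delta CRLs.
 * @param paramsPKIX  PKIX parameters; consulted for <code>isUseDeltasEnabled()</code>
 *                    and extended with stores derived from the freshest CRL extension.
 * @param cert        The certificate being checked.
 * @param crl         The complete CRL the deltas belong to.
 * @return The delta CRLs found; empty when deltas are disabled or no freshest
 *         CRL extension is present.
 * @throws AnnotatedException if an extension cannot be decoded, no stores could
 *             be added, or the delta CRLs cannot be obtained.
 */
protected static Set processCRLA1i(
    Date currentDate,
    ExtendedPKIXParameters paramsPKIX,
    X509Certificate cert,
    X509CRL crl)
    throws AnnotatedException
{
    Set set = new HashSet();
    if (!paramsPKIX.isUseDeltasEnabled()) {
        return set;
    }

    // Both extensions come from data under the control of whoever supplied the
    // certificate / CRL, so every decoding failure (not only AnnotatedException)
    // is turned into a validation error, as is done for the issuing
    // distribution point extension.
    CRLDistPoint freshestCRL = null;
    try {
        freshestCRL = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, FRESHEST_CRL));
    } catch (Exception e) {
        throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", e);
    }
    if (freshestCRL == null) {
        try {
            freshestCRL = CRLDistPoint.getInstance(CertPathValidatorUtilities.getExtensionValue(crl, FRESHEST_CRL));
        } catch (Exception e) {
            throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", e);
        }
    }

    if (freshestCRL != null) {
        try {
            CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(freshestCRL, paramsPKIX);
        } catch (AnnotatedException e) {
            throw new AnnotatedException(
                "No new delta CRL locations could be added from Freshest CRL extension.", e);
        }
        // get delta CRL(s)
        try {
            set.addAll(CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl));
        } catch (AnnotatedException e) {
            throw new AnnotatedException("Exception obtaining delta CRLs.", e);
        }
    }
    return set;
}

/*
 * processCRLA1ii continues beyond this listing; only its opening statements are
 * visible here and they are left as in the original.
 */
protected static Set[] processCRLA1ii(
    Date currentDate,
    ExtendedPKIXParameters paramsPKIX,
    X509Certificate cert,
    X509CRL crl)
    throws AnnotatedException
{
    Set completeSet = new HashSet();
    Set deltaSet = new HashSet();
    X509CRLStoreSelector crlselect = new X509CRLStoreSelector();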
crlselect.setCertificateChecking(cert); if (paramsPKIX.getDate() != null) { crlselect.setDateAndTime(paramsPKIX.getDate()); } else { crlselect.setDateAndTime(currentDate); }