| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /** |
| * @author Alexander Y. Kleymenov |
| * @version $Revision$ |
| */ |
| |
| package org.apache.harmony.security.provider.cert; |
| |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.math.BigInteger; |
| import java.security.InvalidKeyException; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.NoSuchProviderException; |
| import java.security.Principal; |
| import java.security.PublicKey; |
| import java.security.Signature; |
| import java.security.SignatureException; |
| import java.security.cert.CRLException; |
| import java.security.cert.Certificate; |
| import java.security.cert.X509CRL; |
| import java.security.cert.X509CRLEntry; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.Date; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Set; |
| import javax.security.auth.x500.X500Principal; |
| import org.apache.harmony.security.utils.AlgNameMapper; |
| import org.apache.harmony.security.x509.CertificateList; |
| import org.apache.harmony.security.x509.Extension; |
| import org.apache.harmony.security.x509.Extensions; |
| import org.apache.harmony.security.x509.TBSCertList; |
| |
| /** |
| * This class is an implementation of X509CRL. It wraps |
| * the instance of org.apache.harmony.security.x509.CertificateList |
| * built on the base of provided ASN.1 DER encoded form of |
| * CertificateList structure (as specified in RFC 3280 |
| * http://www.ietf.org/rfc/rfc3280.txt). |
| * Implementation supports work with indirect CRLs. |
| * @see org.apache.harmony.security.x509.CertificateList |
| * @see java.security.cert.X509CRL |
| */ |
| public class X509CRLImpl extends X509CRL { |
| |
| // the core object to be wrapped in X509CRL |
| private final CertificateList crl; |
| |
| // To speed up access to the info, the following fields |
| // cache values retrieved from the CertificateList object |
| private final TBSCertList tbsCertList; |
| private byte[] tbsCertListEncoding; |
| private final Extensions extensions; |
| private X500Principal issuer; |
| private ArrayList entries; |
| private int entriesSize; |
| private byte[] signature; |
| private String sigAlgOID; |
| private String sigAlgName; |
| private byte[] sigAlgParams; |
| |
| // encoded form of crl |
| private byte[] encoding; |
| |
| // indicates whether the signature algorithm parameters are null |
| private boolean nullSigAlgParams; |
| // indicates whether the crl entries have already been retrieved |
| // from CertificateList object (crl) |
| private boolean entriesRetrieved; |
| |
| // indicates whether this X.509 CRL is direct or indirect |
| // (see rfc 3280 http://www.ietf.org/rfc/rfc3280.txt, p 5.) |
| private boolean isIndirectCRL; |
| // if crl is indirect, this field holds an info about how |
| // many of the leading certificates in the list are issued |
| // by the same issuer as CRL. |
| private int nonIndirectEntriesSize; |
| |
| /** |
| * Creates X.509 CRL by wrapping of the specified CertificateList object. |
| */ |
| public X509CRLImpl(CertificateList crl) { |
| this.crl = crl; |
| this.tbsCertList = crl.getTbsCertList(); |
| this.extensions = tbsCertList.getCrlExtensions(); |
| } |
| |
| /** |
| * Creates X.509 CRL on the base of ASN.1 DER encoded form of |
| * the CRL (CertificateList structure described in RFC 3280) |
| * provided via input stream. |
| * @throws CRLException if decoding errors occur. |
| */ |
| public X509CRLImpl(InputStream in) throws CRLException { |
| try { |
| // decode CertificateList structure |
| this.crl = (CertificateList) CertificateList.ASN1.decode(in); |
| this.tbsCertList = crl.getTbsCertList(); |
| this.extensions = tbsCertList.getCrlExtensions(); |
| } catch (IOException e) { |
| throw new CRLException(e); |
| } |
| } |
| |
| /** |
| * Creates X.509 CRL on the base of ASN.1 DER encoded form of |
| * the CRL (CertificateList structure described in RFC 3280) |
| * provided via array of bytes. |
| * @throws IOException if decoding errors occur. |
| */ |
| public X509CRLImpl(byte[] encoding) throws IOException { |
| this((CertificateList) CertificateList.ASN1.decode(encoding)); |
| } |
| |
| // --------------------------------------------------------------------- |
| // ----- java.security.cert.X509CRL abstract method implementations ---- |
| // --------------------------------------------------------------------- |
| |
| /** |
| * @see java.security.cert.X509CRL#getEncoded() |
| * method documentation for more info |
| */ |
| public byte[] getEncoded() throws CRLException { |
| if (encoding == null) { |
| encoding = crl.getEncoded(); |
| } |
| byte[] result = new byte[encoding.length]; |
| System.arraycopy(encoding, 0, result, 0, encoding.length); |
| return result; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getVersion() |
| * method documentation for more info |
| */ |
| public int getVersion() { |
| return tbsCertList.getVersion(); |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getIssuerDN() |
| * method documentation for more info |
| */ |
| public Principal getIssuerDN() { |
| if (issuer == null) { |
| issuer = tbsCertList.getIssuer().getX500Principal(); |
| } |
| return issuer; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getIssuerX500Principal() |
| * method documentation for more info |
| */ |
| public X500Principal getIssuerX500Principal() { |
| if (issuer == null) { |
| issuer = tbsCertList.getIssuer().getX500Principal(); |
| } |
| return issuer; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getThisUpdate() |
| * method documentation for more info |
| */ |
| public Date getThisUpdate() { |
| return tbsCertList.getThisUpdate(); |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getNextUpdate() |
| * method documentation for more info |
| */ |
| public Date getNextUpdate() { |
| return tbsCertList.getNextUpdate(); |
| } |
| |
| /* |
| * Retrieves the crl entries (TBSCertList.RevokedCertificate objects) |
| * from the TBSCertList structure and converts them to the |
| * X509CRLEntryImpl objects |
| */ |
| private void retrieveEntries() { |
| entriesRetrieved = true; |
| List rcerts = tbsCertList.getRevokedCertificates(); |
| if (rcerts == null) { |
| return; |
| } |
| entriesSize = rcerts.size(); |
| entries = new ArrayList(entriesSize); |
| // null means that revoked certificate issuer is the same as CRL issuer |
| X500Principal rcertIssuer = null; |
| for (int i=0; i<entriesSize; i++) { |
| TBSCertList.RevokedCertificate rcert = |
| (TBSCertList.RevokedCertificate) rcerts.get(i); |
| X500Principal iss = rcert.getIssuer(); |
| if (iss != null) { |
| // certificate issuer differs from CRL issuer |
| // and CRL is indirect. |
| rcertIssuer = iss; |
| isIndirectCRL = true; |
| // remember how many leading revoked certificates in the |
| // list are issued by the same issuer as issuer of CRL |
| // (these certificates are first in the list) |
| nonIndirectEntriesSize = i; |
| } |
| entries.add(new X509CRLEntryImpl(rcert, rcertIssuer)); |
| } |
| } |
| |
| /** |
| * Searches for certificate in CRL. |
| * This method supports indirect CRLs: if CRL is indirect method takes |
| * into account serial number and issuer of the certificate, |
| * if CRL issued by CA (i.e. it is not indirect) search is done only |
| * by serial number of the specified certificate. |
| * @see java.security.cert.X509CRL#getRevokedCertificate(X509Certificate) |
| * method documentation for more info |
| */ |
| public X509CRLEntry getRevokedCertificate(X509Certificate certificate) { |
| if (certificate == null) { |
| throw new NullPointerException(); |
| } |
| if (!entriesRetrieved) { |
| retrieveEntries(); |
| } |
| if (entries == null) { |
| return null; |
| } |
| BigInteger serialN = certificate.getSerialNumber(); |
| if (isIndirectCRL) { |
| // search in indirect crl |
| X500Principal certIssuer = certificate.getIssuerX500Principal(); |
| if (certIssuer.equals(getIssuerX500Principal())) { |
| // certificate issuer is CRL issuer |
| certIssuer = null; |
| } |
| for (int i=0; i<entriesSize; i++) { |
| X509CRLEntry entry = (X509CRLEntry) entries.get(i); |
| // check the serial number of revoked certificate |
| if (serialN.equals(entry.getSerialNumber())) { |
| // revoked certificate issuer |
| X500Principal iss = entry.getCertificateIssuer(); |
| // check the issuer of revoked certificate |
| if (certIssuer != null) { |
| // certificate issuer is not a CRL issuer, so |
| // check issuers for equality |
| if (certIssuer.equals(iss)) { |
| return entry; |
| } |
| } else if (iss == null) { |
| // both certificates was issued by CRL issuer |
| return entry; |
| } |
| } |
| } |
| } else { |
| // search in CA's (non indirect) crl: just look up the serial number |
| for (int i=0; i<entriesSize; i++) { |
| X509CRLEntry entry = (X509CRLEntry) entries.get(i); |
| if (serialN.equals(entry.getSerialNumber())) { |
| return entry; |
| } |
| } |
| } |
| return null; |
| } |
| |
| /** |
| * Method searches for CRL entry with specified serial number. |
| * The method will search only certificate issued by CRL's issuer. |
| * @see java.security.cert.X509CRL#getRevokedCertificate(BigInteger) |
| * method documentation for more info |
| */ |
| public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) { |
| if (!entriesRetrieved) { |
| retrieveEntries(); |
| } |
| if (entries == null) { |
| return null; |
| } |
| for (int i=0; i<nonIndirectEntriesSize; i++) { |
| X509CRLEntry entry = (X509CRLEntry) entries.get(i); |
| if (serialNumber.equals(entry.getSerialNumber())) { |
| return entry; |
| } |
| } |
| return null; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getRevokedCertificates() |
| * method documentation for more info |
| */ |
| public Set<? extends X509CRLEntry> getRevokedCertificates() { |
| if (!entriesRetrieved) { |
| retrieveEntries(); |
| } |
| if (entries == null) { |
| return null; |
| } |
| return new HashSet(entries); |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getTBSCertList() |
| * method documentation for more info |
| */ |
| public byte[] getTBSCertList() throws CRLException { |
| if (tbsCertListEncoding == null) { |
| tbsCertListEncoding = tbsCertList.getEncoded(); |
| } |
| byte[] result = new byte[tbsCertListEncoding.length]; |
| System.arraycopy(tbsCertListEncoding, 0, |
| result, 0, tbsCertListEncoding.length); |
| return result; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getSignature() |
| * method documentation for more info |
| */ |
| public byte[] getSignature() { |
| if (signature == null) { |
| signature = crl.getSignatureValue(); |
| } |
| byte[] result = new byte[signature.length]; |
| System.arraycopy(signature, 0, result, 0, signature.length); |
| return result; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getSigAlgName() |
| * method documentation for more info |
| */ |
| public String getSigAlgName() { |
| if (sigAlgOID == null) { |
| sigAlgOID = tbsCertList.getSignature().getAlgorithm(); |
| sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID); |
| if (sigAlgName == null) { |
| sigAlgName = sigAlgOID; |
| } |
| } |
| return sigAlgName; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getSigAlgOID() |
| * method documentation for more info |
| */ |
| public String getSigAlgOID() { |
| if (sigAlgOID == null) { |
| sigAlgOID = tbsCertList.getSignature().getAlgorithm(); |
| sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID); |
| if (sigAlgName == null) { |
| sigAlgName = sigAlgOID; |
| } |
| } |
| return sigAlgOID; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#getSigAlgParams() |
| * method documentation for more info |
| */ |
| public byte[] getSigAlgParams() { |
| if (nullSigAlgParams) { |
| return null; |
| } |
| if (sigAlgParams == null) { |
| sigAlgParams = tbsCertList.getSignature().getParameters(); |
| if (sigAlgParams == null) { |
| nullSigAlgParams = true; |
| return null; |
| } |
| } |
| return sigAlgParams; |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#verify(PublicKey key) |
| * method documentation for more info |
| */ |
| public void verify(PublicKey key) |
| throws CRLException, NoSuchAlgorithmException, |
| InvalidKeyException, NoSuchProviderException, |
| SignatureException { |
| Signature signature = Signature.getInstance(getSigAlgName()); |
| signature.initVerify(key); |
| byte[] tbsEncoding = tbsCertList.getEncoded(); |
| signature.update(tbsEncoding, 0, tbsEncoding.length); |
| if (!signature.verify(crl.getSignatureValue())) { |
| throw new SignatureException("Signature was not verified"); |
| } |
| } |
| |
| /** |
| * @see java.security.cert.X509CRL#verify(PublicKey key, String sigProvider) |
| * method documentation for more info |
| */ |
| public void verify(PublicKey key, String sigProvider) |
| throws CRLException, NoSuchAlgorithmException, |
| InvalidKeyException, NoSuchProviderException, |
| SignatureException { |
| Signature signature = Signature.getInstance( |
| getSigAlgName(), sigProvider); |
| signature.initVerify(key); |
| byte[] tbsEncoding = tbsCertList.getEncoded(); |
| signature.update(tbsEncoding, 0, tbsEncoding.length); |
| if (!signature.verify(crl.getSignatureValue())) { |
| throw new SignatureException("Signature was not verified"); |
| } |
| } |
| |
| // --------------------------------------------------------------------- |
| // ------ java.security.cert.CRL abstract method implementations ------- |
| // --------------------------------------------------------------------- |
| |
| /** |
| * @see java.security.cert.CRL#isRevoked(Certificate) |
| * method documentation for more info |
| */ |
| public boolean isRevoked(Certificate cert) { |
| if (!(cert instanceof X509Certificate)) { |
| return false; |
| } |
| return getRevokedCertificate((X509Certificate) cert) != null; |
| } |
| |
| /** |
| * @see java.security.cert.CRL#toString() |
| * method documentation for more info |
| */ |
| public String toString() { |
| return crl.toString(); |
| } |
| |
| // --------------------------------------------------------------------- |
| // ------ java.security.cert.X509Extension method implementations ------ |
| // --------------------------------------------------------------------- |
| |
| /** |
| * @see java.security.cert.X509Extension#getNonCriticalExtensionOIDs() |
| * method documentation for more info |
| */ |
| public Set getNonCriticalExtensionOIDs() { |
| if (extensions == null) { |
| return null; |
| } |
| return extensions.getNonCriticalExtensions(); |
| } |
| |
| /** |
| * @see java.security.cert.X509Extension#getCriticalExtensionOIDs() |
| * method documentation for more info |
| */ |
| public Set getCriticalExtensionOIDs() { |
| if (extensions == null) { |
| return null; |
| } |
| return extensions.getCriticalExtensions(); |
| } |
| |
| /** |
| * @see java.security.cert.X509Extension#getExtensionValue(String) |
| * method documentation for more info |
| */ |
| public byte[] getExtensionValue(String oid) { |
| if (extensions == null) { |
| return null; |
| } |
| Extension ext = extensions.getExtensionByOID(oid); |
| return (ext == null) ? null : ext.getRawExtnValue(); |
| } |
| |
| /** |
| * @see java.security.cert.X509Extension#hasUnsupportedCriticalExtension() |
| * method documentation for more info |
| */ |
| public boolean hasUnsupportedCriticalExtension() { |
| if (extensions == null) { |
| return false; |
| } |
| return extensions.hasUnsupportedCritical(); |
| } |
| } |
