1 /*
2 * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.InputStream;
29 import java.io.OutputStream;
30 import java.io.IOException;
31 import java.math.BigInteger;
32 import java.security.Principal;
33 import java.security.PublicKey;
34 import java.security.PrivateKey;
35 import java.security.Provider;
36 import java.security.Signature;
37 import java.security.NoSuchAlgorithmException;
38 import java.security.InvalidKeyException;
39 import java.security.NoSuchProviderException;
40 import java.security.SignatureException;
41 import java.security.cert.Certificate;
42 import java.security.cert.X509CRL;
43 import java.security.cert.X509Certificate;
44 import java.security.cert.X509CRLEntry;
45 import java.security.cert.CRLException;
46 import java.util.*;
47
48 import javax.security.auth.x500.X500Principal;
49
50 import sun.security.provider.X509Factory;
51 import sun.security.util.*;
52 import sun.misc.HexDumpEncoder;
53
54 /**
55 * <p>
56 * An implementation for X509 CRL (Certificate Revocation List).
57 * <p>
58 * The X.509 v2 CRL format is described below in ASN.1:
59 * <pre>
60 * CertificateList ::= SEQUENCE {
61 * tbsCertList TBSCertList,
62 * signatureAlgorithm AlgorithmIdentifier,
63 * signature BIT STRING }
64 * </pre>
65 * More information can be found in
66 * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
67 * Public Key Infrastructure Certificate and CRL Profile</a>.
68 * <p>
69 * The ASN.1 definition of <code>tbsCertList</code> is:
70 * <pre>
71 * TBSCertList ::= SEQUENCE {
72 * version Version OPTIONAL,
73 * -- if present, must be v2
74 * signature AlgorithmIdentifier,
75 * issuer Name,
76 * thisUpdate ChoiceOfTime,
77 * nextUpdate ChoiceOfTime OPTIONAL,
78 * revokedCertificates SEQUENCE OF SEQUENCE {
79 * userCertificate CertificateSerialNumber,
80 * revocationDate ChoiceOfTime,
81 * crlEntryExtensions Extensions OPTIONAL
82 * -- if present, must be v2
83 * } OPTIONAL,
84 * crlExtensions [0] EXPLICIT Extensions OPTIONAL
85 * -- if present, must be v2
86 * }
87 * </pre>
88 *
89 * @author Hemma Prafullchandra
90 * @see X509CRL
91 */
92 public class X509CRLImpl extends X509CRL implements DerEncoder {
93
94 // CRL data, and its envelope
95 private byte[] signedCRL = null; // DER encoded crl
96 private byte[] signature = null; // raw signature bits
97 private byte[] tbsCertList = null; // DER encoded "to-be-signed" CRL
98 private AlgorithmId sigAlgId = null; // sig alg in CRL
99
100 // crl information
101 private int version;
102 private AlgorithmId infoSigAlgId; // sig alg in "to-be-signed" crl
103 private X500Name issuer = null;
104 private X500Principal issuerPrincipal = null;
105 private Date thisUpdate = null;
106 private Date nextUpdate = null;
107 private Map<X509IssuerSerial,X509CRLEntry> revokedMap = new TreeMap<>();
108 private List<X509CRLEntry> revokedList = new LinkedList<>();
109 private CRLExtensions extensions = null;
110 private final static boolean isExplicit = true;
111 private static final long YR_2050 = 2524636800000L;
112
113 private boolean readOnly = false;
114
115 /**
116 * PublicKey that has previously been used to successfully verify
117 * the signature of this CRL. Null if the CRL has not
118 * yet been verified (successfully).
119 */
120 private PublicKey verifiedPublicKey;
121 /**
122 * If verifiedPublicKey is not null, name of the provider used to
123 * successfully verify the signature of this CRL, or the
124 * empty String if no provider was explicitly specified.
125 */
126 private String verifiedProvider;
127
128 /**
129 * Not to be used. As it would lead to cases of uninitialized
130 * CRL objects.
131 */
132 private X509CRLImpl() { }
133
134 /**
135 * Unmarshals an X.509 CRL from its encoded form, parsing the encoded
136 * bytes. This form of constructor is used by agents which
137 * need to examine and use CRL contents. Note that the buffer
138 * must include only one CRL, and no "garbage" may be left at
139 * the end.
140 *
141 * @param crlData the encoded bytes, with no trailing padding.
142 * @exception CRLException on parsing errors.
143 */
144 public X509CRLImpl(byte[] crlData) throws CRLException {
145 try {
146 parse(new DerValue(crlData));
147 } catch (IOException e) {
148 signedCRL = null;
149 throw new CRLException("Parsing error: " + e.getMessage());
150 }
151 }
152
153 /**
154 * Unmarshals an X.509 CRL from an DER value.
155 *
156 * @param val a DER value holding at least one CRL
157 * @exception CRLException on parsing errors.
158 */
159 public X509CRLImpl(DerValue val) throws CRLException {
160 try {
161 parse(val);
162 } catch (IOException e) {
163 signedCRL = null;
164 throw new CRLException("Parsing error: " + e.getMessage());
165 }
166 }
167
168 /**
169 * Unmarshals an X.509 CRL from an input stream. Only one CRL
170 * is expected at the end of the input stream.
171 *
172 * @param inStrm an input stream holding at least one CRL
173 * @exception CRLException on parsing errors.
174 */
175 public X509CRLImpl(InputStream inStrm) throws CRLException {
176 try {
177 parse(new DerValue(inStrm));
178 } catch (IOException e) {
179 signedCRL = null;
180 throw new CRLException("Parsing error: " + e.getMessage());
181 }
182 }
183
184 /**
185 * Initial CRL constructor, no revoked certs, and no extensions.
186 *
187 * @param issuer the name of the CA issuing this CRL.
188 * @param thisUpdate the Date of this issue.
189 * @param nextUpdate the Date of the next CRL.
190 */
191 public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate) {
192 this.issuer = issuer;
193 this.thisUpdate = thisDate;
194 this.nextUpdate = nextDate;
195 }
196
197 /**
198 * CRL constructor, revoked certs, no extensions.
199 *
200 * @param issuer the name of the CA issuing this CRL.
201 * @param thisUpdate the Date of this issue.
202 * @param nextUpdate the Date of the next CRL.
203 * @param badCerts the array of CRL entries.
204 *
205 * @exception CRLException on parsing/construction errors.
206 */
207 public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
208 X509CRLEntry[] badCerts)
209 throws CRLException
210 {
211 this.issuer = issuer;
212 this.thisUpdate = thisDate;
213 this.nextUpdate = nextDate;
214 if (badCerts != null) {
215 X500Principal crlIssuer = getIssuerX500Principal();
216 X500Principal badCertIssuer = crlIssuer;
217 for (int i = 0; i < badCerts.length; i++) {
218 X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
219 try {
220 badCertIssuer = getCertIssuer(badCert, badCertIssuer);
221 } catch (IOException ioe) {
222 throw new CRLException(ioe);
223 }
224 badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
225 X509IssuerSerial issuerSerial = new X509IssuerSerial
226 (badCertIssuer, badCert.getSerialNumber());
227 this.revokedMap.put(issuerSerial, badCert);
228 this.revokedList.add(badCert);
229 if (badCert.hasExtensions()) {
230 this.version = 1;
231 }
232 }
233 }
234 }
235
236 /**
237 * CRL constructor, revoked certs and extensions.
238 *
239 * @param issuer the name of the CA issuing this CRL.
240 * @param thisUpdate the Date of this issue.
241 * @param nextUpdate the Date of the next CRL.
242 * @param badCerts the array of CRL entries.
243 * @param crlExts the CRL extensions.
244 *
245 * @exception CRLException on parsing/construction errors.
246 */
247 public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
248 X509CRLEntry[] badCerts, CRLExtensions crlExts)
249 throws CRLException
250 {
251 this(issuer, thisDate, nextDate, badCerts);
252 if (crlExts != null) {
253 this.extensions = crlExts;
254 this.version = 1;
255 }
256 }
257
258 /**
259 * Returned the encoding as an uncloned byte array. Callers must
260 * guarantee that they neither modify it nor expose it to untrusted
261 * code.
262 */
263 public byte[] getEncodedInternal() throws CRLException {
264 if (signedCRL == null) {
265 throw new CRLException("Null CRL to encode");
266 }
267 return signedCRL;
268 }
269
270 /**
271 * Returns the ASN.1 DER encoded form of this CRL.
272 *
273 * @exception CRLException if an encoding error occurs.
274 */
275 public byte[] getEncoded() throws CRLException {
276 return getEncodedInternal().clone();
277 }
278
279 /**
280 * Encodes the "to-be-signed" CRL to the OutputStream.
281 *
282 * @param out the OutputStream to write to.
283 * @exception CRLException on encoding errors.
284 */
285 public void encodeInfo(OutputStream out) throws CRLException {
286 try {
287 DerOutputStream tmp = new DerOutputStream();
288 DerOutputStream rCerts = new DerOutputStream();
289 DerOutputStream seq = new DerOutputStream();
290
291 if (version != 0) // v2 crl encode version
292 tmp.putInteger(version);
293 infoSigAlgId.encode(tmp);
294 if ((version == 0) && (issuer.toString() == null))
295 throw new CRLException("Null Issuer DN not allowed in v1 CRL");
296 issuer.encode(tmp);
297
298 if (thisUpdate.getTime() < YR_2050)
299 tmp.putUTCTime(thisUpdate);
300 else
301 tmp.putGeneralizedTime(thisUpdate);
302
303 if (nextUpdate != null) {
304 if (nextUpdate.getTime() < YR_2050)
305 tmp.putUTCTime(nextUpdate);
306 else
307 tmp.putGeneralizedTime(nextUpdate);
308 }
309
310 if (!revokedList.isEmpty()) {
311 for (X509CRLEntry entry : revokedList) {
312 ((X509CRLEntryImpl)entry).encode(rCerts);
313 }
314 tmp.write(DerValue.tag_Sequence, rCerts);
315 }
316
317 if (extensions != null)
318 extensions.encode(tmp, isExplicit);
319
320 seq.write(DerValue.tag_Sequence, tmp);
321
322 tbsCertList = seq.toByteArray();
323 out.write(tbsCertList);
324 } catch (IOException e) {
325 throw new CRLException("Encoding error: " + e.getMessage());
326 }
327 }
328
329 /**
330 * Verifies that this CRL was signed using the
331 * private key that corresponds to the given public key.
332 *
333 * @param key the PublicKey used to carry out the verification.
334 *
335 * @exception NoSuchAlgorithmException on unsupported signature
336 * algorithms.
337 * @exception InvalidKeyException on incorrect key.
338 * @exception NoSuchProviderException if there's no default provider.
339 * @exception SignatureException on signature errors.
340 * @exception CRLException on encoding errors.
341 */
342 public void verify(PublicKey key)
343 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
344 NoSuchProviderException, SignatureException {
345 verify(key, "");
346 }
347
348 /**
349 * Verifies that this CRL was signed using the
350 * private key that corresponds to the given public key,
351 * and that the signature verification was computed by
352 * the given provider.
353 *
354 * @param key the PublicKey used to carry out the verification.
355 * @param sigProvider the name of the signature provider.
356 *
357 * @exception NoSuchAlgorithmException on unsupported signature
358 * algorithms.
359 * @exception InvalidKeyException on incorrect key.
360 * @exception NoSuchProviderException on incorrect provider.
361 * @exception SignatureException on signature errors.
362 * @exception CRLException on encoding errors.
363 */
364 public synchronized void verify(PublicKey key, String sigProvider)
365 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
366 NoSuchProviderException, SignatureException {
367
368 if (sigProvider == null) {
369 sigProvider = "";
370 }
371 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
372 // this CRL has already been successfully verified using
373 // this public key. Make sure providers match, too.
374 if (sigProvider.equals(verifiedProvider)) {
375 return;
376 }
377 }
378 if (signedCRL == null) {
379 throw new CRLException("Uninitialized CRL");
380 }
381 Signature sigVerf = null;
382 if (sigProvider.length() == 0) {
383 sigVerf = Signature.getInstance(sigAlgId.getName());
384 } else {
385 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
386 }
387 sigVerf.initVerify(key);
388
389 if (tbsCertList == null) {
390 throw new CRLException("Uninitialized CRL");
391 }
392
393 sigVerf.update(tbsCertList, 0, tbsCertList.length);
394
395 if (!sigVerf.verify(signature)) {
396 throw new SignatureException("Signature does not match.");
397 }
398 verifiedPublicKey = key;
399 verifiedProvider = sigProvider;
400 }
401
402 /**
403 * Verifies that this CRL was signed using the
404 * private key that corresponds to the given public key,
405 * and that the signature verification was computed by
406 * the given provider. Note that the specified Provider object
407 * does not have to be registered in the provider list.
408 *
409 * @param key the PublicKey used to carry out the verification.
410 * @param sigProvider the signature provider.
411 *
412 * @exception NoSuchAlgorithmException on unsupported signature
413 * algorithms.
414 * @exception InvalidKeyException on incorrect key.
415 * @exception SignatureException on signature errors.
416 * @exception CRLException on encoding errors.
417 */
418 public synchronized void verify(PublicKey key, Provider sigProvider)
419 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
420 SignatureException {
421
422 if (signedCRL == null) {
423 throw new CRLException("Uninitialized CRL");
424 }
425 Signature sigVerf = null;
426 if (sigProvider == null) {
427 sigVerf = Signature.getInstance(sigAlgId.getName());
428 } else {
429 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
430 }
431 sigVerf.initVerify(key);
432
433 if (tbsCertList == null) {
434 throw new CRLException("Uninitialized CRL");
435 }
436
437 sigVerf.update(tbsCertList, 0, tbsCertList.length);
438
439 if (!sigVerf.verify(signature)) {
440 throw new SignatureException("Signature does not match.");
441 }
442 verifiedPublicKey = key;
443 }
444
445 /**
446 * This static method is the default implementation of the
447 * verify(PublicKey key, Provider sigProvider) method in X509CRL.
448 * Called from java.security.cert.X509CRL.verify(PublicKey key,
449 * Provider sigProvider)
450 */
451 public static void verify(X509CRL crl, PublicKey key,
452 Provider sigProvider) throws CRLException,
453 NoSuchAlgorithmException, InvalidKeyException, SignatureException {
454 crl.verify(key, sigProvider);
455 }
456
457 /**
458 * Encodes an X.509 CRL, and signs it using the given key.
459 *
460 * @param key the private key used for signing.
461 * @param algorithm the name of the signature algorithm used.
462 *
463 * @exception NoSuchAlgorithmException on unsupported signature
464 * algorithms.
465 * @exception InvalidKeyException on incorrect key.
466 * @exception NoSuchProviderException on incorrect provider.
467 * @exception SignatureException on signature errors.
468 * @exception CRLException if any mandatory data was omitted.
469 */
470 public void sign(PrivateKey key, String algorithm)
471 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
472 NoSuchProviderException, SignatureException {
473 sign(key, algorithm, null);
474 }
475
476 /**
477 * Encodes an X.509 CRL, and signs it using the given key.
478 *
479 * @param key the private key used for signing.
480 * @param algorithm the name of the signature algorithm used.
481 * @param provider the name of the provider.
482 *
483 * @exception NoSuchAlgorithmException on unsupported signature
484 * algorithms.
485 * @exception InvalidKeyException on incorrect key.
486 * @exception NoSuchProviderException on incorrect provider.
487 * @exception SignatureException on signature errors.
488 * @exception CRLException if any mandatory data was omitted.
489 */
490 public void sign(PrivateKey key, String algorithm, String provider)
491 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
492 NoSuchProviderException, SignatureException {
493 try {
494 if (readOnly)
495 throw new CRLException("cannot over-write existing CRL");
496 Signature sigEngine = null;
497 if ((provider == null) || (provider.length() == 0))
498 sigEngine = Signature.getInstance(algorithm);
499 else
500 sigEngine = Signature.getInstance(algorithm, provider);
501
502 sigEngine.initSign(key);
503
504 // in case the name is reset
505 sigAlgId = AlgorithmId.get(sigEngine.getAlgorithm());
506 infoSigAlgId = sigAlgId;
507
508 DerOutputStream out = new DerOutputStream();
509 DerOutputStream tmp = new DerOutputStream();
510
511 // encode crl info
512 encodeInfo(tmp);
513
514 // encode algorithm identifier
515 sigAlgId.encode(tmp);
516
517 // Create and encode the signature itself.
518 sigEngine.update(tbsCertList, 0, tbsCertList.length);
519 signature = sigEngine.sign();
520 tmp.putBitString(signature);
521
522 // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
523 out.write(DerValue.tag_Sequence, tmp);
524 signedCRL = out.toByteArray();
525 readOnly = true;
526
527 } catch (IOException e) {
528 throw new CRLException("Error while encoding data: " +
529 e.getMessage());
530 }
531 }
532
533 /**
534 * Returns a printable string of this CRL.
535 *
536 * @return value of this CRL in a printable form.
537 */
538 public String toString() {
539 return toStringWithAlgName("" + sigAlgId);
540 }
541
542 // Specifically created for keytool to append a (weak) label to sigAlg
543 public String toStringWithAlgName(String name) {
544 StringBuffer sb = new StringBuffer();
545 sb.append("X.509 CRL v" + (version+1) + "\n");
546 if (sigAlgId != null)
547 sb.append("Signature Algorithm: " + name.toString() +
548 ", OID=" + (sigAlgId.getOID()).toString() + "\n");
549 if (issuer != null)
550 sb.append("Issuer: " + issuer.toString() + "\n");
551 if (thisUpdate != null)
552 sb.append("\nThis Update: " + thisUpdate.toString() + "\n");
553 if (nextUpdate != null)
554 sb.append("Next Update: " + nextUpdate.toString() + "\n");
555 if (revokedList.isEmpty())
556 sb.append("\nNO certificates have been revoked\n");
557 else {
558 sb.append("\nRevoked Certificates: " + revokedList.size());
559 int i = 1;
560 for (X509CRLEntry entry: revokedList) {
561 sb.append("\n[" + i++ + "] " + entry.toString());
562 }
563 }
564 if (extensions != null) {
565 Collection<Extension> allExts = extensions.getAllExtensions();
566 Object[] objs = allExts.toArray();
567 sb.append("\nCRL Extensions: " + objs.length);
568 for (int i = 0; i < objs.length; i++) {
569 sb.append("\n[" + (i+1) + "]: ");
570 Extension ext = (Extension)objs[i];
571 try {
572 if (OIDMap.getClass(ext.getExtensionId()) == null) {
573 sb.append(ext.toString());
574 byte[] extValue = ext.getExtensionValue();
575 if (extValue != null) {
576 DerOutputStream out = new DerOutputStream();
577 out.putOctetString(extValue);
578 extValue = out.toByteArray();
579 HexDumpEncoder enc = new HexDumpEncoder();
580 sb.append("Extension unknown: "
581 + "DER encoded OCTET string =\n"
582 + enc.encodeBuffer(extValue) + "\n");
583 }
584 } else
585 sb.append(ext.toString()); // sub-class exists
586 } catch (Exception e) {
587 sb.append(", Error parsing this extension");
588 }
589 }
590 }
591 if (signature != null) {
592 HexDumpEncoder encoder = new HexDumpEncoder();
593 sb.append("\nSignature:\n" + encoder.encodeBuffer(signature)
594 + "\n");
595 } else
596 sb.append("NOT signed yet\n");
597 return sb.toString();
598 }
599
600 /**
601 * Checks whether the given certificate is on this CRL.
602 *
603 * @param cert the certificate to check for.
604 * @return true if the given certificate is on this CRL,
605 * false otherwise.
606 */
607 public boolean isRevoked(Certificate cert) {
608 if (revokedMap.isEmpty() || (!(cert instanceof X509Certificate))) {
609 return false;
610 }
611 X509Certificate xcert = (X509Certificate) cert;
612 X509IssuerSerial issuerSerial = new X509IssuerSerial(xcert);
613 return revokedMap.containsKey(issuerSerial);
614 }
615
616 /**
617 * Gets the version number from this CRL.
618 * The ASN.1 definition for this is:
619 * <pre>
620 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
621 * -- v3 does not apply to CRLs but appears for consistency
622 * -- with definition of Version for certs
623 * </pre>
624 * @return the version number, i.e. 1 or 2.
625 */
626 public int getVersion() {
627 return version+1;
628 }
629
630 /**
631 * Gets the issuer distinguished name from this CRL.
632 * The issuer name identifies the entity who has signed (and
633 * issued the CRL). The issuer name field contains an
634 * X.500 distinguished name (DN).
635 * The ASN.1 definition for this is:
636 * <pre>
637 * issuer Name
638 *
639 * Name ::= CHOICE { RDNSequence }
640 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
641 * RelativeDistinguishedName ::=
642 * SET OF AttributeValueAssertion
643 *
644 * AttributeValueAssertion ::= SEQUENCE {
645 * AttributeType,
646 * AttributeValue }
647 * AttributeType ::= OBJECT IDENTIFIER
648 * AttributeValue ::= ANY
649 * </pre>
650 * The Name describes a hierarchical name composed of attributes,
651 * such as country name, and corresponding values, such as US.
652 * The type of the component AttributeValue is determined by the
653 * AttributeType; in general it will be a directoryString.
654 * A directoryString is usually one of PrintableString,
655 * TeletexString or UniversalString.
656 * @return the issuer name.
657 */
658 public Principal getIssuerDN() {
659 return (Principal)issuer;
660 }
661
662 /**
663 * Return the issuer as X500Principal. Overrides method in X509CRL
664 * to provide a slightly more efficient version.
665 */
666 public X500Principal getIssuerX500Principal() {
667 if (issuerPrincipal == null) {
668 issuerPrincipal = issuer.asX500Principal();
669 }
670 return issuerPrincipal;
671 }
672
673 /**
674 * Gets the thisUpdate date from the CRL.
675 * The ASN.1 definition for this is:
676 *
677 * @return the thisUpdate date from the CRL.
678 */
679 public Date getThisUpdate() {
680 return (new Date(thisUpdate.getTime()));
681 }
682
683 /**
684 * Gets the nextUpdate date from the CRL.
685 *
686 * @return the nextUpdate date from the CRL, or null if
687 * not present.
688 */
689 public Date getNextUpdate() {
690 if (nextUpdate == null)
691 return null;
692 return (new Date(nextUpdate.getTime()));
693 }
694
695 /**
696 * Gets the CRL entry with the given serial number from this CRL.
697 *
698 * @return the entry with the given serial number, or <code>null</code> if
699 * no such entry exists in the CRL.
700 * @see X509CRLEntry
701 */
702 public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
703 if (revokedMap.isEmpty()) {
704 return null;
705 }
706 // assume this is a direct CRL entry (cert and CRL issuer are the same)
707 X509IssuerSerial issuerSerial = new X509IssuerSerial
708 (getIssuerX500Principal(), serialNumber);
709 return revokedMap.get(issuerSerial);
710 }
711
712 /**
713 * Gets the CRL entry for the given certificate.
714 */
715 public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
716 if (revokedMap.isEmpty()) {
717 return null;
718 }
719 X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
720 return revokedMap.get(issuerSerial);
721 }
722
723 /**
724 * Gets all the revoked certificates from the CRL.
725 * A Set of X509CRLEntry.
726 *
727 * @return all the revoked certificates or <code>null</code> if there are
728 * none.
729 * @see X509CRLEntry
730 */
731 public Set<X509CRLEntry> getRevokedCertificates() {
732 if (revokedList.isEmpty()) {
733 return null;
734 } else {
735 return new TreeSet<X509CRLEntry>(revokedList);
736 }
737 }
738
739 /**
740 * Gets the DER encoded CRL information, the
741 * <code>tbsCertList</code> from this CRL.
742 * This can be used to verify the signature independently.
743 *
744 * @return the DER encoded CRL information.
745 * @exception CRLException on encoding errors.
746 */
747 public byte[] getTBSCertList() throws CRLException {
748 if (tbsCertList == null)
749 throw new CRLException("Uninitialized CRL");
750 return tbsCertList.clone();
751 }
752
753 /**
754 * Gets the raw Signature bits from the CRL.
755 *
756 * @return the signature.
757 */
758 public byte[] getSignature() {
759 if (signature == null)
760 return null;
761 return signature.clone();
762 }
763
764 /**
765 * Gets the signature algorithm name for the CRL
766 * signature algorithm. For example, the string "SHA1withDSA".
767 * The ASN.1 definition for this is:
768 * <pre>
769 * AlgorithmIdentifier ::= SEQUENCE {
770 * algorithm OBJECT IDENTIFIER,
771 * parameters ANY DEFINED BY algorithm OPTIONAL }
772 * -- contains a value of the type
773 * -- registered for use with the
774 * -- algorithm object identifier value
775 * </pre>
776 *
777 * @return the signature algorithm name.
778 */
779 public String getSigAlgName() {
780 if (sigAlgId == null)
781 return null;
782 return sigAlgId.getName();
783 }
784
785 /**
786 * Gets the signature algorithm OID string from the CRL.
787 * An OID is represented by a set of positive whole number separated
788 * by ".", that means,<br>
789 * <positive whole number>.<positive whole number>.<...>
790 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
791 * with DSA signature algorithm defined in
792 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
793 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
794 * and CRL Profile</a>.
795 *
796 * @return the signature algorithm oid string.
797 */
798 public String getSigAlgOID() {
799 if (sigAlgId == null)
800 return null;
801 ObjectIdentifier oid = sigAlgId.getOID();
802 return oid.toString();
803 }
804
805 /**
806 * Gets the DER encoded signature algorithm parameters from this
807 * CRL's signature algorithm. In most cases, the signature
808 * algorithm parameters are null, the parameters are usually
809 * supplied with the Public Key.
810 *
811 * @return the DER encoded signature algorithm parameters, or
812 * null if no parameters are present.
813 */
814 public byte[] getSigAlgParams() {
815 if (sigAlgId == null)
816 return null;
817 try {
818 return sigAlgId.getEncodedParams();
819 } catch (IOException e) {
820 return null;
821 }
822 }
823
824 /**
825 * Gets the signature AlgorithmId from the CRL.
826 *
827 * @return the signature AlgorithmId
828 */
829 public AlgorithmId getSigAlgId() {
830 return sigAlgId;
831 }
832
833 /**
834 * return the AuthorityKeyIdentifier, if any.
835 *
836 * @returns AuthorityKeyIdentifier or null
837 * (if no AuthorityKeyIdentifierExtension)
838 * @throws IOException on error
839 */
840 public KeyIdentifier getAuthKeyId() throws IOException {
841 AuthorityKeyIdentifierExtension aki = getAuthKeyIdExtension();
842 if (aki != null) {
843 KeyIdentifier keyId = (KeyIdentifier)aki.get(
844 AuthorityKeyIdentifierExtension.KEY_ID);
845 return keyId;
846 } else {
847 return null;
848 }
849 }
850
851 /**
852 * return the AuthorityKeyIdentifierExtension, if any.
853 *
854 * @returns AuthorityKeyIdentifierExtension or null (if no such extension)
855 * @throws IOException on error
856 */
857 public AuthorityKeyIdentifierExtension getAuthKeyIdExtension()
858 throws IOException {
859 Object obj = getExtension(PKIXExtensions.AuthorityKey_Id);
860 return (AuthorityKeyIdentifierExtension)obj;
861 }
862
863 /**
864 * return the CRLNumberExtension, if any.
865 *
866 * @returns CRLNumberExtension or null (if no such extension)
867 * @throws IOException on error
868 */
869 public CRLNumberExtension getCRLNumberExtension() throws IOException {
870 Object obj = getExtension(PKIXExtensions.CRLNumber_Id);
871 return (CRLNumberExtension)obj;
872 }
873
874 /**
875 * return the CRL number from the CRLNumberExtension, if any.
876 *
877 * @returns number or null (if no such extension)
878 * @throws IOException on error
879 */
880 public BigInteger getCRLNumber() throws IOException {
881 CRLNumberExtension numExt = getCRLNumberExtension();
882 if (numExt != null) {
883 BigInteger num = numExt.get(CRLNumberExtension.NUMBER);
884 return num;
885 } else {
886 return null;
887 }
888 }
889
890 /**
891 * return the DeltaCRLIndicatorExtension, if any.
892 *
893 * @returns DeltaCRLIndicatorExtension or null (if no such extension)
894 * @throws IOException on error
895 */
896 public DeltaCRLIndicatorExtension getDeltaCRLIndicatorExtension()
897 throws IOException {
898
899 Object obj = getExtension(PKIXExtensions.DeltaCRLIndicator_Id);
900 return (DeltaCRLIndicatorExtension)obj;
901 }
902
903 /**
904 * return the base CRL number from the DeltaCRLIndicatorExtension, if any.
905 *
906 * @returns number or null (if no such extension)
907 * @throws IOException on error
908 */
909 public BigInteger getBaseCRLNumber() throws IOException {
910 DeltaCRLIndicatorExtension dciExt = getDeltaCRLIndicatorExtension();
911 if (dciExt != null) {
912 BigInteger num = dciExt.get(DeltaCRLIndicatorExtension.NUMBER);
913 return num;
914 } else {
915 return null;
916 }
917 }
918
919 /**
920 * return the IssuerAlternativeNameExtension, if any.
921 *
922 * @returns IssuerAlternativeNameExtension or null (if no such extension)
923 * @throws IOException on error
924 */
925 public IssuerAlternativeNameExtension getIssuerAltNameExtension()
926 throws IOException {
927 Object obj = getExtension(PKIXExtensions.IssuerAlternativeName_Id);
928 return (IssuerAlternativeNameExtension)obj;
929 }
930
931 /**
932 * return the IssuingDistributionPointExtension, if any.
933 *
934 * @returns IssuingDistributionPointExtension or null
935 * (if no such extension)
936 * @throws IOException on error
937 */
938 public IssuingDistributionPointExtension
939 getIssuingDistributionPointExtension() throws IOException {
940
941 Object obj = getExtension(PKIXExtensions.IssuingDistributionPoint_Id);
942 return (IssuingDistributionPointExtension) obj;
943 }
944
945 /**
946 * Return true if a critical extension is found that is
947 * not supported, otherwise return false.
948 */
949 public boolean hasUnsupportedCriticalExtension() {
950 if (extensions == null)
951 return false;
952 return extensions.hasUnsupportedCriticalExtension();
953 }
954
955 /**
956 * Gets a Set of the extension(s) marked CRITICAL in the
957 * CRL. In the returned set, each extension is represented by
958 * its OID string.
959 *
960 * @return a set of the extension oid strings in the
961 * CRL that are marked critical.
962 */
963 public Set<String> getCriticalExtensionOIDs() {
964 if (extensions == null) {
965 return null;
966 }
967 Set<String> extSet = new TreeSet<>();
968 for (Extension ex : extensions.getAllExtensions()) {
969 if (ex.isCritical()) {
970 extSet.add(ex.getExtensionId().toString());
971 }
972 }
973 return extSet;
974 }
975
976 /**
977 * Gets a Set of the extension(s) marked NON-CRITICAL in the
978 * CRL. In the returned set, each extension is represented by
979 * its OID string.
980 *
981 * @return a set of the extension oid strings in the
982 * CRL that are NOT marked critical.
983 */
984 public Set<String> getNonCriticalExtensionOIDs() {
985 if (extensions == null) {
986 return null;
987 }
988 Set<String> extSet = new TreeSet<>();
989 for (Extension ex : extensions.getAllExtensions()) {
990 if (!ex.isCritical()) {
991 extSet.add(ex.getExtensionId().toString());
992 }
993 }
994 return extSet;
995 }
996
997 /**
998 * Gets the DER encoded OCTET string for the extension value
999 * (<code>extnValue</code>) identified by the passed in oid String.
1000 * The <code>oid</code> string is
1001 * represented by a set of positive whole number separated
1002 * by ".", that means,<br>
1003 * <positive whole number>.<positive whole number>.<...>
1004 *
1005 * @param oid the Object Identifier value for the extension.
1006 * @return the der encoded octet string of the extension value.
1007 */
1008 public byte[] getExtensionValue(String oid) {
1009 if (extensions == null)
1010 return null;
1011 try {
1012 String extAlias = OIDMap.getName(new ObjectIdentifier(oid));
1013 Extension crlExt = null;
1014
1015 if (extAlias == null) { // may be unknown
1016 ObjectIdentifier findOID = new ObjectIdentifier(oid);
1017 Extension ex = null;
1018 ObjectIdentifier inCertOID;
1019 for (Enumeration<Extension> e = extensions.getElements();
1020 e.hasMoreElements();) {
1021 ex = e.nextElement();
1022 inCertOID = ex.getExtensionId();
1023 if (inCertOID.equals((Object)findOID)) {
1024 crlExt = ex;
1025 break;
1026 }
1027 }
1028 } else
1029 crlExt = extensions.get(extAlias);
1030 if (crlExt == null)
1031 return null;
1032 byte[] extData = crlExt.getExtensionValue();
1033 if (extData == null)
1034 return null;
1035 DerOutputStream out = new DerOutputStream();
1036 out.putOctetString(extData);
1037 return out.toByteArray();
1038 } catch (Exception e) {
1039 return null;
1040 }
1041 }
1042
1043 /**
1044 * get an extension
1045 *
1046 * @param oid ObjectIdentifier of extension desired
1047 * @returns Object of type <extension> or null, if not found
1048 * @throws IOException on error
1049 */
1050 public Object getExtension(ObjectIdentifier oid) {
1051 if (extensions == null)
1052 return null;
1053
1054 // XXX Consider cloning this
1055 return extensions.get(OIDMap.getName(oid));
1056 }
1057
1058 /*
1059 * Parses an X.509 CRL, should be used only by constructors.
1060 */
1061 private void parse(DerValue val) throws CRLException, IOException {
1062 // check if can over write the certificate
1063 if (readOnly)
1064 throw new CRLException("cannot over-write existing CRL");
1065
1066 if ( val.getData() == null || val.tag != DerValue.tag_Sequence)
1067 throw new CRLException("Invalid DER-encoded CRL data");
1068
1069 signedCRL = val.toByteArray();
1070 DerValue seq[] = new DerValue[3];
1071
1072 seq[0] = val.data.getDerValue();
1073 seq[1] = val.data.getDerValue();
1074 seq[2] = val.data.getDerValue();
1075
1076 if (val.data.available() != 0)
1077 throw new CRLException("signed overrun, bytes = "
1078 + val.data.available());
1079
1080 if (seq[0].tag != DerValue.tag_Sequence)
1081 throw new CRLException("signed CRL fields invalid");
1082
1083 sigAlgId = AlgorithmId.parse(seq[1]);
1084 signature = seq[2].getBitString();
1085
1086 if (seq[1].data.available() != 0)
1087 throw new CRLException("AlgorithmId field overrun");
1088
1089 if (seq[2].data.available() != 0)
1090 throw new CRLException("Signature field overrun");
1091
1092 // the tbsCertsList
1093 tbsCertList = seq[0].toByteArray();
1094
1095 // parse the information
1096 DerInputStream derStrm = seq[0].data;
1097 DerValue tmp;
1098 byte nextByte;
1099
1100 // version (optional if v1)
1101 version = 0; // by default, version = v1 == 0
1102 nextByte = (byte)derStrm.peekByte();
1103 if (nextByte == DerValue.tag_Integer) {
1104 version = derStrm.getInteger();
1105 if (version != 1) // i.e. v2
1106 throw new CRLException("Invalid version");
1107 }
1108 tmp = derStrm.getDerValue();
1109
1110 // signature
1111 AlgorithmId tmpId = AlgorithmId.parse(tmp);
1112
1113 // the "inner" and "outer" signature algorithms must match
1114 if (! tmpId.equals(sigAlgId))
1115 throw new CRLException("Signature algorithm mismatch");
1116 infoSigAlgId = tmpId;
1117
1118 // issuer
1119 issuer = new X500Name(derStrm);
1120 if (issuer.isEmpty()) {
1121 throw new CRLException("Empty issuer DN not allowed in X509CRLs");
1122 }
1123
1124 // thisUpdate
1125 // check if UTCTime encoded or GeneralizedTime
1126
1127 nextByte = (byte)derStrm.peekByte();
1128 if (nextByte == DerValue.tag_UtcTime) {
1129 thisUpdate = derStrm.getUTCTime();
1130 } else if (nextByte == DerValue.tag_GeneralizedTime) {
1131 thisUpdate = derStrm.getGeneralizedTime();
1132 } else {
1133 throw new CRLException("Invalid encoding for thisUpdate"
1134 + " (tag=" + nextByte + ")");
1135 }
1136
1137 if (derStrm.available() == 0)
1138 return; // done parsing no more optional fields present
1139
1140 // nextUpdate (optional)
1141 nextByte = (byte)derStrm.peekByte();
1142 if (nextByte == DerValue.tag_UtcTime) {
1143 nextUpdate = derStrm.getUTCTime();
1144 } else if (nextByte == DerValue.tag_GeneralizedTime) {
1145 nextUpdate = derStrm.getGeneralizedTime();
1146 } // else it is not present
1147
1148 if (derStrm.available() == 0)
1149 return; // done parsing no more optional fields present
1150
1151 // revokedCertificates (optional)
1152 nextByte = (byte)derStrm.peekByte();
1153 if ((nextByte == DerValue.tag_SequenceOf)
1154 && (! ((nextByte & 0x0c0) == 0x080))) {
1155 DerValue[] badCerts = derStrm.getSequence(4);
1156
1157 X500Principal crlIssuer = getIssuerX500Principal();
1158 X500Principal badCertIssuer = crlIssuer;
1159 for (int i = 0; i < badCerts.length; i++) {
1160 X509CRLEntryImpl entry = new X509CRLEntryImpl(badCerts[i]);
1161 badCertIssuer = getCertIssuer(entry, badCertIssuer);
1162 entry.setCertificateIssuer(crlIssuer, badCertIssuer);
1163 X509IssuerSerial issuerSerial = new X509IssuerSerial
1164 (badCertIssuer, entry.getSerialNumber());
1165 revokedMap.put(issuerSerial, entry);
1166 revokedList.add(entry);
1167 }
1168 }
1169
1170 if (derStrm.available() == 0)
1171 return; // done parsing no extensions
1172
1173 // crlExtensions (optional)
1174 tmp = derStrm.getDerValue();
1175 if (tmp.isConstructed() && tmp.isContextSpecific((byte)0)) {
1176 extensions = new CRLExtensions(tmp.data);
1177 }
1178 readOnly = true;
1179 }
1180
1181 /**
1182 * Extract the issuer X500Principal from an X509CRL. Parses the encoded
1183 * form of the CRL to preserve the principal's ASN.1 encoding.
1184 *
1185 * Called by java.security.cert.X509CRL.getIssuerX500Principal().
1186 */
1187 public static X500Principal getIssuerX500Principal(X509CRL crl) {
1188 try {
1189 byte[] encoded = crl.getEncoded();
1190 DerInputStream derIn = new DerInputStream(encoded);
1191 DerValue tbsCert = derIn.getSequence(3)[0];
1192 DerInputStream tbsIn = tbsCert.data;
1193
1194 DerValue tmp;
1195 // skip version number if present
1196 byte nextByte = (byte)tbsIn.peekByte();
1197 if (nextByte == DerValue.tag_Integer) {
1198 tmp = tbsIn.getDerValue();
1199 }
1200
1201 tmp = tbsIn.getDerValue(); // skip signature
1202 tmp = tbsIn.getDerValue(); // issuer
1203 byte[] principalBytes = tmp.toByteArray();
1204 return new X500Principal(principalBytes);
1205 } catch (Exception e) {
1206 throw new RuntimeException("Could not parse issuer", e);
1207 }
1208 }
1209
1210 /**
1211 * Returned the encoding of the given certificate for internal use.
1212 * Callers must guarantee that they neither modify it nor expose it
1213 * to untrusted code. Uses getEncodedInternal() if the certificate
1214 * is instance of X509CertImpl, getEncoded() otherwise.
1215 */
1216 public static byte[] getEncodedInternal(X509CRL crl) throws CRLException {
1217 if (crl instanceof X509CRLImpl) {
1218 return ((X509CRLImpl)crl).getEncodedInternal();
1219 } else {
1220 return crl.getEncoded();
1221 }
1222 }
1223
1224 /**
1225 * Utility method to convert an arbitrary instance of X509CRL
1226 * to a X509CRLImpl. Does a cast if possible, otherwise reparses
1227 * the encoding.
1228 */
1229 public static X509CRLImpl toImpl(X509CRL crl)
1230 throws CRLException {
1231 if (crl instanceof X509CRLImpl) {
1232 return (X509CRLImpl)crl;
1233 } else {
1234 return X509Factory.intern(crl);
1235 }
1236 }
1237
1238 /**
1239 * Returns the X500 certificate issuer DN of a CRL entry.
1240 *
1241 * @param entry the entry to check
1242 * @param prevCertIssuer the previous entry's certificate issuer
1243 * @return the X500Principal in a CertificateIssuerExtension, or
1244 * prevCertIssuer if it does not exist
1245 */
1246 private X500Principal getCertIssuer(X509CRLEntryImpl entry,
1247 X500Principal prevCertIssuer) throws IOException {
1248
1249 CertificateIssuerExtension ciExt =
1250 entry.getCertificateIssuerExtension();
1251 if (ciExt != null) {
1252 GeneralNames names = ciExt.get(CertificateIssuerExtension.ISSUER);
1253 X500Name issuerDN = (X500Name) names.get(0).getName();
1254 return issuerDN.asX500Principal();
1255 } else {
1256 return prevCertIssuer;
1257 }
1258 }
1259
1260 @Override
1261 public void derEncode(OutputStream out) throws IOException {
1262 if (signedCRL == null)
1263 throw new IOException("Null CRL to encode");
1264 out.write(signedCRL.clone());
1265 }
1266
1267 /**
1268 * Immutable X.509 Certificate Issuer DN and serial number pair
1269 */
1270 private final static class X509IssuerSerial
1271 implements Comparable<X509IssuerSerial> {
1272 final X500Principal issuer;
1273 final BigInteger serial;
1274 volatile int hashcode = 0;
1275
1276 /**
1277 * Create an X509IssuerSerial.
1278 *
1279 * @param issuer the issuer DN
1280 * @param serial the serial number
1281 */
1282 X509IssuerSerial(X500Principal issuer, BigInteger serial) {
1283 this.issuer = issuer;
1284 this.serial = serial;
1285 }
1286
1287 /**
1288 * Construct an X509IssuerSerial from an X509Certificate.
1289 */
1290 X509IssuerSerial(X509Certificate cert) {
1291 this(cert.getIssuerX500Principal(), cert.getSerialNumber());
1292 }
1293
1294 /**
1295 * Returns the issuer.
1296 *
1297 * @return the issuer
1298 */
1299 X500Principal getIssuer() {
1300 return issuer;
1301 }
1302
1303 /**
1304 * Returns the serial number.
1305 *
1306 * @return the serial number
1307 */
1308 BigInteger getSerial() {
1309 return serial;
1310 }
1311
1312 /**
1313 * Compares this X509Serial with another and returns true if they
1314 * are equivalent.
1315 *
1316 * @param o the other object to compare with
1317 * @return true if equal, false otherwise
1318 */
1319 public boolean equals(Object o) {
1320 if (o == this) {
1321 return true;
1322 }
1323
1324 if (!(o instanceof X509IssuerSerial)) {
1325 return false;
1326 }
1327
1328 X509IssuerSerial other = (X509IssuerSerial) o;
1329 if (serial.equals(other.getSerial()) &&
1330 issuer.equals(other.getIssuer())) {
1331 return true;
1332 }
1333 return false;
1334 }
1335
1336 /**
1337 * Returns a hash code value for this X509IssuerSerial.
1338 *
1339 * @return the hash code value
1340 */
1341 public int hashCode() {
1342 if (hashcode == 0) {
1343 int result = 17;
1344 result = 37*result + issuer.hashCode();
1345 result = 37*result + serial.hashCode();
1346 hashcode = result;
1347 }
1348 return hashcode;
1349 }
1350
1351 @Override
1352 public int compareTo(X509IssuerSerial another) {
1353 int cissuer = issuer.toString()
1354 .compareTo(another.issuer.toString());
1355 if (cissuer != 0) return cissuer;
1356 return this.serial.compareTo(another.serial);
1357 }
1358 }
1359 }