1 /*
2 * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.IOException;
29 import java.security.cert.CRLException;
30 import java.security.cert.CRLReason;
31 import java.security.cert.X509CRLEntry;
32 import java.math.BigInteger;
33 import java.util.*;
34
35 import javax.security.auth.x500.X500Principal;
36
37 import sun.security.util.*;
38 import sun.misc.HexDumpEncoder;
39
40 /**
41 * <p>Abstract class for a revoked certificate in a CRL.
42 * This class is for each entry in the <code>revokedCertificates</code>,
43 * so it deals with the inner <em>SEQUENCE</em>.
44 * The ASN.1 definition for this is:
45 * <pre>
46 * revokedCertificates SEQUENCE OF SEQUENCE {
47 * userCertificate CertificateSerialNumber,
48 * revocationDate ChoiceOfTime,
49 * crlEntryExtensions Extensions OPTIONAL
50 * -- if present, must be v2
51 * } OPTIONAL
52 *
53 * CertificateSerialNumber ::= INTEGER
54 *
55 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
56 *
57 * Extension ::= SEQUENCE {
58 * extnId OBJECT IDENTIFIER,
59 * critical BOOLEAN DEFAULT FALSE,
60 * extnValue OCTET STRING
61 * -- contains a DER encoding of a value
62 * -- of the type registered for use with
63 * -- the extnId object identifier value
64 * }
65 * </pre>
66 *
67 * @author Hemma Prafullchandra
68 */
69
70 public class X509CRLEntryImpl extends X509CRLEntry
71 implements Comparable<X509CRLEntryImpl> {
72
73 private SerialNumber serialNumber = null;
74 private Date revocationDate = null;
75 private CRLExtensions extensions = null;
76 private byte[] revokedCert = null;
77 private X500Principal certIssuer;
78
79 private final static boolean isExplicit = false;
80 private static final long YR_2050 = 2524636800000L;
81
82 /**
83 * Constructs a revoked certificate entry using the given
84 * serial number and revocation date.
85 *
86 * @param num the serial number of the revoked certificate.
87 * @param date the Date on which revocation took place.
88 */
89 public X509CRLEntryImpl(BigInteger num, Date date) {
90 this.serialNumber = new SerialNumber(num);
91 this.revocationDate = date;
92 }
93
94 /**
95 * Constructs a revoked certificate entry using the given
96 * serial number, revocation date and the entry
97 * extensions.
98 *
99 * @param num the serial number of the revoked certificate.
100 * @param date the Date on which revocation took place.
101 * @param crlEntryExts the extensions for this entry.
102 */
103 public X509CRLEntryImpl(BigInteger num, Date date,
104 CRLExtensions crlEntryExts) {
105 this.serialNumber = new SerialNumber(num);
106 this.revocationDate = date;
107 this.extensions = crlEntryExts;
108 }
109
110 /**
111 * Unmarshals a revoked certificate from its encoded form.
112 *
113 * @param revokedCert the encoded bytes.
114 * @exception CRLException on parsing errors.
115 */
116 public X509CRLEntryImpl(byte[] revokedCert) throws CRLException {
117 try {
118 parse(new DerValue(revokedCert));
119 } catch (IOException e) {
120 this.revokedCert = null;
121 throw new CRLException("Parsing error: " + e.toString());
122 }
123 }
124
125 /**
126 * Unmarshals a revoked certificate from its encoded form.
127 *
128 * @param derVal the DER value containing the revoked certificate.
129 * @exception CRLException on parsing errors.
130 */
131 public X509CRLEntryImpl(DerValue derValue) throws CRLException {
132 try {
133 parse(derValue);
134 } catch (IOException e) {
135 revokedCert = null;
136 throw new CRLException("Parsing error: " + e.toString());
137 }
138 }
139
140 /**
141 * Returns true if this revoked certificate entry has
142 * extensions, otherwise false.
143 *
144 * @return true if this CRL entry has extensions, otherwise
145 * false.
146 */
147 public boolean hasExtensions() {
148 return (extensions != null);
149 }
150
151 /**
152 * Encodes the revoked certificate to an output stream.
153 *
154 * @param outStrm an output stream to which the encoded revoked
155 * certificate is written.
156 * @exception CRLException on encoding errors.
157 */
158 public void encode(DerOutputStream outStrm) throws CRLException {
159 try {
160 if (revokedCert == null) {
161 DerOutputStream tmp = new DerOutputStream();
162 // sequence { serialNumber, revocationDate, extensions }
163 serialNumber.encode(tmp);
164
165 if (revocationDate.getTime() < YR_2050) {
166 tmp.putUTCTime(revocationDate);
167 } else {
168 tmp.putGeneralizedTime(revocationDate);
169 }
170
171 if (extensions != null)
172 extensions.encode(tmp, isExplicit);
173
174 DerOutputStream seq = new DerOutputStream();
175 seq.write(DerValue.tag_Sequence, tmp);
176
177 revokedCert = seq.toByteArray();
178 }
179 outStrm.write(revokedCert);
180 } catch (IOException e) {
181 throw new CRLException("Encoding error: " + e.toString());
182 }
183 }
184
185 /**
186 * Returns the ASN.1 DER-encoded form of this CRL Entry,
187 * which corresponds to the inner SEQUENCE.
188 *
189 * @exception CRLException if an encoding error occurs.
190 */
191 public byte[] getEncoded() throws CRLException {
192 return getEncoded0().clone();
193 }
194
195 // Called internally to avoid clone
196 private byte[] getEncoded0() throws CRLException {
197 if (revokedCert == null)
198 this.encode(new DerOutputStream());
199 return revokedCert;
200 }
201
202 @Override
203 public X500Principal getCertificateIssuer() {
204 return certIssuer;
205 }
206
207 void setCertificateIssuer(X500Principal crlIssuer, X500Principal certIssuer) {
208 if (crlIssuer.equals(certIssuer)) {
209 this.certIssuer = null;
210 } else {
211 this.certIssuer = certIssuer;
212 }
213 }
214
215 /**
216 * Gets the serial number from this X509CRLEntry,
217 * i.e. the <em>userCertificate</em>.
218 *
219 * @return the serial number.
220 */
221 public BigInteger getSerialNumber() {
222 return serialNumber.getNumber();
223 }
224
225 /**
226 * Gets the revocation date from this X509CRLEntry,
227 * the <em>revocationDate</em>.
228 *
229 * @return the revocation date.
230 */
231 public Date getRevocationDate() {
232 return new Date(revocationDate.getTime());
233 }
234
235 /**
236 * This method is the overridden implementation of the getRevocationReason
237 * method in X509CRLEntry. It is better performance-wise since it returns
238 * cached values.
239 */
240 @Override
241 public CRLReason getRevocationReason() {
242 Extension ext = getExtension(PKIXExtensions.ReasonCode_Id);
243 if (ext == null) {
244 return null;
245 }
246 CRLReasonCodeExtension rcExt = (CRLReasonCodeExtension) ext;
247 return rcExt.getReasonCode();
248 }
249
250 /**
251 * This static method is the default implementation of the
252 * getRevocationReason method in X509CRLEntry.
253 */
254 public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
255 try {
256 byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
257 if (ext == null) {
258 return null;
259 }
260 DerValue val = new DerValue(ext);
261 byte[] data = val.getOctetString();
262
263 CRLReasonCodeExtension rcExt =
264 new CRLReasonCodeExtension(Boolean.FALSE, data);
265 return rcExt.getReasonCode();
266 } catch (IOException ioe) {
267 return null;
268 }
269 }
270
271 /**
272 * get Reason Code from CRL entry.
273 *
274 * @returns Integer or null, if no such extension
275 * @throws IOException on error
276 */
277 public Integer getReasonCode() throws IOException {
278 Object obj = getExtension(PKIXExtensions.ReasonCode_Id);
279 if (obj == null)
280 return null;
281 CRLReasonCodeExtension reasonCode = (CRLReasonCodeExtension)obj;
282 return reasonCode.get(CRLReasonCodeExtension.REASON);
283 }
284
285 /**
286 * Returns a printable string of this revoked certificate.
287 *
288 * @return value of this revoked certificate in a printable form.
289 */
290 @Override
291 public String toString() {
292 StringBuilder sb = new StringBuilder();
293
294 sb.append(serialNumber.toString());
295 sb.append(" On: " + revocationDate.toString());
296 if (certIssuer != null) {
297 sb.append("\n Certificate issuer: " + certIssuer);
298 }
299 if (extensions != null) {
300 Collection<Extension> allEntryExts = extensions.getAllExtensions();
301 Extension[] exts = allEntryExts.toArray(new Extension[0]);
302
303 sb.append("\n CRL Entry Extensions: " + exts.length);
304 for (int i = 0; i < exts.length; i++) {
305 sb.append("\n [" + (i+1) + "]: ");
306 Extension ext = exts[i];
307 try {
308 if (OIDMap.getClass(ext.getExtensionId()) == null) {
309 sb.append(ext.toString());
310 byte[] extValue = ext.getExtensionValue();
311 if (extValue != null) {
312 DerOutputStream out = new DerOutputStream();
313 out.putOctetString(extValue);
314 extValue = out.toByteArray();
315 HexDumpEncoder enc = new HexDumpEncoder();
316 sb.append("Extension unknown: "
317 + "DER encoded OCTET string =\n"
318 + enc.encodeBuffer(extValue) + "\n");
319 }
320 } else
321 sb.append(ext.toString()); //sub-class exists
322 } catch (Exception e) {
323 sb.append(", Error parsing this extension");
324 }
325 }
326 }
327 sb.append("\n");
328 return sb.toString();
329 }
330
331 /**
332 * Return true if a critical extension is found that is
333 * not supported, otherwise return false.
334 */
335 public boolean hasUnsupportedCriticalExtension() {
336 if (extensions == null)
337 return false;
338 return extensions.hasUnsupportedCriticalExtension();
339 }
340
341 /**
342 * Gets a Set of the extension(s) marked CRITICAL in this
343 * X509CRLEntry. In the returned set, each extension is
344 * represented by its OID string.
345 *
346 * @return a set of the extension oid strings in the
347 * Object that are marked critical.
348 */
349 public Set<String> getCriticalExtensionOIDs() {
350 if (extensions == null) {
351 return null;
352 }
353 Set<String> extSet = new TreeSet<>();
354 for (Extension ex : extensions.getAllExtensions()) {
355 if (ex.isCritical()) {
356 extSet.add(ex.getExtensionId().toString());
357 }
358 }
359 return extSet;
360 }
361
362 /**
363 * Gets a Set of the extension(s) marked NON-CRITICAL in this
364 * X509CRLEntry. In the returned set, each extension is
365 * represented by its OID string.
366 *
367 * @return a set of the extension oid strings in the
368 * Object that are marked critical.
369 */
370 public Set<String> getNonCriticalExtensionOIDs() {
371 if (extensions == null) {
372 return null;
373 }
374 Set<String> extSet = new TreeSet<>();
375 for (Extension ex : extensions.getAllExtensions()) {
376 if (!ex.isCritical()) {
377 extSet.add(ex.getExtensionId().toString());
378 }
379 }
380 return extSet;
381 }
382
383 /**
384 * Gets the DER encoded OCTET string for the extension value
385 * (<em>extnValue</em>) identified by the passed in oid String.
386 * The <code>oid</code> string is
387 * represented by a set of positive whole number separated
388 * by ".", that means,<br>
389 * <positive whole number>.<positive whole number>.<positive
390 * whole number>.<...>
391 *
392 * @param oid the Object Identifier value for the extension.
393 * @return the DER encoded octet string of the extension value.
394 */
395 public byte[] getExtensionValue(String oid) {
396 if (extensions == null)
397 return null;
398 try {
399 String extAlias = OIDMap.getName(new ObjectIdentifier(oid));
400 Extension crlExt = null;
401
402 if (extAlias == null) { // may be unknown
403 ObjectIdentifier findOID = new ObjectIdentifier(oid);
404 Extension ex = null;
405 ObjectIdentifier inCertOID;
406 for (Enumeration<Extension> e = extensions.getElements();
407 e.hasMoreElements();) {
408 ex = e.nextElement();
409 inCertOID = ex.getExtensionId();
410 if (inCertOID.equals((Object)findOID)) {
411 crlExt = ex;
412 break;
413 }
414 }
415 } else
416 crlExt = extensions.get(extAlias);
417 if (crlExt == null)
418 return null;
419 byte[] extData = crlExt.getExtensionValue();
420 if (extData == null)
421 return null;
422
423 DerOutputStream out = new DerOutputStream();
424 out.putOctetString(extData);
425 return out.toByteArray();
426 } catch (Exception e) {
427 return null;
428 }
429 }
430
431 /**
432 * get an extension
433 *
434 * @param oid ObjectIdentifier of extension desired
435 * @returns Extension of type <extension> or null, if not found
436 */
437 public Extension getExtension(ObjectIdentifier oid) {
438 if (extensions == null)
439 return null;
440
441 // following returns null if no such OID in map
442 //XXX consider cloning this
443 return extensions.get(OIDMap.getName(oid));
444 }
445
446 private void parse(DerValue derVal)
447 throws CRLException, IOException {
448
449 if (derVal.tag != DerValue.tag_Sequence) {
450 throw new CRLException("Invalid encoded RevokedCertificate, " +
451 "starting sequence tag missing.");
452 }
453 if (derVal.data.available() == 0)
454 throw new CRLException("No data encoded for RevokedCertificates");
455
456 revokedCert = derVal.toByteArray();
457 // serial number
458 DerInputStream in = derVal.toDerInputStream();
459 DerValue val = in.getDerValue();
460 this.serialNumber = new SerialNumber(val);
461
462 // revocationDate
463 int nextByte = derVal.data.peekByte();
464 if ((byte)nextByte == DerValue.tag_UtcTime) {
465 this.revocationDate = derVal.data.getUTCTime();
466 } else if ((byte)nextByte == DerValue.tag_GeneralizedTime) {
467 this.revocationDate = derVal.data.getGeneralizedTime();
468 } else
469 throw new CRLException("Invalid encoding for revocation date");
470
471 if (derVal.data.available() == 0)
472 return; // no extensions
473
474 // crlEntryExtensions
475 this.extensions = new CRLExtensions(derVal.toDerInputStream());
476 }
477
478 /**
479 * Utility method to convert an arbitrary instance of X509CRLEntry
480 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
481 * the encoding.
482 */
483 public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
484 throws CRLException {
485 if (entry instanceof X509CRLEntryImpl) {
486 return (X509CRLEntryImpl)entry;
487 } else {
488 return new X509CRLEntryImpl(entry.getEncoded());
489 }
490 }
491
492 /**
493 * Returns the CertificateIssuerExtension
494 *
495 * @return the CertificateIssuerExtension, or null if it does not exist
496 */
497 CertificateIssuerExtension getCertificateIssuerExtension() {
498 return (CertificateIssuerExtension)
499 getExtension(PKIXExtensions.CertificateIssuer_Id);
500 }
501
502 /**
503 * Returns all extensions for this entry in a map
504 * @return the extension map, can be empty, but not null
505 */
506 public Map<String, java.security.cert.Extension> getExtensions() {
507 if (extensions == null) {
508 return Collections.emptyMap();
509 }
510 Collection<Extension> exts = extensions.getAllExtensions();
511 Map<String, java.security.cert.Extension> map = new TreeMap<>();
512 for (Extension ext : exts) {
513 map.put(ext.getId(), ext);
514 }
515 return map;
516 }
517
518 @Override
519 public int compareTo(X509CRLEntryImpl that) {
520 int compSerial = getSerialNumber().compareTo(that.getSerialNumber());
521 if (compSerial != 0) {
522 return compSerial;
523 }
524 try {
525 byte[] thisEncoded = this.getEncoded0();
526 byte[] thatEncoded = that.getEncoded0();
527 for (int i=0; i<thisEncoded.length && i<thatEncoded.length; i++) {
528 int a = thisEncoded[i] & 0xff;
529 int b = thatEncoded[i] & 0xff;
530 if (a != b) return a-b;
531 }
532 return thisEncoded.length -thatEncoded.length;
533 } catch (CRLException ce) {
534 return -1;
535 }
536 }
537 }