1 /* 2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.InputStream; 29 import java.io.OutputStream; 30 import java.io.IOException; 31 import java.math.BigInteger; 32 import java.security.Principal; 33 import java.security.PublicKey; 34 import java.security.PrivateKey; 35 import java.security.Provider; 36 import java.security.Signature; 37 import java.security.NoSuchAlgorithmException; 38 import java.security.InvalidKeyException; 39 import java.security.NoSuchProviderException; 40 import java.security.SignatureException; 41 import java.security.cert.Certificate; 42 import java.security.cert.X509CRL; 43 import java.security.cert.X509Certificate; 44 import java.security.cert.X509CRLEntry; 45 import java.security.cert.CRLException; 46 import java.util.*; 47 48 import javax.security.auth.x500.X500Principal; 49 50 import sun.security.provider.X509Factory; 51 import sun.security.util.*; 52 import sun.security.util.HexDumpEncoder; 53 54 /** 55 * <p> 56 * An implementation for X509 CRL (Certificate Revocation List). 57 * <p> 58 * The X.509 v2 CRL format is described below in ASN.1: 59 * <pre> 60 * CertificateList ::= SEQUENCE { 61 * tbsCertList TBSCertList, 62 * signatureAlgorithm AlgorithmIdentifier, 63 * signature BIT STRING } 64 * </pre> 65 * More information can be found in 66 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 67 * Public Key Infrastructure Certificate and CRL Profile</a>. 68 * <p> 69 * The ASN.1 definition of <code>tbsCertList</code> is: 70 * <pre> 71 * TBSCertList ::= SEQUENCE { 72 * version Version OPTIONAL, 367 368 if (sigProvider == null) { 369 sigProvider = ""; 370 } 371 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { 372 // this CRL has already been successfully verified using 373 // this public key. Make sure providers match, too. 374 if (sigProvider.equals(verifiedProvider)) { 375 return; 376 } 377 } 378 if (signedCRL == null) { 379 throw new CRLException("Uninitialized CRL"); 380 } 381 Signature sigVerf = null; 382 if (sigProvider.length() == 0) { 383 sigVerf = Signature.getInstance(sigAlgId.getName()); 384 } else { 385 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); 386 } 387 sigVerf.initVerify(key); 388 389 if (tbsCertList == null) { 390 throw new CRLException("Uninitialized CRL"); 391 } 392 393 sigVerf.update(tbsCertList, 0, tbsCertList.length); 394 395 if (!sigVerf.verify(signature)) { 396 throw new SignatureException("Signature does not match."); 397 } 398 verifiedPublicKey = key; 399 verifiedProvider = sigProvider; 400 } 401 402 /** 403 * Verifies that this CRL was signed using the 404 * private key that corresponds to the given public key, 405 * and that the signature verification was computed by 406 * the given provider. Note that the specified Provider object 407 * does not have to be registered in the provider list. 408 * 411 * 412 * @exception NoSuchAlgorithmException on unsupported signature 413 * algorithms. 414 * @exception InvalidKeyException on incorrect key. 415 * @exception SignatureException on signature errors. 416 * @exception CRLException on encoding errors. 417 */ 418 public synchronized void verify(PublicKey key, Provider sigProvider) 419 throws CRLException, NoSuchAlgorithmException, InvalidKeyException, 420 SignatureException { 421 422 if (signedCRL == null) { 423 throw new CRLException("Uninitialized CRL"); 424 } 425 Signature sigVerf = null; 426 if (sigProvider == null) { 427 sigVerf = Signature.getInstance(sigAlgId.getName()); 428 } else { 429 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); 430 } 431 sigVerf.initVerify(key); 432 433 if (tbsCertList == null) { 434 throw new CRLException("Uninitialized CRL"); 435 } 436 437 sigVerf.update(tbsCertList, 0, tbsCertList.length); 438 439 if (!sigVerf.verify(signature)) { 440 throw new SignatureException("Signature does not match."); 441 } 442 verifiedPublicKey = key; 443 } 444 445 /** 446 * Encodes an X.509 CRL, and signs it using the given key. 447 * 448 * @param key the private key used for signing. 449 * @param algorithm the name of the signature algorithm used. 450 * 451 * @exception NoSuchAlgorithmException on unsupported signature | 1 /* 2 * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.x509; 27 28 import java.io.InputStream; 29 import java.io.OutputStream; 30 import java.io.IOException; 31 import java.math.BigInteger; 32 import java.security.cert.Certificate; 33 import java.security.cert.X509CRL; 34 import java.security.cert.X509Certificate; 35 import java.security.cert.X509CRLEntry; 36 import java.security.cert.CRLException; 37 import java.security.*; 38 import java.util.*; 39 40 import javax.security.auth.x500.X500Principal; 41 42 import sun.security.provider.X509Factory; 43 import sun.security.util.*; 44 45 /** 46 * <p> 47 * An implementation for X509 CRL (Certificate Revocation List). 48 * <p> 49 * The X.509 v2 CRL format is described below in ASN.1: 50 * <pre> 51 * CertificateList ::= SEQUENCE { 52 * tbsCertList TBSCertList, 53 * signatureAlgorithm AlgorithmIdentifier, 54 * signature BIT STRING } 55 * </pre> 56 * More information can be found in 57 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 58 * Public Key Infrastructure Certificate and CRL Profile</a>. 59 * <p> 60 * The ASN.1 definition of <code>tbsCertList</code> is: 61 * <pre> 62 * TBSCertList ::= SEQUENCE { 63 * version Version OPTIONAL, 358 359 if (sigProvider == null) { 360 sigProvider = ""; 361 } 362 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) { 363 // this CRL has already been successfully verified using 364 // this public key. Make sure providers match, too. 365 if (sigProvider.equals(verifiedProvider)) { 366 return; 367 } 368 } 369 if (signedCRL == null) { 370 throw new CRLException("Uninitialized CRL"); 371 } 372 Signature sigVerf = null; 373 if (sigProvider.length() == 0) { 374 sigVerf = Signature.getInstance(sigAlgId.getName()); 375 } else { 376 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); 377 } 378 379 sigVerf.initVerify(key); 380 381 // set parameters after Signature.initSign/initVerify call, 382 // so the deferred provider selection happens when key is set 383 try { 384 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams()); 385 } catch (ProviderException e) { 386 throw new CRLException(e.getMessage(), e.getCause()); 387 } catch (InvalidAlgorithmParameterException e) { 388 throw new CRLException(e); 389 } 390 391 if (tbsCertList == null) { 392 throw new CRLException("Uninitialized CRL"); 393 } 394 395 sigVerf.update(tbsCertList, 0, tbsCertList.length); 396 397 if (!sigVerf.verify(signature)) { 398 throw new SignatureException("Signature does not match."); 399 } 400 verifiedPublicKey = key; 401 verifiedProvider = sigProvider; 402 } 403 404 /** 405 * Verifies that this CRL was signed using the 406 * private key that corresponds to the given public key, 407 * and that the signature verification was computed by 408 * the given provider. Note that the specified Provider object 409 * does not have to be registered in the provider list. 410 * 413 * 414 * @exception NoSuchAlgorithmException on unsupported signature 415 * algorithms. 416 * @exception InvalidKeyException on incorrect key. 417 * @exception SignatureException on signature errors. 418 * @exception CRLException on encoding errors. 419 */ 420 public synchronized void verify(PublicKey key, Provider sigProvider) 421 throws CRLException, NoSuchAlgorithmException, InvalidKeyException, 422 SignatureException { 423 424 if (signedCRL == null) { 425 throw new CRLException("Uninitialized CRL"); 426 } 427 Signature sigVerf = null; 428 if (sigProvider == null) { 429 sigVerf = Signature.getInstance(sigAlgId.getName()); 430 } else { 431 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider); 432 } 433 434 sigVerf.initVerify(key); 435 436 // set parameters after Signature.initSign/initVerify call, 437 // so the deferred provider selection happens when key is set 438 try { 439 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams()); 440 } catch (ProviderException e) { 441 throw new CRLException(e.getMessage(), e.getCause()); 442 } catch (InvalidAlgorithmParameterException e) { 443 throw new CRLException(e); 444 } 445 446 if (tbsCertList == null) { 447 throw new CRLException("Uninitialized CRL"); 448 } 449 450 sigVerf.update(tbsCertList, 0, tbsCertList.length); 451 452 if (!sigVerf.verify(signature)) { 453 throw new SignatureException("Signature does not match."); 454 } 455 verifiedPublicKey = key; 456 } 457 458 /** 459 * Encodes an X.509 CRL, and signs it using the given key. 460 * 461 * @param key the private key used for signing. 462 * @param algorithm the name of the signature algorithm used. 463 * 464 * @exception NoSuchAlgorithmException on unsupported signature |