1 /*
2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.InputStream;
29 import java.io.OutputStream;
30 import java.io.IOException;
31 import java.math.BigInteger;
32 import java.security.Principal;
33 import java.security.PublicKey;
34 import java.security.PrivateKey;
35 import java.security.Provider;
36 import java.security.Signature;
37 import java.security.NoSuchAlgorithmException;
38 import java.security.InvalidKeyException;
39 import java.security.NoSuchProviderException;
40 import java.security.SignatureException;
41 import java.security.cert.Certificate;
42 import java.security.cert.X509CRL;
43 import java.security.cert.X509Certificate;
44 import java.security.cert.X509CRLEntry;
45 import java.security.cert.CRLException;
46 import java.util.*;
47
48 import javax.security.auth.x500.X500Principal;
49
50 import sun.security.provider.X509Factory;
51 import sun.security.util.*;
52 import sun.security.util.HexDumpEncoder;
53
54 /**
55 * <p>
56 * An implementation for X509 CRL (Certificate Revocation List).
57 * <p>
58 * The X.509 v2 CRL format is described below in ASN.1:
59 * <pre>
60 * CertificateList ::= SEQUENCE {
61 * tbsCertList TBSCertList,
62 * signatureAlgorithm AlgorithmIdentifier,
63 * signature BIT STRING }
64 * </pre>
65 * More information can be found in
66 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
67 * Public Key Infrastructure Certificate and CRL Profile</a>.
68 * <p>
69 * The ASN.1 definition of <code>tbsCertList</code> is:
70 * <pre>
71 * TBSCertList ::= SEQUENCE {
72 * version Version OPTIONAL,
367
368 if (sigProvider == null) {
369 sigProvider = "";
370 }
371 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
372 // this CRL has already been successfully verified using
373 // this public key. Make sure providers match, too.
374 if (sigProvider.equals(verifiedProvider)) {
375 return;
376 }
377 }
378 if (signedCRL == null) {
379 throw new CRLException("Uninitialized CRL");
380 }
381 Signature sigVerf = null;
382 if (sigProvider.length() == 0) {
383 sigVerf = Signature.getInstance(sigAlgId.getName());
384 } else {
385 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
386 }
387 sigVerf.initVerify(key);
388
389 if (tbsCertList == null) {
390 throw new CRLException("Uninitialized CRL");
391 }
392
393 sigVerf.update(tbsCertList, 0, tbsCertList.length);
394
395 if (!sigVerf.verify(signature)) {
396 throw new SignatureException("Signature does not match.");
397 }
398 verifiedPublicKey = key;
399 verifiedProvider = sigProvider;
400 }
401
402 /**
403 * Verifies that this CRL was signed using the
404 * private key that corresponds to the given public key,
405 * and that the signature verification was computed by
406 * the given provider. Note that the specified Provider object
407 * does not have to be registered in the provider list.
408 *
411 *
412 * @exception NoSuchAlgorithmException on unsupported signature
413 * algorithms.
414 * @exception InvalidKeyException on incorrect key.
415 * @exception SignatureException on signature errors.
416 * @exception CRLException on encoding errors.
417 */
418 public synchronized void verify(PublicKey key, Provider sigProvider)
419 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
420 SignatureException {
421
422 if (signedCRL == null) {
423 throw new CRLException("Uninitialized CRL");
424 }
425 Signature sigVerf = null;
426 if (sigProvider == null) {
427 sigVerf = Signature.getInstance(sigAlgId.getName());
428 } else {
429 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
430 }
431 sigVerf.initVerify(key);
432
433 if (tbsCertList == null) {
434 throw new CRLException("Uninitialized CRL");
435 }
436
437 sigVerf.update(tbsCertList, 0, tbsCertList.length);
438
439 if (!sigVerf.verify(signature)) {
440 throw new SignatureException("Signature does not match.");
441 }
442 verifiedPublicKey = key;
443 }
444
445 /**
446 * Encodes an X.509 CRL, and signs it using the given key.
447 *
448 * @param key the private key used for signing.
449 * @param algorithm the name of the signature algorithm used.
450 *
451 * @exception NoSuchAlgorithmException on unsupported signature
|
1 /*
2 * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.x509;
27
28 import java.io.InputStream;
29 import java.io.OutputStream;
30 import java.io.IOException;
31 import java.math.BigInteger;
32 import java.security.cert.Certificate;
33 import java.security.cert.X509CRL;
34 import java.security.cert.X509Certificate;
35 import java.security.cert.X509CRLEntry;
36 import java.security.cert.CRLException;
37 import java.security.*;
38 import java.util.*;
39
40 import javax.security.auth.x500.X500Principal;
41
42 import sun.security.provider.X509Factory;
43 import sun.security.util.*;
44
45 /**
46 * <p>
47 * An implementation for X509 CRL (Certificate Revocation List).
48 * <p>
49 * The X.509 v2 CRL format is described below in ASN.1:
50 * <pre>
51 * CertificateList ::= SEQUENCE {
52 * tbsCertList TBSCertList,
53 * signatureAlgorithm AlgorithmIdentifier,
54 * signature BIT STRING }
55 * </pre>
56 * More information can be found in
57 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
58 * Public Key Infrastructure Certificate and CRL Profile</a>.
59 * <p>
60 * The ASN.1 definition of <code>tbsCertList</code> is:
61 * <pre>
62 * TBSCertList ::= SEQUENCE {
63 * version Version OPTIONAL,
358
359 if (sigProvider == null) {
360 sigProvider = "";
361 }
362 if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
363 // this CRL has already been successfully verified using
364 // this public key. Make sure providers match, too.
365 if (sigProvider.equals(verifiedProvider)) {
366 return;
367 }
368 }
369 if (signedCRL == null) {
370 throw new CRLException("Uninitialized CRL");
371 }
372 Signature sigVerf = null;
373 if (sigProvider.length() == 0) {
374 sigVerf = Signature.getInstance(sigAlgId.getName());
375 } else {
376 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
377 }
378
379 sigVerf.initVerify(key);
380
381 // set parameters after Signature.initSign/initVerify call,
382 // so the deferred provider selection happens when key is set
383 try {
384 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
385 } catch (ProviderException e) {
386 throw new CRLException(e.getMessage(), e.getCause());
387 } catch (InvalidAlgorithmParameterException e) {
388 throw new CRLException(e);
389 }
390
391 if (tbsCertList == null) {
392 throw new CRLException("Uninitialized CRL");
393 }
394
395 sigVerf.update(tbsCertList, 0, tbsCertList.length);
396
397 if (!sigVerf.verify(signature)) {
398 throw new SignatureException("Signature does not match.");
399 }
400 verifiedPublicKey = key;
401 verifiedProvider = sigProvider;
402 }
403
404 /**
405 * Verifies that this CRL was signed using the
406 * private key that corresponds to the given public key,
407 * and that the signature verification was computed by
408 * the given provider. Note that the specified Provider object
409 * does not have to be registered in the provider list.
410 *
413 *
414 * @exception NoSuchAlgorithmException on unsupported signature
415 * algorithms.
416 * @exception InvalidKeyException on incorrect key.
417 * @exception SignatureException on signature errors.
418 * @exception CRLException on encoding errors.
419 */
420 public synchronized void verify(PublicKey key, Provider sigProvider)
421 throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
422 SignatureException {
423
424 if (signedCRL == null) {
425 throw new CRLException("Uninitialized CRL");
426 }
427 Signature sigVerf = null;
428 if (sigProvider == null) {
429 sigVerf = Signature.getInstance(sigAlgId.getName());
430 } else {
431 sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
432 }
433
434 sigVerf.initVerify(key);
435
436 // set parameters after Signature.initSign/initVerify call,
437 // so the deferred provider selection happens when key is set
438 try {
439 SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
440 } catch (ProviderException e) {
441 throw new CRLException(e.getMessage(), e.getCause());
442 } catch (InvalidAlgorithmParameterException e) {
443 throw new CRLException(e);
444 }
445
446 if (tbsCertList == null) {
447 throw new CRLException("Uninitialized CRL");
448 }
449
450 sigVerf.update(tbsCertList, 0, tbsCertList.length);
451
452 if (!sigVerf.verify(signature)) {
453 throw new SignatureException("Signature does not match.");
454 }
455 verifiedPublicKey = key;
456 }
457
458 /**
459 * Encodes an X.509 CRL, and signs it using the given key.
460 *
461 * @param key the private key used for signing.
462 * @param algorithm the name of the signature algorithm used.
463 *
464 * @exception NoSuchAlgorithmException on unsupported signature
|