rev 52979 : 8215281: Use String.isEmpty() when applicable in java.base
Reviewed-by: TBD

   1 /*
   2  * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.x509;
  27 
  28 import java.io.InputStream;
  29 import java.io.OutputStream;
  30 import java.io.IOException;
  31 import java.math.BigInteger;
  32 import java.security.cert.Certificate;
  33 import java.security.cert.X509CRL;
  34 import java.security.cert.X509Certificate;
  35 import java.security.cert.X509CRLEntry;
  36 import java.security.cert.CRLException;
  37 import java.security.*;
  38 import java.util.*;
  39 
  40 import javax.security.auth.x500.X500Principal;
  41 
  42 import sun.security.provider.X509Factory;
  43 import sun.security.util.*;
  44 
  45 /**
  46  * <p>
  47  * An implementation for X509 CRL (Certificate Revocation List).
  48  * <p>
  49  * The X.509 v2 CRL format is described below in ASN.1:
  50  * <pre>
  51  * CertificateList  ::=  SEQUENCE  {
  52  *     tbsCertList          TBSCertList,
  53  *     signatureAlgorithm   AlgorithmIdentifier,
  54  *     signature            BIT STRING  }
  55  * </pre>
  56  * More information can be found in
  57  * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509
  58  * Public Key Infrastructure Certificate and CRL Profile</a>.
  59  * <p>
  60  * The ASN.1 definition of <code>tbsCertList</code> is:
  61  * <pre>
  62  * TBSCertList  ::=  SEQUENCE  {
  63  *     version                 Version OPTIONAL,
  64  *                             -- if present, must be v2
  65  *     signature               AlgorithmIdentifier,
  66  *     issuer                  Name,
  67  *     thisUpdate              ChoiceOfTime,
  68  *     nextUpdate              ChoiceOfTime OPTIONAL,
  69  *     revokedCertificates     SEQUENCE OF SEQUENCE  {
  70  *         userCertificate         CertificateSerialNumber,
  71  *         revocationDate          ChoiceOfTime,
  72  *         crlEntryExtensions      Extensions OPTIONAL
  73  *                                 -- if present, must be v2
  74  *         }  OPTIONAL,
  75  *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
  76  *                                  -- if present, must be v2
  77  *     }
  78  * </pre>
  79  *
  80  * @author Hemma Prafullchandra
  81  * @see X509CRL
  82  */
  83 public class X509CRLImpl extends X509CRL implements DerEncoder {
  84 
  85     // CRL data, and its envelope
  86     private byte[]      signedCRL = null; // DER encoded crl
  87     private byte[]      signature = null; // raw signature bits
  88     private byte[]      tbsCertList = null; // DER encoded "to-be-signed" CRL
  89     private AlgorithmId sigAlgId = null; // sig alg in CRL
  90 
  91     // crl information
  92     private int              version;
  93     private AlgorithmId      infoSigAlgId; // sig alg in "to-be-signed" crl
  94     private X500Name         issuer = null;
  95     private X500Principal    issuerPrincipal = null;
  96     private Date             thisUpdate = null;
  97     private Date             nextUpdate = null;
  98     private Map<X509IssuerSerial,X509CRLEntry> revokedMap = new TreeMap<>();
  99     private List<X509CRLEntry> revokedList = new LinkedList<>();
 100     private CRLExtensions    extensions = null;
 101     private static final boolean isExplicit = true;
 102     private static final long YR_2050 = 2524636800000L;
 103 
 104     private boolean readOnly = false;
 105 
 106     /**
 107      * PublicKey that has previously been used to successfully verify
 108      * the signature of this CRL. Null if the CRL has not
 109      * yet been verified (successfully).
 110      */
 111     private PublicKey verifiedPublicKey;
 112     /**
 113      * If verifiedPublicKey is not null, name of the provider used to
 114      * successfully verify the signature of this CRL, or the
 115      * empty String if no provider was explicitly specified.
 116      */
 117     private String verifiedProvider;
 118 
 119     /**
 120      * Not to be used. As it would lead to cases of uninitialized
 121      * CRL objects.
 122      */
 123     private X509CRLImpl() { }
 124 
 125     /**
 126      * Unmarshals an X.509 CRL from its encoded form, parsing the encoded
 127      * bytes.  This form of constructor is used by agents which
 128      * need to examine and use CRL contents. Note that the buffer
 129      * must include only one CRL, and no "garbage" may be left at
 130      * the end.
 131      *
 132      * @param crlData the encoded bytes, with no trailing padding.
 133      * @exception CRLException on parsing errors.
 134      */
 135     public X509CRLImpl(byte[] crlData) throws CRLException {
 136         try {
 137             parse(new DerValue(crlData));
 138         } catch (IOException e) {
 139             signedCRL = null;
 140             throw new CRLException("Parsing error: " + e.getMessage());
 141         }
 142     }
 143 
 144     /**
 145      * Unmarshals an X.509 CRL from an DER value.
 146      *
 147      * @param val a DER value holding at least one CRL
 148      * @exception CRLException on parsing errors.
 149      */
 150     public X509CRLImpl(DerValue val) throws CRLException {
 151         try {
 152             parse(val);
 153         } catch (IOException e) {
 154             signedCRL = null;
 155             throw new CRLException("Parsing error: " + e.getMessage());
 156         }
 157     }
 158 
 159     /**
 160      * Unmarshals an X.509 CRL from an input stream. Only one CRL
 161      * is expected at the end of the input stream.
 162      *
 163      * @param inStrm an input stream holding at least one CRL
 164      * @exception CRLException on parsing errors.
 165      */
 166     public X509CRLImpl(InputStream inStrm) throws CRLException {
 167         try {
 168             parse(new DerValue(inStrm));
 169         } catch (IOException e) {
 170             signedCRL = null;
 171             throw new CRLException("Parsing error: " + e.getMessage());
 172         }
 173     }
 174 
 175     /**
 176      * Initial CRL constructor, no revoked certs, and no extensions.
 177      *
 178      * @param issuer the name of the CA issuing this CRL.
 179      * @param thisDate the Date of this issue.
 180      * @param nextDate the Date of the next CRL.
 181      */
 182     public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate) {
 183         this.issuer = issuer;
 184         this.thisUpdate = thisDate;
 185         this.nextUpdate = nextDate;
 186     }
 187 
 188     /**
 189      * CRL constructor, revoked certs, no extensions.
 190      *
 191      * @param issuer the name of the CA issuing this CRL.
 192      * @param thisDate the Date of this issue.
 193      * @param nextDate the Date of the next CRL.
 194      * @param badCerts the array of CRL entries.
 195      *
 196      * @exception CRLException on parsing/construction errors.
 197      */
 198     public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
 199                        X509CRLEntry[] badCerts)
 200         throws CRLException
 201     {
 202         this.issuer = issuer;
 203         this.thisUpdate = thisDate;
 204         this.nextUpdate = nextDate;
 205         if (badCerts != null) {
 206             X500Principal crlIssuer = getIssuerX500Principal();
 207             X500Principal badCertIssuer = crlIssuer;
 208             for (int i = 0; i < badCerts.length; i++) {
 209                 X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
 210                 try {
 211                     badCertIssuer = getCertIssuer(badCert, badCertIssuer);
 212                 } catch (IOException ioe) {
 213                     throw new CRLException(ioe);
 214                 }
 215                 badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
 216                 X509IssuerSerial issuerSerial = new X509IssuerSerial
 217                     (badCertIssuer, badCert.getSerialNumber());
 218                 this.revokedMap.put(issuerSerial, badCert);
 219                 this.revokedList.add(badCert);
 220                 if (badCert.hasExtensions()) {
 221                     this.version = 1;
 222                 }
 223             }
 224         }
 225     }
 226 
 227     /**
 228      * CRL constructor, revoked certs and extensions.
 229      *
 230      * @param issuer the name of the CA issuing this CRL.
 231      * @param thisDate the Date of this issue.
 232      * @param nextDate the Date of the next CRL.
 233      * @param badCerts the array of CRL entries.
 234      * @param crlExts the CRL extensions.
 235      *
 236      * @exception CRLException on parsing/construction errors.
 237      */
 238     public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
 239                X509CRLEntry[] badCerts, CRLExtensions crlExts)
 240         throws CRLException
 241     {
 242         this(issuer, thisDate, nextDate, badCerts);
 243         if (crlExts != null) {
 244             this.extensions = crlExts;
 245             this.version = 1;
 246         }
 247     }
 248 
 249     /**
 250      * Returned the encoding as an uncloned byte array. Callers must
 251      * guarantee that they neither modify it nor expose it to untrusted
 252      * code.
 253      */
 254     public byte[] getEncodedInternal() throws CRLException {
 255         if (signedCRL == null) {
 256             throw new CRLException("Null CRL to encode");
 257         }
 258         return signedCRL;
 259     }
 260 
 261     /**
 262      * Returns the ASN.1 DER encoded form of this CRL.
 263      *
 264      * @exception CRLException if an encoding error occurs.
 265      */
 266     public byte[] getEncoded() throws CRLException {
 267         return getEncodedInternal().clone();
 268     }
 269 
 270     /**
 271      * Encodes the "to-be-signed" CRL to the OutputStream.
 272      *
 273      * @param out the OutputStream to write to.
 274      * @exception CRLException on encoding errors.
 275      */
 276     public void encodeInfo(OutputStream out) throws CRLException {
 277         try {
 278             DerOutputStream tmp = new DerOutputStream();
 279             DerOutputStream rCerts = new DerOutputStream();
 280             DerOutputStream seq = new DerOutputStream();
 281 
 282             if (version != 0) // v2 crl encode version
 283                 tmp.putInteger(version);
 284             infoSigAlgId.encode(tmp);
 285             if ((version == 0) && (issuer.toString() == null))
 286                 throw new CRLException("Null Issuer DN not allowed in v1 CRL");
 287             issuer.encode(tmp);
 288 
 289             if (thisUpdate.getTime() < YR_2050)
 290                 tmp.putUTCTime(thisUpdate);
 291             else
 292                 tmp.putGeneralizedTime(thisUpdate);
 293 
 294             if (nextUpdate != null) {
 295                 if (nextUpdate.getTime() < YR_2050)
 296                     tmp.putUTCTime(nextUpdate);
 297                 else
 298                     tmp.putGeneralizedTime(nextUpdate);
 299             }
 300 
 301             if (!revokedList.isEmpty()) {
 302                 for (X509CRLEntry entry : revokedList) {
 303                     ((X509CRLEntryImpl)entry).encode(rCerts);
 304                 }
 305                 tmp.write(DerValue.tag_Sequence, rCerts);
 306             }
 307 
 308             if (extensions != null)
 309                 extensions.encode(tmp, isExplicit);
 310 
 311             seq.write(DerValue.tag_Sequence, tmp);
 312 
 313             tbsCertList = seq.toByteArray();
 314             out.write(tbsCertList);
 315         } catch (IOException e) {
 316              throw new CRLException("Encoding error: " + e.getMessage());
 317         }
 318     }
 319 
 320     /**
 321      * Verifies that this CRL was signed using the
 322      * private key that corresponds to the given public key.
 323      *
 324      * @param key the PublicKey used to carry out the verification.
 325      *
 326      * @exception NoSuchAlgorithmException on unsupported signature
 327      * algorithms.
 328      * @exception InvalidKeyException on incorrect key.
 329      * @exception NoSuchProviderException if there's no default provider.
 330      * @exception SignatureException on signature errors.
 331      * @exception CRLException on encoding errors.
 332      */
 333     public void verify(PublicKey key)
 334     throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
 335            NoSuchProviderException, SignatureException {
 336         verify(key, "");
 337     }
 338 
 339     /**
 340      * Verifies that this CRL was signed using the
 341      * private key that corresponds to the given public key,
 342      * and that the signature verification was computed by
 343      * the given provider.
 344      *
 345      * @param key the PublicKey used to carry out the verification.
 346      * @param sigProvider the name of the signature provider.
 347      *
 348      * @exception NoSuchAlgorithmException on unsupported signature
 349      * algorithms.
 350      * @exception InvalidKeyException on incorrect key.
 351      * @exception NoSuchProviderException on incorrect provider.
 352      * @exception SignatureException on signature errors.
 353      * @exception CRLException on encoding errors.
 354      */
 355     public synchronized void verify(PublicKey key, String sigProvider)
 356             throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
 357             NoSuchProviderException, SignatureException {
 358 
 359         if (sigProvider == null) {
 360             sigProvider = "";
 361         }
 362         if ((verifiedPublicKey != null) && verifiedPublicKey.equals(key)) {
 363             // this CRL has already been successfully verified using
 364             // this public key. Make sure providers match, too.
 365             if (sigProvider.equals(verifiedProvider)) {
 366                 return;
 367             }
 368         }
 369         if (signedCRL == null) {
 370             throw new CRLException("Uninitialized CRL");
 371         }
 372         Signature   sigVerf = null;
 373         if (sigProvider.isEmpty()) {
 374             sigVerf = Signature.getInstance(sigAlgId.getName());
 375         } else {
 376             sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
 377         }
 378 
 379         sigVerf.initVerify(key);
 380 
 381         // set parameters after Signature.initSign/initVerify call,
 382         // so the deferred provider selection happens when key is set
 383         try {
 384             SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
 385         } catch (ProviderException e) {
 386             throw new CRLException(e.getMessage(), e.getCause());
 387         } catch (InvalidAlgorithmParameterException e) {
 388             throw new CRLException(e);
 389         }
 390 
 391         if (tbsCertList == null) {
 392             throw new CRLException("Uninitialized CRL");
 393         }
 394 
 395         sigVerf.update(tbsCertList, 0, tbsCertList.length);
 396 
 397         if (!sigVerf.verify(signature)) {
 398             throw new SignatureException("Signature does not match.");
 399         }
 400         verifiedPublicKey = key;
 401         verifiedProvider = sigProvider;
 402     }
 403 
 404     /**
 405      * Verifies that this CRL was signed using the
 406      * private key that corresponds to the given public key,
 407      * and that the signature verification was computed by
 408      * the given provider. Note that the specified Provider object
 409      * does not have to be registered in the provider list.
 410      *
 411      * @param key the PublicKey used to carry out the verification.
 412      * @param sigProvider the signature provider.
 413      *
 414      * @exception NoSuchAlgorithmException on unsupported signature
 415      * algorithms.
 416      * @exception InvalidKeyException on incorrect key.
 417      * @exception SignatureException on signature errors.
 418      * @exception CRLException on encoding errors.
 419      */
 420     public synchronized void verify(PublicKey key, Provider sigProvider)
 421             throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
 422             SignatureException {
 423 
 424         if (signedCRL == null) {
 425             throw new CRLException("Uninitialized CRL");
 426         }
 427         Signature sigVerf = null;
 428         if (sigProvider == null) {
 429             sigVerf = Signature.getInstance(sigAlgId.getName());
 430         } else {
 431             sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
 432         }
 433 
 434         sigVerf.initVerify(key);
 435 
 436         // set parameters after Signature.initSign/initVerify call,
 437         // so the deferred provider selection happens when key is set
 438         try {
 439             SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
 440         } catch (ProviderException e) {
 441             throw new CRLException(e.getMessage(), e.getCause());
 442         } catch (InvalidAlgorithmParameterException e) {
 443             throw new CRLException(e);
 444         }
 445 
 446         if (tbsCertList == null) {
 447             throw new CRLException("Uninitialized CRL");
 448         }
 449 
 450         sigVerf.update(tbsCertList, 0, tbsCertList.length);
 451 
 452         if (!sigVerf.verify(signature)) {
 453             throw new SignatureException("Signature does not match.");
 454         }
 455         verifiedPublicKey = key;
 456     }
 457 
 458     /**
 459      * Encodes an X.509 CRL, and signs it using the given key.
 460      *
 461      * @param key the private key used for signing.
 462      * @param algorithm the name of the signature algorithm used.
 463      *
 464      * @exception NoSuchAlgorithmException on unsupported signature
 465      * algorithms.
 466      * @exception InvalidKeyException on incorrect key.
 467      * @exception NoSuchProviderException on incorrect provider.
 468      * @exception SignatureException on signature errors.
 469      * @exception CRLException if any mandatory data was omitted.
 470      */
 471     public void sign(PrivateKey key, String algorithm)
 472     throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
 473         NoSuchProviderException, SignatureException {
 474         sign(key, algorithm, null);
 475     }
 476 
 477     /**
 478      * Encodes an X.509 CRL, and signs it using the given key.
 479      *
 480      * @param key the private key used for signing.
 481      * @param algorithm the name of the signature algorithm used.
 482      * @param provider the name of the provider.
 483      *
 484      * @exception NoSuchAlgorithmException on unsupported signature
 485      * algorithms.
 486      * @exception InvalidKeyException on incorrect key.
 487      * @exception NoSuchProviderException on incorrect provider.
 488      * @exception SignatureException on signature errors.
 489      * @exception CRLException if any mandatory data was omitted.
 490      */
 491     public void sign(PrivateKey key, String algorithm, String provider)
 492     throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
 493         NoSuchProviderException, SignatureException {
 494         try {
 495             if (readOnly)
 496                 throw new CRLException("cannot over-write existing CRL");
 497             Signature sigEngine = null;
 498             if (provider == null || provider.isEmpty())
 499                 sigEngine = Signature.getInstance(algorithm);
 500             else
 501                 sigEngine = Signature.getInstance(algorithm, provider);
 502 
 503             sigEngine.initSign(key);
 504 
 505                                 // in case the name is reset
 506             sigAlgId = AlgorithmId.get(sigEngine.getAlgorithm());
 507             infoSigAlgId = sigAlgId;
 508 
 509             DerOutputStream out = new DerOutputStream();
 510             DerOutputStream tmp = new DerOutputStream();
 511 
 512             // encode crl info
 513             encodeInfo(tmp);
 514 
 515             // encode algorithm identifier
 516             sigAlgId.encode(tmp);
 517 
 518             // Create and encode the signature itself.
 519             sigEngine.update(tbsCertList, 0, tbsCertList.length);
 520             signature = sigEngine.sign();
 521             tmp.putBitString(signature);
 522 
 523             // Wrap the signed data in a SEQUENCE { data, algorithm, sig }
 524             out.write(DerValue.tag_Sequence, tmp);
 525             signedCRL = out.toByteArray();
 526             readOnly = true;
 527 
 528         } catch (IOException e) {
 529             throw new CRLException("Error while encoding data: " +
 530                                    e.getMessage());
 531         }
 532     }
 533 
 534     /**
 535      * Returns a printable string of this CRL.
 536      *
 537      * @return value of this CRL in a printable form.
 538      */
 539     public String toString() {
 540         return toStringWithAlgName("" + sigAlgId);
 541     }
 542 
 543     // Specifically created for keytool to append a (weak) label to sigAlg
 544     public String toStringWithAlgName(String name) {
 545         StringBuilder sb = new StringBuilder();
 546         sb.append("X.509 CRL v")
 547             .append(version+1)
 548             .append('\n');
 549         if (sigAlgId != null)
 550             sb.append("Signature Algorithm: ")
 551                 .append(name)
 552                 .append(", OID=")
 553                 .append(sigAlgId.getOID())
 554                 .append('\n');
 555         if (issuer != null)
 556             sb.append("Issuer: ")
 557                 .append(issuer)
 558                 .append('\n');
 559         if (thisUpdate != null)
 560             sb.append("\nThis Update: ")
 561                 .append(thisUpdate)
 562                 .append('\n');
 563         if (nextUpdate != null)
 564             sb.append("Next Update: ")
 565                 .append(nextUpdate)
 566                 .append('\n');
 567         if (revokedList.isEmpty())
 568             sb.append("\nNO certificates have been revoked\n");
 569         else {
 570             sb.append("\nRevoked Certificates: ")
 571                 .append(revokedList.size());
 572             int i = 1;
 573             for (X509CRLEntry entry: revokedList) {
 574                 sb.append("\n[")
 575                     .append(i++)
 576                     .append("] ")
 577                     .append(entry);
 578             }
 579         }
 580         if (extensions != null) {
 581             Collection<Extension> allExts = extensions.getAllExtensions();
 582             Object[] objs = allExts.toArray();
 583             sb.append("\nCRL Extensions: ")
 584                 .append(objs.length);
 585             for (int i = 0; i < objs.length; i++) {
 586                 sb.append("\n[").append(i+1).append("]: ");
 587                 Extension ext = (Extension)objs[i];
 588                 try {
 589                     if (OIDMap.getClass(ext.getExtensionId()) == null) {
 590                         sb.append(ext);
 591                         byte[] extValue = ext.getExtensionValue();
 592                         if (extValue != null) {
 593                             DerOutputStream out = new DerOutputStream();
 594                             out.putOctetString(extValue);
 595                             extValue = out.toByteArray();
 596                             HexDumpEncoder enc = new HexDumpEncoder();
 597                             sb.append("Extension unknown: ")
 598                                 .append("DER encoded OCTET string =\n")
 599                                 .append(enc.encodeBuffer(extValue))
 600                                 .append('\n');
 601                         }
 602                     } else {
 603                         sb.append(ext); // sub-class exists
 604                     }
 605                 } catch (Exception e) {
 606                     sb.append(", Error parsing this extension");
 607                 }
 608             }
 609         }
 610         if (signature != null) {
 611             HexDumpEncoder encoder = new HexDumpEncoder();
 612             sb.append("\nSignature:\n")
 613                 .append(encoder.encodeBuffer(signature))
 614                 .append('\n');
 615         } else {
 616             sb.append("NOT signed yet\n");
 617         }
 618         return sb.toString();
 619     }
 620 
 621     /**
 622      * Checks whether the given certificate is on this CRL.
 623      *
 624      * @param cert the certificate to check for.
 625      * @return true if the given certificate is on this CRL,
 626      * false otherwise.
 627      */
 628     public boolean isRevoked(Certificate cert) {
 629         if (revokedMap.isEmpty() || (!(cert instanceof X509Certificate))) {
 630             return false;
 631         }
 632         X509Certificate xcert = (X509Certificate) cert;
 633         X509IssuerSerial issuerSerial = new X509IssuerSerial(xcert);
 634         return revokedMap.containsKey(issuerSerial);
 635     }
 636 
 637     /**
 638      * Gets the version number from this CRL.
 639      * The ASN.1 definition for this is:
 640      * <pre>
 641      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 642      *             -- v3 does not apply to CRLs but appears for consistency
 643      *             -- with definition of Version for certs
 644      * </pre>
 645      * @return the version number, i.e. 1 or 2.
 646      */
 647     public int getVersion() {
 648         return version+1;
 649     }
 650 
 651     /**
 652      * Gets the issuer distinguished name from this CRL.
 653      * The issuer name identifies the entity who has signed (and
 654      * issued the CRL). The issuer name field contains an
 655      * X.500 distinguished name (DN).
 656      * The ASN.1 definition for this is:
 657      * <pre>
 658      * issuer    Name
 659      *
 660      * Name ::= CHOICE { RDNSequence }
 661      * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 662      * RelativeDistinguishedName ::=
 663      *     SET OF AttributeValueAssertion
 664      *
 665      * AttributeValueAssertion ::= SEQUENCE {
 666      *                               AttributeType,
 667      *                               AttributeValue }
 668      * AttributeType ::= OBJECT IDENTIFIER
 669      * AttributeValue ::= ANY
 670      * </pre>
 671      * The Name describes a hierarchical name composed of attributes,
 672      * such as country name, and corresponding values, such as US.
 673      * The type of the component AttributeValue is determined by the
 674      * AttributeType; in general it will be a directoryString.
 675      * A directoryString is usually one of PrintableString,
 676      * TeletexString or UniversalString.
 677      * @return the issuer name.
 678      */
 679     public Principal getIssuerDN() {
 680         return (Principal)issuer;
 681     }
 682 
 683     /**
 684      * Return the issuer as X500Principal. Overrides method in X509CRL
 685      * to provide a slightly more efficient version.
 686      */
 687     public X500Principal getIssuerX500Principal() {
 688         if (issuerPrincipal == null) {
 689             issuerPrincipal = issuer.asX500Principal();
 690         }
 691         return issuerPrincipal;
 692     }
 693 
 694     /**
 695      * Gets the thisUpdate date from the CRL.
 696      * The ASN.1 definition for this is:
 697      *
 698      * @return the thisUpdate date from the CRL.
 699      */
 700     public Date getThisUpdate() {
 701         return (new Date(thisUpdate.getTime()));
 702     }
 703 
 704     /**
 705      * Gets the nextUpdate date from the CRL.
 706      *
 707      * @return the nextUpdate date from the CRL, or null if
 708      * not present.
 709      */
 710     public Date getNextUpdate() {
 711         if (nextUpdate == null)
 712             return null;
 713         return (new Date(nextUpdate.getTime()));
 714     }
 715 
 716     /**
 717      * Gets the CRL entry with the given serial number from this CRL.
 718      *
 719      * @return the entry with the given serial number, or <code>null</code> if
 720      * no such entry exists in the CRL.
 721      * @see X509CRLEntry
 722      */
 723     public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
 724         if (revokedMap.isEmpty()) {
 725             return null;
 726         }
 727         // assume this is a direct CRL entry (cert and CRL issuer are the same)
 728         X509IssuerSerial issuerSerial = new X509IssuerSerial
 729             (getIssuerX500Principal(), serialNumber);
 730         return revokedMap.get(issuerSerial);
 731     }
 732 
 733     /**
 734      * Gets the CRL entry for the given certificate.
 735      */
 736     public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
 737         if (revokedMap.isEmpty()) {
 738             return null;
 739         }
 740         X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
 741         return revokedMap.get(issuerSerial);
 742     }
 743 
 744     /**
 745      * Gets all the revoked certificates from the CRL.
 746      * A Set of X509CRLEntry.
 747      *
 748      * @return all the revoked certificates or <code>null</code> if there are
 749      * none.
 750      * @see X509CRLEntry
 751      */
 752     public Set<X509CRLEntry> getRevokedCertificates() {
 753         if (revokedList.isEmpty()) {
 754             return null;
 755         } else {
 756             return new TreeSet<X509CRLEntry>(revokedList);
 757         }
 758     }
 759 
 760     /**
 761      * Gets the DER encoded CRL information, the
 762      * <code>tbsCertList</code> from this CRL.
 763      * This can be used to verify the signature independently.
 764      *
 765      * @return the DER encoded CRL information.
 766      * @exception CRLException on encoding errors.
 767      */
 768     public byte[] getTBSCertList() throws CRLException {
 769         if (tbsCertList == null)
 770             throw new CRLException("Uninitialized CRL");
 771         return tbsCertList.clone();
 772     }
 773 
 774     /**
 775      * Gets the raw Signature bits from the CRL.
 776      *
 777      * @return the signature.
 778      */
 779     public byte[] getSignature() {
 780         if (signature == null)
 781             return null;
 782         return signature.clone();
 783     }
 784 
 785     /**
 786      * Gets the signature algorithm name for the CRL
 787      * signature algorithm. For example, the string "SHA1withDSA".
 788      * The ASN.1 definition for this is:
 789      * <pre>
 790      * AlgorithmIdentifier  ::=  SEQUENCE  {
 791      *     algorithm               OBJECT IDENTIFIER,
 792      *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
 793      *                             -- contains a value of the type
 794      *                             -- registered for use with the
 795      *                             -- algorithm object identifier value
 796      * </pre>
 797      *
 798      * @return the signature algorithm name.
 799      */
 800     public String getSigAlgName() {
 801         if (sigAlgId == null)
 802             return null;
 803         return sigAlgId.getName();
 804     }
 805 
 806     /**
 807      * Gets the signature algorithm OID string from the CRL.
 808      * An OID is represented by a set of positive whole number separated
 809      * by ".", that means,<br>
 810      * &lt;positive whole number&gt;.&lt;positive whole number&gt;.&lt;...&gt;
 811      * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
 812      * with DSA signature algorithm defined in
 813      * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
 814      * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
 815      * and CRL Profile</a>.
 816      *
 817      * @return the signature algorithm oid string.
 818      */
 819     public String getSigAlgOID() {
 820         if (sigAlgId == null)
 821             return null;
 822         ObjectIdentifier oid = sigAlgId.getOID();
 823         return oid.toString();
 824     }
 825 
 826     /**
 827      * Gets the DER encoded signature algorithm parameters from this
 828      * CRL's signature algorithm. In most cases, the signature
 829      * algorithm parameters are null, the parameters are usually
 830      * supplied with the Public Key.
 831      *
 832      * @return the DER encoded signature algorithm parameters, or
 833      *         null if no parameters are present.
 834      */
 835     public byte[] getSigAlgParams() {
 836         if (sigAlgId == null)
 837             return null;
 838         try {
 839             return sigAlgId.getEncodedParams();
 840         } catch (IOException e) {
 841             return null;
 842         }
 843     }
 844 
 845     /**
 846      * Gets the signature AlgorithmId from the CRL.
 847      *
 848      * @return the signature AlgorithmId
 849      */
 850     public AlgorithmId getSigAlgId() {
 851         return sigAlgId;
 852     }
 853 
 854     /**
 855      * return the AuthorityKeyIdentifier, if any.
 856      *
 857      * @return AuthorityKeyIdentifier or null
 858      *         (if no AuthorityKeyIdentifierExtension)
 859      * @throws IOException on error
 860      */
 861     public KeyIdentifier getAuthKeyId() throws IOException {
 862         AuthorityKeyIdentifierExtension aki = getAuthKeyIdExtension();
 863         if (aki != null) {
 864             KeyIdentifier keyId = (KeyIdentifier)aki.get(
 865                     AuthorityKeyIdentifierExtension.KEY_ID);
 866             return keyId;
 867         } else {
 868             return null;
 869         }
 870     }
 871 
 872     /**
 873      * return the AuthorityKeyIdentifierExtension, if any.
 874      *
 875      * @return AuthorityKeyIdentifierExtension or null (if no such extension)
 876      * @throws IOException on error
 877      */
 878     public AuthorityKeyIdentifierExtension getAuthKeyIdExtension()
 879         throws IOException {
 880         Object obj = getExtension(PKIXExtensions.AuthorityKey_Id);
 881         return (AuthorityKeyIdentifierExtension)obj;
 882     }
 883 
 884     /**
 885      * return the CRLNumberExtension, if any.
 886      *
 887      * @return CRLNumberExtension or null (if no such extension)
 888      * @throws IOException on error
 889      */
 890     public CRLNumberExtension getCRLNumberExtension() throws IOException {
 891         Object obj = getExtension(PKIXExtensions.CRLNumber_Id);
 892         return (CRLNumberExtension)obj;
 893     }
 894 
 895     /**
 896      * return the CRL number from the CRLNumberExtension, if any.
 897      *
 898      * @return number or null (if no such extension)
 899      * @throws IOException on error
 900      */
 901     public BigInteger getCRLNumber() throws IOException {
 902         CRLNumberExtension numExt = getCRLNumberExtension();
 903         if (numExt != null) {
 904             BigInteger num = numExt.get(CRLNumberExtension.NUMBER);
 905             return num;
 906         } else {
 907             return null;
 908         }
 909     }
 910 
 911     /**
 912      * return the DeltaCRLIndicatorExtension, if any.
 913      *
 914      * @return DeltaCRLIndicatorExtension or null (if no such extension)
 915      * @throws IOException on error
 916      */
 917     public DeltaCRLIndicatorExtension getDeltaCRLIndicatorExtension()
 918         throws IOException {
 919 
 920         Object obj = getExtension(PKIXExtensions.DeltaCRLIndicator_Id);
 921         return (DeltaCRLIndicatorExtension)obj;
 922     }
 923 
 924     /**
 925      * return the base CRL number from the DeltaCRLIndicatorExtension, if any.
 926      *
 927      * @return number or null (if no such extension)
 928      * @throws IOException on error
 929      */
 930     public BigInteger getBaseCRLNumber() throws IOException {
 931         DeltaCRLIndicatorExtension dciExt = getDeltaCRLIndicatorExtension();
 932         if (dciExt != null) {
 933             BigInteger num = dciExt.get(DeltaCRLIndicatorExtension.NUMBER);
 934             return num;
 935         } else {
 936             return null;
 937         }
 938     }
 939 
 940     /**
 941      * return the IssuerAlternativeNameExtension, if any.
 942      *
 943      * @return IssuerAlternativeNameExtension or null (if no such extension)
 944      * @throws IOException on error
 945      */
 946     public IssuerAlternativeNameExtension getIssuerAltNameExtension()
 947         throws IOException {
 948         Object obj = getExtension(PKIXExtensions.IssuerAlternativeName_Id);
 949         return (IssuerAlternativeNameExtension)obj;
 950     }
 951 
 952     /**
 953      * return the IssuingDistributionPointExtension, if any.
 954      *
 955      * @return IssuingDistributionPointExtension or null
 956      *         (if no such extension)
 957      * @throws IOException on error
 958      */
 959     public IssuingDistributionPointExtension
 960         getIssuingDistributionPointExtension() throws IOException {
 961 
 962         Object obj = getExtension(PKIXExtensions.IssuingDistributionPoint_Id);
 963         return (IssuingDistributionPointExtension) obj;
 964     }
 965 
 966     /**
 967      * Return true if a critical extension is found that is
 968      * not supported, otherwise return false.
 969      */
 970     public boolean hasUnsupportedCriticalExtension() {
 971         if (extensions == null)
 972             return false;
 973         return extensions.hasUnsupportedCriticalExtension();
 974     }
 975 
 976     /**
 977      * Gets a Set of the extension(s) marked CRITICAL in the
 978      * CRL. In the returned set, each extension is represented by
 979      * its OID string.
 980      *
 981      * @return a set of the extension oid strings in the
 982      * CRL that are marked critical.
 983      */
 984     public Set<String> getCriticalExtensionOIDs() {
 985         if (extensions == null) {
 986             return null;
 987         }
 988         Set<String> extSet = new TreeSet<>();
 989         for (Extension ex : extensions.getAllExtensions()) {
 990             if (ex.isCritical()) {
 991                 extSet.add(ex.getExtensionId().toString());
 992             }
 993         }
 994         return extSet;
 995     }
 996 
 997     /**
 998      * Gets a Set of the extension(s) marked NON-CRITICAL in the
 999      * CRL. In the returned set, each extension is represented by
1000      * its OID string.
1001      *
1002      * @return a set of the extension oid strings in the
1003      * CRL that are NOT marked critical.
1004      */
1005     public Set<String> getNonCriticalExtensionOIDs() {
1006         if (extensions == null) {
1007             return null;
1008         }
1009         Set<String> extSet = new TreeSet<>();
1010         for (Extension ex : extensions.getAllExtensions()) {
1011             if (!ex.isCritical()) {
1012                 extSet.add(ex.getExtensionId().toString());
1013             }
1014         }
1015         return extSet;
1016     }
1017 
1018     /**
1019      * Gets the DER encoded OCTET string for the extension value
1020      * (<code>extnValue</code>) identified by the passed in oid String.
1021      * The <code>oid</code> string is
1022      * represented by a set of positive whole number separated
1023      * by ".", that means,<br>
1024      * &lt;positive whole number&gt;.&lt;positive whole number&gt;.&lt;...&gt;
1025      *
1026      * @param oid the Object Identifier value for the extension.
1027      * @return the der encoded octet string of the extension value.
1028      */
1029     public byte[] getExtensionValue(String oid) {
1030         if (extensions == null)
1031             return null;
1032         try {
1033             String extAlias = OIDMap.getName(new ObjectIdentifier(oid));
1034             Extension crlExt = null;
1035 
1036             if (extAlias == null) { // may be unknown
1037                 ObjectIdentifier findOID = new ObjectIdentifier(oid);
1038                 Extension ex = null;
1039                 ObjectIdentifier inCertOID;
1040                 for (Enumeration<Extension> e = extensions.getElements();
1041                                                  e.hasMoreElements();) {
1042                     ex = e.nextElement();
1043                     inCertOID = ex.getExtensionId();
1044                     if (inCertOID.equals(findOID)) {
1045                         crlExt = ex;
1046                         break;
1047                     }
1048                 }
1049             } else
1050                 crlExt = extensions.get(extAlias);
1051             if (crlExt == null)
1052                 return null;
1053             byte[] extData = crlExt.getExtensionValue();
1054             if (extData == null)
1055                 return null;
1056             DerOutputStream out = new DerOutputStream();
1057             out.putOctetString(extData);
1058             return out.toByteArray();
1059         } catch (Exception e) {
1060             return null;
1061         }
1062     }
1063 
1064     /**
1065      * get an extension
1066      *
1067      * @param oid ObjectIdentifier of extension desired
1068      * @return Object of type {@code <extension>} or null, if not found
1069      * @throws IOException on error
1070      */
1071     public Object getExtension(ObjectIdentifier oid) {
1072         if (extensions == null)
1073             return null;
1074 
1075         // XXX Consider cloning this
1076         return extensions.get(OIDMap.getName(oid));
1077     }
1078 
1079     /*
1080      * Parses an X.509 CRL, should be used only by constructors.
1081      */
1082     private void parse(DerValue val) throws CRLException, IOException {
1083         // check if can over write the certificate
1084         if (readOnly)
1085             throw new CRLException("cannot over-write existing CRL");
1086 
1087         if ( val.getData() == null || val.tag != DerValue.tag_Sequence)
1088             throw new CRLException("Invalid DER-encoded CRL data");
1089 
1090         signedCRL = val.toByteArray();
1091         DerValue[] seq = new DerValue[3];
1092 
1093         seq[0] = val.data.getDerValue();
1094         seq[1] = val.data.getDerValue();
1095         seq[2] = val.data.getDerValue();
1096 
1097         if (val.data.available() != 0)
1098             throw new CRLException("signed overrun, bytes = "
1099                                      + val.data.available());
1100 
1101         if (seq[0].tag != DerValue.tag_Sequence)
1102             throw new CRLException("signed CRL fields invalid");
1103 
1104         sigAlgId = AlgorithmId.parse(seq[1]);
1105         signature = seq[2].getBitString();
1106 
1107         if (seq[1].data.available() != 0)
1108             throw new CRLException("AlgorithmId field overrun");
1109 
1110         if (seq[2].data.available() != 0)
1111             throw new CRLException("Signature field overrun");
1112 
1113         // the tbsCertsList
1114         tbsCertList = seq[0].toByteArray();
1115 
1116         // parse the information
1117         DerInputStream derStrm = seq[0].data;
1118         DerValue       tmp;
1119         byte           nextByte;
1120 
1121         // version (optional if v1)
1122         version = 0;   // by default, version = v1 == 0
1123         nextByte = (byte)derStrm.peekByte();
1124         if (nextByte == DerValue.tag_Integer) {
1125             version = derStrm.getInteger();
1126             if (version != 1)  // i.e. v2
1127                 throw new CRLException("Invalid version");
1128         }
1129         tmp = derStrm.getDerValue();
1130 
1131         // signature
1132         AlgorithmId tmpId = AlgorithmId.parse(tmp);
1133 
1134         // the "inner" and "outer" signature algorithms must match
1135         if (! tmpId.equals(sigAlgId))
1136             throw new CRLException("Signature algorithm mismatch");
1137         infoSigAlgId = tmpId;
1138 
1139         // issuer
1140         issuer = new X500Name(derStrm);
1141         if (issuer.isEmpty()) {
1142             throw new CRLException("Empty issuer DN not allowed in X509CRLs");
1143         }
1144 
1145         // thisUpdate
1146         // check if UTCTime encoded or GeneralizedTime
1147 
1148         nextByte = (byte)derStrm.peekByte();
1149         if (nextByte == DerValue.tag_UtcTime) {
1150             thisUpdate = derStrm.getUTCTime();
1151         } else if (nextByte == DerValue.tag_GeneralizedTime) {
1152             thisUpdate = derStrm.getGeneralizedTime();
1153         } else {
1154             throw new CRLException("Invalid encoding for thisUpdate"
1155                                    + " (tag=" + nextByte + ")");
1156         }
1157 
1158         if (derStrm.available() == 0)
1159            return;     // done parsing no more optional fields present
1160 
1161         // nextUpdate (optional)
1162         nextByte = (byte)derStrm.peekByte();
1163         if (nextByte == DerValue.tag_UtcTime) {
1164             nextUpdate = derStrm.getUTCTime();
1165         } else if (nextByte == DerValue.tag_GeneralizedTime) {
1166             nextUpdate = derStrm.getGeneralizedTime();
1167         } // else it is not present
1168 
1169         if (derStrm.available() == 0)
1170             return;     // done parsing no more optional fields present
1171 
1172         // revokedCertificates (optional)
1173         nextByte = (byte)derStrm.peekByte();
1174         if ((nextByte == DerValue.tag_SequenceOf)
1175             && (! ((nextByte & 0x0c0) == 0x080))) {
1176             DerValue[] badCerts = derStrm.getSequence(4);
1177 
1178             X500Principal crlIssuer = getIssuerX500Principal();
1179             X500Principal badCertIssuer = crlIssuer;
1180             for (int i = 0; i < badCerts.length; i++) {
1181                 X509CRLEntryImpl entry = new X509CRLEntryImpl(badCerts[i]);
1182                 badCertIssuer = getCertIssuer(entry, badCertIssuer);
1183                 entry.setCertificateIssuer(crlIssuer, badCertIssuer);
1184                 X509IssuerSerial issuerSerial = new X509IssuerSerial
1185                     (badCertIssuer, entry.getSerialNumber());
1186                 revokedMap.put(issuerSerial, entry);
1187                 revokedList.add(entry);
1188             }
1189         }
1190 
1191         if (derStrm.available() == 0)
1192             return;     // done parsing no extensions
1193 
1194         // crlExtensions (optional)
1195         tmp = derStrm.getDerValue();
1196         if (tmp.isConstructed() && tmp.isContextSpecific((byte)0)) {
1197             extensions = new CRLExtensions(tmp.data);
1198         }
1199         readOnly = true;
1200     }
1201 
1202     /**
1203      * Extract the issuer X500Principal from an X509CRL. Parses the encoded
1204      * form of the CRL to preserve the principal's ASN.1 encoding.
1205      *
1206      * Called by java.security.cert.X509CRL.getIssuerX500Principal().
1207      */
1208     public static X500Principal getIssuerX500Principal(X509CRL crl) {
1209         try {
1210             byte[] encoded = crl.getEncoded();
1211             DerInputStream derIn = new DerInputStream(encoded);
1212             DerValue tbsCert = derIn.getSequence(3)[0];
1213             DerInputStream tbsIn = tbsCert.data;
1214 
1215             DerValue tmp;
1216             // skip version number if present
1217             byte nextByte = (byte)tbsIn.peekByte();
1218             if (nextByte == DerValue.tag_Integer) {
1219                 tmp = tbsIn.getDerValue();
1220             }
1221 
1222             tmp = tbsIn.getDerValue();  // skip signature
1223             tmp = tbsIn.getDerValue();  // issuer
1224             byte[] principalBytes = tmp.toByteArray();
1225             return new X500Principal(principalBytes);
1226         } catch (Exception e) {
1227             throw new RuntimeException("Could not parse issuer", e);
1228         }
1229     }
1230 
1231     /**
1232      * Returned the encoding of the given certificate for internal use.
1233      * Callers must guarantee that they neither modify it nor expose it
1234      * to untrusted code. Uses getEncodedInternal() if the certificate
1235      * is instance of X509CertImpl, getEncoded() otherwise.
1236      */
1237     public static byte[] getEncodedInternal(X509CRL crl) throws CRLException {
1238         if (crl instanceof X509CRLImpl) {
1239             return ((X509CRLImpl)crl).getEncodedInternal();
1240         } else {
1241             return crl.getEncoded();
1242         }
1243     }
1244 
1245     /**
1246      * Utility method to convert an arbitrary instance of X509CRL
1247      * to a X509CRLImpl. Does a cast if possible, otherwise reparses
1248      * the encoding.
1249      */
1250     public static X509CRLImpl toImpl(X509CRL crl)
1251             throws CRLException {
1252         if (crl instanceof X509CRLImpl) {
1253             return (X509CRLImpl)crl;
1254         } else {
1255             return X509Factory.intern(crl);
1256         }
1257     }
1258 
1259     /**
1260      * Returns the X500 certificate issuer DN of a CRL entry.
1261      *
1262      * @param entry the entry to check
1263      * @param prevCertIssuer the previous entry's certificate issuer
1264      * @return the X500Principal in a CertificateIssuerExtension, or
1265      *   prevCertIssuer if it does not exist
1266      */
1267     private X500Principal getCertIssuer(X509CRLEntryImpl entry,
1268         X500Principal prevCertIssuer) throws IOException {
1269 
1270         CertificateIssuerExtension ciExt =
1271             entry.getCertificateIssuerExtension();
1272         if (ciExt != null) {
1273             GeneralNames names = ciExt.get(CertificateIssuerExtension.ISSUER);
1274             X500Name issuerDN = (X500Name) names.get(0).getName();
1275             return issuerDN.asX500Principal();
1276         } else {
1277             return prevCertIssuer;
1278         }
1279     }
1280 
1281     @Override
1282     public void derEncode(OutputStream out) throws IOException {
1283         if (signedCRL == null)
1284             throw new IOException("Null CRL to encode");
1285         out.write(signedCRL.clone());
1286     }
1287 
1288     /**
1289      * Immutable X.509 Certificate Issuer DN and serial number pair
1290      */
1291     private static final class X509IssuerSerial
1292             implements Comparable<X509IssuerSerial> {
1293         final X500Principal issuer;
1294         final BigInteger serial;
1295         volatile int hashcode;
1296 
1297         /**
1298          * Create an X509IssuerSerial.
1299          *
1300          * @param issuer the issuer DN
1301          * @param serial the serial number
1302          */
1303         X509IssuerSerial(X500Principal issuer, BigInteger serial) {
1304             this.issuer = issuer;
1305             this.serial = serial;
1306         }
1307 
1308         /**
1309          * Construct an X509IssuerSerial from an X509Certificate.
1310          */
1311         X509IssuerSerial(X509Certificate cert) {
1312             this(cert.getIssuerX500Principal(), cert.getSerialNumber());
1313         }
1314 
1315         /**
1316          * Returns the issuer.
1317          *
1318          * @return the issuer
1319          */
1320         X500Principal getIssuer() {
1321             return issuer;
1322         }
1323 
1324         /**
1325          * Returns the serial number.
1326          *
1327          * @return the serial number
1328          */
1329         BigInteger getSerial() {
1330             return serial;
1331         }
1332 
1333         /**
1334          * Compares this X509Serial with another and returns true if they
1335          * are equivalent.
1336          *
1337          * @param o the other object to compare with
1338          * @return true if equal, false otherwise
1339          */
1340         public boolean equals(Object o) {
1341             if (o == this) {
1342                 return true;
1343             }
1344 
1345             if (!(o instanceof X509IssuerSerial)) {
1346                 return false;
1347             }
1348 
1349             X509IssuerSerial other = (X509IssuerSerial) o;
1350             if (serial.equals(other.getSerial()) &&
1351                 issuer.equals(other.getIssuer())) {
1352                 return true;
1353             }
1354             return false;
1355         }
1356 
1357         /**
1358          * Returns a hash code value for this X509IssuerSerial.
1359          *
1360          * @return the hash code value
1361          */
1362         public int hashCode() {
1363             int h = hashcode;
1364             if (h == 0) {
1365                 h = 17;
1366                 h = 37*h + issuer.hashCode();
1367                 h = 37*h + serial.hashCode();
1368                 if (h != 0) {
1369                     hashcode = h;
1370                 }
1371             }
1372             return h;
1373         }
1374 
1375         @Override
1376         public int compareTo(X509IssuerSerial another) {
1377             int cissuer = issuer.toString()
1378                     .compareTo(another.issuer.toString());
1379             if (cissuer != 0) return cissuer;
1380             return this.serial.compareTo(another.serial);
1381         }
1382     }
1383 }
--- EOF ---