PublicKey workingPublicKey,
Vector crlDistPointUrls,
int index)
throws CertPathReviewerException
{
X509CRLSelector crlselect;
crlselect = new X509CRLSelector();
try
{
crlselect.addIssuerName(getEncodedIssuerPrincipal(cert).getEncoded());
}
catch (IOException e)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlIssuerException");
throw new CertPathReviewerException(msg,e);
}
crlselect.setCertificateChecking(cert);
Iterator crl_iter;
try
{
Collection crl_coll = findCRLs(crlselect, paramsPKIX.getCertStores());
crl_iter = crl_coll.iterator();
if (crl_coll.isEmpty())
{
// notifcation - no local crls found
crl_coll = findCRLs(new X509CRLSelector(),paramsPKIX.getCertStores());
Iterator it = crl_coll.iterator();
List nonMatchingCrlNames = new ArrayList();
while (it.hasNext())
{
nonMatchingCrlNames.add(((X509CRL) it.next()).getIssuerX500Principal());
}
int numbOfCrls = nonMatchingCrlNames.size();
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.noCrlInCertstore",
new Object[] {new UntrustedInput(crlselect.getIssuers()),
new UntrustedInput(nonMatchingCrlNames),
new Integer(numbOfCrls)});
addNotification(msg,index);
}
}
catch (AnnotatedException ae)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlExtractionError",
new Object[] {ae.getCause().getMessage(),ae.getCause(),ae.getCause().getClass().getName()});
addError(msg,index);
crl_iter = new ArrayList().iterator();
}
boolean validCrlFound = false;
X509CRL crl = null;
while (crl_iter.hasNext())
{
crl = (X509CRL)crl_iter.next();
if (crl.getNextUpdate() == null
|| new Date().before(crl.getNextUpdate()))
{
validCrlFound = true;
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.localValidCRL",
new Object[] {crl.getThisUpdate(),crl.getNextUpdate()});
addNotification(msg,index);
break;
}
else
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.localInvalidCRL",
new Object[] {crl.getThisUpdate(),crl.getNextUpdate()});
addNotification(msg,index);
}
}
// if no valid crl was found in the CertStores try to get one from a
// crl distribution point
if (!validCrlFound)
{
X509CRL onlineCRL = null;
Iterator urlIt = crlDistPointUrls.iterator();
while (urlIt.hasNext())
{
try
{
String location = (String) urlIt.next();
onlineCRL = getCRL(location);
if (onlineCRL != null)
{
// check if crl issuer is correct
if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.onlineCRLWrongCA",
new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
new UntrustedInput(cert.getIssuerX500Principal().getName()),
new UntrustedInput(location)});
addNotification(msg,index);
continue;
}
if (onlineCRL.getNextUpdate() == null
|| new Date().before(onlineCRL.getNextUpdate()))
{
validCrlFound = true;
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.onlineValidCRL",
new Object[] {onlineCRL.getThisUpdate(),
onlineCRL.getNextUpdate(),
new UntrustedInput(location)});
addNotification(msg,index);
crl = onlineCRL;
break;
}
else
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
"CertPathReviewer.onlineInvalidCRL",
new Object[] {onlineCRL.getThisUpdate(),
onlineCRL.getNextUpdate(),
new UntrustedInput(location)});
addNotification(msg,index);
}
}
}
catch (CertPathReviewerException cpre)
{
addNotification(cpre.getErrorMessage(),index);
}
}
}
// check the crl
X509CRLEntry crl_entry;
if (crl != null)
{
if (sign != null)
{
boolean[] keyusage = sign.getKeyUsage();
if (keyusage != null
&& (keyusage.length < 7 || !keyusage[CRL_SIGN]))
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
throw new CertPathReviewerException(msg);
}
}
if (workingPublicKey != null)
{
try
{
crl.verify(workingPublicKey, "BC");
}
catch (Exception e)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
throw new CertPathReviewerException(msg,e);
}
}
else // issuer public key not known
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
throw new CertPathReviewerException(msg);
}
crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
if (crl_entry != null)
{
String reason = null;
if (crl_entry.hasExtensions())
{
DEREnumerated reasonCode;
try
{
reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
}
catch (AnnotatedException ae)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
throw new CertPathReviewerException(msg,ae);
}
if (reasonCode != null)
{
reason = crlReasons[reasonCode.getValue().intValue()];
}
}
// FIXME reason not i18n
if (!validDate.before(crl_entry.getRevocationDate()))
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
new Object[] {crl_entry.getRevocationDate(),reason});
throw new CertPathReviewerException(msg);
}
else // cert was revoked after validation date
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
new Object[] {crl_entry.getRevocationDate(),reason});
addNotification(msg,index);
}
}
else // cert is not revoked
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notRevoked");
addNotification(msg,index);
}
//
// warn if a new crl is available
//
if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date()))
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
new Object[] {crl.getNextUpdate()});
addNotification(msg,index);
}
//
// check the DeltaCRL indicator, base point and the issuing distribution point
//
DERObject idp;
try
{
idp = getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
}
catch (AnnotatedException ae)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.distrPtExtError");
throw new CertPathReviewerException(msg);
}
DERObject dci;
try
{
dci = getExtensionValue(crl, DELTA_CRL_INDICATOR);
}
catch (AnnotatedException ae)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.deltaCrlExtError");
throw new CertPathReviewerException(msg);
}
if (dci != null)
{
X509CRLSelector baseSelect = new X509CRLSelector();
try
{
baseSelect.addIssuerName(getIssuerPrincipal(crl).getEncoded());
}
catch (IOException e)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlIssuerException");
throw new CertPathReviewerException(msg,e);
}
baseSelect.setMinCRLNumber(((DERInteger)dci).getPositiveValue());
try
{
baseSelect.setMaxCRLNumber(((DERInteger)getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1)));
}
catch (AnnotatedException ae)
{
ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNbrExtError");
throw new CertPathReviewerException(msg,ae);