Package org.bouncycastle.i18n.filter

Examples of org.bouncycastle.i18n.filter.TrustedInput

699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
        X500Principal trustPrincipal = null;
       
        // validation date
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
                    new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
            addNotification(msg);
        }
       
        // find trust anchors
        try
        {
            X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
            Collection trustColl = getTrustAnchors(cert,pkixParams.getTrustAnchors());
            if (trustColl.size() > 1)
            {
                // conflicting trust anchors               
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.conflictingTrustAnchors",
                        new Object[]{Integers.valueOf(trustColl.size()),
                            new UntrustedInput(cert.getIssuerX500Principal())});
                addError(msg);
            }
            else if (trustColl.isEmpty())
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.noTrustAnchorFound",
                        new Object[]{new UntrustedInput(cert.getIssuerX500Principal()),
                            Integers.valueOf(pkixParams.getTrustAnchors().size())});
                addError(msg);
            }
            else
            {
                PublicKey trustPublicKey;
                trust = (TrustAnchor) trustColl.iterator().next();
                if (trust.getTrustedCert() != null)
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trustPublicKey = trust.getCAPublicKey();
                }
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (SignatureException e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustButInvalidCert");
                    addError(msg);
                }
                catch (Exception e)
                {
                    // do nothing, error occurs again later
                }
            }
        }
        catch (CertPathReviewerException cpre)
        {
            addError(cpre.getErrorMessage());
        }
        catch (Throwable t)
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                    "CertPathReviewer.unknown",
                    new Object[] {new UntrustedInput(t.getMessage()), new UntrustedInput(t)});
            addError(msg);
        }
       
        if (trust != null)
        {
            // get the name of the trustAnchor
            X509Certificate sign = trust.getTrustedCert();
            try
            {
                if (sign != null)
                {
                    trustPrincipal = getSubjectPrincipal(sign);
                }
                else
                {
                    trustPrincipal = new X500Principal(trust.getCAName());
                }
            }
            catch (IllegalArgumentException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustDNInvalid",
                        new Object[] {new UntrustedInput(trust.getCAName())});
                addError(msg);
            }
           
            // test key usages of the trust anchor
            if (sign != null)
            {
                boolean[] ku = sign.getKeyUsage();
                if (ku != null && !ku[5])
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
                    addNotification(msg);
                }
            }
        }
       
        // 1.6.2 - Initialization
       
        PublicKey workingPublicKey = null;
        X500Principal workingIssuerName = trustPrincipal;
       
        X509Certificate sign = null;

        AlgorithmIdentifier workingAlgId = null;
        DERObjectIdentifier workingPublicKeyAlgorithm = null;
        ASN1Encodable workingPublicKeyParameters = null;
       
        if (trust != null)
        {
            sign = trust.getTrustedCert();
           
            if (sign != null)
            {
                workingPublicKey = sign.getPublicKey();
            }
            else
            {
                workingPublicKey = trust.getCAPublicKey();
            }
       
            try
            {
                workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
            catch (CertPathValidatorException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustPubKeyError");
                addError(msg);
                workingAlgId = null;
            }
           
        }

        // Basic cert checks

        X509Certificate cert = null;
        int i;

        for (int index = certs.size() - 1; index >= 0; index--)
        {
            //
            // i as defined in the algorithm description
            //
            i = n - index;

            //
            // set certificate to be checked in this round
            // sign and workingPublicKey and workingIssuerName are set
            // at the end of the for loop and initialied the
            // first time from the TrustAnchor
            //
            cert = (X509Certificate) certs.get(index);

            // verify signature
            if (workingPublicKey != null)
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else if (isSelfIssued(cert))
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(),
                        pkixParams.getSigProvider());
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                    addError(msg, index);
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.NoIssuerPublicKey");
                // if there is an authority key extension add the serial and issuer of the missing certificate
                byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
                if (akiBytes != null)
                {
                    try
                    {
                        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
                            X509ExtensionUtil.fromExtensionValue(akiBytes));
                        GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                        if (issuerNames != null)
                        {
                            GeneralName name = issuerNames.getNames()[0];
                            BigInteger serial = aki.getAuthorityCertSerialNumber();
                            if (serial != null)
                            {
                                Object[] extraArgs = {new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name ,
                                        "\" ", new LocaleString(RESOURCE_NAME, "missingSerial") , " ", serial};
                                msg.setExtraArguments(extraArgs);
                            }
                        }
                    }
                    catch (IOException e)
                    {
                        // ignore
                    }
                }
                addError(msg,index);
            }

            // certificate valid?
            try
            {
                cert.checkValidity(validDate);
            }
            catch (CertificateNotYetValidException cnve)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateNotYetValid",
                        new Object[] {new TrustedInput(cert.getNotBefore())});
                addError(msg,index);
            }
            catch (CertificateExpiredException cee)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateExpired",
                        new Object[] {new TrustedInput(cert.getNotAfter())});
                addError(msg,index);
            }

            // certificate revoked?
            if (pkixParams.isRevocationEnabled())
View Full Code Here
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
                    ErrorBundle msg;
                    if (limit.getCurrency().isAlphabetic())
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueAlpha",
                                new Object[] {limit.getCurrency().getAlphabetic(),
                                              new TrustedInput(new Double(value)),
                                              limit});
                    }
                    else
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueNum",
                                new Object[]{Integers.valueOf(limit.getCurrency().getNumeric()),
                                    new TrustedInput(new Double(value)),
                                    limit});
                    }
                    addNotification(msg,index);
                }
                else
View Full Code Here
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
                || paramsPKIX.getDate().before(crl.getNextUpdate()))
            {
                validCrlFound = true;
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localValidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
                break;
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localInvalidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
        }
       
        // if no valid crl was found in the CertStores try to get one from a
        // crl distribution point
        if (!validCrlFound)
        {
            X509CRL onlineCRL = null;
            Iterator urlIt = crlDistPointUrls.iterator();
            while (urlIt.hasNext())
            {
                try
                {
                    String location = (String) urlIt.next();
                    onlineCRL = getCRL(location);
                    if (onlineCRL != null)
                    {
                        // check if crl issuer is correct
                        if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                        "CertPathReviewer.onlineCRLWrongCA",
                                        new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
                                                      new UntrustedInput(cert.getIssuerX500Principal().getName()),
                                                      new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            continue;
                        }
                       
                        if (onlineCRL.getNextUpdate() == null
                            || pkixParams.getDate().before(onlineCRL.getNextUpdate()))
                        {
                            validCrlFound = true;
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineValidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            crl = onlineCRL;
                            break;
                        }
                        else
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineInvalidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                        }
                    }
                }
                catch (CertPathReviewerException cpre)
                {
                    addNotification(cpre.getErrorMessage(),index);
                }
            }
        }
       
        // check the crl
        X509CRLEntry crl_entry;
        if (crl != null)
        {
            if (sign != null)
            {
                boolean[] keyusage = sign.getKeyUsage();

                if (keyusage != null
                    && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
                    throw new CertPathReviewerException(msg);
                }
            }

            if (workingPublicKey != null)
            {
                try
                {
                    crl.verify(workingPublicKey, "BC");
                }
                catch (Exception e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
                    throw new CertPathReviewerException(msg,e);
                }
            }
            else // issuer public key not known
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
                throw new CertPathReviewerException(msg);
            }

            crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
            if (crl_entry != null)
            {
                String reason = null;
               
                if (crl_entry.hasExtensions())
                {
                    DEREnumerated reasonCode;
                    try
                    {
                        reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
                    }
                    catch (AnnotatedException ae)
                    {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
                        throw new CertPathReviewerException(msg,ae);
                    }
                    if (reasonCode != null)
                    {
                        reason = crlReasons[reasonCode.getValue().intValue()];
                    }
                }

                if (reason == null)
                {
                    reason = crlReasons[7]; // unknown
                }

                // i18n reason
                LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
               
                if (!validDate.before(crl_entry.getRevocationDate()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    throw new CertPathReviewerException(msg);
                }
                else // cert was revoked after validation date
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    addNotification(msg,index);
                }
            }
            else // cert is not revoked
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notRevoked");
                addNotification(msg,index);
            }
           
            //
            // warn if a new crl is available
            //
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(pkixParams.getDate()))
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
                        new Object[] {new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
           
            //
            // check the DeltaCRL indicator, base point and the issuing distribution point
View Full Code Here
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
        X500Principal trustPrincipal = null;
       
        // validation date
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
                    new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
            addNotification(msg);
        }
       
        // find trust anchors
        try
        {
            X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
            Collection trustColl = getTrustAnchors(cert,pkixParams.getTrustAnchors());
            if (trustColl.size() > 1)
            {
                // conflicting trust anchors               
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.conflictingTrustAnchors",
                        new Object[] {new Integer(trustColl.size()),
                                      new UntrustedInput(cert.getIssuerX500Principal())});
                addError(msg);
            }
            else if (trustColl.isEmpty())
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.noTrustAnchorFound",
                        new Object[] {new UntrustedInput(cert.getIssuerX500Principal()),
                                      new Integer(pkixParams.getTrustAnchors().size())});
                addError(msg);
            }
            else
            {
                PublicKey trustPublicKey;
                trust = (TrustAnchor) trustColl.iterator().next();
                if (trust.getTrustedCert() != null)
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trustPublicKey = trust.getCAPublicKey();
                }
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (SignatureException e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustButInvalidCert");
                    addError(msg);
                }
                catch (Exception e)
                {
                    // do nothing, error occurs again later
                }
            }
        }
        catch (CertPathReviewerException cpre)
        {
            addError(cpre.getErrorMessage());
        }
       
        if (trust != null)
        {
            // get the name of the trustAnchor
            X509Certificate sign = trust.getTrustedCert();
            try
            {
                if (sign != null)
                {
                    trustPrincipal = getSubjectPrincipal(sign);
                }
                else
                {
                    trustPrincipal = new X500Principal(trust.getCAName());
                }
            }
            catch (IllegalArgumentException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustDNInvalid",
                        new Object[] {new UntrustedInput(trust.getCAName())});
                addError(msg);
            }
           
            // test key usages of the trust anchor
            if (sign != null)
            {
                boolean[] ku = sign.getKeyUsage();
                if (ku != null && !ku[5])
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
                    addNotification(msg);
                }
            }
        }
       
        // 1.6.2 - Initialization
       
        PublicKey workingPublicKey = null;
        X500Principal workingIssuerName = trustPrincipal;
       
        X509Certificate sign = null;

        AlgorithmIdentifier workingAlgId = null;
        DERObjectIdentifier workingPublicKeyAlgorithm = null;
        DEREncodable workingPublicKeyParameters = null;
       
        if (trust != null)
        {
            sign = trust.getTrustedCert();
           
            if (sign != null)
            {
                workingPublicKey = sign.getPublicKey();
            }
            else
            {
                workingPublicKey = trust.getCAPublicKey();
            }
       
            try
            {
                workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
            catch (CertPathValidatorException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustPubKeyError");
                addError(msg);
                workingAlgId = null;
            }
           
        }

        // Basic cert checks

        X509Certificate cert = null;
        int i;

        for (int index = certs.size() - 1; index >= 0; index--)
        {
            //
            // i as defined in the algorithm description
            //
            i = n - index;

            //
            // set certificate to be checked in this round
            // sign and workingPublicKey and workingIssuerName are set
            // at the end of the for loop and initialied the
            // first time from the TrustAnchor
            //
            cert = (X509Certificate) certs.get(index);

            // verify signature
            if (workingPublicKey != null)
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else if (isSelfIssued(cert))
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(),
                        pkixParams.getSigProvider());
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                    addError(msg, index);
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.NoIssuerPublicKey");
                // if there is an authority key extension add the serial and issuer of the missing certificate
                byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
                if (akiBytes != null)
                {
                    try
                    {
                        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
                            X509ExtensionUtil.fromExtensionValue(akiBytes));
                        GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                        if (issuerNames != null)
                        {
                            GeneralName name = issuerNames.getNames()[0];
                            BigInteger serial = aki.getAuthorityCertSerialNumber();
                            if (serial != null)
                            {
                                Object[] extraArgs = {new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name ,
                                        "\" ", new LocaleString(RESOURCE_NAME, "missingSerial") , " ", serial};
                                msg.setExtraArguments(extraArgs);
                            }
                        }
                    }
                    catch (IOException e)
                    {
                        // ignore
                    }
                }
                addError(msg,index);
            }

            // certificate valid?
            try
            {
                cert.checkValidity(validDate);
            }
            catch (CertificateNotYetValidException cnve)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateNotYetValid",
                        new Object[] {new TrustedInput(cert.getNotBefore())});
                addError(msg,index);
            }
            catch (CertificateExpiredException cee)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateExpired",
                        new Object[] {new TrustedInput(cert.getNotAfter())});
                addError(msg,index);
            }

            // certificate revoked?
            if (pkixParams.isRevocationEnabled())
View Full Code Here
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
                    ErrorBundle msg;
                    if (limit.getCurrency().isAlphabetic())
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueAlpha",
                                new Object[] {limit.getCurrency().getAlphabetic(),
                                              new TrustedInput(new Double(value)),
                                              limit});
                    }
                    else
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueNum",
                                new Object[] {new Integer(limit.getCurrency().getNumeric()),
                                              new TrustedInput(new Double(value)),
                                              limit});
                    }
                    addNotification(msg,index);
                }
                else
View Full Code Here
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
                || new Date().before(crl.getNextUpdate()))
            {
                validCrlFound = true;
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localValidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
                break;
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localInvalidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
        }
       
        // if no valid crl was found in the CertStores try to get one from a
        // crl distribution point
        if (!validCrlFound)
        {
            X509CRL onlineCRL = null;
            Iterator urlIt = crlDistPointUrls.iterator();
            while (urlIt.hasNext())
            {
                try
                {
                    String location = (String) urlIt.next();
                    onlineCRL = getCRL(location);
                    if (onlineCRL != null)
                    {
                        // check if crl issuer is correct
                        if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                        "CertPathReviewer.onlineCRLWrongCA",
                                        new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
                                                      new UntrustedInput(cert.getIssuerX500Principal().getName()),
                                                      new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            continue;
                        }
                       
                        if (onlineCRL.getNextUpdate() == null
                            || new Date().before(onlineCRL.getNextUpdate()))
                        {
                            validCrlFound = true;
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineValidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            crl = onlineCRL;
                            break;
                        }
                        else
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineInvalidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                        }
                    }
                }
                catch (CertPathReviewerException cpre)
                {
                    addNotification(cpre.getErrorMessage(),index);
                }
            }
        }
       
        // check the crl
        X509CRLEntry crl_entry;
        if (crl != null)
        {
            if (sign != null)
            {
                boolean[] keyusage = sign.getKeyUsage();

                if (keyusage != null
                    && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
                    throw new CertPathReviewerException(msg);
                }
            }

            if (workingPublicKey != null)
            {
                try
                {
                    crl.verify(workingPublicKey, "BC");
                }
                catch (Exception e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
                    throw new CertPathReviewerException(msg,e);
                }
            }
            else // issuer public key not known
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
                throw new CertPathReviewerException(msg);
            }

            crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
            if (crl_entry != null)
            {
                String reason = null;
               
                if (crl_entry.hasExtensions())
                {
                    DEREnumerated reasonCode;
                    try
                    {
                        reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
                    }
                    catch (AnnotatedException ae)
                    {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
                        throw new CertPathReviewerException(msg,ae);
                    }
                    if (reasonCode != null)
                    {
                        reason = crlReasons[reasonCode.getValue().intValue()];
                    }
                    else
                    {
                        reason = crlReasons[7];
                    }
                }
               
                // i18n reason
                LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
               
                if (!validDate.before(crl_entry.getRevocationDate()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    throw new CertPathReviewerException(msg);
                }
                else // cert was revoked after validation date
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    addNotification(msg,index);
                }
            }
            else // cert is not revoked
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notRevoked");
                addNotification(msg,index);
            }
           
            //
            // warn if a new crl is available
            //
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date()))
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
                        new Object[] {new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
           
            //
            // check the DeltaCRL indicator, base point and the issuing distribution point
View Full Code Here
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
        X500Principal trustPrincipal = null;
       
        // validation date
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
                    new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
            addNotification(msg);
        }
       
        // find trust anchors
        try
        {
            X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
            Collection trustColl = getTrustAnchors(cert,pkixParams.getTrustAnchors());
            if (trustColl.size() > 1)
            {
                // conflicting trust anchors               
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.conflictingTrustAnchors",
                        new Object[] {new Integer(trustColl.size()),
                                      new UntrustedInput(cert.getIssuerX500Principal())});
                addError(msg);
            }
            else if (trustColl.isEmpty())
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.noTrustAnchorFound",
                        new Object[] {new UntrustedInput(cert.getIssuerX500Principal()),
                                      new Integer(pkixParams.getTrustAnchors().size())});
                addError(msg);
            }
            else
            {
                PublicKey trustPublicKey;
                trust = (TrustAnchor) trustColl.iterator().next();
                if (trust.getTrustedCert() != null)
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trustPublicKey = trust.getCAPublicKey();
                }
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (SignatureException e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustButInvalidCert");
                    addError(msg);
                }
                catch (Exception e)
                {
                    // do nothing, error occurs again later
                }
            }
        }
        catch (CertPathReviewerException cpre)
        {
            addError(cpre.getErrorMessage());
        }
        catch (Throwable t)
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                    "CertPathReviewer.unknown",
                    new Object[] {new UntrustedInput(t.getMessage()), new UntrustedInput(t)});
            addError(msg);
        }
       
        if (trust != null)
        {
            // get the name of the trustAnchor
            X509Certificate sign = trust.getTrustedCert();
            try
            {
                if (sign != null)
                {
                    trustPrincipal = getSubjectPrincipal(sign);
                }
                else
                {
                    trustPrincipal = new X500Principal(trust.getCAName());
                }
            }
            catch (IllegalArgumentException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustDNInvalid",
                        new Object[] {new UntrustedInput(trust.getCAName())});
                addError(msg);
            }
           
            // test key usages of the trust anchor
            if (sign != null)
            {
                boolean[] ku = sign.getKeyUsage();
                if (ku != null && !ku[5])
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
                    addNotification(msg);
                }
            }
        }
       
        // 1.6.2 - Initialization
       
        PublicKey workingPublicKey = null;
        X500Principal workingIssuerName = trustPrincipal;
       
        X509Certificate sign = null;

        AlgorithmIdentifier workingAlgId = null;
        DERObjectIdentifier workingPublicKeyAlgorithm = null;
        DEREncodable workingPublicKeyParameters = null;
       
        if (trust != null)
        {
            sign = trust.getTrustedCert();
           
            if (sign != null)
            {
                workingPublicKey = sign.getPublicKey();
            }
            else
            {
                workingPublicKey = trust.getCAPublicKey();
            }
       
            try
            {
                workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
            catch (CertPathValidatorException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustPubKeyError");
                addError(msg);
                workingAlgId = null;
            }
           
        }

        // Basic cert checks

        X509Certificate cert = null;
        int i;

        for (int index = certs.size() - 1; index >= 0; index--)
        {
            //
            // i as defined in the algorithm description
            //
            i = n - index;

            //
            // set certificate to be checked in this round
            // sign and workingPublicKey and workingIssuerName are set
            // at the end of the for loop and initialied the
            // first time from the TrustAnchor
            //
            cert = (X509Certificate) certs.get(index);

            // verify signature
            if (workingPublicKey != null)
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else if (isSelfIssued(cert))
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(),
                        pkixParams.getSigProvider());
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                    addError(msg, index);
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.NoIssuerPublicKey");
                // if there is an authority key extension add the serial and issuer of the missing certificate
                byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
                if (akiBytes != null)
                {
                    try
                    {
                        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
                            X509ExtensionUtil.fromExtensionValue(akiBytes));
                        GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                        if (issuerNames != null)
                        {
                            GeneralName name = issuerNames.getNames()[0];
                            BigInteger serial = aki.getAuthorityCertSerialNumber();
                            if (serial != null)
                            {
                                Object[] extraArgs = {new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name ,
                                        "\" ", new LocaleString(RESOURCE_NAME, "missingSerial") , " ", serial};
                                msg.setExtraArguments(extraArgs);
                            }
                        }
                    }
                    catch (IOException e)
                    {
                        // ignore
                    }
                }
                addError(msg,index);
            }

            // certificate valid?
            try
            {
                cert.checkValidity(validDate);
            }
            catch (CertificateNotYetValidException cnve)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateNotYetValid",
                        new Object[] {new TrustedInput(cert.getNotBefore())});
                addError(msg,index);
            }
            catch (CertificateExpiredException cee)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateExpired",
                        new Object[] {new TrustedInput(cert.getNotAfter())});
                addError(msg,index);
            }

            // certificate revoked?
            if (pkixParams.isRevocationEnabled())
View Full Code Here
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
                    ErrorBundle msg;
                    if (limit.getCurrency().isAlphabetic())
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueAlpha",
                                new Object[] {limit.getCurrency().getAlphabetic(),
                                              new TrustedInput(new Double(value)),
                                              limit});
                    }
                    else
                    {
                        msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueNum",
                                new Object[] {new Integer(limit.getCurrency().getNumeric()),
                                              new TrustedInput(new Double(value)),
                                              limit});
                    }
                    addNotification(msg,index);
                }
                else
View Full Code Here
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
                || new Date().before(crl.getNextUpdate()))
            {
                validCrlFound = true;
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localValidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
                break;
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.localInvalidCRL",
                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
        }
       
        // if no valid crl was found in the CertStores try to get one from a
        // crl distribution point
        if (!validCrlFound)
        {
            X509CRL onlineCRL = null;
            Iterator urlIt = crlDistPointUrls.iterator();
            while (urlIt.hasNext())
            {
                try
                {
                    String location = (String) urlIt.next();
                    onlineCRL = getCRL(location);
                    if (onlineCRL != null)
                    {
                        // check if crl issuer is correct
                        if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                        "CertPathReviewer.onlineCRLWrongCA",
                                        new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
                                                      new UntrustedInput(cert.getIssuerX500Principal().getName()),
                                                      new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            continue;
                        }
                       
                        if (onlineCRL.getNextUpdate() == null
                            || new Date().before(onlineCRL.getNextUpdate()))
                        {
                            validCrlFound = true;
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineValidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                            crl = onlineCRL;
                            break;
                        }
                        else
                        {
                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                                    "CertPathReviewer.onlineInvalidCRL",
                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
                                                  new TrustedInput(onlineCRL.getNextUpdate()),
                                                  new UntrustedUrlInput(location)});
                            addNotification(msg,index);
                        }
                    }
                }
                catch (CertPathReviewerException cpre)
                {
                    addNotification(cpre.getErrorMessage(),index);
                }
            }
        }
       
        // check the crl
        X509CRLEntry crl_entry;
        if (crl != null)
        {
            if (sign != null)
            {
                boolean[] keyusage = sign.getKeyUsage();

                if (keyusage != null
                    && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
                    throw new CertPathReviewerException(msg);
                }
            }

            if (workingPublicKey != null)
            {
                try
                {
                    crl.verify(workingPublicKey, "BC");
                }
                catch (Exception e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
                    throw new CertPathReviewerException(msg,e);
                }
            }
            else // issuer public key not known
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
                throw new CertPathReviewerException(msg);
            }

            crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
            if (crl_entry != null)
            {
                String reason = null;
               
                if (crl_entry.hasExtensions())
                {
                    DEREnumerated reasonCode;
                    try
                    {
                        reasonCode = DEREnumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
                    }
                    catch (AnnotatedException ae)
                    {
                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
                        throw new CertPathReviewerException(msg,ae);
                    }
                    if (reasonCode != null)
                    {
                        reason = crlReasons[reasonCode.getValue().intValue()];
                    }
                    else
                    {
                        reason = crlReasons[7];
                    }
                }
               
                // i18n reason
                LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
               
                if (!validDate.before(crl_entry.getRevocationDate()))
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    throw new CertPathReviewerException(msg);
                }
                else // cert was revoked after validation date
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
                            new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
                    addNotification(msg,index);
                }
            }
            else // cert is not revoked
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notRevoked");
                addNotification(msg,index);
            }
           
            //
            // warn if a new crl is available
            //
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date()))
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
                        new Object[] {new TrustedInput(crl.getNextUpdate())});
                addNotification(msg,index);
            }
           
            //
            // check the DeltaCRL indicator, base point and the issuing distribution point
View Full Code Here
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
        X500Principal trustPrincipal = null;
       
        // validation date
        {
            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
                    new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
            addNotification(msg);
        }
       
        // find trust anchors
        try
        {
            X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
            Collection trustColl = getTrustAnchors(cert,pkixParams.getTrustAnchors());
            if (trustColl.size() > 1)
            {
                // conflicting trust anchors               
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.conflictingTrustAnchors",
                        new Object[] {new Integer(trustColl.size()),
                                      new UntrustedInput(cert.getIssuerX500Principal())});
                addError(msg);
            }
            else if (trustColl.isEmpty())
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
                        "CertPathReviewer.noTrustAnchorFound",
                        new Object[] {new UntrustedInput(cert.getIssuerX500Principal()),
                                      new Integer(pkixParams.getTrustAnchors().size())});
                addError(msg);
            }
            else
            {
                PublicKey trustPublicKey;
                trust = (TrustAnchor) trustColl.iterator().next();
                if (trust.getTrustedCert() != null)
                {
                    trustPublicKey = trust.getTrustedCert().getPublicKey();
                }
                else
                {
                    trustPublicKey = trust.getCAPublicKey();
                }
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (SignatureException e)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustButInvalidCert");
                    addError(msg);
                }
                catch (Exception e)
                {
                    // do nothing, error occurs again later
                }
            }
        }
        catch (CertPathReviewerException cpre)
        {
            addError(cpre.getErrorMessage());
        }
       
        if (trust != null)
        {
            // get the name of the trustAnchor
            X509Certificate sign = trust.getTrustedCert();
            try
            {
                if (sign != null)
                {
                    trustPrincipal = getSubjectPrincipal(sign);
                }
                else
                {
                    trustPrincipal = new X500Principal(trust.getCAName());
                }
            }
            catch (IllegalArgumentException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustDNInvalid",
                        new Object[] {new UntrustedInput(trust.getCAName())});
                addError(msg);
            }
           
            // test key usages of the trust anchor
            if (sign != null)
            {
                boolean[] ku = sign.getKeyUsage();
                if (ku != null && !ku[5])
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
                    addNotification(msg);
                }
            }
        }
       
        // 1.6.2 - Initialization
       
        PublicKey workingPublicKey = null;
        X500Principal workingIssuerName = trustPrincipal;
       
        X509Certificate sign = null;

        AlgorithmIdentifier workingAlgId = null;
        DERObjectIdentifier workingPublicKeyAlgorithm = null;
        DEREncodable workingPublicKeyParameters = null;
       
        if (trust != null)
        {
            sign = trust.getTrustedCert();
           
            if (sign != null)
            {
                workingPublicKey = sign.getPublicKey();
            }
            else
            {
                workingPublicKey = trust.getCAPublicKey();
            }
       
            try
            {
                workingAlgId = getAlgorithmIdentifier(workingPublicKey);
                workingPublicKeyAlgorithm = workingAlgId.getObjectId();
                workingPublicKeyParameters = workingAlgId.getParameters();
            }
            catch (CertPathValidatorException ex)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustPubKeyError");
                addError(msg);
                workingAlgId = null;
            }
           
        }

        // Basic cert checks

        X509Certificate cert = null;
        int i;

        for (int index = certs.size() - 1; index >= 0; index--)
        {
            //
            // i as defined in the algorithm description
            //
            i = n - index;

            //
            // set certificate to be checked in this round
            // sign and workingPublicKey and workingIssuerName are set
            // at the end of the for loop and initialied the
            // first time from the TrustAnchor
            //
            cert = (X509Certificate) certs.get(index);

            // verify signature
            if (workingPublicKey != null)
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
                        pkixParams.getSigProvider());
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else if (isSelfIssued(cert))
            {
                try
                {
                    CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(),
                        pkixParams.getSigProvider());
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
                    addError(msg, index);
                }
                catch (GeneralSecurityException ex)
                {
                    ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
                            new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
                    addError(msg,index);
                }
            }
            else
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.NoIssuerPublicKey");
                // if there is an authority key extension add the serial and issuer of the missing certificate
                byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
                if (akiBytes != null)
                {
                    try
                    {
                        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
                            X509ExtensionUtil.fromExtensionValue(akiBytes));
                        GeneralNames issuerNames = aki.getAuthorityCertIssuer();
                        if (issuerNames != null)
                        {
                            GeneralName name = issuerNames.getNames()[0];
                            BigInteger serial = aki.getAuthorityCertSerialNumber();
                            if (serial != null)
                            {
                                Object[] extraArgs = {new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name ,
                                        "\" ", new LocaleString(RESOURCE_NAME, "missingSerial") , " ", serial};
                                msg.setExtraArguments(extraArgs);
                            }
                        }
                    }
                    catch (IOException e)
                    {
                        // ignore
                    }
                }
                addError(msg,index);
            }

            // certificate valid?
            try
            {
                cert.checkValidity(validDate);
            }
            catch (CertificateNotYetValidException cnve)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateNotYetValid",
                        new Object[] {new TrustedInput(cert.getNotBefore())});
                addError(msg,index);
            }
            catch (CertificateExpiredException cee)
            {
                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateExpired",
                        new Object[] {new TrustedInput(cert.getNotAfter())});
                addError(msg,index);
            }

            // certificate revoked?
            if (pkixParams.isRevocationEnabled())
View Full Code Here
TOP

Related Classes of org.bouncycastle.i18n.filter.TrustedInput

  • org.bouncycastle.mail.smime.validator.SignedMailValidator
  • org.bouncycastle.x509.PKIXCertPathReviewer
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.