/*
* This file is modified by Ivan Maidanski <ivmai@ivmaisoft.com>
* Project name: JCGO (http://www.ivmaisoft.com/jcgo/)
* Class root location: $(JCGO)/goclsp/clsp_fix
* Origin: GNU Classpath v0.93
*/
/* X509CRL.java -- X.509 certificate revocation list.
Copyright (C) 2003, 2004 Free Software Foundation, Inc.
This file is part of GNU Classpath.
GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with GNU Classpath; see the file COPYING. If not, write to the
Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
Linking this library statically or dynamically with other modules is
making a combined work based on this library. Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.
As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from
or based on this library. If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so. If you do not wish to do so, delete this
exception statement from your version. */
package gnu.java.security.x509;
import gnu.java.security.Configuration;
import gnu.java.security.OID;
import gnu.java.security.der.BitString;
import gnu.java.security.der.DER;
import gnu.java.security.der.DERReader;
import gnu.java.security.der.DERValue;
import gnu.java.security.x509.ext.Extension;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
/**
* X.509 certificate revocation lists.
*
* @author Casey Marshall (rsdio@metastatic.org)
*/
public class X509CRL extends java.security.cert.X509CRL
implements GnuPKIExtension
{
private static final Logger log =
Configuration.DEBUG ? Logger.getLogger(X509CRL.class.getName()) : null;
private static final OID ID_DSA = new OID("1.2.840.10040.4.1");
private static final OID ID_DSA_WITH_SHA1 = new OID("1.2.840.10040.4.3");
private static final OID ID_RSA = new OID("1.2.840.113549.1.1.1");
private static final OID ID_RSA_WITH_MD2 = new OID("1.2.840.113549.1.1.2");
private static final OID ID_RSA_WITH_MD5 = new OID("1.2.840.113549.1.1.4");
private static final OID ID_RSA_WITH_SHA1 = new OID("1.2.840.113549.1.1.5");
private byte[] encoded;
private byte[] tbsCRLBytes;
private int version;
private OID algId;
private byte[] algParams;
private Date thisUpdate;
private Date nextUpdate;
private X500DistinguishedName issuerDN;
private HashMap revokedCerts;
private HashMap extensions;
private OID sigAlg;
private byte[] sigAlgParams;
private byte[] rawSig;
private byte[] signature;
// Constructors.
// ------------------------------------------------------------------------
/**
* Create a new X.509 CRL.
*
* @param encoded The DER encoded CRL.
* @throws CRLException If the input bytes are incorrect.
* @throws IOException If the input bytes cannot be read.
*/
public X509CRL(InputStream encoded) throws CRLException, IOException
{
super();
revokedCerts = new HashMap();
extensions = new HashMap();
try
{
parse(encoded);
}
catch (IOException ioe)
{
ioe.printStackTrace();
throw ioe;
}
catch (Exception x)
{
x.printStackTrace();
throw new CRLException(x.toString());
}
}
// X509CRL methods.
// ------------------------------------------------------------------------
public boolean equals(Object o)
{
if (!(o instanceof X509CRL))
return false;
return ((X509CRL) o).getRevokedCertificates().equals(revokedCerts.values());
}
public int hashCode()
{
return revokedCerts.hashCode();
}
public byte[] getEncoded() throws CRLException
{
return (byte[]) encoded.clone();
}
public void verify(PublicKey key)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
NoSuchProviderException, SignatureException
{
Signature sig = Signature.getInstance(sigAlg.toString());
doVerify(sig, key);
}
public void verify(PublicKey key, String provider)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
NoSuchProviderException, SignatureException
{
Signature sig = Signature.getInstance(sigAlg.toString(), provider);
doVerify(sig, key);
}
public int getVersion()
{
return version;
}
public Principal getIssuerDN()
{
return issuerDN;
}
public X500Principal getIssuerX500Principal()
{
return new X500Principal(issuerDN.getDer());
}
public Date getThisUpdate()
{
return (Date) thisUpdate.clone();
}
public Date getNextUpdate()
{
if (nextUpdate != null)
return (Date) nextUpdate.clone();
return null;
}
public java.security.cert.X509CRLEntry getRevokedCertificate(BigInteger serialNo)
{
return (java.security.cert.X509CRLEntry) revokedCerts.get(serialNo);
}
public Set getRevokedCertificates()
{
return Collections.unmodifiableSet(new HashSet(revokedCerts.values()));
}
public byte[] getTBSCertList() throws CRLException
{
return (byte[]) tbsCRLBytes.clone();
}
public byte[] getSignature()
{
return (byte[]) rawSig.clone();
}
public String getSigAlgName()
{
if (sigAlg.equals(ID_DSA_WITH_SHA1))
return "SHA1withDSA";
if (sigAlg.equals(ID_RSA_WITH_MD2))
return "MD2withRSA";
if (sigAlg.equals(ID_RSA_WITH_MD5))
return "MD5withRSA";
if (sigAlg.equals(ID_RSA_WITH_SHA1))
return "SHA1withRSA";
return "unknown";
}
public String getSigAlgOID()
{
return sigAlg.toString();
}
public byte[] getSigAlgParams()
{
if (sigAlgParams != null)
return (byte[]) sigAlgParams.clone();
return null;
}
// X509Extension methods.
// ------------------------------------------------------------------------
public boolean hasUnsupportedCriticalExtension()
{
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (e.isCritical() && !e.isSupported())
return true;
}
return false;
}
public Set getCriticalExtensionOIDs()
{
HashSet s = new HashSet();
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (e.isCritical())
s.add(e.getOid().toString());
}
return Collections.unmodifiableSet(s);
}
public Set getNonCriticalExtensionOIDs()
{
HashSet s = new HashSet();
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (!e.isCritical())
s.add(e.getOid().toString());
}
return Collections.unmodifiableSet(s);
}
public byte[] getExtensionValue(String oid)
{
Extension e = getExtension(new OID(oid));
if (e != null)
{
return e.getValue().getEncoded();
}
return null;
}
// GnuPKIExtension method.
// -------------------------------------------------------------------------
public Extension getExtension(OID oid)
{
return (Extension) extensions.get(oid);
}
public Collection getExtensions()
{
return extensions.values();
}
// CRL methods.
// -------------------------------------------------------------------------
public String toString()
{
return X509CRL.class.getName();
}
public boolean isRevoked(Certificate cert)
{
if (!(cert instanceof java.security.cert.X509Certificate))
throw new IllegalArgumentException("not a X.509 certificate");
BigInteger certSerial =
((java.security.cert.X509Certificate) cert).getSerialNumber();
X509CRLEntry ent = (X509CRLEntry) revokedCerts.get(certSerial);
if (ent == null)
return false;
return ent.getRevocationDate().compareTo(new Date()) < 0;
}
// Own methods.
// ------------------------------------------------------------------------
private void doVerify(Signature sig, PublicKey key)
throws CRLException, InvalidKeyException, SignatureException
{
sig.initVerify(key);
sig.update(tbsCRLBytes);
if (!sig.verify(signature))
throw new CRLException("signature not verified");
}
private void parse(InputStream in) throws Exception
{
// CertificateList ::= SEQUENCE {
DERReader der = new DERReader(in);
DERValue val = der.read();
if (Configuration.DEBUG)
log.fine("start CertificateList len == " + val.getLength());
if (!val.isConstructed())
throw new IOException("malformed CertificateList");
encoded = val.getEncoded();
// tbsCertList ::= SEQUENCE { -- TBSCertList
val = der.read();
if (!val.isConstructed())
throw new IOException("malformed TBSCertList");
if (Configuration.DEBUG)
log.fine("start tbsCertList len == " + val.getLength());
tbsCRLBytes = val.getEncoded();
// version Version OPTIONAL,
// -- If present must be v2
val = der.read();
if (val.getValue() instanceof BigInteger)
{
version = ((BigInteger) val.getValue()).intValue() + 1;
val = der.read();
}
else
version = 1;
if (Configuration.DEBUG)
log.fine("read version == " + version);
// signature AlgorithmIdentifier,
if (Configuration.DEBUG)
log.fine("start AlgorithmIdentifier len == " + val.getLength());
if (!val.isConstructed())
throw new IOException("malformed AlgorithmIdentifier");
DERValue algIdVal = der.read();
algId = (OID) algIdVal.getValue();
if (Configuration.DEBUG)
log.fine("read object identifier == " + algId);
if (val.getLength() > algIdVal.getEncodedLength())
{
val = der.read();
if (Configuration.DEBUG)
log.fine("read parameters len == " + val.getEncodedLength());
algParams = val.getEncoded();
if (val.isConstructed())
in.skip(val.getLength());
}
// issuer Name,
val = der.read();
issuerDN = new X500DistinguishedName(val.getEncoded());
der.skip(val.getLength());
if (Configuration.DEBUG)
log.fine("read issuer == " + issuerDN);
// thisUpdate Time,
thisUpdate = (Date) der.read().getValue();
if (Configuration.DEBUG)
log.fine("read thisUpdate == " + thisUpdate);
// nextUpdate Time OPTIONAL,
val = der.read();
if (val.getValue() instanceof Date)
{
nextUpdate = (Date) val.getValue();
if (Configuration.DEBUG)
log.fine("read nextUpdate == " + nextUpdate);
val = der.read();
}
// revokedCertificates SEQUENCE OF SEQUENCE {
// -- X509CRLEntry objects...
// } OPTIONAL,
if (val.getTag() != 0)
{
int len = 0;
while (len < val.getLength())
{
X509CRLEntry entry = new X509CRLEntry(version, der);
revokedCerts.put(entry.getSerialNumber(), entry);
len += entry.getEncoded().length;
}
val = der.read();
}
// crlExtensions [0] EXPLICIT Extensions OPTIONAL
// -- if present MUST be v2
if (val.getTagClass() != DER.UNIVERSAL && val.getTag() == 0)
{
if (version < 2)
throw new IOException("extra data in CRL");
DERValue exts = der.read();
if (!exts.isConstructed())
throw new IOException("malformed Extensions");
if (Configuration.DEBUG)
log.fine("start Extensions len == " + exts.getLength());
int len = 0;
while (len < exts.getLength())
{
DERValue ext = der.read();
if (!ext.isConstructed())
throw new IOException("malformed Extension");
Extension e = new Extension(ext.getEncoded());
extensions.put(e.getOid(), e);
der.skip(ext.getLength());
len += ext.getEncodedLength();
if (Configuration.DEBUG)
log.fine("current count == " + len);
}
val = der.read();
}
if (Configuration.DEBUG)
log.fine("read tag == " + val.getTag());
if (!val.isConstructed())
throw new IOException("malformed AlgorithmIdentifier");
if (Configuration.DEBUG)
log.fine("start AlgorithmIdentifier len == " + val.getLength());
DERValue sigAlgVal = der.read();
if (Configuration.DEBUG)
log.fine("read tag == " + sigAlgVal.getTag());
if (sigAlgVal.getTag() != DER.OBJECT_IDENTIFIER)
throw new IOException("malformed AlgorithmIdentifier");
sigAlg = (OID) sigAlgVal.getValue();
if (Configuration.DEBUG)
{
log.fine("signature id == " + sigAlg);
log.fine("sigAlgVal length == " + sigAlgVal.getEncodedLength());
}
if (val.getLength() > sigAlgVal.getEncodedLength())
{
val = der.read();
if (Configuration.DEBUG)
log.fine("sig params tag = " + val.getTag() + " len == "
+ val.getEncodedLength());
sigAlgParams = (byte[]) val.getEncoded();
if (val.isConstructed())
in.skip(val.getLength());
}
val = der.read();
if (Configuration.DEBUG)
log.fine("read tag = " + val.getTag());
rawSig = val.getEncoded();
signature = ((BitString) val.getValue()).toByteArray();
}
}