001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017:
018: /**
019: * @author Alexander Y. Kleymenov
020: * @version $Revision$
021: */package org.apache.harmony.security.provider.cert;
022:
023: import java.io.IOException;
024: import java.io.InputStream;
025: import java.math.BigInteger;
026: import java.security.InvalidKeyException;
027: import java.security.NoSuchAlgorithmException;
028: import java.security.NoSuchProviderException;
029: import java.security.Principal;
030: import java.security.PublicKey;
031: import java.security.Signature;
032: import java.security.SignatureException;
033: import java.security.cert.CRLException;
034: import java.security.cert.Certificate;
035: import java.security.cert.X509CRL;
036: import java.security.cert.X509CRLEntry;
037: import java.security.cert.X509Certificate;
038: import java.util.ArrayList;
039: import java.util.Date;
040: import java.util.HashSet;
041: import java.util.List;
042: import java.util.Set;
043:
044: import javax.security.auth.x500.X500Principal;
045:
046: import org.apache.harmony.security.internal.nls.Messages;
047: import org.apache.harmony.security.utils.AlgNameMapper;
048: import org.apache.harmony.security.x509.CertificateList;
049: import org.apache.harmony.security.x509.Extension;
050: import org.apache.harmony.security.x509.Extensions;
051: import org.apache.harmony.security.x509.TBSCertList;
052:
053: /**
054: * This class is an implementation of X509CRL. It wraps
055: * the instance of org.apache.harmony.security.x509.CertificateList
056: * built on the base of provided ASN.1 DER encoded form of
057: * CertificateList structure (as specified in RFC 3280
058: * http://www.ietf.org/rfc/rfc3280.txt).
059: * Implementation supports work with indirect CRLs.
060: * @see org.apache.harmony.security.x509.CertificateList
061: * @see java.security.cert.X509CRL
062: */
063: public class X509CRLImpl extends X509CRL {
064:
065: // the core object to be wrapped in X509CRL
066: private final CertificateList crl;
067:
068: // To speed up access to the info, the following fields
069: // cache values retrieved from the CertificateList object
070: private final TBSCertList tbsCertList;
071: private byte[] tbsCertListEncoding;
072: private final Extensions extensions;
073: private X500Principal issuer;
074: private ArrayList entries;
075: private int entriesSize;
076: private byte[] signature;
077: private String sigAlgOID;
078: private String sigAlgName;
079: private byte[] sigAlgParams;
080:
081: // encoded form of crl
082: private byte[] encoding;
083:
084: // indicates whether the signature algorithm parameters are null
085: private boolean nullSigAlgParams;
086: // indicates whether the crl entries have already been retrieved
087: // from CertificateList object (crl)
088: private boolean entriesRetrieved;
089:
090: // indicates whether this X.509 CRL is direct or indirect
091: // (see rfc 3280 http://www.ietf.org/rfc/rfc3280.txt, p 5.)
092: private boolean isIndirectCRL;
093: // if crl is indirect, this field holds an info about how
094: // many of the leading certificates in the list are issued
095: // by the same issuer as CRL.
096: private int nonIndirectEntriesSize;
097:
098: /**
099: * Creates X.509 CRL by wrapping of the specified CertificateList object.
100: */
101: public X509CRLImpl(CertificateList crl) {
102: this .crl = crl;
103: this .tbsCertList = crl.getTbsCertList();
104: this .extensions = tbsCertList.getCrlExtensions();
105: }
106:
107: /**
108: * Creates X.509 CRL on the base of ASN.1 DER encoded form of
109: * the CRL (CertificateList structure described in RFC 3280)
110: * provided via input stream.
111: * @throws CRLException if decoding errors occur.
112: */
113: public X509CRLImpl(InputStream in) throws CRLException {
114: try {
115: // decode CertificateList structure
116: this .crl = (CertificateList) CertificateList.ASN1
117: .decode(in);
118: this .tbsCertList = crl.getTbsCertList();
119: this .extensions = tbsCertList.getCrlExtensions();
120: } catch (IOException e) {
121: throw new CRLException(e);
122: }
123: }
124:
125: /**
126: * Creates X.509 CRL on the base of ASN.1 DER encoded form of
127: * the CRL (CertificateList structure described in RFC 3280)
128: * provided via array of bytes.
129: * @throws IOException if decoding errors occur.
130: */
131: public X509CRLImpl(byte[] encoding) throws IOException {
132: this ((CertificateList) CertificateList.ASN1.decode(encoding));
133: }
134:
135: // ---------------------------------------------------------------------
136: // ----- java.security.cert.X509CRL abstract method implementations ----
137: // ---------------------------------------------------------------------
138:
139: /**
140: * @see java.security.cert.X509CRL#getEncoded()
141: * method documentation for more info
142: */
143: public byte[] getEncoded() throws CRLException {
144: if (encoding == null) {
145: encoding = crl.getEncoded();
146: }
147: byte[] result = new byte[encoding.length];
148: System.arraycopy(encoding, 0, result, 0, encoding.length);
149: return result;
150: }
151:
152: /**
153: * @see java.security.cert.X509CRL#getVersion()
154: * method documentation for more info
155: */
156: public int getVersion() {
157: return tbsCertList.getVersion();
158: }
159:
160: /**
161: * @see java.security.cert.X509CRL#getIssuerDN()
162: * method documentation for more info
163: */
164: public Principal getIssuerDN() {
165: if (issuer == null) {
166: issuer = tbsCertList.getIssuer().getX500Principal();
167: }
168: return issuer;
169: }
170:
171: /**
172: * @see java.security.cert.X509CRL#getIssuerX500Principal()
173: * method documentation for more info
174: */
175: public X500Principal getIssuerX500Principal() {
176: if (issuer == null) {
177: issuer = tbsCertList.getIssuer().getX500Principal();
178: }
179: return issuer;
180: }
181:
182: /**
183: * @see java.security.cert.X509CRL#getThisUpdate()
184: * method documentation for more info
185: */
186: public Date getThisUpdate() {
187: return tbsCertList.getThisUpdate();
188: }
189:
190: /**
191: * @see java.security.cert.X509CRL#getNextUpdate()
192: * method documentation for more info
193: */
194: public Date getNextUpdate() {
195: return tbsCertList.getNextUpdate();
196: }
197:
198: /*
199: * Retrieves the crl entries (TBSCertList.RevokedCertificate objects)
200: * from the TBSCertList structure and converts them to the
201: * X509CRLEntryImpl objects
202: */
203: private void retrieveEntries() {
204: entriesRetrieved = true;
205: List rcerts = tbsCertList.getRevokedCertificates();
206: if (rcerts == null) {
207: return;
208: }
209: entriesSize = rcerts.size();
210: entries = new ArrayList(entriesSize);
211: // null means that revoked certificate issuer is the same as CRL issuer
212: X500Principal rcertIssuer = null;
213: for (int i = 0; i < entriesSize; i++) {
214: TBSCertList.RevokedCertificate rcert = (TBSCertList.RevokedCertificate) rcerts
215: .get(i);
216: X500Principal iss = rcert.getIssuer();
217: if (iss != null) {
218: // certificate issuer differs from CRL issuer
219: // and CRL is indirect.
220: rcertIssuer = iss;
221: isIndirectCRL = true;
222: // remember how many leading revoked certificates in the
223: // list are issued by the same issuer as issuer of CRL
224: // (these certificates are first in the list)
225: nonIndirectEntriesSize = i;
226: }
227: entries.add(new X509CRLEntryImpl(rcert, rcertIssuer));
228: }
229: }
230:
231: /**
232: * Searches for certificate in CRL.
233: * This method supports indirect CRLs: if CRL is indirect method takes
234: * into account serial number and issuer of the certificate,
235: * if CRL issued by CA (i.e. it is not indirect) search is done only
236: * by serial number of the specified certificate.
237: * @see java.security.cert.X509CRL#getRevokedCertificate(X509Certificate)
238: * method documentation for more info
239: */
240: public X509CRLEntry getRevokedCertificate(
241: X509Certificate certificate) {
242: if (certificate == null) {
243: throw new NullPointerException();
244: }
245: if (!entriesRetrieved) {
246: retrieveEntries();
247: }
248: if (entries == null) {
249: return null;
250: }
251: BigInteger serialN = certificate.getSerialNumber();
252: if (isIndirectCRL) {
253: // search in indirect crl
254: X500Principal certIssuer = certificate
255: .getIssuerX500Principal();
256: if (certIssuer.equals(getIssuerX500Principal())) {
257: // certificate issuer is CRL issuer
258: certIssuer = null;
259: }
260: for (int i = 0; i < entriesSize; i++) {
261: X509CRLEntry entry = (X509CRLEntry) entries.get(i);
262: // check the serial number of revoked certificate
263: if (serialN.equals(entry.getSerialNumber())) {
264: // revoked certificate issuer
265: X500Principal iss = entry.getCertificateIssuer();
266: // check the issuer of revoked certificate
267: if (certIssuer != null) {
268: // certificate issuer is not a CRL issuer, so
269: // check issuers for equality
270: if (certIssuer.equals(iss)) {
271: return entry;
272: }
273: } else if (iss == null) {
274: // both certificates was issued by CRL issuer
275: return entry;
276: }
277: }
278: }
279: } else {
280: // search in CA's (non indirect) crl: just look up the serial number
281: for (int i = 0; i < entriesSize; i++) {
282: X509CRLEntry entry = (X509CRLEntry) entries.get(i);
283: if (serialN.equals(entry.getSerialNumber())) {
284: return entry;
285: }
286: }
287: }
288: return null;
289: }
290:
291: /**
292: * Method searches for CRL entry with specified serial number.
293: * The method will search only certificate issued by CRL's issuer.
294: * @see java.security.cert.X509CRL#getRevokedCertificate(BigInteger)
295: * method documentation for more info
296: */
297: public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
298: if (!entriesRetrieved) {
299: retrieveEntries();
300: }
301: if (entries == null) {
302: return null;
303: }
304: for (int i = 0; i < nonIndirectEntriesSize; i++) {
305: X509CRLEntry entry = (X509CRLEntry) entries.get(i);
306: if (serialNumber.equals(entry.getSerialNumber())) {
307: return entry;
308: }
309: }
310: return null;
311: }
312:
313: /**
314: * @see java.security.cert.X509CRL#getRevokedCertificates()
315: * method documentation for more info
316: */
317: public Set<? extends X509CRLEntry> getRevokedCertificates() {
318: if (!entriesRetrieved) {
319: retrieveEntries();
320: }
321: if (entries == null) {
322: return null;
323: }
324: return new HashSet(entries);
325: }
326:
327: /**
328: * @see java.security.cert.X509CRL#getTBSCertList()
329: * method documentation for more info
330: */
331: public byte[] getTBSCertList() throws CRLException {
332: if (tbsCertListEncoding == null) {
333: tbsCertListEncoding = tbsCertList.getEncoded();
334: }
335: byte[] result = new byte[tbsCertListEncoding.length];
336: System.arraycopy(tbsCertListEncoding, 0, result, 0,
337: tbsCertListEncoding.length);
338: return result;
339: }
340:
341: /**
342: * @see java.security.cert.X509CRL#getSignature()
343: * method documentation for more info
344: */
345: public byte[] getSignature() {
346: if (signature == null) {
347: signature = crl.getSignatureValue();
348: }
349: byte[] result = new byte[signature.length];
350: System.arraycopy(signature, 0, result, 0, signature.length);
351: return result;
352: }
353:
354: /**
355: * @see java.security.cert.X509CRL#getSigAlgName()
356: * method documentation for more info
357: */
358: public String getSigAlgName() {
359: if (sigAlgOID == null) {
360: sigAlgOID = tbsCertList.getSignature().getAlgorithm();
361: sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID);
362: if (sigAlgName == null) {
363: sigAlgName = sigAlgOID;
364: }
365: }
366: return sigAlgName;
367: }
368:
369: /**
370: * @see java.security.cert.X509CRL#getSigAlgOID()
371: * method documentation for more info
372: */
373: public String getSigAlgOID() {
374: if (sigAlgOID == null) {
375: sigAlgOID = tbsCertList.getSignature().getAlgorithm();
376: sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID);
377: if (sigAlgName == null) {
378: sigAlgName = sigAlgOID;
379: }
380: }
381: return sigAlgOID;
382: }
383:
384: /**
385: * @see java.security.cert.X509CRL#getSigAlgParams()
386: * method documentation for more info
387: */
388: public byte[] getSigAlgParams() {
389: if (nullSigAlgParams) {
390: return null;
391: }
392: if (sigAlgParams == null) {
393: sigAlgParams = tbsCertList.getSignature().getParameters();
394: if (sigAlgParams == null) {
395: nullSigAlgParams = true;
396: return null;
397: }
398: }
399: return sigAlgParams;
400: }
401:
402: /**
403: * @see java.security.cert.X509CRL#verify(PublicKey key)
404: * method documentation for more info
405: */
406: public void verify(PublicKey key) throws CRLException,
407: NoSuchAlgorithmException, InvalidKeyException,
408: NoSuchProviderException, SignatureException {
409: Signature signature = Signature.getInstance(getSigAlgName());
410: signature.initVerify(key);
411: byte[] tbsEncoding = tbsCertList.getEncoded();
412: signature.update(tbsEncoding, 0, tbsEncoding.length);
413: if (!signature.verify(crl.getSignatureValue())) {
414: throw new SignatureException(Messages
415: .getString("security.15C")); //$NON-NLS-1$
416: }
417: }
418:
419: /**
420: * @see java.security.cert.X509CRL#verify(PublicKey key, String sigProvider)
421: * method documentation for more info
422: */
423: public void verify(PublicKey key, String sigProvider)
424: throws CRLException, NoSuchAlgorithmException,
425: InvalidKeyException, NoSuchProviderException,
426: SignatureException {
427: Signature signature = Signature.getInstance(getSigAlgName(),
428: sigProvider);
429: signature.initVerify(key);
430: byte[] tbsEncoding = tbsCertList.getEncoded();
431: signature.update(tbsEncoding, 0, tbsEncoding.length);
432: if (!signature.verify(crl.getSignatureValue())) {
433: throw new SignatureException(Messages
434: .getString("security.15C")); //$NON-NLS-1$
435: }
436: }
437:
438: // ---------------------------------------------------------------------
439: // ------ java.security.cert.CRL abstract method implementations -------
440: // ---------------------------------------------------------------------
441:
442: /**
443: * @see java.security.cert.CRL#isRevoked(Certificate)
444: * method documentation for more info
445: */
446: public boolean isRevoked(Certificate cert) {
447: if (!(cert instanceof X509Certificate)) {
448: return false;
449: }
450: return getRevokedCertificate((X509Certificate) cert) != null;
451: }
452:
453: /**
454: * @see java.security.cert.CRL#toString()
455: * method documentation for more info
456: */
457: public String toString() {
458: return crl.toString();
459: }
460:
461: // ---------------------------------------------------------------------
462: // ------ java.security.cert.X509Extension method implementations ------
463: // ---------------------------------------------------------------------
464:
465: /**
466: * @see java.security.cert.X509Extension#getNonCriticalExtensionOIDs()
467: * method documentation for more info
468: */
469: public Set getNonCriticalExtensionOIDs() {
470: if (extensions == null) {
471: return null;
472: }
473: return extensions.getNonCriticalExtensions();
474: }
475:
476: /**
477: * @see java.security.cert.X509Extension#getCriticalExtensionOIDs()
478: * method documentation for more info
479: */
480: public Set getCriticalExtensionOIDs() {
481: if (extensions == null) {
482: return null;
483: }
484: return extensions.getCriticalExtensions();
485: }
486:
487: /**
488: * @see java.security.cert.X509Extension#getExtensionValue(String)
489: * method documentation for more info
490: */
491: public byte[] getExtensionValue(String oid) {
492: if (extensions == null) {
493: return null;
494: }
495: Extension ext = extensions.getExtensionByOID(oid);
496: return (ext == null) ? null : ext.getRawExtnValue();
497: }
498:
499: /**
500: * @see java.security.cert.X509Extension#hasUnsupportedCriticalExtension()
501: * method documentation for more info
502: */
503: public boolean hasUnsupportedCriticalExtension() {
504: if (extensions == null) {
505: return false;
506: }
507: return extensions.hasUnsupportedCritical();
508: }
509: }
|