eu.emi.security.authn.x509.helpers.pkipath.bc

Class CertPathValidatorUtilitiesCanl

java.lang.Object

eu.emi.security.authn.x509.helpers.pkipath.bc.CertPathValidatorUtilitiesCanl

public class CertPathValidatorUtilitiesCanl
extends Object

Exposes otherwise hidden methods from CertPathValidatorUtilitiesCanl plus in some cases fixes bugs plus produces errors in the desired format.

Author:

K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
protected static String	ANY_POLICY
protected static String	AUTHORITY_KEY_IDENTIFIER
protected static String	BASIC_CONSTRAINTS
protected static String	CERTIFICATE_POLICIES
protected static String	CRL_DISTRIBUTION_POINTS
protected static String	CRL_NUMBER
protected static int	CRL_SIGN
protected static eu.emi.security.authn.x509.helpers.pkipath.bc.PKIXCRLUtil	CRL_UTIL
protected static String[]	crlReasons
protected static String	DELTA_CRL_INDICATOR
protected static String	FRESHEST_CRL
protected static String	INHIBIT_ANY_POLICY
protected static String	ISSUING_DISTRIBUTION_POINT
protected static int	KEY_CERT_SIGN
protected static String	KEY_USAGE
protected static String	NAME_CONSTRAINTS
protected static String	POLICY_CONSTRAINTS
protected static String	POLICY_MAPPINGS
protected static String	SUBJECT_ALTERNATIVE_NAME

Constructor Summary

Constructors

Constructor and Description
CertPathValidatorUtilitiesCanl()

Method Summary

Modifier and Type	Method and Description
protected static Collection	findCertificates(PKIXCertStoreSelector certSelect, List certStores) Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.
static Collection<?>	findIssuerCerts(X509Certificate cert, PKIXExtendedBuilderParameters pkixParams)
protected static TrustAnchor	findTrustAnchor(X509Certificate cert, Set trustAnchors) Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
protected static TrustAnchor	findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider) Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
static TrustAnchor	findTrustAnchorPublic(X509Certificate cert, Set<?> trustAnchors, String sigProvider)
protected static List<PKIXCRLStore>	getAdditionalStoresFromCRLDistributionPoint(CRLDistPoint crldp, PKIXExtendedBuilderParameters pkixParams)
protected static AlgorithmIdentifier	getAlgorithmIdentifier(PublicKey key)
protected static void	getCertStatus(Date validDate, X509CRL crl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
protected static Set	getCompleteCRLs(DistributionPoint dp, Object cert, Date currentDate, PKIXExtendedParameters paramsPKIX) As CertPathValidatorUtilities.getCompleteCRLs(DistributionPoint, Object, Date, PKIXExtendedParameters) but it returns also expired CRLs.
protected static Set<?>	getCompleteCRLs2(DistributionPoint dp, X509Certificate cert, Date currentDate, PKIXExtendedParameters paramsPKIX)
protected static void	getCRLIssuersFromDistributionPoint(DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector) Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of the selector.
protected static Set	getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<PKIXCRLStore> pkixCrlStores) Fetches delta CRLs according to RFC 3280 section 5.2.4.
protected static Set<X509CRL>	getDeltaCRLs2(Date currentDate, PKIXExtendedParameters paramsPKIX, X509CRL completeCRL) Fetches delta CRLs according to RFC 3280 section 5.2.4.
protected static ASN1Primitive	getExtensionValue(X509Extension ext, String oid)
protected static PublicKey	getNextWorkingKey(List certs, int index, JcaJceHelper helper) Return the next working key inheriting DSA parameters if necessary.
protected static Set	getQualifierSet(ASN1Sequence qualifiers)
static BigInteger	getSerialNumber(Object cert)
protected static Date	getValidCertDateFromValidityModel(PKIXExtendedParameters paramsPKIX, CertPath certPath, int index)
protected static Date	getValidDate(PKIXExtendedParameters paramsPKIX)
protected static boolean	isAnyPolicy(Set policySet)
protected static boolean	isSelfIssued(X509Certificate cert)
protected static void	prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert)
protected static PKIXPolicyNode	prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)
protected static boolean	processCertD1i(int index, List[] policyNodes, ASN1ObjectIdentifier pOid, Set pq)
protected static void	processCertD1ii(int index, List[] policyNodes, ASN1ObjectIdentifier _poid, Set _pq)
protected static PKIXPolicyNode	removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)
protected static void	verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CRL_UTIL

protected static final eu.emi.security.authn.x509.helpers.pkipath.bc.PKIXCRLUtil CRL_UTIL

CERTIFICATE_POLICIES

protected static final String CERTIFICATE_POLICIES

BASIC_CONSTRAINTS

protected static final String BASIC_CONSTRAINTS

POLICY_MAPPINGS

protected static final String POLICY_MAPPINGS

SUBJECT_ALTERNATIVE_NAME

protected static final String SUBJECT_ALTERNATIVE_NAME

NAME_CONSTRAINTS

protected static final String NAME_CONSTRAINTS

KEY_USAGE

protected static final String KEY_USAGE

INHIBIT_ANY_POLICY

protected static final String INHIBIT_ANY_POLICY

ISSUING_DISTRIBUTION_POINT

protected static final String ISSUING_DISTRIBUTION_POINT

DELTA_CRL_INDICATOR

protected static final String DELTA_CRL_INDICATOR

POLICY_CONSTRAINTS

protected static final String POLICY_CONSTRAINTS

FRESHEST_CRL

protected static final String FRESHEST_CRL

CRL_DISTRIBUTION_POINTS

protected static final String CRL_DISTRIBUTION_POINTS

AUTHORITY_KEY_IDENTIFIER

protected static final String AUTHORITY_KEY_IDENTIFIER

ANY_POLICY

protected static final String ANY_POLICY

See Also:

Constant Field Values

CRL_NUMBER

protected static final String CRL_NUMBER

KEY_CERT_SIGN

protected static final int KEY_CERT_SIGN

See Also:

Constant Field Values

CRL_SIGN

protected static final int CRL_SIGN

See Also:

Constant Field Values

crlReasons

protected static final String[] crlReasons

Constructor Detail

CertPathValidatorUtilitiesCanl

public CertPathValidatorUtilitiesCanl()

Method Detail

findTrustAnchorPublic

public static TrustAnchor findTrustAnchorPublic(X509Certificate cert,
                                                Set<?> trustAnchors,
                                                String sigProvider)
                                         throws AnnotatedException

Throws:

AnnotatedException

findIssuerCerts

public static Collection<?> findIssuerCerts(X509Certificate cert,
                                            PKIXExtendedBuilderParameters pkixParams)
                                     throws AnnotatedException

Throws:

AnnotatedException

getCompleteCRLs2

protected static Set<?> getCompleteCRLs2(DistributionPoint dp,
                                         X509Certificate cert,
                                         Date currentDate,
                                         PKIXExtendedParameters paramsPKIX)
                                  throws SimpleValidationErrorException

Throws:

SimpleValidationErrorException

getCompleteCRLs

protected static Set getCompleteCRLs(DistributionPoint dp,
                                     Object cert,
                                     Date currentDate,
                                     PKIXExtendedParameters paramsPKIX)
                              throws AnnotatedException

As CertPathValidatorUtilities.getCompleteCRLs(DistributionPoint, Object, Date, PKIXExtendedParameters) but it returns also expired CRLs.

Parameters:

dp -

cert -

currentDate -

paramsPKIX -

Returns:

A Set of X509CRLs.

Throws:

AnnotatedException

getDeltaCRLs2

protected static Set<X509CRL> getDeltaCRLs2(Date currentDate,
                                            PKIXExtendedParameters paramsPKIX,
                                            X509CRL completeCRL)
                                     throws SimpleValidationErrorException

Fetches delta CRLs according to RFC 3280 section 5.2.4.

Parameters:

currentDate - The date for which the delta CRLs must be valid.

paramsPKIX - The extended PKIX parameters.

completeCRL - The complete CRL the delta CRL is for.

Returns:

A Set of X509CRLs with delta CRLs.

Throws:

SimpleValidationErrorException - if an exception occurs while picking the delta CRLs.

getExtensionValue

protected static ASN1Primitive getExtensionValue(X509Extension ext,
                                                 String oid)
                                          throws AnnotatedException

Throws:

AnnotatedException

getAdditionalStoresFromCRLDistributionPoint

protected static List<PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(CRLDistPoint crldp,
                                                                                PKIXExtendedBuilderParameters pkixParams)
                                                                         throws AnnotatedException

Throws:

AnnotatedException

getSerialNumber

public static BigInteger getSerialNumber(Object cert)

findTrustAnchor

protected static TrustAnchor findTrustAnchor(X509Certificate cert,
                                             Set trustAnchors)
                                      throws AnnotatedException

Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.

Parameters:

cert - the X509 certificate

trustAnchors - a Set of TrustAnchor's

Returns:

the TrustAnchor object if found or null if not.

Throws:

AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

findTrustAnchor

protected static TrustAnchor findTrustAnchor(X509Certificate cert,
                                             Set trustAnchors,
                                             String sigProvider)
                                      throws AnnotatedException

Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if null.

Parameters:

cert - the X509 certificate

trustAnchors - a Set of TrustAnchor's

sigProvider - the provider to use for signature verification

Returns:

the TrustAnchor object if found or null if not.

Throws:

AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

getValidDate

protected static Date getValidDate(PKIXExtendedParameters paramsPKIX)

isSelfIssued

protected static boolean isSelfIssued(X509Certificate cert)

getAlgorithmIdentifier

protected static AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key)
                                                     throws CertPathValidatorException

Throws:

CertPathValidatorException

getQualifierSet

protected static final Set getQualifierSet(ASN1Sequence qualifiers)
                                    throws CertPathValidatorException

Throws:

CertPathValidatorException

removePolicyNode

protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree,
                                                 List[] policyNodes,
                                                 PKIXPolicyNode _node)

processCertD1i

protected static boolean processCertD1i(int index,
                                        List[] policyNodes,
                                        ASN1ObjectIdentifier pOid,
                                        Set pq)

processCertD1ii

protected static void processCertD1ii(int index,
                                      List[] policyNodes,
                                      ASN1ObjectIdentifier _poid,
                                      Set _pq)

prepareNextCertB1

protected static void prepareNextCertB1(int i,
                                        List[] policyNodes,
                                        String id_p,
                                        Map m_idp,
                                        X509Certificate cert)
                                 throws AnnotatedException,
                                        CertPathValidatorException

Throws:

AnnotatedException

CertPathValidatorException

prepareNextCertB2

protected static PKIXPolicyNode prepareNextCertB2(int i,
                                                  List[] policyNodes,
                                                  String id_p,
                                                  PKIXPolicyNode validPolicyTree)

isAnyPolicy

protected static boolean isAnyPolicy(Set policySet)

findCertificates

protected static Collection findCertificates(PKIXCertStoreSelector certSelect,
                                             List certStores)
                                      throws AnnotatedException

Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.

Parameters:

certSelect - a Selector object that will be used to select the certificates

certStores - a List containing only Store objects. These are used to search for certificates.

Returns:

a Collection of all found X509Certificate May be empty but never null.

Throws:

AnnotatedException - annotated exception

getCRLIssuersFromDistributionPoint

protected static void getCRLIssuersFromDistributionPoint(DistributionPoint dp,
                                                         Collection issuerPrincipals,
                                                         X509CRLSelector selector)
                                                  throws AnnotatedException

Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of the selector.

The issuerPrincipals are a collection with a single X500Name for X509Certificates.

Parameters:

dp - The distribution point.

issuerPrincipals - The issuers of the certificate or attribute certificate which contains the distribution point.

selector - The CRL selector.

Throws:

AnnotatedException - if an exception occurs while processing.

ClassCastException - if issuerPrincipals does not contain only X500Names.

getCertStatus

protected static void getCertStatus(Date validDate,
                                    X509CRL crl,
                                    Object cert,
                                    eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
                             throws AnnotatedException

Throws:

AnnotatedException

getDeltaCRLs

protected static Set getDeltaCRLs(Date validityDate,
                                  X509CRL completeCRL,
                                  List<CertStore> certStores,
                                  List<PKIXCRLStore> pkixCrlStores)
                           throws AnnotatedException

Fetches delta CRLs according to RFC 3280 section 5.2.4.

Parameters:

validityDate - The date for which the delta CRLs must be valid.

completeCRL - The complete CRL the delta CRL is for.

certStores - a List of certificate stores

pkixCrlStores - a List of CRL stores

Returns:

A Set of X509CRLs with delta CRLs.

Throws:

AnnotatedException - if an exception occurs while picking the delta CRLs.

getValidCertDateFromValidityModel

protected static Date getValidCertDateFromValidityModel(PKIXExtendedParameters paramsPKIX,
                                                        CertPath certPath,
                                                        int index)
                                                 throws AnnotatedException

Throws:

AnnotatedException

getNextWorkingKey

protected static PublicKey getNextWorkingKey(List certs,
                                             int index,
                                             JcaJceHelper helper)
                                      throws CertPathValidatorException

Return the next working key inheriting DSA parameters if necessary.

This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.

If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.

Parameters:

certs - The certification path.

index - The index of the certificate which contains the public key which should be extended with DSA parameters.

helper - JcaJce helper

Returns:

The public key of the certificate in list position index extended with DSA parameters if applicable.

Throws:

CertPathValidatorException - if DSA parameters cannot be inherited.

verifyX509Certificate

protected static void verifyX509Certificate(X509Certificate cert,
                                            PublicKey publicKey,
                                            String sigProvider)
                                     throws GeneralSecurityException

Throws:

GeneralSecurityException