eu.emi.security.authn.x509.helpers.pkipath.bc

Class RFC3280CertPathUtilitiesCanl

java.lang.Object

eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesCanl

public class RFC3280CertPathUtilitiesCanl
extends Object

This class exposes the BC's JCA implementation of the RFC3280CertPathUtilities. It was done to: fix its bugs (only one or two, should be OK in BC 1.47) and to have errors consumable by the rest of this library (most of the code).

Author:

K. Benedyczak (modifications)

Field Summary

Fields

Modifier and Type	Field and Description
static String	ANY_POLICY
static String	AUTHORITY_KEY_IDENTIFIER
static String	BASIC_CONSTRAINTS
static String	CERTIFICATE_POLICIES
static String	CRL_DISTRIBUTION_POINTS
static String	CRL_NUMBER
protected static int	CRL_SIGN
protected static String[]	crlReasons
static String	DELTA_CRL_INDICATOR
static String	FRESHEST_CRL
static String	INHIBIT_ANY_POLICY
static String	ISSUING_DISTRIBUTION_POINT
protected static int	KEY_CERT_SIGN
static String	KEY_USAGE
static String	NAME_CONSTRAINTS
static String	POLICY_CONSTRAINTS
static String	POLICY_MAPPINGS
static String	SUBJECT_ALTERNATIVE_NAME

Constructor Summary

Constructors

Constructor and Description
RFC3280CertPathUtilitiesCanl()

Method Summary

Modifier and Type	Method and Description
protected static void	checkCRLs(PKIXExtendedParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts, JcaJceHelper helper) Checks a certificate if it is revoked.
static void	checkCRLs2(ExtPKIXParameters2 paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List<?> certPathCerts, JcaJceHelper jcaHelper) Checks a certificate if it is revoked.
protected static void	getCertStatus(Date validDate, X509CRL crl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
protected static PKIXPolicyNode	prepareCertB(CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping)
protected static void	prepareNextCertA(CertPath certPath, int index)
protected static void	prepareNextCertG(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)
protected static int	prepareNextCertH1(CertPath certPath, int index, int explicitPolicy)
protected static int	prepareNextCertH2(CertPath certPath, int index, int policyMapping)
protected static int	prepareNextCertH3(CertPath certPath, int index, int inhibitAnyPolicy)
protected static int	prepareNextCertI1(CertPath certPath, int index, int explicitPolicy)
protected static int	prepareNextCertI2(CertPath certPath, int index, int policyMapping)
protected static int	prepareNextCertJ(CertPath certPath, int index, int inhibitAnyPolicy)
protected static void	prepareNextCertK(CertPath certPath, int index)
protected static int	prepareNextCertL(CertPath certPath, int index, int maxPathLength)
protected static int	prepareNextCertM(CertPath certPath, int index, int maxPathLength)
protected static void	prepareNextCertN(CertPath certPath, int index)
protected static void	prepareNextCertO(CertPath certPath, int index, Set criticalExtensions, List pathCheckers)
protected static void	processCertA(CertPath certPath, PKIXExtendedParameters paramsPKIX, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, X500Name workingIssuerName, X509Certificate sign, JcaJceHelper helper)
protected static void	processCertBC(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator)
protected static PKIXPolicyNode	processCertD(CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy)
protected static PKIXPolicyNode	processCertE(CertPath certPath, int index, PKIXPolicyNode validPolicyTree)
protected static void	processCertF(CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy)
protected static Set	processCRLA1i(Date currentDate, PKIXExtendedParameters paramsPKIX, X509Certificate cert, X509CRL crl)
protected static Set[]	processCRLA1ii(Date currentDate, PKIXExtendedParameters paramsPKIX, X509Certificate cert, X509CRL crl)
protected static void	processCRLB1(DistributionPoint dp, Object cert, X509CRL crl) If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted.
protected static void	processCRLB2(DistributionPoint dp, Object cert, X509CRL crl) If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following: (i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP.
protected static void	processCRLC(X509CRL deltaCRL, X509CRL completeCRL, PKIXExtendedParameters pkixParams) If use-deltas is set, verify the issuer and scope of the delta CRL.
protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask	processCRLD(X509CRL crl, DistributionPoint dp)
protected static Set	processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, PKIXExtendedParameters paramsPKIX, List certPathCerts, JcaJceHelper helper) Obtain and validate the certification path for the complete CRL issuer.
protected static PublicKey	processCRLG(X509CRL crl, Set keys)
protected static X509CRL	processCRLH(Set deltacrls, PublicKey key)
protected static void	processCRLI(Date validDate, X509CRL deltacrl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus, PKIXExtendedParameters pkixParams)
protected static void	processCRLJ(Date validDate, X509CRL completecrl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
protected static int	wrapupCertA(int explicitPolicy, X509Certificate cert)
protected static int	wrapupCertB(CertPath certPath, int index, int explicitPolicy)
protected static void	wrapupCertF(CertPath certPath, int index, List pathCheckers, Set criticalExtensions)
protected static PKIXPolicyNode	wrapupCertG(CertPath certPath, PKIXExtendedParameters paramsPKIX, Set userInitialPolicySet, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, Set acceptablePolicies)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CERTIFICATE_POLICIES

public static final String CERTIFICATE_POLICIES

POLICY_MAPPINGS

public static final String POLICY_MAPPINGS

INHIBIT_ANY_POLICY

public static final String INHIBIT_ANY_POLICY

ISSUING_DISTRIBUTION_POINT

public static final String ISSUING_DISTRIBUTION_POINT

FRESHEST_CRL

public static final String FRESHEST_CRL

DELTA_CRL_INDICATOR

public static final String DELTA_CRL_INDICATOR

POLICY_CONSTRAINTS

public static final String POLICY_CONSTRAINTS

BASIC_CONSTRAINTS

public static final String BASIC_CONSTRAINTS

CRL_DISTRIBUTION_POINTS

public static final String CRL_DISTRIBUTION_POINTS

SUBJECT_ALTERNATIVE_NAME

public static final String SUBJECT_ALTERNATIVE_NAME

NAME_CONSTRAINTS

public static final String NAME_CONSTRAINTS

AUTHORITY_KEY_IDENTIFIER

public static final String AUTHORITY_KEY_IDENTIFIER

KEY_USAGE

public static final String KEY_USAGE

CRL_NUMBER

public static final String CRL_NUMBER

ANY_POLICY

public static final String ANY_POLICY

See Also:

Constant Field Values

KEY_CERT_SIGN

protected static final int KEY_CERT_SIGN

See Also:

Constant Field Values

CRL_SIGN

protected static final int CRL_SIGN

See Also:

Constant Field Values

crlReasons

protected static final String[] crlReasons

Constructor Detail

RFC3280CertPathUtilitiesCanl

public RFC3280CertPathUtilitiesCanl()

Method Detail

checkCRLs2

public static void checkCRLs2(ExtPKIXParameters2 paramsPKIX,
                              X509Certificate cert,
                              Date validDate,
                              X509Certificate sign,
                              PublicKey workingPublicKey,
                              List<?> certPathCerts,
                              JcaJceHelper jcaHelper)
                       throws SimpleValidationErrorException

Checks a certificate if it is revoked.

Parameters:

paramsPKIX - PKIX parameters.

cert - Certificate to check if it is revoked.

validDate - The date when the certificate revocation status should be checked.

sign - The issuer certificate of the certificate cert.

workingPublicKey - The public key of the issuer certificate sign.

certPathCerts - The certificates of the certification path.

jcaHelper - JcaJce helper

Throws:

SimpleValidationErrorException - if the certificate is revoked or the status cannot be checked or some error occurs.

getCertStatus

protected static void getCertStatus(Date validDate,
                                    X509CRL crl,
                                    Object cert,
                                    eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
                             throws SimpleValidationErrorException

Throws:

SimpleValidationErrorException

processCRLB2

protected static void processCRLB2(DistributionPoint dp,
                                   Object cert,
                                   X509CRL crl)
                            throws AnnotatedException

If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

(i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

(ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

(iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

(iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

Parameters:

dp - The distribution point.

cert - The certificate.

crl - The CRL.

Throws:

AnnotatedException - if one of the conditions is not met or an error occurs.

processCRLB1

protected static void processCRLB1(DistributionPoint dp,
                                   Object cert,
                                   X509CRL crl)
                            throws AnnotatedException

If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.

Parameters:

dp - The distribution point.

cert - The certificate ot attribute certificate.

crl - The CRL for cert.

Throws:

AnnotatedException - if one of the above conditions does not apply or an error occurs.

processCRLD

protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask processCRLD(X509CRL crl,
                                                                                       DistributionPoint dp)
                                                                                throws AnnotatedException

Throws:

AnnotatedException

processCRLF

protected static Set processCRLF(X509CRL crl,
                                 Object cert,
                                 X509Certificate defaultCRLSignCert,
                                 PublicKey defaultCRLSignKey,
                                 PKIXExtendedParameters paramsPKIX,
                                 List certPathCerts,
                                 JcaJceHelper helper)
                          throws AnnotatedException

Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

Parameters:

crl - CRL which contains revocation information for the certificate cert.

cert - The attribute certificate or certificate to check if it is revoked.

defaultCRLSignCert - The issuer certificate of the certificate cert.

defaultCRLSignKey - The public key of the issuer certificate defaultCRLSignCert.

paramsPKIX - paramsPKIX PKIX parameters.

certPathCerts - The certificates on the certification path.

helper - JcaJce helper

Returns:

A Set with all keys of possible CRL issuer certificates.

Throws:

AnnotatedException - if the CRL is not valid or the status cannot be checked or some error occurs.

processCRLG

protected static PublicKey processCRLG(X509CRL crl,
                                       Set keys)
                                throws AnnotatedException

Throws:

AnnotatedException

processCRLH

protected static X509CRL processCRLH(Set deltacrls,
                                     PublicKey key)
                              throws AnnotatedException

Throws:

AnnotatedException

processCRLA1i

protected static Set processCRLA1i(Date currentDate,
                                   PKIXExtendedParameters paramsPKIX,
                                   X509Certificate cert,
                                   X509CRL crl)
                            throws AnnotatedException

Throws:

AnnotatedException

processCRLA1ii

protected static Set[] processCRLA1ii(Date currentDate,
                                      PKIXExtendedParameters paramsPKIX,
                                      X509Certificate cert,
                                      X509CRL crl)
                               throws AnnotatedException

Throws:

AnnotatedException

processCRLC

protected static void processCRLC(X509CRL deltaCRL,
                                  X509CRL completeCRL,
                                  PKIXExtendedParameters pkixParams)
                           throws AnnotatedException

If use-deltas is set, verify the issuer and scope of the delta CRL.

Parameters:

deltaCRL - The delta CRL.

completeCRL - The complete CRL.

pkixParams - The PKIX paramaters.

Throws:

AnnotatedException - if an exception occurs.

processCRLI

protected static void processCRLI(Date validDate,
                                  X509CRL deltacrl,
                                  Object cert,
                                  eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus,
                                  PKIXExtendedParameters pkixParams)
                           throws AnnotatedException

Throws:

AnnotatedException

processCRLJ

protected static void processCRLJ(Date validDate,
                                  X509CRL completecrl,
                                  Object cert,
                                  eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
                           throws AnnotatedException

Throws:

AnnotatedException

prepareCertB

protected static PKIXPolicyNode prepareCertB(CertPath certPath,
                                             int index,
                                             List[] policyNodes,
                                             PKIXPolicyNode validPolicyTree,
                                             int policyMapping)
                                      throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertA

protected static void prepareNextCertA(CertPath certPath,
                                       int index)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

processCertF

protected static void processCertF(CertPath certPath,
                                   int index,
                                   PKIXPolicyNode validPolicyTree,
                                   int explicitPolicy)
                            throws CertPathValidatorException

Throws:

CertPathValidatorException

processCertE

protected static PKIXPolicyNode processCertE(CertPath certPath,
                                             int index,
                                             PKIXPolicyNode validPolicyTree)
                                      throws CertPathValidatorException

Throws:

CertPathValidatorException

processCertBC

protected static void processCertBC(CertPath certPath,
                                    int index,
                                    PKIXNameConstraintValidator nameConstraintValidator)
                             throws CertPathValidatorException

Throws:

CertPathValidatorException

processCertD

protected static PKIXPolicyNode processCertD(CertPath certPath,
                                             int index,
                                             Set acceptablePolicies,
                                             PKIXPolicyNode validPolicyTree,
                                             List[] policyNodes,
                                             int inhibitAnyPolicy)
                                      throws CertPathValidatorException

Throws:

CertPathValidatorException

processCertA

protected static void processCertA(CertPath certPath,
                                   PKIXExtendedParameters paramsPKIX,
                                   int index,
                                   PublicKey workingPublicKey,
                                   boolean verificationAlreadyPerformed,
                                   X500Name workingIssuerName,
                                   X509Certificate sign,
                                   JcaJceHelper helper)
                            throws ExtCertPathValidatorException

Throws:

ExtCertPathValidatorException

prepareNextCertI1

protected static int prepareNextCertI1(CertPath certPath,
                                       int index,
                                       int explicitPolicy)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertI2

protected static int prepareNextCertI2(CertPath certPath,
                                       int index,
                                       int policyMapping)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertG

protected static void prepareNextCertG(CertPath certPath,
                                       int index,
                                       PKIXNameConstraintValidator nameConstraintValidator)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

checkCRLs

protected static void checkCRLs(PKIXExtendedParameters paramsPKIX,
                                X509Certificate cert,
                                Date validDate,
                                X509Certificate sign,
                                PublicKey workingPublicKey,
                                List certPathCerts,
                                JcaJceHelper helper)
                         throws AnnotatedException

Checks a certificate if it is revoked.

Parameters:

paramsPKIX - PKIX parameters.

cert - Certificate to check if it is revoked.

validDate - The date when the certificate revocation status should be checked.

sign - The issuer certificate of the certificate cert.

workingPublicKey - The public key of the issuer certificate sign.

certPathCerts - The certificates of the certification path.

helper - JcaJce Helper

Throws:

AnnotatedException - if the certificate is revoked or the status cannot be checked or some error occurs.

prepareNextCertJ

protected static int prepareNextCertJ(CertPath certPath,
                                      int index,
                                      int inhibitAnyPolicy)
                               throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertK

protected static void prepareNextCertK(CertPath certPath,
                                       int index)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertL

protected static int prepareNextCertL(CertPath certPath,
                                      int index,
                                      int maxPathLength)
                               throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertM

protected static int prepareNextCertM(CertPath certPath,
                                      int index,
                                      int maxPathLength)
                               throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertN

protected static void prepareNextCertN(CertPath certPath,
                                       int index)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertO

protected static void prepareNextCertO(CertPath certPath,
                                       int index,
                                       Set criticalExtensions,
                                       List pathCheckers)
                                throws CertPathValidatorException

Throws:

CertPathValidatorException

prepareNextCertH1

protected static int prepareNextCertH1(CertPath certPath,
                                       int index,
                                       int explicitPolicy)

prepareNextCertH2

protected static int prepareNextCertH2(CertPath certPath,
                                       int index,
                                       int policyMapping)

prepareNextCertH3

protected static int prepareNextCertH3(CertPath certPath,
                                       int index,
                                       int inhibitAnyPolicy)

wrapupCertA

protected static int wrapupCertA(int explicitPolicy,
                                 X509Certificate cert)

wrapupCertB

protected static int wrapupCertB(CertPath certPath,
                                 int index,
                                 int explicitPolicy)
                          throws CertPathValidatorException

Throws:

CertPathValidatorException

wrapupCertF

protected static void wrapupCertF(CertPath certPath,
                                  int index,
                                  List pathCheckers,
                                  Set criticalExtensions)
                           throws CertPathValidatorException

Throws:

CertPathValidatorException

wrapupCertG

protected static PKIXPolicyNode wrapupCertG(CertPath certPath,
                                            PKIXExtendedParameters paramsPKIX,
                                            Set userInitialPolicySet,
                                            int index,
                                            List[] policyNodes,
                                            PKIXPolicyNode validPolicyTree,
                                            Set acceptablePolicies)
                                     throws CertPathValidatorException

Throws:

CertPathValidatorException