authorSergio Giro <sgiro@google.com>2016-02-01 15:03:14 +0000
committerSergio Giro <sgiro@google.com>2016-02-01 18:54:07 +0000
commitc1040cb5656c3299f1c2d0fe0bd7c44b10466aaf (patch)
treeb5eb091b97b2aade28e5b45a15352125a4a776d7 /bcprov/src/main/java/org/bouncycastle/x509
parent397d32894b89b506dc318e0f83446187c9b76ebe (diff)
Restoring the contents of AOSP after
https://android-review.git.corp.google.com/#/c/199871 was submitted. `git diff 9b30eb05e5be69d51881a0d1b31e503e97acd784` (ToT before submitting the patch above) shows no differences. Change-Id: I9f424a67094839f1893a23cd46ec7d6f0992ac26
Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/x509')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerException.java72
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerMessages_de.properties621
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/CertPathValidatorUtilities.java1517
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/CertStatus.java46
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/NoSuchParserException.java10
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/PKIXCRLUtil.java153
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java2543
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509AttributeCertStoreSelector.java484
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509CertPairStoreSelector.java155
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509CertificatePair.java167
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509Store.java82
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509StreamParser.java161
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509StreamParserSpi.java45
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509Util.java46
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509V2CRLGenerator.java450
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/examples/package.html7
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/extension/package.html5
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/package.html7
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/util/LDAPStoreHelper.java1117
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/util/StreamParser.java10
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/util/StreamParsingException.java18
21 files changed, 29 insertions, 7687 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerException.java b/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerException.java
deleted file mode 100644
index 173d478..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerException.java
+++ /dev/null
@@ -1,72 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.security.cert.CertPath;
-
-import org.bouncycastle.i18n.ErrorBundle;
-import org.bouncycastle.i18n.LocalizedException;
-
-public class CertPathReviewerException extends LocalizedException
-{
-
- private int index = -1;
-
- private CertPath certPath = null;
-
- public CertPathReviewerException(ErrorBundle errorMessage, Throwable throwable)
- {
- super(errorMessage, throwable);
- }
-
- public CertPathReviewerException(ErrorBundle errorMessage)
- {
- super(errorMessage);
- }
-
- public CertPathReviewerException(
- ErrorBundle errorMessage,
- Throwable throwable,
- CertPath certPath,
- int index)
- {
- super(errorMessage, throwable);
- if (certPath == null || index == -1)
- {
- throw new IllegalArgumentException();
- }
- if (index < -1 || (certPath != null && index >= certPath.getCertificates().size()))
- {
- throw new IndexOutOfBoundsException();
- }
- this.certPath = certPath;
- this.index = index;
- }
-
- public CertPathReviewerException(
- ErrorBundle errorMessage,
- CertPath certPath,
- int index)
- {
- super(errorMessage);
- if (certPath == null || index == -1)
- {
- throw new IllegalArgumentException();
- }
- if (index < -1 || (certPath != null && index >= certPath.getCertificates().size()))
- {
- throw new IndexOutOfBoundsException();
- }
- this.certPath = certPath;
- this.index = index;
- }
-
- public CertPath getCertPath()
- {
- return certPath;
- }
-
- public int getIndex()
- {
- return index;
- }
-
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerMessages_de.properties b/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerMessages_de.properties
deleted file mode 100644
index b9398ea..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/CertPathReviewerMessages_de.properties
+++ /dev/null
@@ -1,621 +0,0 @@
-
-## constructor exceptions
-
-# cert path is empty
-CertPathReviewer.emptyCertPath.title = Zertifizierungspfad ist leer
-CertPathReviewer.emptyCertPath.text = PKIXCertPathReviewer: der Zertifizierungspfad ist leer.
-CertPathReviewer.emptyCertPath.summary = PKIXCertPathReviewer: der Zertifizierungspfad ist leer.
-CertPathReviewer.emptyCertPath.details = PKIXCertPathReviewer: der Zertifizierungspfad ist leer.
-
-## name constraints processing errors
-
-# cert DN is not in the permitted tree
-# {0} DN as String
-CertPathReviewer.notPermittedDN.title = Fehler bei der Namensbeschränkung: Zertifikats DN ist nicht erlaubt
-CertPathReviewer.notPermittedDN.text = Fehler bei der Namensbeschränkung: Der Zertifikats DN {0} ist nicht erlaubt.
-CertPathReviewer.notPermittedDN.summary = Fehler bei der Namensbeschränkung: Der Zertifikats DN ist nicht erlaubt.
-CertPathReviewer.notPermittedDN.details = Fehler bei der Namensbeschränkung: Der Zertifikats DN {0} ist nicht im Set der erlaubten DNs.
-
-# cert DN is in the excluded tree
-# {0} DN as String
-CertPathReviewer.excludedDN.title = Fehler bei der Namensbeschränkung: Zertifikats DN ist ausgeschlossen
-CertPathReviewer.excludedDN.text = Fehler bei der Namensbeschränkung: Der Zertifikats DN {0} ist ausgeschlossen.
-CertPathReviewer.excludedDN.summary = Fehler bei der Namensbeschränkung: Der Zertifikats DN ist ausgeschlossen
-CertPathReviewer.excludedDN.details = Fehler bei der Namensbeschränkung: Der Zertifikats DN ist {0} is innerhalb des Sets von ausgeschlossenen DNs.
-
-# cert email is not in the permitted tree
-# {0} email address as String
-CertPathReviewer.notPermittedEmail.title = Fehler bei der Namensbeschränkung: nicht erlaubte Email Addresse
-CertPathReviewer.notPermittedEmail.text = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die nicht erlaubte Email Addresse {0}.
-CertPathReviewer.notPermittedEmail.summary = Fehler bei der Namensbeschränkung: Die Email Addresse ist nicht erlaubt.
-CertPathReviewer.notPermittedEmail.details = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die Email Addresse {0}, welche nicht im Set der erlaubten Email Addressen ist.
-
-# cert email is in the excluded tree
-# {0} email as String
-CertPathReviewer.excludedEmail.title = Fehler bei der Namensbeschränkung: Email Addresse ausgeschlossen
-CertPathReviewer.excludedEmail.text = Fehler bei der Namensbeschränkung: Die Email Addresse {0} im Zertifikat ist ausgeschlossen.
-CertPathReviewer.excludedEmail.summary = Fehler bei der Namensbeschränkung: Die Email Addresse ist ausgeschlossen.
-CertPathReviewer.excludedEmail.details = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die Email Addresse {0}, welche im Set der ausgeschlossenen Email Addressen ist.
-
-# cert IP is not in the permitted tree
-# {0} ip address as String
-CertPathReviewer.notPermittedIP.title = Fehler bei der Namensbeschränkung: nicht erlaubte IP Addresse
-CertPathReviewer.notPermittedIP.text = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die nicht erlaubte IP Addresse {0}.
-CertPathReviewer.notPermittedIP.summary = Fehler bei der Namensbeschränkung: Die IP Addresse ist nicht erlaubt.
-CertPathReviewer.notPermittedIP.details = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die IP Addresse {0}, welche nicht im Set der erlaubten IP Addressen ist.
-
-# cert ip is in the excluded tree
-# {0} ip address as String
-CertPathReviewer.excludedIP.title = Fehler bei der Namensbeschränkung: Ausgeschlossene IP Addresse
-CertPathReviewer.excludedIP.text = Fehler bei der Namensbeschränkung: Das Zertifikat enhält die ausgeschlossene IP Addresse {0}.
-CertPathReviewer.excludedIP.summary = Fehler bei der Namensbeschränkung: Die IP Addresse im Zertifikat ist ausgeschlossen.
-CertPathReviewer.excludedIP.details = Fehler bei der Namensbeschränkung: Das Zertifikat enthält die IP Addresse {0}, welche im Set der ausgeschlossenen IP Addressen ist.
-
-# error processing the name constraints extension
-CertPathReviewer.ncExtError.title = Prüfen der Namensbeschränkungen fehlgeschlagen
-CertPathReviewer.ncExtError.text = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab Fehler bei der Verarbeitung der Name Constraints Erweiterung des Zertifikats.
-CertPathReviewer.ncExtError.summary = Prüfen der Namensbeschränkungen fehlgeschlagen: Fehler bei der Verarbeitung der Name Constraints Erweiterung.
-CertPathReviewer.ncExtError.details = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab Fehler bei der Verarbeitung der Name Constraints Erweiterung des Zertifikats.
-
-# error processing the subject alternative name extension
-CertPathReviewer.subjAltNameExtError.title = Prüfen der Namensbeschränkungen fehlgeschlagen
-CertPathReviewer.subjAltNameExtError.text = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab Fehler bei der Verarbeitung der Subject Alternative Name Erweiterung des Zertifikats.
-CertPathReviewer.subjAltNameExtError.summary = Prüfen der Namensbeschränkungen fehlgeschlagen: Fehler bei der Verarbeitung der Subject Alternative Name Erweiterung.
-CertPathReviewer.subjAltNameExtError.details = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab Fehler bei der Verarbeitung der Subject Alternative Name Erweiterung des Zertifikats.
-
-# exception extracting subject name when checking subtrees
-# {0} subject Principal
-CertPathReviewer.ncSubjectNameError.title = Prüfen der Namensbeschränkungen fehlgeschlagen
-CertPathReviewer.ncSubjectNameError.text = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab einen Fehler beim auslesen des DN des Zertifikats.
-CertPathReviewer.ncSubjectNameError.summary = Prüfen der Namensbeschränkungen fehlgeschlagen: Fehler beim auslesen des DNs.
-CertPathReviewer.ncSubjectNameError.details = Prüfen der Namensbeschränkungen fehlgeschlagen: Es gab einen Fehler beim auslesen des DN des Zertifikats.
-
-
-## path length errors
-
-# max path length extended
-CertPathReviewer.pathLenghtExtended.title = Maximale Pfadlänge überschritten
-CertPathReviewer.pathLenghtExtended.text = Zertifizierungspfad ungültig: die Maximale Pfadlänge ist überschritten.
-CertPathReviewer.pathLenghtExtended.summary = Zertifizierungspfad ungültig: die Maximale Pfadlänge ist überschritten.
-CertPathReviewer.pathLenghtExtended.details = Zertifizierungspfad ungültig: die Maximale Pfadlänge ist überschritten.
-
-# error reading length constraint from basic constraint extension
-CertPathReviewer.processLengthConstError.title = Prüfen der Pfadlänge fehlgeschlagen
-CertPathReviewer.processLengthConstError.text = Prüfen der Pfadlänge fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der subject alternative name Erweiterung des Zertifikats.
-CertPathReviewer.processLengthConstError.summary = Fehler bei der Verarbeitung der subject alternative name Erweiterung.
-CertPathReviewer.processLengthConstError.details = Prüfen der Pfadlänge fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der subject alternative name Erweiterung des Zertifikats.
-
-
-## path length notifications
-
-# total path length as defined in rfc 3280
-# {0} the path length as Integer
-CertPathReviewer.totalPathLength.title = Totale Pfadlänge
-CertPathReviewer.totalPathLength.text = Die totale Pfadlänge ohne self-signed Zertifikate ist {0}.
-CertPathReviewer.totalPathLength.summary = Die totale Pfadlänge ohne self-signed Zertifikate ist {0}.
-CertPathReviewer.totalPathLength.details = Die totale Pfadlänge ohne self-signed Zertifikate, wie beschrieben in RFC 3280, ist {0}.
-
-
-## critical extensions errors
-
-# one unknown critical extension
-# {0} extension as String
-CertPathReviewer.unknownCriticalExt.title = Unbekannte kritische Erweiterung
-CertPathReviewer.unknownCriticalExt.text = Das Zertifikat enhält eine unbekannte kritische Erweiterung mit der OID {0}.
-CertPathReviewer.unknownCriticalExt.summary = Unbekannte kritische Erweiterung: {0}.
-CertPathReviewer.unknownCriticalExt.details = Das Zertifikat enhält eine unbekannte kritische Erweiterung mit der OID {0}.
-
-# more unknown critical extensions
-# {0} extensions as Set of Strings
-CertPathReviewer.unknownCriticalExts.title = Unbekannte kritische Erweiterung
-CertPathReviewer.unknownCriticalExts.text = Das Zertifikat enhält zwei oder mehr unbekannte kritische Erweiterungen mit den OIDs {0}.
-CertPathReviewer.unknownCriticalExts.summary = Unbekannte kritische Erweiterungen: {0}.
-CertPathReviewer.unknownCriticalExts.details = Das Zertifikat enhält zwei oder mehr unbekannte kritische Erweiterungen mit den OIDs {0}.
-
-# error processing critical extension
-# {0} the message of the underlying exception
-# {1} the underlying exception
-# {2} the name of the exception
-CertPathReviewer.criticalExtensionError.title = Fehler bei der Verarbeitung einer kritischen Erweiterung
-CertPathReviewer.criticalExtensionError.text = Fehler bei der Verarbeitung einer kritischen Erweiterung. Es gab eine {2}.
-CertPathReviewer.criticalExtensionError.summary = Fehler bei der Verarbeitung einer kritischen Erweiterung. Es gab eine {2}.
-CertPathReviewer.criticalExtensionError.details = Fehler bei der Verarbeitung einer kritischen Erweiterung. Es gab eine {2}. Grund: {0}.
-
-# error initializing the certpath checkers
-# {0} the message of the underlying exception
-# {1} the underlying exception
-# {2} the name of the exception
-CertPathReviewer.certPathCheckerError.title = Prüfen der kritischen Erweiterungen fehlgeschlagen
-CertPathReviewer.certPathCheckerError.text = Prüfen der kritischen Erweiterungen fehlgeschlagen: Es gab eine {2} bei der Initialisierung eines CertPathChecker.
-CertPathReviewer.certPathCheckerError.summary = Prüfen der kritischen Erweiterungen fehlgeschlagen: {2} bei der Initialisierung eines CertPathChecker.
-CertPathReviewer.certPathCheckerError.details = Prüfen der kritischen Erweiterungen fehlgeschlagen: Es gab eine {2} bei der Initialisierung eines CertPathChecker. Grund: {0}
-
-
-## check signature errors
-
-CertPathReviewer.rootKeyIsValidButNotATrustAnchor.title = rootKeyIsValidButNotATrustAnchor
-CertPathReviewer.rootKeyIsValidButNotATrustAnchor.text = Das Zertifikat hat eine gültige Signatur, ist aber kein vertrauenswürdiges Root Zertifikat.
-CertPathReviewer.rootKeyIsValidButNotATrustAnchor.summary = Das Zertifikat hat eine gültige Signatur, ist aber kein vertrauenswürdiges Root Zertifikat.
-CertPathReviewer.rootKeyIsValidButNotATrustAnchor.details = Das Zertifikat hat eine gültige Signatur, ist aber kein vertrauenswürdiges Root Zertifikat.
-
-# trustanchor found, but certificate validation failed
-CertPathReviewer.trustButInvalidCert.title = Vertrauenswürdiges Root Zertifikat invalid
-CertPathReviewer.trustButInvalidCert.text = Ein Root Zertifikat wurde gefunden. Es hat aber einen anderen öffentlichen Schlüssel als verwendet wurde um das erste Zertifikat des Zertifizierungspfades zu signieren.
-CertPathReviewer.trustButInvalidCert.summary = Ein Root Zertifikat wurde gefunden. Es hat aber einen anderen öffentlichen Schlüssel als verwendet wurde um das erste Zertifikat des Zertifizierungspfades zu signieren.
-CertPathReviewer.trustButInvalidCert.details = Ein Root Zertifikat wurde gefunden. Es hat aber einen anderen öffentlichen Schlüssel als verwendet wurde um das erste Zertifikat des Zertifizierungspfades zu signieren.
-
-# trustanchor - cannot extract issuer
-CertPathReviewer.trustAnchorIssuerError.title = Kann kein vertrauenswürdiges Root Zertifikat finden
-CertPathReviewer.trustAnchorIssuerError.text = Kann kein vertrauenswürdiges Root Zertifikat finden: Der Herausgeber vom Zertifikat kann nicht auslesen werden.
-CertPathReviewer.trustAnchorIssuerError.summary = Kann kein vertrauenswürdiges Root Zertifikat finden: Der Herausgeber vom Zertifikat kann nicht auslesen werden.
-CertPathReviewer.trustAnchorIssuerError.details = Kann kein vertrauenswürdiges Root Zertifikat finden: Der Herausgeber vom Zertifikat kann nicht auslesen werden.
-
-# no trustanchor was found for the certificate path
-# {0} issuer of the root certificate of the path
-# {1} number of trusted root certificates (trustanchors) provided
-CertPathReviewer.noTrustAnchorFound.title = Kein vertrauenswürdiges Root Zertifikat gefunden
-CertPathReviewer.noTrustAnchorFound.text = Das Root Zertifikat der Zertifizierungspfads wurde nicht von einer vertrauenswürdigen CA ausgestellt. Der Name der CA ist "{0}".
-CertPathReviewer.noTrustAnchorFound.summary = Das Root Zertifikat der Zertifizierungspfads wurde nicht von einer vertrauenswürdigen CA ausgestellt.
-CertPathReviewer.noTrustAnchorFound.details = Das Root Zertifikat der Zertifizierungspfads wurde nicht von einer vertrauenswürdigen CA ausgestellt. Der Name der CA ist "{0}". Der Root-Zertifikat-Speicher enthält {1} CA(s).
-
-# conflicting trust anchors
-# {0} number of trustanchors found (Integer)
-# {1} the ca name
-CertPathReviewer.conflictingTrustAnchors.title = Korrupter Root-Zertifikat-Speicher
-CertPathReviewer.conflictingTrustAnchors.text = Warnung: Es sind {0} öffentliche Schlüssel für die CA "{1}" im Root-Zertifikat-Speicher vorhanden - bitte prüfen Sie mit der CA welches der richtige Schlüssel ist.
-CertPathReviewer.conflictingTrustAnchors.summary = Warnung: Es sind {0} öffentliche Schlüssel für die CA "{1}" im Root-Zertifikat-Speicher vorhanden - bitte prüfen Sie mit der CA welches der richtige Schlüssel ist.
-CertPathReviewer.conflictingTrustAnchors.details = Warnung: Es sind {0} öffentliche Schlüssel für die CA "{1}" im Root-Zertifikat-Speicher vorhanden - bitte prüfen Sie mit der CA welches der richtige Schlüssel ist.
-
-# trustanchor DN is invalid
-# {0} DN of the Trustanchor
-CertPathReviewer.trustDNInvalid.title = DN des vertrauenswürdigen Root Zertifikats mit falschem Format.
-CertPathReviewer.trustDNInvalid.text = Der DN des vertrauenswürdigen Root Zertifikats hat ein falsches Format: {0}.
-CertPathReviewer.trustDNInvalid.summary = Der DN des vertrauenswürdigen Root Zertifikats hat ein falsches Format: {0}.
-CertPathReviewer.trustDNInvalid.details = Der DN des vertrauenswürdigen Root Zertifikats hat ein falsches Format: {0}. Es ist kein gültiger X.500 Name. Siehe RFC 1779 oder RFC 2253.
-
-# trustanchor public key algorithm error
-CertPathReviewer.trustPubKeyError.title = Fehler bei der Verarbeitung des öffentlichen Schlüssels der vertrauenswürdigen Root Zertifikats
-CertPathReviewer.trustPubKeyError.text = Fehler bei der Verarbeitung des öffentlichen Schlüssels der vertrauenswürdigen Root Zertifikats.
-CertPathReviewer.trustPubKeyError.summary = Fehler bei der Verarbeitung des öffentlichen Schlüssels der vertrauenswürdigen Root Zertifikats.
-CertPathReviewer.trustPubKeyError.details = Fehler bei der Verarbeitung des öffentlichen Schlüssels der vertrauenswürdigen Root Zertifikats. Der AlorithmIdentifier vom Schlüssel kann nicht ausgelesen werden.
-
-# can not verifiy signature: issuer public key unknown
-CertPathReviewer.NoIssuerPublicKey.title = Zertifikats Signatur kann nicht geprüft werden
-CertPathReviewer.NoIssuerPublicKey.text = Die Zertifikats Signatur kann nicht geprüft werden: Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-CertPathReviewer.NoIssuerPublicKey.summary = Die Zertifikats Signatur kann nicht geprüft werden: Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-CertPathReviewer.NoIssuerPublicKey.details = Die Zertifikats Signatur kann nicht geprüft werden: Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-
-# signature can not be verified
-# {0} message of the underlying exception (english)
-# {1} the underlying exception
-# {2} the name of the exception
-CertPathReviewer.signatureNotVerified.title = Zertifikats Signatur ist ungültig
-CertPathReviewer.signatureNotVerified.text = Die Zertifikats Signatur ist ungültig. Es gab eine {2}.
-CertPathReviewer.signatureNotVerified.summary = Die Zertifikats Signatur ist ungültig.
-CertPathReviewer.signatureNotVerified.details = Die Zertifikats Signatur ist ungültig. Es gab eine {2}. Grund: {0}
-
-# certificate expired
-# {0} the date the certificate expired
-CertPathReviewer.certificateExpired.title = Zertifikat ist abgelaufen
-CertPathReviewer.certificateExpired.text = Das Zertifikat ist ungültig. Es ist am {0,date} {0,time,full} abgelaufen.
-CertPathReviewer.certificateExpired.summary = Das Zertifikat ist abgelaufen am {0,date} {0,time,full}.
-CertPathReviewer.certificateExpired.details = Das Zertifikat ist ungültig. Es ist am {0,date} {0,time,full} abgelaufen.
-
-# certificate not yet valid
-# {0} the date from which on the certificate is valid
-CertPathReviewer.certificateNotYetValid.title = Das Zertifikat ist noch nicht gültig
-CertPathReviewer.certificateNotYetValid.text = Das Zertifikat ist ungültig. Es ist erst gültig ab {0,date} {0,time,full}.
-CertPathReviewer.certificateNotYetValid.summary = Das Zertifikat ist nicht gültig bis {0,date} {0,time,full}.
-CertPathReviewer.certificateNotYetValid.details = Das Zertifikat ist ungültig. Es ist erst gültig ab {0,date} {0,time,full}.
-
-# certificate invalid issuer DN
-# {0} expected issuer DN as String
-# {1} found issuer DN as String
-CertPathReviewer.certWrongIssuer.title = Falscher Herausgeber
-CertPathReviewer.certWrongIssuer.text = Das Herausgeber des Zertifikats ist ungültig. Erwartet {0}, gefunden {1}.
-CertPathReviewer.certWrongIssuer.summary = Das Herausgeber des Zertifikats ist ungültig.
-CertPathReviewer.certWrongIssuer.details = Das Herausgeber des Zertifikats ist ungültig. Erwartet {0}, gefunden {1}.
-
-# intermediate certificate is no ca cert
-CertPathReviewer.noCACert.title = Zertifikat ist kein CA Zertifikat
-CertPathReviewer.noCACert.text = Das Zertifikat ist kein CA Zertifikat.
-CertPathReviewer.noCACert.summary = Das Zertifikat ist kein CA Zertifikat.
-CertPathReviewer.noCACert.details = Das Zertifikat ist kein CA Zertifikat, wird aber wie eines gebraucht.
-
-# cert laks basic constraints
-CertPathReviewer.noBasicConstraints.title = Zertifikat hat keine Basiseinschränkungen
-CertPathReviewer.noBasicConstraints.text = Das Zertifikat hat keine Basiseinschränkungen.
-CertPathReviewer.noBasicConstraints.summary = Das Zertifikat hat keine Basiseinschränkungen.
-CertPathReviewer.noBasicConstraints.details = Das Zertifikat hat keine Basiseinschränkungen.
-
-# error processing basic constraints
-CertPathReviewer.errorProcesingBC.title = Fehler bei der Verarbeitung der Basiseinschränkungen
-CertPathReviewer.errorProcesingBC.text = Es gab einen Fehler bei der Verarbeitung der Basiseinschränkungen des Zertifikats.
-CertPathReviewer.errorProcesingBC.summary = Fehler bei der Verarbeitung der Basiseinschränkungen
-CertPathReviewer.errorProcesingBC.details = Es gab einen Fehler bei der Verarbeitung der Basiseinschränkungen des Zertifikats.
-
-# certificate not usable for signing certs
-CertPathReviewer.noCertSign.title = Schlüssel nicht nutzbar für Zertifikatssignaturen
-CertPathReviewer.noCertSign.text = Der Schlüssel kann nicht zum Signieren von Zertifikaten verwendet werden.
-CertPathReviewer.noCertSign.summary = Der Schlüssel kann nicht zum Signieren von Zertifikaten verwendet werden.
-CertPathReviewer.noCertSign.details = Der Schlüssel kann nicht zum Signieren von Zertifikaten verwendet werden.
-
-# error processing public key
-CertPathReviewer.pubKeyError.title = Fehler bei der Verarbeitung des öffentlichen Schlüssels
-CertPathReviewer.pubKeyError.text = Fehler bei der Verarbeitung des öffentlichen Schlüssels des Zertifikats.
-CertPathReviewer.pubKeyError.summary = Fehler bei der Verarbeitung des öffentlichen Schlüssels des Zertifikats.
-CertPathReviewer.pubKeyError.details = Fehler bei der Verarbeitung des öffentlichen Schlüssels des Zertifikats. Der AlorithmIdentifier konnte nicht extrahiert werden.
-
-
-## check signatures notifications
-
-#
-# trust anchor has no keyusage certSign
-CertPathReviewer.trustKeyUsage.title = Root-Zertifikat Schlüsselverwendung
-CertPathReviewer.trustKeyUsage.text = Das Root-Zertifikat darf nicht zum Signieren von Zertifikaten verwendet werden.
-CertPathReviewer.trustKeyUsage.summary = Das Root-Zertifikat darf nicht zum Signieren von Zertifikaten verwendet werden.
-CertPathReviewer.trustKeyUsage.details = Das Root-Zertifikat darf nicht zum Signieren von Zertifikaten verwendet werden.
-
-# certificate path validation date
-# {0} date for which the cert path is validated
-# {1} current date
-CertPathReviewer.certPathValidDate.title = Datum der Zertifikatspfad Validierung
-CertPathReviewer.certPathValidDate.text = Der Zertifikatspfad wurde am {0,date} {0,time,full} angewendet. Er wurde am {1,date} {1,time,full} geprüft.
-CertPathReviewer.certPathValidDate.summary = Der Zertifikatspfad wurde am {0,date} {0,time,full} angewendet. Er wurde am {1,date} {1,time,full} geprüft.
-CertPathReviewer.certPathValidDate.details = Der Zertifikatspfad wurde am {0,date} {0,time,full} angewendet. Er wurde am {1,date} {1,time,full} geprüft.
-
-
-## check policy errors
-
-# error processing certificate policy extension
-CertPathReviewer.policyExtError.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.policyExtError.text = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Erweiterung.
-CertPathReviewer.policyExtError.summary = Fehler bei der Verarbeitung der Policy Erweiterung.
-CertPathReviewer.policyExtError.details = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Erweiterung.
-
-# error processing policy constraints extension
-CertPathReviewer.policyConstExtError.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.policyConstExtError.text = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Constraints Erweiterung.
-CertPathReviewer.policyConstExtError.summary = Fehler bei der Verarbeitung der Policy Constraints Erweiterung.
-CertPathReviewer.policyConstExtError.details = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Constraints Erweiterung.
-
-# error processing policy mapping extension
-CertPathReviewer.policyMapExtError.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.policyMapExtError.text = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Mapping Erweiterung.
-CertPathReviewer.policyMapExtError.summary = Fehler bei der Verarbeitung der Policy Mapping Erweiterung.
-CertPathReviewer.policyMapExtError.details = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Policy Mapping Erweiterung.
-
-# error processing inhibit any policy extension
-CertPathReviewer.policyInhibitExtError.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.policyInhibitExtError.text = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Inhibit Any Policy Erweiterung.
-CertPathReviewer.policyInhibitExtError.summary = Fehler bei der Verarbeitung der Inhibit Any Policy Erweiterung.
-CertPathReviewer.policyInhibitExtError.details = Prüfen der Policy fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Inhibit Any Policy Erweiterung.
-
-# error building qualifier set
-CertPathReviewer.policyQualifierError.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.policyQualifierError.text = Prüfen der Policy fehlgeschlagen: Fehler beim erstellen des Policy Qualifier Set.
-CertPathReviewer.policyQualifierError.summary = Prüfen der Policy fehlgeschlagen: Fehler beim erstellen des Policy Qualifier Set.
-CertPathReviewer.policyQualifierError.details = Prüfen der Policy fehlgeschlagen: Fehler beim erstellen des Policy Qualifier Set.
-
-# no valid policy tree - explicit policy required
-CertPathReviewer.noValidPolicyTree.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.noValidPolicyTree.text = Prüfen der Policy fehlgeschlagen: Kein gültiger Policy Baum gefunden, als einer erwartet wurde.
-CertPathReviewer.noValidPolicyTree.summary = Prüfen der Policy fehlgeschlagen: Kein gültiger Policy Baum gefunden, als einer erwartet wurde.
-CertPathReviewer.noValidPolicyTree.details = Prüfen der Policy fehlgeschlagen: Kein gültiger Policy Baum gefunden, als einer erwartet wurde.
-
-# expicit policy requested, but no policy available
-CertPathReviewer.explicitPolicy.title = Prüfen der Policy fehlgeschlagen
-CertPathReviewer.explicitPolicy.text = Prüfen der Policy fehlgeschlagen: Policy verlang, aber keine Policy vorhanden.
-CertPathReviewer.explicitPolicy.summary = Prüfen der Policy fehlgeschlagen: Policy verlang, aber keine Policy vorhanden.
-CertPathReviewer.explicitPolicy.details = Prüfen der Policy fehlgeschlagen: Policy verlang, aber keine Policy vorhanden.
-
-# path processing failed on policy
-CertPathReviewer.invalidPolicy.title = Pfad Validierung wegen der Policy fehlgeschlagen
-CertPathReviewer.invalidPolicy.text = Pfad Validierung wegen der Policy fehlgeschlagen.
-CertPathReviewer.invalidPolicy.summary = Pfad Validierung wegen der Policy fehlgeschlagen.
-CertPathReviewer.invalidPolicy.details = Pfad Validierung wegen der Policy fehlgeschlagen.
-
-# invalid policy mapping
-CertPathReviewer.invalidPolicyMapping.title = Ungültiges Policy Mapping
-CertPathReviewer.invalidPolicyMapping.text = Das Zertifikat enthält ein Ungültiges Policy Mapping.
-CertPathReviewer.invalidPolicyMapping.summary = Das Zertifikat enthält ein Ungültiges Policy Mapping.
-CertPathReviewer.invalidPolicyMapping.details = Das Zertifikat enthält ein Ungültiges Policy Mapping, das den Wert Any Policy enthält.
-
-## check CRL notifications
-
-# found local valid CRL
-# {0} thisUpdate of the CRL
-# {1} nextUpdate of the CRL
-CertPathReviewer.localValidCRL.title = Gültige Zertifikatssperrliste (CRL) gefunden
-CertPathReviewer.localValidCRL.text = Gültige Zertifikatssperrliste (CRL) im lokalen Speicher gefunden. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.localValidCRL.summary = Gültige Zertifikatssperrliste (CRL) im lokalen Speicher gefunden. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.localValidCRL.details = Gültige Zertifikatssperrliste (CRL) im lokalen Speicher gefunden. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-
-
-# found matching CRL, but not valid
-# {0} thisUpdate of the CRL
-# {1} nextUpdate of the CRL
-CertPathReviewer.localInvalidCRL.title = Lokale Zertifikatssperrliste (CRL) veraltet
-CertPathReviewer.localInvalidCRL.text = Eine lokale Zertifikatssperrliste (CRL) wurde nicht genutzt, da sie veraltet ist. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.localInvalidCRL.summary = Eine lokale Zertifikatssperrliste (CRL) wurde nicht genutzt, da sie veraltet ist. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.localInvalidCRL.details = Eine lokale Zertifikatssperrliste (CRL) wurde nicht genutzt, da sie veraltet ist. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-
-# found a valid crl at crl distribution point
-# {0} thisUpdate of the CRL
-# {1} nextUpdate of the CRL
-# {2} the url of the distribution point
-CertPathReviewer.onlineValidCRL.title = Gültige Zertifikatssperrliste (CRL) von einem CDP
-CertPathReviewer.onlineValidCRL.text = Gültige Zertifikatssperrliste (CRL) gefunden von: {2}. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.onlineValidCRL.summary = Gültige Zertifikatssperrliste (CRL) gefunden von: {2}. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.onlineValidCRL.details = Gültige Zertifikatssperrliste (CRL) gefunden von: {2}. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-
-# found an invalid CRL at crl distribution point
-# {0} thisUpdate of the CRL
-# {1} nextUpdate of the CRL
-# {2} the url of the distribution point
-CertPathReviewer.onlineInvalidCRL.title = Veraltete Zertifikatssperrliste (CRL) von einem CDP
-CertPathReviewer.onlineInvalidCRL.text = Die Zertifikatssperrliste (CRL) von {2} ist veraltet. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.onlineInvalidCRL.summary = Die Zertifikatssperrliste (CRL) von {2} ist veraltet. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-CertPathReviewer.onlineInvalidCRL.details = Die Zertifikatssperrliste (CRL) von {2} ist veraltet. Herausgegeben am {0,date}, nächstes Update am {1,date}.
-
-#found a CRL at a crl distribution point, but issued by another CA
-# {0} issuer of the CRL
-# {1} expected issuer
-# {2} the url of the distribution point
-CertPathReviewer.onlineCRLWrongCA.title = Zertifikatssperrliste (CRL) von CDP mit falschem Herausgeber
-CertPathReviewer.onlineCRLWrongCA.text = Die Zertifikatssperrliste (CRL) von {2} wurde von {0} herausgegeben, erwartet wurde {1}.
-CertPathReviewer.onlineCRLWrongCA.summary = Die Zertifikatssperrliste (CRL) von {2} hat einen falschen Herausgeber.
-CertPathReviewer.onlineCRLWrongCA.details = Die Zertifikatssperrliste (CRL) von {2} wurde von {0} herausgegeben, erwartet wurde {1}.
-
-# Certificate not revoked
-CertPathReviewer.notRevoked.title = Zertifikat nicht revoziert
-CertPathReviewer.notRevoked.text = Das Zertifikat ist nicht revoziert.
-CertPathReviewer.notRevoked.summary = Das Zertifikat ist nicht revoziert.
-CertPathReviewer.notRevoked.details = Das Zertifikat ist nicht revoziert.
-
-# CRL found: certificate was revoked, but after the validationDate
-# {0} the date the certificate was revoked
-# {1} the reason for revoking the certificate
-CertPathReviewer.revokedAfterValidation.title = Zertifikat revoziert nach dem Validierungdatum
-CertPathReviewer.revokedAfterValidation.text = Das Zertifikat wurde nach dem Validierungdatum am {0,date} {0,time,full} revoziert. Grund: {1}.
-CertPathReviewer.revokedAfterValidation.summary = Das Zertifikat wurde nach dem Validierungdatum am {0,date} {0,time,full} revoziert.
-CertPathReviewer.revokedAfterValidation.details = Das Zertifikat wurde nach dem Validierungdatum am {0,date} {0,time,full} revoziert. Grund: {1}.
-
-# updated crl available
-# {0} date since when the update is available
-CertPathReviewer.crlUpdateAvailable.title = Zertifikatssperrlisten (CRL) Update erhältlich
-CertPathReviewer.crlUpdateAvailable.text = Ein Update für die Zertifikatssperrliste (CRL) für dieses Zertifikat ist erhältlich seit {0,date} {0,time,full}.
-CertPathReviewer.crlUpdateAvailable.summary = Ein Update für die Zertifikatssperrliste (CRL) für dieses Zertifikat ist erhältlich seit {0,date} {0,time,full}.
-CertPathReviewer.crlUpdateAvailable.details = Ein Update für die Zertifikatssperrliste (CRL) für dieses Zertifikat ist erhältlich seit {0,date} {0,time,full}.
-
-# crl distribution point url
-# {0} the crl distribution point url as String
-CertPathReviewer.crlDistPoint.title = CDP
-CertPathReviewer.crlDistPoint.text = Eine Zertifikatssperrliste (CRL) kann von {0} geladen werden.
-CertPathReviewer.crlDistPoint.summary = Eine Zertifikatssperrliste (CRL) kann von {0} geladen werden.
-CertPathReviewer.crlDistPoint.details = Eine Zertifikatssperrliste (CRL) kann von {0} geladen werden.
-
-# ocsp location
-# {0} the url on which the ocsp service can be found
-CertPathReviewer.ocspLocation.title = OCSP Server
-CertPathReviewer.ocspLocation.text = OCSP Server: {0}.
-CertPathReviewer.ocspLocation.summary = OCSP Server: {0}.
-CertPathReviewer.ocspLocation.details = OCSP Server: {0}.
-
-# unable to get crl from crl distribution point
-# {0} the url of the distribution point
-# {1} the message of the occurred exception
-# {2} the occurred exception
-# {3} the name of the exception
-CertPathReviewer.loadCrlDistPointError.title = Kann Zertifikatssperrliste (CRL) nicht von CDP laden
-CertPathReviewer.loadCrlDistPointError.text = Kann die Zertifikatssperrliste (CRL) von {0} nicht laden. Es gab eine {2}.
-CertPathReviewer.loadCrlDistPointError.summary = Kann die Zertifikatssperrliste (CRL) von {0} nicht laden. Es gab eine {2}.
-CertPathReviewer.loadCrlDistPointError.details = Kann die Zertifikatssperrliste (CRL) von {0} nicht laden. Es gab eine {2}. Grund: {1}.
-
-# no crl found in certstores
-# {0} the issuers which we searched for
-# {1} list of crl issuer names that are found in the certstores
-# {2} number of crls in the certstores
-CertPathReviewer.noCrlInCertstore.title = Keine Zertifikatssperrliste (CRL) im lokalen Speicher
-CertPathReviewer.noCrlInCertstore.text = Es wurde keine Zertifikatssperrliste (CRL) im lokalen Speicher gefunden.
-CertPathReviewer.noCrlInCertstore.summary = Es wurde keine Zertifikatssperrliste (CRL) im lokalen Speicher gefunden.
-CertPathReviewer.noCrlInCertstore.details = Es wurde keine Zertifikatssperrliste (CRL) für den Herausgeber {0} im lokalen Speicher gefunden. \
-Die {2} Zertifikatssperrlisten im lokalen Speicher wurden hearusgegeben von {1}.
-
-
-## check CRL exceptions
-
-# cannot extract issuer from certificate
-CertPathReviewer.crlIssuerException.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlIssuerException.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann den Herausgeber vom Zertifikat nicht extrahieren.
-CertPathReviewer.crlIssuerException.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann den Herausgeber vom Zertifikat nicht extrahieren.
-CertPathReviewer.crlIssuerException.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann den Herausgeber vom Zertifikat nicht extrahieren.
-
-# cannot extract crls
-# {0} message from the underlying exception
-# {1} the underlying exception
-# {2} the name of the exception
-CertPathReviewer.crlExtractionError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlExtractionError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab eine {2} beim laden der Zertifikatssperrliste (CRL) aus dem lokalen Speicher.
-CertPathReviewer.crlExtractionError.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab eine {2} beim laden der Zertifikatssperrliste (CRL) aus dem lokalen Speicher.
-CertPathReviewer.crlExtractionError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab eine {2} beim laden der Zertifikatssperrliste (CRL) aus dem lokalen Speicher. Grund: {0}.
-
-# Issuer certificate key usage extension does not permit crl signing
-CertPathReviewer.noCrlSigningPermited.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.noCrlSigningPermited.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Das Herausgeber Zertifikat erlaubt keine Signieren von Zertifikatssperrlisten (CRL).
-CertPathReviewer.noCrlSigningPermited.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Das Herausgeber Zertifikat erlaubt keine Signieren von Zertifikatssperrlisten (CRL).
-CertPathReviewer.noCrlSigningPermited.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Das Herausgeber Zertifikat erlaubt keine Signieren von Zertifikatssperrlisten (CRL).
-
-# can not verify crl: issuer public key unknown
-CertPathReviewer.crlNoIssuerPublicKey.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlNoIssuerPublicKey.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann die Zertifikatssperrliste (CRL) nicht verifizieren. Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-CertPathReviewer.crlNoIssuerPublicKey.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann die Zertifikatssperrliste (CRL) nicht verifizieren. Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-CertPathReviewer.crlNoIssuerPublicKey.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Kann die Zertifikatssperrliste (CRL) nicht verifizieren. Der öffentliche Schlüssel des Herausgebers ist unbekannt.
-
-# crl verification failed
-CertPathReviewer.crlVerifyFailed.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlVerifyFailed.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Signatur der Zertifikatssperrliste (CRL) ist ungültig.
-CertPathReviewer.crlVerifyFailed.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Signatur der Zertifikatssperrliste (CRL) ist ungültig.
-CertPathReviewer.crlVerifyFailed.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Signatur der Zertifikatssperrliste (CRL) ist ungültig.
-
-# no valid CRL found
-CertPathReviewer.noValidCrlFound.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.noValidCrlFound.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine gültige Zertifikatssperrliste (CRL) gefunden.
-CertPathReviewer.noValidCrlFound.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine gültige Zertifikatssperrliste (CRL) gefunden.
-CertPathReviewer.noValidCrlFound.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine gültige Zertifikatssperrliste (CRL) gefunden.
-
-# No base CRL for delta CRL
-CertPathReviewer.noBaseCRL.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.noBaseCRL.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine Basis CRL für die Delta CRL gefunden.
-CertPathReviewer.noBaseCRL.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine Basis CRL für die Delta CRL gefunden.
-CertPathReviewer.noBaseCRL.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: keine Basis CRL für die Delta CRL gefunden.
-
-# certificate revoked
-# {0} the date the certificate was revoked
-# {1} the reason for revoking the certificate
-CertPathReviewer.certRevoked.title = Zertifikat wurde revoziert
-CertPathReviewer.certRevoked.text = Das Zertifikat wurde am {0,date} {0,time,full} revoziert. Grund: {1}.
-CertPathReviewer.certRevoked.summary = Das Zertifikat wurde am {0,date} {0,time,full} revoziert.
-CertPathReviewer.certRevoked.details = Das Zertifikat wurde am {0,date} {0,time,full} revoziert. Grund: {1}.
-
-# error processing issuing distribution point extension
-CertPathReviewer.distrPtExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.distrPtExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Issuing Distribution Point Erweiterung.
-CertPathReviewer.distrPtExtError.summary = Fehler bei der Verarbeitung der Issuing Distribution Point Erweiterung.
-CertPathReviewer.distrPtExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Issuing Distribution Point Erweiterung.
-
-# error processing crl distribution points extension
-CertPathReviewer.crlDistPtExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlDistPtExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Distribution Points Erweiterung.
-CertPathReviewer.crlDistPtExtError.summary = Fehler bei der Verarbeitung der CRL Distribution Points Erweiterung.
-CertPathReviewer.crlDistPtExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Distribution Points Erweiterung.
-
-# error processing the authority info access extension
-CertPathReviewer.crlAuthInfoAccError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlAuthInfoAccError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Authority Info Access Erweiterung.
-CertPathReviewer.crlAuthInfoAccError.summary = Fehler bei der Verarbeitung der Authority Info Access Erweiterung.
-CertPathReviewer.crlAuthInfoAccError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Authority Info Access Erweiterung.
-
-# error processing delta crl indicator extension
-CertPathReviewer.deltaCrlExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.deltaCrlExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Delta CRL Indicator Erweiterung.
-CertPathReviewer.deltaCrlExtError.summary = Fehler bei der Verarbeitung der Delta CRL Indicator Erweiterung.
-CertPathReviewer.deltaCrlExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der Delta CRL Indicator Erweiterung.
-
-# error porcessing crl number extension
-CertPathReviewer.crlNbrExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlNbrExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Number Erweiterung.
-CertPathReviewer.crlNbrExtError.summary = Fehler bei der Verarbeitung der CRL Number Erweiterung.
-CertPathReviewer.crlNbrExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Number Erweiterung.
-
-# error processing crl reason code extension
-CertPathReviewer.crlReasonExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlReasonExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-CertPathReviewer.crlReasonExtError.summary = Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-CertPathReviewer.crlReasonExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-
-# error processing basic constraints extension
-CertPathReviewer.crlBCExtError.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlBCExtError.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-CertPathReviewer.crlBCExtError.summary = Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-CertPathReviewer.crlBCExtError.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Es gab einen Fehler bei der Verarbeitung der CRL Reason Code Erweiterung.
-
-# CA Cert CRL only contains user certificates
-CertPathReviewer.crlOnlyUserCert.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlOnlyUserCert.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur User Zertifikate.
-CertPathReviewer.crlOnlyUserCert.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur User Zertifikate.
-CertPathReviewer.crlOnlyUserCert.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur User Zertifikate.
-
-# End CRL only contains CA certificates
-CertPathReviewer.crlOnlyCaCert.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlOnlyCaCert.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur CA Zertifikate.
-CertPathReviewer.crlOnlyCaCert.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur CA Zertifikate.
-CertPathReviewer.crlOnlyCaCert.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur CA Zertifikate.
-
-# onlyContainsAttributeCerts boolean is asserted
-CertPathReviewer.crlOnlyAttrCert.title = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen
-CertPathReviewer.crlOnlyAttrCert.text = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur Attribut Zertifikate.
-CertPathReviewer.crlOnlyAttrCert.summary = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur Attribut Zertifikate.
-CertPathReviewer.crlOnlyAttrCert.details = Prüfung der Zertifikatssperrliste (CRL) fehlgeschlagen: Die Zertifikatssperrliste (CRL) enthält nur Attribut Zertifikate.
-
-
-## QcStatement notifications
-
-# unkown statement
-# {0} statement OID
-# {1} statement as ANS1Sequence
-CertPathReviewer.QcUnknownStatement.title = Unbekanntes Statement in der QcStatement Erweiterung
-CertPathReviewer.QcUnknownStatement.text = Unbekanntes Statement in der QcStatement Erweiterung: OID = {0}
-CertPathReviewer.QcUnknownStatement.summary = Unbekanntes Statement in der QcStatement Erweiterung: OID = {0}
-CertPathReviewer.QcUnknownStatement.details = Unbekanntes Statement in der QcStatement Erweiterung: OID = {0}, statement = {1}
-
-# QcLimitValue Alpha currency code
-# {0} currency code
-# {1} limit value
-# {2} monetary value as MonetaryValue
-CertPathReviewer.QcLimitValueAlpha.title = Transaction Value Limit
-CertPathReviewer.QcLimitValueAlpha.text = Dieses Zertifikat hat ein Wertlimite von {1,number, ###,###,###,##0.00#} {0} für Transaktionen.
-CertPathReviewer.QcLimitValueAlpha.summary = Wertlimite von {1,number, ###,###,###,##0.00#} {0} für Transaktionen.
-CertPathReviewer.QcLimitValueAlpha.details = Dieses Zertifikat hat eine Wertlimite für Transaktionen für welche\
- das Zertifikat genutzt werden kann, gemäss der Richtlinie 1999/93/EG des Europäischen Parlaments und\
- des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen und gemäss der Umsetzung der\
- Richtlinie im Land, das im Herausgeber dieses Zertifikats angegeben ist. Die Limite für diese Zertifikat ist {1,number, ###,###,###,##0.00#} {0}.
-
-# QcLimitValue Numeric currency code
-# {0} currency code
-# {1} limit value
-# {2} monetary value as MonetaryValue
-CertPathReviewer.QcLimitValueNum.title = Transaction Value Limit
-CertPathReviewer.QcLimitValueNum.text = Dieses Zertifikat hat eine Wertlimite für Transaktionen von {1,number, ###,###,###,##0.00#} der Währung {0} (Siehe RFC 4217 für Währungscodes).
-CertPathReviewer.QcLimitValueNum.summary = Wertlimite für Transaktionen von {1,number, ###,###,###,##0.00#} der Währung {0} (Siehe RFC 4217 für Währungscodes).
-CertPathReviewer.QcLimitValueNum.details = Dieses Zertifikat hat eine Wertlimite für Transaktionen für welche\
- das Zertifikat genutzt werden kann, gemäss der Richtlinie 1999/93/EG des Europäischen Parlaments und\
- des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen und gemäss der Umsetzung der\
- Richtlinie im Land, das im Herausgeber dieses Zertifikats angegeben ist. Die Limite für diese Zertifikat ist {1,number, ###,###,###,##0.00#} der Währung {0} (Siehe RFC 4217 für Währungscodes).
-
-# QcSSCD
-CertPathReviewer.QcSSCD.title = QcSSCD Statement
-CertPathReviewer.QcSSCD.text = (SSCD) Der Herausgeber macht geltend, dass der Private Schlüssel, der mit diesem Zertifikat verbunden ist, nach den Anforderungen die im Anhang III der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen geschützt ist.
-CertPathReviewer.QcSSCD.summary = (SSCD) Der Herausgeber macht geltend, dass der Private Schlüssel, der mit diesem Zertifikat verbunden ist, nach den Anforderungen die im Anhang III der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen geschützt ist.
-CertPathReviewer.QcSSCD.details = (SSCD) Der Herausgeber macht geltend, dass der Private Schlüssel, der mit diesem Zertifikat verbunden ist, nach den Anforderungen die im Anhang III der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen geschützt ist.
-
-# QcEuCompliance
-CertPathReviewer.QcEuCompliance.title = Qualifiziertes Zertifikat
-CertPathReviewer.QcEuCompliance.text = Dieses Zertifikat wurde als Qualifiziertes Zertifikat herausgegeben gemäss Anhang I und II der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen und gemäss der Umsetzung der Richtlinie im Land, das im Herausgeber dieses Zertifikats angegeben ist.
-CertPathReviewer.QcEuCompliance.summary = Dieses Zertifikat wurde als Qualifiziertes Zertifikat herausgegeben gemäss Anhang I und II der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen und gemäss der Umsetzung der Richtlinie in dem Land, das im Herausgeber dieses Zertifikats angegeben ist.
-CertPathReviewer.QcEuCompliance.details = Dieses Zertifikat wurde als Qualifiziertes Zertifikat herausgegeben gemäss Anhang I und II der Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen und gemäss der Umsetzung der Richtlinie in dem Land, das im Herausgeber dieses Zertifikats angegeben ist.
-
-## QcStatement errors
-
-# error processing the QcStatement extension
-CertPathReviewer.QcStatementExtError.title = Fehler bei der Verarbeitung der QcStatement Erweiterung
-CertPathReviewer.QcStatementExtError.text = Fehler bei der Verarbeitung der QcStatement Erweiterung.
-CertPathReviewer.QcStatementExtError.summary = Fehler bei der Verarbeitung der QcStatement Erweiterung.
-CertPathReviewer.QcStatementExtError.details = Fehler bei der Verarbeitung der QcStatement Erweiterung.
-
-## unknown/generic errors
-CertPathReviewer.unknown.title = Unbekannter Fehler
-CertPathReviewer.unknown.text = Unbekannter Fehler {0}
-CertPathReviewer.unknown.summary = Unbekannter Fehler
-CertPathReviewer.unknown.details = Unbekannter Fehler {0}
-
-#
-# crl reasons
-#
-unspecified = Nicht spezifiziert
-keyCompromise = Schlüssel Kompromittierung
-cACompromise = CA Kompromittierung
-affiliationChanged = Veränderte Zugehörigkeit
-superseded = Ersetzt
-cessationOfOperation = Einstellen der Tätigkeiten
-certificateHold = Zertifikat vorübergehend gesperrt
-unknown = Unbekannt
-removeFromCRL = Entferne von der CRL
-privilegeWithdrawn = Zurückgezogene Rechte
-aACompromise = AA Kompromittierung
-
-#
-#
-#
-missingIssuer = The missing certificate was issued by
-missingSerial = with the serial number
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/CertPathValidatorUtilities.java b/bcprov/src/main/java/org/bouncycastle/x509/CertPathValidatorUtilities.java
deleted file mode 100644
index ca8769c..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/CertPathValidatorUtilities.java
+++ /dev/null
@@ -1,1517 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.cert.CRLException;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.PKIXParameters;
-import java.security.cert.PolicyQualifierInfo;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CRL;
-import java.security.cert.X509CRLEntry;
-import java.security.cert.X509CRLSelector;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAParams;
-import java.security.interfaces.DSAPublicKey;
-import java.security.spec.DSAPublicKeySpec;
-import java.text.ParseException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1Enumerated;
-import org.bouncycastle.asn1.ASN1GeneralizedTime;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.ASN1Integer;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.ASN1OctetString;
-import org.bouncycastle.asn1.ASN1OutputStream;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.DERIA5String;
-import org.bouncycastle.asn1.DERSequence;
-import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.CRLDistPoint;
-import org.bouncycastle.asn1.x509.CRLReason;
-import org.bouncycastle.asn1.x509.DistributionPoint;
-import org.bouncycastle.asn1.x509.DistributionPointName;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
-import org.bouncycastle.asn1.x509.PolicyInformation;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x509.X509Extension;
-import org.bouncycastle.jcajce.PKIXCertStoreSelector;
-import org.bouncycastle.jce.X509LDAPCertStoreParameters;
-import org.bouncycastle.jce.exception.ExtCertPathValidatorException;
-import org.bouncycastle.jce.provider.AnnotatedException;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.jce.provider.PKIXPolicyNode;
-import org.bouncycastle.util.Encodable;
-import org.bouncycastle.util.Integers;
-import org.bouncycastle.util.Selector;
-import org.bouncycastle.util.Store;
-import org.bouncycastle.util.StoreException;
-
-class CertPathValidatorUtilities
-{
- protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();
-
- protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId();
- protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId();
- protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId();
- protected static final String SUBJECT_ALTERNATIVE_NAME = Extension.subjectAlternativeName.getId();
- protected static final String NAME_CONSTRAINTS = Extension.nameConstraints.getId();
- protected static final String KEY_USAGE = Extension.keyUsage.getId();
- protected static final String INHIBIT_ANY_POLICY = Extension.inhibitAnyPolicy.getId();
- protected static final String ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId();
- protected static final String DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId();
- protected static final String POLICY_CONSTRAINTS = Extension.policyConstraints.getId();
- protected static final String FRESHEST_CRL = Extension.freshestCRL.getId();
- protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId();
- protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId();
-
- protected static final String ANY_POLICY = "2.5.29.32.0";
-
- protected static final String CRL_NUMBER = Extension.cRLNumber.getId();
-
- /*
- * key usage bits
- */
- protected static final int KEY_CERT_SIGN = 5;
- protected static final int CRL_SIGN = 6;
-
- protected static final String[] crlReasons = new String[]{
- "unspecified",
- "keyCompromise",
- "cACompromise",
- "affiliationChanged",
- "superseded",
- "cessationOfOperation",
- "certificateHold",
- "unknown",
- "removeFromCRL",
- "privilegeWithdrawn",
- "aACompromise"};
-
- /**
- * Search the given Set of TrustAnchor's for one that is the
- * issuer of the given X509 certificate. Uses the default provider
- * for signature verification.
- *
- * @param cert the X509 certificate
- * @param trustAnchors a Set of TrustAnchor's
- * @return the <code>TrustAnchor</code> object if found or
- * <code>null</code> if not.
- * @throws AnnotatedException if a TrustAnchor was found but the signature verification
- * on the given certificate has thrown an exception.
- */
- protected static TrustAnchor findTrustAnchor(
- X509Certificate cert,
- Set trustAnchors)
- throws AnnotatedException
- {
- return findTrustAnchor(cert, trustAnchors, null);
- }
-
- /**
- * Search the given Set of TrustAnchor's for one that is the
- * issuer of the given X509 certificate. Uses the specified
- * provider for signature verification, or the default provider
- * if null.
- *
- * @param cert the X509 certificate
- * @param trustAnchors a Set of TrustAnchor's
- * @param sigProvider the provider to use for signature verification
- * @return the <code>TrustAnchor</code> object if found or
- * <code>null</code> if not.
- * @throws AnnotatedException if a TrustAnchor was found but the signature verification
- * on the given certificate has thrown an exception.
- */
- protected static TrustAnchor findTrustAnchor(
- X509Certificate cert,
- Set trustAnchors,
- String sigProvider)
- throws AnnotatedException
- {
- TrustAnchor trust = null;
- PublicKey trustPublicKey = null;
- Exception invalidKeyEx = null;
-
- X509CertSelector certSelectX509 = new X509CertSelector();
- X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
-
- try
- {
- certSelectX509.setSubject(certIssuer.getEncoded());
- }
- catch (IOException ex)
- {
- throw new AnnotatedException("Cannot set subject search criteria for trust anchor.", ex);
- }
-
- Iterator iter = trustAnchors.iterator();
- while (iter.hasNext() && trust == null)
- {
- trust = (TrustAnchor)iter.next();
- if (trust.getTrustedCert() != null)
- {
- if (certSelectX509.match(trust.getTrustedCert()))
- {
- trustPublicKey = trust.getTrustedCert().getPublicKey();
- }
- else
- {
- trust = null;
- }
- }
- else if (trust.getCAName() != null
- && trust.getCAPublicKey() != null)
- {
- try
- {
- X500Principal caName = new X500Principal(trust.getCAName());
- if (certIssuer.equals(caName))
- {
- trustPublicKey = trust.getCAPublicKey();
- }
- else
- {
- trust = null;
- }
- }
- catch (IllegalArgumentException ex)
- {
- trust = null;
- }
- }
- else
- {
- trust = null;
- }
-
- if (trustPublicKey != null)
- {
- try
- {
- verifyX509Certificate(cert, trustPublicKey, sigProvider);
- }
- catch (Exception ex)
- {
- invalidKeyEx = ex;
- trust = null;
- trustPublicKey = null;
- }
- }
- }
-
- if (trust == null && invalidKeyEx != null)
- {
- throw new AnnotatedException("TrustAnchor found but certificate validation failed.", invalidKeyEx);
- }
-
- return trust;
- }
-
- protected static void addAdditionalStoresFromAltNames(
- X509Certificate cert,
- ExtendedPKIXParameters pkixParams)
- throws CertificateParsingException
- {
- // if in the IssuerAltName extension an URI
- // is given, add an additional X.509 store
- if (cert.getIssuerAlternativeNames() != null)
- {
- Iterator it = cert.getIssuerAlternativeNames().iterator();
- while (it.hasNext())
- {
- // look for URI
- List list = (List)it.next();
- if (list.get(0).equals(Integers.valueOf(GeneralName.uniformResourceIdentifier)))
- {
- // found
- String temp = (String)list.get(1);
- CertPathValidatorUtilities.addAdditionalStoreFromLocation(temp, pkixParams);
- }
- }
- }
- }
-
- /**
- * Returns the issuer of an attribute certificate or certificate.
- *
- * @param cert The attribute certificate or certificate.
- * @return The issuer as <code>X500Principal</code>.
- */
- protected static X500Principal getEncodedIssuerPrincipal(
- Object cert)
- {
- if (cert instanceof X509Certificate)
- {
- return ((X509Certificate)cert).getIssuerX500Principal();
- }
- else
- {
- return (X500Principal)((X509AttributeCertificate)cert).getIssuer().getPrincipals()[0];
- }
- }
-
- protected static Date getValidDate(PKIXParameters paramsPKIX)
- {
- Date validDate = paramsPKIX.getDate();
-
- if (validDate == null)
- {
- validDate = new Date();
- }
-
- return validDate;
- }
-
- protected static X500Principal getSubjectPrincipal(X509Certificate cert)
- {
- return cert.getSubjectX500Principal();
- }
-
- protected static boolean isSelfIssued(X509Certificate cert)
- {
- return cert.getSubjectDN().equals(cert.getIssuerDN());
- }
-
-
- /**
- * Extract the value of the given extension, if it exists.
- *
- * @param ext The extension object.
- * @param oid The object identifier to obtain.
- * @throws AnnotatedException if the extension cannot be read.
- */
- protected static ASN1Primitive getExtensionValue(
- java.security.cert.X509Extension ext,
- String oid)
- throws AnnotatedException
- {
- byte[] bytes = ext.getExtensionValue(oid);
- if (bytes == null)
- {
- return null;
- }
-
- return getObject(oid, bytes);
- }
-
- private static ASN1Primitive getObject(
- String oid,
- byte[] ext)
- throws AnnotatedException
- {
- try
- {
- ASN1InputStream aIn = new ASN1InputStream(ext);
- ASN1OctetString octs = (ASN1OctetString)aIn.readObject();
-
- aIn = new ASN1InputStream(octs.getOctets());
- return aIn.readObject();
- }
- catch (Exception e)
- {
- throw new AnnotatedException("exception processing extension " + oid, e);
- }
- }
-
- protected static X500Principal getIssuerPrincipal(X509CRL crl)
- {
- return crl.getIssuerX500Principal();
- }
-
- protected static AlgorithmIdentifier getAlgorithmIdentifier(
- PublicKey key)
- throws CertPathValidatorException
- {
- try
- {
- ASN1InputStream aIn = new ASN1InputStream(key.getEncoded());
-
- SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());
-
- return info.getAlgorithmId();
- }
- catch (Exception e)
- {
- throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", e);
- }
- }
-
- // crl checking
-
-
- //
- // policy checking
- //
-
- protected static final Set getQualifierSet(ASN1Sequence qualifiers)
- throws CertPathValidatorException
- {
- Set pq = new HashSet();
-
- if (qualifiers == null)
- {
- return pq;
- }
-
- ByteArrayOutputStream bOut = new ByteArrayOutputStream();
- ASN1OutputStream aOut = new ASN1OutputStream(bOut);
-
- Enumeration e = qualifiers.getObjects();
-
- while (e.hasMoreElements())
- {
- try
- {
- aOut.writeObject((ASN1Encodable)e.nextElement());
-
- pq.add(new PolicyQualifierInfo(bOut.toByteArray()));
- }
- catch (IOException ex)
- {
- throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex);
- }
-
- bOut.reset();
- }
-
- return pq;
- }
-
- protected static PKIXPolicyNode removePolicyNode(
- PKIXPolicyNode validPolicyTree,
- List[] policyNodes,
- PKIXPolicyNode _node)
- {
- PKIXPolicyNode _parent = (PKIXPolicyNode)_node.getParent();
-
- if (validPolicyTree == null)
- {
- return null;
- }
-
- if (_parent == null)
- {
- for (int j = 0; j < policyNodes.length; j++)
- {
- policyNodes[j] = new ArrayList();
- }
-
- return null;
- }
- else
- {
- _parent.removeChild(_node);
- removePolicyNodeRecurse(policyNodes, _node);
-
- return validPolicyTree;
- }
- }
-
- private static void removePolicyNodeRecurse(
- List[] policyNodes,
- PKIXPolicyNode _node)
- {
- policyNodes[_node.getDepth()].remove(_node);
-
- if (_node.hasChildren())
- {
- Iterator _iter = _node.getChildren();
- while (_iter.hasNext())
- {
- PKIXPolicyNode _child = (PKIXPolicyNode)_iter.next();
- removePolicyNodeRecurse(policyNodes, _child);
- }
- }
- }
-
-
- protected static boolean processCertD1i(
- int index,
- List[] policyNodes,
- ASN1ObjectIdentifier pOid,
- Set pq)
- {
- List policyNodeVec = policyNodes[index - 1];
-
- for (int j = 0; j < policyNodeVec.size(); j++)
- {
- PKIXPolicyNode node = (PKIXPolicyNode)policyNodeVec.get(j);
- Set expectedPolicies = node.getExpectedPolicies();
-
- if (expectedPolicies.contains(pOid.getId()))
- {
- Set childExpectedPolicies = new HashSet();
- childExpectedPolicies.add(pOid.getId());
-
- PKIXPolicyNode child = new PKIXPolicyNode(new ArrayList(),
- index,
- childExpectedPolicies,
- node,
- pq,
- pOid.getId(),
- false);
- node.addChild(child);
- policyNodes[index].add(child);
-
- return true;
- }
- }
-
- return false;
- }
-
- protected static void processCertD1ii(
- int index,
- List[] policyNodes,
- ASN1ObjectIdentifier _poid,
- Set _pq)
- {
- List policyNodeVec = policyNodes[index - 1];
-
- for (int j = 0; j < policyNodeVec.size(); j++)
- {
- PKIXPolicyNode _node = (PKIXPolicyNode)policyNodeVec.get(j);
-
- if (ANY_POLICY.equals(_node.getValidPolicy()))
- {
- Set _childExpectedPolicies = new HashSet();
- _childExpectedPolicies.add(_poid.getId());
-
- PKIXPolicyNode _child = new PKIXPolicyNode(new ArrayList(),
- index,
- _childExpectedPolicies,
- _node,
- _pq,
- _poid.getId(),
- false);
- _node.addChild(_child);
- policyNodes[index].add(_child);
- return;
- }
- }
- }
-
- protected static void prepareNextCertB1(
- int i,
- List[] policyNodes,
- String id_p,
- Map m_idp,
- X509Certificate cert
- )
- throws AnnotatedException, CertPathValidatorException
- {
- boolean idp_found = false;
- Iterator nodes_i = policyNodes[i].iterator();
- while (nodes_i.hasNext())
- {
- PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
- if (node.getValidPolicy().equals(id_p))
- {
- idp_found = true;
- node.setExpectedPolicies((Set)m_idp.get(id_p));
- break;
- }
- }
-
- if (!idp_found)
- {
- nodes_i = policyNodes[i].iterator();
- while (nodes_i.hasNext())
- {
- PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
- if (ANY_POLICY.equals(node.getValidPolicy()))
- {
- Set pq = null;
- ASN1Sequence policies = null;
- try
- {
- policies = DERSequence.getInstance(getExtensionValue(cert, CERTIFICATE_POLICIES));
- }
- catch (Exception e)
- {
- throw new AnnotatedException("Certificate policies cannot be decoded.", e);
- }
- Enumeration e = policies.getObjects();
- while (e.hasMoreElements())
- {
- PolicyInformation pinfo = null;
-
- try
- {
- pinfo = PolicyInformation.getInstance(e.nextElement());
- }
- catch (Exception ex)
- {
- throw new AnnotatedException("Policy information cannot be decoded.", ex);
- }
- if (ANY_POLICY.equals(pinfo.getPolicyIdentifier().getId()))
- {
- try
- {
- pq = getQualifierSet(pinfo.getPolicyQualifiers());
- }
- catch (CertPathValidatorException ex)
- {
- throw new ExtCertPathValidatorException(
- "Policy qualifier info set could not be built.", ex);
- }
- break;
- }
- }
- boolean ci = false;
- if (cert.getCriticalExtensionOIDs() != null)
- {
- ci = cert.getCriticalExtensionOIDs().contains(CERTIFICATE_POLICIES);
- }
-
- PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
- if (ANY_POLICY.equals(p_node.getValidPolicy()))
- {
- PKIXPolicyNode c_node = new PKIXPolicyNode(
- new ArrayList(), i,
- (Set)m_idp.get(id_p),
- p_node, pq, id_p, ci);
- p_node.addChild(c_node);
- policyNodes[i].add(c_node);
- }
- break;
- }
- }
- }
- }
-
- protected static PKIXPolicyNode prepareNextCertB2(
- int i,
- List[] policyNodes,
- String id_p,
- PKIXPolicyNode validPolicyTree)
- {
- Iterator nodes_i = policyNodes[i].iterator();
- while (nodes_i.hasNext())
- {
- PKIXPolicyNode node = (PKIXPolicyNode)nodes_i.next();
- if (node.getValidPolicy().equals(id_p))
- {
- PKIXPolicyNode p_node = (PKIXPolicyNode)node.getParent();
- p_node.removeChild(node);
- nodes_i.remove();
- for (int k = (i - 1); k >= 0; k--)
- {
- List nodes = policyNodes[k];
- for (int l = 0; l < nodes.size(); l++)
- {
- PKIXPolicyNode node2 = (PKIXPolicyNode)nodes.get(l);
- if (!node2.hasChildren())
- {
- validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node2);
- if (validPolicyTree == null)
- {
- break;
- }
- }
- }
- }
- }
- }
- return validPolicyTree;
- }
-
- protected static boolean isAnyPolicy(
- Set policySet)
- {
- return policySet == null || policySet.contains(ANY_POLICY) || policySet.isEmpty();
- }
-
- protected static void addAdditionalStoreFromLocation(String location,
- ExtendedPKIXParameters pkixParams)
- {
- if (pkixParams.isAdditionalLocationsEnabled())
- {
- try
- {
- if (location.startsWith("ldap://"))
- {
- // ldap://directory.d-trust.net/CN=D-TRUST
- // Qualified CA 2003 1:PN,O=D-Trust GmbH,C=DE
- // skip "ldap://"
- location = location.substring(7);
- // after first / baseDN starts
- String base = null;
- String url = null;
- if (location.indexOf("/") != -1)
- {
- base = location.substring(location.indexOf("/"));
- // URL
- url = "ldap://"
- + location.substring(0, location.indexOf("/"));
- }
- else
- {
- url = "ldap://" + location;
- }
- // use all purpose parameters
- X509LDAPCertStoreParameters params = new X509LDAPCertStoreParameters.Builder(
- url, base).build();
- pkixParams.addAdditionalStore(X509Store.getInstance(
- "CERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
- pkixParams.addAdditionalStore(X509Store.getInstance(
- "CRL/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
- pkixParams.addAdditionalStore(X509Store.getInstance(
- "ATTRIBUTECERTIFICATE/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
- pkixParams.addAdditionalStore(X509Store.getInstance(
- "CERTIFICATEPAIR/LDAP", params, BouncyCastleProvider.PROVIDER_NAME));
- }
- }
- catch (Exception e)
- {
- // cannot happen
- throw new RuntimeException("Exception adding X.509 stores.");
- }
- }
- }
-
- /**
- * Return a Collection of all certificates or attribute certificates found
- * in the X509Store's that are matching the certSelect criteriums.
- *
- * @param certSelect a {@link Selector} object that will be used to select
- * the certificates
- * @param certStores a List containing only {@link X509Store} objects. These
- * are used to search for certificates.
- * @return a Collection of all found {@link X509Certificate} or
- * {@link org.bouncycastle.x509.X509AttributeCertificate} objects.
- * May be empty but never <code>null</code>.
- */
- protected static Collection findCertificates(X509CertStoreSelector certSelect,
- List certStores)
- throws AnnotatedException
- {
- Set certs = new HashSet();
- Iterator iter = certStores.iterator();
- org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory certFact = new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory();
-
- while (iter.hasNext())
- {
- Object obj = iter.next();
-
- if (obj instanceof Store)
- {
- Store certStore = (Store)obj;
- try
- {
- for (Iterator it = certStore.getMatches(certSelect).iterator(); it.hasNext();)
- {
- Object cert = it.next();
-
- if (cert instanceof Encodable)
- {
- certs.add(certFact.engineGenerateCertificate(new ByteArrayInputStream(((Encodable)cert).getEncoded())));
- }
- else if (cert instanceof Certificate)
- {
- certs.add(cert);
- }
- else
- {
- throw new AnnotatedException(
- "Unknown object found in certificate store.");
- }
- }
- }
- catch (StoreException e)
- {
- throw new AnnotatedException(
- "Problem while picking certificates from X.509 store.", e);
- }
- catch (IOException e)
- {
- throw new AnnotatedException(
- "Problem while extracting certificates from X.509 store.", e);
- }
- catch (CertificateException e)
- {
- throw new AnnotatedException(
- "Problem while extracting certificates from X.509 store.", e);
- }
- }
- else
- {
- CertStore certStore = (CertStore)obj;
-
- try
- {
- certs.addAll(certStore.getCertificates(certSelect));
- }
- catch (CertStoreException e)
- {
- throw new AnnotatedException(
- "Problem while picking certificates from certificate store.",
- e);
- }
- }
- }
- return certs;
- }
-
- protected static Collection findCertificates(PKIXCertStoreSelector certSelect,
- List certStores)
- throws AnnotatedException
- {
- Set certs = new HashSet();
- Iterator iter = certStores.iterator();
-
- while (iter.hasNext())
- {
- Object obj = iter.next();
-
- if (obj instanceof Store)
- {
- Store certStore = (Store)obj;
- try
- {
- certs.addAll(certStore.getMatches(certSelect));
- }
- catch (StoreException e)
- {
- throw new AnnotatedException(
- "Problem while picking certificates from X.509 store.", e);
- }
- }
- else
- {
- CertStore certStore = (CertStore)obj;
-
- try
- {
- certs.addAll(PKIXCertStoreSelector.getCertificates(certSelect, certStore));
- }
- catch (CertStoreException e)
- {
- throw new AnnotatedException(
- "Problem while picking certificates from certificate store.",
- e);
- }
- }
- }
- return certs;
- }
-
- protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
- List certStores)
- throws AnnotatedException
- {
- Set certs = new HashSet();
- Iterator iter = certStores.iterator();
-
- while (iter.hasNext())
- {
- Object obj = iter.next();
-
- if (obj instanceof X509Store)
- {
- X509Store certStore = (X509Store)obj;
- try
- {
- certs.addAll(certStore.getMatches(certSelect));
- }
- catch (StoreException e)
- {
- throw new AnnotatedException(
- "Problem while picking certificates from X.509 store.", e);
- }
- }
- }
- return certs;
- }
-
- protected static void addAdditionalStoresFromCRLDistributionPoint(
- CRLDistPoint crldp, ExtendedPKIXParameters pkixParams)
- throws AnnotatedException
- {
- if (crldp != null)
- {
- DistributionPoint dps[] = null;
- try
- {
- dps = crldp.getDistributionPoints();
- }
- catch (Exception e)
- {
- throw new AnnotatedException(
- "Distribution points could not be read.", e);
- }
- for (int i = 0; i < dps.length; i++)
- {
- DistributionPointName dpn = dps[i].getDistributionPoint();
- // look for URIs in fullName
- if (dpn != null)
- {
- if (dpn.getType() == DistributionPointName.FULL_NAME)
- {
- GeneralName[] genNames = GeneralNames.getInstance(
- dpn.getName()).getNames();
- // look for an URI
- for (int j = 0; j < genNames.length; j++)
- {
- if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
- {
- String location = DERIA5String.getInstance(
- genNames[j].getName()).getString();
- CertPathValidatorUtilities
- .addAdditionalStoreFromLocation(location,
- pkixParams);
- }
- }
- }
- }
- }
- }
- }
-
- /**
- * Add the CRL issuers from the cRLIssuer field of the distribution point or
- * from the certificate if not given to the issuer criterion of the
- * <code>selector</code>.
- * <p>
- * The <code>issuerPrincipals</code> are a collection with a single
- * <code>X500Principal</code> for <code>X509Certificate</code>s. For
- * {@link X509AttributeCertificate}s the issuer may contain more than one
- * <code>X500Principal</code>.
- * </p>
- * @param dp The distribution point.
- * @param issuerPrincipals The issuers of the certificate or attribute
- * certificate which contains the distribution point.
- * @param selector The CRL selector.
- * @param pkixParams The PKIX parameters containing the cert stores.
- * @throws AnnotatedException if an exception occurs while processing.
- * @throws ClassCastException if <code>issuerPrincipals</code> does not
- * contain only <code>X500Principal</code>s.
- */
- protected static void getCRLIssuersFromDistributionPoint(
- DistributionPoint dp,
- Collection issuerPrincipals,
- X509CRLSelector selector,
- ExtendedPKIXParameters pkixParams)
- throws AnnotatedException
- {
- List issuers = new ArrayList();
- // indirect CRL
- if (dp.getCRLIssuer() != null)
- {
- GeneralName genNames[] = dp.getCRLIssuer().getNames();
- // look for a DN
- for (int j = 0; j < genNames.length; j++)
- {
- if (genNames[j].getTagNo() == GeneralName.directoryName)
- {
- try
- {
- issuers.add(new X500Principal(genNames[j].getName()
- .toASN1Primitive().getEncoded()));
- }
- catch (IOException e)
- {
- throw new AnnotatedException(
- "CRL issuer information from distribution point cannot be decoded.",
- e);
- }
- }
- }
- }
- else
- {
- /*
- * certificate issuer is CRL issuer, distributionPoint field MUST be
- * present.
- */
- if (dp.getDistributionPoint() == null)
- {
- throw new AnnotatedException(
- "CRL issuer is omitted from distribution point but no distributionPoint field present.");
- }
- // add and check issuer principals
- for (Iterator it = issuerPrincipals.iterator(); it.hasNext(); )
- {
- issuers.add((X500Principal)it.next());
- }
- }
- // TODO: is not found although this should correctly add the rel name. selector of Sun is buggy here or PKI test case is invalid
- // distributionPoint
-// if (dp.getDistributionPoint() != null)
-// {
-// // look for nameRelativeToCRLIssuer
-// if (dp.getDistributionPoint().getType() == DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER)
-// {
-// // append fragment to issuer, only one
-// // issuer can be there, if this is given
-// if (issuers.size() != 1)
-// {
-// throw new AnnotatedException(
-// "nameRelativeToCRLIssuer field is given but more than one CRL issuer is given.");
-// }
-// ASN1Encodable relName = dp.getDistributionPoint().getName();
-// Iterator it = issuers.iterator();
-// List issuersTemp = new ArrayList(issuers.size());
-// while (it.hasNext())
-// {
-// Enumeration e = null;
-// try
-// {
-// e = ASN1Sequence.getInstance(
-// new ASN1InputStream(((X500Principal) it.next())
-// .getEncoded()).readObject()).getObjects();
-// }
-// catch (IOException ex)
-// {
-// throw new AnnotatedException(
-// "Cannot decode CRL issuer information.", ex);
-// }
-// ASN1EncodableVector v = new ASN1EncodableVector();
-// while (e.hasMoreElements())
-// {
-// v.add((ASN1Encodable) e.nextElement());
-// }
-// v.add(relName);
-// issuersTemp.add(new X500Principal(new DERSequence(v)
-// .getDEREncoded()));
-// }
-// issuers.clear();
-// issuers.addAll(issuersTemp);
-// }
-// }
- Iterator it = issuers.iterator();
- while (it.hasNext())
- {
- try
- {
- selector.addIssuerName(((X500Principal)it.next()).getEncoded());
- }
- catch (IOException ex)
- {
- throw new AnnotatedException(
- "Cannot decode CRL issuer information.", ex);
- }
- }
- }
-
- private static BigInteger getSerialNumber(
- Object cert)
- {
- if (cert instanceof X509Certificate)
- {
- return ((X509Certificate)cert).getSerialNumber();
- }
- else
- {
- return ((X509AttributeCertificate)cert).getSerialNumber();
- }
- }
-
- protected static void getCertStatus(
- Date validDate,
- X509CRL crl,
- Object cert,
- CertStatus certStatus)
- throws AnnotatedException
- {
- X509CRLEntry crl_entry = null;
-
- boolean isIndirect;
- try
- {
- isIndirect = isIndirectCRL(crl);
- }
- catch (CRLException exception)
- {
- throw new AnnotatedException("Failed check for indirect CRL.", exception);
- }
-
- if (isIndirect)
- {
- crl_entry = crl.getRevokedCertificate(getSerialNumber(cert));
-
- if (crl_entry == null)
- {
- return;
- }
-
- X500Principal certIssuer = crl_entry.getCertificateIssuer();
-
- if (certIssuer == null)
- {
- certIssuer = getIssuerPrincipal(crl);
- }
-
- if (!getEncodedIssuerPrincipal(cert).equals(certIssuer))
- {
- return;
- }
- }
- else if (!getEncodedIssuerPrincipal(cert).equals(getIssuerPrincipal(crl)))
- {
- return; // not for our issuer, ignore
- }
- else
- {
- crl_entry = crl.getRevokedCertificate(getSerialNumber(cert));
-
- if (crl_entry == null)
- {
- return;
- }
- }
-
- ASN1Enumerated reasonCode = null;
- if (crl_entry.hasExtensions())
- {
- try
- {
- reasonCode = ASN1Enumerated
- .getInstance(CertPathValidatorUtilities
- .getExtensionValue(crl_entry,
- X509Extension.reasonCode.getId()));
- }
- catch (Exception e)
- {
- throw new AnnotatedException(
- "Reason code CRL entry extension could not be decoded.",
- e);
- }
- }
-
- // for reason keyCompromise, caCompromise, aACompromise or
- // unspecified
- if (!(validDate.getTime() < crl_entry.getRevocationDate().getTime())
- || reasonCode == null
- || reasonCode.getValue().intValue() == 0
- || reasonCode.getValue().intValue() == 1
- || reasonCode.getValue().intValue() == 2
- || reasonCode.getValue().intValue() == 8)
- {
-
- // (i) or (j) (1)
- if (reasonCode != null)
- {
- certStatus.setCertStatus(reasonCode.getValue().intValue());
- }
- // (i) or (j) (2)
- else
- {
- certStatus.setCertStatus(CRLReason.unspecified);
- }
- certStatus.setRevocationDate(crl_entry.getRevocationDate());
- }
- }
-
- /**
- * Fetches delta CRLs according to RFC 3280 section 5.2.4.
- *
- * @param currentDate The date for which the delta CRLs must be valid.
- * @param paramsPKIX The extended PKIX parameters.
- * @param completeCRL The complete CRL the delta CRL is for.
- * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs.
- * @throws AnnotatedException if an exception occurs while picking the delta
- * CRLs.
- */
- protected static Set getDeltaCRLs(Date currentDate,
- ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL)
- throws AnnotatedException
- {
-
- X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector();
-
- // 5.2.4 (a)
- try
- {
- deltaSelect.addIssuerName(CertPathValidatorUtilities
- .getIssuerPrincipal(completeCRL).getEncoded());
- }
- catch (IOException e)
- {
- throw new AnnotatedException("Cannot extract issuer from CRL.", e);
- }
-
- BigInteger completeCRLNumber = null;
- try
- {
- ASN1Primitive derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL,
- CRL_NUMBER);
- if (derObject != null)
- {
- completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue();
- }
- }
- catch (Exception e)
- {
- throw new AnnotatedException(
- "CRL number extension could not be extracted from CRL.", e);
- }
-
- // 5.2.4 (b)
- byte[] idp = null;
- try
- {
- idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
- }
- catch (Exception e)
- {
- throw new AnnotatedException(
- "Issuing distribution point extension value could not be read.",
- e);
- }
-
- // 5.2.4 (d)
-
- deltaSelect.setMinCRLNumber(completeCRLNumber == null ? null : completeCRLNumber
- .add(BigInteger.valueOf(1)));
-
- deltaSelect.setIssuingDistributionPoint(idp);
- deltaSelect.setIssuingDistributionPointEnabled(true);
-
- // 5.2.4 (c)
- deltaSelect.setMaxBaseCRLNumber(completeCRLNumber);
-
- // find delta CRLs
- Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate);
-
- Set result = new HashSet();
-
- for (Iterator it = temp.iterator(); it.hasNext(); )
- {
- X509CRL crl = (X509CRL)it.next();
-
- if (isDeltaCRL(crl))
- {
- result.add(crl);
- }
- }
-
- return result;
- }
-
- private static boolean isDeltaCRL(X509CRL crl)
- {
- Set critical = crl.getCriticalExtensionOIDs();
-
- if (critical == null)
- {
- return false;
- }
-
- return critical.contains(Extension.deltaCRLIndicator.getId());
- }
-
- /**
- * Fetches complete CRLs according to RFC 3280.
- *
- * @param dp The distribution point for which the complete CRL
- * @param cert The <code>X509Certificate</code> or
- * {@link org.bouncycastle.x509.X509AttributeCertificate} for
- * which the CRL should be searched.
- * @param currentDate The date for which the delta CRLs must be valid.
- * @param paramsPKIX The extended PKIX parameters.
- * @return A <code>Set</code> of <code>X509CRL</code>s with complete
- * CRLs.
- * @throws AnnotatedException if an exception occurs while picking the CRLs
- * or no CRLs are found.
- */
- protected static Set getCompleteCRLs(DistributionPoint dp, Object cert,
- Date currentDate, ExtendedPKIXParameters paramsPKIX)
- throws AnnotatedException
- {
- X509CRLStoreSelector crlselect = new X509CRLStoreSelector();
- try
- {
- Set issuers = new HashSet();
- if (cert instanceof X509AttributeCertificate)
- {
- issuers.add(((X509AttributeCertificate)cert)
- .getIssuer().getPrincipals()[0]);
- }
- else
- {
- issuers.add(getEncodedIssuerPrincipal(cert));
- }
- CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, crlselect, paramsPKIX);
- }
- catch (AnnotatedException e)
- {
- throw new AnnotatedException(
- "Could not get issuer information from distribution point.", e);
- }
- if (cert instanceof X509Certificate)
- {
- crlselect.setCertificateChecking((X509Certificate)cert);
- }
- else if (cert instanceof X509AttributeCertificate)
- {
- crlselect.setAttrCertificateChecking((X509AttributeCertificate)cert);
- }
-
-
- crlselect.setCompleteCRLEnabled(true);
-
- Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate);
-
- if (crls.isEmpty())
- {
- if (cert instanceof X509AttributeCertificate)
- {
- X509AttributeCertificate aCert = (X509AttributeCertificate)cert;
-
- throw new AnnotatedException("No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\"");
- }
- else
- {
- X509Certificate xCert = (X509Certificate)cert;
-
- throw new AnnotatedException("No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\"");
- }
- }
- return crls;
- }
-
- protected static Date getValidCertDateFromValidityModel(
- ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index)
- throws AnnotatedException
- {
- if (paramsPKIX.getValidityModel() == ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL)
- {
- // if end cert use given signing/encryption/... time
- if (index <= 0)
- {
- return CertPathValidatorUtilities.getValidDate(paramsPKIX);
- // else use time when previous cert was created
- }
- else
- {
- if (index - 1 == 0)
- {
- ASN1GeneralizedTime dateOfCertgen = null;
- try
- {
- byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
- if (extBytes != null)
- {
- dateOfCertgen = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
- }
- }
- catch (IOException e)
- {
- throw new AnnotatedException(
- "Date of cert gen extension could not be read.");
- }
- catch (IllegalArgumentException e)
- {
- throw new AnnotatedException(
- "Date of cert gen extension could not be read.");
- }
- if (dateOfCertgen != null)
- {
- try
- {
- return dateOfCertgen.getDate();
- }
- catch (ParseException e)
- {
- throw new AnnotatedException(
- "Date from date of cert gen extension could not be parsed.",
- e);
- }
- }
- return ((X509Certificate)certPath.getCertificates().get(
- index - 1)).getNotBefore();
- }
- else
- {
- return ((X509Certificate)certPath.getCertificates().get(
- index - 1)).getNotBefore();
- }
- }
- }
- else
- {
- return getValidDate(paramsPKIX);
- }
- }
-
- /**
- * Return the next working key inheriting DSA parameters if necessary.
- * <p>
- * This methods inherits DSA parameters from the indexed certificate or
- * previous certificates in the certificate chain to the returned
- * <code>PublicKey</code>. The list is searched upwards, meaning the end
- * certificate is at position 0 and previous certificates are following.
- * </p>
- * <p>
- * If the indexed certificate does not contain a DSA key this method simply
- * returns the public key. If the DSA key already contains DSA parameters
- * the key is also only returned.
- * </p>
- *
- * @param certs The certification path.
- * @param index The index of the certificate which contains the public key
- * which should be extended with DSA parameters.
- * @return The public key of the certificate in list position
- * <code>index</code> extended with DSA parameters if applicable.
- * @throws AnnotatedException if DSA parameters cannot be inherited.
- */
- protected static PublicKey getNextWorkingKey(List certs, int index)
- throws CertPathValidatorException
- {
- Certificate cert = (Certificate)certs.get(index);
- PublicKey pubKey = cert.getPublicKey();
- if (!(pubKey instanceof DSAPublicKey))
- {
- return pubKey;
- }
- DSAPublicKey dsaPubKey = (DSAPublicKey)pubKey;
- if (dsaPubKey.getParams() != null)
- {
- return dsaPubKey;
- }
- for (int i = index + 1; i < certs.size(); i++)
- {
- X509Certificate parentCert = (X509Certificate)certs.get(i);
- pubKey = parentCert.getPublicKey();
- if (!(pubKey instanceof DSAPublicKey))
- {
- throw new CertPathValidatorException(
- "DSA parameters cannot be inherited from previous certificate.");
- }
- DSAPublicKey prevDSAPubKey = (DSAPublicKey)pubKey;
- if (prevDSAPubKey.getParams() == null)
- {
- continue;
- }
- DSAParams dsaParams = prevDSAPubKey.getParams();
- DSAPublicKeySpec dsaPubKeySpec = new DSAPublicKeySpec(
- dsaPubKey.getY(), dsaParams.getP(), dsaParams.getQ(), dsaParams.getG());
- try
- {
- KeyFactory keyFactory = KeyFactory.getInstance("DSA", BouncyCastleProvider.PROVIDER_NAME);
- return keyFactory.generatePublic(dsaPubKeySpec);
- }
- catch (Exception exception)
- {
- throw new RuntimeException(exception.getMessage());
- }
- }
- throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate.");
- }
-
- /**
- * Find the issuer certificates of a given certificate.
- *
- * @param cert The certificate for which an issuer should be found.
- * @return A <code>Collection</code> object containing the issuer
- * <code>X509Certificate</code>s. Never <code>null</code>.
- * @throws AnnotatedException if an error occurs.
- */
- static Collection findIssuerCerts(
- X509Certificate cert,
- List certStores,
- List pkixCertStores)
- throws AnnotatedException
- {
- X509CertSelector selector = new X509CertSelector();
-
- try
- {
- selector.setSubject(cert.getIssuerX500Principal().getEncoded());
- }
- catch (IOException e)
- {
- throw new AnnotatedException(
- "Subject criteria for certificate selector to find issuer certificate could not be set.", e);
- }
-
- PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
- Set certs = new HashSet();
-
- Iterator iter;
-
- try
- {
- List matches = new ArrayList();
-
- matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, certStores));
- matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixCertStores));
-
- iter = matches.iterator();
- }
- catch (AnnotatedException e)
- {
- throw new AnnotatedException("Issuer certificate cannot be searched.", e);
- }
-
- X509Certificate issuer = null;
- while (iter.hasNext())
- {
- issuer = (X509Certificate)iter.next();
- // issuer cannot be verified because possible DSA inheritance
- // parameters are missing
- certs.add(issuer);
- }
- return certs;
- }
-
- protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
- String sigProvider)
- throws GeneralSecurityException
- {
- if (sigProvider == null)
- {
- cert.verify(publicKey);
- }
- else
- {
- cert.verify(publicKey, sigProvider);
- }
- }
-
- static boolean isIndirectCRL(X509CRL crl)
- throws CRLException
- {
- try
- {
- byte[] idp = crl.getExtensionValue(Extension.issuingDistributionPoint.getId());
- return idp != null
- && IssuingDistributionPoint.getInstance(ASN1OctetString.getInstance(idp).getOctets()).isIndirectCRL();
- }
- catch (Exception e)
- {
- throw new CRLException(
- "Exception reading IssuingDistributionPoint: " + e);
- }
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/CertStatus.java b/bcprov/src/main/java/org/bouncycastle/x509/CertStatus.java
deleted file mode 100644
index f12910d..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/CertStatus.java
+++ /dev/null
@@ -1,46 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.util.Date;
-
-class CertStatus
-{
- public static final int UNREVOKED = 11;
-
- public static final int UNDETERMINED = 12;
-
- int certStatus = UNREVOKED;
-
- Date revocationDate = null;
-
- /**
- * @return Returns the revocationDate.
- */
- public Date getRevocationDate()
- {
- return revocationDate;
- }
-
- /**
- * @param revocationDate The revocationDate to set.
- */
- public void setRevocationDate(Date revocationDate)
- {
- this.revocationDate = revocationDate;
- }
-
- /**
- * @return Returns the certStatus.
- */
- public int getCertStatus()
- {
- return certStatus;
- }
-
- /**
- * @param certStatus The certStatus to set.
- */
- public void setCertStatus(int certStatus)
- {
- this.certStatus = certStatus;
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/NoSuchParserException.java b/bcprov/src/main/java/org/bouncycastle/x509/NoSuchParserException.java
deleted file mode 100644
index c25b9dd..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/NoSuchParserException.java
+++ /dev/null
@@ -1,10 +0,0 @@
-package org.bouncycastle.x509;
-
-public class NoSuchParserException
- extends Exception
-{
- public NoSuchParserException(String message)
- {
- super(message);
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/PKIXCRLUtil.java b/bcprov/src/main/java/org/bouncycastle/x509/PKIXCRLUtil.java
deleted file mode 100644
index bfa9f2d..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/PKIXCRLUtil.java
+++ /dev/null
@@ -1,153 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.PKIXParameters;
-import java.security.cert.X509CRL;
-import java.security.cert.X509Certificate;
-import java.util.Collection;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-
-import org.bouncycastle.jce.provider.AnnotatedException;
-import org.bouncycastle.util.StoreException;
-
-class PKIXCRLUtil
-{
- public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate)
- throws AnnotatedException
- {
- Set initialSet = new HashSet();
-
- // get complete CRL(s)
- try
- {
- initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
- initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores()));
- initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
- }
- catch (AnnotatedException e)
- {
- throw new AnnotatedException("Exception obtaining complete CRLs.", e);
- }
-
- Set finalSet = new HashSet();
- Date validityDate = currentDate;
-
- if (paramsPKIX.getDate() != null)
- {
- validityDate = paramsPKIX.getDate();
- }
-
- // based on RFC 5280 6.3.3
- for (Iterator it = initialSet.iterator(); it.hasNext();)
- {
- X509CRL crl = (X509CRL)it.next();
-
- if (crl.getNextUpdate().after(validityDate))
- {
- X509Certificate cert = crlselect.getCertificateChecking();
-
- if (cert != null)
- {
- if (crl.getThisUpdate().before(cert.getNotAfter()))
- {
- finalSet.add(crl);
- }
- }
- else
- {
- finalSet.add(crl);
- }
- }
- }
-
- return finalSet;
- }
-
- public Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX)
- throws AnnotatedException
- {
- Set completeSet = new HashSet();
-
- // get complete CRL(s)
- try
- {
- completeSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
- }
- catch (AnnotatedException e)
- {
- throw new AnnotatedException("Exception obtaining complete CRLs.", e);
- }
-
- return completeSet;
- }
-
-/**
- * Return a Collection of all CRLs found in the X509Store's that are
- * matching the crlSelect criteriums.
- *
- * @param crlSelect a {@link X509CRLStoreSelector} object that will be used
- * to select the CRLs
- * @param crlStores a List containing only
- * {@link org.bouncycastle.x509.X509Store X509Store} objects.
- * These are used to search for CRLs
- *
- * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be
- * empty but never <code>null</code>.
- */
- private final Collection findCRLs(X509CRLStoreSelector crlSelect,
- List crlStores) throws AnnotatedException
- {
- Set crls = new HashSet();
- Iterator iter = crlStores.iterator();
-
- AnnotatedException lastException = null;
- boolean foundValidStore = false;
-
- while (iter.hasNext())
- {
- Object obj = iter.next();
-
- if (obj instanceof X509Store)
- {
- X509Store store = (X509Store)obj;
-
- try
- {
- crls.addAll(store.getMatches(crlSelect));
- foundValidStore = true;
- }
- catch (StoreException e)
- {
- lastException = new AnnotatedException(
- "Exception searching in X.509 CRL store.", e);
- }
- }
- else
- {
- CertStore store = (CertStore)obj;
-
- try
- {
- crls.addAll(store.getCRLs(crlSelect));
- foundValidStore = true;
- }
- catch (CertStoreException e)
- {
- lastException = new AnnotatedException(
- "Exception searching in X.509 CRL store.", e);
- }
- }
- }
- if (!foundValidStore && lastException != null)
- {
- throw lastException;
- }
- return crls;
- }
-
-}
\ No newline at end of file
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java b/bcprov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java
deleted file mode 100644
index 3271aa9..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java
+++ /dev/null
@@ -1,2543 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.net.HttpURLConnection;
-import java.net.InetAddress;
-import java.net.URL;
-import java.security.GeneralSecurityException;
-import java.security.PublicKey;
-import java.security.SignatureException;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.PKIXParameters;
-import java.security.cert.PolicyNode;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CRL;
-import java.security.cert.X509CRLEntry;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.Vector;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1Enumerated;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.ASN1Integer;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.ASN1OctetString;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.ASN1TaggedObject;
-import org.bouncycastle.asn1.DERIA5String;
-import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.x509.AccessDescription;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
-import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.CRLDistPoint;
-import org.bouncycastle.asn1.x509.DistributionPoint;
-import org.bouncycastle.asn1.x509.DistributionPointName;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.asn1.x509.GeneralSubtree;
-import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
-import org.bouncycastle.asn1.x509.NameConstraints;
-import org.bouncycastle.asn1.x509.PolicyInformation;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode;
-import org.bouncycastle.asn1.x509.qualified.MonetaryValue;
-import org.bouncycastle.asn1.x509.qualified.QCStatement;
-import org.bouncycastle.i18n.ErrorBundle;
-import org.bouncycastle.i18n.LocaleString;
-import org.bouncycastle.i18n.filter.TrustedInput;
-import org.bouncycastle.i18n.filter.UntrustedInput;
-import org.bouncycastle.i18n.filter.UntrustedUrlInput;
-import org.bouncycastle.jce.provider.AnnotatedException;
-import org.bouncycastle.jce.provider.PKIXNameConstraintValidator;
-import org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException;
-import org.bouncycastle.jce.provider.PKIXPolicyNode;
-import org.bouncycastle.util.Integers;
-import org.bouncycastle.x509.extension.X509ExtensionUtil;
-
-/**
- * PKIXCertPathReviewer<br>
- * Validation of X.509 Certificate Paths. Tries to find as much errors in the Path as possible.
- */
-public class PKIXCertPathReviewer extends CertPathValidatorUtilities
-{
-
- private static final String QC_STATEMENT = X509Extensions.QCStatements.getId();
- private static final String CRL_DIST_POINTS = X509Extensions.CRLDistributionPoints.getId();
- private static final String AUTH_INFO_ACCESS = X509Extensions.AuthorityInfoAccess.getId();
-
- private static final String RESOURCE_NAME = "org.bouncycastle.x509.CertPathReviewerMessages";
-
- // input parameters
-
- protected CertPath certPath;
-
- protected PKIXParameters pkixParams;
-
- protected Date validDate;
-
- // state variables
-
- protected List certs;
-
- protected int n;
-
- // output variables
-
- protected List[] notifications;
- protected List[] errors;
- protected TrustAnchor trustAnchor;
- protected PublicKey subjectPublicKey;
- protected PolicyNode policyTree;
-
- private boolean initialized;
-
- /**
- * Initializes the PKIXCertPathReviewer with the given {@link CertPath} and {@link PKIXParameters} params
- * @param certPath the {@link CertPath} to validate
- * @param params the {@link PKIXParameters} to use
- * @throws CertPathReviewerException if the certPath is empty
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} is already initialized
- */
- public void init(CertPath certPath, PKIXParameters params)
- throws CertPathReviewerException
- {
- if (initialized)
- {
- throw new IllegalStateException("object is already initialized!");
- }
- initialized = true;
-
- // check input parameters
- if (certPath == null)
- {
- throw new NullPointerException("certPath was null");
- }
- this.certPath = certPath;
-
- certs = certPath.getCertificates();
- n = certs.size();
- if (certs.isEmpty())
- {
- throw new CertPathReviewerException(
- new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.emptyCertPath"));
- }
-
- pkixParams = (PKIXParameters) params.clone();
-
- // 6.1.1 - Inputs
-
- // a) done
-
- // b)
-
- validDate = getValidDate(pkixParams);
-
- // c) part of pkixParams
-
- // d) done at the beginning of checkSignatures
-
- // e) f) g) part of pkixParams
-
- // initialize output parameters
-
- notifications = null;
- errors = null;
- trustAnchor = null;
- subjectPublicKey = null;
- policyTree = null;
- }
-
- /**
- * Creates a PKIXCertPathReviewer and initializes it with the given {@link CertPath} and {@link PKIXParameters} params
- * @param certPath the {@link CertPath} to validate
- * @param params the {@link PKIXParameters} to use
- * @throws CertPathReviewerException if the certPath is empty
- */
- public PKIXCertPathReviewer(CertPath certPath, PKIXParameters params)
- throws CertPathReviewerException
- {
- init(certPath, params);
- }
-
- /**
- * Creates an empty PKIXCertPathReviewer. Don't forget to call init() to initialize the object.
- */
- public PKIXCertPathReviewer()
- {
- // do nothing
- }
-
- /**
- *
- * @return the CertPath that was validated
- */
- public CertPath getCertPath()
- {
- return certPath;
- }
-
- /**
- *
- * @return the size of the CertPath
- */
- public int getCertPathSize()
- {
- return n;
- }
-
- /**
- * Returns an Array of Lists which contains a List of global error messages
- * and a List of error messages for each certificate in the path.
- * The global error List is at index 0. The error lists for each certificate at index 1 to n.
- * The error messages are of type.
- * @return the Array of Lists which contain the error messages
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public List[] getErrors()
- {
- doChecks();
- return errors;
- }
-
- /**
- * Returns an List of error messages for the certificate at the given index in the CertPath.
- * If index == -1 then the list of global errors is returned with errors not specific to a certificate.
- * @param index the index of the certificate in the CertPath
- * @return List of error messages for the certificate
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public List getErrors(int index)
- {
- doChecks();
- return errors[index + 1];
- }
-
- /**
- * Returns an Array of Lists which contains a List of global notification messages
- * and a List of botification messages for each certificate in the path.
- * The global notificatio List is at index 0. The notification lists for each certificate at index 1 to n.
- * The error messages are of type.
- * @return the Array of Lists which contain the notification messages
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public List[] getNotifications()
- {
- doChecks();
- return notifications;
- }
-
- /**
- * Returns an List of notification messages for the certificate at the given index in the CertPath.
- * If index == -1 then the list of global notifications is returned with notifications not specific to a certificate.
- * @param index the index of the certificate in the CertPath
- * @return List of notification messages for the certificate
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public List getNotifications(int index)
- {
- doChecks();
- return notifications[index + 1];
- }
-
- /**
- *
- * @return the valid policy tree, <b>null</b> if no valid policy exists.
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public PolicyNode getPolicyTree()
- {
- doChecks();
- return policyTree;
- }
-
- /**
- *
- * @return the PublicKey if the last certificate in the CertPath
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public PublicKey getSubjectPublicKey()
- {
- doChecks();
- return subjectPublicKey;
- }
-
- /**
- *
- * @return the TrustAnchor for the CertPath, <b>null</b> if no valid TrustAnchor was found.
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public TrustAnchor getTrustAnchor()
- {
- doChecks();
- return trustAnchor;
- }
-
- /**
- *
- * @return if the CertPath is valid
- * @throws IllegalStateException if the {@link PKIXCertPathReviewer} was not initialized
- */
- public boolean isValidCertPath()
- {
- doChecks();
- boolean valid = true;
- for (int i = 0; i < errors.length; i++)
- {
- if (!errors[i].isEmpty())
- {
- valid = false;
- break;
- }
- }
- return valid;
- }
-
- protected void addNotification(ErrorBundle msg)
- {
- notifications[0].add(msg);
- }
-
- protected void addNotification(ErrorBundle msg, int index)
- {
- if (index < -1 || index >= n)
- {
- throw new IndexOutOfBoundsException();
- }
- notifications[index + 1].add(msg);
- }
-
- protected void addError(ErrorBundle msg)
- {
- errors[0].add(msg);
- }
-
- protected void addError(ErrorBundle msg, int index)
- {
- if (index < -1 || index >= n)
- {
- throw new IndexOutOfBoundsException();
- }
- errors[index + 1].add(msg);
- }
-
- protected void doChecks()
- {
- if (!initialized)
- {
- throw new IllegalStateException("Object not initialized. Call init() first.");
- }
- if (notifications == null)
- {
- // initialize lists
- notifications = new List[n+1];
- errors = new List[n+1];
-
- for (int i = 0; i < notifications.length; i++)
- {
- notifications[i] = new ArrayList();
- errors[i] = new ArrayList();
- }
-
- // check Signatures
- checkSignatures();
-
- // check Name Constraints
- checkNameConstraints();
-
- // check Path Length
- checkPathLength();
-
- // check Policy
- checkPolicy();
-
- // check other critical extensions
- checkCriticalExtensions();
-
- }
- }
-
- private void checkNameConstraints()
- {
- X509Certificate cert = null;
-
- //
- // Setup
- //
-
- // (b) and (c)
- PKIXNameConstraintValidator nameConstraintValidator = new PKIXNameConstraintValidator();
-
- //
- // process each certificate except the last in the path
- //
- int index;
- int i;
-
- try
- {
- for (index = certs.size()-1; index>0; index--)
- {
- i = n - index;
-
- //
- // certificate processing
- //
-
- cert = (X509Certificate) certs.get(index);
-
- // b),c)
-
- if (!isSelfIssued(cert))
- {
- X500Principal principal = getSubjectPrincipal(cert);
- ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(principal.getEncoded()));
- ASN1Sequence dns;
-
- try
- {
- dns = (ASN1Sequence)aIn.readObject();
- }
- catch (IOException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.ncSubjectNameError",
- new Object[] {new UntrustedInput(principal)});
- throw new CertPathReviewerException(msg,e,certPath,index);
- }
-
- try
- {
- nameConstraintValidator.checkPermittedDN(dns);
- }
- catch (PKIXNameConstraintValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedDN",
- new Object[] {new UntrustedInput(principal.getName())});
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
-
- try
- {
- nameConstraintValidator.checkExcludedDN(dns);
- }
- catch (PKIXNameConstraintValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedDN",
- new Object[] {new UntrustedInput(principal.getName())});
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
-
- ASN1Sequence altName;
- try
- {
- altName = (ASN1Sequence)getExtensionValue(cert, SUBJECT_ALTERNATIVE_NAME);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.subjAltNameExtError");
- throw new CertPathReviewerException(msg,ae,certPath,index);
- }
-
- if (altName != null)
- {
- for (int j = 0; j < altName.size(); j++)
- {
- GeneralName name = GeneralName.getInstance(altName.getObjectAt(j));
-
- try
- {
- nameConstraintValidator.checkPermitted(name);
- nameConstraintValidator.checkExcluded(name);
- }
- catch (PKIXNameConstraintValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedEmail",
- new Object[] {new UntrustedInput(name)});
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
-// switch(o.getTagNo()) TODO - move resources to PKIXNameConstraints
-// {
-// case 1:
-// String email = DERIA5String.getInstance(o, true).getString();
-//
-// try
-// {
-// checkPermittedEmail(permittedSubtreesEmail, email);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedEmail",
-// new Object[] {new UntrustedInput(email)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-//
-// try
-// {
-// checkExcludedEmail(excludedSubtreesEmail, email);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedEmail",
-// new Object[] {new UntrustedInput(email)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-//
-// break;
-// case 4:
-// ASN1Sequence altDN = ASN1Sequence.getInstance(o, true);
-//
-// try
-// {
-// checkPermittedDN(permittedSubtreesDN, altDN);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// X509Name altDNName = new X509Name(altDN);
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedDN",
-// new Object[] {new UntrustedInput(altDNName)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-//
-// try
-// {
-// checkExcludedDN(excludedSubtreesDN, altDN);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// X509Name altDNName = new X509Name(altDN);
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedDN",
-// new Object[] {new UntrustedInput(altDNName)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-//
-// break;
-// case 7:
-// byte[] ip = ASN1OctetString.getInstance(o, true).getOctets();
-//
-// try
-// {
-// checkPermittedIP(permittedSubtreesIP, ip);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notPermittedIP",
-// new Object[] {IPtoString(ip)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-//
-// try
-// {
-// checkExcludedIP(excludedSubtreesIP, ip);
-// }
-// catch (CertPathValidatorException cpve)
-// {
-// ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.excludedIP",
-// new Object[] {IPtoString(ip)});
-// throw new CertPathReviewerException(msg,cpve,certPath,index);
-// }
-// }
- }
- }
- }
-
- //
- // prepare for next certificate
- //
-
- //
- // (g) handle the name constraints extension
- //
- ASN1Sequence ncSeq;
- try
- {
- ncSeq = (ASN1Sequence)getExtensionValue(cert, NAME_CONSTRAINTS);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.ncExtError");
- throw new CertPathReviewerException(msg,ae,certPath,index);
- }
-
- if (ncSeq != null)
- {
- NameConstraints nc = NameConstraints.getInstance(ncSeq);
-
- //
- // (g) (1) permitted subtrees
- //
- GeneralSubtree[] permitted = nc.getPermittedSubtrees();
- if (permitted != null)
- {
- nameConstraintValidator.intersectPermittedSubtree(permitted);
- }
-
- //
- // (g) (2) excluded subtrees
- //
- GeneralSubtree[] excluded = nc.getExcludedSubtrees();
- if (excluded != null)
- {
- for (int c = 0; c != excluded.length; c++)
- {
- nameConstraintValidator.addExcludedSubtree(excluded[c]);
- }
- }
- }
-
- } // for
- }
- catch (CertPathReviewerException cpre)
- {
- addError(cpre.getErrorMessage(),cpre.getIndex());
- }
-
- }
-
- /*
- * checks: - path length constraints and reports - total path length
- */
- private void checkPathLength()
- {
- // init
- int maxPathLength = n;
- int totalPathLength = 0;
-
- X509Certificate cert = null;
-
- int i;
- for (int index = certs.size() - 1; index > 0; index--)
- {
- i = n - index;
-
- cert = (X509Certificate) certs.get(index);
-
- // l)
-
- if (!isSelfIssued(cert))
- {
- if (maxPathLength <= 0)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.pathLenghtExtended");
- addError(msg);
- }
- maxPathLength--;
- totalPathLength++;
- }
-
- // m)
-
- BasicConstraints bc;
- try
- {
- bc = BasicConstraints.getInstance(getExtensionValue(cert,
- BASIC_CONSTRAINTS));
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.processLengthConstError");
- addError(msg,index);
- bc = null;
- }
-
- if (bc != null)
- {
- BigInteger _pathLengthConstraint = bc.getPathLenConstraint();
-
- if (_pathLengthConstraint != null)
- {
- int _plc = _pathLengthConstraint.intValue();
-
- if (_plc < maxPathLength)
- {
- maxPathLength = _plc;
- }
- }
- }
-
- }
-
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.totalPathLength",
- new Object[]{Integers.valueOf(totalPathLength)});
-
- addNotification(msg);
- }
-
- /*
- * checks: - signatures - name chaining - validity of certificates - todo:
- * if certificate revoked (if specified in the parameters)
- */
- private void checkSignatures()
- {
- // 1.6.1 - Inputs
-
- // d)
-
- TrustAnchor trust = null;
- X500Principal trustPrincipal = null;
-
- // validation date
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
- new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
- addNotification(msg);
- }
-
- // find trust anchors
- try
- {
- X509Certificate cert = (X509Certificate) certs.get(certs.size() - 1);
- Collection trustColl = getTrustAnchors(cert,pkixParams.getTrustAnchors());
- if (trustColl.size() > 1)
- {
- // conflicting trust anchors
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.conflictingTrustAnchors",
- new Object[]{Integers.valueOf(trustColl.size()),
- new UntrustedInput(cert.getIssuerX500Principal())});
- addError(msg);
- }
- else if (trustColl.isEmpty())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.noTrustAnchorFound",
- new Object[]{new UntrustedInput(cert.getIssuerX500Principal()),
- Integers.valueOf(pkixParams.getTrustAnchors().size())});
- addError(msg);
- }
- else
- {
- PublicKey trustPublicKey;
- trust = (TrustAnchor) trustColl.iterator().next();
- if (trust.getTrustedCert() != null)
- {
- trustPublicKey = trust.getTrustedCert().getPublicKey();
- }
- else
- {
- trustPublicKey = trust.getCAPublicKey();
- }
- try
- {
- CertPathValidatorUtilities.verifyX509Certificate(cert, trustPublicKey,
- pkixParams.getSigProvider());
- }
- catch (SignatureException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustButInvalidCert");
- addError(msg);
- }
- catch (Exception e)
- {
- // do nothing, error occurs again later
- }
- }
- }
- catch (CertPathReviewerException cpre)
- {
- addError(cpre.getErrorMessage());
- }
- catch (Throwable t)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.unknown",
- new Object[] {new UntrustedInput(t.getMessage()), new UntrustedInput(t)});
- addError(msg);
- }
-
- if (trust != null)
- {
- // get the name of the trustAnchor
- X509Certificate sign = trust.getTrustedCert();
- try
- {
- if (sign != null)
- {
- trustPrincipal = getSubjectPrincipal(sign);
- }
- else
- {
- trustPrincipal = new X500Principal(trust.getCAName());
- }
- }
- catch (IllegalArgumentException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustDNInvalid",
- new Object[] {new UntrustedInput(trust.getCAName())});
- addError(msg);
- }
-
- // test key usages of the trust anchor
- if (sign != null)
- {
- boolean[] ku = sign.getKeyUsage();
- if (ku != null && !ku[5])
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.trustKeyUsage");
- addNotification(msg);
- }
- }
- }
-
- // 1.6.2 - Initialization
-
- PublicKey workingPublicKey = null;
- X500Principal workingIssuerName = trustPrincipal;
-
- X509Certificate sign = null;
-
- AlgorithmIdentifier workingAlgId = null;
- ASN1ObjectIdentifier workingPublicKeyAlgorithm = null;
- ASN1Encodable workingPublicKeyParameters = null;
-
- if (trust != null)
- {
- sign = trust.getTrustedCert();
-
- if (sign != null)
- {
- workingPublicKey = sign.getPublicKey();
- }
- else
- {
- workingPublicKey = trust.getCAPublicKey();
- }
-
- try
- {
- workingAlgId = getAlgorithmIdentifier(workingPublicKey);
- workingPublicKeyAlgorithm = workingAlgId.getObjectId();
- workingPublicKeyParameters = workingAlgId.getParameters();
- }
- catch (CertPathValidatorException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustPubKeyError");
- addError(msg);
- workingAlgId = null;
- }
-
- }
-
- // Basic cert checks
-
- X509Certificate cert = null;
- int i;
-
- for (int index = certs.size() - 1; index >= 0; index--)
- {
- //
- // i as defined in the algorithm description
- //
- i = n - index;
-
- //
- // set certificate to be checked in this round
- // sign and workingPublicKey and workingIssuerName are set
- // at the end of the for loop and initialied the
- // first time from the TrustAnchor
- //
- cert = (X509Certificate) certs.get(index);
-
- // verify signature
- if (workingPublicKey != null)
- {
- try
- {
- CertPathValidatorUtilities.verifyX509Certificate(cert, workingPublicKey,
- pkixParams.getSigProvider());
- }
- catch (GeneralSecurityException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
- new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
- addError(msg,index);
- }
- }
- else if (isSelfIssued(cert))
- {
- try
- {
- CertPathValidatorUtilities.verifyX509Certificate(cert, cert.getPublicKey(),
- pkixParams.getSigProvider());
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.rootKeyIsValidButNotATrustAnchor");
- addError(msg, index);
- }
- catch (GeneralSecurityException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.signatureNotVerified",
- new Object[] {ex.getMessage(),ex,ex.getClass().getName()});
- addError(msg,index);
- }
- }
- else
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.NoIssuerPublicKey");
- // if there is an authority key extension add the serial and issuer of the missing certificate
- byte[] akiBytes = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
- if (akiBytes != null)
- {
- try
- {
- AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(
- X509ExtensionUtil.fromExtensionValue(akiBytes));
- GeneralNames issuerNames = aki.getAuthorityCertIssuer();
- if (issuerNames != null)
- {
- GeneralName name = issuerNames.getNames()[0];
- BigInteger serial = aki.getAuthorityCertSerialNumber();
- if (serial != null)
- {
- Object[] extraArgs = {new LocaleString(RESOURCE_NAME, "missingIssuer"), " \"", name ,
- "\" ", new LocaleString(RESOURCE_NAME, "missingSerial") , " ", serial};
- msg.setExtraArguments(extraArgs);
- }
- }
- }
- catch (IOException e)
- {
- // ignore
- }
- }
- addError(msg,index);
- }
-
- // certificate valid?
- try
- {
- cert.checkValidity(validDate);
- }
- catch (CertificateNotYetValidException cnve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateNotYetValid",
- new Object[] {new TrustedInput(cert.getNotBefore())});
- addError(msg,index);
- }
- catch (CertificateExpiredException cee)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certificateExpired",
- new Object[] {new TrustedInput(cert.getNotAfter())});
- addError(msg,index);
- }
-
- // certificate revoked?
- if (pkixParams.isRevocationEnabled())
- {
- // read crl distribution points extension
- CRLDistPoint crlDistPoints = null;
- try
- {
- ASN1Primitive crl_dp = getExtensionValue(cert,CRL_DIST_POINTS);
- if (crl_dp != null)
- {
- crlDistPoints = CRLDistPoint.getInstance(crl_dp);
- }
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlDistPtExtError");
- addError(msg,index);
- }
-
- // read authority information access extension
- AuthorityInformationAccess authInfoAcc = null;
- try
- {
- ASN1Primitive auth_info_acc = getExtensionValue(cert,AUTH_INFO_ACCESS);
- if (auth_info_acc != null)
- {
- authInfoAcc = AuthorityInformationAccess.getInstance(auth_info_acc);
- }
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlAuthInfoAccError");
- addError(msg,index);
- }
-
- Vector crlDistPointUrls = getCRLDistUrls(crlDistPoints);
- Vector ocspUrls = getOCSPUrls(authInfoAcc);
-
- // add notifications with the crl distribution points
-
- // output crl distribution points
- Iterator urlIt = crlDistPointUrls.iterator();
- while (urlIt.hasNext())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlDistPoint",
- new Object[] {new UntrustedUrlInput(urlIt.next())});
- addNotification(msg,index);
- }
-
- // output ocsp urls
- urlIt = ocspUrls.iterator();
- while (urlIt.hasNext())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.ocspLocation",
- new Object[] {new UntrustedUrlInput(urlIt.next())});
- addNotification(msg,index);
- }
-
- // TODO also support Netscapes revocation-url and/or OCSP instead of CRLs for revocation checking
- // check CRLs
- try
- {
- checkRevocation(pkixParams, cert, validDate, sign, workingPublicKey, crlDistPointUrls, ocspUrls, index);
- }
- catch (CertPathReviewerException cpre)
- {
- addError(cpre.getErrorMessage(),index);
- }
- }
-
- // certificate issuer correct
- if (workingIssuerName != null && !cert.getIssuerX500Principal().equals(workingIssuerName))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certWrongIssuer",
- new Object[] {workingIssuerName.getName(),
- cert.getIssuerX500Principal().getName()});
- addError(msg,index);
- }
-
- //
- // prepare for next certificate
- //
- if (i != n)
- {
-
- if (cert != null && cert.getVersion() == 1)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCACert");
- addError(msg,index);
- }
-
- // k)
-
- BasicConstraints bc;
- try
- {
- bc = BasicConstraints.getInstance(getExtensionValue(cert,
- BASIC_CONSTRAINTS));
- if (bc != null)
- {
- if (!bc.isCA())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCACert");
- addError(msg,index);
- }
- }
- else
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noBasicConstraints");
- addError(msg,index);
- }
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.errorProcesingBC");
- addError(msg,index);
- }
-
- // n)
-
- boolean[] _usage = cert.getKeyUsage();
-
- if ((_usage != null) && !_usage[KEY_CERT_SIGN])
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCertSign");
- addError(msg,index);
- }
-
- } // if
-
- // set signing certificate for next round
- sign = cert;
-
- // c)
-
- workingIssuerName = cert.getSubjectX500Principal();
-
- // d) e) f)
-
- try
- {
- workingPublicKey = getNextWorkingKey(certs, index);
- workingAlgId = getAlgorithmIdentifier(workingPublicKey);
- workingPublicKeyAlgorithm = workingAlgId.getObjectId();
- workingPublicKeyParameters = workingAlgId.getParameters();
- }
- catch (CertPathValidatorException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.pubKeyError");
- addError(msg,index);
- workingAlgId = null;
- workingPublicKeyAlgorithm = null;
- workingPublicKeyParameters = null;
- }
-
- } // for
-
- trustAnchor = trust;
- subjectPublicKey = workingPublicKey;
- }
-
- private void checkPolicy()
- {
- //
- // 6.1.1 Inputs
- //
-
- // c) Initial Policy Set
-
- Set userInitialPolicySet = pkixParams.getInitialPolicies();
-
- // e) f) g) are part of pkixParams
-
- //
- // 6.1.2 Initialization
- //
-
- // a) valid policy tree
-
- List[] policyNodes = new ArrayList[n + 1];
- for (int j = 0; j < policyNodes.length; j++)
- {
- policyNodes[j] = new ArrayList();
- }
-
- Set policySet = new HashSet();
-
- policySet.add(ANY_POLICY);
-
- PKIXPolicyNode validPolicyTree = new PKIXPolicyNode(new ArrayList(), 0,
- policySet, null, new HashSet(), ANY_POLICY, false);
-
- policyNodes[0].add(validPolicyTree);
-
- // d) explicit policy
-
- int explicitPolicy;
- if (pkixParams.isExplicitPolicyRequired())
- {
- explicitPolicy = 0;
- }
- else
- {
- explicitPolicy = n + 1;
- }
-
- // e) inhibit any policy
-
- int inhibitAnyPolicy;
- if (pkixParams.isAnyPolicyInhibited())
- {
- inhibitAnyPolicy = 0;
- }
- else
- {
- inhibitAnyPolicy = n + 1;
- }
-
- // f) policy mapping
-
- int policyMapping;
- if (pkixParams.isPolicyMappingInhibited())
- {
- policyMapping = 0;
- }
- else
- {
- policyMapping = n + 1;
- }
-
- Set acceptablePolicies = null;
-
- //
- // 6.1.3 Basic Certificate processing
- //
-
- X509Certificate cert = null;
- int index;
- int i;
-
- try
- {
- for (index = certs.size() - 1; index >= 0; index--)
- {
- // i as defined in the algorithm description
- i = n - index;
-
- // set certificate to be checked in this round
- cert = (X509Certificate) certs.get(index);
-
- // d) process policy information
-
- ASN1Sequence certPolicies;
- try
- {
- certPolicies = (ASN1Sequence) getExtensionValue(
- cert, CERTIFICATE_POLICIES);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyExtError");
- throw new CertPathReviewerException(msg,ae,certPath,index);
- }
- if (certPolicies != null && validPolicyTree != null)
- {
-
- // d) 1)
-
- Enumeration e = certPolicies.getObjects();
- Set pols = new HashSet();
-
- while (e.hasMoreElements())
- {
- PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
- ASN1ObjectIdentifier pOid = pInfo.getPolicyIdentifier();
-
- pols.add(pOid.getId());
-
- if (!ANY_POLICY.equals(pOid.getId()))
- {
- Set pq;
- try
- {
- pq = getQualifierSet(pInfo.getPolicyQualifiers());
- }
- catch (CertPathValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyQualifierError");
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
-
- boolean match = processCertD1i(i, policyNodes, pOid, pq);
-
- if (!match)
- {
- processCertD1ii(i, policyNodes, pOid, pq);
- }
- }
- }
-
- if (acceptablePolicies == null || acceptablePolicies.contains(ANY_POLICY))
- {
- acceptablePolicies = pols;
- }
- else
- {
- Iterator it = acceptablePolicies.iterator();
- Set t1 = new HashSet();
-
- while (it.hasNext())
- {
- Object o = it.next();
-
- if (pols.contains(o))
- {
- t1.add(o);
- }
- }
-
- acceptablePolicies = t1;
- }
-
- // d) 2)
-
- if ((inhibitAnyPolicy > 0) || ((i < n) && isSelfIssued(cert)))
- {
- e = certPolicies.getObjects();
-
- while (e.hasMoreElements())
- {
- PolicyInformation pInfo = PolicyInformation.getInstance(e.nextElement());
-
- if (ANY_POLICY.equals(pInfo.getPolicyIdentifier().getId()))
- {
- Set _apq;
- try
- {
- _apq = getQualifierSet(pInfo.getPolicyQualifiers());
- }
- catch (CertPathValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyQualifierError");
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
- List _nodes = policyNodes[i - 1];
-
- for (int k = 0; k < _nodes.size(); k++)
- {
- PKIXPolicyNode _node = (PKIXPolicyNode) _nodes.get(k);
-
- Iterator _policySetIter = _node.getExpectedPolicies().iterator();
- while (_policySetIter.hasNext())
- {
- Object _tmp = _policySetIter.next();
-
- String _policy;
- if (_tmp instanceof String)
- {
- _policy = (String) _tmp;
- }
- else if (_tmp instanceof ASN1ObjectIdentifier)
- {
- _policy = ((ASN1ObjectIdentifier) _tmp).getId();
- }
- else
- {
- continue;
- }
-
- boolean _found = false;
- Iterator _childrenIter = _node
- .getChildren();
-
- while (_childrenIter.hasNext())
- {
- PKIXPolicyNode _child = (PKIXPolicyNode) _childrenIter.next();
-
- if (_policy.equals(_child.getValidPolicy()))
- {
- _found = true;
- }
- }
-
- if (!_found)
- {
- Set _newChildExpectedPolicies = new HashSet();
- _newChildExpectedPolicies.add(_policy);
-
- PKIXPolicyNode _newChild = new PKIXPolicyNode(
- new ArrayList(), i,
- _newChildExpectedPolicies,
- _node, _apq, _policy, false);
- _node.addChild(_newChild);
- policyNodes[i].add(_newChild);
- }
- }
- }
- break;
- }
- }
- }
-
- //
- // (d) (3)
- //
- for (int j = (i - 1); j >= 0; j--)
- {
- List nodes = policyNodes[j];
-
- for (int k = 0; k < nodes.size(); k++)
- {
- PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(k);
- if (!node.hasChildren())
- {
- validPolicyTree = removePolicyNode(
- validPolicyTree, policyNodes, node);
- if (validPolicyTree == null)
- {
- break;
- }
- }
- }
- }
-
- //
- // d (4)
- //
- Set criticalExtensionOids = cert.getCriticalExtensionOIDs();
-
- if (criticalExtensionOids != null)
- {
- boolean critical = criticalExtensionOids.contains(CERTIFICATE_POLICIES);
-
- List nodes = policyNodes[i];
- for (int j = 0; j < nodes.size(); j++)
- {
- PKIXPolicyNode node = (PKIXPolicyNode) nodes.get(j);
- node.setCritical(critical);
- }
- }
-
- }
-
- // e)
-
- if (certPolicies == null)
- {
- validPolicyTree = null;
- }
-
- // f)
-
- if (explicitPolicy <= 0 && validPolicyTree == null)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noValidPolicyTree");
- throw new CertPathReviewerException(msg);
- }
-
- //
- // 6.1.4 preparation for next Certificate
- //
-
- if (i != n)
- {
-
- // a)
-
- ASN1Primitive pm;
- try
- {
- pm = getExtensionValue(cert, POLICY_MAPPINGS);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyMapExtError");
- throw new CertPathReviewerException(msg,ae,certPath,index);
- }
-
- if (pm != null)
- {
- ASN1Sequence mappings = (ASN1Sequence) pm;
- for (int j = 0; j < mappings.size(); j++)
- {
- ASN1Sequence mapping = (ASN1Sequence) mappings.getObjectAt(j);
- ASN1ObjectIdentifier ip_id = (ASN1ObjectIdentifier) mapping.getObjectAt(0);
- ASN1ObjectIdentifier sp_id = (ASN1ObjectIdentifier) mapping.getObjectAt(1);
- if (ANY_POLICY.equals(ip_id.getId()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.invalidPolicyMapping");
- throw new CertPathReviewerException(msg,certPath,index);
- }
- if (ANY_POLICY.equals(sp_id.getId()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.invalidPolicyMapping");
- throw new CertPathReviewerException(msg,certPath,index);
- }
- }
- }
-
- // b)
-
- if (pm != null)
- {
- ASN1Sequence mappings = (ASN1Sequence)pm;
- Map m_idp = new HashMap();
- Set s_idp = new HashSet();
-
- for (int j = 0; j < mappings.size(); j++)
- {
- ASN1Sequence mapping = (ASN1Sequence)mappings.getObjectAt(j);
- String id_p = ((ASN1ObjectIdentifier)mapping.getObjectAt(0)).getId();
- String sd_p = ((ASN1ObjectIdentifier)mapping.getObjectAt(1)).getId();
- Set tmp;
-
- if (!m_idp.containsKey(id_p))
- {
- tmp = new HashSet();
- tmp.add(sd_p);
- m_idp.put(id_p, tmp);
- s_idp.add(id_p);
- }
- else
- {
- tmp = (Set)m_idp.get(id_p);
- tmp.add(sd_p);
- }
- }
-
- Iterator it_idp = s_idp.iterator();
- while (it_idp.hasNext())
- {
- String id_p = (String)it_idp.next();
-
- //
- // (1)
- //
- if (policyMapping > 0)
- {
- try
- {
- prepareNextCertB1(i,policyNodes,id_p,m_idp,cert);
- }
- catch (AnnotatedException ae)
- {
- // error processing certificate policies extension
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyExtError");
- throw new CertPathReviewerException(msg,ae,certPath,index);
- }
- catch (CertPathValidatorException cpve)
- {
- // error building qualifier set
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyQualifierError");
- throw new CertPathReviewerException(msg,cpve,certPath,index);
- }
-
- //
- // (2)
- //
- }
- else if (policyMapping <= 0)
- {
- validPolicyTree = prepareNextCertB2(i,policyNodes,id_p,validPolicyTree);
- }
-
- }
- }
-
- //
- // h)
- //
-
- if (!isSelfIssued(cert))
- {
-
- // (1)
- if (explicitPolicy != 0)
- {
- explicitPolicy--;
- }
-
- // (2)
- if (policyMapping != 0)
- {
- policyMapping--;
- }
-
- // (3)
- if (inhibitAnyPolicy != 0)
- {
- inhibitAnyPolicy--;
- }
-
- }
-
- //
- // i)
- //
-
- try
- {
- ASN1Sequence pc = (ASN1Sequence) getExtensionValue(cert,POLICY_CONSTRAINTS);
- if (pc != null)
- {
- Enumeration policyConstraints = pc.getObjects();
-
- while (policyConstraints.hasMoreElements())
- {
- ASN1TaggedObject constraint = (ASN1TaggedObject) policyConstraints.nextElement();
- int tmpInt;
-
- switch (constraint.getTagNo())
- {
- case 0:
- tmpInt = ASN1Integer.getInstance(constraint, false).getValue().intValue();
- if (tmpInt < explicitPolicy)
- {
- explicitPolicy = tmpInt;
- }
- break;
- case 1:
- tmpInt = ASN1Integer.getInstance(constraint, false).getValue().intValue();
- if (tmpInt < policyMapping)
- {
- policyMapping = tmpInt;
- }
- break;
- }
- }
- }
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyConstExtError");
- throw new CertPathReviewerException(msg,certPath,index);
- }
-
- //
- // j)
- //
-
- try
- {
- ASN1Integer iap = (ASN1Integer)getExtensionValue(cert, INHIBIT_ANY_POLICY);
-
- if (iap != null)
- {
- int _inhibitAnyPolicy = iap.getValue().intValue();
-
- if (_inhibitAnyPolicy < inhibitAnyPolicy)
- {
- inhibitAnyPolicy = _inhibitAnyPolicy;
- }
- }
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyInhibitExtError");
- throw new CertPathReviewerException(msg,certPath,index);
- }
- }
-
- }
-
- //
- // 6.1.5 Wrap up
- //
-
- //
- // a)
- //
-
- if (!isSelfIssued(cert) && explicitPolicy > 0)
- {
- explicitPolicy--;
- }
-
- //
- // b)
- //
-
- try
- {
- ASN1Sequence pc = (ASN1Sequence) getExtensionValue(cert, POLICY_CONSTRAINTS);
- if (pc != null)
- {
- Enumeration policyConstraints = pc.getObjects();
-
- while (policyConstraints.hasMoreElements())
- {
- ASN1TaggedObject constraint = (ASN1TaggedObject)policyConstraints.nextElement();
- switch (constraint.getTagNo())
- {
- case 0:
- int tmpInt = ASN1Integer.getInstance(constraint, false).getValue().intValue();
- if (tmpInt == 0)
- {
- explicitPolicy = 0;
- }
- break;
- }
- }
- }
- }
- catch (AnnotatedException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.policyConstExtError");
- throw new CertPathReviewerException(msg,certPath,index);
- }
-
-
- //
- // (g)
- //
- PKIXPolicyNode intersection;
-
-
- //
- // (g) (i)
- //
- if (validPolicyTree == null)
- {
- if (pkixParams.isExplicitPolicyRequired())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.explicitPolicy");
- throw new CertPathReviewerException(msg,certPath,index);
- }
- intersection = null;
- }
- else if (isAnyPolicy(userInitialPolicySet)) // (g) (ii)
- {
- if (pkixParams.isExplicitPolicyRequired())
- {
- if (acceptablePolicies.isEmpty())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.explicitPolicy");
- throw new CertPathReviewerException(msg,certPath,index);
- }
- else
- {
- Set _validPolicyNodeSet = new HashSet();
-
- for (int j = 0; j < policyNodes.length; j++)
- {
- List _nodeDepth = policyNodes[j];
-
- for (int k = 0; k < _nodeDepth.size(); k++)
- {
- PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k);
-
- if (ANY_POLICY.equals(_node.getValidPolicy()))
- {
- Iterator _iter = _node.getChildren();
- while (_iter.hasNext())
- {
- _validPolicyNodeSet.add(_iter.next());
- }
- }
- }
- }
-
- Iterator _vpnsIter = _validPolicyNodeSet.iterator();
- while (_vpnsIter.hasNext())
- {
- PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next();
- String _validPolicy = _node.getValidPolicy();
-
- if (!acceptablePolicies.contains(_validPolicy))
- {
- //validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node);
- }
- }
- if (validPolicyTree != null)
- {
- for (int j = (n - 1); j >= 0; j--)
- {
- List nodes = policyNodes[j];
-
- for (int k = 0; k < nodes.size(); k++)
- {
- PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k);
- if (!node.hasChildren())
- {
- validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
- }
- }
- }
- }
- }
- }
-
- intersection = validPolicyTree;
- }
- else
- {
- //
- // (g) (iii)
- //
- // This implementation is not exactly same as the one described in RFC3280.
- // However, as far as the validation result is concerned, both produce
- // adequate result. The only difference is whether AnyPolicy is remain
- // in the policy tree or not.
- //
- // (g) (iii) 1
- //
- Set _validPolicyNodeSet = new HashSet();
-
- for (int j = 0; j < policyNodes.length; j++)
- {
- List _nodeDepth = policyNodes[j];
-
- for (int k = 0; k < _nodeDepth.size(); k++)
- {
- PKIXPolicyNode _node = (PKIXPolicyNode)_nodeDepth.get(k);
-
- if (ANY_POLICY.equals(_node.getValidPolicy()))
- {
- Iterator _iter = _node.getChildren();
- while (_iter.hasNext())
- {
- PKIXPolicyNode _c_node = (PKIXPolicyNode)_iter.next();
- if (!ANY_POLICY.equals(_c_node.getValidPolicy()))
- {
- _validPolicyNodeSet.add(_c_node);
- }
- }
- }
- }
- }
-
- //
- // (g) (iii) 2
- //
- Iterator _vpnsIter = _validPolicyNodeSet.iterator();
- while (_vpnsIter.hasNext())
- {
- PKIXPolicyNode _node = (PKIXPolicyNode)_vpnsIter.next();
- String _validPolicy = _node.getValidPolicy();
-
- if (!userInitialPolicySet.contains(_validPolicy))
- {
- validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, _node);
- }
- }
-
- //
- // (g) (iii) 4
- //
- if (validPolicyTree != null)
- {
- for (int j = (n - 1); j >= 0; j--)
- {
- List nodes = policyNodes[j];
-
- for (int k = 0; k < nodes.size(); k++)
- {
- PKIXPolicyNode node = (PKIXPolicyNode)nodes.get(k);
- if (!node.hasChildren())
- {
- validPolicyTree = removePolicyNode(validPolicyTree, policyNodes, node);
- }
- }
- }
- }
-
- intersection = validPolicyTree;
- }
-
- if ((explicitPolicy <= 0) && (intersection == null))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.invalidPolicy");
- throw new CertPathReviewerException(msg);
- }
-
- validPolicyTree = intersection;
- }
- catch (CertPathReviewerException cpre)
- {
- addError(cpre.getErrorMessage(),cpre.getIndex());
- validPolicyTree = null;
- }
- }
-
- private void checkCriticalExtensions()
- {
- //
- // initialise CertPathChecker's
- //
- List pathCheckers = pkixParams.getCertPathCheckers();
- Iterator certIter = pathCheckers.iterator();
-
- try
- {
- try
- {
- while (certIter.hasNext())
- {
- ((PKIXCertPathChecker)certIter.next()).init(false);
- }
- }
- catch (CertPathValidatorException cpve)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathCheckerError",
- new Object[] {cpve.getMessage(),cpve,cpve.getClass().getName()});
- throw new CertPathReviewerException(msg,cpve);
- }
-
- //
- // process critical extesions for each certificate
- //
-
- X509Certificate cert = null;
-
- int index;
-
- for (index = certs.size()-1; index >= 0; index--)
- {
- cert = (X509Certificate) certs.get(index);
-
- Set criticalExtensions = cert.getCriticalExtensionOIDs();
- if (criticalExtensions == null || criticalExtensions.isEmpty())
- {
- continue;
- }
- // remove already processed extensions
- criticalExtensions.remove(KEY_USAGE);
- criticalExtensions.remove(CERTIFICATE_POLICIES);
- criticalExtensions.remove(POLICY_MAPPINGS);
- criticalExtensions.remove(INHIBIT_ANY_POLICY);
- criticalExtensions.remove(ISSUING_DISTRIBUTION_POINT);
- criticalExtensions.remove(DELTA_CRL_INDICATOR);
- criticalExtensions.remove(POLICY_CONSTRAINTS);
- criticalExtensions.remove(BASIC_CONSTRAINTS);
- criticalExtensions.remove(SUBJECT_ALTERNATIVE_NAME);
- criticalExtensions.remove(NAME_CONSTRAINTS);
-
- // process qcStatements extension
- if (criticalExtensions.contains(QC_STATEMENT))
- {
- if (processQcStatements(cert,index))
- {
- criticalExtensions.remove(QC_STATEMENT);
- }
- }
-
- Iterator tmpIter = pathCheckers.iterator();
- while (tmpIter.hasNext())
- {
- try
- {
- ((PKIXCertPathChecker)tmpIter.next()).check(cert, criticalExtensions);
- }
- catch (CertPathValidatorException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.criticalExtensionError",
- new Object[] {e.getMessage(),e,e.getClass().getName()});
- throw new CertPathReviewerException(msg,e.getCause(),certPath,index);
- }
- }
- if (!criticalExtensions.isEmpty())
- {
- ErrorBundle msg;
- Iterator it = criticalExtensions.iterator();
- while (it.hasNext())
- {
- msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.unknownCriticalExt",
- new Object[] {new ASN1ObjectIdentifier((String) it.next())});
- addError(msg, index);
- }
- }
- }
- }
- catch (CertPathReviewerException cpre)
- {
- addError(cpre.getErrorMessage(),cpre.getIndex());
- }
- }
-
- private boolean processQcStatements(
- X509Certificate cert,
- int index)
- {
- try
- {
- boolean unknownStatement = false;
-
- ASN1Sequence qcSt = (ASN1Sequence) getExtensionValue(cert,QC_STATEMENT);
- for (int j = 0; j < qcSt.size(); j++)
- {
- QCStatement stmt = QCStatement.getInstance(qcSt.getObjectAt(j));
- if (QCStatement.id_etsi_qcs_QcCompliance.equals(stmt.getStatementId()))
- {
- // process statement - just write a notification that the certificate contains this statement
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcEuCompliance");
- addNotification(msg,index);
- }
- else if (QCStatement.id_qcs_pkixQCSyntax_v1.equals(stmt.getStatementId()))
- {
- // process statement - just recognize the statement
- }
- else if (QCStatement.id_etsi_qcs_QcSSCD.equals(stmt.getStatementId()))
- {
- // process statement - just write a notification that the certificate contains this statement
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcSSCD");
- addNotification(msg,index);
- }
- else if (QCStatement.id_etsi_qcs_LimiteValue.equals(stmt.getStatementId()))
- {
- // process statement - write a notification containing the limit value
- MonetaryValue limit = MonetaryValue.getInstance(stmt.getStatementInfo());
- Iso4217CurrencyCode currency = limit.getCurrency();
- double value = limit.getAmount().doubleValue() * Math.pow(10,limit.getExponent().doubleValue());
- ErrorBundle msg;
- if (limit.getCurrency().isAlphabetic())
- {
- msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueAlpha",
- new Object[] {limit.getCurrency().getAlphabetic(),
- new TrustedInput(new Double(value)),
- limit});
- }
- else
- {
- msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcLimitValueNum",
- new Object[]{Integers.valueOf(limit.getCurrency().getNumeric()),
- new TrustedInput(new Double(value)),
- limit});
- }
- addNotification(msg,index);
- }
- else
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcUnknownStatement",
- new Object[] {stmt.getStatementId(),new UntrustedInput(stmt)});
- addNotification(msg,index);
- unknownStatement = true;
- }
- }
-
- return !unknownStatement;
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.QcStatementExtError");
- addError(msg,index);
- }
-
- return false;
- }
-
- private String IPtoString(byte[] ip)
- {
- String result;
- try
- {
- result = InetAddress.getByAddress(ip).getHostAddress();
- }
- catch (Exception e)
- {
- StringBuffer b = new StringBuffer();
-
- for (int i = 0; i != ip.length; i++)
- {
- b.append(Integer.toHexString(ip[i] & 0xff));
- b.append(' ');
- }
-
- result = b.toString();
- }
-
- return result;
- }
-
- protected void checkRevocation(PKIXParameters paramsPKIX,
- X509Certificate cert,
- Date validDate,
- X509Certificate sign,
- PublicKey workingPublicKey,
- Vector crlDistPointUrls,
- Vector ocspUrls,
- int index)
- throws CertPathReviewerException
- {
- checkCRLs(paramsPKIX, cert, validDate, sign, workingPublicKey, crlDistPointUrls, index);
- }
-
- protected void checkCRLs(
- PKIXParameters paramsPKIX,
- X509Certificate cert,
- Date validDate,
- X509Certificate sign,
- PublicKey workingPublicKey,
- Vector crlDistPointUrls,
- int index)
- throws CertPathReviewerException
- {
- X509CRLStoreSelector crlselect;
- crlselect = new X509CRLStoreSelector();
-
- try
- {
- crlselect.addIssuerName(getEncodedIssuerPrincipal(cert).getEncoded());
- }
- catch (IOException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlIssuerException");
- throw new CertPathReviewerException(msg,e);
- }
-
- crlselect.setCertificateChecking(cert);
-
- Iterator crl_iter;
- try
- {
- Collection crl_coll = CRL_UTIL.findCRLs(crlselect, paramsPKIX);
- crl_iter = crl_coll.iterator();
-
- if (crl_coll.isEmpty())
- {
- // notifcation - no local crls found
- crl_coll = CRL_UTIL.findCRLs(new X509CRLStoreSelector(),paramsPKIX);
- Iterator it = crl_coll.iterator();
- List nonMatchingCrlNames = new ArrayList();
- while (it.hasNext())
- {
- nonMatchingCrlNames.add(((X509CRL) it.next()).getIssuerX500Principal());
- }
- int numbOfCrls = nonMatchingCrlNames.size();
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.noCrlInCertstore",
- new Object[]{new UntrustedInput(crlselect.getIssuerNames()),
- new UntrustedInput(nonMatchingCrlNames),
- Integers.valueOf(numbOfCrls)});
- addNotification(msg,index);
- }
-
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlExtractionError",
- new Object[] {ae.getCause().getMessage(),ae.getCause(),ae.getCause().getClass().getName()});
- addError(msg,index);
- crl_iter = new ArrayList().iterator();
- }
- boolean validCrlFound = false;
- X509CRL crl = null;
- while (crl_iter.hasNext())
- {
- crl = (X509CRL)crl_iter.next();
-
- if (crl.getNextUpdate() == null
- || paramsPKIX.getDate().before(crl.getNextUpdate()))
- {
- validCrlFound = true;
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.localValidCRL",
- new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
- addNotification(msg,index);
- break;
- }
- else
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.localInvalidCRL",
- new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
- addNotification(msg,index);
- }
- }
-
- // if no valid crl was found in the CertStores try to get one from a
- // crl distribution point
- if (!validCrlFound)
- {
- X509CRL onlineCRL = null;
- Iterator urlIt = crlDistPointUrls.iterator();
- while (urlIt.hasNext())
- {
- try
- {
- String location = (String) urlIt.next();
- onlineCRL = getCRL(location);
- if (onlineCRL != null)
- {
- // check if crl issuer is correct
- if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.onlineCRLWrongCA",
- new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
- new UntrustedInput(cert.getIssuerX500Principal().getName()),
- new UntrustedUrlInput(location)});
- addNotification(msg,index);
- continue;
- }
-
- if (onlineCRL.getNextUpdate() == null
- || pkixParams.getDate().before(onlineCRL.getNextUpdate()))
- {
- validCrlFound = true;
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.onlineValidCRL",
- new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
- new TrustedInput(onlineCRL.getNextUpdate()),
- new UntrustedUrlInput(location)});
- addNotification(msg,index);
- crl = onlineCRL;
- break;
- }
- else
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.onlineInvalidCRL",
- new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
- new TrustedInput(onlineCRL.getNextUpdate()),
- new UntrustedUrlInput(location)});
- addNotification(msg,index);
- }
- }
- }
- catch (CertPathReviewerException cpre)
- {
- addNotification(cpre.getErrorMessage(),index);
- }
- }
- }
-
- // check the crl
- X509CRLEntry crl_entry;
- if (crl != null)
- {
- if (sign != null)
- {
- boolean[] keyusage = sign.getKeyUsage();
-
- if (keyusage != null
- && (keyusage.length < 7 || !keyusage[CRL_SIGN]))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noCrlSigningPermited");
- throw new CertPathReviewerException(msg);
- }
- }
-
- if (workingPublicKey != null)
- {
- try
- {
- crl.verify(workingPublicKey, "BC");
- }
- catch (Exception e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlVerifyFailed");
- throw new CertPathReviewerException(msg,e);
- }
- }
- else // issuer public key not known
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNoIssuerPublicKey");
- throw new CertPathReviewerException(msg);
- }
-
- crl_entry = crl.getRevokedCertificate(cert.getSerialNumber());
- if (crl_entry != null)
- {
- String reason = null;
-
- if (crl_entry.hasExtensions())
- {
- ASN1Enumerated reasonCode;
- try
- {
- reasonCode = ASN1Enumerated.getInstance(getExtensionValue(crl_entry, X509Extensions.ReasonCode.getId()));
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlReasonExtError");
- throw new CertPathReviewerException(msg,ae);
- }
- if (reasonCode != null)
- {
- reason = crlReasons[reasonCode.getValue().intValue()];
- }
- }
-
- if (reason == null)
- {
- reason = crlReasons[7]; // unknown
- }
-
- // i18n reason
- LocaleString ls = new LocaleString(RESOURCE_NAME, reason);
-
- if (!validDate.before(crl_entry.getRevocationDate()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certRevoked",
- new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
- throw new CertPathReviewerException(msg);
- }
- else // cert was revoked after validation date
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.revokedAfterValidation",
- new Object[] {new TrustedInput(crl_entry.getRevocationDate()),ls});
- addNotification(msg,index);
- }
- }
- else // cert is not revoked
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.notRevoked");
- addNotification(msg,index);
- }
-
- //
- // warn if a new crl is available
- //
- if (crl.getNextUpdate() != null && crl.getNextUpdate().before(pkixParams.getDate()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
- new Object[] {new TrustedInput(crl.getNextUpdate())});
- addNotification(msg,index);
- }
-
- //
- // check the DeltaCRL indicator, base point and the issuing distribution point
- //
- ASN1Primitive idp;
- try
- {
- idp = getExtensionValue(crl, ISSUING_DISTRIBUTION_POINT);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.distrPtExtError");
- throw new CertPathReviewerException(msg);
- }
- ASN1Primitive dci;
- try
- {
- dci = getExtensionValue(crl, DELTA_CRL_INDICATOR);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.deltaCrlExtError");
- throw new CertPathReviewerException(msg);
- }
-
- if (dci != null)
- {
- X509CRLStoreSelector baseSelect = new X509CRLStoreSelector();
-
- try
- {
- baseSelect.addIssuerName(getIssuerPrincipal(crl).getEncoded());
- }
- catch (IOException e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlIssuerException");
- throw new CertPathReviewerException(msg,e);
- }
-
- baseSelect.setMinCRLNumber(((ASN1Integer)dci).getPositiveValue());
- try
- {
- baseSelect.setMaxCRLNumber(((ASN1Integer)getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1)));
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlNbrExtError");
- throw new CertPathReviewerException(msg,ae);
- }
-
- boolean foundBase = false;
- Iterator it;
- try
- {
- it = CRL_UTIL.findCRLs(baseSelect, paramsPKIX).iterator();
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlExtractionError");
- throw new CertPathReviewerException(msg,ae);
- }
- while (it.hasNext())
- {
- X509CRL base = (X509CRL)it.next();
-
- ASN1Primitive baseIdp;
- try
- {
- baseIdp = getExtensionValue(base, ISSUING_DISTRIBUTION_POINT);
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.distrPtExtError");
- throw new CertPathReviewerException(msg,ae);
- }
-
- if (idp == null)
- {
- if (baseIdp == null)
- {
- foundBase = true;
- break;
- }
- }
- else
- {
- if (idp.equals(baseIdp))
- {
- foundBase = true;
- break;
- }
- }
- }
-
- if (!foundBase)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noBaseCRL");
- throw new CertPathReviewerException(msg);
- }
- }
-
- if (idp != null)
- {
- IssuingDistributionPoint p = IssuingDistributionPoint.getInstance(idp);
- BasicConstraints bc = null;
- try
- {
- bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS));
- }
- catch (AnnotatedException ae)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlBCExtError");
- throw new CertPathReviewerException(msg,ae);
- }
-
- if (p.onlyContainsUserCerts() && (bc != null && bc.isCA()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyUserCert");
- throw new CertPathReviewerException(msg);
- }
-
- if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyCaCert");
- throw new CertPathReviewerException(msg);
- }
-
- if (p.onlyContainsAttributeCerts())
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlOnlyAttrCert");
- throw new CertPathReviewerException(msg);
- }
- }
- }
-
- if (!validCrlFound)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noValidCrlFound");
- throw new CertPathReviewerException(msg);
- }
-
- }
-
- protected Vector getCRLDistUrls(CRLDistPoint crlDistPoints)
- {
- Vector urls = new Vector();
-
- if (crlDistPoints != null)
- {
- DistributionPoint[] distPoints = crlDistPoints.getDistributionPoints();
- for (int i = 0; i < distPoints.length; i++)
- {
- DistributionPointName dp_name = distPoints[i].getDistributionPoint();
- if (dp_name.getType() == DistributionPointName.FULL_NAME)
- {
- GeneralName[] generalNames = GeneralNames.getInstance(dp_name.getName()).getNames();
- for (int j = 0; j < generalNames.length; j++)
- {
- if (generalNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
- {
- String url = ((DERIA5String) generalNames[j].getName()).getString();
- urls.add(url);
- }
- }
- }
- }
- }
- return urls;
- }
-
- protected Vector getOCSPUrls(AuthorityInformationAccess authInfoAccess)
- {
- Vector urls = new Vector();
-
- if (authInfoAccess != null)
- {
- AccessDescription[] ads = authInfoAccess.getAccessDescriptions();
- for (int i = 0; i < ads.length; i++)
- {
- if (ads[i].getAccessMethod().equals(AccessDescription.id_ad_ocsp))
- {
- GeneralName name = ads[i].getAccessLocation();
- if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
- {
- String url = ((DERIA5String) name.getName()).getString();
- urls.add(url);
- }
- }
- }
- }
-
- return urls;
- }
-
- private X509CRL getCRL(String location) throws CertPathReviewerException
- {
- X509CRL result = null;
- try
- {
- URL url = new URL(location);
-
- if (url.getProtocol().equals("http") || url.getProtocol().equals("https"))
- {
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- conn.setUseCaches(false);
- //conn.setConnectTimeout(2000);
- conn.setDoInput(true);
- conn.connect();
- if (conn.getResponseCode() == HttpURLConnection.HTTP_OK)
- {
- CertificateFactory cf = CertificateFactory.getInstance("X.509","BC");
- result = (X509CRL) cf.generateCRL(conn.getInputStream());
- }
- else
- {
- throw new Exception(conn.getResponseMessage());
- }
- }
- }
- catch (Exception e)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
- "CertPathReviewer.loadCrlDistPointError",
- new Object[] {new UntrustedInput(location),
- e.getMessage(),e,e.getClass().getName()});
- throw new CertPathReviewerException(msg);
- }
- return result;
- }
-
- protected Collection getTrustAnchors(X509Certificate cert, Set trustanchors) throws CertPathReviewerException
- {
- Collection trustColl = new ArrayList();
- Iterator it = trustanchors.iterator();
-
- X509CertSelector certSelectX509 = new X509CertSelector();
-
- try
- {
- certSelectX509.setSubject(getEncodedIssuerPrincipal(cert).getEncoded());
- byte[] ext = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
-
- if (ext != null)
- {
- ASN1OctetString oct = (ASN1OctetString)ASN1Primitive.fromByteArray(ext);
- AuthorityKeyIdentifier authID = AuthorityKeyIdentifier.getInstance(ASN1Primitive.fromByteArray(oct.getOctets()));
-
- certSelectX509.setSerialNumber(authID.getAuthorityCertSerialNumber());
- byte[] keyID = authID.getKeyIdentifier();
- if (keyID != null)
- {
- certSelectX509.setSubjectKeyIdentifier(new DEROctetString(keyID).getEncoded());
- }
- }
- }
- catch (IOException ex)
- {
- ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.trustAnchorIssuerError");
- throw new CertPathReviewerException(msg);
- }
-
- while (it.hasNext())
- {
- TrustAnchor trust = (TrustAnchor) it.next();
- if (trust.getTrustedCert() != null)
- {
- if (certSelectX509.match(trust.getTrustedCert()))
- {
- trustColl.add(trust);
- }
- }
- else if (trust.getCAName() != null && trust.getCAPublicKey() != null)
- {
- X500Principal certIssuer = getEncodedIssuerPrincipal(cert);
- X500Principal caName = new X500Principal(trust.getCAName());
- if (certIssuer.equals(caName))
- {
- trustColl.add(trust);
- }
- }
- }
- return trustColl;
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509AttributeCertStoreSelector.java b/bcprov/src/main/java/org/bouncycastle/x509/X509AttributeCertStoreSelector.java
deleted file mode 100644
index bd474fd..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509AttributeCertStoreSelector.java
+++ /dev/null
@@ -1,484 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.Target;
-import org.bouncycastle.asn1.x509.TargetInformation;
-import org.bouncycastle.asn1.x509.Targets;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.util.Selector;
-
-/**
- * This class is an <code>Selector</code> like implementation to select
- * attribute certificates from a given set of criteria.
- *
- * @see org.bouncycastle.x509.X509AttributeCertificate
- * @see org.bouncycastle.x509.X509Store
- * @deprecated use org.bouncycastle.cert.X509AttributeCertificateSelector and org.bouncycastle.cert.X509AttributeCertificateSelectorBuilder.
- */
-public class X509AttributeCertStoreSelector
- implements Selector
-{
-
- // TODO: name constraints???
-
- private AttributeCertificateHolder holder;
-
- private AttributeCertificateIssuer issuer;
-
- private BigInteger serialNumber;
-
- private Date attributeCertificateValid;
-
- private X509AttributeCertificate attributeCert;
-
- private Collection targetNames = new HashSet();
-
- private Collection targetGroups = new HashSet();
-
- public X509AttributeCertStoreSelector()
- {
- super();
- }
-
- /**
- * Decides if the given attribute certificate should be selected.
- *
- * @param obj The attribute certificate which should be checked.
- * @return <code>true</code> if the attribute certificate can be selected,
- * <code>false</code> otherwise.
- */
- public boolean match(Object obj)
- {
- if (!(obj instanceof X509AttributeCertificate))
- {
- return false;
- }
-
- X509AttributeCertificate attrCert = (X509AttributeCertificate) obj;
-
- if (this.attributeCert != null)
- {
- if (!this.attributeCert.equals(attrCert))
- {
- return false;
- }
- }
- if (serialNumber != null)
- {
- if (!attrCert.getSerialNumber().equals(serialNumber))
- {
- return false;
- }
- }
- if (holder != null)
- {
- if (!attrCert.getHolder().equals(holder))
- {
- return false;
- }
- }
- if (issuer != null)
- {
- if (!attrCert.getIssuer().equals(issuer))
- {
- return false;
- }
- }
-
- if (attributeCertificateValid != null)
- {
- try
- {
- attrCert.checkValidity(attributeCertificateValid);
- }
- catch (CertificateExpiredException e)
- {
- return false;
- }
- catch (CertificateNotYetValidException e)
- {
- return false;
- }
- }
- if (!targetNames.isEmpty() || !targetGroups.isEmpty())
- {
-
- byte[] targetInfoExt = attrCert
- .getExtensionValue(X509Extensions.TargetInformation.getId());
- if (targetInfoExt != null)
- {
- TargetInformation targetinfo;
- try
- {
- targetinfo = TargetInformation
- .getInstance(new ASN1InputStream(
- ((DEROctetString) DEROctetString
- .fromByteArray(targetInfoExt)).getOctets())
- .readObject());
- }
- catch (IOException e)
- {
- return false;
- }
- catch (IllegalArgumentException e)
- {
- return false;
- }
- Targets[] targetss = targetinfo.getTargetsObjects();
- if (!targetNames.isEmpty())
- {
- boolean found = false;
-
- for (int i=0; i<targetss.length; i++)
- {
- Targets t = targetss[i];
- Target[] targets = t.getTargets();
- for (int j=0; j<targets.length; j++)
- {
- if (targetNames.contains(GeneralName.getInstance(targets[j]
- .getTargetName())))
- {
- found = true;
- break;
- }
- }
- }
- if (!found)
- {
- return false;
- }
- }
- if (!targetGroups.isEmpty())
- {
- boolean found = false;
-
- for (int i=0; i<targetss.length; i++)
- {
- Targets t = targetss[i];
- Target[] targets = t.getTargets();
- for (int j=0; j<targets.length; j++)
- {
- if (targetGroups.contains(GeneralName.getInstance(targets[j]
- .getTargetGroup())))
- {
- found = true;
- break;
- }
- }
- }
- if (!found)
- {
- return false;
- }
- }
- }
- }
- return true;
- }
-
- /**
- * Returns a clone of this object.
- *
- * @return the clone.
- */
- public Object clone()
- {
- X509AttributeCertStoreSelector sel = new X509AttributeCertStoreSelector();
- sel.attributeCert = attributeCert;
- sel.attributeCertificateValid = getAttributeCertificateValid();
- sel.holder = holder;
- sel.issuer = issuer;
- sel.serialNumber = serialNumber;
- sel.targetGroups = getTargetGroups();
- sel.targetNames = getTargetNames();
- return sel;
- }
-
- /**
- * Returns the attribute certificate which must be matched.
- *
- * @return Returns the attribute certificate.
- */
- public X509AttributeCertificate getAttributeCert()
- {
- return attributeCert;
- }
-
- /**
- * Set the attribute certificate to be matched. If <code>null</code> is
- * given any will do.
- *
- * @param attributeCert The attribute certificate to set.
- */
- public void setAttributeCert(X509AttributeCertificate attributeCert)
- {
- this.attributeCert = attributeCert;
- }
-
- /**
- * Get the criteria for the validity.
- *
- * @return Returns the attributeCertificateValid.
- */
- public Date getAttributeCertificateValid()
- {
- if (attributeCertificateValid != null)
- {
- return new Date(attributeCertificateValid.getTime());
- }
-
- return null;
- }
-
- /**
- * Set the time, when the certificate must be valid. If <code>null</code>
- * is given any will do.
- *
- * @param attributeCertificateValid The attribute certificate validation
- * time to set.
- */
- public void setAttributeCertificateValid(Date attributeCertificateValid)
- {
- if (attributeCertificateValid != null)
- {
- this.attributeCertificateValid = new Date(attributeCertificateValid
- .getTime());
- }
- else
- {
- this.attributeCertificateValid = null;
- }
- }
-
- /**
- * Gets the holder.
- *
- * @return Returns the holder.
- */
- public AttributeCertificateHolder getHolder()
- {
- return holder;
- }
-
- /**
- * Sets the holder. If <code>null</code> is given any will do.
- *
- * @param holder The holder to set.
- */
- public void setHolder(AttributeCertificateHolder holder)
- {
- this.holder = holder;
- }
-
- /**
- * Returns the issuer criterion.
- *
- * @return Returns the issuer.
- */
- public AttributeCertificateIssuer getIssuer()
- {
- return issuer;
- }
-
- /**
- * Sets the issuer the attribute certificate must have. If <code>null</code>
- * is given any will do.
- *
- * @param issuer The issuer to set.
- */
- public void setIssuer(AttributeCertificateIssuer issuer)
- {
- this.issuer = issuer;
- }
-
- /**
- * Gets the serial number the attribute certificate must have.
- *
- * @return Returns the serialNumber.
- */
- public BigInteger getSerialNumber()
- {
- return serialNumber;
- }
-
- /**
- * Sets the serial number the attribute certificate must have. If
- * <code>null</code> is given any will do.
- *
- * @param serialNumber The serialNumber to set.
- */
- public void setSerialNumber(BigInteger serialNumber)
- {
- this.serialNumber = serialNumber;
- }
-
- /**
- * Adds a target name criterion for the attribute certificate to the target
- * information extension criteria. The <code>X509AttributeCertificate</code>
- * must contain at least one of the specified target names.
- * <p>
- * Each attribute certificate may contain a target information extension
- * limiting the servers where this attribute certificate can be used. If
- * this extension is not present, the attribute certificate is not targeted
- * and may be accepted by any server.
- *
- * @param name The name as a GeneralName (not <code>null</code>)
- */
- public void addTargetName(GeneralName name)
- {
- targetNames.add(name);
- }
-
- /**
- * Adds a target name criterion for the attribute certificate to the target
- * information extension criteria. The <code>X509AttributeCertificate</code>
- * must contain at least one of the specified target names.
- * <p>
- * Each attribute certificate may contain a target information extension
- * limiting the servers where this attribute certificate can be used. If
- * this extension is not present, the attribute certificate is not targeted
- * and may be accepted by any server.
- *
- * @param name a byte array containing the name in ASN.1 DER encoded form of a GeneralName
- * @throws IOException if a parsing error occurs.
- */
- public void addTargetName(byte[] name) throws IOException
- {
- addTargetName(GeneralName.getInstance(ASN1Primitive.fromByteArray(name)));
- }
-
- /**
- * Adds a collection with target names criteria. If <code>null</code> is
- * given any will do.
- * <p>
- * The collection consists of either GeneralName objects or byte[] arrays representing
- * DER encoded GeneralName structures.
- *
- * @param names A collection of target names.
- * @throws IOException if a parsing error occurs.
- * @see #addTargetName(byte[])
- * @see #addTargetName(GeneralName)
- */
- public void setTargetNames(Collection names) throws IOException
- {
- targetNames = extractGeneralNames(names);
- }
-
- /**
- * Gets the target names. The collection consists of <code>GeneralName</code>
- * objects.
- * <p>
- * The returned collection is immutable.
- *
- * @return The collection of target names
- * @see #setTargetNames(Collection)
- */
- public Collection getTargetNames()
- {
- return Collections.unmodifiableCollection(targetNames);
- }
-
- /**
- * Adds a target group criterion for the attribute certificate to the target
- * information extension criteria. The <code>X509AttributeCertificate</code>
- * must contain at least one of the specified target groups.
- * <p>
- * Each attribute certificate may contain a target information extension
- * limiting the servers where this attribute certificate can be used. If
- * this extension is not present, the attribute certificate is not targeted
- * and may be accepted by any server.
- *
- * @param group The group as GeneralName form (not <code>null</code>)
- */
- public void addTargetGroup(GeneralName group)
- {
- targetGroups.add(group);
- }
-
- /**
- * Adds a target group criterion for the attribute certificate to the target
- * information extension criteria. The <code>X509AttributeCertificate</code>
- * must contain at least one of the specified target groups.
- * <p>
- * Each attribute certificate may contain a target information extension
- * limiting the servers where this attribute certificate can be used. If
- * this extension is not present, the attribute certificate is not targeted
- * and may be accepted by any server.
- *
- * @param name a byte array containing the group in ASN.1 DER encoded form of a GeneralName
- * @throws IOException if a parsing error occurs.
- */
- public void addTargetGroup(byte[] name) throws IOException
- {
- addTargetGroup(GeneralName.getInstance(ASN1Primitive.fromByteArray(name)));
- }
-
- /**
- * Adds a collection with target groups criteria. If <code>null</code> is
- * given any will do.
- * <p>
- * The collection consists of <code>GeneralName</code> objects or <code>byte[]</code representing DER
- * encoded GeneralNames.
- *
- * @param names A collection of target groups.
- * @throws IOException if a parsing error occurs.
- * @see #addTargetGroup(byte[])
- * @see #addTargetGroup(GeneralName)
- */
- public void setTargetGroups(Collection names) throws IOException
- {
- targetGroups = extractGeneralNames(names);
- }
-
-
-
- /**
- * Gets the target groups. The collection consists of <code>GeneralName</code> objects.
- * <p>
- * The returned collection is immutable.
- *
- * @return The collection of target groups.
- * @see #setTargetGroups(Collection)
- */
- public Collection getTargetGroups()
- {
- return Collections.unmodifiableCollection(targetGroups);
- }
-
- private Set extractGeneralNames(Collection names)
- throws IOException
- {
- if (names == null || names.isEmpty())
- {
- return new HashSet();
- }
- Set temp = new HashSet();
- for (Iterator it = names.iterator(); it.hasNext();)
- {
- Object o = it.next();
- if (o instanceof GeneralName)
- {
- temp.add(o);
- }
- else
- {
- temp.add(GeneralName.getInstance(ASN1Primitive.fromByteArray((byte[])o)));
- }
- }
- return temp;
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509CertPairStoreSelector.java b/bcprov/src/main/java/org/bouncycastle/x509/X509CertPairStoreSelector.java
deleted file mode 100644
index 187b098..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509CertPairStoreSelector.java
+++ /dev/null
@@ -1,155 +0,0 @@
-package org.bouncycastle.x509;
-
-import org.bouncycastle.util.Selector;
-
-/**
- * This class is an <code>Selector</code> like implementation to select
- * certificates pairs, which are e.g. used for cross certificates. The set of
- * criteria is given from two
- * {@link org.bouncycastle.x509.X509CertStoreSelector}s which must be both
- * matched.
- *
- * @see org.bouncycastle.x509.X509AttributeCertificate
- * @see org.bouncycastle.x509.X509Store
- */
-public class X509CertPairStoreSelector implements Selector
-{
-
- private X509CertStoreSelector forwardSelector;
-
- private X509CertStoreSelector reverseSelector;
-
- private X509CertificatePair certPair;
-
- public X509CertPairStoreSelector()
- {
- }
-
- /**
- * Returns the certificate pair which is used for testing on equality.
- *
- * @return Returns the certificate pair which is checked.
- */
- public X509CertificatePair getCertPair()
- {
- return certPair;
- }
-
- /**
- * Set the certificate pair which is used for testing on equality.
- *
- * @param certPair The certPairChecking to set.
- */
- public void setCertPair(X509CertificatePair certPair)
- {
- this.certPair = certPair;
- }
-
- /**
- * @param forwardSelector The certificate selector for the forward part in
- * the pair.
- */
- public void setForwardSelector(X509CertStoreSelector forwardSelector)
- {
- this.forwardSelector = forwardSelector;
- }
-
- /**
- * @param reverseSelector The certificate selector for the reverse part in
- * the pair.
- */
- public void setReverseSelector(X509CertStoreSelector reverseSelector)
- {
- this.reverseSelector = reverseSelector;
- }
-
- /**
- * Returns a clone of this selector.
- *
- * @return A clone of this selector.
- * @see java.lang.Object#clone()
- */
- public Object clone()
- {
- X509CertPairStoreSelector cln = new X509CertPairStoreSelector();
-
- cln.certPair = certPair;
-
- if (forwardSelector != null)
- {
- cln.setForwardSelector((X509CertStoreSelector) forwardSelector
- .clone());
- }
-
- if (reverseSelector != null)
- {
- cln.setReverseSelector((X509CertStoreSelector) reverseSelector
- .clone());
- }
-
- return cln;
- }
-
- /**
- * Decides if the given certificate pair should be selected. If
- * <code>obj</code> is not a {@link X509CertificatePair} this method
- * returns <code>false</code>.
- *
- * @param obj The {@link X509CertificatePair} which should be tested.
- * @return <code>true</code> if the object matches this selector.
- */
- public boolean match(Object obj)
- {
- try
- {
- if (!(obj instanceof X509CertificatePair))
- {
- return false;
- }
- X509CertificatePair pair = (X509CertificatePair)obj;
-
- if (forwardSelector != null
- && !forwardSelector.match((Object)pair.getForward()))
- {
- return false;
- }
-
- if (reverseSelector != null
- && !reverseSelector.match((Object)pair.getReverse()))
- {
- return false;
- }
-
- if (certPair != null)
- {
- return certPair.equals(obj);
- }
-
- return true;
- }
- catch (Exception e)
- {
- return false;
- }
- }
-
- /**
- * Returns the certicate selector for the forward part.
- *
- * @return Returns the certicate selector for the forward part.
- */
- public X509CertStoreSelector getForwardSelector()
- {
- return forwardSelector;
- }
-
- /**
- * Returns the certicate selector for the reverse part.
- *
- * @return Returns the reverse selector for teh reverse part.
- */
- public X509CertStoreSelector getReverseSelector()
- {
- return reverseSelector;
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509CertificatePair.java b/bcprov/src/main/java/org/bouncycastle/x509/X509CertificatePair.java
deleted file mode 100644
index 73e5ba3..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509CertificatePair.java
+++ /dev/null
@@ -1,167 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.io.IOException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-
-import org.bouncycastle.asn1.ASN1Encoding;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.x509.Certificate;
-import org.bouncycastle.asn1.x509.CertificatePair;
-import org.bouncycastle.jce.provider.X509CertificateObject;
-
-/**
- * This class contains a cross certificate pair. Cross certificates pairs may
- * contain two cross signed certificates from two CAs. A certificate from the
- * other CA to this CA is contained in the forward certificate, the certificate
- * from this CA to the other CA is contained in the reverse certificate.
- */
-public class X509CertificatePair
-{
- private X509Certificate forward;
- private X509Certificate reverse;
-
- /**
- * Constructor.
- *
- * @param forward Certificate from the other CA to this CA.
- * @param reverse Certificate from this CA to the other CA.
- */
- public X509CertificatePair(
- X509Certificate forward,
- X509Certificate reverse)
- {
- this.forward = forward;
- this.reverse = reverse;
- }
-
- /**
- * Constructor from a ASN.1 CertificatePair structure.
- *
- * @param pair The <code>CertificatePair</code> ASN.1 object.
- */
- public X509CertificatePair(
- CertificatePair pair)
- throws CertificateParsingException
- {
- if (pair.getForward() != null)
- {
- this.forward = new X509CertificateObject(pair.getForward());
- }
- if (pair.getReverse() != null)
- {
- this.reverse = new X509CertificateObject(pair.getReverse());
- }
- }
-
- public byte[] getEncoded()
- throws CertificateEncodingException
- {
- Certificate f = null;
- Certificate r = null;
- try
- {
- if (forward != null)
- {
- f = Certificate.getInstance(new ASN1InputStream(
- forward.getEncoded()).readObject());
- if (f == null)
- {
- throw new CertificateEncodingException("unable to get encoding for forward");
- }
- }
- if (reverse != null)
- {
- r = Certificate.getInstance(new ASN1InputStream(
- reverse.getEncoded()).readObject());
- if (r == null)
- {
- throw new CertificateEncodingException("unable to get encoding for reverse");
- }
- }
- return new CertificatePair(f, r).getEncoded(ASN1Encoding.DER);
- }
- catch (IllegalArgumentException e)
- {
- throw new ExtCertificateEncodingException(e.toString(), e);
- }
- catch (IOException e)
- {
- throw new ExtCertificateEncodingException(e.toString(), e);
- }
- }
-
- /**
- * Returns the certificate from the other CA to this CA.
- *
- * @return Returns the forward certificate.
- */
- public X509Certificate getForward()
- {
- return forward;
- }
-
- /**
- * Return the certificate from this CA to the other CA.
- *
- * @return Returns the reverse certificate.
- */
- public X509Certificate getReverse()
- {
- return reverse;
- }
-
- public boolean equals(Object o)
- {
- if (o == null)
- {
- return false;
- }
- if (!(o instanceof X509CertificatePair))
- {
- return false;
- }
- X509CertificatePair pair = (X509CertificatePair)o;
- boolean equalReverse = true;
- boolean equalForward = true;
- if (forward != null)
- {
- equalForward = this.forward.equals(pair.forward);
- }
- else
- {
- if (pair.forward != null)
- {
- equalForward = false;
- }
- }
- if (reverse != null)
- {
- equalReverse = this.reverse.equals(pair.reverse);
- }
- else
- {
- if (pair.reverse != null)
- {
- equalReverse = false;
- }
- }
- return equalForward && equalReverse;
- }
-
- public int hashCode()
- {
- int hash = -1;
- if (forward != null)
- {
- hash ^= forward.hashCode();
- }
- if (reverse != null)
- {
- hash *= 17;
- hash ^= reverse.hashCode();
- }
- return hash;
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509Store.java b/bcprov/src/main/java/org/bouncycastle/x509/X509Store.java
deleted file mode 100644
index 61d921c..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509Store.java
+++ /dev/null
@@ -1,82 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Provider;
-import java.util.Collection;
-
-import org.bouncycastle.util.Selector;
-import org.bouncycastle.util.Store;
-
-/**
- * @deprecated use CollectionStore - this class will be removed.
- */
-public class X509Store
- implements Store
-{
- public static X509Store getInstance(String type, X509StoreParameters parameters)
- throws NoSuchStoreException
- {
- try
- {
- X509Util.Implementation impl = X509Util.getImplementation("X509Store", type);
-
- return createStore(impl, parameters);
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new NoSuchStoreException(e.getMessage());
- }
- }
-
- public static X509Store getInstance(String type, X509StoreParameters parameters, String provider)
- throws NoSuchStoreException, NoSuchProviderException
- {
- return getInstance(type, parameters, X509Util.getProvider(provider));
- }
-
- public static X509Store getInstance(String type, X509StoreParameters parameters, Provider provider)
- throws NoSuchStoreException
- {
- try
- {
- X509Util.Implementation impl = X509Util.getImplementation("X509Store", type, provider);
-
- return createStore(impl, parameters);
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new NoSuchStoreException(e.getMessage());
- }
- }
-
- private static X509Store createStore(X509Util.Implementation impl, X509StoreParameters parameters)
- {
- X509StoreSpi spi = (X509StoreSpi)impl.getEngine();
-
- spi.engineInit(parameters);
-
- return new X509Store(impl.getProvider(), spi);
- }
-
- private Provider _provider;
- private X509StoreSpi _spi;
-
- private X509Store(
- Provider provider,
- X509StoreSpi spi)
- {
- _provider = provider;
- _spi = spi;
- }
-
- public Provider getProvider()
- {
- return _provider;
- }
-
- public Collection getMatches(Selector selector)
- {
- return _spi.engineGetMatches(selector);
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParser.java b/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParser.java
deleted file mode 100644
index 3ad2846..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParser.java
+++ /dev/null
@@ -1,161 +0,0 @@
-package org.bouncycastle.x509;
-
-import org.bouncycastle.x509.util.StreamParser;
-import org.bouncycastle.x509.util.StreamParsingException;
-
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Provider;
-import java.util.Collection;
-
-/**
- *
- * This class allows access to different implementations for reading X.509
- * objects from streams.
- * <p>
- * A X509StreamParser is used to read a collection of objects or a single object
- * of a certain X.509 object structure. E.g. one X509StreamParser can read
- * certificates, another one CRLs, certification paths, attribute certificates
- * and so on. The kind of object structure is specified with the
- * <code>algorithm</code> parameter to the <code>getInstance</code> methods.
- * <p>
- * Implementations must implement the
- * {@link org.bouncycastle.x509.X509StreamParserSpi}.
- */
-public class X509StreamParser
- implements StreamParser
-{
- /**
- * Generates a StreamParser object that implements the specified type. If
- * the default provider package provides an implementation of the requested
- * type, an instance of StreamParser containing that implementation is
- * returned. If the type is not available in the default package, other
- * packages are searched.
- *
- * @param type
- * The name of the requested X.509 object type.
- * @return a StreamParser object for the specified type.
- *
- * @exception NoSuchParserException
- * if the requested type is not available in the default
- * provider package or any of the other provider packages
- * that were searched.
- */
- public static X509StreamParser getInstance(String type)
- throws NoSuchParserException
- {
- try
- {
- X509Util.Implementation impl = X509Util.getImplementation("X509StreamParser", type);
-
- return createParser(impl);
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new NoSuchParserException(e.getMessage());
- }
- }
-
- /**
- * Generates a X509StreamParser object for the specified type from the
- * specified provider.
- *
- * @param type
- * the name of the requested X.509 object type.
- * @param provider
- * the name of the provider.
- *
- * @return a X509StreamParser object for the specified type.
- *
- * @exception NoSuchParserException
- * if the type is not available from the specified provider.
- *
- * @exception NoSuchProviderException
- * if the provider can not be found.
- *
- * @see Provider
- */
- public static X509StreamParser getInstance(String type, String provider)
- throws NoSuchParserException, NoSuchProviderException
- {
- return getInstance(type, X509Util.getProvider(provider));
- }
-
- /**
- * Generates a X509StreamParser object for the specified type from the
- * specified provider.
- *
- * @param type
- * the name of the requested X.509 object type.
- * @param provider
- * the Provider to use.
- *
- * @return a X509StreamParser object for the specified type.
- *
- * @exception NoSuchParserException
- * if the type is not available from the specified provider.
- *
- * @see Provider
- */
- public static X509StreamParser getInstance(String type, Provider provider)
- throws NoSuchParserException
- {
- try
- {
- X509Util.Implementation impl = X509Util.getImplementation("X509StreamParser", type, provider);
-
- return createParser(impl);
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new NoSuchParserException(e.getMessage());
- }
- }
-
- private static X509StreamParser createParser(X509Util.Implementation impl)
- {
- X509StreamParserSpi spi = (X509StreamParserSpi)impl.getEngine();
-
- return new X509StreamParser(impl.getProvider(), spi);
- }
-
- private Provider _provider;
- private X509StreamParserSpi _spi;
-
- private X509StreamParser(
- Provider provider,
- X509StreamParserSpi spi)
- {
- _provider = provider;
- _spi = spi;
- }
-
- public Provider getProvider()
- {
- return _provider;
- }
-
- public void init(InputStream stream)
- {
- _spi.engineInit(stream);
- }
-
- public void init(byte[] data)
- {
- _spi.engineInit(new ByteArrayInputStream(data));
- }
-
- public Object read()
- throws StreamParsingException
- {
- return _spi.engineRead();
- }
-
- public Collection readAll()
- throws StreamParsingException
- {
- return _spi.engineReadAll();
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParserSpi.java b/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParserSpi.java
deleted file mode 100644
index 6929eb1..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509StreamParserSpi.java
+++ /dev/null
@@ -1,45 +0,0 @@
-package org.bouncycastle.x509;
-
-import org.bouncycastle.x509.util.StreamParsingException;
-
-import java.io.InputStream;
-import java.util.Collection;
-
-/**
- * This abstract class defines the service provider interface (SPI) for
- * X509StreamParser.
- *
- * @see org.bouncycastle.x509.X509StreamParser
- *
- */
-public abstract class X509StreamParserSpi
-{
- /**
- * Initializes this stream parser with the input stream.
- *
- * @param in The input stream.
- */
- public abstract void engineInit(InputStream in);
-
- /**
- * Returns the next X.509 object of the type of this SPI from the given
- * input stream.
- *
- * @return the next X.509 object in the stream or <code>null</code> if the
- * end of the stream is reached.
- * @exception StreamParsingException
- * if the object cannot be created from input stream.
- */
- public abstract Object engineRead() throws StreamParsingException;
-
- /**
- * Returns all X.509 objects of the type of this SPI from
- * the given input stream.
- *
- * @return A collection of all X.509 objects in the input stream or
- * <code>null</code> if the end of the stream is reached.
- * @exception StreamParsingException
- * if an object cannot be created from input stream.
- */
- public abstract Collection engineReadAll() throws StreamParsingException;
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509Util.java b/bcprov/src/main/java/org/bouncycastle/x509/X509Util.java
index d002111..ecf910f 100644
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509Util.java
+++ b/bcprov/src/main/java/org/bouncycastle/x509/X509Util.java
@@ -25,12 +25,16 @@ import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERNull;
-import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers;
+// BEGIN android-removed
+// import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers;
+// END android-removed
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
-import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers;
+// BEGIN android-removed
+// import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers;
+// END android-removed
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.jce.X509Principal;
@@ -44,8 +48,10 @@ class X509Util
static
{
- algorithms.put("MD2WITHRSAENCRYPTION", PKCSObjectIdentifiers.md2WithRSAEncryption);
- algorithms.put("MD2WITHRSA", PKCSObjectIdentifiers.md2WithRSAEncryption);
+ // BEGIN android-removed
+ // algorithms.put("MD2WITHRSAENCRYPTION", PKCSObjectIdentifiers.md2WithRSAEncryption);
+ // algorithms.put("MD2WITHRSA", PKCSObjectIdentifiers.md2WithRSAEncryption);
+ // END android-removed
algorithms.put("MD5WITHRSAENCRYPTION", PKCSObjectIdentifiers.md5WithRSAEncryption);
algorithms.put("MD5WITHRSA", PKCSObjectIdentifiers.md5WithRSAEncryption);
algorithms.put("SHA1WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha1WithRSAEncryption);
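Review bot: The `MD5WITHRSAENCRYPTION` and `MD5WITHRSA` entries directly after the android-removed block stay in the `algorithms` name table while the MD2 entries are commented out, and nothing in the hunk says why one weak digest is dropped and the other kept. Since this table maps user-supplied algorithm names to signature OIDs used by the generators in this package, a reader will presumably assume the removal is about weak digests, in which case MD5 belongs in the same category; if the criterion is instead what the Android provider implements, that should be stated. A one-line comment on the block would settle it, e.g. `// MD2 entries removed for Android; MD5 entries intentionally kept because <reason — fill in>`. The same android-removed pattern recurs in the RIPEMD and GOST hunks of this file, where the accompanying removed import makes the reason self-evident, so only this hunk needs the comment. The static initializer continues outside the hunk.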
@@ -63,12 +69,14 @@ class X509Util
algorithms.put("SHA256WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA384WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA512WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
- algorithms.put("RIPEMD160WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
- algorithms.put("RIPEMD160WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
- algorithms.put("RIPEMD128WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
- algorithms.put("RIPEMD128WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
- algorithms.put("RIPEMD256WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
- algorithms.put("RIPEMD256WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
+ // BEGIN android-removed
+ // algorithms.put("RIPEMD160WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
+ // algorithms.put("RIPEMD160WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
+ // algorithms.put("RIPEMD128WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
+ // algorithms.put("RIPEMD128WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
+ // algorithms.put("RIPEMD256WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
+ // algorithms.put("RIPEMD256WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
+ // END android-removed
algorithms.put("SHA1WITHDSA", X9ObjectIdentifiers.id_dsa_with_sha1);
algorithms.put("DSAWITHSHA1", X9ObjectIdentifiers.id_dsa_with_sha1);
algorithms.put("SHA224WITHDSA", NISTObjectIdentifiers.dsa_with_sha224);
@@ -81,11 +89,13 @@ class X509Util
algorithms.put("SHA256WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256);
algorithms.put("SHA384WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384);
algorithms.put("SHA512WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512);
- algorithms.put("GOST3411WITHGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
- algorithms.put("GOST3411WITHGOST3410-94", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
- algorithms.put("GOST3411WITHECGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
- algorithms.put("GOST3411WITHECGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
- algorithms.put("GOST3411WITHGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // BEGIN android-removed
+ // algorithms.put("GOST3411WITHGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
+ // algorithms.put("GOST3411WITHGOST3410-94", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
+ // algorithms.put("GOST3411WITHECGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // algorithms.put("GOST3411WITHECGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // algorithms.put("GOST3411WITHGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // END android-removed
//
// According to RFC 3279, the ASN.1 encoding SHALL (id-dsa-with-sha1) or MUST (ecdsa-with-SHA*) omit the parameters field.
@@ -105,8 +115,10 @@ class X509Util
//
// RFC 4491
//
- noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
- noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // BEGIN android-removed
+ // noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
+ // noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
+ // END android-removed
//
// explicit params
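Review bot: Removing the two GOST OIDs from `noParams` is only safe if `getAlgorithmOID` can no longer return them by another route; the `X509V2CRLGenerator.setSignatureAlgorithm` Javadoc deleted in this same commit says the argument "can be either a name or an OID", so if the remaining OID-string path still accepts the dotted GOST OIDs, `getSigAlgID` would now attach a NULL parameter field to the signature AlgorithmIdentifier, contrary to the RFC 4491 requirement the surrounding comment cites. Worth confirming that the OID path rejects these OIDs as well, or leaving the two `noParams.add(CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);` / `..._2001);` lines in place, since they only control encoding and need no provider support. The static initialiser continues outside the hunk.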
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509V2CRLGenerator.java b/bcprov/src/main/java/org/bouncycastle/x509/X509V2CRLGenerator.java
deleted file mode 100644
index 8773d0e..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509V2CRLGenerator.java
+++ /dev/null
@@ -1,450 +0,0 @@
-package org.bouncycastle.x509;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.SecureRandom;
-import java.security.SignatureException;
-import java.security.cert.CRLException;
-import java.security.cert.X509CRL;
-import java.security.cert.X509CRLEntry;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.Set;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1EncodableVector;
-import org.bouncycastle.asn1.ASN1GeneralizedTime;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.ASN1Integer;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DERSequence;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.CertificateList;
-import org.bouncycastle.asn1.x509.Extensions;
-import org.bouncycastle.asn1.x509.TBSCertList;
-import org.bouncycastle.asn1.x509.Time;
-import org.bouncycastle.asn1.x509.V2TBSCertListGenerator;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.asn1.x509.X509ExtensionsGenerator;
-import org.bouncycastle.asn1.x509.X509Name;
-import org.bouncycastle.jce.X509Principal;
-import org.bouncycastle.jce.provider.X509CRLObject;
-
-/**
- * class to produce an X.509 Version 2 CRL.
- * @deprecated use org.bouncycastle.cert.X509v2CRLBuilder.
- */
-public class X509V2CRLGenerator
-{
- private V2TBSCertListGenerator tbsGen;
- private ASN1ObjectIdentifier sigOID;
- private AlgorithmIdentifier sigAlgId;
- private String signatureAlgorithm;
- private X509ExtensionsGenerator extGenerator;
-
- public X509V2CRLGenerator()
- {
- tbsGen = new V2TBSCertListGenerator();
- extGenerator = new X509ExtensionsGenerator();
- }
-
- /**
- * reset the generator
- */
- public void reset()
- {
- tbsGen = new V2TBSCertListGenerator();
- extGenerator.reset();
- }
-
- /**
- * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
- * certificate.
- */
- public void setIssuerDN(
- X500Principal issuer)
- {
- try
- {
- tbsGen.setIssuer(new X509Principal(issuer.getEncoded()));
- }
- catch (IOException e)
- {
- throw new IllegalArgumentException("can't process principal: " + e);
- }
- }
-
- /**
- * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
- * certificate.
- */
- public void setIssuerDN(
- X509Name issuer)
- {
- tbsGen.setIssuer(issuer);
- }
-
- public void setThisUpdate(
- Date date)
- {
- tbsGen.setThisUpdate(new Time(date));
- }
-
- public void setNextUpdate(
- Date date)
- {
- tbsGen.setNextUpdate(new Time(date));
- }
-
- /**
- * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise
- * or 0 if CRLReason is not to be used
- **/
- public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason)
- {
- tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason);
- }
-
- /**
- * Add a CRL entry with an Invalidity Date extension as well as a CRLReason extension.
- * Reason being as indicated by CRLReason, i.e. CRLReason.keyCompromise
- * or 0 if CRLReason is not to be used
- **/
- public void addCRLEntry(BigInteger userCertificate, Date revocationDate, int reason, Date invalidityDate)
- {
- tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), reason, new ASN1GeneralizedTime(invalidityDate));
- }
-
- /**
- * Add a CRL entry with extensions.
- **/
- public void addCRLEntry(BigInteger userCertificate, Date revocationDate, X509Extensions extensions)
- {
- tbsGen.addCRLEntry(new ASN1Integer(userCertificate), new Time(revocationDate), Extensions.getInstance(extensions));
- }
-
- /**
- * Add the CRLEntry objects contained in a previous CRL.
- *
- * @param other the X509CRL to source the other entries from.
- */
- public void addCRL(X509CRL other)
- throws CRLException
- {
- Set revocations = other.getRevokedCertificates();
-
- if (revocations != null)
- {
- Iterator it = revocations.iterator();
- while (it.hasNext())
- {
- X509CRLEntry entry = (X509CRLEntry)it.next();
-
- ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded());
-
- try
- {
- tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject()));
- }
- catch (IOException e)
- {
- throw new CRLException("exception processing encoding of CRL: " + e.toString());
- }
- }
- }
- }
-
- /**
- * Set the signature algorithm. This can be either a name or an OID, names
- * are treated as case insensitive.
- *
- * @param signatureAlgorithm string representation of the algorithm name.
- */
- public void setSignatureAlgorithm(
- String signatureAlgorithm)
- {
- this.signatureAlgorithm = signatureAlgorithm;
-
- try
- {
- sigOID = X509Util.getAlgorithmOID(signatureAlgorithm);
- }
- catch (Exception e)
- {
- throw new IllegalArgumentException("Unknown signature type requested");
- }
-
- sigAlgId = X509Util.getSigAlgID(sigOID, signatureAlgorithm);
-
- tbsGen.setSignature(sigAlgId);
- }
-
- /**
- * add a given extension field for the standard extensions tag (tag 0)
- */
- public void addExtension(
- String oid,
- boolean critical,
- ASN1Encodable value)
- {
- this.addExtension(new ASN1ObjectIdentifier(oid), critical, value);
- }
-
- /**
- * add a given extension field for the standard extensions tag (tag 0)
- */
- public void addExtension(
- ASN1ObjectIdentifier oid,
- boolean critical,
- ASN1Encodable value)
- {
- extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value);
- }
-
- /**
- * add a given extension field for the standard extensions tag (tag 0)
- */
- public void addExtension(
- String oid,
- boolean critical,
- byte[] value)
- {
- this.addExtension(new ASN1ObjectIdentifier(oid), critical, value);
- }
-
- /**
- * add a given extension field for the standard extensions tag (tag 0)
- */
- public void addExtension(
- ASN1ObjectIdentifier oid,
- boolean critical,
- byte[] value)
- {
- extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value);
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject
- * using the default provider "BC".
- * @deprecated use generate(key, "BC")
- */
- public X509CRL generateX509CRL(
- PrivateKey key)
- throws SecurityException, SignatureException, InvalidKeyException
- {
- try
- {
- return generateX509CRL(key, "BC", null);
- }
- catch (NoSuchProviderException e)
- {
- throw new SecurityException("BC provider not installed!");
- }
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject
- * using the default provider "BC" and an user defined SecureRandom object as
- * source of randomness.
- * @deprecated use generate(key, random, "BC")
- */
- public X509CRL generateX509CRL(
- PrivateKey key,
- SecureRandom random)
- throws SecurityException, SignatureException, InvalidKeyException
- {
- try
- {
- return generateX509CRL(key, "BC", random);
- }
- catch (NoSuchProviderException e)
- {
- throw new SecurityException("BC provider not installed!");
- }
- }
-
- /**
- * generate an X509 certificate, based on the current issuer and subject
- * using the passed in provider for the signing.
- * @deprecated use generate()
- */
- public X509CRL generateX509CRL(
- PrivateKey key,
- String provider)
- throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
- {
- return generateX509CRL(key, provider, null);
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject,
- * using the passed in provider for the signing.
- * @deprecated use generate()
- */
- public X509CRL generateX509CRL(
- PrivateKey key,
- String provider,
- SecureRandom random)
- throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
- {
- try
- {
- return generate(key, provider, random);
- }
- catch (NoSuchProviderException e)
- {
- throw e;
- }
- catch (SignatureException e)
- {
- throw e;
- }
- catch (InvalidKeyException e)
- {
- throw e;
- }
- catch (GeneralSecurityException e)
- {
- throw new SecurityException("exception: " + e);
- }
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject
- * using the default provider.
- * <p>
- * <b>Note:</b> this differs from the deprecated method in that the default provider is
- * used - not "BC".
- * </p>
- */
- public X509CRL generate(
- PrivateKey key)
- throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
- {
- return generate(key, (SecureRandom)null);
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject
- * using the default provider and an user defined SecureRandom object as
- * source of randomness.
- * <p>
- * <b>Note:</b> this differs from the deprecated method in that the default provider is
- * used - not "BC".
- * </p>
- */
- public X509CRL generate(
- PrivateKey key,
- SecureRandom random)
- throws CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
- {
- TBSCertList tbsCrl = generateCertList();
- byte[] signature;
-
- try
- {
- signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCrl);
- }
- catch (IOException e)
- {
- throw new ExtCRLException("cannot generate CRL encoding", e);
- }
-
- return generateJcaObject(tbsCrl, signature);
- }
-
- /**
- * generate an X509 certificate, based on the current issuer and subject
- * using the passed in provider for the signing.
- */
- public X509CRL generate(
- PrivateKey key,
- String provider)
- throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
- {
- return generate(key, provider, null);
- }
-
- /**
- * generate an X509 CRL, based on the current issuer and subject,
- * using the passed in provider for the signing.
- */
- public X509CRL generate(
- PrivateKey key,
- String provider,
- SecureRandom random)
- throws CRLException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
- {
- TBSCertList tbsCrl = generateCertList();
- byte[] signature;
-
- try
- {
- signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCrl);
- }
- catch (IOException e)
- {
- throw new ExtCRLException("cannot generate CRL encoding", e);
- }
-
- return generateJcaObject(tbsCrl, signature);
- }
-
- private TBSCertList generateCertList()
- {
- if (!extGenerator.isEmpty())
- {
- tbsGen.setExtensions(extGenerator.generate());
- }
-
- return tbsGen.generateTBSCertList();
- }
-
- private X509CRL generateJcaObject(TBSCertList tbsCrl, byte[] signature)
- throws CRLException
- {
- ASN1EncodableVector v = new ASN1EncodableVector();
-
- v.add(tbsCrl);
- v.add(sigAlgId);
- v.add(new DERBitString(signature));
-
- return new X509CRLObject(new CertificateList(new DERSequence(v)));
- }
-
- /**
- * Return an iterator of the signature names supported by the generator.
- *
- * @return an iterator containing recognised names.
- */
- public Iterator getSignatureAlgNames()
- {
- return X509Util.getAlgNames();
- }
-
- private static class ExtCRLException
- extends CRLException
- {
- Throwable cause;
-
- ExtCRLException(String message, Throwable cause)
- {
- super(message);
- this.cause = cause;
- }
-
- public Throwable getCause()
- {
- return cause;
- }
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/examples/package.html b/bcprov/src/main/java/org/bouncycastle/x509/examples/package.html
deleted file mode 100644
index 6262157..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/examples/package.html
+++ /dev/null
@@ -1,7 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-<p>
-Examples for X.509 attribute certificates.
-<p>
-</body>
-</html>
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/extension/package.html b/bcprov/src/main/java/org/bouncycastle/x509/extension/package.html
deleted file mode 100644
index abc2da5..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/extension/package.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-Helper classes for dealing with common X.509 extensions.
-</body>
-</html>
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/package.html b/bcprov/src/main/java/org/bouncycastle/x509/package.html
deleted file mode 100644
index b6b5298..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/package.html
+++ /dev/null
@@ -1,7 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-<p>
-Classes for supporting the generation of X.509 certificates and X.509 attribute certificates.
-<p>
-</body>
-</html>
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/util/LDAPStoreHelper.java b/bcprov/src/main/java/org/bouncycastle/x509/util/LDAPStoreHelper.java
deleted file mode 100644
index 128c1c8..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/util/LDAPStoreHelper.java
+++ /dev/null
@@ -1,1117 +0,0 @@
-package org.bouncycastle.x509.util;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.security.Principal;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509CRL;
-import java.security.cert.X509Certificate;
-import java.sql.Date;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-
-import javax.naming.Context;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.InitialDirContext;
-import javax.naming.directory.SearchControls;
-import javax.naming.directory.SearchResult;
-import javax.security.auth.x500.X500Principal;
-
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.x509.Certificate;
-import org.bouncycastle.asn1.x509.CertificatePair;
-import org.bouncycastle.jce.X509LDAPCertStoreParameters;
-import org.bouncycastle.jce.provider.X509AttrCertParser;
-import org.bouncycastle.jce.provider.X509CRLParser;
-import org.bouncycastle.jce.provider.X509CertPairParser;
-import org.bouncycastle.jce.provider.X509CertParser;
-import org.bouncycastle.util.StoreException;
-import org.bouncycastle.x509.X509AttributeCertStoreSelector;
-import org.bouncycastle.x509.X509AttributeCertificate;
-import org.bouncycastle.x509.X509CRLStoreSelector;
-import org.bouncycastle.x509.X509CertPairStoreSelector;
-import org.bouncycastle.x509.X509CertStoreSelector;
-import org.bouncycastle.x509.X509CertificatePair;
-
-/**
- * This is a general purpose implementation to get X.509 certificates, CRLs,
- * attribute certificates and cross certificates from a LDAP location.
- * <p>
- * At first a search is performed in the ldap*AttributeNames of the
- * {@link org.bouncycastle.jce.X509LDAPCertStoreParameters} with the given
- * information of the subject (for all kind of certificates) or issuer (for
- * CRLs), respectively, if a {@link org.bouncycastle.x509.X509CertStoreSelector} or
- * {@link org.bouncycastle.x509.X509AttributeCertificate} is given with that
- * details.
- * </p><p>
- * For the used schemes see:
- * <ul>
- * <li><a href="http://www.ietf.org/rfc/rfc2587.txt">RFC 2587</a>
- * <li><a
- * href="http://www3.ietf.org/proceedings/01mar/I-D/pkix-ldap-schema-01.txt">Internet
- * X.509 Public Key Infrastructure Additional LDAP Schema for PKIs and PMIs</a>
- * </ul>
- * </p>
- */
-public class LDAPStoreHelper
-{
-
- // TODO: cache results
-
- private X509LDAPCertStoreParameters params;
-
- public LDAPStoreHelper(X509LDAPCertStoreParameters params)
- {
- this.params = params;
- }
-
- /**
- * Initial Context Factory.
- */
- private static String LDAP_PROVIDER = "com.sun.jndi.ldap.LdapCtxFactory";
-
- /**
- * Processing referrals..
- */
- private static String REFERRALS_IGNORE = "ignore";
-
- /**
- * Security level to be used for LDAP connections.
- */
- private static final String SEARCH_SECURITY_LEVEL = "none";
-
- /**
- * Package Prefix for loading URL context factories.
- */
- private static final String URL_CONTEXT_PREFIX = "com.sun.jndi.url";
-
- private DirContext connectLDAP() throws NamingException
- {
- Properties props = new Properties();
- props.setProperty(Context.INITIAL_CONTEXT_FACTORY, LDAP_PROVIDER);
- props.setProperty(Context.BATCHSIZE, "0");
-
- props.setProperty(Context.PROVIDER_URL, params.getLdapURL());
- props.setProperty(Context.URL_PKG_PREFIXES, URL_CONTEXT_PREFIX);
- props.setProperty(Context.REFERRAL, REFERRALS_IGNORE);
- props.setProperty(Context.SECURITY_AUTHENTICATION,
- SEARCH_SECURITY_LEVEL);
-
- DirContext ctx = new InitialDirContext(props);
- return ctx;
- }
-
- private String parseDN(String subject, String dNAttributeName)
- {
- String temp = subject;
- int begin = temp.toLowerCase().indexOf(
- dNAttributeName.toLowerCase() + "=");
- if (begin == -1)
- {
- return "";
- }
- temp = temp.substring(begin + dNAttributeName.length());
- int end = temp.indexOf(',');
- if (end == -1)
- {
- end = temp.length();
- }
- while (temp.charAt(end - 1) == '\\')
- {
- end = temp.indexOf(',', end + 1);
- if (end == -1)
- {
- end = temp.length();
- }
- }
- temp = temp.substring(0, end);
- begin = temp.indexOf('=');
- temp = temp.substring(begin + 1);
- if (temp.charAt(0) == ' ')
- {
- temp = temp.substring(1);
- }
- if (temp.startsWith("\""))
- {
- temp = temp.substring(1);
- }
- if (temp.endsWith("\""))
- {
- temp = temp.substring(0, temp.length() - 1);
- }
- return temp;
- }
-
- private Set createCerts(List list, X509CertStoreSelector xselector)
- throws StoreException
- {
- Set certSet = new HashSet();
-
- Iterator it = list.iterator();
- X509CertParser parser = new X509CertParser();
- while (it.hasNext())
- {
- try
- {
- parser.engineInit(new ByteArrayInputStream((byte[])it
- .next()));
- X509Certificate cert = (X509Certificate)parser
- .engineRead();
- if (xselector.match((Object)cert))
- {
- certSet.add(cert);
- }
-
- }
- catch (Exception e)
- {
-
- }
- }
-
- return certSet;
- }
-
- /**
- * Can use the subject and serial and the subject and serialNumber of the
- * certificate of the given of the X509CertStoreSelector. If a certificate
- * for checking is given this has higher precedence.
- *
- * @param xselector The selector with the search criteria.
- * @param attrs Attributes which contain the certificates in the LDAP
- * directory.
- * @param attrNames Attribute names in teh LDAP directory which correspond to the
- * subjectAttributeNames.
- * @param subjectAttributeNames Subject attribute names (like "CN", "O", "OU") to use to
- * search in the LDAP directory
- * @return A list of found DER encoded certificates.
- * @throws StoreException if an error occurs while searching.
- */
- private List certSubjectSerialSearch(X509CertStoreSelector xselector,
- String[] attrs, String attrNames[], String subjectAttributeNames[])
- throws StoreException
- {
- // TODO: support also subjectAltNames?
- List list = new ArrayList();
-
- String subject = null;
- String serial = null;
-
- subject = getSubjectAsString(xselector);
-
- if (xselector.getSerialNumber() != null)
- {
- serial = xselector.getSerialNumber().toString();
- }
- if (xselector.getCertificate() != null)
- {
- subject = xselector.getCertificate().getSubjectX500Principal().getName("RFC1779");
- serial = xselector.getCertificate().getSerialNumber().toString();
- }
-
- String attrValue = null;
- if (subject != null)
- {
- for (int i = 0; i < subjectAttributeNames.length; i++)
- {
- attrValue = parseDN(subject, subjectAttributeNames[i]);
- list
- .addAll(search(attrNames, "*" + attrValue + "*",
- attrs));
- }
- }
- if (serial != null && params.getSearchForSerialNumberIn() != null)
- {
- attrValue = serial;
- list.addAll(search(
- splitString(params.getSearchForSerialNumberIn()),
- attrValue, attrs));
- }
- if (serial == null && subject == null)
- {
- list.addAll(search(attrNames, "*", attrs));
- }
-
- return list;
- }
-
-
-
- /**
- * Can use the subject of the forward certificate of the set certificate
- * pair or the subject of the forward
- * {@link org.bouncycastle.x509.X509CertStoreSelector} of the given
- * selector.
- *
- * @param xselector The selector with the search criteria.
- * @param attrs Attributes which contain the attribute certificates in the
- * LDAP directory.
- * @param attrNames Attribute names in the LDAP directory which correspond to the
- * subjectAttributeNames.
- * @param subjectAttributeNames Subject attribute names (like "CN", "O", "OU") to use to
- * search in the LDAP directory
- * @return A list of found DER encoded certificate pairs.
- * @throws StoreException if an error occurs while searching.
- */
- private List crossCertificatePairSubjectSearch(
- X509CertPairStoreSelector xselector, String[] attrs,
- String attrNames[], String subjectAttributeNames[])
- throws StoreException
- {
- List list = new ArrayList();
-
- // search for subject
- String subject = null;
-
- if (xselector.getForwardSelector() != null)
- {
- subject = getSubjectAsString(xselector.getForwardSelector());
- }
- if (xselector.getCertPair() != null)
- {
- if (xselector.getCertPair().getForward() != null)
- {
- subject = xselector.getCertPair().getForward()
- .getSubjectX500Principal().getName("RFC1779");
- }
- }
- String attrValue = null;
- if (subject != null)
- {
- for (int i = 0; i < subjectAttributeNames.length; i++)
- {
- attrValue = parseDN(subject, subjectAttributeNames[i]);
- list
- .addAll(search(attrNames, "*" + attrValue + "*",
- attrs));
- }
- }
- if (subject == null)
- {
- list.addAll(search(attrNames, "*", attrs));
- }
-
- return list;
- }
-
- /**
- * Can use the entityName of the holder of the attribute certificate, the
- * serialNumber of attribute certificate and the serialNumber of the
- * associated certificate of the given of the X509AttributeCertSelector.
- *
- * @param xselector The selector with the search criteria.
- * @param attrs Attributes which contain the attribute certificates in the
- * LDAP directory.
- * @param attrNames Attribute names in the LDAP directory which correspond to the
- * subjectAttributeNames.
- * @param subjectAttributeNames Subject attribute names (like "CN", "O", "OU") to use to
- * search in the LDAP directory
- * @return A list of found DER encoded attribute certificates.
- * @throws StoreException if an error occurs while searching.
- */
- private List attrCertSubjectSerialSearch(
- X509AttributeCertStoreSelector xselector, String[] attrs,
- String attrNames[], String subjectAttributeNames[])
- throws StoreException
- {
- List list = new ArrayList();
-
- // search for serialNumber of associated cert,
- // serialNumber of the attribute certificate or DN in the entityName
- // of the holder
-
- String subject = null;
- String serial = null;
-
- Collection serials = new HashSet();
- Principal principals[] = null;
- if (xselector.getHolder() != null)
- {
- // serialNumber of associated cert
- if (xselector.getHolder().getSerialNumber() != null)
- {
- serials.add(xselector.getHolder().getSerialNumber()
- .toString());
- }
- // DN in the entityName of the holder
- if (xselector.getHolder().getEntityNames() != null)
- {
- principals = xselector.getHolder().getEntityNames();
- }
- }
-
- if (xselector.getAttributeCert() != null)
- {
- if (xselector.getAttributeCert().getHolder().getEntityNames() != null)
- {
- principals = xselector.getAttributeCert().getHolder()
- .getEntityNames();
- }
- // serialNumber of the attribute certificate
- serials.add(xselector.getAttributeCert().getSerialNumber()
- .toString());
- }
- if (principals != null)
- {
- // only first should be relevant
- if (principals[0] instanceof X500Principal)
- {
- subject = ((X500Principal)principals[0])
- .getName("RFC1779");
- }
- else
- {
- // strange ...
- subject = principals[0].getName();
- }
- }
- if (xselector.getSerialNumber() != null)
- {
- serials.add(xselector.getSerialNumber().toString());
- }
-
- String attrValue = null;
- if (subject != null)
- {
- for (int i = 0; i < subjectAttributeNames.length; i++)
- {
- attrValue = parseDN(subject, subjectAttributeNames[i]);
- list
- .addAll(search(attrNames, "*" + attrValue + "*",
- attrs));
- }
- }
- if (serials.size() > 0
- && params.getSearchForSerialNumberIn() != null)
- {
- Iterator it = serials.iterator();
- while (it.hasNext())
- {
- serial = (String)it.next();
- list.addAll(search(splitString(params.getSearchForSerialNumberIn()), serial, attrs));
- }
- }
- if (serials.size() == 0 && subject == null)
- {
- list.addAll(search(attrNames, "*", attrs));
- }
-
- return list;
- }
-
- /**
- * Can use the issuer of the given of the X509CRLStoreSelector.
- *
- * @param xselector The selector with the search criteria.
- * @param attrs Attributes which contain the attribute certificates in the
- * LDAP directory.
- * @param attrNames Attribute names in the LDAP directory which correspond to the
- * subjectAttributeNames.
- * @param issuerAttributeNames Issuer attribute names (like "CN", "O", "OU") to use to search
- * in the LDAP directory
- * @return A list of found DER encoded CRLs.
- * @throws StoreException if an error occurs while searching.
- */
- private List cRLIssuerSearch(X509CRLStoreSelector xselector,
- String[] attrs, String attrNames[], String issuerAttributeNames[])
- throws StoreException
- {
- List list = new ArrayList();
-
- String issuer = null;
- Collection issuers = new HashSet();
- if (xselector.getIssuers() != null)
- {
- issuers.addAll(xselector.getIssuers());
- }
- if (xselector.getCertificateChecking() != null)
- {
- issuers.add(getCertificateIssuer(xselector.getCertificateChecking()));
- }
- if (xselector.getAttrCertificateChecking() != null)
- {
- Principal principals[] = xselector.getAttrCertificateChecking().getIssuer().getPrincipals();
- for (int i=0; i<principals.length; i++)
- {
- if (principals[i] instanceof X500Principal)
- {
- issuers.add(principals[i]);
- }
- }
- }
- Iterator it = issuers.iterator();
- while (it.hasNext())
- {
- issuer = ((X500Principal)it.next()).getName("RFC1779");
- String attrValue = null;
-
- for (int i = 0; i < issuerAttributeNames.length; i++)
- {
- attrValue = parseDN(issuer, issuerAttributeNames[i]);
- list
- .addAll(search(attrNames, "*" + attrValue + "*",
- attrs));
- }
- }
- if (issuer == null)
- {
- list.addAll(search(attrNames, "*", attrs));
- }
-
- return list;
- }
-
- /**
- * Returns a <code>List</code> of encodings of the certificates, attribute
- * certificates, CRL or certificate pairs.
- *
- * @param attributeNames The attribute names to look for in the LDAP.
- * @param attributeValue The value the attribute name must have.
- * @param attrs The attributes in the LDAP which hold the certificate,
- * attribute certificate, certificate pair or CRL in a found
- * entry.
- * @return A <code>List</code> of byte arrays with the encodings.
- * @throws StoreException if an error occurs getting the results from the LDAP
- * directory.
- */
- private List search(String attributeNames[], String attributeValue,
- String[] attrs) throws StoreException
- {
- String filter = null;
- if (attributeNames == null)
- {
- filter = null;
- }
- else
- {
- filter = "";
- if (attributeValue.equals("**"))
- {
- attributeValue = "*";
- }
- for (int i = 0; i < attributeNames.length; i++)
- {
- filter += "(" + attributeNames[i] + "=" + attributeValue + ")";
- }
- filter = "(|" + filter + ")";
- }
- String filter2 = "";
- for (int i = 0; i < attrs.length; i++)
- {
- filter2 += "(" + attrs[i] + "=*)";
- }
- filter2 = "(|" + filter2 + ")";
-
- String filter3 = "(&" + filter + "" + filter2 + ")";
- if (filter == null)
- {
- filter3 = filter2;
- }
- List list;
- list = getFromCache(filter3);
- if (list != null)
- {
- return list;
- }
- DirContext ctx = null;
- list = new ArrayList();
- try
- {
-
- ctx = connectLDAP();
-
- SearchControls constraints = new SearchControls();
- constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
- constraints.setCountLimit(0);
- constraints.setReturningAttributes(attrs);
- NamingEnumeration results = ctx.search(params.getBaseDN(), filter3,
- constraints);
- while (results.hasMoreElements())
- {
- SearchResult sr = (SearchResult)results.next();
- NamingEnumeration enumeration = ((Attribute)(sr
- .getAttributes().getAll().next())).getAll();
- while (enumeration.hasMore())
- {
- list.add(enumeration.next());
- }
- }
- addToCache(filter3, list);
- }
- catch (NamingException e)
- {
- // skip exception, unfortunately if an attribute type is not
- // supported an exception is thrown
-
- }
- finally
- {
- try
- {
- if (null != ctx)
- {
- ctx.close();
- }
- }
- catch (Exception e)
- {
- }
- }
- return list;
- }
-
- private Set createCRLs(List list, X509CRLStoreSelector xselector)
- throws StoreException
- {
- Set crlSet = new HashSet();
-
- X509CRLParser parser = new X509CRLParser();
- Iterator it = list.iterator();
- while (it.hasNext())
- {
- try
- {
- parser.engineInit(new ByteArrayInputStream((byte[])it
- .next()));
- X509CRL crl = (X509CRL)parser.engineRead();
- if (xselector.match((Object)crl))
- {
- crlSet.add(crl);
- }
- }
- catch (StreamParsingException e)
- {
-
- }
- }
-
- return crlSet;
- }
-
- private Set createCrossCertificatePairs(List list,
- X509CertPairStoreSelector xselector) throws StoreException
- {
- Set certPairSet = new HashSet();
-
- int i = 0;
- while (i < list.size())
- {
- X509CertificatePair pair;
- try
- {
- // first try to decode it as certificate pair
- try
- {
- X509CertPairParser parser = new X509CertPairParser();
- parser.engineInit(new ByteArrayInputStream(
- (byte[])list.get(i)));
- pair = (X509CertificatePair)parser.engineRead();
- }
- catch (StreamParsingException e)
- {
- // now try it to construct it the forward and reverse
- // certificate
- byte[] forward = (byte[])list.get(i);
- byte[] reverse = (byte[])list.get(i + 1);
- pair = new X509CertificatePair(new CertificatePair(
- Certificate
- .getInstance(new ASN1InputStream(
- forward).readObject()),
- Certificate
- .getInstance(new ASN1InputStream(
- reverse).readObject())));
- i++;
- }
- if (xselector.match((Object)pair))
- {
- certPairSet.add(pair);
- }
- }
- catch (CertificateParsingException e)
- {
- // try next
- }
- catch (IOException e)
- {
- // try next
- }
- i++;
- }
-
- return certPairSet;
- }
-
- private Set createAttributeCertificates(List list,
- X509AttributeCertStoreSelector xselector) throws StoreException
- {
- Set certSet = new HashSet();
-
- Iterator it = list.iterator();
- X509AttrCertParser parser = new X509AttrCertParser();
- while (it.hasNext())
- {
- try
- {
- parser.engineInit(new ByteArrayInputStream((byte[])it
- .next()));
- X509AttributeCertificate cert = (X509AttributeCertificate)parser
- .engineRead();
- if (xselector.match((Object)cert))
- {
- certSet.add(cert);
- }
- }
- catch (StreamParsingException e)
- {
-
- }
- }
-
- return certSet;
- }
-
- /**
- * Returns the CRLs for issued certificates for other CAs matching the given
- * selector. <br>
- * The authorityRevocationList attribute includes revocation information
- * regarding certificates issued to other CAs.
- *
- * @param selector The CRL selector to use to find the CRLs.
- * @return A possible empty collection with CRLs
- * @throws StoreException
- */
- public Collection getAuthorityRevocationLists(X509CRLStoreSelector selector)
- throws StoreException
- {
- String[] attrs = splitString(params.getAuthorityRevocationListAttribute());
- String attrNames[] = splitString(params
- .getLdapAuthorityRevocationListAttributeName());
- String issuerAttributeNames[] = splitString(params
- .getAuthorityRevocationListIssuerAttributeName());
-
- List list = cRLIssuerSearch(selector, attrs, attrNames,
- issuerAttributeNames);
- Set resultSet = createCRLs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CRLStoreSelector emptySelector = new X509CRLStoreSelector();
- list = cRLIssuerSearch(emptySelector, attrs, attrNames,
- issuerAttributeNames);
-
- resultSet.addAll(createCRLs(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns the revocation list for revoked attribute certificates.
- * <p>
- * The attributeCertificateRevocationList holds a list of attribute
- * certificates that have been revoked.
- * </p>
- * @param selector The CRL selector to use to find the CRLs.
- * @return A possible empty collection with CRLs.
- * @throws StoreException
- */
- public Collection getAttributeCertificateRevocationLists(
- X509CRLStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params
- .getAttributeCertificateRevocationListAttribute());
- String attrNames[] = splitString(params
- .getLdapAttributeCertificateRevocationListAttributeName());
- String issuerAttributeNames[] = splitString(params
- .getAttributeCertificateRevocationListIssuerAttributeName());
-
- List list = cRLIssuerSearch(selector, attrs, attrNames,
- issuerAttributeNames);
- Set resultSet = createCRLs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CRLStoreSelector emptySelector = new X509CRLStoreSelector();
- list = cRLIssuerSearch(emptySelector, attrs, attrNames,
- issuerAttributeNames);
-
- resultSet.addAll(createCRLs(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns the revocation list for revoked attribute certificates for an
- * attribute authority
- * <p>
- * The attributeAuthorityList holds a list of AA certificates that have been
- * revoked.
- * </p>
- * @param selector The CRL selector to use to find the CRLs.
- * @return A possible empty collection with CRLs
- * @throws StoreException
- */
- public Collection getAttributeAuthorityRevocationLists(
- X509CRLStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getAttributeAuthorityRevocationListAttribute());
- String attrNames[] = splitString(params
- .getLdapAttributeAuthorityRevocationListAttributeName());
- String issuerAttributeNames[] = splitString(params
- .getAttributeAuthorityRevocationListIssuerAttributeName());
-
- List list = cRLIssuerSearch(selector, attrs, attrNames,
- issuerAttributeNames);
- Set resultSet = createCRLs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CRLStoreSelector emptySelector = new X509CRLStoreSelector();
- list = cRLIssuerSearch(emptySelector, attrs, attrNames,
- issuerAttributeNames);
-
- resultSet.addAll(createCRLs(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns cross certificate pairs.
- *
- * @param selector The selector to use to find the cross certificates.
- * @return A possible empty collection with {@link X509CertificatePair}s
- * @throws StoreException
- */
- public Collection getCrossCertificatePairs(
- X509CertPairStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getCrossCertificateAttribute());
- String attrNames[] = splitString(params.getLdapCrossCertificateAttributeName());
- String subjectAttributeNames[] = splitString(params
- .getCrossCertificateSubjectAttributeName());
- List list = crossCertificatePairSubjectSearch(selector, attrs,
- attrNames, subjectAttributeNames);
- Set resultSet = createCrossCertificatePairs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CertStoreSelector emptyCertselector = new X509CertStoreSelector();
- X509CertPairStoreSelector emptySelector = new X509CertPairStoreSelector();
-
- emptySelector.setForwardSelector(emptyCertselector);
- emptySelector.setReverseSelector(emptyCertselector);
- list = crossCertificatePairSubjectSearch(emptySelector, attrs,
- attrNames, subjectAttributeNames);
- resultSet.addAll(createCrossCertificatePairs(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns end certificates.
- * <p/>
- * The attributeDescriptorCertificate is self signed by a source of
- * authority and holds a description of the privilege and its delegation
- * rules.
- *
- * @param selector The selector to find the certificates.
- * @return A possible empty collection with certificates.
- * @throws StoreException
- */
- public Collection getUserCertificates(X509CertStoreSelector selector)
- throws StoreException
- {
- String[] attrs = splitString(params.getUserCertificateAttribute());
- String attrNames[] = splitString(params.getLdapUserCertificateAttributeName());
- String subjectAttributeNames[] = splitString(params
- .getUserCertificateSubjectAttributeName());
-
- List list = certSubjectSerialSearch(selector, attrs, attrNames,
- subjectAttributeNames);
- Set resultSet = createCerts(list, selector);
- if (resultSet.size() == 0)
- {
- X509CertStoreSelector emptySelector = new X509CertStoreSelector();
- list = certSubjectSerialSearch(emptySelector, attrs, attrNames,
- subjectAttributeNames);
- resultSet.addAll(createCerts(list, selector));
- }
-
- return resultSet;
- }
-
- /**
- * Returns attribute certificates for an attribute authority
- * <p>
- * The aAcertificate holds the privileges of an attribute authority.
- * </p>
- * @param selector The selector to find the attribute certificates.
- * @return A possible empty collection with attribute certificates.
- * @throws StoreException
- */
- public Collection getAACertificates(X509AttributeCertStoreSelector selector)
- throws StoreException
- {
- String[] attrs = splitString(params.getAACertificateAttribute());
- String attrNames[] = splitString(params.getLdapAACertificateAttributeName());
- String subjectAttributeNames[] = splitString(params.getAACertificateSubjectAttributeName());
-
- List list = attrCertSubjectSerialSearch(selector, attrs, attrNames,
- subjectAttributeNames);
- Set resultSet = createAttributeCertificates(list, selector);
- if (resultSet.size() == 0)
- {
- X509AttributeCertStoreSelector emptySelector = new X509AttributeCertStoreSelector();
- list = attrCertSubjectSerialSearch(emptySelector, attrs, attrNames,
- subjectAttributeNames);
- resultSet.addAll(createAttributeCertificates(list, selector));
- }
-
- return resultSet;
- }
-
- /**
- * Returns an attribute certificate for an authority
- * <p>
- * The attributeDescriptorCertificate is self signed by a source of
- * authority and holds a description of the privilege and its delegation
- * rules.
- * </p>
- * @param selector The selector to find the attribute certificates.
- * @return A possible empty collection with attribute certificates.
- * @throws StoreException
- */
- public Collection getAttributeDescriptorCertificates(
- X509AttributeCertStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getAttributeDescriptorCertificateAttribute());
- String attrNames[] = splitString(params
- .getLdapAttributeDescriptorCertificateAttributeName());
- String subjectAttributeNames[] = splitString(params
- .getAttributeDescriptorCertificateSubjectAttributeName());
-
- List list = attrCertSubjectSerialSearch(selector, attrs, attrNames,
- subjectAttributeNames);
- Set resultSet = createAttributeCertificates(list, selector);
- if (resultSet.size() == 0)
- {
- X509AttributeCertStoreSelector emptySelector = new X509AttributeCertStoreSelector();
- list = attrCertSubjectSerialSearch(emptySelector, attrs, attrNames,
- subjectAttributeNames);
- resultSet.addAll(createAttributeCertificates(list, selector));
- }
-
- return resultSet;
- }
-
- /**
- * Returns CA certificates.
- * <p>
- * The cACertificate attribute of a CA's directory entry shall be used to
- * store self-issued certificates (if any) and certificates issued to this
- * CA by CAs in the same realm as this CA.
- * </p>
- * @param selector The selector to find the certificates.
- * @return A possible empty collection with certificates.
- * @throws StoreException
- */
- public Collection getCACertificates(X509CertStoreSelector selector)
- throws StoreException
- {
- String[] attrs = splitString(params.getCACertificateAttribute());
- String attrNames[] = splitString(params.getLdapCACertificateAttributeName());
- String subjectAttributeNames[] = splitString(params
- .getCACertificateSubjectAttributeName());
- List list = certSubjectSerialSearch(selector, attrs, attrNames,
- subjectAttributeNames);
- Set resultSet = createCerts(list, selector);
- if (resultSet.size() == 0)
- {
- X509CertStoreSelector emptySelector = new X509CertStoreSelector();
- list = certSubjectSerialSearch(emptySelector, attrs, attrNames,
- subjectAttributeNames);
- resultSet.addAll(createCerts(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns the delta revocation list for revoked certificates.
- *
- * @param selector The CRL selector to use to find the CRLs.
- * @return A possible empty collection with CRLs.
- * @throws StoreException
- */
- public Collection getDeltaCertificateRevocationLists(
- X509CRLStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getDeltaRevocationListAttribute());
- String attrNames[] = splitString(params.getLdapDeltaRevocationListAttributeName());
- String issuerAttributeNames[] = splitString(params
- .getDeltaRevocationListIssuerAttributeName());
- List list = cRLIssuerSearch(selector, attrs, attrNames,
- issuerAttributeNames);
- Set resultSet = createCRLs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CRLStoreSelector emptySelector = new X509CRLStoreSelector();
- list = cRLIssuerSearch(emptySelector, attrs, attrNames,
- issuerAttributeNames);
-
- resultSet.addAll(createCRLs(list, selector));
- }
- return resultSet;
- }
-
- /**
- * Returns an attribute certificate for an user.
- * <p>
- * The attributeCertificateAttribute holds the privileges of a user
- * </p>
- * @param selector The selector to find the attribute certificates.
- * @return A possible empty collection with attribute certificates.
- * @throws StoreException
- */
- public Collection getAttributeCertificateAttributes(
- X509AttributeCertStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getAttributeCertificateAttributeAttribute());
- String attrNames[] = splitString(params
- .getLdapAttributeCertificateAttributeAttributeName());
- String subjectAttributeNames[] = splitString(params
- .getAttributeCertificateAttributeSubjectAttributeName());
- List list = attrCertSubjectSerialSearch(selector, attrs, attrNames,
- subjectAttributeNames);
- Set resultSet = createAttributeCertificates(list, selector);
- if (resultSet.size() == 0)
- {
- X509AttributeCertStoreSelector emptySelector = new X509AttributeCertStoreSelector();
- list = attrCertSubjectSerialSearch(emptySelector, attrs, attrNames,
- subjectAttributeNames);
- resultSet.addAll(createAttributeCertificates(list, selector));
- }
-
- return resultSet;
- }
-
- /**
- * Returns the certificate revocation lists for revoked certificates.
- *
- * @param selector The CRL selector to use to find the CRLs.
- * @return A possible empty collection with CRLs.
- * @throws StoreException
- */
- public Collection getCertificateRevocationLists(
- X509CRLStoreSelector selector) throws StoreException
- {
- String[] attrs = splitString(params.getCertificateRevocationListAttribute());
- String attrNames[] = splitString(params
- .getLdapCertificateRevocationListAttributeName());
- String issuerAttributeNames[] = splitString(params
- .getCertificateRevocationListIssuerAttributeName());
- List list = cRLIssuerSearch(selector, attrs, attrNames,
- issuerAttributeNames);
- Set resultSet = createCRLs(list, selector);
- if (resultSet.size() == 0)
- {
- X509CRLStoreSelector emptySelector = new X509CRLStoreSelector();
- list = cRLIssuerSearch(emptySelector, attrs, attrNames,
- issuerAttributeNames);
-
- resultSet.addAll(createCRLs(list, selector));
- }
- return resultSet;
- }
-
- private Map cacheMap = new HashMap(cacheSize);
-
- private static int cacheSize = 32;
-
- private static long lifeTime = 60 * 1000;
-
- private synchronized void addToCache(String searchCriteria, List list)
- {
- Date now = new Date(System.currentTimeMillis());
- List cacheEntry = new ArrayList();
- cacheEntry.add(now);
- cacheEntry.add(list);
- if (cacheMap.containsKey(searchCriteria))
- {
- cacheMap.put(searchCriteria, cacheEntry);
- }
- else
- {
- if (cacheMap.size() >= cacheSize)
- {
- // replace oldest
- Iterator it = cacheMap.entrySet().iterator();
- long oldest = now.getTime();
- Object replace = null;
- while (it.hasNext())
- {
- Map.Entry entry = (Map.Entry)it.next();
- long current = ((Date)((List)entry.getValue()).get(0))
- .getTime();
- if (current < oldest)
- {
- oldest = current;
- replace = entry.getKey();
- }
- }
- cacheMap.remove(replace);
- }
- cacheMap.put(searchCriteria, cacheEntry);
- }
- }
-
- private List getFromCache(String searchCriteria)
- {
- List entry = (List)cacheMap.get(searchCriteria);
- long now = System.currentTimeMillis();
- if (entry != null)
- {
- // too old
- if (((Date)entry.get(0)).getTime() < (now - lifeTime))
- {
- return null;
- }
- return (List)entry.get(1);
- }
- return null;
- }
-
- /*
- * spilt string based on spaces
- */
- private String[] splitString(String str)
- {
- return str.split("\\s+");
- }
-
- private String getSubjectAsString(X509CertStoreSelector xselector)
- {
- try
- {
- byte[] encSubject = xselector.getSubjectAsBytes();
- if (encSubject != null)
- {
- return new X500Principal(encSubject).getName("RFC1779");
- }
- }
- catch (IOException e)
- {
- throw new StoreException("exception processing name: " + e.getMessage(), e);
- }
- return null;
- }
-
- private X500Principal getCertificateIssuer(X509Certificate cert)
- {
- return cert.getIssuerX500Principal();
- }
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParser.java b/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParser.java
deleted file mode 100644
index 2604894..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParser.java
+++ /dev/null
@@ -1,10 +0,0 @@
-package org.bouncycastle.x509.util;
-
-import java.util.Collection;
-
-public interface StreamParser
-{
- Object read() throws StreamParsingException;
-
- Collection readAll() throws StreamParsingException;
-}
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParsingException.java b/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParsingException.java
deleted file mode 100644
index 8f69ff6..0000000
--- a/bcprov/src/main/java/org/bouncycastle/x509/util/StreamParsingException.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package org.bouncycastle.x509.util;
-
-public class StreamParsingException
- extends Exception
-{
- Throwable _e;
-
- public StreamParsingException(String message, Throwable e)
- {
- super(message);
- _e = e;
- }
-
- public Throwable getCause()
- {
- return _e;
- }
-}