Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
  package org.bouncycastle.jce.provider;
  
 import java.util.Date;
 import java.util.List;
 import java.util.Set;
 
 
 
 {
 
     private static final String TARGET_INFORMATION = .
         .getId();
 
     private static final String NO_REV_AVAIL = .
         .getId();
 
         .getId();
 
     private static final String AUTHORITY_INFO_ACCESS = .
         .getId();
 
     protected static void processAttrCert7(X509AttributeCertificate attrCert,
         CertPath certPathCertPath holderCertPath,
         PKIXExtendedParameters pkixParamsSet attrCertCheckersthrows CertPathValidatorException
     {
         // TODO:
         // AA Controls
         // Attribute encryption
         // Proxy
         Set set = attrCert.getCriticalExtensionOIDs();
         // 7.1
         // process extensions
 
         // target information checked in step 6 / X509AttributeCertStoreSelector
         if (set.contains())
         {
             try
             {
                 TargetInformation.getInstance(CertPathValidatorUtilities
                     .getExtensionValue(attrCert));
             }
             catch (AnnotatedException e)
             {
                 throw new ExtCertPathValidatorException(
                     "Target information extension could not be read."e);
             }
             catch (IllegalArgumentException e)
             {
                 throw new ExtCertPathValidatorException(
                     "Target information extension could not be read."e);
             }
         }
        set.remove();
        for (Iterator it = attrCertCheckers.iterator(); it
            .hasNext();)
        {
            ((PKIXAttrCertCheckerit.next()).check(attrCertcertPath,
                holderCertPathset);
        }
        if (!set.isEmpty())
        {
            throw new CertPathValidatorException(
                "Attribute certificate contains unsupported critical extensions: "
                    + set);
        }
    }

    
Checks if an attribute certificate is revoked.

Parameters:
attrCert Attribute certificate to check if it is revoked.
paramsPKIX PKIX parameters.
issuerCert The issuer certificate of the attribute certificate attrCert.
validDate The date when the certificate revocation status should be checked.
certPathCerts The certificates of the certification path to be checked.
Throws:
java.security.cert.CertPathValidatorException if the certificate is revoked or the status cannot be checked or some error occurs.
    protected static void checkCRLs(X509AttributeCertificate attrCert,
        PKIXExtendedParameters paramsPKIXX509Certificate issuerCert,
        Date validDateList certPathCertsJcaJceHelper helperthrows CertPathValidatorException
    {
        if (paramsPKIX.isRevocationEnabled())
        {
            // check if revocation is available
            if (attrCert.getExtensionValue() == null)
            {
                CRLDistPoint crldp = null;
                try
                {
                    crldp = CRLDistPoint.getInstance(CertPathValidatorUtilities
                        .getExtensionValue(attrCert));
                }
                catch (AnnotatedException e)
                {
                    throw new CertPathValidatorException(
                        "CRL distribution point extension could not be read.",
                        e);
                }
                List crlStores = new ArrayList();
                try
                {
                    crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldpparamsPKIX.getNamedCRLStoreMap()));
                }
                catch (AnnotatedException e)
                {
                    throw new CertPathValidatorException(
                        "No additional CRL locations could be decoded from CRL distribution point extension.",
                        e);
                }
                PKIXExtendedParameters.Builder bldr = new PKIXExtendedParameters.Builder(paramsPKIX);
                for (Iterator it = crlStores.iterator(); it.hasNext(); )
                {
                    bldr.addCRLStore((PKIXCRLStore)crlStores);
                }
                paramsPKIX = bldr.build();
                CertStatus certStatus = new CertStatus();
                ReasonsMask reasonsMask = new ReasonsMask();
                AnnotatedException lastException = null;
                boolean validCrlFound = false;
                // for each distribution point
                if (crldp != null)
                {
                    DistributionPoint dps[] = null;
                    try
                    {
                        dps = crldp.getDistributionPoints();
                    }
                    catch (Exception e)
                    {
                        throw new ExtCertPathValidatorException(
                            "Distribution points could not be read."e);
                    }
                    try
                    {
                        for (int i = 0; i < dps.length
                            && certStatus.getCertStatus() == .
                            && !reasonsMask.isAllReasons(); i++)
                        {
                            PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters)paramsPKIX
                                    .clone();
                            checkCRL(dps[i], attrCertparamsPKIXClone,
                                validDateissuerCertcertStatusreasonsMask,
                                certPathCertshelper);
                            validCrlFound = true;
                        }
                    }
                    catch (AnnotatedException e)
                    {
                        lastException = new AnnotatedException(
                            "No valid CRL for distribution point found."e);
                    }
                }
                /*
                 * If the revocation status has not been determined, repeat the
                 * process above with any available CRLs not specified in a
                 * distribution point but issued by the certificate issuer.
                 */
                if (certStatus.getCertStatus() == .
                    && !reasonsMask.isAllReasons())
                {
                    try
                    {
                        /*
                         * assume a DP with both the reasons and the cRLIssuer
                         * fields omitted and a distribution point name of the
                         * certificate issuer.
                         */
                        ASN1Primitive issuer = null;
                        try
                        {
                            issuer = new ASN1InputStream(
                                ((X500PrincipalattrCert.getIssuer()
                                    .getPrincipals()[0]).getEncoded())
                                .readObject();
                        }
                        catch (Exception e)
                        {
                            throw new AnnotatedException(
                                "Issuer from certificate for CRL could not be reencoded.",
                                e);
                        }
                        DistributionPoint dp = new DistributionPoint(
                            new DistributionPointName(0, new GeneralNames(
                                new GeneralName(.,
                                    issuer))), nullnull);
                        PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParametersparamsPKIX
                            .clone();
                        checkCRL(dpattrCertparamsPKIXClonevalidDate,
                            issuerCertcertStatusreasonsMaskcertPathCertshelper);
                        validCrlFound = true;
                    }
                    catch (AnnotatedException e)
                    {
                        lastException = new AnnotatedException(
                            "No valid CRL for distribution point found."e);
                    }
                }
                if (!validCrlFound)
                {
                    throw new ExtCertPathValidatorException(
                        "No valid CRL found."lastException);
                }
                if (certStatus.getCertStatus() != .)
                {
                    String message = "Attribute certificate revocation after "
                        + certStatus.getRevocationDate();
                    message += ", reason: "
                        + .[certStatus
                            .getCertStatus()];
                    throw new CertPathValidatorException(message);
                }
                if (!reasonsMask.isAllReasons()
                    && certStatus.getCertStatus() == .)
                {
                    certStatus.setCertStatus(.);
                }
                if (certStatus.getCertStatus() == .)
                {
                    throw new CertPathValidatorException(
                        "Attribute certificate status could not be determined.");
                }
            }
            else
            {
                if (attrCert.getExtensionValue() != null
                    || attrCert.getExtensionValue() != null)
                {
                    throw new CertPathValidatorException(
                        "No rev avail extension is set, but also an AC revocation pointer.");
                }
            }
        }
    }
    protected static void additionalChecks(X509AttributeCertificate attrCert,
        Set prohibitedACAttributesSet necessaryACAttributesthrows CertPathValidatorException
    {
        // 1
        for (Iterator it = prohibitedACAttributes.iterator(); it
            .hasNext();)
        {
            String oid = (Stringit.next();
            if (attrCert.getAttributes(oid) != null)
            {
                throw new CertPathValidatorException(
                    "Attribute certificate contains prohibited attribute: "
                        + oid + ".");
            }
        }
        for (Iterator it = necessaryACAttributes.iterator(); it
            .hasNext();)
        {
            String oid = (Stringit.next();
            if (attrCert.getAttributes(oid) == null)
            {
                throw new CertPathValidatorException(
                    "Attribute certificate does not contain necessary attribute: "
                        + oid + ".");
            }
        }
    }
    protected static void processAttrCert5(X509AttributeCertificate attrCert,
        PKIXExtendedParameters pkixParamsthrows CertPathValidatorException
    {
        try
        {
            attrCert.checkValidity(CertPathValidatorUtilities
                .getValidDate(pkixParams));
        }
        catch (CertificateExpiredException e)
        {
            throw new ExtCertPathValidatorException(
                "Attribute certificate is not valid."e);
        }
        catch (CertificateNotYetValidException e)
        {
            throw new ExtCertPathValidatorException(
                "Attribute certificate is not valid."e);
        }
    }
    protected static void processAttrCert4(X509Certificate acIssuerCert,
        Set trustedACIssuersthrows CertPathValidatorException
    {
        Set set = trustedACIssuers;
        boolean trusted = false;
        for (Iterator it = set.iterator(); it.hasNext();)
        {
            TrustAnchor anchor = (TrustAnchorit.next();
            if (acIssuerCert.getSubjectX500Principal().getName("RFC2253")
                .equals(anchor.getCAName())
                || acIssuerCert.equals(anchor.getTrustedCert()))
            {
                trusted = true;
            }
        }
        if (!trusted)
        {
            throw new CertPathValidatorException(
                "Attribute certificate issuer is not directly trusted.");
        }
    }
    protected static void processAttrCert3(X509Certificate acIssuerCert,
        PKIXExtendedParameters pkixParamsthrows CertPathValidatorException
    {
        if (acIssuerCert.getKeyUsage() != null
            && (!acIssuerCert.getKeyUsage()[0] && !acIssuerCert.getKeyUsage()[1]))
        {
            throw new CertPathValidatorException(
                "Attribute certificate issuer public key cannot be used to validate digital signatures.");
        }
        if (acIssuerCert.getBasicConstraints() != -1)
        {
            throw new CertPathValidatorException(
                "Attribute certificate issuer is also a public key certificate issuer.");
        }
    }
    protected static CertPathValidatorResult processAttrCert2(
        CertPath certPathPKIXExtendedParameters pkixParams)
        throws CertPathValidatorException
    {
        CertPathValidator validator = null;
        try
        {
            validator = CertPathValidator.getInstance("PKIX".);
        }
        catch (NoSuchProviderException e)
        {
            throw new ExtCertPathValidatorException(
                "Support class could not be created."e);
        }
        catch (NoSuchAlgorithmException e)
        {
            throw new ExtCertPathValidatorException(
                "Support class could not be created."e);
        }
        try
        {
            return validator.validate(certPathpkixParams);
        }
        catch (CertPathValidatorException e)
        {
            throw new ExtCertPathValidatorException(
                "Certification path for issuer certificate of attribute certificate could not be validated.",
                e);
        }
        catch (InvalidAlgorithmParameterException e)
        {
            // must be a programming error
            throw new RuntimeException(e.getMessage());
        }
    }

    
Searches for a holder public key certificate and verifies its certification path.

Parameters:
attrCert the attribute certificate.
pkixParams The PKIX parameters.
Returns:
The certificate path of the holder certificate.
Throws:
AnnotatedException if
  • no public key certificate can be found although holder information is given by an entity name or a base certificate ID
  • support classes cannot be created
  • no certification path for the public key certificate can be built
    protected static CertPath processAttrCert1(
        X509AttributeCertificate attrCertPKIXExtendedParameters pkixParams)
        throws CertPathValidatorException
    {
        CertPathBuilderResult result = null;
        // find holder PKCs
        Set holderPKCs = new HashSet();
        if (attrCert.getHolder().getIssuer() != null)
        {
            X509CertSelector selector = new X509CertSelector();
            selector.setSerialNumber(attrCert.getHolder().getSerialNumber());
            Principal[] principals = attrCert.getHolder().getIssuer();
            for (int i = 0; i < principals.lengthi++)
            {
                try
                {
                    if (principals[iinstanceof X500Principal)
                    {
                        selector.setIssuer(((X500Principal)principals[i])
                            .getEncoded());
                    }
                    holderPKCs.addAll(CertPathValidatorUtilities
                        .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores()));
                }
                catch (AnnotatedException e)
                {
                    throw new ExtCertPathValidatorException(
                        "Public key certificate for attribute certificate cannot be searched.",
                        e);
                }
                catch (IOException e)
                {
                    throw new ExtCertPathValidatorException(
                        "Unable to encode X500 principal."e);
                }
            }
            if (holderPKCs.isEmpty())
            {
                throw new CertPathValidatorException(
                    "Public key certificate specified in base certificate ID for attribute certificate cannot be found.");
            }
        }
        if (attrCert.getHolder().getEntityNames() != null)
        {
            X509CertStoreSelector selector = new X509CertStoreSelector();
            Principal[] principals = attrCert.getHolder().getEntityNames();
            for (int i = 0; i < principals.lengthi++)
            {
                try
                {
                    if (principals[iinstanceof X500Principal)
                    {
                        selector.setIssuer(((X500Principalprincipals[i])
                            .getEncoded());
                    }
                    holderPKCs.addAll(CertPathValidatorUtilities
                        .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores()));
                }
                catch (AnnotatedException e)
                {
                    throw new ExtCertPathValidatorException(
                        "Public key certificate for attribute certificate cannot be searched.",
                        e);
                }
                catch (IOException e)
                {
                    throw new ExtCertPathValidatorException(
                        "Unable to encode X500 principal."e);
                }
            }
            if (holderPKCs.isEmpty())
            {
                throw new CertPathValidatorException(
                    "Public key certificate specified in entity name for attribute certificate cannot be found.");
            }
        }
        // verify cert paths for PKCs
        PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(pkixParams);
        CertPathValidatorException lastException = null;
        for (Iterator it = holderPKCs.iterator(); it.hasNext();)
        {
            X509CertStoreSelector selector = new X509CertStoreSelector();
            selector.setCertificate((X509Certificateit.next());
            paramsBldr.setTargetConstraints(new PKIXCertStoreSelector.Builder(selector).build());
            CertPathBuilder builder = null;
            try
            {
                builder = CertPathBuilder.getInstance("PKIX".);
            }
            catch (NoSuchProviderException e)
            {
                throw new ExtCertPathValidatorException(
                    "Support class could not be created."e);
            }
            catch (NoSuchAlgorithmException e)
            {
                throw new ExtCertPathValidatorException(
                    "Support class could not be created."e);
            }
            try
            {
                result = builder.build(new PKIXExtendedBuilderParameters.Builder(paramsBldr.build()).build());
            }
            catch (CertPathBuilderException e)
            {
                lastException = new ExtCertPathValidatorException(
                    "Certification path for public key certificate of attribute certificate could not be build.",
                    e);
            }
            catch (InvalidAlgorithmParameterException e)
            {
                // must be a programming error
                throw new RuntimeException(e.getMessage());
            }
        }
        if (lastException != null)
        {
            throw lastException;
        }
        return result.getCertPath();
    }

    
Checks a distribution point for revocation information for the certificate attrCert.

Parameters:
dp The distribution point to consider.
attrCert The attribute certificate which should be checked.
paramsPKIX PKIX parameters.
validDate The date when the certificate revocation status should be checked.
issuerCert Certificate to check if it is revoked.
reasonMask The reasons mask which is already checked.
certPathCerts The certificates of the certification path to be checked.
Throws:
AnnotatedException if the certificate is revoked or the status cannot be checked or some error occurs.
    private static void checkCRL(DistributionPoint dp,
        X509AttributeCertificate attrCertPKIXExtendedParameters paramsPKIX,
        Date validDateX509Certificate issuerCertCertStatus certStatus,
        ReasonsMask reasonMaskList certPathCertsJcaJceHelper helperthrows AnnotatedException
    {
        /*
         * 4.3.6 No Revocation Available
         * 
         * The noRevAvail extension, defined in [X.509-2000], allows an AC
         * issuer to indicate that no revocation information will be made
         * available for this AC.
         */
        if (attrCert.getExtensionValue(..getId()) != null)
        {
            return;
        }
        Date currentDate = new Date(System.currentTimeMillis());
        if (validDate.getTime() > currentDate.getTime())
        {
            throw new AnnotatedException("Validation time is in future.");
        }
        // (a)
        /*
         * We always get timely valid CRLs, so there is no step (a) (1).
         * "locally cached" CRLs are assumed to be in getStore(), additional
         * CRLs must be enabled in the PKIXExtendedParameters and are in
         * getAdditionalStore()
         */
        Set crls = CertPathValidatorUtilities.getCompleteCRLs(dpattrCert,
            currentDateparamsPKIX);
        boolean validCrlFound = false;
        AnnotatedException lastException = null;
        Iterator crl_iter = crls.iterator();
        while (crl_iter.hasNext()
            && certStatus.getCertStatus() == .
            && !reasonMask.isAllReasons())
        {
            try
            {
                X509CRL crl = (X509CRLcrl_iter.next();
                // (d)
                ReasonsMask interimReasonsMask = RFC3280CertPathUtilities
                    .processCRLD(crldp);
                // (e)
                /*
                 * The reasons mask is updated at the end, so only valid CRLs
                 * can update it. If this CRL does not contain new reasons it
                 * must be ignored.
                 */
                if (!interimReasonsMask.hasNewReasons(reasonMask))
                {
                    continue;
                }
                // (f)
                Set keys = RFC3280CertPathUtilities.processCRLF(crlattrCertnullnullparamsPKIXcertPathCertshelper);
                // (g)
                PublicKey key = RFC3280CertPathUtilities.processCRLG(crlkeys);
                X509CRL deltaCRL = null;
                if (paramsPKIX.isUseDeltasEnabled())
                {
                    // get delta CRLs
                    Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDatecrlparamsPKIX.getCertStores(), paramsPKIX.getCRLStores());
                    // we only want one valid delta CRL
                    // (h)
                    deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs,
                        key);
                }
                /*
                 * CRL must be be valid at the current time, not the validation
                 * time. If a certificate is revoked with reason keyCompromise,
                 * cACompromise, it can be used for forgery, also for the past.
                 * This reason may not be contained in older CRLs.
                 */
                /*
                 * in the chain model signatures stay valid also after the
                 * certificate has been expired, so they do not have to be in
                 * the CRL vality time
                 */
                if (paramsPKIX.getValidityModel() != .)
                {
                    /*
                     * if a certificate has expired, but was revoked, it is not
                     * more in the CRL, so it would be regarded as valid if the
                     * first check is not done
                     */
                    if (attrCert.getNotAfter().getTime() < crl.getThisUpdate()
                        .getTime())
                    {
                        throw new AnnotatedException(
                            "No valid CRL for current time found.");
                    }
                }
                RFC3280CertPathUtilities.processCRLB1(dpattrCertcrl);
                // (b) (2)
                RFC3280CertPathUtilities.processCRLB2(dpattrCertcrl);
                // (c)
                RFC3280CertPathUtilities.processCRLC(deltaCRLcrlparamsPKIX);
                // (i)
                RFC3280CertPathUtilities.processCRLI(validDatedeltaCRL,
                    attrCertcertStatusparamsPKIX);
                // (j)
                RFC3280CertPathUtilities.processCRLJ(validDatecrlattrCert,
                    certStatus);
                // (k)
                if (certStatus.getCertStatus() == .)
                {
                    certStatus.setCertStatus(.);
                }
                // update reasons mask
                reasonMask.addReasons(interimReasonsMask);
                validCrlFound = true;
            }
            catch (AnnotatedException e)
            {
                lastException = e;
            }
        }
        if (!validCrlFound)
        {
            throw lastException;
        }
    }
New to GrepCode? Check out our FAQ X