Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 42db8377fdd20cdff6cac1994b25382551270a26 / . / luni / src / main / java / org / apache / harmony / security / provider / cert / X509CRLImpl.java
blob: de5bbfafd1ef95939104510da8f1c67c55b1947e [file] [log] [blame]
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]1/*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18/**
19* @author Alexander Y. Kleymenov
20* @version $Revision$
21*/
22
23package org.apache.harmony.security.provider.cert;
24
25import java.io.IOException;
26import java.io.InputStream;
27import java.math.BigInteger;
28import java.security.InvalidKeyException;
29import java.security.NoSuchAlgorithmException;
30import java.security.NoSuchProviderException;
31import java.security.Principal;
32import java.security.PublicKey;
33import java.security.Signature;
34import java.security.SignatureException;
35import java.security.cert.CRLException;
36import java.security.cert.Certificate;
37import java.security.cert.X509CRL;
38import java.security.cert.X509CRLEntry;
39import java.security.cert.X509Certificate;
40import java.util.ArrayList;
41import java.util.Date;
42import java.util.HashSet;
43import java.util.List;
44import java.util.Set;
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]45import javax.security.auth.x500.X500Principal;
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]46import org.apache.harmony.security.utils.AlgNameMapper;
47import org.apache.harmony.security.x509.CertificateList;
48import org.apache.harmony.security.x509.Extension;
49import org.apache.harmony.security.x509.Extensions;
50import org.apache.harmony.security.x509.TBSCertList;
51
52/**
53 * This class is an implementation of X509CRL. It wraps
54 * the instance of org.apache.harmony.security.x509.CertificateList
55 * built on the base of provided ASN.1 DER encoded form of
56 * CertificateList structure (as specified in RFC 3280
57 * http://www.ietf.org/rfc/rfc3280.txt).
58 * Implementation supports work with indirect CRLs.
59 * @see org.apache.harmony.security.x509.CertificateList
60 * @see java.security.cert.X509CRL
61 */
62public class X509CRLImpl extends X509CRL {
63
64 // the core object to be wrapped in X509CRL
65 private final CertificateList crl;
66
67 // To speed up access to the info, the following fields
68 // cache values retrieved from the CertificateList object
69 private final TBSCertList tbsCertList;
70 private byte[] tbsCertListEncoding;
71 private final Extensions extensions;
72 private X500Principal issuer;
73 private ArrayList entries;
74 private int entriesSize;
75 private byte[] signature;
76 private String sigAlgOID;
77 private String sigAlgName;
78 private byte[] sigAlgParams;
79
80 // encoded form of crl
81 private byte[] encoding;
82
83 // indicates whether the signature algorithm parameters are null
84 private boolean nullSigAlgParams;
85 // indicates whether the crl entries have already been retrieved
86 // from CertificateList object (crl)
87 private boolean entriesRetrieved;
88
89 // indicates whether this X.509 CRL is direct or indirect
90 // (see rfc 3280 http://www.ietf.org/rfc/rfc3280.txt, p 5.)
91 private boolean isIndirectCRL;
92 // if crl is indirect, this field holds an info about how
93 // many of the leading certificates in the list are issued
94 // by the same issuer as CRL.
95 private int nonIndirectEntriesSize;
96
97 /**
98 * Creates X.509 CRL by wrapping of the specified CertificateList object.
99 */
100 public X509CRLImpl(CertificateList crl) {
101 this.crl = crl;
102 this.tbsCertList = crl.getTbsCertList();
103 this.extensions = tbsCertList.getCrlExtensions();
104 }
105
106 /**
107 * Creates X.509 CRL on the base of ASN.1 DER encoded form of
108 * the CRL (CertificateList structure described in RFC 3280)
109 * provided via input stream.
110 * @throws CRLException if decoding errors occur.
111 */
112 public X509CRLImpl(InputStream in) throws CRLException {
113 try {
114 // decode CertificateList structure
115 this.crl = (CertificateList) CertificateList.ASN1.decode(in);
116 this.tbsCertList = crl.getTbsCertList();
117 this.extensions = tbsCertList.getCrlExtensions();
118 } catch (IOException e) {
119 throw new CRLException(e);
120 }
121 }
122
123 /**
124 * Creates X.509 CRL on the base of ASN.1 DER encoded form of
125 * the CRL (CertificateList structure described in RFC 3280)
126 * provided via array of bytes.
127 * @throws IOException if decoding errors occur.
128 */
129 public X509CRLImpl(byte[] encoding) throws IOException {
130 this((CertificateList) CertificateList.ASN1.decode(encoding));
131 }
132
133 // ---------------------------------------------------------------------
134 // ----- java.security.cert.X509CRL abstract method implementations ----
135 // ---------------------------------------------------------------------
136
137 /**
138 * @see java.security.cert.X509CRL#getEncoded()
139 * method documentation for more info
140 */
141 public byte[] getEncoded() throws CRLException {
142 if (encoding == null) {
143 encoding = crl.getEncoded();
144 }
145 byte[] result = new byte[encoding.length];
146 System.arraycopy(encoding, 0, result, 0, encoding.length);
147 return result;
148 }
149
150 /**
151 * @see java.security.cert.X509CRL#getVersion()
152 * method documentation for more info
153 */
154 public int getVersion() {
155 return tbsCertList.getVersion();
156 }
157
158 /**
159 * @see java.security.cert.X509CRL#getIssuerDN()
160 * method documentation for more info
161 */
162 public Principal getIssuerDN() {
163 if (issuer == null) {
164 issuer = tbsCertList.getIssuer().getX500Principal();
165 }
166 return issuer;
167 }
168
169 /**
170 * @see java.security.cert.X509CRL#getIssuerX500Principal()
171 * method documentation for more info
172 */
173 public X500Principal getIssuerX500Principal() {
174 if (issuer == null) {
175 issuer = tbsCertList.getIssuer().getX500Principal();
176 }
177 return issuer;
178 }
179
180 /**
181 * @see java.security.cert.X509CRL#getThisUpdate()
182 * method documentation for more info
183 */
184 public Date getThisUpdate() {
185 return tbsCertList.getThisUpdate();
186 }
187
188 /**
189 * @see java.security.cert.X509CRL#getNextUpdate()
190 * method documentation for more info
191 */
192 public Date getNextUpdate() {
193 return tbsCertList.getNextUpdate();
194 }
195
196 /*
197 * Retrieves the crl entries (TBSCertList.RevokedCertificate objects)
198 * from the TBSCertList structure and converts them to the
199 * X509CRLEntryImpl objects
200 */
Elliott Hughes2f9e4682009-10-09 17:21:46 -0700[diff] [blame]201 private void retrieveEntries() {
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]202 entriesRetrieved = true;
203 List rcerts = tbsCertList.getRevokedCertificates();
204 if (rcerts == null) {
205 return;
206 }
207 entriesSize = rcerts.size();
208 entries = new ArrayList(entriesSize);
209 // null means that revoked certificate issuer is the same as CRL issuer
210 X500Principal rcertIssuer = null;
211 for (int i=0; i<entriesSize; i++) {
212 TBSCertList.RevokedCertificate rcert =
213 (TBSCertList.RevokedCertificate) rcerts.get(i);
214 X500Principal iss = rcert.getIssuer();
215 if (iss != null) {
216 // certificate issuer differs from CRL issuer
217 // and CRL is indirect.
218 rcertIssuer = iss;
219 isIndirectCRL = true;
220 // remember how many leading revoked certificates in the
221 // list are issued by the same issuer as issuer of CRL
222 // (these certificates are first in the list)
223 nonIndirectEntriesSize = i;
224 }
225 entries.add(new X509CRLEntryImpl(rcert, rcertIssuer));
226 }
227 }
228
229 /**
230 * Searches for certificate in CRL.
231 * This method supports indirect CRLs: if CRL is indirect method takes
232 * into account serial number and issuer of the certificate,
233 * if CRL issued by CA (i.e. it is not indirect) search is done only
234 * by serial number of the specified certificate.
235 * @see java.security.cert.X509CRL#getRevokedCertificate(X509Certificate)
236 * method documentation for more info
237 */
238 public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {
239 if (certificate == null) {
Kenny Root86acc042012-09-12 10:32:58 -0700[diff] [blame]240 throw new NullPointerException("certificate == null");
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]241 }
242 if (!entriesRetrieved) {
Elliott Hughes2f9e4682009-10-09 17:21:46 -0700[diff] [blame]243 retrieveEntries();
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]244 }
245 if (entries == null) {
246 return null;
247 }
248 BigInteger serialN = certificate.getSerialNumber();
249 if (isIndirectCRL) {
250 // search in indirect crl
251 X500Principal certIssuer = certificate.getIssuerX500Principal();
252 if (certIssuer.equals(getIssuerX500Principal())) {
253 // certificate issuer is CRL issuer
254 certIssuer = null;
255 }
256 for (int i=0; i<entriesSize; i++) {
257 X509CRLEntry entry = (X509CRLEntry) entries.get(i);
258 // check the serial number of revoked certificate
259 if (serialN.equals(entry.getSerialNumber())) {
260 // revoked certificate issuer
261 X500Principal iss = entry.getCertificateIssuer();
262 // check the issuer of revoked certificate
263 if (certIssuer != null) {
264 // certificate issuer is not a CRL issuer, so
265 // check issuers for equality
266 if (certIssuer.equals(iss)) {
267 return entry;
268 }
269 } else if (iss == null) {
270 // both certificates was issued by CRL issuer
271 return entry;
272 }
273 }
274 }
275 } else {
276 // search in CA's (non indirect) crl: just look up the serial number
277 for (int i=0; i<entriesSize; i++) {
278 X509CRLEntry entry = (X509CRLEntry) entries.get(i);
279 if (serialN.equals(entry.getSerialNumber())) {
280 return entry;
281 }
282 }
283 }
284 return null;
285 }
286
287 /**
288 * Method searches for CRL entry with specified serial number.
289 * The method will search only certificate issued by CRL's issuer.
290 * @see java.security.cert.X509CRL#getRevokedCertificate(BigInteger)
291 * method documentation for more info
292 */
293 public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
294 if (!entriesRetrieved) {
Elliott Hughes2f9e4682009-10-09 17:21:46 -0700[diff] [blame]295 retrieveEntries();
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]296 }
297 if (entries == null) {
298 return null;
299 }
Kenny Roote8c1d632014-01-31 10:56:34 -0800[diff] [blame]300 if (isIndirectCRL) {
301 for (int i = 0; i < nonIndirectEntriesSize; i++) {
302 X509CRLEntry entry = (X509CRLEntry) entries.get(i);
303 if (serialNumber.equals(entry.getSerialNumber())
304 && entry.getCertificateIssuer() == null) {
305 return entry;
306 }
307 }
308 } else {
309 for (int i = 0; i < entriesSize; i++) {
310 X509CRLEntry entry = (X509CRLEntry) entries.get(i);
311 if (serialNumber.equals(entry.getSerialNumber())) {
312 return entry;
313 }
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]314 }
315 }
316 return null;
317 }
318
319 /**
320 * @see java.security.cert.X509CRL#getRevokedCertificates()
321 * method documentation for more info
322 */
323 public Set<? extends X509CRLEntry> getRevokedCertificates() {
324 if (!entriesRetrieved) {
Elliott Hughes2f9e4682009-10-09 17:21:46 -0700[diff] [blame]325 retrieveEntries();
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]326 }
327 if (entries == null) {
328 return null;
329 }
330 return new HashSet(entries);
331 }
332
333 /**
334 * @see java.security.cert.X509CRL#getTBSCertList()
335 * method documentation for more info
336 */
337 public byte[] getTBSCertList() throws CRLException {
338 if (tbsCertListEncoding == null) {
339 tbsCertListEncoding = tbsCertList.getEncoded();
340 }
341 byte[] result = new byte[tbsCertListEncoding.length];
342 System.arraycopy(tbsCertListEncoding, 0,
343 result, 0, tbsCertListEncoding.length);
344 return result;
345 }
346
347 /**
348 * @see java.security.cert.X509CRL#getSignature()
349 * method documentation for more info
350 */
351 public byte[] getSignature() {
352 if (signature == null) {
353 signature = crl.getSignatureValue();
354 }
355 byte[] result = new byte[signature.length];
356 System.arraycopy(signature, 0, result, 0, signature.length);
357 return result;
358 }
359
360 /**
361 * @see java.security.cert.X509CRL#getSigAlgName()
362 * method documentation for more info
363 */
364 public String getSigAlgName() {
365 if (sigAlgOID == null) {
366 sigAlgOID = tbsCertList.getSignature().getAlgorithm();
367 sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID);
368 if (sigAlgName == null) {
369 sigAlgName = sigAlgOID;
370 }
371 }
372 return sigAlgName;
373 }
374
375 /**
376 * @see java.security.cert.X509CRL#getSigAlgOID()
377 * method documentation for more info
378 */
379 public String getSigAlgOID() {
380 if (sigAlgOID == null) {
381 sigAlgOID = tbsCertList.getSignature().getAlgorithm();
382 sigAlgName = AlgNameMapper.map2AlgName(sigAlgOID);
383 if (sigAlgName == null) {
384 sigAlgName = sigAlgOID;
385 }
386 }
387 return sigAlgOID;
388 }
389
390 /**
391 * @see java.security.cert.X509CRL#getSigAlgParams()
392 * method documentation for more info
393 */
394 public byte[] getSigAlgParams() {
395 if (nullSigAlgParams) {
396 return null;
397 }
398 if (sigAlgParams == null) {
399 sigAlgParams = tbsCertList.getSignature().getParameters();
400 if (sigAlgParams == null) {
401 nullSigAlgParams = true;
402 return null;
403 }
404 }
405 return sigAlgParams;
406 }
407
408 /**
409 * @see java.security.cert.X509CRL#verify(PublicKey key)
410 * method documentation for more info
411 */
412 public void verify(PublicKey key)
413 throws CRLException, NoSuchAlgorithmException,
414 InvalidKeyException, NoSuchProviderException,
415 SignatureException {
416 Signature signature = Signature.getInstance(getSigAlgName());
417 signature.initVerify(key);
418 byte[] tbsEncoding = tbsCertList.getEncoded();
419 signature.update(tbsEncoding, 0, tbsEncoding.length);
420 if (!signature.verify(crl.getSignatureValue())) {
Elliott Hughes897538a2010-05-28 20:00:47 -0700[diff] [blame]421 throw new SignatureException("Signature was not verified");
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]422 }
423 }
424
425 /**
426 * @see java.security.cert.X509CRL#verify(PublicKey key, String sigProvider)
427 * method documentation for more info
428 */
429 public void verify(PublicKey key, String sigProvider)
430 throws CRLException, NoSuchAlgorithmException,
431 InvalidKeyException, NoSuchProviderException,
432 SignatureException {
433 Signature signature = Signature.getInstance(
434 getSigAlgName(), sigProvider);
435 signature.initVerify(key);
436 byte[] tbsEncoding = tbsCertList.getEncoded();
437 signature.update(tbsEncoding, 0, tbsEncoding.length);
438 if (!signature.verify(crl.getSignatureValue())) {
Elliott Hughes897538a2010-05-28 20:00:47 -0700[diff] [blame]439 throw new SignatureException("Signature was not verified");
The Android Open Source Projectadc854b2009-03-03 19:28:47 -0800[diff] [blame]440 }
441 }
442
443 // ---------------------------------------------------------------------
444 // ------ java.security.cert.CRL abstract method implementations -------
445 // ---------------------------------------------------------------------
446
447 /**
448 * @see java.security.cert.CRL#isRevoked(Certificate)
449 * method documentation for more info
450 */
451 public boolean isRevoked(Certificate cert) {
452 if (!(cert instanceof X509Certificate)) {
453 return false;
454 }
455 return getRevokedCertificate((X509Certificate) cert) != null;
456 }
457
458 /**
459 * @see java.security.cert.CRL#toString()
460 * method documentation for more info
461 */
462 public String toString() {
463 return crl.toString();
464 }
465
466 // ---------------------------------------------------------------------
467 // ------ java.security.cert.X509Extension method implementations ------
468 // ---------------------------------------------------------------------
469
470 /**
471 * @see java.security.cert.X509Extension#getNonCriticalExtensionOIDs()
472 * method documentation for more info
473 */
474 public Set getNonCriticalExtensionOIDs() {
475 if (extensions == null) {
476 return null;
477 }
478 return extensions.getNonCriticalExtensions();
479 }
480
481 /**
482 * @see java.security.cert.X509Extension#getCriticalExtensionOIDs()
483 * method documentation for more info
484 */
485 public Set getCriticalExtensionOIDs() {
486 if (extensions == null) {
487 return null;
488 }
489 return extensions.getCriticalExtensions();
490 }
491
492 /**
493 * @see java.security.cert.X509Extension#getExtensionValue(String)
494 * method documentation for more info
495 */
496 public byte[] getExtensionValue(String oid) {
497 if (extensions == null) {
498 return null;
499 }
500 Extension ext = extensions.getExtensionByOID(oid);
501 return (ext == null) ? null : ext.getRawExtnValue();
502 }
503
504 /**
505 * @see java.security.cert.X509Extension#hasUnsupportedCriticalExtension()
506 * method documentation for more info
507 */
508 public boolean hasUnsupportedCriticalExtension() {
509 if (extensions == null) {
510 return false;
511 }
512 return extensions.hasUnsupportedCritical();
513 }
514}