AMCRLStore.java revision e6c3a72a023407f5d1fface64356e1cc81f1af31
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AMCRLStore.java,v 1.7 2009/01/28 05:35:12 ww203982 Exp $
*
* Portions Copyrighted 2013-2016 ForgeRock AS.
*/
/**
* This class manages a CRL store in an LDAP server.
* It retrieves CRLs and updates them using the CRLDistribution
* PointsExtension in the client certificate or the IssuingDistribution
* PointExtension in the CRL. This class should be used
* whenever the CRL store in LDAP has to be managed.
* <pre>
* id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }
*
* CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
*
* DistributionPoint ::= SEQUENCE {
* distributionPoint [0] DistributionPointName OPTIONAL,
* reasons [1] ReasonFlags OPTIONAL,
* cRLIssuer [2] GeneralNames OPTIONAL }
*
* DistributionPointName ::= CHOICE {
* fullName [0] GeneralNames,
* nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
*
* ReasonFlags ::= BIT STRING {
* unused (0),
* keyCompromise (1),
* cACompromise (2),
* affiliationChanged (3),
* superseded (4),
* cessationOfOperation (5),
* certificateHold (6),
* privilegeWithdrawn (7),
* aACompromise (8) }
* </pre>
*/
public class AMCRLStore extends AMCertStore {
public static final String CERTIFICATE_REVOCATION_LIST_BINARY = CERTIFICATE_REVOCATION_LIST + ";binary";
// In memory CRL cache
/**
* Class AMCRLStore is a special-cased CRL store for LDAP.
* An AMCRLStore instance has to have all the information for LDAP
* and all the access information for the CRLDistributionPointExtension and
* the CRLIssuingDistributionPoint extension.
*
* @param param
*/
super(param);
}
/**
* Checks the certificate and returns the corresponding CRL stored in the LDAP store.
*
* @param certificate
*/
if (storeParam.isDoCRLCaching()) {
if (debug.messageEnabled()) {
}
}
return null;
}
if (debug.messageEnabled()) {
}
if (mCrlAttrName == null) {
} else {
}
}
if (debug.messageEnabled()) {
}
try {
}
} catch (Exception e) {
}
try {
} catch (Exception e) {
}
}
}
}
if (debug.messageEnabled()) {
}
tmpcrl.getEncoded());
}
}
}
if (storeParam.isDoCRLCaching()) {
if (debug.messageEnabled()) {
}
}
} catch (Exception e) {
}
return crl;
}
/**
* Checks the certificate and returns the corresponding CRL held in the cached CRL store.
*
* @param certificate
* @return Cached CRL information about the certificate.
*/
}
/**
* Checks the certificate and updates the CRL in the cached CRL store.
*
* @param certificate
* @param crl
*/
} else {
}
}
throws Exception {
if (debug.messageEnabled()) {
}
return null;
}
try {
/*
* Retrieve the certificate revocation list if available.
*/
if (mCrlAttrName == null) {
if (crlAttribute == null) {
if (crlAttribute == null) {
return null;
}
}
} else {
}
return null;
}
} catch (Exception e) {
return null;
}
try {
if (debug.messageEnabled()) {
}
} catch (Exception e) {
}
return crl;
}
/**
* Checks whether the certificate has a CRLDistributionPointsExtension.
* If it does, the extension is returned.
*
* @param certificate
*/
try {
} catch (Exception e) {
}
return dpExt;
}
/**
* Checks whether the CRL has an IssuingDistributionPointExtension.
* If it does, the extension is returned.
*
* @param crl
*/
return null;
}
if (debug.messageEnabled()) {
}
try {
byte[] ext =
}
} catch (Exception e) {
}
return idpExt;
}
/**
* Updates the CRL under the DN in the directory server.
* It retrieves the CRL distribution points from the parameter
* CRLDistributionPointsExtension dpExt.
*
* @param dpExt
*/
private synchronized X509CRL
// Get CRL Distribution points
return null;
}
try {
} catch (IOException ioex) {
if (debug.warningEnabled()) {
}
}
return null;
}
if (debug.messageEnabled()) {
gName);
}
try {
new ByteArrayInputStream(Crls));
if (debug.warningEnabled()) {
"Error in generating X509CRL", ex);
}
}
}
}
return null;
}
/**
* Updates the CRL under the DN in the directory server.
* It retrieves the CRL distribution points from the parameter
* IssuingDistributionPointExtension idpExt.
*
* @param idpExt
*/
return null;
}
if (debug.messageEnabled()) {
}
try {
} catch (Exception e) {
}
}
return crl;
}
if (debug.messageEnabled()) {
}
int idx = 0;
do {
int proto_pos;
continue;
}
}
}
}
if (debug.messageEnabled()) {
}
return Crls;
}
/**
* Replaces the attribute value under the DN.
* It is used to replace the old CRL with the new one.
*
* @param ldc
* @param dn
* @param crls
*/
try {
} catch (LdapException e) {
}
}
/**
* Checks the URI's protocol.
* The protocol has to be http(s) or ldap.
* Based on the detected protocol, it fetches the new CRL by invoking
* getCRLByLdapURI() or getCRLByHttpURI().
*
* @param uri
*/
if (debug.messageEnabled()) {
}
return null;
}
return getCRLByHttpURI(uri);
return getCRLByLdapURI(uri);
}
return null;
}
/**
* Gets the new CRL from the LDAP server.
* If it is an ldap URI, the URI has to be a DN that can be accessed
* with an LDAP anonymous bind.
* This DN entry has to hold the CRL in the attribute certificaterevocationlist
* or certificaterevocationlist;binary.
*
* @param uri
*/
if (debug.messageEnabled()) {
}
try {
} catch (LocalizedIllegalArgumentException e) {
return null;
}
// Check ldap over SSL
try {
new SSLContextBuilder().getSSLContext()));
} catch (GeneralSecurityException e) {
return null;
}
} else { // non-ssl
}
return null;
}
if (results.isReference()) {
return null;
}
/*
* Retrieve the certificate revocation list if available.
*/
if (crlAttribute == null) {
if (crlAttribute == null) {
return null;
}
}
} catch (Exception e) {
}
return crl;
}
try {
if (uriParamsCRL != null) {
params = new StringBuffer();
while (st1.hasMoreTokens()) {
} else {
continue;
}
if (st1.hasMoreTokens()) {
}
}
}
// Prepare for both input and output
con.setDoInput(true);
// Turn off Caching
con.setUseCaches(false);
con.setDoOutput(true);
// Write the arguments as post data
}
}
// Input ...
int len;
byte[] buf = new byte[1024];
}
if (debug.messageEnabled()) {
}
} catch (Exception e) {
}
return crl;
}
// Returns the NextCRLUpdate for the currently cached CRL.
// It reads the CRL from the crlAttribute member variable.
return true;
}
// Check CRLNextUpdate in CRL
if (debug.messageEnabled()) {
}
}
/**
* Gets the new CRL from the LDAP server.
* If it is an ldap URI, the URI has to be a DN that can be accessed
* with an LDAP anonymous bind.
* This DN entry has to hold the CRL in the attribute certificaterevocationlist
* or certificaterevocationlist;binary.
* <p/>
* If attrNames contains only one value, the LDAP search filter will be
* (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)
* e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007'
* attrNames is 'CN', search filter used will be (CN=Citizen CA)
* <p/>
* If attrNames contains several values, the LDAP search filter value will be
* a comma-separated list of name attribute values, and the search attribute will be 'cn'
* (cn="attrNames[0]=Value_of_the_corresponding_Attribute_from_SubjectDN,
* attrNames[1]=Value_of_the_corresponding_Attribute_from_SubjectDN")
* <p/>
* e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007'
* attrNames is {"CN","serialNumber"}, search filter used will be
* (cn=CN=Citizen CA,serialNumber=201007)
* <p/>
* The order of the values in attrNames matters, as they must match the value of the
* 'cn' attribute of a crlDistributionPoint entry in the directory server.
*
* @param ldapParam
* @param cert
* @param attrNames attribute names taken from the subjectDN of the issuer cert
*/
public static X509CRL getCRL(AMLDAPCertStoreParameters ldapParam, X509Certificate cert, String... attrNames) {
try {
/*
* Get the CN of the input certificate
*/
// Retrieve attribute value of the attribute name
return crl;
}
} else {
if (searchFilterValue.isEmpty()) {
return crl;
}
}
if (debug.messageEnabled()) {
}
/*
* Lookup the certificate in the LDAP certificate directory
*/
}
} catch (Exception e) {
}
return crl;
}
}
}
}
return searchFilterBuilder.toString();
}
}