 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any

 * CrlRevocationChecker is a <code>PKIXCertPathChecker</code> that checks
 * revocation status information on a PKIX certificate using CRLs obtained
 * from one or more <code>CertStores</code>. This is based on section 6.3
 * @author Seth Proctor
 * @author Steve Hanna

{
false,
false,
false,
false,
false,
false,
true };

{
true,
true,
true,
true,
true,
true,
true,
true,
true};

// Maximum clock skew in milliseconds (15 minutes) allowed when checking

 * Creates a <code>CrlRevocationChecker</code>.
 * @param anchor anchor selected to validate the target certificate
 * @param params <code>PKIXParameters</code> to be used for
 *     finding certificates and CRLs, etc.

 * Creates a <code>CrlRevocationChecker</code>, allowing
 * extra certificates to be supplied beyond those contained
 * in the <code>PKIXParameters</code>.
 * @param anchor anchor selected to validate the target certificate
 * @param params <code>PKIXParameters</code> to be used for
 *     finding certificates and CRLs, etc.
 * @param certs a <code>Collection</code> of certificates
 *     that may be useful, beyond those available
 *     through <code>params</code> (<code>null</code>

// should never occur but not necessarily fatal, so log it,
// ignore and continue
"error creating Collection CertStore: " + e);

 * Initializes the internal state of the checker from parameters
 * specified in the constructor

 * Performs the revocation status check on the certificate using
 * its internal state.
 * @param cert the Certificate
 * @param unresolvedCritExts a Collection of the unresolved critical
 * @exception CertPathValidatorException Exception thrown if
 *     certificate does not verify

// Make new public key if parameters are missing
// cKey needs to inherit DSA parameters from prev key

 * Performs the revocation status check on the certificate using
 * the provided state variables, as well as the constant internal
 * @param currCert the Certificate
 * @param prevKey the previous PublicKey in the chain
 * @param signFlag a boolean as returned from the last call, or true
 *     if this is the first cert in the chain
 * @return a boolean specifying if the cert is allowed to vouch for the
 *     validity of a CRL for the next iteration
 * @exception CertPathValidatorException Exception thrown if
 *     certificate does not verify.

 * Checks that a cert can be used to verify a CRL.
 * @param currCert an X509Certificate to check
 * @return a boolean specifying if the cert is allowed to vouch for the

// if the cert doesn't include the key usage ext, or
// the key usage ext asserts cRLSigning, return true,
// otherwise return false.

 * Internal method to start the verification of a cert

 * Internal method to start the verification of a cert
 * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s
 *     whose revocation status depends on the
 *     non-revoked status of this cert. To avoid
 *     circular dependencies, we assume they're
 *     revoked while checking the revocation
 *     status of this cert.
 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s

" ---checking " +
msg +
"...");

// reject circular dependencies - RFC 3280 is not explicit on how
// to handle this, so we feel it is safest to reject them until
// the issue is resolved in the PKIX WG.
" circular dependency");

// init the state for this run
// all CRLs returned by the DP Fetcher have also been verified
// Now that we have a list of possible CRLs, see which ones can
// make sure that we have at least one CRL that _could_ cover
// the certificate in question and all reasons are covered
// See if the cert is in the set of approved crls.
"starting the final sweep...");

 * Abort CRL validation and throw exception if there are any
 * unrecognized critical CRL entry extensions (see section
/* remove any that we will process */
+
"critical extension(s) in revoked CRL entry: "

 * We have a cert whose revocation status couldn't be verified by
 * a CRL issued by the cert that issued the CRL. See if we can
 * find a valid CRL issued by a separate key that can verify the
 * revocation status of this certificate.
 * Note that this does not provide support for indirect CRLs,
 * only CRLs signed with a different key (but the same issuer
 * name) as the certificate being checked.
 * @param currCert the <code>X509Certificate</code> to be checked
 * @param prevKey the <code>PublicKey</code> that failed
 * @param signFlag <code>true</code> if that key was trusted to sign CRLs
 * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s
 *     whose revocation status depends on the
 *     non-revoked status of this cert. To avoid
 *     circular dependencies, we assume they're
 *     revoked while checking the revocation
 *     status of this cert.
 * @throws CertPathValidatorException if the cert's revocation status
 *     cannot be verified successfully with another key

"CrlRevocationChecker.verifyWithSeparateSigningKey()" +
" ---checking " +
msg +
"...");

// reject circular dependencies - RFC 3280 is not explicit on how
// to handle this, so we feel it is safest to reject them until
// the issue is resolved in the PKIX WG.
"CrlRevocationChecker.verifyWithSeparateSigningKey()" +
" circular dependency");

// If prevKey wasn't trusted, maybe we just didn't have the right
// path to it. Don't rule that key out.
// Try to find another key that might be able to sign
// CRLs vouching for this cert.

 * Tries to find a CertPath that establishes a key that can be
 * used to verify the revocation status of a given certificate.
 * Ignores keys that have previously been tried. Throws a
 * CertPathValidatorException if no such key could be found.
 * @param currCert the <code>X509Certificate</code> to be checked
 * @param prevKey the <code>PublicKey</code> of the certificate whose key
 *     cannot be used to vouch for the CRL and should be ignored
 * @param stackedCerts a <code>Set</code> of <code>X509Certificate</code>s
 *     whose revocation status depends on the
 *     establishment of this path.
 * @throws CertPathValidatorException on failure

// Policy qualifiers must be rejected, since we don't have
// any way to convey them back to the application.
// It's unfortunate that there's no easy way to make a
// PKIXBuilderParameters object from a PKIXParameters
// object. This might miss some things if parameters
// are added in the future or the validatorParams object
// is a custom class derived from PKIXValidatorParameters.
// Policy qualifiers must be rejected, since we don't have
// any way to convey them back to the application.
// That's the default, so no need to write code.
// Skip revocation during this build to detect circular
// references. But check revocation afterwards, using the
// key (or any other that works).
// check for AuthorityInformationAccess extension
// ignore but log it
"error decoding cert: " +
ce);
" about to try build ...");
" about to check revocation ...");

// Now check revocation of all certs in path, assuming that
// the stackedCerts are revoked.
+
" index " + i +
" checking " +
cert);

// ignore it and try to get another key
// Now check revocation on the current cert using that key.
// If it doesn't check out, try to find a different key.
// And if we can't find a key, then return false.
// If that passed, the cert is OK!
// If it is revoked, rethrow exception
// Otherwise, ignore the exception and
// try to get another key.

 * This inner class extends the X509CertSelector to add an additional
 * check to make sure the subject public key isn't on a particular list.
 * This class is used by buildToNewKey() to make sure the builder doesn't
 * end up with a CertPath to a public key that has already been rejected.

 * Creates a new <code>RejectKeySelector</code>.
 * @param badPublicKeys a <code>Set</code> of
 *     <code>PublicKey</code>s that
 *     should be rejected (or <code>null</code>
 *     if no such check should be done)

 * Decides whether a <code>Certificate</code> should be selected.
 * @param cert the <code>Certificate</code> to be checked
 * @return <code>true</code> if the <code>Certificate</code> should be
 *     selected, <code>false</code> otherwise

 * Return a printable representation of the <code>CertSelector</code>.
 * @return a <code>String</code> describing the contents of the
 *     <code>CertSelector</code>

 * Internal method that verifies a set of possible_crls,
 * and sees if each is approved, based on the cert.
 * @param crls a set of possible CRLs to test for acceptability
 * @param cert the certificate whose revocation status is being checked
 * @param signFlag <code>true</code> if prevKey was trusted to sign CRLs
 * @param prevKey the public key of the issuer of cert
 * @param reasonsMask the reason code mask
 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
 * @return a collection of approved crls (or an empty collection)

"Checking CRLDPs for "

// assume a DP with reasons and CRLIssuer fields omitted
// and a DP name of the cert issuer.
// TODO add issuerAltName too