/*
 * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * An implementation for X509 CRL (Certificate Revocation List).
 *
 * The X.509 v2 CRL format is described below in ASN.1:
 *
 * CertificateList  ::=  SEQUENCE  {
 *     tbsCertList          TBSCertList,
 *     signatureAlgorithm   AlgorithmIdentifier,
 *     signature            BIT STRING  }
 *
 * More information can be found in
 * Public Key Infrastructure Certificate and CRL Profile.
 *
 * The ASN.1 definition of <code>tbsCertList</code> is:
 *
 * TBSCertList  ::=  SEQUENCE  {
 *     version                 Version OPTIONAL,
 *                                  -- if present, must be v2
 *     signature               AlgorithmIdentifier,
 *     thisUpdate              ChoiceOfTime,
 *     nextUpdate              ChoiceOfTime OPTIONAL,
 *     revokedCertificates     SEQUENCE OF SEQUENCE  {
 *         userCertificate         CertificateSerialNumber,
 *         revocationDate          ChoiceOfTime,
 *         crlEntryExtensions      Extensions OPTIONAL
 *                                      -- if present, must be v2
 *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
 *                                  -- if present, must be v2
 *
 * @author Hemma Prafullchandra
 */

    // CRL data, and its envelope

    private static final long YR_2050 = 2524636800000L;
    /**
     * PublicKey that has previously been used to successfully verify
     * the signature of this CRL. Null if the CRL has not
     * yet been verified (successfully).
     */

    /**
     * If verifiedPublicKey is not null, name of the provider used to
     * successfully verify the signature of this CRL, or the
     * empty String if no provider was explicitly specified.
     */

    /**
     * Not to be used. As it would lead to cases of uninitialized
     */

    /**
     * Unmarshals an X.509 CRL from its encoded form, parsing the encoded
     * bytes. This form of constructor is used by agents which
     * need to examine and use CRL contents. Note that the buffer
     * must include only one CRL, and no "garbage" may be left at
     *
     * @param crlData the encoded bytes, with no trailing padding.
     * @exception CRLException on parsing errors.
     */

    /**
     * Unmarshals an X.509 CRL from a DER value.
     *
     * @param val a DER value holding at least one CRL
     * @exception CRLException on parsing errors.
     */

    /**
     * Unmarshals an X.509 CRL from an input stream. Only one CRL
     * is expected at the end of the input stream.
     *
     * @param inStrm an input stream holding at least one CRL
     * @exception CRLException on parsing errors.
     */

    /**
     * Initial CRL constructor, no revoked certs, and no extensions.
     *
     * @param issuer the name of the CA issuing this CRL.
     * @param thisUpdate the Date of this issue.
     * @param nextUpdate the Date of the next CRL.
     */

    /**
     * CRL constructor, revoked certs, no extensions.
     *
     * @param issuer the name of the CA issuing this CRL.
     * @param thisUpdate the Date of this issue.
     * @param nextUpdate the Date of the next CRL.
     * @param badCerts the array of CRL entries.
     */

    /**
     * CRL constructor, revoked certs and extensions.
     *
     * @param issuer the name of the CA issuing this CRL.
     * @param thisUpdate the Date of this issue.
     * @param nextUpdate the Date of the next CRL.
     * @param badCerts the array of CRL entries.
     * @param crlExts the CRL extensions.
     */
    /**
     * Returns the encoding as an uncloned byte array. Callers must
     * guarantee that they neither modify it nor expose it to untrusted
     */

    /**
     * Returns the ASN.1 DER encoded form of this CRL.
     *
     * @exception CRLException if an encoding error occurs.
     */

    /**
     * Encodes the "to-be-signed" CRL to the OutputStream.
     *
     * @param out the OutputStream to write to.
     * @exception CRLException on encoding errors.
     */

    /**
     * Verifies that this CRL was signed using the
     * private key that corresponds to the given public key.
     *
     * @param key the PublicKey used to carry out the verification.
     *
     * @exception NoSuchAlgorithmException on unsupported signature
     * @exception InvalidKeyException on incorrect key.
     * @exception NoSuchProviderException if there's no default provider.
     * @exception SignatureException on signature errors.
     * @exception CRLException on encoding errors.
     */

    /**
     * Verifies that this CRL was signed using the
     * private key that corresponds to the given public key,
     * and that the signature verification was computed by
     * the given provider.
     *
     * @param key the PublicKey used to carry out the verification.
     * @param sigProvider the name of the signature provider.
     *
     * @exception NoSuchAlgorithmException on unsupported signature
     * @exception InvalidKeyException on incorrect key.
     * @exception NoSuchProviderException on incorrect provider.
     * @exception SignatureException on signature errors.
     * @exception CRLException on encoding errors.
     */
            // this CRL has already been successfully verified using
            // this public key. Make sure providers match, too.

    /**
     * Encodes an X.509 CRL, and signs it using the given key.
     *
     * @param key the private key used for signing.
     * @param algorithm the name of the signature algorithm used.
     *
     * @exception NoSuchAlgorithmException on unsupported signature
     * @exception InvalidKeyException on incorrect key.
     * @exception NoSuchProviderException on incorrect provider.
     * @exception SignatureException on signature errors.
     * @exception CRLException if any mandatory data was omitted.
     */

    /**
     * Encodes an X.509 CRL, and signs it using the given key.
     *
     * @param key the private key used for signing.
     * @param algorithm the name of the signature algorithm used.
     * @param provider the name of the provider.
     *
     * @exception NoSuchAlgorithmException on unsupported signature
     * @exception InvalidKeyException on incorrect key.
     * @exception NoSuchProviderException on incorrect provider.
     * @exception SignatureException on signature errors.
     * @exception CRLException if any mandatory data was omitted.
     */
            // in case the name is reset
            // encode algorithm identifier
            // Create and encode the signature itself.
            // Wrap the signed data in a SEQUENCE { data, algorithm, sig }

    /**
     * Returns a printable string of this CRL.
     *
     * @return value of this CRL in a printable form.
     */
                + "DER encoded OCTET string =\n"

    /**
     * Checks whether the given certificate is on this CRL.
     *
     * @param cert the certificate to check for.
     * @return true if the given certificate is on this CRL,
     */

    /**
     * Gets the version number from this CRL.
     * The ASN.1 definition for this is:
     *
     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
     *             -- v3 does not apply to CRLs but appears for consistency
     *             -- with definition of Version for certs
     *
     * @return the version number, i.e. 1 or 2.
     */

    /**
     * Gets the issuer distinguished name from this CRL.
     * The issuer name identifies the entity who has signed (and
     * issued the CRL). The issuer name field contains an
     * X.500 distinguished name (DN).
     *
     * The ASN.1 definition for this is:
     *
     * Name ::= CHOICE { RDNSequence }
     *
     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
     *
     * RelativeDistinguishedName ::=
     *     SET OF AttributeValueAssertion
     *
     * AttributeValueAssertion ::= SEQUENCE {
     *
     * AttributeType ::= OBJECT IDENTIFIER
     *
     * AttributeValue ::= ANY
     *
     * The Name describes a hierarchical name composed of attributes,
     * such as country name, and corresponding values, such as US.
     * The type of the component AttributeValue is determined by the
     * AttributeType; in general it will be a directoryString.
     * A directoryString is usually one of PrintableString,
     * TeletexString or UniversalString.
     *
     * @return the issuer name.
     */

    /**
     * Return the issuer as X500Principal. Overrides method in X509CRL
     * to provide a slightly more efficient version.
     */

    /**
     * Gets the thisUpdate date from the CRL.
     * The ASN.1 definition for this is:
     *
     * @return the thisUpdate date from the CRL.
     */

    /**
     * Gets the nextUpdate date from the CRL.
     *
     * @return the nextUpdate date from the CRL, or null if
     */

    /**
     * Gets the CRL entry with the given serial number from this CRL.
     *
     * @return the entry with the given serial number, or <code>null</code> if
     * no such entry exists in the CRL.
     */
        // assume this is a direct CRL entry (cert and CRL issuer are the same)

    /**
     * Gets the CRL entry for the given certificate.
     */

    /**
     * Gets all the revoked certificates from the CRL.
     * A Set of X509CRLEntry.
     *
     * @return all the revoked certificates or <code>null</code> if there are
     */

    /**
     * Gets the DER encoded CRL information, the
     * <code>tbsCertList</code> from this CRL.
     * This can be used to verify the signature independently.
     *
     * @return the DER encoded CRL information.
     * @exception CRLException on encoding errors.
     */

    /**
     * Gets the raw Signature bits from the CRL.
     *
     * @return the signature.
     */

    /**
     * Gets the signature algorithm name for the CRL
     * signature algorithm. For example, the string "SHA1withDSA".
     * The ASN.1 definition for this is:
     *
     * AlgorithmIdentifier  ::=  SEQUENCE  {
     *     algorithm               OBJECT IDENTIFIER,
     *     parameters              ANY DEFINED BY algorithm OPTIONAL  }
     *                             -- contains a value of the type
     *                             -- registered for use with the
     *                             -- algorithm object identifier value
     *
     * @return the signature algorithm name.
     */

    /**
     * Gets the signature algorithm OID string from the CRL.
     * An OID is represented by a set of positive whole numbers separated
     * by ".", that means,<br>
     * <positive whole number>.<positive whole number>.<...>
     * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
     * with DSA signature algorithm defined in
     * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
     * and CRL Profile.
     *
     * @return the signature algorithm oid string.
     */

    /**
     * Gets the DER encoded signature algorithm parameters from this
     * CRL's signature algorithm. In most cases, the signature
     * algorithm parameters are null; the parameters are usually
     * supplied with the Public Key.
     *
     * @return the DER encoded signature algorithm parameters, or
     *         null if no parameters are present.
     */

    /**
     * Gets the signature AlgorithmId from the CRL.
     *
     * @return the signature AlgorithmId
     */

    /**
     * return the AuthorityKeyIdentifier, if any.
     *
     * @return AuthorityKeyIdentifier or null
     *         (if no AuthorityKeyIdentifierExtension)
     * @throws IOException on error
     */

    /**
     * return the AuthorityKeyIdentifierExtension, if any.
     *
     * @return AuthorityKeyIdentifierExtension or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the CRLNumberExtension, if any.
     *
     * @return CRLNumberExtension or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the CRL number from the CRLNumberExtension, if any.
     *
     * @return number or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the DeltaCRLIndicatorExtension, if any.
     *
     * @return DeltaCRLIndicatorExtension or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the base CRL number from the DeltaCRLIndicatorExtension, if any.
     *
     * @return number or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the IssuerAlternativeNameExtension, if any.
     *
     * @return IssuerAlternativeNameExtension or null (if no such extension)
     * @throws IOException on error
     */

    /**
     * return the IssuingDistributionPointExtension, if any.
     *
     * @return IssuingDistributionPointExtension or null
     *         (if no such extension)
     * @throws IOException on error
     */

    /**
     * Return true if a critical extension is found that is
     * not supported, otherwise return false.
     */

    /**
     * Gets a Set of the extension(s) marked CRITICAL in the
     * CRL. In the returned set, each extension is represented by
     *
     * @return a set of the extension oid strings in the
     * CRL that are marked critical.
     */

    /**
     * Gets a Set of the extension(s) marked NON-CRITICAL in the
     * CRL. In the returned set, each extension is represented by
     *
     * @return a set of the extension oid strings in the
     * CRL that are NOT marked critical.
     */

    /**
     * Gets the DER encoded OCTET string for the extension value
     * (<code>extnValue</code>) identified by the passed in oid String.
     * The <code>oid</code> string is
     * represented by a set of positive whole numbers separated
     * by ".", that means,<br>
     * <positive whole number>.<positive whole number>.<...>
     *
     * @param oid the Object Identifier value for the extension.
     * @return the der encoded octet string of the extension value.
     */

    /**
     * @param oid ObjectIdentifier of extension desired
     * @return Object of type <extension> or null, if not found
     * @throws IOException on error
     */
        // XXX Consider cloning this

    /**
     * Parses an X.509 CRL, should be used only by constructors.
     */
        // check if can overwrite the certificate
        // parse the information
        // version (optional if v1)
        // the "inner" and "outer" signature algorithms must match
        // check if UTCTime encoded or GeneralizedTime
            return;     // done parsing no more optional fields present
        // nextUpdate (optional)
        } // else it is not present
            return;     // done parsing no more optional fields present
        // revokedCertificates (optional)
            return;     // done parsing no extensions
        // crlExtensions (optional)

    /**
     * Extract the issuer X500Principal from an X509CRL. Parses the encoded
     * form of the CRL to preserve the principal's ASN.1 encoding.
     * Called by java.security.cert.X509CRL.getIssuerX500Principal().
     */
            // skip version number if present

    /**
     * Returns the encoding of the given certificate for internal use.
     * Callers must guarantee that they neither modify it nor expose it
     * to untrusted code. Uses getEncodedInternal() if the certificate
     * is an instance of X509CertImpl, getEncoded() otherwise.
     */

    /**
     * Utility method to convert an arbitrary instance of X509CRL
     * to a X509CRLImpl. Does a cast if possible, otherwise reparses
     */

    /**
     * Returns the X500 certificate issuer DN of a CRL entry.
     *
     * @param entry the entry to check
     * @param prevCertIssuer the previous entry's certificate issuer
     * @return the X500Principal in a CertificateIssuerExtension, or
     *         prevCertIssuer if it does not exist
     */

    /**
     * Immutable X.509 Certificate Issuer DN and serial number pair
     */

        /**
         * Create an X509IssuerSerial.
         *
         * @param issuer the issuer DN
         * @param serial the serial number
         */

        /**
         * Construct an X509IssuerSerial from an X509Certificate.
         */

        /**
         * Returns the issuer.
         *
         * @return the issuer
         */

        /**
         * Returns the serial number.
         *
         * @return the serial number
         */

        /**
         * Compares this X509IssuerSerial with another and returns true if they
         *
         * @param o the other object to compare with
         * @return true if equal, false otherwise
         */

        /**
         * Returns a hash code value for this X509IssuerSerial.
         *
         * @return the hash code value
         */
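The checks a relying party should run before trusting the answer of isRevoked()/getRevokedCertificate() documented above (signature against the issuer key, thisUpdate/nextUpdate freshness, unsupported critical extensions, delta CRL indicator), as an added example written against the public java.security.cert API; it is not code from this OpenJDK source file, and the three input file names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

public class CrlStatusCheck {
    // Input file names are assumptions for this example (DER or PEM encoded).
    static final String CA_FILE = "issuer-ca.cer", CRL_FILE = "issuer-ca.crl", LEAF_FILE = "subject.cer";

    // Returns the CRL entry for leaf, or null if it is not listed. Throws if the CRL must not be trusted.
    static X509CRLEntry checkRevocation(X509Certificate ca, X509CRL crl, X509Certificate leaf) throws Exception {
        // 1. Issuer binding: this example only accepts direct CRLs, i.e. CRL issuer == certificate issuer.
        if (!crl.getIssuerX500Principal().equals(leaf.getIssuerX500Principal())) {
            throw new SecurityException("CRL issuer does not match the certificate issuer");
        }
        // 2. Signature over tbsCertList: verify() throws SignatureException if it was not made by the CA key.
        crl.verify(ca.getPublicKey());
        // 3. Freshness: nextUpdate is OPTIONAL in TBSCertList, so it is enforced only when present.
        Date now = new Date(), next = crl.getNextUpdate();
        if (crl.getThisUpdate().after(now) || (next != null && next.before(now))) {
            throw new SecurityException("CRL not current: thisUpdate=" + crl.getThisUpdate() + " nextUpdate=" + next);
        }
        // 4. A critical extension the library does not understand means reject, never ignore.
        if (crl.hasUnsupportedCriticalExtension()) {
            throw new SecurityException("unsupported critical extension(s): " + crl.getCriticalExtensionOIDs());
        }
        // 5. Delta CRL indicator (id-ce 27): a delta CRL by itself does not list every revoked certificate.
        if (crl.getExtensionValue("2.5.29.27") != null) {
            throw new SecurityException("delta CRL: combine with its base CRL before deciding");
        }
        // 6. Only now ask the revocation question; lookup by certificate re-checks the issuer internally.
        return crl.getRevokedCertificate(leaf);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca, leaf; X509CRL crl;
        try (InputStream in = new FileInputStream(CA_FILE)) { ca = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(LEAF_FILE)) { leaf = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(CRL_FILE)) { crl = (X509CRL) cf.generateCRL(in); }
        X509CRLEntry entry = checkRevocation(ca, crl, leaf);
        if (entry == null) {
            System.out.println("not revoked as of " + crl.getThisUpdate() + " (" + crl.getSigAlgName() + ")");
        } else {
            // getRevocationReason() is null when the entry carries no reasonCode extension
            System.out.println("REVOKED on " + entry.getRevocationDate() + ", reason " + entry.getRevocationReason());
        }
    }
}
```

Any exception out of checkRevocation() means "status unknown", which a relying party must treat differently from "not revoked".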