Class CertPathValidatorUtilitiesCanl
- java.lang.Object
-
- eu.emi.security.authn.x509.helpers.pkipath.bc.CertPathValidatorUtilitiesCanl
-
public class CertPathValidatorUtilitiesCanl extends Object
Exposes otherwise hidden methods fromCertPathValidatorUtilitiesCanl
plus in some cases fixes bugs plus produces errors in the desired format.- Author:
- K. Benedyczak
-
-
Field Summary
Fields Modifier and Type Field Description protected static String
ANY_POLICY
protected static String
AUTHORITY_KEY_IDENTIFIER
protected static String
BASIC_CONSTRAINTS
protected static String
CERTIFICATE_POLICIES
protected static String
CRL_DISTRIBUTION_POINTS
protected static String
CRL_NUMBER
protected static int
CRL_SIGN
protected static eu.emi.security.authn.x509.helpers.pkipath.bc.PKIXCRLUtil
CRL_UTIL
protected static String[]
crlReasons
protected static String
DELTA_CRL_INDICATOR
protected static String
FRESHEST_CRL
protected static String
INHIBIT_ANY_POLICY
protected static String
ISSUING_DISTRIBUTION_POINT
protected static int
KEY_CERT_SIGN
protected static String
KEY_USAGE
protected static String
NAME_CONSTRAINTS
protected static String
POLICY_CONSTRAINTS
protected static String
POLICY_MAPPINGS
protected static String
SUBJECT_ALTERNATIVE_NAME
-
Constructor Summary
Constructors Constructor Description CertPathValidatorUtilitiesCanl()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description protected static Collection
findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, List certStores)
Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.static Collection<?>
findIssuerCerts(X509Certificate cert, org.bouncycastle.jcajce.PKIXExtendedBuilderParameters pkixParams)
protected static TrustAnchor
findTrustAnchor(X509Certificate cert, Set trustAnchors)
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.protected static TrustAnchor
findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider)
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.static TrustAnchor
findTrustAnchorPublic(X509Certificate cert, Set<?> trustAnchors, String sigProvider)
protected static List<org.bouncycastle.jcajce.PKIXCRLStore>
getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, org.bouncycastle.jcajce.PKIXExtendedBuilderParameters pkixParams)
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier
getAlgorithmIdentifier(PublicKey key)
protected static void
getCertStatus(Date validDate, X509CRL crl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
protected static Set
getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
AsCertPathValidatorUtilities.getCompleteCRLs(DistributionPoint, Object, Date, PKIXExtendedParameters)
but it returns also expired CRLs.protected static Set<?>
getCompleteCRLs2(org.bouncycastle.asn1.x509.DistributionPoint dp, X509Certificate cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
protected static void
getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector)
Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of theselector
.protected static Set
getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
Fetches delta CRLs according to RFC 3280 section 5.2.4.protected static Set<X509CRL>
getDeltaCRLs2(Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, X509CRL completeCRL)
Fetches delta CRLs according to RFC 3280 section 5.2.4.protected static org.bouncycastle.asn1.ASN1Primitive
getExtensionValue(X509Extension ext, String oid)
protected static PublicKey
getNextWorkingKey(List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper)
Return the next working key inheriting DSA parameters if necessary.protected static Set
getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)
static BigInteger
getSerialNumber(Object cert)
protected static Date
getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, CertPath certPath, int index)
protected static Date
getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
protected static boolean
isAnyPolicy(Set policySet)
protected static boolean
isSelfIssued(X509Certificate cert)
protected static void
prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert)
protected static PKIXPolicyNode
prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)
protected static boolean
processCertD1i(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, Set pq)
protected static void
processCertD1ii(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, Set _pq)
protected static PKIXPolicyNode
removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)
protected static void
verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider)
-
-
-
Field Detail
-
CRL_UTIL
protected static final eu.emi.security.authn.x509.helpers.pkipath.bc.PKIXCRLUtil CRL_UTIL
-
CERTIFICATE_POLICIES
protected static final String CERTIFICATE_POLICIES
-
BASIC_CONSTRAINTS
protected static final String BASIC_CONSTRAINTS
-
POLICY_MAPPINGS
protected static final String POLICY_MAPPINGS
-
SUBJECT_ALTERNATIVE_NAME
protected static final String SUBJECT_ALTERNATIVE_NAME
-
NAME_CONSTRAINTS
protected static final String NAME_CONSTRAINTS
-
KEY_USAGE
protected static final String KEY_USAGE
-
INHIBIT_ANY_POLICY
protected static final String INHIBIT_ANY_POLICY
-
ISSUING_DISTRIBUTION_POINT
protected static final String ISSUING_DISTRIBUTION_POINT
-
DELTA_CRL_INDICATOR
protected static final String DELTA_CRL_INDICATOR
-
POLICY_CONSTRAINTS
protected static final String POLICY_CONSTRAINTS
-
FRESHEST_CRL
protected static final String FRESHEST_CRL
-
CRL_DISTRIBUTION_POINTS
protected static final String CRL_DISTRIBUTION_POINTS
-
AUTHORITY_KEY_IDENTIFIER
protected static final String AUTHORITY_KEY_IDENTIFIER
-
ANY_POLICY
protected static final String ANY_POLICY
- See Also:
- Constant Field Values
-
CRL_NUMBER
protected static final String CRL_NUMBER
-
KEY_CERT_SIGN
protected static final int KEY_CERT_SIGN
- See Also:
- Constant Field Values
-
CRL_SIGN
protected static final int CRL_SIGN
- See Also:
- Constant Field Values
-
crlReasons
protected static final String[] crlReasons
-
-
Method Detail
-
findTrustAnchorPublic
public static TrustAnchor findTrustAnchorPublic(X509Certificate cert, Set<?> trustAnchors, String sigProvider) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
findIssuerCerts
public static Collection<?> findIssuerCerts(X509Certificate cert, org.bouncycastle.jcajce.PKIXExtendedBuilderParameters pkixParams) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getCompleteCRLs2
protected static Set<?> getCompleteCRLs2(org.bouncycastle.asn1.x509.DistributionPoint dp, X509Certificate cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) throws SimpleValidationErrorException
- Throws:
SimpleValidationErrorException
-
getCompleteCRLs
protected static Set getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) throws org.bouncycastle.jce.provider.AnnotatedException
AsCertPathValidatorUtilities.getCompleteCRLs(DistributionPoint, Object, Date, PKIXExtendedParameters)
but it returns also expired CRLs.- Parameters:
dp
-cert
-currentDate
-paramsPKIX
-- Returns:
- A
Set
ofX509CRL
s. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getDeltaCRLs2
protected static Set<X509CRL> getDeltaCRLs2(Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, X509CRL completeCRL) throws SimpleValidationErrorException
Fetches delta CRLs according to RFC 3280 section 5.2.4.- Parameters:
currentDate
- The date for which the delta CRLs must be valid.paramsPKIX
- The extended PKIX parameters.completeCRL
- The complete CRL the delta CRL is for.- Returns:
- A
Set
ofX509CRL
s with delta CRLs. - Throws:
SimpleValidationErrorException
- if an exception occurs while picking the delta CRLs.
-
getExtensionValue
protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Extension ext, String oid) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getAdditionalStoresFromCRLDistributionPoint
protected static List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, org.bouncycastle.jcajce.PKIXExtendedBuilderParameters pkixParams) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getSerialNumber
public static BigInteger getSerialNumber(Object cert)
-
findTrustAnchor
protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.- Parameters:
cert
- the X509 certificatetrustAnchors
- a Set of TrustAnchor's- Returns:
- the
TrustAnchor
object if found ornull
if not. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
-
findTrustAnchor
protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if null.- Parameters:
cert
- the X509 certificatetrustAnchors
- a Set of TrustAnchor'ssigProvider
- the provider to use for signature verification- Returns:
- the
TrustAnchor
object if found ornull
if not. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
-
getValidDate
protected static Date getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
-
isSelfIssued
protected static boolean isSelfIssued(X509Certificate cert)
-
getAlgorithmIdentifier
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException
- Throws:
CertPathValidatorException
-
getQualifierSet
protected static final Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) throws CertPathValidatorException
- Throws:
CertPathValidatorException
-
removePolicyNode
protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)
-
processCertD1i
protected static boolean processCertD1i(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, Set pq)
-
processCertD1ii
protected static void processCertD1ii(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, Set _pq)
-
prepareNextCertB1
protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws org.bouncycastle.jce.provider.AnnotatedException, CertPathValidatorException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
CertPathValidatorException
-
prepareNextCertB2
protected static PKIXPolicyNode prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)
-
isAnyPolicy
protected static boolean isAnyPolicy(Set policySet)
-
findCertificates
protected static Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, List certStores) throws org.bouncycastle.jce.provider.AnnotatedException
Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.- Parameters:
certSelect
- aSelector
object that will be used to select the certificatescertStores
- a List containing onlyStore
objects. These are used to search for certificates.- Returns:
- a Collection of all found
X509Certificate
May be empty but nevernull
. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- annotated exception
-
getCRLIssuersFromDistributionPoint
protected static void getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector) throws org.bouncycastle.jce.provider.AnnotatedException
Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of theselector
.The
issuerPrincipals
are a collection with a singleX500Name
forX509Certificate
s.- Parameters:
dp
- The distribution point.issuerPrincipals
- The issuers of the certificate or attribute certificate which contains the distribution point.selector
- The CRL selector.- Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an exception occurs while processing.ClassCastException
- ifissuerPrincipals
does not contain onlyX500Name
s.
-
getCertStatus
protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getDeltaCRLs
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores) throws org.bouncycastle.jce.provider.AnnotatedException
Fetches delta CRLs according to RFC 3280 section 5.2.4.- Parameters:
validityDate
- The date for which the delta CRLs must be valid.completeCRL
- The complete CRL the delta CRL is for.certStores
- aList
of certificate storespkixCrlStores
- aList
of CRL stores- Returns:
- A
Set
ofX509CRL
s with delta CRLs. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an exception occurs while picking the delta CRLs.
-
getValidCertDateFromValidityModel
protected static Date getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, CertPath certPath, int index) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getNextWorkingKey
protected static PublicKey getNextWorkingKey(List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws CertPathValidatorException
Return the next working key inheriting DSA parameters if necessary.This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned
PublicKey
. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.
- Parameters:
certs
- The certification path.index
- The index of the certificate which contains the public key which should be extended with DSA parameters.helper
- JcaJce helper- Returns:
- The public key of the certificate in list position
index
extended with DSA parameters if applicable. - Throws:
CertPathValidatorException
- if DSA parameters cannot be inherited.
-
verifyX509Certificate
protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
-