Class RFC3280CertPathUtilitiesCanl


  • public class RFC3280CertPathUtilitiesCanl
    extends Object
    This class exposes the BC's JCA implementation of the RFC3280CertPathUtilities. It was done to: fix its bugs (only one or two, should be OK in BC 1.47) and to have errors consumable by the rest of this library (most of the code).
    Author:
    K. Benedyczak (modifications)
    • Field Detail

      • CERTIFICATE_POLICIES

        public static final String CERTIFICATE_POLICIES
      • POLICY_MAPPINGS

        public static final String POLICY_MAPPINGS
      • INHIBIT_ANY_POLICY

        public static final String INHIBIT_ANY_POLICY
      • ISSUING_DISTRIBUTION_POINT

        public static final String ISSUING_DISTRIBUTION_POINT
      • FRESHEST_CRL

        public static final String FRESHEST_CRL
      • DELTA_CRL_INDICATOR

        public static final String DELTA_CRL_INDICATOR
      • POLICY_CONSTRAINTS

        public static final String POLICY_CONSTRAINTS
      • BASIC_CONSTRAINTS

        public static final String BASIC_CONSTRAINTS
      • CRL_DISTRIBUTION_POINTS

        public static final String CRL_DISTRIBUTION_POINTS
      • SUBJECT_ALTERNATIVE_NAME

        public static final String SUBJECT_ALTERNATIVE_NAME
      • NAME_CONSTRAINTS

        public static final String NAME_CONSTRAINTS
      • AUTHORITY_KEY_IDENTIFIER

        public static final String AUTHORITY_KEY_IDENTIFIER
      • KEY_USAGE

        public static final String KEY_USAGE
      • CRL_NUMBER

        public static final String CRL_NUMBER
      • crlReasons

        protected static final String[] crlReasons
    • Constructor Detail

      • RFC3280CertPathUtilitiesCanl

        public RFC3280CertPathUtilitiesCanl()
    • Method Detail

      • checkCRLs2

        public static void checkCRLs2​(ExtPKIXParameters2 paramsPKIX,
                                      X509Certificate cert,
                                      Date validDate,
                                      X509Certificate sign,
                                      PublicKey workingPublicKey,
                                      List<?> certPathCerts,
                                      org.bouncycastle.jcajce.util.JcaJceHelper jcaHelper)
                               throws SimpleValidationErrorException
        Checks a certificate if it is revoked.
        Parameters:
        paramsPKIX - PKIX parameters.
        cert - Certificate to check if it is revoked.
        validDate - The date when the certificate revocation status should be checked.
        sign - The issuer certificate of the certificate cert.
        workingPublicKey - The public key of the issuer certificate sign.
        certPathCerts - The certificates of the certification path.
        jcaHelper - JcaJce helper
        Throws:
        SimpleValidationErrorException - if the certificate is revoked or the status cannot be checked or some error occurs.
      • processCRLB2

        protected static void processCRLB2​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                           Object cert,
                                           X509CRL crl)
                                    throws org.bouncycastle.jce.provider.AnnotatedException
        If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

        (i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

        (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

        (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

        (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

        Parameters:
        dp - The distribution point.
        cert - The certificate.
        crl - The CRL.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if one of the conditions is not met or an error occurs.
      • processCRLB1

        protected static void processCRLB1​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                           Object cert,
                                           X509CRL crl)
                                    throws org.bouncycastle.jce.provider.AnnotatedException
        If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.
        Parameters:
        dp - The distribution point.
        cert - The certificate ot attribute certificate.
        crl - The CRL for cert.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if one of the above conditions does not apply or an error occurs.
      • processCRLD

        protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask processCRLD​(X509CRL crl,
                                                                                               org.bouncycastle.asn1.x509.DistributionPoint dp)
                                                                                        throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLF

        protected static Set processCRLF​(X509CRL crl,
                                         Object cert,
                                         X509Certificate defaultCRLSignCert,
                                         PublicKey defaultCRLSignKey,
                                         org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                         List certPathCerts,
                                         org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                  throws org.bouncycastle.jce.provider.AnnotatedException
        Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
        Parameters:
        crl - CRL which contains revocation information for the certificate cert.
        cert - The attribute certificate or certificate to check if it is revoked.
        defaultCRLSignCert - The issuer certificate of the certificate cert.
        defaultCRLSignKey - The public key of the issuer certificate defaultCRLSignCert.
        paramsPKIX - paramsPKIX PKIX parameters.
        certPathCerts - The certificates on the certification path.
        helper - JcaJce helper
        Returns:
        A Set with all keys of possible CRL issuer certificates.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if the CRL is not valid or the status cannot be checked or some error occurs.
      • processCRLG

        protected static PublicKey processCRLG​(X509CRL crl,
                                               Set keys)
                                        throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLH

        protected static X509CRL processCRLH​(Set deltacrls,
                                             PublicKey key)
                                      throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLA1i

        protected static Set processCRLA1i​(Date currentDate,
                                           org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                           X509Certificate cert,
                                           X509CRL crl)
                                    throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLA1ii

        protected static Set[] processCRLA1ii​(Date currentDate,
                                              org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                              X509Certificate cert,
                                              X509CRL crl)
                                       throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLC

        protected static void processCRLC​(X509CRL deltaCRL,
                                          X509CRL completeCRL,
                                          org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        If use-deltas is set, verify the issuer and scope of the delta CRL.
        Parameters:
        deltaCRL - The delta CRL.
        completeCRL - The complete CRL.
        pkixParams - The PKIX paramaters.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs.
      • processCRLI

        protected static void processCRLI​(Date validDate,
                                          X509CRL deltacrl,
                                          Object cert,
                                          eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus,
                                          org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCRLJ

        protected static void processCRLJ​(Date validDate,
                                          X509CRL completecrl,
                                          Object cert,
                                          eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus)
                                   throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
      • processCertA

        protected static void processCertA​(CertPath certPath,
                                           org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                           int index,
                                           PublicKey workingPublicKey,
                                           boolean verificationAlreadyPerformed,
                                           org.bouncycastle.asn1.x500.X500Name workingIssuerName,
                                           X509Certificate sign,
                                           org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                    throws org.bouncycastle.jce.exception.ExtCertPathValidatorException
        Throws:
        org.bouncycastle.jce.exception.ExtCertPathValidatorException
      • checkCRLs

        protected static void checkCRLs​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                        X509Certificate cert,
                                        Date validDate,
                                        X509Certificate sign,
                                        PublicKey workingPublicKey,
                                        List certPathCerts,
                                        org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                 throws org.bouncycastle.jce.provider.AnnotatedException
        Checks a certificate if it is revoked.
        Parameters:
        paramsPKIX - PKIX parameters.
        cert - Certificate to check if it is revoked.
        validDate - The date when the certificate revocation status should be checked.
        sign - The issuer certificate of the certificate cert.
        workingPublicKey - The public key of the issuer certificate sign.
        certPathCerts - The certificates of the certification path.
        helper - JcaJce Helper
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if the certificate is revoked or the status cannot be checked or some error occurs.
      • prepareNextCertH1

        protected static int prepareNextCertH1​(CertPath certPath,
                                               int index,
                                               int explicitPolicy)
      • prepareNextCertH2

        protected static int prepareNextCertH2​(CertPath certPath,
                                               int index,
                                               int policyMapping)
      • prepareNextCertH3

        protected static int prepareNextCertH3​(CertPath certPath,
                                               int index,
                                               int inhibitAnyPolicy)
      • wrapupCertA

        protected static int wrapupCertA​(int explicitPolicy,
                                         X509Certificate cert)