| /* |
| * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package sun.security.x509; |
| |
| import java.io.IOException; |
| import java.security.cert.CRLException; |
| import java.security.cert.CRLReason; |
| import java.security.cert.X509CRLEntry; |
| import java.math.BigInteger; |
| import java.util.*; |
| |
| import javax.security.auth.x500.X500Principal; |
| |
| import sun.security.util.*; |
| import sun.misc.HexDumpEncoder; |
| |
| /** |
| * <p>Abstract class for a revoked certificate in a CRL. |
| * This class is for each entry in the <code>revokedCertificates</code>, |
| * so it deals with the inner <em>SEQUENCE</em>. |
| * The ASN.1 definition for this is: |
| * <pre> |
| * revokedCertificates SEQUENCE OF SEQUENCE { |
| * userCertificate CertificateSerialNumber, |
| * revocationDate ChoiceOfTime, |
| * crlEntryExtensions Extensions OPTIONAL |
| * -- if present, must be v2 |
| * } OPTIONAL |
| * |
| * CertificateSerialNumber ::= INTEGER |
| * |
| * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
| * |
| * Extension ::= SEQUENCE { |
| * extnId OBJECT IDENTIFIER, |
| * critical BOOLEAN DEFAULT FALSE, |
| * extnValue OCTET STRING |
| * -- contains a DER encoding of a value |
| * -- of the type registered for use with |
| * -- the extnId object identifier value |
| * } |
| * </pre> |
| * |
| * @author Hemma Prafullchandra |
| */ |
| |
| public class X509CRLEntryImpl extends X509CRLEntry |
| implements Comparable<X509CRLEntryImpl> { |
| |
| private SerialNumber serialNumber = null; |
| private Date revocationDate = null; |
| private CRLExtensions extensions = null; |
| private byte[] revokedCert = null; |
| private X500Principal certIssuer; |
| |
| private final static boolean isExplicit = false; |
| private static final long YR_2050 = 2524636800000L; |
| |
| /** |
| * Constructs a revoked certificate entry using the given |
| * serial number and revocation date. |
| * |
| * @param num the serial number of the revoked certificate. |
| * @param date the Date on which revocation took place. |
| */ |
| public X509CRLEntryImpl(BigInteger num, Date date) { |
| this.serialNumber = new SerialNumber(num); |
| this.revocationDate = date; |
| } |
| |
| /** |
| * Constructs a revoked certificate entry using the given |
| * serial number, revocation date and the entry |
| * extensions. |
| * |
| * @param num the serial number of the revoked certificate. |
| * @param date the Date on which revocation took place. |
| * @param crlEntryExts the extensions for this entry. |
| */ |
| public X509CRLEntryImpl(BigInteger num, Date date, |
| CRLExtensions crlEntryExts) { |
| this.serialNumber = new SerialNumber(num); |
| this.revocationDate = date; |
| this.extensions = crlEntryExts; |
| } |
| |
| /** |
| * Unmarshals a revoked certificate from its encoded form. |
| * |
| * @param revokedCert the encoded bytes. |
| * @exception CRLException on parsing errors. |
| */ |
| public X509CRLEntryImpl(byte[] revokedCert) throws CRLException { |
| try { |
| parse(new DerValue(revokedCert)); |
| } catch (IOException e) { |
| this.revokedCert = null; |
| throw new CRLException("Parsing error: " + e.toString()); |
| } |
| } |
| |
| /** |
| * Unmarshals a revoked certificate from its encoded form. |
| * |
| * @param derVal the DER value containing the revoked certificate. |
| * @exception CRLException on parsing errors. |
| */ |
| public X509CRLEntryImpl(DerValue derValue) throws CRLException { |
| try { |
| parse(derValue); |
| } catch (IOException e) { |
| revokedCert = null; |
| throw new CRLException("Parsing error: " + e.toString()); |
| } |
| } |
| |
| /** |
| * Returns true if this revoked certificate entry has |
| * extensions, otherwise false. |
| * |
| * @return true if this CRL entry has extensions, otherwise |
| * false. |
| */ |
| public boolean hasExtensions() { |
| return (extensions != null); |
| } |
| |
| /** |
| * Encodes the revoked certificate to an output stream. |
| * |
| * @param outStrm an output stream to which the encoded revoked |
| * certificate is written. |
| * @exception CRLException on encoding errors. |
| */ |
| public void encode(DerOutputStream outStrm) throws CRLException { |
| try { |
| if (revokedCert == null) { |
| DerOutputStream tmp = new DerOutputStream(); |
| // sequence { serialNumber, revocationDate, extensions } |
| serialNumber.encode(tmp); |
| |
| if (revocationDate.getTime() < YR_2050) { |
| tmp.putUTCTime(revocationDate); |
| } else { |
| tmp.putGeneralizedTime(revocationDate); |
| } |
| |
| if (extensions != null) |
| extensions.encode(tmp, isExplicit); |
| |
| DerOutputStream seq = new DerOutputStream(); |
| seq.write(DerValue.tag_Sequence, tmp); |
| |
| revokedCert = seq.toByteArray(); |
| } |
| outStrm.write(revokedCert); |
| } catch (IOException e) { |
| throw new CRLException("Encoding error: " + e.toString()); |
| } |
| } |
| |
| /** |
| * Returns the ASN.1 DER-encoded form of this CRL Entry, |
| * which corresponds to the inner SEQUENCE. |
| * |
| * @exception CRLException if an encoding error occurs. |
| */ |
| public byte[] getEncoded() throws CRLException { |
| return getEncoded0().clone(); |
| } |
| |
| // Called internally to avoid clone |
| private byte[] getEncoded0() throws CRLException { |
| if (revokedCert == null) |
| this.encode(new DerOutputStream()); |
| return revokedCert; |
| } |
| |
| @Override |
| public X500Principal getCertificateIssuer() { |
| return certIssuer; |
| } |
| |
| void setCertificateIssuer(X500Principal crlIssuer, X500Principal certIssuer) { |
| if (crlIssuer.equals(certIssuer)) { |
| this.certIssuer = null; |
| } else { |
| this.certIssuer = certIssuer; |
| } |
| } |
| |
| /** |
| * Gets the serial number from this X509CRLEntry, |
| * i.e. the <em>userCertificate</em>. |
| * |
| * @return the serial number. |
| */ |
| public BigInteger getSerialNumber() { |
| return serialNumber.getNumber(); |
| } |
| |
| /** |
| * Gets the revocation date from this X509CRLEntry, |
| * the <em>revocationDate</em>. |
| * |
| * @return the revocation date. |
| */ |
| public Date getRevocationDate() { |
| return new Date(revocationDate.getTime()); |
| } |
| |
| /** |
| * This method is the overridden implementation of the getRevocationReason |
| * method in X509CRLEntry. It is better performance-wise since it returns |
| * cached values. |
| */ |
| @Override |
| public CRLReason getRevocationReason() { |
| Extension ext = getExtension(PKIXExtensions.ReasonCode_Id); |
| if (ext == null) { |
| return null; |
| } |
| CRLReasonCodeExtension rcExt = (CRLReasonCodeExtension) ext; |
| return rcExt.getReasonCode(); |
| } |
| |
| /** |
| * This static method is the default implementation of the |
| * getRevocationReason method in X509CRLEntry. |
| */ |
| public static CRLReason getRevocationReason(X509CRLEntry crlEntry) { |
| try { |
| byte[] ext = crlEntry.getExtensionValue("2.5.29.21"); |
| if (ext == null) { |
| return null; |
| } |
| DerValue val = new DerValue(ext); |
| byte[] data = val.getOctetString(); |
| |
| CRLReasonCodeExtension rcExt = |
| new CRLReasonCodeExtension(Boolean.FALSE, data); |
| return rcExt.getReasonCode(); |
| } catch (IOException ioe) { |
| return null; |
| } |
| } |
| |
| /** |
| * get Reason Code from CRL entry. |
| * |
| * @returns Integer or null, if no such extension |
| * @throws IOException on error |
| */ |
| public Integer getReasonCode() throws IOException { |
| Object obj = getExtension(PKIXExtensions.ReasonCode_Id); |
| if (obj == null) |
| return null; |
| CRLReasonCodeExtension reasonCode = (CRLReasonCodeExtension)obj; |
| return reasonCode.get(CRLReasonCodeExtension.REASON); |
| } |
| |
| /** |
| * Returns a printable string of this revoked certificate. |
| * |
| * @return value of this revoked certificate in a printable form. |
| */ |
| @Override |
| public String toString() { |
| StringBuilder sb = new StringBuilder(); |
| |
| sb.append(serialNumber.toString()); |
| sb.append(" On: " + revocationDate.toString()); |
| if (certIssuer != null) { |
| sb.append("\n Certificate issuer: " + certIssuer); |
| } |
| if (extensions != null) { |
| Collection<Extension> allEntryExts = extensions.getAllExtensions(); |
| Extension[] exts = allEntryExts.toArray(new Extension[0]); |
| |
| sb.append("\n CRL Entry Extensions: " + exts.length); |
| for (int i = 0; i < exts.length; i++) { |
| sb.append("\n [" + (i+1) + "]: "); |
| Extension ext = exts[i]; |
| try { |
| if (OIDMap.getClass(ext.getExtensionId()) == null) { |
| sb.append(ext.toString()); |
| byte[] extValue = ext.getExtensionValue(); |
| if (extValue != null) { |
| DerOutputStream out = new DerOutputStream(); |
| out.putOctetString(extValue); |
| extValue = out.toByteArray(); |
| HexDumpEncoder enc = new HexDumpEncoder(); |
| sb.append("Extension unknown: " |
| + "DER encoded OCTET string =\n" |
| + enc.encodeBuffer(extValue) + "\n"); |
| } |
| } else |
| sb.append(ext.toString()); //sub-class exists |
| } catch (Exception e) { |
| sb.append(", Error parsing this extension"); |
| } |
| } |
| } |
| sb.append("\n"); |
| return sb.toString(); |
| } |
| |
| /** |
| * Return true if a critical extension is found that is |
| * not supported, otherwise return false. |
| */ |
| public boolean hasUnsupportedCriticalExtension() { |
| if (extensions == null) |
| return false; |
| return extensions.hasUnsupportedCriticalExtension(); |
| } |
| |
| /** |
| * Gets a Set of the extension(s) marked CRITICAL in this |
| * X509CRLEntry. In the returned set, each extension is |
| * represented by its OID string. |
| * |
| * @return a set of the extension oid strings in the |
| * Object that are marked critical. |
| */ |
| public Set<String> getCriticalExtensionOIDs() { |
| if (extensions == null) { |
| return null; |
| } |
| Set<String> extSet = new TreeSet<>(); |
| for (Extension ex : extensions.getAllExtensions()) { |
| if (ex.isCritical()) { |
| extSet.add(ex.getExtensionId().toString()); |
| } |
| } |
| return extSet; |
| } |
| |
| /** |
| * Gets a Set of the extension(s) marked NON-CRITICAL in this |
| * X509CRLEntry. In the returned set, each extension is |
| * represented by its OID string. |
| * |
| * @return a set of the extension oid strings in the |
| * Object that are marked critical. |
| */ |
| public Set<String> getNonCriticalExtensionOIDs() { |
| if (extensions == null) { |
| return null; |
| } |
| Set<String> extSet = new TreeSet<>(); |
| for (Extension ex : extensions.getAllExtensions()) { |
| if (!ex.isCritical()) { |
| extSet.add(ex.getExtensionId().toString()); |
| } |
| } |
| return extSet; |
| } |
| |
| /** |
| * Gets the DER encoded OCTET string for the extension value |
| * (<em>extnValue</em>) identified by the passed in oid String. |
| * The <code>oid</code> string is |
| * represented by a set of positive whole number separated |
| * by ".", that means,<br> |
| * <positive whole number>.<positive whole number>.<positive |
| * whole number>.<...> |
| * |
| * @param oid the Object Identifier value for the extension. |
| * @return the DER encoded octet string of the extension value. |
| */ |
| public byte[] getExtensionValue(String oid) { |
| if (extensions == null) |
| return null; |
| try { |
| String extAlias = OIDMap.getName(new ObjectIdentifier(oid)); |
| Extension crlExt = null; |
| |
| if (extAlias == null) { // may be unknown |
| ObjectIdentifier findOID = new ObjectIdentifier(oid); |
| Extension ex = null; |
| ObjectIdentifier inCertOID; |
| for (Enumeration<Extension> e = extensions.getElements(); |
| e.hasMoreElements();) { |
| ex = e.nextElement(); |
| inCertOID = ex.getExtensionId(); |
| if (inCertOID.equals((Object)findOID)) { |
| crlExt = ex; |
| break; |
| } |
| } |
| } else |
| crlExt = extensions.get(extAlias); |
| if (crlExt == null) |
| return null; |
| byte[] extData = crlExt.getExtensionValue(); |
| if (extData == null) |
| return null; |
| |
| DerOutputStream out = new DerOutputStream(); |
| out.putOctetString(extData); |
| return out.toByteArray(); |
| } catch (Exception e) { |
| return null; |
| } |
| } |
| |
| /** |
| * get an extension |
| * |
| * @param oid ObjectIdentifier of extension desired |
| * @returns Extension of type <extension> or null, if not found |
| */ |
| public Extension getExtension(ObjectIdentifier oid) { |
| if (extensions == null) |
| return null; |
| |
| // following returns null if no such OID in map |
| //XXX consider cloning this |
| return extensions.get(OIDMap.getName(oid)); |
| } |
| |
| private void parse(DerValue derVal) |
| throws CRLException, IOException { |
| |
| if (derVal.tag != DerValue.tag_Sequence) { |
| throw new CRLException("Invalid encoded RevokedCertificate, " + |
| "starting sequence tag missing."); |
| } |
| if (derVal.data.available() == 0) |
| throw new CRLException("No data encoded for RevokedCertificates"); |
| |
| revokedCert = derVal.toByteArray(); |
| // serial number |
| DerInputStream in = derVal.toDerInputStream(); |
| DerValue val = in.getDerValue(); |
| this.serialNumber = new SerialNumber(val); |
| |
| // revocationDate |
| int nextByte = derVal.data.peekByte(); |
| if ((byte)nextByte == DerValue.tag_UtcTime) { |
| this.revocationDate = derVal.data.getUTCTime(); |
| } else if ((byte)nextByte == DerValue.tag_GeneralizedTime) { |
| this.revocationDate = derVal.data.getGeneralizedTime(); |
| } else |
| throw new CRLException("Invalid encoding for revocation date"); |
| |
| if (derVal.data.available() == 0) |
| return; // no extensions |
| |
| // crlEntryExtensions |
| this.extensions = new CRLExtensions(derVal.toDerInputStream()); |
| } |
| |
| /** |
| * Utility method to convert an arbitrary instance of X509CRLEntry |
| * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses |
| * the encoding. |
| */ |
| public static X509CRLEntryImpl toImpl(X509CRLEntry entry) |
| throws CRLException { |
| if (entry instanceof X509CRLEntryImpl) { |
| return (X509CRLEntryImpl)entry; |
| } else { |
| return new X509CRLEntryImpl(entry.getEncoded()); |
| } |
| } |
| |
| /** |
| * Returns the CertificateIssuerExtension |
| * |
| * @return the CertificateIssuerExtension, or null if it does not exist |
| */ |
| CertificateIssuerExtension getCertificateIssuerExtension() { |
| return (CertificateIssuerExtension) |
| getExtension(PKIXExtensions.CertificateIssuer_Id); |
| } |
| |
| /** |
| * Returns all extensions for this entry in a map |
| * @return the extension map, can be empty, but not null |
| */ |
| public Map<String, java.security.cert.Extension> getExtensions() { |
| if (extensions == null) { |
| return Collections.emptyMap(); |
| } |
| Collection<Extension> exts = extensions.getAllExtensions(); |
| Map<String, java.security.cert.Extension> map = new TreeMap<>(); |
| for (Extension ext : exts) { |
| map.put(ext.getId(), ext); |
| } |
| return map; |
| } |
| |
| @Override |
| public int compareTo(X509CRLEntryImpl that) { |
| int compSerial = getSerialNumber().compareTo(that.getSerialNumber()); |
| if (compSerial != 0) { |
| return compSerial; |
| } |
| try { |
| byte[] thisEncoded = this.getEncoded0(); |
| byte[] thatEncoded = that.getEncoded0(); |
| for (int i=0; i<thisEncoded.length && i<thatEncoded.length; i++) { |
| int a = thisEncoded[i] & 0xff; |
| int b = thatEncoded[i] & 0xff; |
| if (a != b) return a-b; |
| } |
| return thisEncoded.length -thatEncoded.length; |
| } catch (CRLException ce) { |
| return -1; |
| } |
| } |
| } |