Java example source code file (DistributionPointFetcher.java)
The DistributionPointFetcher.java Java example source code
/*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.io.*;
import java.net.URI;
import java.security.*;
import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import java.util.*;
import sun.security.util.Debug;
import sun.security.util.DerOutputStream;
import static sun.security.x509.PKIXExtensions.*;
import sun.security.x509.*;
/**
* Class to obtain CRLs via the CRLDistributionPoints extension.
* Note that the functionality of this class must be explicitly enabled
* via a system property, see the USE_CRLDP variable below.
*
* This class uses the URICertStore class to fetch CRLs. The URICertStore
* class also implements CRL caching: see the class description for more
* information.
*
* @author Andreas Sterbenz
* @author Sean Mullan
* @since 1.4.2
*/
public class DistributionPointFetcher {
private static final Debug debug = Debug.getInstance("certpath");
private static final boolean[] ALL_REASONS =
{true, true, true, true, true, true, true, true, true};
/**
* Private instantiation only.
*/
private DistributionPointFetcher() {}
/**
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag,
PublicKey prevKey,
String provider,
List<CertStore> certStores,
boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors,
Date validity)
throws CertStoreException
{
return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
reasonsMask, trustAnchors, validity);
}
/**
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag,
PublicKey prevKey,
X509Certificate prevCert,
String provider,
List<CertStore> certStores,
boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors,
Date validity)
throws CertStoreException
{
X509Certificate cert = selector.getCertificateChecking();
if (cert == null) {
return Collections.emptySet();
}
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
if (debug != null) {
debug.println("DistributionPointFetcher.getCRLs: Checking "
+ "CRLDPs for " + certImpl.getSubjectX500Principal());
}
CRLDistributionPointsExtension ext =
certImpl.getCRLDistributionPointsExtension();
if (ext == null) {
if (debug != null) {
debug.println("No CRLDP ext");
}
return Collections.emptySet();
}
List<DistributionPoint> points =
ext.get(CRLDistributionPointsExtension.POINTS);
Set<X509CRL> results = new HashSet<>();
for (Iterator<DistributionPoint> t = points.iterator();
t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) {
DistributionPoint point = t.next();
Collection<X509CRL> crls = getCRLs(selector, certImpl,
point, reasonsMask, signFlag, prevKey, prevCert, provider,
certStores, trustAnchors, validity);
results.addAll(crls);
}
if (debug != null) {
debug.println("Returning " + results.size() + " CRLs");
}
return results;
} catch (CertificateException | IOException e) {
return Collections.emptySet();
}
}
/**
* Download CRLs from the given distribution point, verify and return them.
* See the top of the class for current limitations.
*
* @throws CertStoreException if there is an error retrieving the CRLs
* from one of the GeneralNames and no other CRLs are retrieved from
* the other GeneralNames. If more than one GeneralName throws an
* exception then the one from the last GeneralName is thrown.
*/
private static Collection<X509CRL> getCRLs(X509CRLSelector selector,
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
boolean signFlag, PublicKey prevKey, X509Certificate prevCert,
String provider, List<CertStore> certStores,
Set<TrustAnchor> trustAnchors, Date validity)
throws CertStoreException {
// check for full name
GeneralNames fullName = point.getFullName();
if (fullName == null) {
// check for relative name
RDN relativeName = point.getRelativeName();
if (relativeName == null) {
return Collections.emptySet();
}
try {
GeneralNames crlIssuers = point.getCRLIssuer();
if (crlIssuers == null) {
fullName = getFullNames
((X500Name) certImpl.getIssuerDN(), relativeName);
} else {
// should only be one CRL Issuer
if (crlIssuers.size() != 1) {
return Collections.emptySet();
} else {
fullName = getFullNames
((X500Name) crlIssuers.get(0).getName(), relativeName);
}
}
} catch (IOException ioe) {
return Collections.emptySet();
}
}
Collection<X509CRL> possibleCRLs = new ArrayList<>();
CertStoreException savedCSE = null;
for (Iterator<GeneralName> t = fullName.iterator(); t.hasNext(); ) {
try {
GeneralName name = t.next();
if (name.getType() == GeneralNameInterface.NAME_DIRECTORY) {
X500Name x500Name = (X500Name) name.getName();
possibleCRLs.addAll(
getCRLs(x500Name, certImpl.getIssuerX500Principal(),
certStores));
} else if (name.getType() == GeneralNameInterface.NAME_URI) {
URIName uriName = (URIName)name.getName();
X509CRL crl = getCRL(uriName);
if (crl != null) {
possibleCRLs.add(crl);
}
}
} catch (CertStoreException cse) {
savedCSE = cse;
}
}
// only throw CertStoreException if no CRLs are retrieved
if (possibleCRLs.isEmpty() && savedCSE != null) {
throw savedCSE;
}
Collection<X509CRL> crls = new ArrayList<>(2);
for (X509CRL crl : possibleCRLs) {
try {
// make sure issuer is not set
// we check the issuer in verifyCRLs method
selector.setIssuerNames(null);
if (selector.match(crl) && verifyCRL(certImpl, point, crl,
reasonsMask, signFlag, prevKey, prevCert, provider,
trustAnchors, certStores, validity)) {
crls.add(crl);
}
} catch (IOException | CRLException e) {
// don't add the CRL
if (debug != null) {
debug.println("Exception verifying CRL: " + e.getMessage());
e.printStackTrace();
}
}
}
return crls;
}
/**
* Download CRL from given URI.
*/
private static X509CRL getCRL(URIName name) throws CertStoreException {
URI uri = name.getURI();
if (debug != null) {
debug.println("Trying to fetch CRL from DP " + uri);
}
CertStore ucs = null;
try {
ucs = URICertStore.getInstance
(new URICertStore.URICertStoreParameters(uri));
} catch (InvalidAlgorithmParameterException |
NoSuchAlgorithmException e) {
if (debug != null) {
debug.println("Can't create URICertStore: " + e.getMessage());
}
return null;
}
Collection<? extends CRL> crls = ucs.getCRLs(null);
if (crls.isEmpty()) {
return null;
} else {
return (X509CRL) crls.iterator().next();
}
}
/**
* Fetch CRLs from certStores.
*
* @throws CertStoreException if there is an error retrieving the CRLs from
* one of the CertStores and no other CRLs are retrieved from
* the other CertStores. If more than one CertStore throws an
* exception then the one from the last CertStore is thrown.
*/
private static Collection<X509CRL> getCRLs(X500Name name,
X500Principal certIssuer,
List<CertStore> certStores)
throws CertStoreException
{
if (debug != null) {
debug.println("Trying to fetch CRL from DP " + name);
}
X509CRLSelector xcs = new X509CRLSelector();
xcs.addIssuer(name.asX500Principal());
xcs.addIssuer(certIssuer);
Collection<X509CRL> crls = new ArrayList<>();
CertStoreException savedCSE = null;
for (CertStore store : certStores) {
try {
for (CRL crl : store.getCRLs(xcs)) {
crls.add((X509CRL)crl);
}
} catch (CertStoreException cse) {
if (debug != null) {
debug.println("Exception while retrieving " +
"CRLs: " + cse);
cse.printStackTrace();
}
savedCSE = new PKIX.CertStoreTypeException(store.getType(),cse);
}
}
// only throw CertStoreException if no CRLs are retrieved
if (crls.isEmpty() && savedCSE != null) {
throw savedCSE;
} else {
return crls;
}
}
/**
* Verifies a CRL for the given certificate's Distribution Point to
* ensure it is appropriate for checking the revocation status.
*
* @param certImpl the certificate whose revocation status is being checked
* @param point one of the distribution points of the certificate
* @param crl the CRL
* @param reasonsMask the interim reasons mask
* @param signFlag true if prevKey can be used to verify the CRL
* @param prevKey the public key that verifies the certificate's signature
* @param prevCert the certificate whose public key verifies
* {@code certImpl}'s signature
* @param provider the Signature provider to use
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
* @param certStores a {@code List} of {@code CertStore}s to be used in
* finding certificates and CRLs
* @param validity the time for which the validity of the CRL issuer's
* certification path should be determined
* @return true if ok, false if not
*/
static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
X509CRL crl, boolean[] reasonsMask, boolean signFlag,
PublicKey prevKey, X509Certificate prevCert, String provider,
Set<TrustAnchor> trustAnchors, List
Other Java examples (source code examples)Here is a short list of links related to this Java DistributionPointFetcher.java source code file: |
The search page
Other Java source code examples at this package level
Click here to learn more about this project
