Package eu.emi.security.authn.x509.helpers.pkipath.bc

Class RFC3280CertPathUtilitiesCanl

java.lang.Object
eu.emi.security.authn.x509.helpers.pkipath.bc.RFC3280CertPathUtilitiesCanl
public class RFC3280CertPathUtilitiesCanl extends Object
This class exposes the BC's JCA implementation of the RFC3280CertPathUtilities. It was done to: fix its bugs (only one or two, should be OK in BC 1.47) and to have errors consumable by the rest of this library (most of the code).
Author:
K. Benedyczak (modifications)

  • Field Details

    • CERTIFICATE_POLICIES

      public static final String CERTIFICATE_POLICIES

    • POLICY_MAPPINGS

      public static final String POLICY_MAPPINGS

    • INHIBIT_ANY_POLICY

      public static final String INHIBIT_ANY_POLICY

    • ISSUING_DISTRIBUTION_POINT

      public static final String ISSUING_DISTRIBUTION_POINT

    • FRESHEST_CRL

      public static final String FRESHEST_CRL

    • DELTA_CRL_INDICATOR

      public static final String DELTA_CRL_INDICATOR

    • POLICY_CONSTRAINTS

      public static final String POLICY_CONSTRAINTS

    • BASIC_CONSTRAINTS

      public static final String BASIC_CONSTRAINTS

    • CRL_DISTRIBUTION_POINTS

      public static final String CRL_DISTRIBUTION_POINTS

    • SUBJECT_ALTERNATIVE_NAME

      public static final String SUBJECT_ALTERNATIVE_NAME

    • NAME_CONSTRAINTS

      public static final String NAME_CONSTRAINTS

    • AUTHORITY_KEY_IDENTIFIER

      public static final String AUTHORITY_KEY_IDENTIFIER

    • KEY_USAGE

      public static final String KEY_USAGE

    • CRL_NUMBER

      public static final String CRL_NUMBER

    • ANY_POLICY

      public static final String ANY_POLICY
      See Also:

    • KEY_CERT_SIGN

      protected static final int KEY_CERT_SIGN
      See Also:

    • CRL_SIGN

      protected static final int CRL_SIGN
      See Also:

    • crlReasons

      protected static final String[] crlReasons

  • Constructor Details

    • RFC3280CertPathUtilitiesCanl

      public RFC3280CertPathUtilitiesCanl()

  • Method Details

    • checkCRLs2

      public static void checkCRLs2(ExtPKIXParameters2 paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List<?> certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper jcaHelper) throws SimpleValidationErrorException
      Checks a certificate if it is revoked.
      Parameters:
      paramsPKIX - PKIX parameters.
      cert - Certificate to check if it is revoked.
      validDate - The date when the certificate revocation status should be checked.
      sign - The issuer certificate of the certificate cert.
      workingPublicKey - The public key of the issuer certificate sign.
      certPathCerts - The certificates of the certification path.
      jcaHelper - JcaJce helper
      Throws:
      SimpleValidationErrorException - if the certificate is revoked or the status cannot be checked or some error occurs.

    • getCertStatus

      protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus) throws SimpleValidationErrorException
      Throws:
      SimpleValidationErrorException

    • processCRLB2

      protected static void processCRLB2(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, X509CRL crl) throws org.bouncycastle.jce.provider.AnnotatedException
      If the complete CRL includes an issuing distribution point (IDP) CRL extension check the following:

      (i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

      (ii) If the onlyContainsUserCerts boolean is asserted in the IDP CRL extension, verify that the certificate does not include the basic constraints extension with the cA boolean asserted.

      (iii) If the onlyContainsCACerts boolean is asserted in the IDP CRL extension, verify that the certificate includes the basic constraints extension with the cA boolean asserted.

      (iv) Verify that the onlyContainsAttributeCerts boolean is not asserted.

      Parameters:
      dp - The distribution point.
      cert - The certificate.
      crl - The CRL.
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException - if one of the conditions is not met or an error occurs.

    • processCRLB1

      protected static void processCRLB1(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, X509CRL crl) throws org.bouncycastle.jce.provider.AnnotatedException
      If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and that the complete CRL contains an issuing distribution point extension with the indirectCRL boolean asserted. Otherwise, verify that the CRL issuer matches the certificate issuer.
      Parameters:
      dp - The distribution point.
      cert - The certificate ot attribute certificate.
      crl - The CRL for cert.
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException - if one of the above conditions does not apply or an error occurs.

    • processCRLD

      protected static eu.emi.security.authn.x509.helpers.pkipath.bc.ReasonsMask processCRLD(X509CRL crl, org.bouncycastle.asn1.x509.DistributionPoint dp) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLF

      protected static Set processCRLF(X509CRL crl, Object cert, X509Certificate defaultCRLSignCert, PublicKey defaultCRLSignKey, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, List certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws org.bouncycastle.jce.provider.AnnotatedException
      Obtain and validate the certification path for the complete CRL issuer. If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.
      Parameters:
      crl - CRL which contains revocation information for the certificate cert.
      cert - The attribute certificate or certificate to check if it is revoked.
      defaultCRLSignCert - The issuer certificate of the certificate cert.
      defaultCRLSignKey - The public key of the issuer certificate defaultCRLSignCert.
      paramsPKIX - paramsPKIX PKIX parameters.
      certPathCerts - The certificates on the certification path.
      helper - JcaJce helper
      Returns:
      A Set with all keys of possible CRL issuer certificates.
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException - if the CRL is not valid or the status cannot be checked or some error occurs.

    • processCRLG

      protected static PublicKey processCRLG(X509CRL crl, Set keys) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLH

      protected static X509CRL processCRLH(Set deltacrls, PublicKey key) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLA1i

      protected static Set processCRLA1i(Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, X509Certificate cert, X509CRL crl) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLA1ii

      protected static Set[] processCRLA1ii(Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, X509Certificate cert, X509CRL crl) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLC

      protected static void processCRLC(X509CRL deltaCRL, X509CRL completeCRL, org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams) throws org.bouncycastle.jce.provider.AnnotatedException
      If use-deltas is set, verify the issuer and scope of the delta CRL.
      Parameters:
      deltaCRL - The delta CRL.
      completeCRL - The complete CRL.
      pkixParams - The PKIX paramaters.
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs.

    • processCRLI

      protected static void processCRLI(Date validDate, X509CRL deltacrl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus, org.bouncycastle.jcajce.PKIXExtendedParameters pkixParams) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • processCRLJ

      protected static void processCRLJ(Date validDate, X509CRL completecrl, Object cert, eu.emi.security.authn.x509.helpers.pkipath.bc.CertStatus certStatus) throws org.bouncycastle.jce.provider.AnnotatedException
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException

    • prepareCertB

      protected static PKIXPolicyNode prepareCertB(CertPath certPath, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, int policyMapping) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertA

      protected static void prepareNextCertA(CertPath certPath, int index) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • processCertF

      protected static void processCertF(CertPath certPath, int index, PKIXPolicyNode validPolicyTree, int explicitPolicy) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • processCertE

      protected static PKIXPolicyNode processCertE(CertPath certPath, int index, PKIXPolicyNode validPolicyTree) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • processCertBC

      protected static void processCertBC(CertPath certPath, int index, org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • processCertD

      protected static PKIXPolicyNode processCertD(CertPath certPath, int index, Set acceptablePolicies, PKIXPolicyNode validPolicyTree, List[] policyNodes, int inhibitAnyPolicy) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • processCertA

      protected static void processCertA(CertPath certPath, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, int index, PublicKey workingPublicKey, boolean verificationAlreadyPerformed, org.bouncycastle.asn1.x500.X500Name workingIssuerName, X509Certificate sign, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws org.bouncycastle.jce.exception.ExtCertPathValidatorException
      Throws:
      org.bouncycastle.jce.exception.ExtCertPathValidatorException

    • prepareNextCertI1

      protected static int prepareNextCertI1(CertPath certPath, int index, int explicitPolicy) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertI2

      protected static int prepareNextCertI2(CertPath certPath, int index, int policyMapping) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertG

      protected static void prepareNextCertG(CertPath certPath, int index, org.bouncycastle.jce.provider.PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • checkCRLs

      protected static void checkCRLs(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, List certPathCerts, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws org.bouncycastle.jce.provider.AnnotatedException
      Checks a certificate if it is revoked.
      Parameters:
      paramsPKIX - PKIX parameters.
      cert - Certificate to check if it is revoked.
      validDate - The date when the certificate revocation status should be checked.
      sign - The issuer certificate of the certificate cert.
      workingPublicKey - The public key of the issuer certificate sign.
      certPathCerts - The certificates of the certification path.
      helper - JcaJce Helper
      Throws:
      org.bouncycastle.jce.provider.AnnotatedException - if the certificate is revoked or the status cannot be checked or some error occurs.

    • prepareNextCertJ

      protected static int prepareNextCertJ(CertPath certPath, int index, int inhibitAnyPolicy) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertK

      protected static void prepareNextCertK(CertPath certPath, int index) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertL

      protected static int prepareNextCertL(CertPath certPath, int index, int maxPathLength) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertM

      protected static int prepareNextCertM(CertPath certPath, int index, int maxPathLength) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertN

      protected static void prepareNextCertN(CertPath certPath, int index) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertO

      protected static void prepareNextCertO(CertPath certPath, int index, Set criticalExtensions, List pathCheckers) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • prepareNextCertH1

      protected static int prepareNextCertH1(CertPath certPath, int index, int explicitPolicy)

    • prepareNextCertH2

      protected static int prepareNextCertH2(CertPath certPath, int index, int policyMapping)

    • prepareNextCertH3

      protected static int prepareNextCertH3(CertPath certPath, int index, int inhibitAnyPolicy)

    • wrapupCertA

      protected static int wrapupCertA(int explicitPolicy, X509Certificate cert)

    • wrapupCertB

      protected static int wrapupCertB(CertPath certPath, int index, int explicitPolicy) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • wrapupCertF

      protected static void wrapupCertF(CertPath certPath, int index, List pathCheckers, Set criticalExtensions) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • wrapupCertG

      protected static PKIXPolicyNode wrapupCertG(CertPath certPath, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, Set userInitialPolicySet, int index, List[] policyNodes, PKIXPolicyNode validPolicyTree, Set acceptablePolicies) throws CertPathValidatorException
      Throws:
      CertPathValidatorException