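/* X509CRL.java --- X.509 Certificate Revocation List
   Copyright (C) 1999, 2004 Free Software Foundation, Inc.

This file is part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU Classpath; see the file COPYING.  If not, write to the
Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version. */


package java.security.cert;

import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

/**
   The X509CRL class is the abstract class used to manage
   X.509 Certificate Revocation Lists.  The CRL is a list of
   time stamped entries which indicate which certificates have been
   revoked.  The list is signed by a Certificate Authority (CA)
   and made publicly available in a repository.

   Each revoked certificate in the CRL is identified by its
   certificate serial number.  When a piece of code uses a
   certificate, the certificate's validity is checked by
   validating its signature and determining that it is not
   on a recently acquired CRL.  What counts as a recently
   acquired CRL depends on the local policy in effect.  The CA
   issues a new CRL periodically and entries are removed as the
   certificate expiration date is reached.

   A description of the X.509 v2 CRL follows below from rfc2459.

   "The X.509 v2 CRL syntax is as follows.  For signature calculation,
   the data that is to be signed is ASN.1 DER encoded.  ASN.1 DER
   encoding is a tag, length, value encoding system for each element.

   CertificateList  ::=  SEQUENCE  {
        tbsCertList          TBSCertList,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   TBSCertList  ::=  SEQUENCE  {
        version                 Version OPTIONAL,
                                     -- if present, shall be v2
        signature               AlgorithmIdentifier,
        issuer                  Name,
        thisUpdate              Time,
        nextUpdate              Time OPTIONAL,
        revokedCertificates     SEQUENCE OF SEQUENCE  {
             userCertificate         CertificateSerialNumber,
             revocationDate          Time,
             crlEntryExtensions      Extensions OPTIONAL
                                           -- if present, shall be v2
                                  }  OPTIONAL,
        crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                           -- if present, shall be v2
                                  }"

   @author Mark Benvenuto

   @since 1.2
*/
public abstract class X509CRL extends CRL implements X509Extension
{

  /**
     Constructs a new X509CRL.  The CRL type reported by
     {@link CRL#getType()} is always "X.509".
  */
  protected X509CRL()
  {
    super("X.509");
  }

  /**
     Compares this X509CRL to another object.  Two CRLs are equal
     when the other object is also an X509CRL and the DER encoded
     forms returned by {@link #getEncoded()} are byte-for-byte
     identical.  A CRL whose encoding cannot be produced is never
     equal to anything.

     @param other An Object to test for equality

     @return true if equal, false otherwise
  */
  @Override
  public boolean equals(Object other)
  {
    if (other == this)
      return true;
    if (!(other instanceof X509CRL))
      return false;
    try
      {
        // Fetch each encoding once; Arrays.equals handles the length
        // check and a null on either side (null == null only).
        return Arrays.equals(getEncoded(), ((X509CRL) other).getEncoded());
      }
    catch (CRLException crle)
      {
        // An encoding failure means equality cannot be established.
        return false;
      }
  }

  /**
     Returns a hash code for this X509CRL derived from its encoded
     form, so that two CRLs that are {@link #equals(Object)} always
     hash alike.  If the encoding cannot be produced the hash code
     is 0.

     @return A hash code of this CRL's encoded form
  */
  @Override
  public int hashCode()
  {
    try
      {
        // Must agree with equals(), which compares the encoded bytes.
        return Arrays.hashCode(getEncoded());
      }
    catch (CRLException crle)
      {
        return 0;
      }
  }

  /**
     Gets the DER ASN.1 encoded format for this X.509 CRL.

     @return byte array containing the encoded form

     @throws CRLException if an encoding error occurs
  */
  public abstract byte[] getEncoded() throws CRLException;

  /**
     Verifies that this CRL was properly signed with the private key
     that corresponds to the given PublicKey.

     A successful return only shows that the signature checks under
     {@code key}.  Whether that key belongs to the expected issuer,
     and whether the list is still current (see {@link #getThisUpdate()}
     and {@link #getNextUpdate()}), must be decided by the caller.

     @param key PublicKey to verify with

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException no provider
     @throws SignatureException signature error
  */
  public abstract void verify(PublicKey key)
    throws CRLException,
           NoSuchAlgorithmException,
           InvalidKeyException,
           NoSuchProviderException,
           SignatureException;

  /**
     Verifies that this CRL was properly signed with the private key
     that corresponds to the given PublicKey, using the signature
     engine supplied by the named provider.

     As with {@link #verify(PublicKey)}, trust in {@code key} and the
     currency of the list are the caller's responsibility.

     @param key PublicKey to verify with
     @param sigProvider Provider to use for signature algorithm

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException incorrect provider
     @throws SignatureException signature error
  */
  public abstract void verify(PublicKey key,
                              String sigProvider)
    throws CRLException,
           NoSuchAlgorithmException,
           InvalidKeyException,
           NoSuchProviderException,
           SignatureException;

  /**
     Gets the version of this CRL.

     The ASN.1 encoding is:

     version                 Version OPTIONAL,
                                  -- if present, shall be v2

     Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

     Consult rfc2459 for more information.

     @return the version number, e.g. 1 or 2
  */
  public abstract int getVersion();

  /**
     Returns the issuer (issuer distinguished name) of the CRL.
     The issuer is the entity who signed and issued the
     Certificate Revocation List.

     The ASN.1 DER encoding is:

     issuer                  Name,

     Name ::= CHOICE {
       RDNSequence }

     RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

     RelativeDistinguishedName ::=
       SET OF AttributeTypeAndValue

     AttributeTypeAndValue ::= SEQUENCE {
       type     AttributeType,
       value    AttributeValue }

     AttributeType ::= OBJECT IDENTIFIER

     AttributeValue ::= ANY DEFINED BY AttributeType

     DirectoryString ::= CHOICE {
           teletexString           TeletexString (SIZE (1..MAX)),
           printableString         PrintableString (SIZE (1..MAX)),
           universalString         UniversalString (SIZE (1..MAX)),
           utf8String              UTF8String (SIZE (1.. MAX)),
           bmpString               BMPString (SIZE (1..MAX)) }

     Consult rfc2459 for more information.

     @return the issuer as a Principal
  */
  public abstract Principal getIssuerDN();

  /**
     Returns the thisUpdate date of the CRL.

     The ASN.1 DER encoding is:

     thisUpdate              Time,

     Time ::= CHOICE {
          utcTime        UTCTime,
          generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the thisUpdate date
  */
  public abstract Date getThisUpdate();

  /**
     Gets the nextUpdate field.

     The ASN.1 DER encoding is:

     nextUpdate              Time OPTIONAL,

     Time ::= CHOICE {
          utcTime        UTCTime,
          generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the nextUpdate date, or null if the optional field is absent
  */
  public abstract Date getNextUpdate();

  /**
     Gets the requested X509CRLEntry for the specified
     certificate serial number.

     @param serialNumber the serial number of the certificate to look up

     @return a X509CRLEntry representing the X.509 CRL entry, or null
     if no entry with that serial number is present
  */
  public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);

  /**
     Returns a Set of revoked certificates.

     @return a set of revoked certificates, or null if there are none
  */
  public abstract Set<? extends X509CRLEntry> getRevokedCertificates();

  /**
     Returns the DER ASN.1 encoded tbsCertList which is
     the basic information of the list and associated certificates
     in the encoded state.  See top for more information.

     The ASN.1 DER encoding is:

     tbsCertList          TBSCertList,

     Consult rfc2459 for more information.

     @return byte array representing tbsCertList

     @throws CRLException if an encoding error occurs
  */
  public abstract byte[] getTBSCertList() throws CRLException;


  /**
     Returns the signature for the CRL.

     The ASN.1 DER encoding is:

     signatureValue       BIT STRING

     Consult rfc2459 for more information.

     @return byte array containing the raw signature value
  */
  public abstract byte[] getSignature();

  /**
     Returns the signature algorithm used to sign the CRL.
     An example is "SHA-1/DSA".

     The ASN.1 DER encoding is:

     signatureAlgorithm   AlgorithmIdentifier,

     AlgorithmIdentifier  ::=  SEQUENCE  {
          algorithm               OBJECT IDENTIFIER,
          parameters              ANY DEFINED BY algorithm OPTIONAL  }

     Consult rfc2459 for more information.

     The algorithm name is determined from the OID.

     @return a string with the signature algorithm name
  */
  public abstract String getSigAlgName();

  /**
     Returns the OID for the signature algorithm used.
     Example: "1.2.840.10040.4.3" is returned for SHA-1 with DSA.

     The ASN.1 DER encoding for the example is:

     id-dsa-with-sha1 ID  ::=  {
       iso(1) member-body(2) us(840) x9-57 (10040)
       x9cm(4) 3 }

     Consult rfc2459 for more information.

     @return a string containing the OID.
  */
  public abstract String getSigAlgOID();

  /**
     Returns the AlgorithmParameters in the encoded form
     for the signature algorithm used.

     If access to the parameters is needed, create an
     instance of AlgorithmParameters.

     @return byte array containing algorithm parameters, null
     if no parameters are present in CRL
  */
  public abstract byte[] getSigAlgParams();

  // 1.4 instance methods.
  // ------------------------------------------------------------------------

  /**
   * Returns the X.500 distinguished name of this CRL's issuer.
   *
   * This base implementation always throws
   * UnsupportedOperationException; concrete subclasses must override
   * it to decode the issuer from the CRL.
   *
   * @return The issuer's X.500 distinguished name.
   * @throws UnsupportedOperationException always, unless overridden.
   * @since JDK 1.4
   */
  public X500Principal getIssuerX500Principal()
  {
    throw new UnsupportedOperationException();
  }
}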