Class CertPathValidatorUtilities
- java.lang.Object
-
- eu.emi.security.authn.x509.helpers.pkipath.bc.CertPathValidatorUtilities
-
- Direct Known Subclasses:
CertPathValidatorUtilitiesCanl
class CertPathValidatorUtilities extends java.lang.Object
-
-
Field Summary
Fields Modifier and Type Field Description protected static java.lang.String
ANY_POLICY
protected static java.lang.String
AUTHORITY_KEY_IDENTIFIER
protected static java.lang.String
BASIC_CONSTRAINTS
protected static java.lang.String
CERTIFICATE_POLICIES
protected static java.lang.String
CRL_DISTRIBUTION_POINTS
protected static java.lang.String
CRL_NUMBER
protected static int
CRL_SIGN
protected static PKIXCRLUtil
CRL_UTIL
protected static java.lang.String[]
crlReasons
protected static java.lang.String
DELTA_CRL_INDICATOR
protected static java.lang.String
FRESHEST_CRL
protected static java.lang.String
INHIBIT_ANY_POLICY
protected static java.lang.String
ISSUING_DISTRIBUTION_POINT
protected static int
KEY_CERT_SIGN
protected static java.lang.String
KEY_USAGE
protected static java.lang.String
NAME_CONSTRAINTS
protected static java.lang.String
POLICY_CONSTRAINTS
protected static java.lang.String
POLICY_MAPPINGS
protected static java.lang.String
SUBJECT_ALTERNATIVE_NAME
-
Constructor Summary
Constructors Constructor Description CertPathValidatorUtilities()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description (package private) static void
checkCRLsNotEmpty(java.util.Set crls, java.lang.Object cert)
protected static java.util.Collection
findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores)
Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.(package private) static java.util.Collection
findIssuerCerts(java.security.cert.X509Certificate cert, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores)
Find the issuer certificates of a given certificate.protected static java.security.cert.TrustAnchor
findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors)
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.protected static java.security.cert.TrustAnchor
findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors, java.lang.String sigProvider)
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.(package private) static java.util.List<org.bouncycastle.jcajce.PKIXCertStore>
getAdditionalStoresFromAltNames(byte[] issuerAlternativeName, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap)
(package private) static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore>
getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap)
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier
getAlgorithmIdentifier(java.security.PublicKey key)
protected static void
getCertStatus(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, CertStatus certStatus)
protected static java.util.Set
getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
Fetches complete CRLs according to RFC 3280.protected static void
getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, java.util.Collection issuerPrincipals, java.security.cert.X509CRLSelector selector)
Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of theselector
.protected static java.util.Set
getDeltaCRLs(java.util.Date validityDate, java.security.cert.X509CRL completeCRL, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
Fetches delta CRLs according to RFC 3280 section 5.2.4.protected static org.bouncycastle.asn1.ASN1Primitive
getExtensionValue(java.security.cert.X509Extension ext, java.lang.String oid)
Extract the value of the given extension, if it exists.protected static java.security.PublicKey
getNextWorkingKey(java.util.List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper)
Return the next working key inheriting DSA parameters if necessary.private static org.bouncycastle.asn1.ASN1Primitive
getObject(java.lang.String oid, byte[] ext)
protected static java.util.Set
getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)
private static java.math.BigInteger
getSerialNumber(java.lang.Object cert)
protected static java.util.Date
getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.CertPath certPath, int index)
protected static java.util.Date
getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
protected static boolean
isAnyPolicy(java.util.Set policySet)
private static boolean
isDeltaCRL(java.security.cert.X509CRL crl)
protected static boolean
isSelfIssued(java.security.cert.X509Certificate cert)
protected static void
prepareNextCertB1(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert)
protected static PKIXPolicyNode
prepareNextCertB2(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)
protected static boolean
processCertD1i(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)
protected static void
processCertD1ii(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)
protected static PKIXPolicyNode
removePolicyNode(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)
private static void
removePolicyNodeRecurse(java.util.List[] policyNodes, PKIXPolicyNode _node)
protected static void
verifyX509Certificate(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider)
-
-
-
Field Detail
-
CRL_UTIL
protected static final PKIXCRLUtil CRL_UTIL
-
CERTIFICATE_POLICIES
protected static final java.lang.String CERTIFICATE_POLICIES
-
BASIC_CONSTRAINTS
protected static final java.lang.String BASIC_CONSTRAINTS
-
POLICY_MAPPINGS
protected static final java.lang.String POLICY_MAPPINGS
-
SUBJECT_ALTERNATIVE_NAME
protected static final java.lang.String SUBJECT_ALTERNATIVE_NAME
-
NAME_CONSTRAINTS
protected static final java.lang.String NAME_CONSTRAINTS
-
KEY_USAGE
protected static final java.lang.String KEY_USAGE
-
INHIBIT_ANY_POLICY
protected static final java.lang.String INHIBIT_ANY_POLICY
-
ISSUING_DISTRIBUTION_POINT
protected static final java.lang.String ISSUING_DISTRIBUTION_POINT
-
DELTA_CRL_INDICATOR
protected static final java.lang.String DELTA_CRL_INDICATOR
-
POLICY_CONSTRAINTS
protected static final java.lang.String POLICY_CONSTRAINTS
-
FRESHEST_CRL
protected static final java.lang.String FRESHEST_CRL
-
CRL_DISTRIBUTION_POINTS
protected static final java.lang.String CRL_DISTRIBUTION_POINTS
-
AUTHORITY_KEY_IDENTIFIER
protected static final java.lang.String AUTHORITY_KEY_IDENTIFIER
-
ANY_POLICY
protected static final java.lang.String ANY_POLICY
- See Also:
- Constant Field Values
-
CRL_NUMBER
protected static final java.lang.String CRL_NUMBER
-
KEY_CERT_SIGN
protected static final int KEY_CERT_SIGN
- See Also:
- Constant Field Values
-
CRL_SIGN
protected static final int CRL_SIGN
- See Also:
- Constant Field Values
-
crlReasons
protected static final java.lang.String[] crlReasons
-
-
Method Detail
-
findTrustAnchor
protected static java.security.cert.TrustAnchor findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.- Parameters:
cert
- the X509 certificatetrustAnchors
- a Set of TrustAnchor's- Returns:
- the
TrustAnchor
object if found ornull
if not. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
-
findTrustAnchor
protected static java.security.cert.TrustAnchor findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors, java.lang.String sigProvider) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if null.- Parameters:
cert
- the X509 certificatetrustAnchors
- a Set of TrustAnchor'ssigProvider
- the provider to use for signature verification- Returns:
- the
TrustAnchor
object if found ornull
if not. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
-
getAdditionalStoresFromAltNames
static java.util.List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames(byte[] issuerAlternativeName, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap) throws java.security.cert.CertificateParsingException
- Throws:
java.security.cert.CertificateParsingException
-
getValidDate
protected static java.util.Date getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
-
isSelfIssued
protected static boolean isSelfIssued(java.security.cert.X509Certificate cert)
-
getExtensionValue
protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(java.security.cert.X509Extension ext, java.lang.String oid) throws org.bouncycastle.jce.provider.AnnotatedException
Extract the value of the given extension, if it exists.- Parameters:
ext
- The extension object.oid
- The object identifier to obtain.- Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if the extension cannot be read.
-
getObject
private static org.bouncycastle.asn1.ASN1Primitive getObject(java.lang.String oid, byte[] ext) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getAlgorithmIdentifier
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(java.security.PublicKey key) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
getQualifierSet
protected static final java.util.Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
removePolicyNode
protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)
-
removePolicyNodeRecurse
private static void removePolicyNodeRecurse(java.util.List[] policyNodes, PKIXPolicyNode _node)
-
processCertD1i
protected static boolean processCertD1i(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)
-
processCertD1ii
protected static void processCertD1ii(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)
-
prepareNextCertB1
protected static void prepareNextCertB1(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert) throws org.bouncycastle.jce.provider.AnnotatedException, java.security.cert.CertPathValidatorException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
java.security.cert.CertPathValidatorException
-
prepareNextCertB2
protected static PKIXPolicyNode prepareNextCertB2(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)
-
isAnyPolicy
protected static boolean isAnyPolicy(java.util.Set policySet)
-
findCertificates
protected static java.util.Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores) throws org.bouncycastle.jce.provider.AnnotatedException
Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.- Parameters:
certSelect
- aSelector
object that will be used to select the certificatescertStores
- a List containing onlyStore
objects. These are used to search for certificates.- Returns:
- a Collection of all found
X509Certificate
May be empty but nevernull
. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- annotated exception
-
getAdditionalStoresFromCRLDistributionPoint
static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getCRLIssuersFromDistributionPoint
protected static void getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, java.util.Collection issuerPrincipals, java.security.cert.X509CRLSelector selector) throws org.bouncycastle.jce.provider.AnnotatedException
Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of theselector
.The
issuerPrincipals
are a collection with a singleX500Name
forX509Certificate
s.- Parameters:
dp
- The distribution point.issuerPrincipals
- The issuers of the certificate or attribute certificate which contains the distribution point.selector
- The CRL selector.- Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an exception occurs while processing.java.lang.ClassCastException
- ifissuerPrincipals
does not contain onlyX500Name
s.
-
getSerialNumber
private static java.math.BigInteger getSerialNumber(java.lang.Object cert)
-
getCertStatus
protected static void getCertStatus(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, CertStatus certStatus) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getDeltaCRLs
protected static java.util.Set getDeltaCRLs(java.util.Date validityDate, java.security.cert.X509CRL completeCRL, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores) throws org.bouncycastle.jce.provider.AnnotatedException
Fetches delta CRLs according to RFC 3280 section 5.2.4.- Parameters:
validityDate
- The date for which the delta CRLs must be valid.completeCRL
- The complete CRL the delta CRL is for.certStores
- aList
of certificate storespkixCrlStores
- aList
of CRL stores- Returns:
- A
Set
ofX509CRL
s with delta CRLs. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an exception occurs while picking the delta CRLs.
-
isDeltaCRL
private static boolean isDeltaCRL(java.security.cert.X509CRL crl)
-
getCompleteCRLs
protected static java.util.Set getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) throws org.bouncycastle.jce.provider.AnnotatedException
Fetches complete CRLs according to RFC 3280.- Parameters:
dp
- The distribution point for which the complete CRLcert
- TheX509Certificate
for which the CRL should be searched.currentDate
- The date for which the delta CRLs must be valid.paramsPKIX
- The extended PKIX parameters.- Returns:
- A
Set
ofX509CRL
s with complete CRLs. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an exception occurs while picking the CRLs or no CRLs are found.
-
getValidCertDateFromValidityModel
protected static java.util.Date getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.CertPath certPath, int index) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
getNextWorkingKey
protected static java.security.PublicKey getNextWorkingKey(java.util.List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws java.security.cert.CertPathValidatorException
Return the next working key inheriting DSA parameters if necessary.This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned
PublicKey
. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.
- Parameters:
certs
- The certification path.index
- The index of the certificate which contains the public key which should be extended with DSA parameters.helper
- JcaJce helper- Returns:
- The public key of the certificate in list position
index
extended with DSA parameters if applicable. - Throws:
java.security.cert.CertPathValidatorException
- if DSA parameters cannot be inherited.
-
findIssuerCerts
static java.util.Collection findIssuerCerts(java.security.cert.X509Certificate cert, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores) throws org.bouncycastle.jce.provider.AnnotatedException
Find the issuer certificates of a given certificate.- Parameters:
cert
- The certificate for which an issuer should be found.- Returns:
- A
Collection
object containing the issuerX509Certificate
s. Nevernull
. - Throws:
org.bouncycastle.jce.provider.AnnotatedException
- if an error occurs.
-
verifyX509Certificate
protected static void verifyX509Certificate(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider) throws java.security.GeneralSecurityException
- Throws:
java.security.GeneralSecurityException
-
checkCRLsNotEmpty
static void checkCRLsNotEmpty(java.util.Set crls, java.lang.Object cert) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
org.bouncycastle.jce.provider.AnnotatedException
-
-