org.bouncycastle.pkix.jcajce

Class PKIXCertPathReviewer

java.lang.Object

org.bouncycastle.pkix.jcajce.PKIXCertPathReviewer

public class PKIXCertPathReviewer
extends java.lang.Object

PKIXCertPathReviewer
Validation of X.509 Certificate Paths. Tries to find as much errors in the Path as possible.

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	ANY_POLICY
protected static java.lang.String	AUTHORITY_KEY_IDENTIFIER
protected static java.lang.String	BASIC_CONSTRAINTS
protected static java.lang.String	CERTIFICATE_POLICIES
protected java.security.cert.CertPath	certPath
protected java.util.List	certs
protected static java.lang.String	CRL_DISTRIBUTION_POINTS
protected static java.lang.String	CRL_NUMBER
protected static int	CRL_SIGN
protected static java.lang.String[]	crlReasons
protected java.util.Date	currentDate
protected static java.lang.String	DELTA_CRL_INDICATOR
protected java.util.List[]	errors
protected static java.lang.String	FRESHEST_CRL
protected static java.lang.String	INHIBIT_ANY_POLICY
protected static java.lang.String	ISSUING_DISTRIBUTION_POINT
protected static int	KEY_CERT_SIGN
protected static java.lang.String	KEY_USAGE
protected int	n
protected static java.lang.String	NAME_CONSTRAINTS
protected java.util.List[]	notifications
protected java.security.cert.PKIXParameters	pkixParams
protected static java.lang.String	POLICY_CONSTRAINTS
protected static java.lang.String	POLICY_MAPPINGS
protected java.security.cert.PolicyNode	policyTree
protected static java.lang.String	SUBJECT_ALTERNATIVE_NAME
protected java.security.PublicKey	subjectPublicKey
protected java.security.cert.TrustAnchor	trustAnchor
protected java.util.Date	validDate

Constructor Summary

Constructors

Constructor and Description
PKIXCertPathReviewer() Creates an empty PKIXCertPathReviewer.
PKIXCertPathReviewer(java.security.cert.CertPath certPath, java.security.cert.PKIXParameters params) Creates a PKIXCertPathReviewer and initializes it with the given CertPath and PKIXParameters params

Method Summary

Modifier and Type	Method and Description
protected void	addError(ErrorBundle msg)
protected void	addError(ErrorBundle msg, int index)
protected void	addNotification(ErrorBundle msg)
protected void	addNotification(ErrorBundle msg, int index)
protected void	checkCRLs(java.security.cert.PKIXParameters paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.Vector crlDistPointUrls, int index)
protected void	checkRevocation(java.security.cert.PKIXParameters paramsPKIX, java.security.cert.X509Certificate cert, java.util.Date validDate, java.security.cert.X509Certificate sign, java.security.PublicKey workingPublicKey, java.util.Vector crlDistPointUrls, java.util.Vector ocspUrls, int index)
protected void	doChecks()
protected static java.util.Collection	findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores)
protected static java.util.Collection	findCertificates(org.bouncycastle.pkix.jcajce.X509CertStoreSelector certSelect, java.util.List certStores) Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier	getAlgorithmIdentifier(java.security.PublicKey key)
java.security.cert.CertPath	getCertPath()
int	getCertPathSize()
protected static void	getCertStatus(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, org.bouncycastle.pkix.jcajce.CertStatus certStatus)
protected java.util.Vector	getCRLDistUrls(org.bouncycastle.asn1.x509.CRLDistPoint crlDistPoints)
protected static javax.security.auth.x500.X500Principal	getEncodedIssuerPrincipal(java.lang.Object cert) Returns the issuer of an attribute certificate or certificate.
java.util.List[]	getErrors() Returns an Array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path.
java.util.List	getErrors(int index) Returns an List of error messages for the certificate at the given index in the CertPath.
protected static org.bouncycastle.asn1.ASN1Primitive	getExtensionValue(java.security.cert.X509Extension ext, java.lang.String oid) Extract the value of the given extension, if it exists.
protected static javax.security.auth.x500.X500Principal	getIssuerPrincipal(java.security.cert.X509CRL crl)
protected static java.security.PublicKey	getNextWorkingKey(java.util.List certs, int index) Return the next working key inheriting DSA parameters if necessary.
java.util.List[]	getNotifications() Returns an Array of Lists which contains a List of global notification messages and a List of botification messages for each certificate in the path.
java.util.List	getNotifications(int index) Returns an List of notification messages for the certificate at the given index in the CertPath.
protected java.util.Vector	getOCSPUrls(org.bouncycastle.asn1.x509.AuthorityInformationAccess authInfoAccess)
java.security.cert.PolicyNode	getPolicyTree()
protected static java.util.Set	getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)
protected static javax.security.auth.x500.X500Principal	getSubjectPrincipal(java.security.cert.X509Certificate cert)
java.security.PublicKey	getSubjectPublicKey()
java.security.cert.TrustAnchor	getTrustAnchor()
protected java.util.Collection	getTrustAnchors(java.security.cert.X509Certificate cert, java.util.Set trustanchors)
protected static java.util.Date	getValidDate(java.security.cert.PKIXParameters paramsPKIX)
void	init(java.security.cert.CertPath certPath, java.security.cert.PKIXParameters params) Initializes the PKIXCertPathReviewer with the given CertPath and PKIXParameters params
protected static boolean	isAnyPolicy(java.util.Set policySet)
protected static boolean	isSelfIssued(java.security.cert.X509Certificate cert)
boolean	isValidCertPath()
protected static void	prepareNextCertB1(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert)
protected static PKIXPolicyNode	prepareNextCertB2(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)
protected static boolean	processCertD1i(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)
protected static void	processCertD1ii(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)
protected static PKIXPolicyNode	removePolicyNode(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)
protected static void	verifyX509Certificate(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

certPath

protected java.security.cert.CertPath certPath

pkixParams

protected java.security.cert.PKIXParameters pkixParams

currentDate

protected java.util.Date currentDate

validDate

protected java.util.Date validDate

certs

protected java.util.List certs

n

protected int n

notifications

protected java.util.List[] notifications

errors

protected java.util.List[] errors

trustAnchor

protected java.security.cert.TrustAnchor trustAnchor

subjectPublicKey

protected java.security.PublicKey subjectPublicKey

policyTree

protected java.security.cert.PolicyNode policyTree

CERTIFICATE_POLICIES

protected static final java.lang.String CERTIFICATE_POLICIES

BASIC_CONSTRAINTS

protected static final java.lang.String BASIC_CONSTRAINTS

POLICY_MAPPINGS

protected static final java.lang.String POLICY_MAPPINGS

SUBJECT_ALTERNATIVE_NAME

protected static final java.lang.String SUBJECT_ALTERNATIVE_NAME

NAME_CONSTRAINTS

protected static final java.lang.String NAME_CONSTRAINTS

KEY_USAGE

protected static final java.lang.String KEY_USAGE

INHIBIT_ANY_POLICY

protected static final java.lang.String INHIBIT_ANY_POLICY

ISSUING_DISTRIBUTION_POINT

protected static final java.lang.String ISSUING_DISTRIBUTION_POINT

DELTA_CRL_INDICATOR

protected static final java.lang.String DELTA_CRL_INDICATOR

POLICY_CONSTRAINTS

protected static final java.lang.String POLICY_CONSTRAINTS

FRESHEST_CRL

protected static final java.lang.String FRESHEST_CRL

CRL_DISTRIBUTION_POINTS

protected static final java.lang.String CRL_DISTRIBUTION_POINTS

AUTHORITY_KEY_IDENTIFIER

protected static final java.lang.String AUTHORITY_KEY_IDENTIFIER

ANY_POLICY

protected static final java.lang.String ANY_POLICY

See Also:

Constant Field Values

CRL_NUMBER

protected static final java.lang.String CRL_NUMBER

KEY_CERT_SIGN

protected static final int KEY_CERT_SIGN

See Also:

Constant Field Values

CRL_SIGN

protected static final int CRL_SIGN

See Also:

Constant Field Values

crlReasons

protected static final java.lang.String[] crlReasons

Constructor Detail

PKIXCertPathReviewer

public PKIXCertPathReviewer(java.security.cert.CertPath certPath,
                            java.security.cert.PKIXParameters params)
                     throws CertPathReviewerException

Creates a PKIXCertPathReviewer and initializes it with the given CertPath and PKIXParameters params

Parameters:

certPath - the CertPath to validate

params - the PKIXParameters to use

Throws:

CertPathReviewerException - if the certPath is empty

PKIXCertPathReviewer

public PKIXCertPathReviewer()

Creates an empty PKIXCertPathReviewer. Don't forget to call init() to initialize the object.

Method Detail

init

public void init(java.security.cert.CertPath certPath,
                 java.security.cert.PKIXParameters params)
          throws CertPathReviewerException

Initializes the PKIXCertPathReviewer with the given CertPath and PKIXParameters params

Parameters:

certPath - the CertPath to validate

params - the PKIXParameters to use

Throws:

CertPathReviewerException - if the certPath is empty

java.lang.IllegalStateException - if the PKIXCertPathReviewer is already initialized

getCertPath

public java.security.cert.CertPath getCertPath()

Returns:

the CertPath that was validated

getCertPathSize

public int getCertPathSize()

Returns:

the size of the CertPath

getErrors

public java.util.List[] getErrors()

Returns an Array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path. The global error List is at index 0. The error lists for each certificate at index 1 to n. The error messages are of type.

Returns:

the Array of Lists which contain the error messages

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getErrors

public java.util.List getErrors(int index)

Returns an List of error messages for the certificate at the given index in the CertPath. If index == -1 then the list of global errors is returned with errors not specific to a certificate.

Parameters:

index - the index of the certificate in the CertPath

Returns:

List of error messages for the certificate

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getNotifications

public java.util.List[] getNotifications()

Returns an Array of Lists which contains a List of global notification messages and a List of botification messages for each certificate in the path. The global notificatio List is at index 0. The notification lists for each certificate at index 1 to n. The error messages are of type.

Returns:

the Array of Lists which contain the notification messages

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getNotifications

public java.util.List getNotifications(int index)

Returns an List of notification messages for the certificate at the given index in the CertPath. If index == -1 then the list of global notifications is returned with notifications not specific to a certificate.

Parameters:

index - the index of the certificate in the CertPath

Returns:

List of notification messages for the certificate

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getPolicyTree

public java.security.cert.PolicyNode getPolicyTree()

Returns:

the valid policy tree, null if no valid policy exists.

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getSubjectPublicKey

public java.security.PublicKey getSubjectPublicKey()

Returns:

the PublicKey if the last certificate in the CertPath

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

getTrustAnchor

public java.security.cert.TrustAnchor getTrustAnchor()

Returns:

the TrustAnchor for the CertPath, null if no valid TrustAnchor was found.

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

isValidCertPath

public boolean isValidCertPath()

Returns:

if the CertPath is valid

Throws:

java.lang.IllegalStateException - if the PKIXCertPathReviewer was not initialized

addNotification

protected void addNotification(ErrorBundle msg)

addNotification

protected void addNotification(ErrorBundle msg,
                               int index)

addError

protected void addError(ErrorBundle msg)

addError

protected void addError(ErrorBundle msg,
                        int index)

doChecks

protected void doChecks()

checkRevocation

protected void checkRevocation(java.security.cert.PKIXParameters paramsPKIX,
                               java.security.cert.X509Certificate cert,
                               java.util.Date validDate,
                               java.security.cert.X509Certificate sign,
                               java.security.PublicKey workingPublicKey,
                               java.util.Vector crlDistPointUrls,
                               java.util.Vector ocspUrls,
                               int index)
                        throws CertPathReviewerException

Throws:

CertPathReviewerException

checkCRLs

protected void checkCRLs(java.security.cert.PKIXParameters paramsPKIX,
                         java.security.cert.X509Certificate cert,
                         java.util.Date validDate,
                         java.security.cert.X509Certificate sign,
                         java.security.PublicKey workingPublicKey,
                         java.util.Vector crlDistPointUrls,
                         int index)
                  throws CertPathReviewerException

Throws:

CertPathReviewerException

getCRLDistUrls

protected java.util.Vector getCRLDistUrls(org.bouncycastle.asn1.x509.CRLDistPoint crlDistPoints)

getOCSPUrls

protected java.util.Vector getOCSPUrls(org.bouncycastle.asn1.x509.AuthorityInformationAccess authInfoAccess)

getTrustAnchors

protected java.util.Collection getTrustAnchors(java.security.cert.X509Certificate cert,
                                               java.util.Set trustanchors)
                                        throws CertPathReviewerException

Throws:

CertPathReviewerException

getEncodedIssuerPrincipal

protected static javax.security.auth.x500.X500Principal getEncodedIssuerPrincipal(java.lang.Object cert)

Returns the issuer of an attribute certificate or certificate.

Parameters:

cert - The attribute certificate or certificate.

Returns:

The issuer as X500Principal.

getValidDate

protected static java.util.Date getValidDate(java.security.cert.PKIXParameters paramsPKIX)

getSubjectPrincipal

protected static javax.security.auth.x500.X500Principal getSubjectPrincipal(java.security.cert.X509Certificate cert)

isSelfIssued

protected static boolean isSelfIssued(java.security.cert.X509Certificate cert)

getExtensionValue

protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(java.security.cert.X509Extension ext,
                                                                       java.lang.String oid)
                                                                throws org.bouncycastle.pkix.jcajce.AnnotatedException

Extract the value of the given extension, if it exists.

Parameters:

ext - The extension object.

oid - The object identifier to obtain.

Throws:

AnnotatedException - if the extension cannot be read.

getIssuerPrincipal

protected static javax.security.auth.x500.X500Principal getIssuerPrincipal(java.security.cert.X509CRL crl)

getAlgorithmIdentifier

protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(java.security.PublicKey key)
                                                                                throws java.security.cert.CertPathValidatorException

Throws:

java.security.cert.CertPathValidatorException

getQualifierSet

protected static final java.util.Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)
                                              throws java.security.cert.CertPathValidatorException

Throws:

java.security.cert.CertPathValidatorException

removePolicyNode

protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree,
                                                 java.util.List[] policyNodes,
                                                 PKIXPolicyNode _node)

processCertD1i

protected static boolean processCertD1i(int index,
                                        java.util.List[] policyNodes,
                                        org.bouncycastle.asn1.ASN1ObjectIdentifier pOid,
                                        java.util.Set pq)

processCertD1ii

protected static void processCertD1ii(int index,
                                      java.util.List[] policyNodes,
                                      org.bouncycastle.asn1.ASN1ObjectIdentifier _poid,
                                      java.util.Set _pq)

prepareNextCertB1

protected static void prepareNextCertB1(int i,
                                        java.util.List[] policyNodes,
                                        java.lang.String id_p,
                                        java.util.Map m_idp,
                                        java.security.cert.X509Certificate cert)
                                 throws org.bouncycastle.pkix.jcajce.AnnotatedException,
                                        java.security.cert.CertPathValidatorException

Throws:

org.bouncycastle.pkix.jcajce.AnnotatedException

java.security.cert.CertPathValidatorException

prepareNextCertB2

protected static PKIXPolicyNode prepareNextCertB2(int i,
                                                  java.util.List[] policyNodes,
                                                  java.lang.String id_p,
                                                  PKIXPolicyNode validPolicyTree)

isAnyPolicy

protected static boolean isAnyPolicy(java.util.Set policySet)

findCertificates

protected static java.util.Collection findCertificates(org.bouncycastle.pkix.jcajce.X509CertStoreSelector certSelect,
                                                       java.util.List certStores)
                                                throws org.bouncycastle.pkix.jcajce.AnnotatedException

Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.

Parameters:

certSelect - a Selector object that will be used to select the certificates

certStores - a List containing only X509Store objects. These are used to search for certificates.

Returns:

a Collection of all found X509Certificate or org.bouncycastle.x509.X509AttributeCertificate objects. May be empty but never null.

Throws:

org.bouncycastle.pkix.jcajce.AnnotatedException

findCertificates

protected static java.util.Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect,
                                                       java.util.List certStores)
                                                throws org.bouncycastle.pkix.jcajce.AnnotatedException

Throws:

org.bouncycastle.pkix.jcajce.AnnotatedException

getCertStatus

protected static void getCertStatus(java.util.Date validDate,
                                    java.security.cert.X509CRL crl,
                                    java.lang.Object cert,
                                    org.bouncycastle.pkix.jcajce.CertStatus certStatus)
                             throws org.bouncycastle.pkix.jcajce.AnnotatedException

Throws:

org.bouncycastle.pkix.jcajce.AnnotatedException

getNextWorkingKey

protected static java.security.PublicKey getNextWorkingKey(java.util.List certs,
                                                           int index)
                                                    throws java.security.cert.CertPathValidatorException

Return the next working key inheriting DSA parameters if necessary.

This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.

If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.

Parameters:

certs - The certification path.

index - The index of the certificate which contains the public key which should be extended with DSA parameters.

Returns:

The public key of the certificate in list position index extended with DSA parameters if applicable.

Throws:

java.security.cert.CertPathValidatorException - if DSA parameters cannot be inherited.

verifyX509Certificate

protected static void verifyX509Certificate(java.security.cert.X509Certificate cert,
                                            java.security.PublicKey publicKey,
                                            java.lang.String sigProvider)
                                     throws java.security.GeneralSecurityException

Throws:

java.security.GeneralSecurityException