Class PKIXCertPathReviewer

java.lang.Object
org.bouncycastle.pkix.jcajce.PKIXCertPathReviewer

public class PKIXCertPathReviewer extends Object
Validation of X.509 certificate paths. Tries to find as many errors in the path as possible, rather than stopping at the first one.
  • Field Details

    • certPath

      protected CertPath certPath
    • pkixParams

      protected PKIXParameters pkixParams
    • currentDate

      protected Date currentDate
    • validDate

      protected Date validDate
    • certs

      protected List certs
    • n

      protected int n
    • notifications

      protected List[] notifications
    • errors

      protected List[] errors
    • trustAnchor

      protected TrustAnchor trustAnchor
    • subjectPublicKey

      protected PublicKey subjectPublicKey
    • policyTree

      protected PolicyNode policyTree
    • CERTIFICATE_POLICIES

      protected static final String CERTIFICATE_POLICIES
    • BASIC_CONSTRAINTS

      protected static final String BASIC_CONSTRAINTS
    • POLICY_MAPPINGS

      protected static final String POLICY_MAPPINGS
    • SUBJECT_ALTERNATIVE_NAME

      protected static final String SUBJECT_ALTERNATIVE_NAME
    • NAME_CONSTRAINTS

      protected static final String NAME_CONSTRAINTS
    • KEY_USAGE

      protected static final String KEY_USAGE
    • INHIBIT_ANY_POLICY

      protected static final String INHIBIT_ANY_POLICY
    • ISSUING_DISTRIBUTION_POINT

      protected static final String ISSUING_DISTRIBUTION_POINT
    • DELTA_CRL_INDICATOR

      protected static final String DELTA_CRL_INDICATOR
    • POLICY_CONSTRAINTS

      protected static final String POLICY_CONSTRAINTS
    • FRESHEST_CRL

      protected static final String FRESHEST_CRL
    • CRL_DISTRIBUTION_POINTS

      protected static final String CRL_DISTRIBUTION_POINTS
    • AUTHORITY_KEY_IDENTIFIER

      protected static final String AUTHORITY_KEY_IDENTIFIER
    • ANY_POLICY

      protected static final String ANY_POLICY
    • CRL_NUMBER

      protected static final String CRL_NUMBER
    • KEY_CERT_SIGN

      protected static final int KEY_CERT_SIGN
    • CRL_SIGN

      protected static final int CRL_SIGN
    • crlReasons

      protected static final String[] crlReasons
  • Method Details

    • init

      public void init(CertPath certPath, PKIXParameters params) throws CertPathReviewerException
      Initializes the PKIXCertPathReviewer with the given CertPath and PKIXParameters.
      Parameters:
      certPath - the CertPath to validate
      params - the PKIXParameters to use
      Throws:
      CertPathReviewerException - if the certPath is empty
      IllegalStateException - if the PKIXCertPathReviewer is already initialized
    • getCertPath

      public CertPath getCertPath()
      Returns:
      the CertPath that was validated
    • getCertPathSize

      public int getCertPathSize()
      Returns:
      the size of the CertPath
    • getErrors

      public List[] getErrors()
      Returns an array of Lists which contains a List of global error messages and a List of error messages for each certificate in the path. The global error List is at index 0. The error lists for each certificate are at indices 1 to n. The error messages are of type.
      Returns:
      the Array of Lists which contain the error messages
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getErrors

      public List getErrors(int index)
      Returns a List of error messages for the certificate at the given index in the CertPath. If index == -1, the list of global errors (errors not specific to a certificate) is returned.
      Parameters:
      index - the index of the certificate in the CertPath
      Returns:
      List of error messages for the certificate
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getNotifications

      public List[] getNotifications()
      Returns an array of Lists which contains a List of global notification messages and a List of notification messages for each certificate in the path. The global notification List is at index 0. The notification lists for each certificate are at indices 1 to n. The notification messages are of type.
      Returns:
      the Array of Lists which contain the notification messages
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getNotifications

      public List getNotifications(int index)
      Returns a List of notification messages for the certificate at the given index in the CertPath. If index == -1, the list of global notifications (notifications not specific to a certificate) is returned.
      Parameters:
      index - the index of the certificate in the CertPath
      Returns:
      List of notification messages for the certificate
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getPolicyTree

      public PolicyNode getPolicyTree()
      Returns:
      the valid policy tree, null if no valid policy exists.
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getSubjectPublicKey

      public PublicKey getSubjectPublicKey()
      Returns:
      the PublicKey of the last certificate in the CertPath
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • getTrustAnchor

      public TrustAnchor getTrustAnchor()
      Returns:
      the TrustAnchor for the CertPath, null if no valid TrustAnchor was found.
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
    • isValidCertPath

      public boolean isValidCertPath()
      Returns:
      whether the CertPath is valid, i.e. no errors were recorded during the review
      Throws:
      IllegalStateException - if the PKIXCertPathReviewer was not initialized
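A usage example added here (not from the Bouncy Castle project's own documentation) that wires the public API above together: it builds a CertPath from a leaf-first chain, supplies trust anchors through PKIXParameters, runs the review and prints the global and per-certificate results. The file paths are placeholders, and ErrorBundle.getText(Locale) from org.bouncycastle.i18n is assumed to be the way to render a message.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.i18n.ErrorBundle;
import org.bouncycastle.pkix.jcajce.PKIXCertPathReviewer;

public class ChainReview {
    // Loads every X.509 certificate found in a PEM or DER file.
    static List<X509Certificate> loadCerts(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Placeholder paths: chain.pem holds leaf first, then intermediates; the roots
        // go into the trust anchor set rather than into the path itself.
        List<X509Certificate> chain = loadCerts(cf, "chain.pem");
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : loadCerts(cf, "roots.pem")) anchors.add(new TrustAnchor(root, null));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // lets the reviewer also run its CRL/OCSP checks
        params.setDate(new Date());          // validity is judged at this instant

        PKIXCertPathReviewer reviewer = new PKIXCertPathReviewer();
        reviewer.init(cf.generateCertPath(chain), params);

        Locale loc = Locale.ENGLISH;
        System.out.println("valid: " + reviewer.isValidCertPath());
        // index -1 is the global list; certificate i (0 = end entity) maps to array slot i + 1
        report("global", reviewer.getErrors(-1), reviewer.getNotifications(-1), loc);
        for (int i = 0; i < reviewer.getCertPathSize(); i++) {
            report("cert[" + i + "] " + chain.get(i).getSubjectX500Principal(),
                   reviewer.getErrors(i), reviewer.getNotifications(i), loc);
        }
    }

    // getErrors/getNotifications return raw Lists, so the entries are cast to ErrorBundle here.
    static void report(String label, List errors, List notes, Locale loc) {
        System.out.println(label + ": " + errors.size() + " error(s), " + notes.size() + " notification(s)");
        for (Object e : errors) System.out.println("  ERROR " + ((ErrorBundle) e).getText(loc));
        for (Object n : notes)  System.out.println("  note  " + ((ErrorBundle) n).getText(loc));
    }
}
```

Because the reviewer keeps going after the first failure, the per-certificate lists show every problem in the chain in one pass, which is what makes it useful for diagnosing a rejected path.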
    • addNotification

      protected void addNotification(ErrorBundle msg)
    • addNotification

      protected void addNotification(ErrorBundle msg, int index)
    • addError

      protected void addError(ErrorBundle msg)
    • addError

      protected void addError(ErrorBundle msg, int index)
    • doChecks

      protected void doChecks()
    • checkRevocation

      protected void checkRevocation(PKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, Vector crlDistPointUrls, Vector ocspUrls, int index) throws CertPathReviewerException
      Throws:
      CertPathReviewerException
    • checkCRLs

      protected void checkCRLs(PKIXParameters paramsPKIX, X509Certificate cert, Date validDate, X509Certificate sign, PublicKey workingPublicKey, Vector crlDistPointUrls, int index) throws CertPathReviewerException
      Throws:
      CertPathReviewerException
    • getCRLDistUrls

      protected Vector getCRLDistUrls(org.bouncycastle.asn1.x509.CRLDistPoint crlDistPoints)
    • getOCSPUrls

      protected Vector getOCSPUrls(org.bouncycastle.asn1.x509.AuthorityInformationAccess authInfoAccess)
    • getTrustAnchors

      protected Collection getTrustAnchors(X509Certificate cert, Set trustanchors) throws CertPathReviewerException
      Throws:
      CertPathReviewerException
    • getEncodedIssuerPrincipal

      protected static X500Principal getEncodedIssuerPrincipal(Object cert)
      Returns the issuer of an attribute certificate or certificate.
      Parameters:
      cert - The attribute certificate or certificate.
      Returns:
      The issuer as X500Principal.
    • getValidDate

      protected static Date getValidDate(PKIXParameters paramsPKIX)
    • getSubjectPrincipal

      protected static X500Principal getSubjectPrincipal(X509Certificate cert)
    • isSelfIssued

      protected static boolean isSelfIssued(X509Certificate cert)
    • getExtensionValue

      protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Extension ext, String oid) throws org.bouncycastle.pkix.jcajce.AnnotatedException
      Extract the value of the given extension, if it exists.
      Parameters:
      ext - The extension object.
      oid - The object identifier to obtain.
      Throws:
      org.bouncycastle.pkix.jcajce.AnnotatedException - if the extension cannot be read.
    • getIssuerPrincipal

      protected static X500Principal getIssuerPrincipal(X509CRL crl)
    • getAlgorithmIdentifier

      protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException
      Throws:
      CertPathValidatorException
    • getQualifierSet

      protected static final Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) throws CertPathValidatorException
      Throws:
      CertPathValidatorException
    • removePolicyNode

      protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)
    • processCertD1i

      protected static boolean processCertD1i(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, Set pq)
    • processCertD1ii

      protected static void processCertD1ii(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, Set _pq)
    • prepareNextCertB1

      protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws org.bouncycastle.pkix.jcajce.AnnotatedException, CertPathValidatorException
      Throws:
      org.bouncycastle.pkix.jcajce.AnnotatedException
      CertPathValidatorException
    • prepareNextCertB2

      protected static PKIXPolicyNode prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)
    • isAnyPolicy

      protected static boolean isAnyPolicy(Set policySet)
    • findCertificates

      protected static Collection findCertificates(org.bouncycastle.pkix.jcajce.X509CertStoreSelector certSelect, List certStores) throws org.bouncycastle.pkix.jcajce.AnnotatedException
      Returns a Collection of all certificates or attribute certificates found in the X509Stores that match the certSelect criteria.
      Parameters:
      certSelect - a Selector object that will be used to select the certificates
      certStores - a List containing only Store objects. These are used to search for certificates.
      Returns:
      a Collection of all X509Certificates found; may be empty but never null.
      Throws:
      org.bouncycastle.pkix.jcajce.AnnotatedException
    • findCertificates

      protected static Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, List certStores) throws org.bouncycastle.pkix.jcajce.AnnotatedException
      Throws:
      org.bouncycastle.pkix.jcajce.AnnotatedException
    • getCertStatus

      protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, org.bouncycastle.pkix.jcajce.CertStatus certStatus) throws org.bouncycastle.pkix.jcajce.AnnotatedException
      Throws:
      org.bouncycastle.pkix.jcajce.AnnotatedException
    • getNextWorkingKey

      protected static PublicKey getNextWorkingKey(List certs, int index) throws CertPathValidatorException
      Returns the next working key, inheriting DSA parameters if necessary.

      This method inherits DSA parameters from the indexed certificate or from previous certificates in the certificate chain into the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and the issuing certificates follow it.

      If the indexed certificate does not contain a DSA key, this method simply returns the public key. If the DSA key already contains DSA parameters, the key is likewise returned unchanged.

      Parameters:
      certs - The certification path.
      index - The index of the certificate which contains the public key which should be extended with DSA parameters.
      Returns:
      The public key of the certificate in list position index extended with DSA parameters if applicable.
      Throws:
      CertPathValidatorException - if DSA parameters cannot be inherited.
    • verifyX509Certificate

      protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • getValidityDate

      protected static Date getValidityDate(PKIXParameters paramsPKIX, Date currentDate)