Class CertPathValidatorUtilities
java.lang.Object
eu.emi.security.authn.x509.helpers.pkipath.bc.CertPathValidatorUtilities
- Direct Known Subclasses:
  CertPathValidatorUtilitiesCanl

Field Summary
- protected static final String ANY_POLICY
- protected static final String AUTHORITY_KEY_IDENTIFIER
- protected static final String BASIC_CONSTRAINTS
- protected static final String CERTIFICATE_POLICIES
- protected static final String CRL_DISTRIBUTION_POINTS
- protected static final String CRL_NUMBER
- protected static final int CRL_SIGN
- protected static final PKIXCRLUtil CRL_UTIL
- protected static final String[] crlReasons
- protected static final String DELTA_CRL_INDICATOR
- protected static final String FRESHEST_CRL
- protected static final String INHIBIT_ANY_POLICY
- protected static final String ISSUING_DISTRIBUTION_POINT
- protected static final int KEY_CERT_SIGN
- protected static final String KEY_USAGE
- protected static final String NAME_CONSTRAINTS
- protected static final String POLICY_CONSTRAINTS
- protected static final String POLICY_MAPPINGS
- protected static final String SUBJECT_ALTERNATIVE_NAME

Constructor Summary
- CertPathValidatorUtilities()

Method Summary
- (package private) static void checkCRLsNotEmpty(Set crls, Object cert)
- protected static Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, List certStores)
  Return a Collection of all certificates or attribute certificates found in the X509Stores that match the certSelect criteria.
- (package private) static Collection findIssuerCerts(X509Certificate cert, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores)
  Find the issuer certificates of a given certificate.
- protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors)
  Search the given Set of TrustAnchors for one that is the issuer of the given X509 certificate.
- protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider)
  Search the given Set of TrustAnchors for one that is the issuer of the given X509 certificate.
- (package private) static List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames(byte[] issuerAlternativeName, Map<org.bouncycastle.asn1.x509.GeneralName, org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap)
- (package private) static List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, Map<org.bouncycastle.asn1.x509.GeneralName, org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap)
- protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key)
- protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus)
- protected static Set getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
  Fetches complete CRLs according to RFC 3280.
- protected static void getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector)
  Add the CRL issuers from the cRLIssuer field of the distribution point, or from the certificate if the field is not given, to the issuer criterion of the selector.
- protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
  Fetches delta CRLs according to RFC 3280 section 5.2.4.
- protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Extension ext, String oid)
  Extract the value of the given extension, if it exists.
- protected static PublicKey getNextWorkingKey(List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper)
  Return the next working key, inheriting DSA parameters if necessary.
- private static org.bouncycastle.asn1.ASN1Primitive getObject(String oid, byte[] ext)
- protected static final Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers)
- private static BigInteger getSerialNumber(Object cert)
- protected static Date getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, CertPath certPath, int index)
- protected static Date getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
- protected static boolean isAnyPolicy(Set policySet)
- private static boolean isDeltaCRL(X509CRL crl)
- protected static boolean isSelfIssued(X509Certificate cert)
- protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert)
- protected static PKIXPolicyNode prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)
- protected static boolean processCertD1i(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, Set pq)
- protected static void processCertD1ii(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, Set _pq)
- protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)
- private static void removePolicyNodeRecurse(List[] policyNodes, PKIXPolicyNode _node)
- protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider)

Field Details
- protected static final PKIXCRLUtil CRL_UTIL
- protected static final String CERTIFICATE_POLICIES
- protected static final String BASIC_CONSTRAINTS
- protected static final String POLICY_MAPPINGS
- protected static final String SUBJECT_ALTERNATIVE_NAME
- protected static final String NAME_CONSTRAINTS
- protected static final String KEY_USAGE
- protected static final String INHIBIT_ANY_POLICY
- protected static final String ISSUING_DISTRIBUTION_POINT
- protected static final String DELTA_CRL_INDICATOR
- protected static final String POLICY_CONSTRAINTS
- protected static final String FRESHEST_CRL
- protected static final String CRL_DISTRIBUTION_POINTS
- protected static final String AUTHORITY_KEY_IDENTIFIER
- protected static final String ANY_POLICY
- protected static final String CRL_NUMBER
- protected static final int KEY_CERT_SIGN
- protected static final int CRL_SIGN
- protected static final String[] crlReasons

Constructor Details
- CertPathValidatorUtilities
  CertPathValidatorUtilities()

Method Details

findTrustAnchor
protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchors for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.
- Parameters:
  cert - the X509 certificate
  trustAnchors - a Set of TrustAnchors
- Returns:
  the TrustAnchor object if found, or null if not.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

findTrustAnchor
protected static TrustAnchor findTrustAnchor(X509Certificate cert, Set trustAnchors, String sigProvider) throws org.bouncycastle.jce.provider.AnnotatedException
Search the given Set of TrustAnchors for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if sigProvider is null.
- Parameters:
  cert - the X509 certificate
  trustAnchors - a Set of TrustAnchors
  sigProvider - the provider to use for signature verification
- Returns:
  the TrustAnchor object if found, or null if not.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

getAdditionalStoresFromAltNames
static List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames(byte[] issuerAlternativeName, Map<org.bouncycastle.asn1.x509.GeneralName, org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap) throws CertificateParsingException
- Throws:
  CertificateParsingException

getValidDate
protected static Date getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)

isSelfIssued
protected static boolean isSelfIssued(X509Certificate cert)

getExtensionValue
protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Extension ext, String oid) throws org.bouncycastle.jce.provider.AnnotatedException
Extract the value of the given extension, if it exists.
- Parameters:
  ext - The extension object.
  oid - The object identifier to obtain.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if the extension cannot be read.

getObject
private static org.bouncycastle.asn1.ASN1Primitive getObject(String oid, byte[] ext) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException

getAlgorithmIdentifier
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException
- Throws:
  CertPathValidatorException

getQualifierSet
protected static final Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) throws CertPathValidatorException
- Throws:
  CertPathValidatorException

removePolicyNode
protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)

removePolicyNodeRecurse
private static void removePolicyNodeRecurse(List[] policyNodes, PKIXPolicyNode _node)

processCertD1i
protected static boolean processCertD1i(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, Set pq)

processCertD1ii
protected static void processCertD1ii(int index, List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, Set _pq)

prepareNextCertB1
protected static void prepareNextCertB1(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws org.bouncycastle.jce.provider.AnnotatedException, CertPathValidatorException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException
  CertPathValidatorException

prepareNextCertB2
protected static PKIXPolicyNode prepareNextCertB2(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)

isAnyPolicy
protected static boolean isAnyPolicy(Set policySet)

findCertificates
protected static Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, List certStores) throws org.bouncycastle.jce.provider.AnnotatedException
Return a Collection of all certificates or attribute certificates found in the X509Stores that match the certSelect criteria.
- Parameters:
  certSelect - a Selector object that will be used to select the certificates
  certStores - a List containing only Store objects. These are used to search for certificates.
- Returns:
  a Collection of all found X509Certificate objects. May be empty but never null.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - annotated exception

getAdditionalStoresFromCRLDistributionPoint
static List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, Map<org.bouncycastle.asn1.x509.GeneralName, org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException

getCRLIssuersFromDistributionPoint
protected static void getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector) throws org.bouncycastle.jce.provider.AnnotatedException
Add the CRL issuers from the cRLIssuer field of the distribution point, or from the certificate if the field is not given, to the issuer criterion of the selector. The issuerPrincipals are a collection with a single X500Name for X509Certificates.
- Parameters:
  dp - The distribution point.
  issuerPrincipals - The issuers of the certificate or attribute certificate which contains the distribution point.
  selector - The CRL selector.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while processing.
  ClassCastException - if issuerPrincipals does not contain only X500Names.

getSerialNumber
private static BigInteger getSerialNumber(Object cert)

getCertStatus
protected static void getCertStatus(Date validDate, X509CRL crl, Object cert, CertStatus certStatus) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException

getDeltaCRLs
protected static Set getDeltaCRLs(Date validityDate, X509CRL completeCRL, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores) throws org.bouncycastle.jce.provider.AnnotatedException
Fetches delta CRLs according to RFC 3280 section 5.2.4.
- Parameters:
  validityDate - The date for which the delta CRLs must be valid.
  completeCRL - The complete CRL the delta CRL is for.
  certStores - a List of certificate stores
  pkixCrlStores - a List of CRL stores
- Returns:
  A Set of X509CRLs with delta CRLs.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the delta CRLs.

isDeltaCRL
private static boolean isDeltaCRL(X509CRL crl)

getCompleteCRLs
protected static Set getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, Object cert, Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) throws org.bouncycastle.jce.provider.AnnotatedException
Fetches complete CRLs according to RFC 3280.
- Parameters:
  dp - The distribution point for which the complete CRL
  cert - The X509Certificate for which the CRL should be searched.
  currentDate - The date for which the CRLs must be valid.
  paramsPKIX - The extended PKIX parameters.
- Returns:
  A Set of X509CRLs with complete CRLs.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the CRLs or no CRLs are found.

getValidCertDateFromValidityModel
protected static Date getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, CertPath certPath, int index) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException

getNextWorkingKey
protected static PublicKey getNextWorkingKey(List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws CertPathValidatorException
Return the next working key, inheriting DSA parameters if necessary.
This method inherits DSA parameters from the indexed certificate or from previous certificates in the certificate chain into the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and the previous (issuing) certificates follow it. If the indexed certificate does not contain a DSA key, this method simply returns the public key. If the DSA key already carries its own DSA parameters, the key is likewise returned unchanged.
- Parameters:
  certs - The certification path.
  index - The index of the certificate which contains the public key which should be extended with DSA parameters.
  helper - JcaJce helper
- Returns:
  The public key of the certificate in list position index, extended with DSA parameters if applicable.
- Throws:
  CertPathValidatorException - if DSA parameters cannot be inherited.
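The inheritance rule described above, as an added stand-alone illustration written for this page and not taken from the library: the class DsaParamInheritanceExample and method nextWorkingKey are hypothetical, it uses only the JDK's DSA types instead of the JcaJceHelper parameter, and it assumes, as the description states, that index 0 is the end certificate with issuers at higher indices.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.util.List;

// Hypothetical illustration of the DSA parameter-inheritance rule; not the library's code.
public final class DsaParamInheritanceExample {

    // certs.get(0) is the end-entity certificate; its issuers follow at higher indices.
    public static PublicKey nextWorkingKey(List<X509Certificate> certs, int index)
            throws CertPathValidatorException {
        PublicKey key = certs.get(index).getPublicKey();
        // A non-DSA key, or a DSA key that already carries its parameters, is returned as-is.
        if (!(key instanceof DSAPublicKey) || ((DSAPublicKey) key).getParams() != null) {
            return key;
        }
        BigInteger y = ((DSAPublicKey) key).getY();
        // Walk towards the trust anchor until an issuer's DSA key supplies p, q and g.
        for (int i = index + 1; i < certs.size(); i++) {
            PublicKey issuerKey = certs.get(i).getPublicKey();
            if (!(issuerKey instanceof DSAPublicKey)) {
                // Parameters may only be inherited from a key of the same algorithm family.
                throw new CertPathValidatorException("DSA parameters cannot be inherited");
            }
            DSAParams params = ((DSAPublicKey) issuerKey).getParams();
            if (params == null) {
                continue; // this issuer inherits too; keep walking up the chain
            }
            try {
                // Rebuild the indexed key from its own y and the inherited domain parameters.
                return KeyFactory.getInstance("DSA").generatePublic(
                        new DSAPublicKeySpec(y, params.getP(), params.getQ(), params.getG()));
            } catch (GeneralSecurityException e) {
                throw new CertPathValidatorException("cannot rebuild DSA key", e);
            }
        }
        // No certificate above the indexed one carried parameters: the key is unusable.
        throw new CertPathValidatorException("DSA parameters cannot be inherited");
    }
}
```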

findIssuerCerts
static Collection findIssuerCerts(X509Certificate cert, List<CertStore> certStores, List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores) throws org.bouncycastle.jce.provider.AnnotatedException
Find the issuer certificates of a given certificate.
- Parameters:
  cert - The certificate for which an issuer should be found.
- Returns:
  A Collection object containing the issuer X509Certificates. Never null.
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException - if an error occurs.

verifyX509Certificate
protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider) throws GeneralSecurityException
- Throws:
  GeneralSecurityException

checkCRLsNotEmpty
static void checkCRLsNotEmpty(Set crls, Object cert) throws org.bouncycastle.jce.provider.AnnotatedException
- Throws:
  org.bouncycastle.jce.provider.AnnotatedException