Package eu.emi.security.authn.x509.helpers.pkipath.bc

Class CertPathValidatorUtilities

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      (package private) static void checkCRLsNotEmpty​(java.util.Set crls, java.lang.Object cert)  
      protected static java.util.Collection findCertificates​(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores)
      Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.
      (package private) static java.util.Collection findIssuerCerts​(java.security.cert.X509Certificate cert, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores)
      Find the issuer certificates of a given certificate.
      protected static java.security.cert.TrustAnchor findTrustAnchor​(java.security.cert.X509Certificate cert, java.util.Set trustAnchors)
      Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
      protected static java.security.cert.TrustAnchor findTrustAnchor​(java.security.cert.X509Certificate cert, java.util.Set trustAnchors, java.lang.String sigProvider)
      Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate.
      (package private) static java.util.List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames​(byte[] issuerAlternativeName, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,​org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap)  
      (package private) static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint​(org.bouncycastle.asn1.x509.CRLDistPoint crldp, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,​org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap)  
      protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier​(java.security.PublicKey key)  
      protected static void getCertStatus​(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, CertStatus certStatus)  
      protected static java.util.Set getCompleteCRLs​(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
      Fetches complete CRLs according to RFC 3280.
      protected static void getCRLIssuersFromDistributionPoint​(org.bouncycastle.asn1.x509.DistributionPoint dp, java.util.Collection issuerPrincipals, java.security.cert.X509CRLSelector selector)
      Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of the selector.
      protected static java.util.Set getDeltaCRLs​(java.util.Date validityDate, java.security.cert.X509CRL completeCRL, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
      Fetches delta CRLs according to RFC 3280 section 5.2.4.
      protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue​(java.security.cert.X509Extension ext, java.lang.String oid)
      Extract the value of the given extension, if it exists.
      protected static java.security.PublicKey getNextWorkingKey​(java.util.List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper)
      Return the next working key inheriting DSA parameters if necessary.
      private static org.bouncycastle.asn1.ASN1Primitive getObject​(java.lang.String oid, byte[] ext)  
      protected static java.util.Set getQualifierSet​(org.bouncycastle.asn1.ASN1Sequence qualifiers)  
      private static java.math.BigInteger getSerialNumber​(java.lang.Object cert)  
      protected static java.util.Date getValidCertDateFromValidityModel​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.CertPath certPath, int index)  
      protected static java.util.Date getValidDate​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)  
      protected static boolean isAnyPolicy​(java.util.Set policySet)  
      private static boolean isDeltaCRL​(java.security.cert.X509CRL crl)  
      protected static boolean isSelfIssued​(java.security.cert.X509Certificate cert)  
      protected static void prepareNextCertB1​(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert)  
      protected static PKIXPolicyNode prepareNextCertB2​(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)  
      protected static boolean processCertD1i​(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)  
      protected static void processCertD1ii​(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)  
      protected static PKIXPolicyNode removePolicyNode​(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)  
      private static void removePolicyNodeRecurse​(java.util.List[] policyNodes, PKIXPolicyNode _node)  
      protected static void verifyX509Certificate​(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider)  

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • CRL_UTIL

        protected static final PKIXCRLUtil CRL_UTIL

      • CERTIFICATE_POLICIES

        protected static final java.lang.String CERTIFICATE_POLICIES

      • BASIC_CONSTRAINTS

        protected static final java.lang.String BASIC_CONSTRAINTS

      • POLICY_MAPPINGS

        protected static final java.lang.String POLICY_MAPPINGS

      • SUBJECT_ALTERNATIVE_NAME

        protected static final java.lang.String SUBJECT_ALTERNATIVE_NAME

      • NAME_CONSTRAINTS

        protected static final java.lang.String NAME_CONSTRAINTS

      • KEY_USAGE

        protected static final java.lang.String KEY_USAGE

      • INHIBIT_ANY_POLICY

        protected static final java.lang.String INHIBIT_ANY_POLICY

      • ISSUING_DISTRIBUTION_POINT

        protected static final java.lang.String ISSUING_DISTRIBUTION_POINT

      • DELTA_CRL_INDICATOR

        protected static final java.lang.String DELTA_CRL_INDICATOR

      • POLICY_CONSTRAINTS

        protected static final java.lang.String POLICY_CONSTRAINTS

      • FRESHEST_CRL

        protected static final java.lang.String FRESHEST_CRL

      • CRL_DISTRIBUTION_POINTS

        protected static final java.lang.String CRL_DISTRIBUTION_POINTS

      • AUTHORITY_KEY_IDENTIFIER

        protected static final java.lang.String AUTHORITY_KEY_IDENTIFIER

      • CRL_NUMBER

        protected static final java.lang.String CRL_NUMBER

      • crlReasons

        protected static final java.lang.String[] crlReasons

    • Constructor Detail

      • CertPathValidatorUtilities

        CertPathValidatorUtilities()

    • Method Detail

      • findTrustAnchor

        protected static java.security.cert.TrustAnchor findTrustAnchor​(java.security.cert.X509Certificate cert,
                                                                java.util.Set trustAnchors)
                                                         throws org.bouncycastle.jce.provider.AnnotatedException
        Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.
        Parameters:
        cert - the X509 certificate
        trustAnchors - a Set of TrustAnchor's
        Returns:
        the TrustAnchor object if found or null if not.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

      • findTrustAnchor

        protected static java.security.cert.TrustAnchor findTrustAnchor​(java.security.cert.X509Certificate cert,
                                                                java.util.Set trustAnchors,
                                                                java.lang.String sigProvider)
                                                         throws org.bouncycastle.jce.provider.AnnotatedException
        Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if null.
        Parameters:
        cert - the X509 certificate
        trustAnchors - a Set of TrustAnchor's
        sigProvider - the provider to use for signature verification
        Returns:
        the TrustAnchor object if found or null if not.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

      • getAdditionalStoresFromAltNames

        static java.util.List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames​(byte[] issuerAlternativeName,
                                                                                             java.util.Map<org.bouncycastle.asn1.x509.GeneralName,​org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap)
                                                                                      throws java.security.cert.CertificateParsingException
        Throws:
        java.security.cert.CertificateParsingException

      • getValidDate

        protected static java.util.Date getValidDate​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)

      • isSelfIssued

        protected static boolean isSelfIssued​(java.security.cert.X509Certificate cert)

      • getExtensionValue

        protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue​(java.security.cert.X509Extension ext,
                                                                       java.lang.String oid)
                                                                throws org.bouncycastle.jce.provider.AnnotatedException
        Extract the value of the given extension, if it exists.
        Parameters:
        ext - The extension object.
        oid - The object identifier to obtain.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if the extension cannot be read.

      • getObject

        private static org.bouncycastle.asn1.ASN1Primitive getObject​(java.lang.String oid,
                                                             byte[] ext)
                                                      throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException

      • getAlgorithmIdentifier

        protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier​(java.security.PublicKey key)
                                                                                throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • getQualifierSet

        protected static final java.util.Set getQualifierSet​(org.bouncycastle.asn1.ASN1Sequence qualifiers)
                                              throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • removePolicyNodeRecurse

        private static void removePolicyNodeRecurse​(java.util.List[] policyNodes,
                                            PKIXPolicyNode _node)

      • processCertD1i

        protected static boolean processCertD1i​(int index,
                                        java.util.List[] policyNodes,
                                        org.bouncycastle.asn1.ASN1ObjectIdentifier pOid,
                                        java.util.Set pq)

      • processCertD1ii

        protected static void processCertD1ii​(int index,
                                      java.util.List[] policyNodes,
                                      org.bouncycastle.asn1.ASN1ObjectIdentifier _poid,
                                      java.util.Set _pq)

      • prepareNextCertB1

        protected static void prepareNextCertB1​(int i,
                                        java.util.List[] policyNodes,
                                        java.lang.String id_p,
                                        java.util.Map m_idp,
                                        java.security.cert.X509Certificate cert)
                                 throws org.bouncycastle.jce.provider.AnnotatedException,
                                        java.security.cert.CertPathValidatorException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException
        java.security.cert.CertPathValidatorException

      • prepareNextCertB2

        protected static PKIXPolicyNode prepareNextCertB2​(int i,
                                                  java.util.List[] policyNodes,
                                                  java.lang.String id_p,
                                                  PKIXPolicyNode validPolicyTree)

      • isAnyPolicy

        protected static boolean isAnyPolicy​(java.util.Set policySet)

      • findCertificates

        protected static java.util.Collection findCertificates​(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect,
                                                       java.util.List certStores)
                                                throws org.bouncycastle.jce.provider.AnnotatedException
        Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.
        Parameters:
        certSelect - a Selector object that will be used to select the certificates
        certStores - a List containing only Store objects. These are used to search for certificates.
        Returns:
        a Collection of all found X509Certificate May be empty but never null.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - annotated exception

      • getAdditionalStoresFromCRLDistributionPoint

        static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint​(org.bouncycastle.asn1.x509.CRLDistPoint crldp,
                                                                                                        java.util.Map<org.bouncycastle.asn1.x509.GeneralName,​org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap)
                                                                                                 throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException

      • getCRLIssuersFromDistributionPoint

        protected static void getCRLIssuersFromDistributionPoint​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                                         java.util.Collection issuerPrincipals,
                                                         java.security.cert.X509CRLSelector selector)
                                                  throws org.bouncycastle.jce.provider.AnnotatedException
        Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of the selector.

        The issuerPrincipals are a collection with a single X500Name for X509Certificates.

        Parameters:
        dp - The distribution point.
        issuerPrincipals - The issuers of the certificate or attribute certificate which contains the distribution point.
        selector - The CRL selector.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while processing.
        java.lang.ClassCastException - if issuerPrincipals does not contain only X500Names.

      • getSerialNumber

        private static java.math.BigInteger getSerialNumber​(java.lang.Object cert)

      • getCertStatus

        protected static void getCertStatus​(java.util.Date validDate,
                                    java.security.cert.X509CRL crl,
                                    java.lang.Object cert,
                                    CertStatus certStatus)
                             throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException

      • getDeltaCRLs

        protected static java.util.Set getDeltaCRLs​(java.util.Date validityDate,
                                            java.security.cert.X509CRL completeCRL,
                                            java.util.List<java.security.cert.CertStore> certStores,
                                            java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
                                     throws org.bouncycastle.jce.provider.AnnotatedException
        Fetches delta CRLs according to RFC 3280 section 5.2.4.
        Parameters:
        validityDate - The date for which the delta CRLs must be valid.
        completeCRL - The complete CRL the delta CRL is for.
        certStores - a List of certificate stores
        pkixCrlStores - a List of CRL stores
        Returns:
        A Set of X509CRLs with delta CRLs.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the delta CRLs.

      • isDeltaCRL

        private static boolean isDeltaCRL​(java.security.cert.X509CRL crl)

      • getCompleteCRLs

        protected static java.util.Set getCompleteCRLs​(org.bouncycastle.asn1.x509.DistributionPoint dp,
                                               java.lang.Object cert,
                                               java.util.Date currentDate,
                                               org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
                                        throws org.bouncycastle.jce.provider.AnnotatedException
        Fetches complete CRLs according to RFC 3280.
        Parameters:
        dp - The distribution point for which the complete CRL
        cert - The X509Certificate for which the CRL should be searched.
        currentDate - The date for which the delta CRLs must be valid.
        paramsPKIX - The extended PKIX parameters.
        Returns:
        A Set of X509CRLs with complete CRLs.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the CRLs or no CRLs are found.

      • getValidCertDateFromValidityModel

        protected static java.util.Date getValidCertDateFromValidityModel​(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
                                                                  java.security.cert.CertPath certPath,
                                                                  int index)
                                                           throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException

      • getNextWorkingKey

        protected static java.security.PublicKey getNextWorkingKey​(java.util.List certs,
                                                           int index,
                                                           org.bouncycastle.jcajce.util.JcaJceHelper helper)
                                                    throws java.security.cert.CertPathValidatorException
        Return the next working key inheriting DSA parameters if necessary.

        This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.

        If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.

        Parameters:
        certs - The certification path.
        index - The index of the certificate which contains the public key which should be extended with DSA parameters.
        helper - JcaJce helper
        Returns:
        The public key of the certificate in list position index extended with DSA parameters if applicable.
        Throws:
        java.security.cert.CertPathValidatorException - if DSA parameters cannot be inherited.

      • findIssuerCerts

        static java.util.Collection findIssuerCerts​(java.security.cert.X509Certificate cert,
                                            java.util.List<java.security.cert.CertStore> certStores,
                                            java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores)
                                     throws org.bouncycastle.jce.provider.AnnotatedException
        Find the issuer certificates of a given certificate.
        Parameters:
        cert - The certificate for which an issuer should be found.
        Returns:
        A Collection object containing the issuer X509Certificates. Never null.
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException - if an error occurs.

      • verifyX509Certificate

        protected static void verifyX509Certificate​(java.security.cert.X509Certificate cert,
                                            java.security.PublicKey publicKey,
                                            java.lang.String sigProvider)
                                     throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • checkCRLsNotEmpty

        static void checkCRLsNotEmpty​(java.util.Set crls,
                              java.lang.Object cert)
                       throws org.bouncycastle.jce.provider.AnnotatedException
        Throws:
        org.bouncycastle.jce.provider.AnnotatedException