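/* X509CRL.java --- X.509 Certificate Revocation List
   Copyright (C) 1999, 2004 Free Software Foundation, Inc.

This file is part of GNU Classpath.

GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU Classpath; see the file COPYING.  If not, write to the
Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.

Linking this library statically or dynamically with other modules is
making a combined work based on this library.  Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.

As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module.  An independent module is a module which is not derived from
or based on this library.  If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so.  If you do not wish to do so, delete this
exception statement from your version. */


package java.security.cert;

import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

/**
   The X509CRL class is the abstract class used to manage
   X.509 Certificate Revocation Lists. The CRL is a list of
   time stamped entries which indicate which certificates have been
   revoked. The list is signed by a Certificate Authority (CA)
   and made publicly available in a repository.

   Each revoked certificate in the CRL is identified by its
   certificate serial number. When a piece of code uses a
   certificate, the certificate's validity is checked by
   validating its signature and determining that it is not
   listed on a recently acquired CRL. How recent the CRL must be
   depends on the local policy in effect. The CA issues
   a new CRL periodically and entries are removed as the
   certificate expiration date is reached.

   Note that {@link #equals(Object)} and {@link #hashCode()} operate on
   the DER encoding only; neither of them verifies the CRL's signature.
   A CRL must be verified with one of the {@code verify} methods before
   its contents are relied on for a revocation decision.

   A description of the X.509 v2 CRL follows below from rfc2459.

   "The X.509 v2 CRL syntax is as follows.  For signature calculation,
   the data that is to be signed is ASN.1 DER encoded.  ASN.1 DER
   encoding is a tag, length, value encoding system for each element.

   CertificateList  ::=  SEQUENCE  {
        tbsCertList          TBSCertList,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   TBSCertList  ::=  SEQUENCE  {
        version                 Version OPTIONAL,
                                     -- if present, shall be v2
        signature               AlgorithmIdentifier,
        issuer                  Name,
        thisUpdate              Time,
        nextUpdate              Time OPTIONAL,
        revokedCertificates     SEQUENCE OF SEQUENCE  {
             userCertificate         CertificateSerialNumber,
             revocationDate          Time,
             crlEntryExtensions      Extensions OPTIONAL
                                           -- if present, shall be v2
                                  }  OPTIONAL,
        crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                           -- if present, shall be v2
                                  }"

   @author Mark Benvenuto

   @since 1.2
*/
public abstract class X509CRL extends CRL implements X509Extension
{

  /**
     Constructs a new X509CRL of type "X.509".
  */
  protected X509CRL()
  {
    super("X.509");
  }

  /**
     Compares this X509CRL to other. It checks whether the
     object is an instance of X509CRL and then whether the
     DER encoded forms of both CRLs are identical.

     Equality is purely structural: it says nothing about whether
     either CRL carries a valid signature. A CRL whose encoding
     cannot be produced (getEncoded throws CRLException) is reported
     as unequal to every other object, but equal to itself, so that
     the equals contract remains reflexive.

     @param other An Object to test for equality

     @return true if equal, false otherwise
  */
  @Override
  public boolean equals(Object other)
  {
    if (this == other)
      return true;
    if (!(other instanceof X509CRL))
      return false;
    try
      {
        // Fetch each encoding exactly once; an implementation may
        // re-encode on every call.
        byte[] thisEncoded = getEncoded();
        byte[] otherEncoded = ((X509CRL) other).getEncoded();
        return Arrays.equals(thisEncoded, otherEncoded);
      }
    catch (CRLException crle)
      {
        // No canonical form to compare, so deliberately report "not
        // equal" instead of propagating the error out of equals().
        return false;
      }
  }

  /**
     Returns a hash code for this X509CRL computed from its DER
     encoded form, so that two CRLs which compare equal under
     {@link #equals(Object)} also hash alike.

     If the encoding cannot be produced, 0 is returned; equals()
     treats such a CRL as unequal to every other object, so the
     equals/hashCode contract still holds.

     @return A hash code of this CRL's encoding
  */
  @Override
  public int hashCode()
  {
    try
      {
        return Arrays.hashCode(getEncoded());
      }
    catch (CRLException crle)
      {
        return 0;
      }
  }

  /**
     Gets the DER ASN.1 encoded format for this X.509 CRL.

     @return byte array containing the encoded form

     @throws CRLException if an error occurs
  */
  public abstract byte[] getEncoded() throws CRLException;

  /**
     Verifies that this CRL was properly signed with the
     PublicKey that corresponds to its private key.

     @param key PublicKey to verify with

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException no provider
     @throws SignatureException signature error
  */
  public abstract void verify(PublicKey key)
    throws CRLException,
           NoSuchAlgorithmException,
           InvalidKeyException,
           NoSuchProviderException,
           SignatureException;

  /**
     Verifies that this CRL was properly signed with the
     PublicKey that corresponds to its private key and uses
     the signature engine provided by the provider.

     @param key PublicKey to verify with
     @param sigProvider Provider to use for signature algorithm

     @throws CRLException encoding error
     @throws NoSuchAlgorithmException unsupported algorithm
     @throws InvalidKeyException incorrect key
     @throws NoSuchProviderException incorrect provider
     @throws SignatureException signature error
  */
  public abstract void verify(PublicKey key,
                              String sigProvider)
    throws CRLException,
           NoSuchAlgorithmException,
           InvalidKeyException,
           NoSuchProviderException,
           SignatureException;

  /**
     Gets the version of this CRL.

     The ASN.1 encoding is:

     version                 Version OPTIONAL,
                                 -- if present, shall be v2

     Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

     Consult rfc2459 for more information.

     @return the version number, Ex: 1 or 2
  */
  public abstract int getVersion();

  /**
     Returns the issuer (issuer distinguished name) of the CRL.
     The issuer is the entity who signed and issued the
     Certificate Revocation List.

     The ASN.1 DER encoding is:

     issuer                  Name,

     Name ::= CHOICE {
       RDNSequence }

     RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

     RelativeDistinguishedName ::=
       SET OF AttributeTypeAndValue

     AttributeTypeAndValue ::= SEQUENCE {
       type     AttributeType,
       value    AttributeValue }

     AttributeType ::= OBJECT IDENTIFIER

     AttributeValue ::= ANY DEFINED BY AttributeType

     DirectoryString ::= CHOICE {
       teletexString           TeletexString (SIZE (1..MAX)),
       printableString         PrintableString (SIZE (1..MAX)),
       universalString         UniversalString (SIZE (1..MAX)),
       utf8String              UTF8String (SIZE (1.. MAX)),
       bmpString               BMPString (SIZE (1..MAX)) }

     Consult rfc2459 for more information.

     @return the issuer in the Principal class
  */
  public abstract Principal getIssuerDN();

  /**
     Returns the thisUpdate date of the CRL, i.e. the time at which
     this list was issued.

     The ASN.1 DER encoding is:

     thisUpdate              Time,

     Time ::= CHOICE {
       utcTime        UTCTime,
       generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the thisUpdate date
  */
  public abstract Date getThisUpdate();

  /**
     Gets the nextUpdate field, the time by which the issuer expects
     to have published a newer CRL.

     The field is OPTIONAL in the CRL syntax, so implementations may
     return null when it is absent. A CRL whose nextUpdate has already
     passed should be treated as stale by relying code.

     The ASN.1 DER encoding is:

     nextUpdate              Time OPTIONAL,

     Time ::= CHOICE {
       utcTime        UTCTime,
       generalTime    GeneralizedTime }

     Consult rfc2459 for more information.

     @return the nextUpdate date
  */
  public abstract Date getNextUpdate();

  /**
     Gets the requested X509CRLEntry for the specified
     certificate serial number.

     @param serialNumber the serial number of the certificate to look up

     @return a X509CRLEntry representing the X.509 CRL entry, or
             null if no entry with that serial number is on this list
  */
  public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);

  /**
     Returns a Set of revoked certificates.

     @return a set of revoked certificates.
  */
  public abstract Set<? extends X509CRLEntry> getRevokedCertificates();

  /**
     Returns the DER ASN.1 encoded tbsCertList which is
     the basic information of the list and associated certificates
     in the encoded state. See top for more information.

     The ASN.1 DER encoding is:

     tbsCertList          TBSCertList,

     Consult rfc2459 for more information.

     @return byte array representing tbsCertList

     @throws CRLException if an encoding error occurs
  */
  public abstract byte[] getTBSCertList() throws CRLException;


  /**
     Returns the signature for the CRL.

     The ASN.1 DER encoding is:

     signatureValue       BIT STRING

     Consult rfc2459 for more information.

     @return byte array containing the raw signature value
  */
  public abstract byte[] getSignature();

  /**
     Returns the signature algorithm used to sign the CRL.
     An example is "SHA-1/DSA".

     The ASN.1 DER encoding is:

     signatureAlgorithm   AlgorithmIdentifier,

     AlgorithmIdentifier  ::=  SEQUENCE  {
       algorithm               OBJECT IDENTIFIER,
       parameters              ANY DEFINED BY algorithm OPTIONAL  }

     Consult rfc2459 for more information.

     The algorithm name is determined from the OID.

     @return a string with the signature algorithm name
  */
  public abstract String getSigAlgName();

  /**
     Returns the OID for the signature algorithm used.
     Example: "1.2.840.10040.4.3" is returned for SHA-1 with DSA.

     The ASN.1 DER encoding for the example is:

     id-dsa-with-sha1 ID  ::=  {
       iso(1) member-body(2) us(840) x9-57 (10040)
       x9cm(4) 3 }

     Consult rfc2459 for more information.

     @return a string containing the OID.
  */
  public abstract String getSigAlgOID();

  /**
     Returns the AlgorithmParameters in the encoded form
     for the signature algorithm used.

     If access to the parameters is needed, create an
     instance of AlgorithmParameters.

     @return byte array containing algorithm parameters, null
             if no parameters are present in CRL
  */
  public abstract byte[] getSigAlgParams();

  // 1.4 instance methods.
  // ------------------------------------------------------------------------

  /**
   * Returns the X.500 distinguished name of this CRL's issuer.
   *
   * This base implementation does not parse the issuer and always
   * throws UnsupportedOperationException; concrete subclasses are
   * expected to override it.
   *
   * @return The issuer's X.500 distinguished name.
   * @throws UnsupportedOperationException always, unless overridden
   * @since JDK 1.4
   */
  public X500Principal getIssuerX500Principal()
  {
    throw new UnsupportedOperationException();
  }
}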