1 /* 2 * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.security.*; 29 import java.security.spec.*; 30 31 import javax.security.auth.x500.X500Principal; 32 33 import java.math.BigInteger; 34 import java.util.Date; 35 import java.util.Set; 36 import java.util.Arrays; 37 38 import sun.security.x509.X509CRLImpl; 39 import sun.security.util.SignatureUtil; 40 41 /** 42 * <p> 43 * Abstract class for an X.509 Certificate Revocation List (CRL). 44 * A CRL is a time-stamped list identifying revoked certificates. 45 * It is signed by a Certificate Authority (CA) and made freely 46 * available in a public repository. 47 * 48 * <p>Each revoked certificate is 49 * identified in a CRL by its certificate serial number. When a 50 * certificate-using system uses a certificate (e.g., for verifying a 51 * remote user's digital signature), that system not only checks the 52 * certificate signature and validity but also acquires a suitably- 53 * recent CRL and checks that the certificate serial number is not on 54 * that CRL. The meaning of "suitably-recent" may vary with local 55 * policy, but it usually means the most recently-issued CRL. A CA 56 * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or 57 * weekly). Entries are added to CRLs as revocations occur, and an 58 * entry may be removed when the certificate expiration date is reached. 59 * <p> 60 * The X.509 v2 CRL format is described below in ASN.1: 61 * <pre> 62 * CertificateList ::= SEQUENCE { 63 * tbsCertList TBSCertList, 64 * signatureAlgorithm AlgorithmIdentifier, 65 * signature BIT STRING } 66 * </pre> 67 * <p> 68 * More information can be found in 69 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509 70 * Public Key Infrastructure Certificate and CRL Profile</a>. 71 * <p> 72 * The ASN.1 definition of {@code tbsCertList} is: 73 * <pre> 74 * TBSCertList ::= SEQUENCE { 75 * version Version OPTIONAL, 76 * -- if present, must be v2 77 * signature AlgorithmIdentifier, 78 * issuer Name, 79 * thisUpdate ChoiceOfTime, 80 * nextUpdate ChoiceOfTime OPTIONAL, 81 * revokedCertificates SEQUENCE OF SEQUENCE { 82 * userCertificate CertificateSerialNumber, 83 * revocationDate ChoiceOfTime, 84 * crlEntryExtensions Extensions OPTIONAL 85 * -- if present, must be v2 86 * } OPTIONAL, 87 * crlExtensions [0] EXPLICIT Extensions OPTIONAL 88 * -- if present, must be v2 89 * } 90 * </pre> 91 * <p> 92 * CRLs are instantiated using a certificate factory. The following is an 93 * example of how to instantiate an X.509 CRL: 94 * <pre>{@code 95 * try (InputStream inStream = new FileInputStream("fileName-of-crl")) { 96 * CertificateFactory cf = CertificateFactory.getInstance("X.509"); 97 * X509CRL crl = (X509CRL)cf.generateCRL(inStream); 98 * } 99 * }</pre> 100 * 101 * @author Hemma Prafullchandra 102 * 103 * 104 * @see CRL 105 * @see CertificateFactory 106 * @see X509Extension 107 */ 108 109 public abstract class X509CRL extends CRL implements X509Extension { 110 111 private transient X500Principal issuerPrincipal; 112 113 /** 114 * Constructor for X.509 CRLs. 115 */ X509CRL()116 protected X509CRL() { 117 super("X.509"); 118 } 119 120 /** 121 * Compares this CRL for equality with the given 122 * object. If the {@code other} object is an 123 * {@code instanceof} {@code X509CRL}, then 124 * its encoded form is retrieved and compared with the 125 * encoded form of this CRL. 126 * 127 * @param other the object to test for equality with this CRL. 128 * 129 * @return true iff the encoded forms of the two CRLs 130 * match, false otherwise. 131 */ equals(Object other)132 public boolean equals(Object other) { 133 if (this == other) { 134 return true; 135 } 136 if (!(other instanceof X509CRL)) { 137 return false; 138 } 139 try { 140 byte[] thisCRL = X509CRLImpl.getEncodedInternal(this); 141 byte[] otherCRL = X509CRLImpl.getEncodedInternal((X509CRL)other); 142 143 return Arrays.equals(thisCRL, otherCRL); 144 } catch (CRLException e) { 145 return false; 146 } 147 } 148 149 /** 150 * Returns a hashcode value for this CRL from its 151 * encoded form. 152 * 153 * @return the hashcode value. 154 */ hashCode()155 public int hashCode() { 156 int retval = 0; 157 try { 158 byte[] crlData = X509CRLImpl.getEncodedInternal(this); 159 for (int i = 1; i < crlData.length; i++) { 160 retval += crlData[i] * i; 161 } 162 return retval; 163 } catch (CRLException e) { 164 return retval; 165 } 166 } 167 168 /** 169 * Returns the ASN.1 DER-encoded form of this CRL. 170 * 171 * @return the encoded form of this certificate 172 * @exception CRLException if an encoding error occurs. 173 */ getEncoded()174 public abstract byte[] getEncoded() 175 throws CRLException; 176 177 /** 178 * Verifies that this CRL was signed using the 179 * private key that corresponds to the given public key. 180 * 181 * @param key the PublicKey used to carry out the verification. 182 * 183 * @exception NoSuchAlgorithmException on unsupported signature 184 * algorithms. 185 * @exception InvalidKeyException on incorrect key. 186 * @exception NoSuchProviderException if there's no default provider. 187 * @exception SignatureException on signature errors. 188 * @exception CRLException on encoding errors. 189 */ verify(PublicKey key)190 public abstract void verify(PublicKey key) 191 throws CRLException, NoSuchAlgorithmException, 192 InvalidKeyException, NoSuchProviderException, 193 SignatureException; 194 195 /** 196 * Verifies that this CRL was signed using the 197 * private key that corresponds to the given public key. 198 * This method uses the signature verification engine 199 * supplied by the given provider. 200 * 201 * @param key the PublicKey used to carry out the verification. 202 * @param sigProvider the name of the signature provider. 203 * 204 * @exception NoSuchAlgorithmException on unsupported signature 205 * algorithms. 206 * @exception InvalidKeyException on incorrect key. 207 * @exception NoSuchProviderException on incorrect provider. 208 * @exception SignatureException on signature errors. 209 * @exception CRLException on encoding errors. 210 */ verify(PublicKey key, String sigProvider)211 public abstract void verify(PublicKey key, String sigProvider) 212 throws CRLException, NoSuchAlgorithmException, 213 InvalidKeyException, NoSuchProviderException, 214 SignatureException; 215 216 /** 217 * Verifies that this CRL was signed using the 218 * private key that corresponds to the given public key. 219 * This method uses the signature verification engine 220 * supplied by the given provider. Note that the specified Provider object 221 * does not have to be registered in the provider list. 222 * 223 * This method was added to version 1.8 of the Java Platform Standard 224 * Edition. In order to maintain backwards compatibility with existing 225 * service providers, this method is not {@code abstract} 226 * and it provides a default implementation. 227 * 228 * @param key the PublicKey used to carry out the verification. 229 * @param sigProvider the signature provider. 230 * 231 * @exception NoSuchAlgorithmException on unsupported signature 232 * algorithms. 233 * @exception InvalidKeyException on incorrect key. 234 * @exception SignatureException on signature errors. 235 * @exception CRLException on encoding errors. 236 * @since 1.8 237 */ verify(PublicKey key, Provider sigProvider)238 public void verify(PublicKey key, Provider sigProvider) 239 throws CRLException, NoSuchAlgorithmException, 240 InvalidKeyException, SignatureException { 241 String sigAlgName = getSigAlgName(); 242 Signature sig = (sigProvider == null) 243 ? Signature.getInstance(sigAlgName) 244 : Signature.getInstance(sigAlgName, sigProvider); 245 246 try { 247 byte[] paramBytes = getSigAlgParams(); 248 SignatureUtil.initVerifyWithParam(sig, key, 249 SignatureUtil.getParamSpec(sigAlgName, paramBytes)); 250 } catch (ProviderException e) { 251 throw new CRLException(e.getMessage(), e.getCause()); 252 } catch (InvalidAlgorithmParameterException e) { 253 throw new CRLException(e); 254 } 255 256 byte[] tbsCRL = getTBSCertList(); 257 sig.update(tbsCRL, 0, tbsCRL.length); 258 259 if (sig.verify(getSignature()) == false) { 260 throw new SignatureException("Signature does not match."); 261 } 262 } 263 264 /** 265 * Gets the {@code version} (version number) value from the CRL. 266 * The ASN.1 definition for this is: 267 * <pre> 268 * version Version OPTIONAL, 269 * -- if present, must be v2 270 * 271 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 272 * -- v3 does not apply to CRLs but appears for consistency 273 * -- with definition of Version for certs 274 * </pre> 275 * 276 * @return the version number, i.e. 1 or 2. 277 */ getVersion()278 public abstract int getVersion(); 279 280 /** 281 * <strong>Denigrated</strong>, replaced by {@linkplain 282 * #getIssuerX500Principal()}. This method returns the {@code issuer} 283 * as an implementation specific Principal object, which should not be 284 * relied upon by portable code. 285 * 286 * <p> 287 * Gets the {@code issuer} (issuer distinguished name) value from 288 * the CRL. The issuer name identifies the entity that signed (and 289 * issued) the CRL. 290 * 291 * <p>The issuer name field contains an 292 * X.500 distinguished name (DN). 293 * The ASN.1 definition for this is: 294 * <pre> 295 * issuer Name 296 * 297 * Name ::= CHOICE { RDNSequence } 298 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 299 * RelativeDistinguishedName ::= 300 * SET OF AttributeValueAssertion 301 * 302 * AttributeValueAssertion ::= SEQUENCE { 303 * AttributeType, 304 * AttributeValue } 305 * AttributeType ::= OBJECT IDENTIFIER 306 * AttributeValue ::= ANY 307 * </pre> 308 * The {@code Name} describes a hierarchical name composed of 309 * attributes, 310 * such as country name, and corresponding values, such as US. 311 * The type of the {@code AttributeValue} component is determined by 312 * the {@code AttributeType}; in general it will be a 313 * {@code directoryString}. A {@code directoryString} is usually 314 * one of {@code PrintableString}, 315 * {@code TeletexString} or {@code UniversalString}. 316 * 317 * @return a Principal whose name is the issuer distinguished name. 318 */ getIssuerDN()319 public abstract Principal getIssuerDN(); 320 321 /** 322 * Returns the issuer (issuer distinguished name) value from the 323 * CRL as an {@code X500Principal}. 324 * <p> 325 * It is recommended that subclasses override this method. 326 * 327 * @return an {@code X500Principal} representing the issuer 328 * distinguished name 329 * @since 1.4 330 */ getIssuerX500Principal()331 public X500Principal getIssuerX500Principal() { 332 if (issuerPrincipal == null) { 333 issuerPrincipal = X509CRLImpl.getIssuerX500Principal(this); 334 } 335 return issuerPrincipal; 336 } 337 338 /** 339 * Gets the {@code thisUpdate} date from the CRL. 340 * The ASN.1 definition for this is: 341 * <pre> 342 * thisUpdate ChoiceOfTime 343 * ChoiceOfTime ::= CHOICE { 344 * utcTime UTCTime, 345 * generalTime GeneralizedTime } 346 * </pre> 347 * 348 * @return the {@code thisUpdate} date from the CRL. 349 */ getThisUpdate()350 public abstract Date getThisUpdate(); 351 352 /** 353 * Gets the {@code nextUpdate} date from the CRL. 354 * 355 * @return the {@code nextUpdate} date from the CRL, or null if 356 * not present. 357 */ getNextUpdate()358 public abstract Date getNextUpdate(); 359 360 /** 361 * Gets the CRL entry, if any, with the given certificate serialNumber. 362 * 363 * @param serialNumber the serial number of the certificate for which a CRL entry 364 * is to be looked up 365 * @return the entry with the given serial number, or null if no such entry 366 * exists in this CRL. 367 * @see X509CRLEntry 368 */ 369 public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber)370 getRevokedCertificate(BigInteger serialNumber); 371 372 /** 373 * Get the CRL entry, if any, for the given certificate. 374 * 375 * <p>This method can be used to lookup CRL entries in indirect CRLs, 376 * that means CRLs that contain entries from issuers other than the CRL 377 * issuer. The default implementation will only return entries for 378 * certificates issued by the CRL issuer. Subclasses that wish to 379 * support indirect CRLs should override this method. 380 * 381 * @param certificate the certificate for which a CRL entry is to be looked 382 * up 383 * @return the entry for the given certificate, or null if no such entry 384 * exists in this CRL. 385 * @exception NullPointerException if certificate is null 386 * 387 * @since 1.5 388 */ getRevokedCertificate(X509Certificate certificate)389 public X509CRLEntry getRevokedCertificate(X509Certificate certificate) { 390 X500Principal certIssuer = certificate.getIssuerX500Principal(); 391 X500Principal crlIssuer = getIssuerX500Principal(); 392 if (certIssuer.equals(crlIssuer) == false) { 393 return null; 394 } 395 return getRevokedCertificate(certificate.getSerialNumber()); 396 } 397 398 /** 399 * Gets all the entries from this CRL. 400 * This returns a Set of X509CRLEntry objects. 401 * 402 * @return all the entries or null if there are none present. 403 * @see X509CRLEntry 404 */ getRevokedCertificates()405 public abstract Set<? extends X509CRLEntry> getRevokedCertificates(); 406 407 /** 408 * Gets the DER-encoded CRL information, the 409 * {@code tbsCertList} from this CRL. 410 * This can be used to verify the signature independently. 411 * 412 * @return the DER-encoded CRL information. 413 * @exception CRLException if an encoding error occurs. 414 */ getTBSCertList()415 public abstract byte[] getTBSCertList() throws CRLException; 416 417 /** 418 * Gets the {@code signature} value (the raw signature bits) from 419 * the CRL. 420 * The ASN.1 definition for this is: 421 * <pre> 422 * signature BIT STRING 423 * </pre> 424 * 425 * @return the signature. 426 */ getSignature()427 public abstract byte[] getSignature(); 428 429 /** 430 * Gets the signature algorithm name for the CRL 431 * signature algorithm. An example is the string "SHA256withRSA". 432 * The ASN.1 definition for this is: 433 * <pre> 434 * signatureAlgorithm AlgorithmIdentifier 435 * 436 * AlgorithmIdentifier ::= SEQUENCE { 437 * algorithm OBJECT IDENTIFIER, 438 * parameters ANY DEFINED BY algorithm OPTIONAL } 439 * -- contains a value of the type 440 * -- registered for use with the 441 * -- algorithm object identifier value 442 * </pre> 443 * 444 * <p>The algorithm name is determined from the {@code algorithm} 445 * OID string. 446 * 447 * @return the signature algorithm name. 448 */ getSigAlgName()449 public abstract String getSigAlgName(); 450 451 /** 452 * Gets the signature algorithm OID string from the CRL. 453 * An OID is represented by a set of nonnegative whole numbers separated 454 * by periods. 455 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1 456 * with DSA signature algorithm defined in 457 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and 458 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate 459 * and CRL Profile</a>. 460 * 461 * <p>See {@link #getSigAlgName() getSigAlgName} for 462 * relevant ASN.1 definitions. 463 * 464 * @return the signature algorithm OID string. 465 */ getSigAlgOID()466 public abstract String getSigAlgOID(); 467 468 /** 469 * Gets the DER-encoded signature algorithm parameters from this 470 * CRL's signature algorithm. In most cases, the signature 471 * algorithm parameters are null; the parameters are usually 472 * supplied with the public key. 473 * If access to individual parameter values is needed then use 474 * {@link java.security.AlgorithmParameters AlgorithmParameters} 475 * and instantiate with the name returned by 476 * {@link #getSigAlgName() getSigAlgName}. 477 * 478 * <p>See {@link #getSigAlgName() getSigAlgName} for 479 * relevant ASN.1 definitions. 480 * 481 * @return the DER-encoded signature algorithm parameters, or 482 * null if no parameters are present. 483 */ getSigAlgParams()484 public abstract byte[] getSigAlgParams(); 485 } 486