/*

 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package java.security.cert;

import java.security.NoSuchAlgorithmException;

import java.security.NoSuchProviderException;

import java.security.InvalidKeyException;

import java.security.SignatureException;

import java.security.Principal;

import java.security.Provider;

import java.security.PublicKey;

import java.security.Signature;

import javax.security.auth.x500.X500Principal;

import java.math.BigInteger;

import java.util.Date;

import java.util.Set;

import java.util.Arrays;

import sun.security.x509.X509CRLImpl;

/**

 * <p>

 * Abstract class for an X.509 Certificate Revocation List (CRL).

 * A CRL is a time-stamped list identifying revoked certificates.

 * It is signed by a Certificate Authority (CA) and made freely

 * available in a public repository.

 *

 * <p>Each revoked certificate is

 * identified in a CRL by its certificate serial number. When a

 * certificate-using system uses a certificate (e.g., for verifying a

 * remote user's digital signature), that system not only checks the

 * certificate signature and validity but also acquires a suitably-

 * recent CRL and checks that the certificate serial number is not on

 * that CRL.  The meaning of "suitably-recent" may vary with local

 * policy, but it usually means the most recently-issued CRL.  A CA

 * issues a new CRL on a regular periodic basis (e.g., hourly, daily, or

 * weekly).  Entries are added to CRLs as revocations occur, and an

 * entry may be removed when the certificate expiration date is reached.

 * <p>

 * The X.509 v2 CRL format is described below in ASN.1:

 * <pre>

 * CertificateList  ::=  SEQUENCE  {

 *     tbsCertList          TBSCertList,

 *     signatureAlgorithm   AlgorithmIdentifier,

 *     signature            BIT STRING  }

 * </pre>

 * <p>

 * More information can be found in

 * <a href="http://tools.ietf.org/html/rfc5280">RFC 5280: Internet X.509

 * Public Key Infrastructure Certificate and CRL Profile</a>.

 * <p>

 * The ASN.1 definition of {@code tbsCertList} is:

 * <pre>

 * TBSCertList  ::=  SEQUENCE  {

 *     version                 Version OPTIONAL,

 *                             -- if present, must be v2

 *     signature               AlgorithmIdentifier,

 *     issuer                  Name,

 *     thisUpdate              ChoiceOfTime,

 *     nextUpdate              ChoiceOfTime OPTIONAL,

 *     revokedCertificates     SEQUENCE OF SEQUENCE  {

 *         userCertificate         CertificateSerialNumber,

 *         revocationDate          ChoiceOfTime,

 *         crlEntryExtensions      Extensions OPTIONAL

 *                                 -- if present, must be v2

 *         }  OPTIONAL,

 *     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

 *                                  -- if present, must be v2

 *     }

 * </pre>

 * <p>

 * CRLs are instantiated using a certificate factory. The following is an

 * example of how to instantiate an X.509 CRL:

 * <pre>{@code

 * try (InputStream inStream = new FileInputStream("fileName-of-crl")) {

 *     CertificateFactory cf = CertificateFactory.getInstance("X.509");

 *     X509CRL crl = (X509CRL)cf.generateCRL(inStream);

 * }

 * }</pre>

 *

 * @author Hemma Prafullchandra

 * @since 1.2

 *

 *

 * @see CRL

 * @see CertificateFactory

 * @see X509Extension

 */

public abstract class X509CRL extends CRL implements X509Extension {

    private transient X500Principal issuerPrincipal;

    /**

     * Constructor for X.509 CRLs.

     */

    protected X509CRL() {

        super("X.509");

    }

    /**

     * Compares this CRL for equality with the given

     * object. If the {@code other} object is an

     * {@code instanceof} {@code X509CRL}, then

     * its encoded form is retrieved and compared with the

     * encoded form of this CRL.

     *

     * @param other the object to test for equality with this CRL.

     *

     * @return true iff the encoded forms of the two CRLs

     * match, false otherwise.

     */

    public boolean equals(Object other) {

        if (this == other) {

            return true;

        }

        if (!(other instanceof X509CRL)) {

            return false;

        }

        try {

            byte[] thisCRL = X509CRLImpl.getEncodedInternal(this);

            byte[] otherCRL = X509CRLImpl.getEncodedInternal((X509CRL)other);

            return Arrays.equals(thisCRL, otherCRL);

        } catch (CRLException e) {

            return false;

        }

    }

    /**

     * Returns a hashcode value for this CRL from its

     * encoded form.

     *

     * @return the hashcode value.

     */

    public int hashCode() {

        int retval = 0;

        try {

            byte[] crlData = X509CRLImpl.getEncodedInternal(this);

            for (int i = 1; i < crlData.length; i++) {

                 retval += crlData[i] * i;

            }

            return retval;

        } catch (CRLException e) {

            return retval;

        }

    }

    /**

     * Returns the ASN.1 DER-encoded form of this CRL.

     *

     * @return the encoded form of this certificate

     * @exception CRLException if an encoding error occurs.

     */

    public abstract byte[] getEncoded()

        throws CRLException;

    /**

     * Verifies that this CRL was signed using the

     * private key that corresponds to the given public key.

     *

     * @param key the PublicKey used to carry out the verification.

     *

     * @exception NoSuchAlgorithmException on unsupported signature

     * algorithms.

     * @exception InvalidKeyException on incorrect key.

     * @exception NoSuchProviderException if there's no default provider.

     * @exception SignatureException on signature errors.

     * @exception CRLException on encoding errors.

     */

    public abstract void verify(PublicKey key)

        throws CRLException,  NoSuchAlgorithmException,

        InvalidKeyException, NoSuchProviderException,

        SignatureException;

    /**

     * Verifies that this CRL was signed using the

     * private key that corresponds to the given public key.

     * This method uses the signature verification engine

     * supplied by the given provider.

     *

     * @param key the PublicKey used to carry out the verification.

     * @param sigProvider the name of the signature provider.

     *

     * @exception NoSuchAlgorithmException on unsupported signature

     * algorithms.

     * @exception InvalidKeyException on incorrect key.

     * @exception NoSuchProviderException on incorrect provider.

     * @exception SignatureException on signature errors.

     * @exception CRLException on encoding errors.

     */

    public abstract void verify(PublicKey key, String sigProvider)

        throws CRLException, NoSuchAlgorithmException,

        InvalidKeyException, NoSuchProviderException,

        SignatureException;

    /**

     * Verifies that this CRL was signed using the

     * private key that corresponds to the given public key.

     * This method uses the signature verification engine

     * supplied by the given provider. Note that the specified Provider object

     * does not have to be registered in the provider list.

     *

     * This method was added to version 1.8 of the Java Platform Standard

     * Edition. In order to maintain backwards compatibility with existing

     * service providers, this method is not {@code abstract}

     * and it provides a default implementation.

     *

     * @param key the PublicKey used to carry out the verification.

     * @param sigProvider the signature provider.

     *

     * @exception NoSuchAlgorithmException on unsupported signature

     * algorithms.

     * @exception InvalidKeyException on incorrect key.

     * @exception SignatureException on signature errors.

     * @exception CRLException on encoding errors.

     * @since 1.8

     */

    public void verify(PublicKey key, Provider sigProvider)

        throws CRLException, NoSuchAlgorithmException,

        InvalidKeyException, SignatureException {

        Signature sig = (sigProvider == null)

            ? Signature.getInstance(getSigAlgName())

            : Signature.getInstance(getSigAlgName(), sigProvider);

        sig.initVerify(key);

        byte[] tbsCRL = getTBSCertList();

        sig.update(tbsCRL, 0, tbsCRL.length);

        if (sig.verify(getSignature()) == false) {

            throw new SignatureException("Signature does not match.");

        }

    }

    /**

     * Gets the {@code version} (version number) value from the CRL.

     * The ASN.1 definition for this is:

     * <pre>

     * version    Version OPTIONAL,

     *             -- if present, must be v2

     *

     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

     *             -- v3 does not apply to CRLs but appears for consistency

     *             -- with definition of Version for certs

     * </pre>

     *

     * @return the version number, i.e. 1 or 2.

     */

    public abstract int getVersion();

    /**

     * <strong>Denigrated</strong>, replaced by {@linkplain

     * #getIssuerX500Principal()}. This method returns the {@code issuer}

     * as an implementation specific Principal object, which should not be

     * relied upon by portable code.

     *

     * <p>

     * Gets the {@code issuer} (issuer distinguished name) value from

     * the CRL. The issuer name identifies the entity that signed (and

     * issued) the CRL.

     *

     * <p>The issuer name field contains an

     * X.500 distinguished name (DN).

     * The ASN.1 definition for this is:

     * <pre>

     * issuer    Name

     *

     * Name ::= CHOICE { RDNSequence }

     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

     * RelativeDistinguishedName ::=

     *     SET OF AttributeValueAssertion

     *

     * AttributeValueAssertion ::= SEQUENCE {

     *                               AttributeType,

     *                               AttributeValue }

     * AttributeType ::= OBJECT IDENTIFIER

     * AttributeValue ::= ANY

     * </pre>

     * The {@code Name} describes a hierarchical name composed of

     * attributes,

     * such as country name, and corresponding values, such as US.

     * The type of the {@code AttributeValue} component is determined by

     * the {@code AttributeType}; in general it will be a

     * {@code directoryString}. A {@code directoryString} is usually

     * one of {@code PrintableString},

     * {@code TeletexString} or {@code UniversalString}.

     *

     * @return a Principal whose name is the issuer distinguished name.

     */

    public abstract Principal getIssuerDN();

    /**

     * Returns the issuer (issuer distinguished name) value from the

     * CRL as an {@code X500Principal}.

     * <p>

     * It is recommended that subclasses override this method.

     *

     * @return an {@code X500Principal} representing the issuer

     *          distinguished name

     * @since 1.4

     */

    public X500Principal getIssuerX500Principal() {

        if (issuerPrincipal == null) {

            issuerPrincipal = X509CRLImpl.getIssuerX500Principal(this);

        }

        return issuerPrincipal;

    }

    /**

     * Gets the {@code thisUpdate} date from the CRL.

     * The ASN.1 definition for this is:

     * <pre>

     * thisUpdate   ChoiceOfTime

     * ChoiceOfTime ::= CHOICE {

     *     utcTime        UTCTime,

     *     generalTime    GeneralizedTime }

     * </pre>

     *

     * @return the {@code thisUpdate} date from the CRL.

     */

    public abstract Date getThisUpdate();

    /**

     * Gets the {@code nextUpdate} date from the CRL.

     *

     * @return the {@code nextUpdate} date from the CRL, or null if

     * not present.

     */

    public abstract Date getNextUpdate();

    /**

     * Gets the CRL entry, if any, with the given certificate serialNumber.

     *

     * @param serialNumber the serial number of the certificate for which a CRL entry

     * is to be looked up

     * @return the entry with the given serial number, or null if no such entry

     * exists in this CRL.

     * @see X509CRLEntry

     */

    public abstract X509CRLEntry

        getRevokedCertificate(BigInteger serialNumber);

    /**

     * Get the CRL entry, if any, for the given certificate.

     *

     * <p>This method can be used to lookup CRL entries in indirect CRLs,

     * that means CRLs that contain entries from issuers other than the CRL

     * issuer. The default implementation will only return entries for

     * certificates issued by the CRL issuer. Subclasses that wish to

     * support indirect CRLs should override this method.

     *

     * @param certificate the certificate for which a CRL entry is to be looked

     *   up

     * @return the entry for the given certificate, or null if no such entry

     *   exists in this CRL.

     * @exception NullPointerException if certificate is null

     *

     * @since 1.5

     */

    public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {

        X500Principal certIssuer = certificate.getIssuerX500Principal();

        X500Principal crlIssuer = getIssuerX500Principal();

        if (certIssuer.equals(crlIssuer) == false) {

            return null;

        }

        return getRevokedCertificate(certificate.getSerialNumber());

    }

    /**

     * Gets all the entries from this CRL.

     * This returns a Set of X509CRLEntry objects.

     *

     * @return all the entries or null if there are none present.

     * @see X509CRLEntry

     */

    public abstract Set<? extends X509CRLEntry> getRevokedCertificates();

    /**

     * Gets the DER-encoded CRL information, the

     * {@code tbsCertList} from this CRL.

     * This can be used to verify the signature independently.

     *

     * @return the DER-encoded CRL information.

     * @exception CRLException if an encoding error occurs.

     */

    public abstract byte[] getTBSCertList() throws CRLException;

    /**

     * Gets the {@code signature} value (the raw signature bits) from

     * the CRL.

     * The ASN.1 definition for this is:

     * <pre>

     * signature     BIT STRING

     * </pre>

     *

     * @return the signature.

     */

    public abstract byte[] getSignature();

    /**

     * Gets the signature algorithm name for the CRL

     * signature algorithm. An example is the string "SHA256withRSA".

     * The ASN.1 definition for this is:

     * <pre>

     * signatureAlgorithm   AlgorithmIdentifier

     *

     * AlgorithmIdentifier  ::=  SEQUENCE  {

     *     algorithm               OBJECT IDENTIFIER,

     *     parameters              ANY DEFINED BY algorithm OPTIONAL  }

     *                             -- contains a value of the type

     *                             -- registered for use with the

     *                             -- algorithm object identifier value

     * </pre>

     *

     * <p>The algorithm name is determined from the {@code algorithm}

     * OID string.

     *

     * @return the signature algorithm name.

     */

    public abstract String getSigAlgName();

    /**

     * Gets the signature algorithm OID string from the CRL.

     * An OID is represented by a set of nonnegative whole numbers separated

     * by periods.

     * For example, the string "1.2.840.10040.4.3" identifies the SHA-1

     * with DSA signature algorithm defined in

     * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and

     * Identifiers for the Internet X.509 Public Key Infrastructure Certificate

     * and CRL Profile</a>.

     *

     * <p>See {@link #getSigAlgName() getSigAlgName} for

     * relevant ASN.1 definitions.

     *

     * @return the signature algorithm OID string.

     */

    public abstract String getSigAlgOID();

    /**

     * Gets the DER-encoded signature algorithm parameters from this

     * CRL's signature algorithm. In most cases, the signature

     * algorithm parameters are null; the parameters are usually

     * supplied with the public key.

     * If access to individual parameter values is needed then use

     * {@link java.security.AlgorithmParameters AlgorithmParameters}

     * and instantiate with the name returned by

     * {@link #getSigAlgName() getSigAlgName}.

     *

     * <p>See {@link #getSigAlgName() getSigAlgName} for

     * relevant ASN.1 definitions.

     *

     * @return the DER-encoded signature algorithm parameters, or

     *         null if no parameters are present.

     */

    public abstract byte[] getSigAlgParams();

}