88 * If CRLDP support is disabled, this method always returns an |
88 * If CRLDP support is disabled, this method always returns an |
89 * empty set. |
89 * empty set. |
90 */ |
90 */ |
91 Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag, |
91 Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag, |
92 PublicKey prevKey, String provider, List<CertStore> certStores, |
92 PublicKey prevKey, String provider, List<CertStore> certStores, |
93 boolean[] reasonsMask, |
93 boolean[] reasonsMask, Set<TrustAnchor> trustAnchors, |
94 Set<TrustAnchor> trustAnchors) throws CertStoreException { |
94 Date validity) throws CertStoreException { |
95 |
95 |
96 if (USE_CRLDP == false) { |
96 if (USE_CRLDP == false) { |
97 return Collections.emptySet(); |
97 return Collections.emptySet(); |
98 } |
98 } |
99 X509Certificate cert = selector.getCertificateChecking(); |
99 X509Certificate cert = selector.getCertificateChecking(); |
120 for (Iterator<DistributionPoint> t = points.iterator(); |
120 for (Iterator<DistributionPoint> t = points.iterator(); |
121 t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { |
121 t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { |
122 DistributionPoint point = t.next(); |
122 DistributionPoint point = t.next(); |
123 Collection<X509CRL> crls = getCRLs(selector, certImpl, |
123 Collection<X509CRL> crls = getCRLs(selector, certImpl, |
124 point, reasonsMask, signFlag, prevKey, provider, |
124 point, reasonsMask, signFlag, prevKey, provider, |
125 certStores, trustAnchors); |
125 certStores, trustAnchors, validity); |
126 results.addAll(crls); |
126 results.addAll(crls); |
127 } |
127 } |
128 if (debug != null) { |
128 if (debug != null) { |
129 debug.println("Returning " + results.size() + " CRLs"); |
129 debug.println("Returning " + results.size() + " CRLs"); |
130 } |
130 } |
141 * See the top of the class for current limitations. |
141 * See the top of the class for current limitations. |
142 */ |
142 */ |
143 private Collection<X509CRL> getCRLs(X509CRLSelector selector, |
143 private Collection<X509CRL> getCRLs(X509CRLSelector selector, |
144 X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, |
144 X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, |
145 boolean signFlag, PublicKey prevKey, String provider, |
145 boolean signFlag, PublicKey prevKey, String provider, |
146 List<CertStore> certStores, Set<TrustAnchor> trustAnchors) { |
146 List<CertStore> certStores, Set<TrustAnchor> trustAnchors, |
|
147 Date validity) { |
147 |
148 |
148 // check for full name |
149 // check for full name |
149 GeneralNames fullName = point.getFullName(); |
150 GeneralNames fullName = point.getFullName(); |
150 if (fullName == null) { |
151 if (fullName == null) { |
151 // check for relative name |
152 // check for relative name |
194 // make sure issuer is not set |
195 // make sure issuer is not set |
195 // we check the issuer in verifyCRLs method |
196 // we check the issuer in verifyCRLs method |
196 selector.setIssuerNames(null); |
197 selector.setIssuerNames(null); |
197 if (selector.match(crl) && verifyCRL(certImpl, point, crl, |
198 if (selector.match(crl) && verifyCRL(certImpl, point, crl, |
198 reasonsMask, signFlag, prevKey, provider, trustAnchors, |
199 reasonsMask, signFlag, prevKey, provider, trustAnchors, |
199 certStores)) { |
200 certStores, validity)) { |
200 crls.add(crl); |
201 crls.add(crl); |
201 } |
202 } |
202 } catch (Exception e) { |
203 } catch (Exception e) { |
203 // don't add the CRL |
204 // don't add the CRL |
204 if (debug != null) { |
205 if (debug != null) { |
278 * @param prevKey the public key that verifies the certificate's signature |
279 * @param prevKey the public key that verifies the certificate's signature |
279 * @param provider the Signature provider to use |
280 * @param provider the Signature provider to use |
280 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s |
281 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s |
281 * @param certStores a {@code List} of {@code CertStore}s to be used in |
282 * @param certStores a {@code List} of {@code CertStore}s to be used in |
282 * finding certificates and CRLs |
283 * finding certificates and CRLs |
|
284 * @param validity the time for which the validity of the CRL issuer's |
|
285 * certification path should be determined |
283 * @return true if ok, false if not |
286 * @return true if ok, false if not |
284 */ |
287 */ |
285 boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, |
288 boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, |
286 X509CRL crl, boolean[] reasonsMask, boolean signFlag, |
289 X509CRL crl, boolean[] reasonsMask, boolean signFlag, |
287 PublicKey prevKey, String provider, |
290 PublicKey prevKey, String provider, |
288 Set<TrustAnchor> trustAnchors, |
291 Set<TrustAnchor> trustAnchors, List<CertStore> certStores, |
289 List<CertStore> certStores) throws CRLException, IOException { |
292 Date validity) throws CRLException, IOException { |
290 |
293 |
291 boolean indirectCRL = false; |
294 boolean indirectCRL = false; |
292 X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl); |
295 X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl); |
293 IssuingDistributionPointExtension idpExt = |
296 IssuingDistributionPointExtension idpExt = |
294 crlImpl.getIssuingDistributionPointExtension(); |
297 crlImpl.getIssuingDistributionPointExtension(); |
603 } catch (InvalidAlgorithmParameterException iape) { |
606 } catch (InvalidAlgorithmParameterException iape) { |
604 throw new CRLException(iape); |
607 throw new CRLException(iape); |
605 } |
608 } |
606 params.setCertStores(certStores); |
609 params.setCertStores(certStores); |
607 params.setSigProvider(provider); |
610 params.setSigProvider(provider); |
|
611 params.setDate(validity); |
608 try { |
612 try { |
609 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); |
613 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); |
610 PKIXCertPathBuilderResult result = |
614 PKIXCertPathBuilderResult result = |
611 (PKIXCertPathBuilderResult) builder.build(params); |
615 (PKIXCertPathBuilderResult) builder.build(params); |
612 prevKey = result.getPublicKey(); |
616 prevKey = result.getPublicKey(); |