1 /* |
1 /* |
2 * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
31 import java.security.cert.*; |
31 import java.security.cert.*; |
32 import javax.security.auth.x500.X500Principal; |
32 import javax.security.auth.x500.X500Principal; |
33 import java.util.*; |
33 import java.util.*; |
34 |
34 |
35 import sun.security.util.Debug; |
35 import sun.security.util.Debug; |
|
36 import sun.security.validator.Validator; |
36 import static sun.security.x509.PKIXExtensions.*; |
37 import static sun.security.x509.PKIXExtensions.*; |
37 import sun.security.x509.*; |
38 import sun.security.x509.*; |
38 |
39 |
39 /** |
40 /** |
40 * Class to obtain CRLs via the CRLDistributionPoints extension. |
41 * Class to obtain CRLs via the CRLDistributionPoints extension. |
64 /** |
65 /** |
65 * Return the X509CRLs matching this selector. The selector must be |
66 * Return the X509CRLs matching this selector. The selector must be |
66 * an X509CRLSelector with certificateChecking set. |
67 * an X509CRLSelector with certificateChecking set. |
67 */ |
68 */ |
68 public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
69 public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
|
70 boolean signFlag, PublicKey prevKey, String provider, |
|
71 List<CertStore> certStores, boolean[] reasonsMask, |
|
72 Set<TrustAnchor> trustAnchors, Date validity, String variant) |
|
73 throws CertStoreException |
|
74 { |
|
75 return getCRLs(selector, signFlag, prevKey, null, provider, certStores, |
|
76 reasonsMask, trustAnchors, validity, variant); |
|
77 } |
|
78 /** |
|
79 * Return the X509CRLs matching this selector. The selector must be |
|
80 * an X509CRLSelector with certificateChecking set. |
|
81 */ |
|
82 // Called by com.sun.deploy.security.RevocationChecker |
|
83 public static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
69 boolean signFlag, |
84 boolean signFlag, |
70 PublicKey prevKey, |
85 PublicKey prevKey, |
71 String provider, |
86 String provider, |
72 List<CertStore> certStores, |
87 List<CertStore> certStores, |
73 boolean[] reasonsMask, |
88 boolean[] reasonsMask, |
74 Set<TrustAnchor> trustAnchors, |
89 Set<TrustAnchor> trustAnchors, |
75 Date validity) |
90 Date validity) |
76 throws CertStoreException |
91 throws CertStoreException |
77 { |
92 { |
78 return getCRLs(selector, signFlag, prevKey, null, provider, certStores, |
93 return getCRLs(selector, signFlag, prevKey, null, provider, certStores, |
79 reasonsMask, trustAnchors, validity); |
94 reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC); |
80 } |
95 } |
81 |
96 |
82 /** |
97 /** |
83 * Return the X509CRLs matching this selector. The selector must be |
98 * Return the X509CRLs matching this selector. The selector must be |
84 * an X509CRLSelector with certificateChecking set. |
99 * an X509CRLSelector with certificateChecking set. |
89 X509Certificate prevCert, |
104 X509Certificate prevCert, |
90 String provider, |
105 String provider, |
91 List<CertStore> certStores, |
106 List<CertStore> certStores, |
92 boolean[] reasonsMask, |
107 boolean[] reasonsMask, |
93 Set<TrustAnchor> trustAnchors, |
108 Set<TrustAnchor> trustAnchors, |
94 Date validity) |
109 Date validity, |
|
110 String variant) |
95 throws CertStoreException |
111 throws CertStoreException |
96 { |
112 { |
97 X509Certificate cert = selector.getCertificateChecking(); |
113 X509Certificate cert = selector.getCertificateChecking(); |
98 if (cert == null) { |
114 if (cert == null) { |
99 return Collections.emptySet(); |
115 return Collections.emptySet(); |
118 for (Iterator<DistributionPoint> t = points.iterator(); |
134 for (Iterator<DistributionPoint> t = points.iterator(); |
119 t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { |
135 t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { |
120 DistributionPoint point = t.next(); |
136 DistributionPoint point = t.next(); |
121 Collection<X509CRL> crls = getCRLs(selector, certImpl, |
137 Collection<X509CRL> crls = getCRLs(selector, certImpl, |
122 point, reasonsMask, signFlag, prevKey, prevCert, provider, |
138 point, reasonsMask, signFlag, prevKey, prevCert, provider, |
123 certStores, trustAnchors, validity); |
139 certStores, trustAnchors, validity, variant); |
124 results.addAll(crls); |
140 results.addAll(crls); |
125 } |
141 } |
126 if (debug != null) { |
142 if (debug != null) { |
127 debug.println("Returning " + results.size() + " CRLs"); |
143 debug.println("Returning " + results.size() + " CRLs"); |
128 } |
144 } |
143 */ |
159 */ |
144 private static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
160 private static Collection<X509CRL> getCRLs(X509CRLSelector selector, |
145 X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, |
161 X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, |
146 boolean signFlag, PublicKey prevKey, X509Certificate prevCert, |
162 boolean signFlag, PublicKey prevKey, X509Certificate prevCert, |
147 String provider, List<CertStore> certStores, |
163 String provider, List<CertStore> certStores, |
148 Set<TrustAnchor> trustAnchors, Date validity) |
164 Set<TrustAnchor> trustAnchors, Date validity, String variant) |
149 throws CertStoreException { |
165 throws CertStoreException { |
150 |
166 |
151 // check for full name |
167 // check for full name |
152 GeneralNames fullName = point.getFullName(); |
168 GeneralNames fullName = point.getFullName(); |
153 if (fullName == null) { |
169 if (fullName == null) { |
206 // make sure issuer is not set |
222 // make sure issuer is not set |
207 // we check the issuer in verifyCRLs method |
223 // we check the issuer in verifyCRLs method |
208 selector.setIssuerNames(null); |
224 selector.setIssuerNames(null); |
209 if (selector.match(crl) && verifyCRL(certImpl, point, crl, |
225 if (selector.match(crl) && verifyCRL(certImpl, point, crl, |
210 reasonsMask, signFlag, prevKey, prevCert, provider, |
226 reasonsMask, signFlag, prevKey, prevCert, provider, |
211 trustAnchors, certStores, validity)) { |
227 trustAnchors, certStores, validity, variant)) { |
212 crls.add(crl); |
228 crls.add(crl); |
213 } |
229 } |
214 } catch (IOException | CRLException e) { |
230 } catch (IOException | CRLException e) { |
215 // don't add the CRL |
231 // don't add the CRL |
216 if (debug != null) { |
232 if (debug != null) { |
314 */ |
330 */ |
315 static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, |
331 static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, |
316 X509CRL crl, boolean[] reasonsMask, boolean signFlag, |
332 X509CRL crl, boolean[] reasonsMask, boolean signFlag, |
317 PublicKey prevKey, X509Certificate prevCert, String provider, |
333 PublicKey prevKey, X509Certificate prevCert, String provider, |
318 Set<TrustAnchor> trustAnchors, List<CertStore> certStores, |
334 Set<TrustAnchor> trustAnchors, List<CertStore> certStores, |
319 Date validity) throws CRLException, IOException { |
335 Date validity, String variant) throws CRLException, IOException { |
320 |
336 |
321 if (debug != null) { |
337 if (debug != null) { |
322 debug.println("DistributionPointFetcher.verifyCRL: " + |
338 debug.println("DistributionPointFetcher.verifyCRL: " + |
323 "checking revocation status for" + |
339 "checking revocation status for" + |
324 "\n SN: " + Debug.toHexString(certImpl.getSerialNumber()) + |
340 "\n SN: " + Debug.toHexString(certImpl.getSerialNumber()) + |