package gnu.java.security.x509;
import gnu.java.security.OID;
import gnu.java.security.der.BitString;
import gnu.java.security.der.DER;
import gnu.java.security.der.DERReader;
import gnu.java.security.der.DERValue;
import gnu.java.security.x509.ext.Extension;
import java.io.InputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Principal;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CRLException;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
public class X509CRL extends java.security.cert.X509CRL
implements GnuPKIExtension
{
private static final boolean DEBUG = false;
private static void debug(String msg)
{
if (DEBUG)
{
System.err.print(">> X509CRL: ");
System.err.println(msg);
}
}
private static final OID ID_DSA = new OID("1.2.840.10040.4.1");
private static final OID ID_DSA_WITH_SHA1 = new OID("1.2.840.10040.4.3");
private static final OID ID_RSA = new OID("1.2.840.113549.1.1.1");
private static final OID ID_RSA_WITH_MD2 = new OID("1.2.840.113549.1.1.2");
private static final OID ID_RSA_WITH_MD5 = new OID("1.2.840.113549.1.1.4");
private static final OID ID_RSA_WITH_SHA1 = new OID("1.2.840.113549.1.1.5");
private byte[] encoded;
private byte[] tbsCRLBytes;
private int version;
private OID algId;
private byte[] algParams;
private Date thisUpdate;
private Date nextUpdate;
private X500DistinguishedName issuerDN;
private HashMap revokedCerts;
private HashMap extensions;
private OID sigAlg;
private byte[] sigAlgParams;
private byte[] rawSig;
private byte[] signature;
public X509CRL(InputStream encoded) throws CRLException, IOException
{
super();
revokedCerts = new HashMap();
extensions = new HashMap();
try
{
parse(encoded);
}
catch (IOException ioe)
{
ioe.printStackTrace();
throw ioe;
}
catch (Exception x)
{
x.printStackTrace();
throw new CRLException(x.toString());
}
}
public boolean equals(Object o)
{
if (!(o instanceof X509CRL))
return false;
return ((X509CRL) o).getRevokedCertificates().equals(revokedCerts.values());
}
public int hashCode()
{
return revokedCerts.hashCode();
}
public byte[] getEncoded() throws CRLException
{
return (byte[]) encoded.clone();
}
public void verify(PublicKey key)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
NoSuchProviderException, SignatureException
{
Signature sig = Signature.getInstance(sigAlg.toString());
doVerify(sig, key);
}
public void verify(PublicKey key, String provider)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException,
NoSuchProviderException, SignatureException
{
Signature sig = Signature.getInstance(sigAlg.toString(), provider);
doVerify(sig, key);
}
public int getVersion()
{
return version;
}
public Principal getIssuerDN()
{
return issuerDN;
}
public X500Principal getIssuerX500Principal()
{
return new X500Principal(issuerDN.getDer());
}
public Date getThisUpdate()
{
return (Date) thisUpdate.clone();
}
public Date getNextUpdate()
{
if (nextUpdate != null)
return (Date) nextUpdate.clone();
return null;
}
public java.security.cert.X509CRLEntry getRevokedCertificate(BigInteger serialNo)
{
return (java.security.cert.X509CRLEntry) revokedCerts.get(serialNo);
}
public Set getRevokedCertificates()
{
return Collections.unmodifiableSet(new HashSet(revokedCerts.values()));
}
public byte[] getTBSCertList() throws CRLException
{
return (byte[]) tbsCRLBytes.clone();
}
public byte[] getSignature()
{
return (byte[]) rawSig.clone();
}
public String getSigAlgName()
{
if (sigAlg.equals(ID_DSA_WITH_SHA1))
return "SHA1withDSA";
if (sigAlg.equals(ID_RSA_WITH_MD2))
return "MD2withRSA";
if (sigAlg.equals(ID_RSA_WITH_MD5))
return "MD5withRSA";
if (sigAlg.equals(ID_RSA_WITH_SHA1))
return "SHA1withRSA";
return "unknown";
}
public String getSigAlgOID()
{
return sigAlg.toString();
}
public byte[] getSigAlgParams()
{
if (sigAlgParams != null)
return (byte[]) sigAlgParams.clone();
return null;
}
public boolean hasUnsupportedCriticalExtension()
{
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (e.isCritical() && !e.isSupported())
return true;
}
return false;
}
public Set getCriticalExtensionOIDs()
{
HashSet s = new HashSet();
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (e.isCritical())
s.add(e.getOid().toString());
}
return Collections.unmodifiableSet(s);
}
public Set getNonCriticalExtensionOIDs()
{
HashSet s = new HashSet();
for (Iterator it = extensions.values().iterator(); it.hasNext(); )
{
Extension e = (Extension) it.next();
if (!e.isCritical())
s.add(e.getOid().toString());
}
return Collections.unmodifiableSet(s);
}
public byte[] getExtensionValue(String oid)
{
Extension e = getExtension(new OID(oid));
if (e != null)
{
return e.getValue().getEncoded();
}
return null;
}
public Extension getExtension(OID oid)
{
return (Extension) extensions.get(oid);
}
public Collection getExtensions()
{
return extensions.values();
}
public String toString()
{
return X509CRL.class.getName();
}
public boolean isRevoked(Certificate cert)
{
if (!(cert instanceof java.security.cert.X509Certificate))
throw new IllegalArgumentException("not a X.509 certificate");
BigInteger certSerial =
((java.security.cert.X509Certificate) cert).getSerialNumber();
X509CRLEntry ent = (X509CRLEntry) revokedCerts.get(certSerial);
if (ent == null)
return false;
return ent.getRevocationDate().compareTo(new Date()) < 0;
}
private void doVerify(Signature sig, PublicKey key)
throws CRLException, InvalidKeyException, SignatureException
{
sig.initVerify(key);
sig.update(tbsCRLBytes);
if (!sig.verify(signature))
throw new CRLException("signature not verified");
}
private void parse(InputStream in) throws Exception
{
DERReader der = new DERReader(in);
DERValue val = der.read();
debug("start CertificateList len == " + val.getLength());
if (!val.isConstructed())
throw new IOException("malformed CertificateList");
encoded = val.getEncoded();
val = der.read();
if (!val.isConstructed())
throw new IOException("malformed TBSCertList");
debug("start tbsCertList len == " + val.getLength());
tbsCRLBytes = val.getEncoded();
val = der.read();
if (val.getValue() instanceof BigInteger)
{
version = ((BigInteger) val.getValue()).intValue() + 1;
val = der.read();
}
else
version = 1;
debug("read version == " + version);
debug("start AlgorithmIdentifier len == " + val.getLength());
if (!val.isConstructed())
throw new IOException("malformed AlgorithmIdentifier");
DERValue algIdVal = der.read();
algId = (OID) algIdVal.getValue();
debug("read object identifier == " + algId);
if (val.getLength() > algIdVal.getEncodedLength())
{
val = der.read();
debug("read parameters len == " + val.getEncodedLength());
algParams = val.getEncoded();
if (val.isConstructed())
in.skip(val.getLength());
}
val = der.read();
issuerDN = new X500DistinguishedName(val.getEncoded());
der.skip(val.getLength());
debug("read issuer == " + issuerDN);
thisUpdate = (Date) der.read().getValue();
debug("read thisUpdate == " + thisUpdate);
val = der.read();
if (val.getValue() instanceof Date)
{
nextUpdate = (Date) val.getValue();
debug("read nextUpdate == " + nextUpdate);
val = der.read();
}
if (val.getTag() != 0)
{
int len = 0;
while (len < val.getLength())
{
X509CRLEntry entry = new X509CRLEntry(version, der);
revokedCerts.put(entry.getSerialNumber(), entry);
len += entry.getEncoded().length;
}
val = der.read();
}
if (val.getTagClass() != DER.UNIVERSAL && val.getTag() == 0)
{
if (version < 2)
throw new IOException("extra data in CRL");
DERValue exts = der.read();
if (!exts.isConstructed())
throw new IOException("malformed Extensions");
debug("start Extensions len == " + exts.getLength());
int len = 0;
while (len < exts.getLength())
{
DERValue ext = der.read();
if (!ext.isConstructed())
throw new IOException("malformed Extension");
Extension e = new Extension(ext.getEncoded());
extensions.put(e.getOid(), e);
der.skip(ext.getLength());
len += ext.getEncodedLength();
debug("current count == " + len);
}
val = der.read();
}
debug("read tag == " + val.getTag());
if (!val.isConstructed())
throw new IOException("malformed AlgorithmIdentifier");
debug("start AlgorithmIdentifier len == " + val.getLength());
DERValue sigAlgVal = der.read();
debug("read tag == " + sigAlgVal.getTag());
if (sigAlgVal.getTag() != DER.OBJECT_IDENTIFIER)
throw new IOException("malformed AlgorithmIdentifier");
sigAlg = (OID) sigAlgVal.getValue();
debug("signature id == " + sigAlg);
debug("sigAlgVal length == " + sigAlgVal.getEncodedLength());
if (val.getLength() > sigAlgVal.getEncodedLength())
{
val = der.read();
debug("sig params tag = " + val.getTag() + " len == " + val.getEncodedLength());
sigAlgParams = (byte[]) val.getEncoded();
if (val.isConstructed())
in.skip(val.getLength());
}
val = der.read();
debug("read tag = " + val.getTag());
rawSig = val.getEncoded();
signature = ((BitString) val.getValue()).toByteArray();
}
}