// // Decompiled by Procyon v0.6.0 // package org.bouncycastle.jce.provider; import org.bouncycastle.asn1.x500.style.RFC4519Style; import org.bouncycastle.x509.X509AttributeCertificate; import java.security.GeneralSecurityException; import java.security.cert.CertSelector; import java.security.interfaces.DSAParams; import java.security.spec.KeySpec; import java.security.spec.DSAPublicKeySpec; import java.security.interfaces.DSAPublicKey; import java.text.ParseException; import org.bouncycastle.asn1.ASN1GeneralizedTime; import org.bouncycastle.internal.asn1.isismtt.ISISMTTObjectIdentifiers; import java.security.cert.CertPath; import org.bouncycastle.jcajce.PKIXCertRevocationCheckerParameters; import java.security.cert.CRL; import java.security.cert.CRLSelector; import org.bouncycastle.jcajce.PKIXCRLStoreSelector; import org.bouncycastle.asn1.ASN1Integer; import java.security.cert.X509CRLEntry; import org.bouncycastle.asn1.ASN1Enumerated; import org.bouncycastle.asn1.x509.Extension; import java.security.cert.CRLException; import java.security.cert.X509CRL; import java.math.BigInteger; import java.security.cert.X509CRLSelector; import java.security.cert.CertificateFactory; import org.bouncycastle.asn1.x509.DistributionPointName; import org.bouncycastle.asn1.x509.DistributionPoint; import java.net.URI; import org.bouncycastle.asn1.ASN1String; import org.bouncycastle.util.Properties; import org.bouncycastle.jcajce.util.JcaJceHelper; import org.bouncycastle.jcajce.PKIXCRLStore; import org.bouncycastle.asn1.x509.CRLDistPoint; import java.security.cert.CertStoreException; import java.security.cert.CertStore; import org.bouncycastle.util.StoreException; import org.bouncycastle.util.Selector; import org.bouncycastle.util.Store; import java.security.cert.PolicyNode; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import java.util.Enumeration; import java.io.IOException; import java.security.cert.PolicyQualifierInfo; import org.bouncycastle.asn1.ASN1Encodable; import java.io.OutputStream; import org.bouncycastle.asn1.ASN1OutputStream; import java.io.ByteArrayOutputStream; import java.util.HashSet; import org.bouncycastle.asn1.ASN1Sequence; import java.security.cert.CertPathValidatorException; import org.bouncycastle.jce.exception.ExtCertPathValidatorException; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.ASN1Primitive; import java.security.cert.X509Extension; import java.util.Date; import java.security.cert.CertificateParsingException; import java.util.ArrayList; import org.bouncycastle.asn1.x509.GeneralNames; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.jcajce.PKIXCertStore; import org.bouncycastle.asn1.x509.GeneralName; import java.util.Map; import java.util.Iterator; import javax.security.auth.x500.X500Principal; import java.security.PublicKey; import org.bouncycastle.asn1.x500.X500Name; import java.security.cert.X509CertSelector; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.security.cert.Certificate; import org.bouncycastle.jcajce.PKIXCertStoreSelector; import org.bouncycastle.jcajce.PKIXExtendedParameters; import java.util.Collections; import java.security.cert.CertPathBuilderException; import org.bouncycastle.jce.exception.ExtCertPathBuilderException; import java.util.List; import java.util.Set; import java.util.LinkedHashSet; import java.util.Collection; import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters; class CertPathValidatorUtilities { protected static final String CERTIFICATE_POLICIES; protected static final String BASIC_CONSTRAINTS; protected static final String POLICY_MAPPINGS; protected static final String SUBJECT_ALTERNATIVE_NAME; protected static final String NAME_CONSTRAINTS; protected static final String KEY_USAGE; protected static final String INHIBIT_ANY_POLICY; protected static final String ISSUING_DISTRIBUTION_POINT; protected static final String DELTA_CRL_INDICATOR; protected static final String POLICY_CONSTRAINTS; protected static final String FRESHEST_CRL; protected static final String CRL_DISTRIBUTION_POINTS; protected static final String AUTHORITY_KEY_IDENTIFIER; protected static final String ANY_POLICY = "2.5.29.32.0"; protected static final String CRL_NUMBER; protected static final int KEY_CERT_SIGN = 5; protected static final int CRL_SIGN = 6; protected static final String[] crlReasons; static Collection findTargets(final PKIXExtendedBuilderParameters pkixExtendedBuilderParameters) throws CertPathBuilderException { final PKIXExtendedParameters baseParameters = pkixExtendedBuilderParameters.getBaseParameters(); final PKIXCertStoreSelector targetConstraints = baseParameters.getTargetConstraints(); final LinkedHashSet set = new LinkedHashSet(); try { findCertificates(set, targetConstraints, baseParameters.getCertificateStores()); findCertificates(set, targetConstraints, baseParameters.getCertStores()); } catch (final AnnotatedException ex) { throw new ExtCertPathBuilderException("Error finding target certificate.", ex); } if (!set.isEmpty()) { return set; } final Certificate certificate = targetConstraints.getCertificate(); if (null == certificate) { throw new CertPathBuilderException("No certificate found matching targetConstraints."); } return Collections.singleton(certificate); } protected static TrustAnchor findTrustAnchor(final X509Certificate x509Certificate, final Set set) throws AnnotatedException { return findTrustAnchor(x509Certificate, set, null); } protected static TrustAnchor findTrustAnchor(final X509Certificate x509Certificate, final Set set, final String s) throws AnnotatedException { TrustAnchor trustAnchor = null; PublicKey publicKey = null; Throwable t = null; final X509CertSelector x509CertSelector = new X509CertSelector(); final X500Principal issuerX500Principal = x509Certificate.getIssuerX500Principal(); x509CertSelector.setSubject(issuerX500Principal); X500Name instance = null; final Iterator iterator = set.iterator(); while (iterator.hasNext() && trustAnchor == null) { trustAnchor = (TrustAnchor)iterator.next(); if (trustAnchor.getTrustedCert() != null) { if (x509CertSelector.match(trustAnchor.getTrustedCert())) { publicKey = trustAnchor.getTrustedCert().getPublicKey(); } else { trustAnchor = null; } } else if (trustAnchor.getCA() != null && trustAnchor.getCAName() != null && trustAnchor.getCAPublicKey() != null) { if (instance == null) { instance = X500Name.getInstance(issuerX500Principal.getEncoded()); } try { if (instance.equals(X500Name.getInstance(trustAnchor.getCA().getEncoded()))) { publicKey = trustAnchor.getCAPublicKey(); } else { trustAnchor = null; } } catch (final IllegalArgumentException ex) { trustAnchor = null; } } else { trustAnchor = null; } if (publicKey != null) { try { verifyX509Certificate(x509Certificate, publicKey, s); } catch (final Exception ex2) { t = ex2; trustAnchor = null; publicKey = null; } } } if (trustAnchor == null && t != null) { throw new AnnotatedException("TrustAnchor found but certificate validation failed.", t); } return trustAnchor; } static boolean isIssuerTrustAnchor(final X509Certificate x509Certificate, final Set set, final String s) throws AnnotatedException { try { return findTrustAnchor(x509Certificate, set, s) != null; } catch (final Exception ex) { return false; } } static List getAdditionalStoresFromAltNames(final byte[] array, final Map map) throws CertificateParsingException { if (array == null) { return Collections.EMPTY_LIST; } final GeneralName[] names = GeneralNames.getInstance(ASN1OctetString.getInstance(array).getOctets()).getNames(); final ArrayList list = new ArrayList(); for (int i = 0; i != names.length; ++i) { final PKIXCertStore pkixCertStore = map.get(names[i]); if (pkixCertStore != null) { list.add(pkixCertStore); } } return list; } protected static Date getValidityDate(final PKIXExtendedParameters pkixExtendedParameters, final Date date) { final Date validityDate = pkixExtendedParameters.getValidityDate(); return (null == validityDate) ? date : validityDate; } protected static boolean isSelfIssued(final X509Certificate x509Certificate) { return x509Certificate.getSubjectDN().equals(x509Certificate.getIssuerDN()); } protected static ASN1Primitive getExtensionValue(final X509Extension x509Extension, final String s) throws AnnotatedException { final byte[] extensionValue = x509Extension.getExtensionValue(s); return (null == extensionValue) ? null : getObject(s, extensionValue); } private static ASN1Primitive getObject(final String str, final byte[] array) throws AnnotatedException { try { return ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(array).getOctets()); } catch (final Exception ex) { throw new AnnotatedException("exception processing extension " + str, ex); } } protected static AlgorithmIdentifier getAlgorithmIdentifier(final PublicKey publicKey) throws CertPathValidatorException { try { return SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()).getAlgorithm(); } catch (final Exception ex) { throw new ExtCertPathValidatorException("Subject public key cannot be decoded.", ex); } } protected static final Set getQualifierSet(final ASN1Sequence asn1Sequence) throws CertPathValidatorException { final HashSet set = new HashSet(); if (asn1Sequence == null) { return set; } final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); final ASN1OutputStream create = ASN1OutputStream.create(byteArrayOutputStream); final Enumeration objects = asn1Sequence.getObjects(); while (objects.hasMoreElements()) { try { create.writeObject((ASN1Encodable)objects.nextElement()); set.add(new PolicyQualifierInfo(byteArrayOutputStream.toByteArray())); } catch (final IOException ex) { throw new ExtCertPathValidatorException("Policy qualifier info cannot be decoded.", ex); } byteArrayOutputStream.reset(); } return set; } static PKIXPolicyNode removeChildlessPolicyNodes(final PKIXPolicyNode pkixPolicyNode, final List[] array, final int n) { if (pkixPolicyNode == null) { return null; } int n2 = n; while (--n2 >= 0) { final List list = array[n2]; int size = list.size(); while (--size >= 0) { final PKIXPolicyNode pkixPolicyNode2 = list.get(size); if (pkixPolicyNode2.hasChildren()) { continue; } list.remove(size); final PKIXPolicyNode pkixPolicyNode3 = (PKIXPolicyNode)pkixPolicyNode2.getParent(); if (pkixPolicyNode3 == null) { return null; } pkixPolicyNode3.removeChild(pkixPolicyNode2); } } return pkixPolicyNode; } static PKIXPolicyNode removePolicyNode(final PKIXPolicyNode pkixPolicyNode, final List[] array, final PKIXPolicyNode pkixPolicyNode2) { if (pkixPolicyNode == null) { return null; } final PKIXPolicyNode pkixPolicyNode3 = (PKIXPolicyNode)pkixPolicyNode2.getParent(); if (pkixPolicyNode3 == null) { for (int i = 0; i < array.length; ++i) { array[i].clear(); } return null; } pkixPolicyNode3.removeChild(pkixPolicyNode2); removePolicyNodeRecurse(array, pkixPolicyNode2); return pkixPolicyNode; } private static void removePolicyNodeRecurse(final List[] array, final PKIXPolicyNode pkixPolicyNode) { array[pkixPolicyNode.getDepth()].remove(pkixPolicyNode); if (pkixPolicyNode.hasChildren()) { final Iterator children = pkixPolicyNode.getChildren(); while (children.hasNext()) { removePolicyNodeRecurse(array, (PKIXPolicyNode)children.next()); } } } protected static boolean processCertD1i(final int n, final List[] array, final ASN1ObjectIdentifier asn1ObjectIdentifier, final Set set) { final List list = array[n - 1]; for (int i = 0; i < list.size(); ++i) { final PKIXPolicyNode pkixPolicyNode = list.get(i); if (pkixPolicyNode.getExpectedPolicies().contains(asn1ObjectIdentifier.getId())) { final HashSet set2 = new HashSet(); set2.add(asn1ObjectIdentifier.getId()); final PKIXPolicyNode pkixPolicyNode2 = new PKIXPolicyNode(new ArrayList(), n, set2, pkixPolicyNode, set, asn1ObjectIdentifier.getId(), false); pkixPolicyNode.addChild(pkixPolicyNode2); array[n].add(pkixPolicyNode2); return true; } } return false; } static void processCertD1ii(final int n, final List[] array, final ASN1ObjectIdentifier asn1ObjectIdentifier, final Set set) { final PKIXPolicyNode validPolicy = findValidPolicy(array[n - 1].iterator(), "2.5.29.32.0"); if (validPolicy != null) { final String id = asn1ObjectIdentifier.getId(); final HashSet set2 = new HashSet(); set2.add(id); final PKIXPolicyNode pkixPolicyNode = new PKIXPolicyNode(new ArrayList(), n, set2, validPolicy, set, id, false); validPolicy.addChild(pkixPolicyNode); array[n].add(pkixPolicyNode); } } protected static boolean isAnyPolicy(final Set set) { return set == null || set.contains("2.5.29.32.0") || set.isEmpty(); } protected static void findCertificates(final Set set, final PKIXCertStoreSelector pkixCertStoreSelector, final List list) throws AnnotatedException { for (final Object next : list) { if (next instanceof Store) { final Store store = (Store)next; try { set.addAll(store.getMatches(pkixCertStoreSelector)); } catch (final StoreException ex) { throw new AnnotatedException("Problem while picking certificates from X.509 store.", ex); } } else { final CertStore certStore = (CertStore)next; try { set.addAll(PKIXCertStoreSelector.getCertificates(pkixCertStoreSelector, certStore)); } catch (final CertStoreException ex2) { throw new AnnotatedException("Problem while picking certificates from certificate store.", ex2); } } } } static List getAdditionalStoresFromCRLDistributionPoint(final CRLDistPoint crlDistPoint, final Map map, final Date date, final JcaJceHelper jcaJceHelper) throws AnnotatedException { if (null == crlDistPoint) { return Collections.EMPTY_LIST; } DistributionPoint[] distributionPoints; try { distributionPoints = crlDistPoint.getDistributionPoints(); } catch (final Exception ex) { throw new AnnotatedException("Distribution points could not be read.", ex); } final ArrayList list = new ArrayList(); for (int i = 0; i < distributionPoints.length; ++i) { final DistributionPointName distributionPoint = distributionPoints[i].getDistributionPoint(); if (distributionPoint != null && distributionPoint.getType() == 0) { final GeneralName[] names = GeneralNames.getInstance(distributionPoint.getName()).getNames(); for (int j = 0; j < names.length; ++j) { final PKIXCRLStore pkixcrlStore = map.get(names[j]); if (pkixcrlStore != null) { list.add(pkixcrlStore); } } } } if (list.isEmpty() && Properties.isOverrideSet("org.bouncycastle.x509.enableCRLDP")) { CertificateFactory certificateFactory; try { certificateFactory = jcaJceHelper.createCertificateFactory("X.509"); } catch (final Exception ex2) { throw new AnnotatedException("cannot create certificate factory: " + ex2.getMessage(), ex2); } for (int k = 0; k < distributionPoints.length; ++k) { final DistributionPointName distributionPoint2 = distributionPoints[k].getDistributionPoint(); if (distributionPoint2 != null && distributionPoint2.getType() == 0) { final GeneralName[] names2 = GeneralNames.getInstance(distributionPoint2.getName()).getNames(); for (int l = 0; l < names2.length; ++l) { final GeneralName generalName = names2[l]; if (generalName.getTagNo() == 6) { try { final PKIXCRLStore crl = CrlCache.getCrl(certificateFactory, date, new URI(((ASN1String)generalName.getName()).getString())); if (crl != null) { list.add(crl); } break; } catch (final Exception ex3) {} } } } } } return list; } protected static void getCRLIssuersFromDistributionPoint(final DistributionPoint distributionPoint, final Collection collection, final X509CRLSelector x509CRLSelector) throws AnnotatedException { final ArrayList list = new ArrayList(); if (distributionPoint.getCRLIssuer() != null) { final GeneralName[] names = distributionPoint.getCRLIssuer().getNames(); for (int i = 0; i < names.length; ++i) { if (names[i].getTagNo() == 4) { try { list.add(X500Name.getInstance(names[i].getName().toASN1Primitive().getEncoded())); } catch (final IOException ex) { throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", ex); } } } } else { if (distributionPoint.getDistributionPoint() == null) { throw new AnnotatedException("CRL issuer is omitted from distribution point but no distributionPoint field present."); } final Iterator iterator = collection.iterator(); while (iterator.hasNext()) { list.add(iterator.next()); } } final Iterator iterator2 = list.iterator(); while (iterator2.hasNext()) { try { x509CRLSelector.addIssuerName(((X500Name)iterator2.next()).getEncoded()); continue; } catch (final IOException ex2) { throw new AnnotatedException("Cannot decode CRL issuer information.", ex2); } break; } } private static BigInteger getSerialNumber(final Object o) { return ((X509Certificate)o).getSerialNumber(); } protected static void getCertStatus(final Date date, final X509CRL x509CRL, final Object o, final CertStatus certStatus) throws AnnotatedException { boolean indirectCRL; try { indirectCRL = X509CRLObject.isIndirectCRL(x509CRL); } catch (final CRLException ex) { throw new AnnotatedException("Failed check for indirect CRL.", ex); } X509CRLEntry x509CRLEntry; if (indirectCRL) { x509CRLEntry = x509CRL.getRevokedCertificate(getSerialNumber(o)); if (x509CRLEntry == null) { return; } final X500Principal certificateIssuer = x509CRLEntry.getCertificateIssuer(); X500Name x500Name; if (certificateIssuer == null) { x500Name = PrincipalUtils.getIssuerPrincipal(x509CRL); } else { x500Name = PrincipalUtils.getX500Name(certificateIssuer); } if (!PrincipalUtils.getEncodedIssuerPrincipal(o).equals(x500Name)) { return; } } else { if (!PrincipalUtils.getEncodedIssuerPrincipal(o).equals(PrincipalUtils.getIssuerPrincipal(x509CRL))) { return; } x509CRLEntry = x509CRL.getRevokedCertificate(getSerialNumber(o)); if (x509CRLEntry == null) { return; } } ASN1Enumerated instance = null; if (x509CRLEntry.hasExtensions()) { checkCRLEntryCriticalExtensions(x509CRLEntry, "CRL entry has unsupported critical extensions."); try { instance = ASN1Enumerated.getInstance(getExtensionValue(x509CRLEntry, Extension.reasonCode.getId())); } catch (final Exception ex2) { throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", ex2); } } final int certStatus2 = (null == instance) ? 0 : instance.intValueExact(); if (date.getTime() >= x509CRLEntry.getRevocationDate().getTime() || certStatus2 == 0 || certStatus2 == 1 || certStatus2 == 2 || certStatus2 == 10) { certStatus.setCertStatus(certStatus2); certStatus.setRevocationDate(x509CRLEntry.getRevocationDate()); } } protected static Set getDeltaCRLs(final Date date, final X509CRL x509CRL, final List list, final List list2, final JcaJceHelper jcaJceHelper) throws AnnotatedException { final X509CRLSelector x509CRLSelector = new X509CRLSelector(); try { x509CRLSelector.addIssuerName(PrincipalUtils.getIssuerPrincipal(x509CRL).getEncoded()); } catch (final IOException ex) { throw new AnnotatedException("Cannot extract issuer from CRL.", ex); } BigInteger positiveValue = null; try { final ASN1Primitive extensionValue = getExtensionValue(x509CRL, CertPathValidatorUtilities.CRL_NUMBER); if (extensionValue != null) { positiveValue = ASN1Integer.getInstance(extensionValue).getPositiveValue(); } } catch (final Exception ex2) { throw new AnnotatedException("CRL number extension could not be extracted from CRL.", ex2); } byte[] extensionValue2; try { extensionValue2 = x509CRL.getExtensionValue(CertPathValidatorUtilities.ISSUING_DISTRIBUTION_POINT); } catch (final Exception ex3) { throw new AnnotatedException("Issuing distribution point extension value could not be read.", ex3); } x509CRLSelector.setMinCRLNumber((positiveValue == null) ? null : positiveValue.add(BigInteger.valueOf(1L))); final PKIXCRLStoreSelector.Builder builder = new PKIXCRLStoreSelector.Builder(x509CRLSelector); builder.setIssuingDistributionPoint(extensionValue2); builder.setIssuingDistributionPointEnabled(true); builder.setMaxBaseCRLNumber(positiveValue); builder.setDeltaCRLIndicatorEnabled(true); final PKIXCRLStoreSelector build = builder.build(); Set set = getDeltaCRLs(PKIXCRLUtil.findCRLs(build, date, list, list2)); if (set.isEmpty() && Properties.isOverrideSet("org.bouncycastle.x509.enableCRLDP")) { CertificateFactory certificateFactory; try { certificateFactory = jcaJceHelper.createCertificateFactory("X.509"); } catch (final Exception ex4) { throw new AnnotatedException("cannot create certificate factory: " + ex4.getMessage(), ex4); } final DistributionPoint[] distributionPoints = CRLDistPoint.getInstance(extensionValue2).getDistributionPoints(); for (int i = 0; i < distributionPoints.length; ++i) { final DistributionPointName distributionPoint = distributionPoints[i].getDistributionPoint(); if (distributionPoint != null && distributionPoint.getType() == 0) { final GeneralName[] names = GeneralNames.getInstance(distributionPoint.getName()).getNames(); for (int j = 0; j < names.length; ++j) { final GeneralName generalName = names[j]; if (generalName.getTagNo() == 6) { try { final PKIXCRLStore crl = CrlCache.getCrl(certificateFactory, date, new URI(((ASN1String)generalName.getName()).getString())); if (crl != null) { set = getDeltaCRLs(PKIXCRLUtil.findCRLs(build, date, Collections.EMPTY_LIST, Collections.singletonList(crl))); } break; } catch (final Exception ex5) {} } } } } } return set; } private static Set getDeltaCRLs(final Set set) { final HashSet set2 = new HashSet(); for (final X509CRL x509CRL : set) { if (isDeltaCRL(x509CRL)) { set2.add(x509CRL); } } return set2; } private static boolean isDeltaCRL(final X509CRL x509CRL) { return hasCriticalExtension(x509CRL, Extension.deltaCRLIndicator.getId()); } protected static Set getCompleteCRLs(final PKIXCertRevocationCheckerParameters pkixCertRevocationCheckerParameters, final DistributionPoint distributionPoint, final Object o, final PKIXExtendedParameters pkixExtendedParameters, final Date date) throws AnnotatedException, RecoverableCertPathValidatorException { final X509CRLSelector x509CRLSelector = new X509CRLSelector(); try { final HashSet set = new HashSet(); set.add(PrincipalUtils.getEncodedIssuerPrincipal(o)); getCRLIssuersFromDistributionPoint(distributionPoint, set, x509CRLSelector); } catch (final AnnotatedException ex) { throw new AnnotatedException("Could not get issuer information from distribution point.", ex); } if (o instanceof X509Certificate) { x509CRLSelector.setCertificateChecking((X509Certificate)o); } final Set crLs = PKIXCRLUtil.findCRLs(new PKIXCRLStoreSelector.Builder(x509CRLSelector).setCompleteCRLEnabled(true).build(), date, pkixExtendedParameters.getCertStores(), pkixExtendedParameters.getCRLStores()); checkCRLsNotEmpty(pkixCertRevocationCheckerParameters, crLs, o); return crLs; } protected static Date getValidCertDateFromValidityModel(final Date date, final int n, final CertPath certPath, final int n2) throws AnnotatedException { if (1 != n || n2 <= 0) { return date; } final X509Certificate x509Certificate = (X509Certificate)certPath.getCertificates().get(n2 - 1); if (n2 - 1 == 0) { ASN1GeneralizedTime instance = null; try { final byte[] extensionValue = ((X509Certificate)certPath.getCertificates().get(n2 - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId()); if (extensionValue != null) { instance = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extensionValue)); } } catch (final IOException ex) { throw new AnnotatedException("Date of cert gen extension could not be read."); } catch (final IllegalArgumentException ex2) { throw new AnnotatedException("Date of cert gen extension could not be read."); } if (instance != null) { try { return instance.getDate(); } catch (final ParseException ex3) { throw new AnnotatedException("Date from date of cert gen extension could not be parsed.", ex3); } } } return x509Certificate.getNotBefore(); } protected static PublicKey getNextWorkingKey(final List list, final int n, final JcaJceHelper jcaJceHelper) throws CertPathValidatorException { final PublicKey publicKey = list.get(n).getPublicKey(); if (!(publicKey instanceof DSAPublicKey)) { return publicKey; } final DSAPublicKey dsaPublicKey = (DSAPublicKey)publicKey; if (dsaPublicKey.getParams() != null) { return dsaPublicKey; } for (int i = n + 1; i < list.size(); ++i) { final PublicKey publicKey2 = list.get(i).getPublicKey(); if (!(publicKey2 instanceof DSAPublicKey)) { throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate."); } final DSAPublicKey dsaPublicKey2 = (DSAPublicKey)publicKey2; if (dsaPublicKey2.getParams() != null) { final DSAParams params = dsaPublicKey2.getParams(); final DSAPublicKeySpec keySpec = new DSAPublicKeySpec(dsaPublicKey.getY(), params.getP(), params.getQ(), params.getG()); try { return jcaJceHelper.createKeyFactory("DSA").generatePublic(keySpec); } catch (final Exception ex) { throw new RuntimeException(ex.getMessage()); } } } throw new CertPathValidatorException("DSA parameters cannot be inherited from previous certificate."); } static Collection findIssuerCerts(final X509Certificate x509Certificate, final List list, final List list2) throws AnnotatedException { final X509CertSelector x509CertSelector = new X509CertSelector(); try { x509CertSelector.setSubject(PrincipalUtils.getIssuerPrincipal(x509Certificate).getEncoded()); } catch (final Exception ex) { throw new AnnotatedException("Subject criteria for certificate selector to find issuer certificate could not be set.", ex); } final PKIXCertStoreSelector build = new PKIXCertStoreSelector.Builder(x509CertSelector).build(); final LinkedHashSet set = new LinkedHashSet(); try { findCertificates(set, build, list); findCertificates(set, build, list2); } catch (final AnnotatedException ex2) { throw new AnnotatedException("Issuer certificate cannot be searched.", ex2); } return set; } protected static void verifyX509Certificate(final X509Certificate x509Certificate, final PublicKey publicKey, final String s) throws GeneralSecurityException { if (s == null) { x509Certificate.verify(publicKey); } else { x509Certificate.verify(publicKey, s); } } static void checkCRLsNotEmpty(final PKIXCertRevocationCheckerParameters pkixCertRevocationCheckerParameters, final Set set, final Object o) throws RecoverableCertPathValidatorException { if (!set.isEmpty()) { return; } if (o instanceof X509AttributeCertificate) { throw new RecoverableCertPathValidatorException("No CRLs found for issuer \"" + ((X509AttributeCertificate)o).getIssuer().getPrincipals()[0] + "\"", null, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } throw new RecoverableCertPathValidatorException("No CRLs found for issuer \"" + RFC4519Style.INSTANCE.toString(PrincipalUtils.getIssuerPrincipal((X509Certificate)o)) + "\"", null, pkixCertRevocationCheckerParameters.getCertPath(), pkixCertRevocationCheckerParameters.getIndex()); } static void checkCRLCriticalExtensions(final X509CRL x509CRL, final String s) throws AnnotatedException { final Set criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs(); if (criticalExtensionOIDs != null) { int size = criticalExtensionOIDs.size(); if (size > 0) { if (criticalExtensionOIDs.contains(Extension.issuingDistributionPoint.getId())) { --size; } if (criticalExtensionOIDs.contains(Extension.deltaCRLIndicator.getId())) { --size; } if (size > 0) { throw new AnnotatedException(s); } } } } static void checkCRLEntryCriticalExtensions(final X509CRLEntry x509CRLEntry, final String s) throws AnnotatedException { if (x509CRLEntry.hasUnsupportedCriticalExtension()) { throw new AnnotatedException(s); } } static PKIXPolicyNode findValidPolicy(final Iterator iterator, final String s) { while (iterator.hasNext()) { final PKIXPolicyNode pkixPolicyNode = iterator.next(); if (s.equals(pkixPolicyNode.getValidPolicy())) { return pkixPolicyNode; } } return null; } static boolean hasCriticalExtension(final X509Certificate x509Certificate, final String s) { return hasCriticalExtension(x509Certificate.getCriticalExtensionOIDs(), s); } static boolean hasCriticalExtension(final X509CRL x509CRL, final String s) { return hasCriticalExtension(x509CRL.getCriticalExtensionOIDs(), s); } private static boolean hasCriticalExtension(final Set set, final String s) { return set != null && set.contains(s); } static { CERTIFICATE_POLICIES = Extension.certificatePolicies.getId(); BASIC_CONSTRAINTS = Extension.basicConstraints.getId(); POLICY_MAPPINGS = Extension.policyMappings.getId(); SUBJECT_ALTERNATIVE_NAME = Extension.subjectAlternativeName.getId(); NAME_CONSTRAINTS = Extension.nameConstraints.getId(); KEY_USAGE = Extension.keyUsage.getId(); INHIBIT_ANY_POLICY = Extension.inhibitAnyPolicy.getId(); ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId(); DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId(); POLICY_CONSTRAINTS = Extension.policyConstraints.getId(); FRESHEST_CRL = Extension.freshestCRL.getId(); CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId(); AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId(); CRL_NUMBER = Extension.cRLNumber.getId(); crlReasons = new String[] { "unspecified", "keyCompromise", "cACompromise", "affiliationChanged", "superseded", "cessationOfOperation", "certificateHold", "unknown", "removeFromCRL", "privilegeWithdrawn", "aACompromise" }; } }