// // Decompiled by Procyon v0.6.0 // package org.bouncycastle.pkix.jcajce; import java.security.cert.CRLSelector; import org.bouncycastle.jcajce.PKIXCRLStoreSelector; import java.security.cert.X509CRLSelector; import org.bouncycastle.jcajce.PKIXCRLStore; import java.util.Collection; import org.bouncycastle.asn1.x509.CRLDistPoint; import java.util.Date; import java.security.cert.CertPathBuilder; import java.util.Iterator; import java.security.cert.Certificate; import org.bouncycastle.util.Properties; import java.util.HashSet; import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathBuilderException; import java.security.cert.CertPathParameters; import org.bouncycastle.jcajce.PKIXExtendedBuilderParameters; import java.util.LinkedHashSet; import java.security.cert.CertSelector; import org.bouncycastle.jcajce.PKIXCertStoreSelector; import java.security.cert.X509CertSelector; import java.util.Set; import org.bouncycastle.jcajce.util.JcaJceHelper; import java.util.List; import org.bouncycastle.jcajce.PKIXExtendedParameters; import java.security.PublicKey; import org.bouncycastle.asn1.ASN1Primitive; import java.io.IOException; import org.bouncycastle.util.Arrays; import java.util.Enumeration; import org.bouncycastle.asn1.x509.DistributionPointName; import org.bouncycastle.asn1.x509.BasicConstraints; import java.security.cert.X509Certificate; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.x509.GeneralNames; import java.util.ArrayList; import org.bouncycastle.asn1.x509.IssuingDistributionPoint; import java.security.cert.X509Extension; import org.bouncycastle.asn1.x509.Extension; import java.security.cert.X509CRL; import org.bouncycastle.asn1.x509.DistributionPoint; class RFC3280CertPathUtilities { public static final String ISSUING_DISTRIBUTION_POINT; public static final String FRESHEST_CRL; public static final String DELTA_CRL_INDICATOR; public static final String BASIC_CONSTRAINTS; public static final String AUTHORITY_KEY_IDENTIFIER; protected static final int KEY_CERT_SIGN = 5; protected static final int CRL_SIGN = 6; protected static void processCRLB2(final DistributionPoint distributionPoint, final Object o, final X509CRL x509CRL) throws AnnotatedException { IssuingDistributionPoint instance; try { instance = IssuingDistributionPoint.getInstance(RevocationUtilities.getExtensionValue(x509CRL, Extension.issuingDistributionPoint)); } catch (final Exception ex) { throw new AnnotatedException("Issuing distribution point extension could not be decoded.", ex); } if (instance != null) { if (instance.getDistributionPoint() != null) { final DistributionPointName distributionPoint2 = IssuingDistributionPoint.getInstance(instance).getDistributionPoint(); final ArrayList list = new ArrayList(); if (distributionPoint2.getType() == 0) { final GeneralName[] names = GeneralNames.getInstance(distributionPoint2.getName()).getNames(); for (int i = 0; i < names.length; ++i) { list.add(names[i]); } } if (distributionPoint2.getType() == 1) { final ASN1EncodableVector asn1EncodableVector = new ASN1EncodableVector(); try { final Enumeration objects = ASN1Sequence.getInstance(x509CRL.getIssuerX500Principal().getEncoded()).getObjects(); while (objects.hasMoreElements()) { asn1EncodableVector.add((ASN1Encodable)objects.nextElement()); } } catch (final Exception ex2) { throw new AnnotatedException("Could not read CRL issuer.", ex2); } asn1EncodableVector.add(distributionPoint2.getName()); list.add(new GeneralName(X500Name.getInstance(new DERSequence(asn1EncodableVector)))); } int n = 0; if (distributionPoint.getDistributionPoint() != null) { final DistributionPointName distributionPoint3 = distributionPoint.getDistributionPoint(); GeneralName[] array = null; if (distributionPoint3.getType() == 0) { array = GeneralNames.getInstance(distributionPoint3.getName()).getNames(); } if (distributionPoint3.getType() == 1) { if (distributionPoint.getCRLIssuer() != null) { array = distributionPoint.getCRLIssuer().getNames(); } else { array = new GeneralName[] { null }; try { array[0] = new GeneralName(X500Name.getInstance(((X509Certificate)o).getIssuerX500Principal().getEncoded())); } catch (final Exception ex3) { throw new AnnotatedException("Could not read certificate issuer.", ex3); } } for (int j = 0; j < array.length; ++j) { final Enumeration objects2 = ASN1Sequence.getInstance(array[j].getName().toASN1Primitive()).getObjects(); final ASN1EncodableVector asn1EncodableVector2 = new ASN1EncodableVector(); while (objects2.hasMoreElements()) { asn1EncodableVector2.add(objects2.nextElement()); } asn1EncodableVector2.add(distributionPoint3.getName()); array[j] = new GeneralName(X500Name.getInstance(new DERSequence(asn1EncodableVector2))); } } if (array != null) { for (int k = 0; k < array.length; ++k) { if (list.contains(array[k])) { n = 1; break; } } } if (n == 0) { throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); } } else { if (distributionPoint.getCRLIssuer() == null) { throw new AnnotatedException("Either the cRLIssuer or the distributionPoint field must be contained in DistributionPoint."); } final GeneralName[] names2 = distributionPoint.getCRLIssuer().getNames(); for (int l = 0; l < names2.length; ++l) { if (list.contains(names2[l])) { n = 1; break; } } if (n == 0) { throw new AnnotatedException("No match for certificate CRL issuing distribution point name to cRLIssuer CRL distribution point."); } } } BasicConstraints instance2; try { instance2 = BasicConstraints.getInstance(RevocationUtilities.getExtensionValue((X509Extension)o, Extension.basicConstraints)); } catch (final Exception ex4) { throw new AnnotatedException("Basic constraints extension could not be decoded.", ex4); } if (o instanceof X509Certificate) { if (instance.onlyContainsUserCerts() && instance2 != null && instance2.isCA()) { throw new AnnotatedException("CA Cert CRL only contains user certificates."); } if (instance.onlyContainsCACerts() && (instance2 == null || !instance2.isCA())) { throw new AnnotatedException("End CRL only contains CA certificates."); } } if (instance.onlyContainsAttributeCerts()) { throw new AnnotatedException("onlyContainsAttributeCerts boolean is asserted."); } } } protected static void processCRLB1(final DistributionPoint distributionPoint, final Object o, final X509CRL x509CRL) throws AnnotatedException { final ASN1Primitive extensionValue = RevocationUtilities.getExtensionValue(x509CRL, Extension.issuingDistributionPoint); boolean b = false; if (extensionValue != null && IssuingDistributionPoint.getInstance(extensionValue).isIndirectCRL()) { b = true; } final byte[] encoded = x509CRL.getIssuerX500Principal().getEncoded(); int n = 0; if (distributionPoint.getCRLIssuer() != null) { final GeneralName[] names = distributionPoint.getCRLIssuer().getNames(); for (int i = 0; i < names.length; ++i) { if (names[i].getTagNo() == 4) { try { if (Arrays.areEqual(names[i].getName().toASN1Primitive().getEncoded(), encoded)) { n = 1; } } catch (final IOException ex) { throw new AnnotatedException("CRL issuer information from distribution point cannot be decoded.", ex); } } } if (n != 0 && !b) { throw new AnnotatedException("Distribution point contains cRLIssuer field but CRL is not indirect."); } if (n == 0) { throw new AnnotatedException("CRL issuer of CRL does not match CRL issuer of distribution point."); } } else if (x509CRL.getIssuerX500Principal().equals(((X509Certificate)o).getIssuerX500Principal())) { n = 1; } if (n == 0) { throw new AnnotatedException("Cannot find matching CRL issuer for certificate."); } } protected static ReasonsMask processCRLD(final X509CRL x509CRL, final DistributionPoint distributionPoint) throws AnnotatedException { IssuingDistributionPoint instance; try { instance = IssuingDistributionPoint.getInstance(RevocationUtilities.getExtensionValue(x509CRL, Extension.issuingDistributionPoint)); } catch (final Exception ex) { throw new AnnotatedException("Issuing distribution point extension could not be decoded.", ex); } if (instance != null && instance.getOnlySomeReasons() != null && distributionPoint.getReasons() != null) { return new ReasonsMask(distributionPoint.getReasons()).intersect(new ReasonsMask(instance.getOnlySomeReasons())); } if ((instance == null || instance.getOnlySomeReasons() == null) && distributionPoint.getReasons() == null) { return ReasonsMask.allReasons; } return ((distributionPoint.getReasons() == null) ? ReasonsMask.allReasons : new ReasonsMask(distributionPoint.getReasons())).intersect((instance == null) ? ReasonsMask.allReasons : new ReasonsMask(instance.getOnlySomeReasons())); } protected static Set processCRLF(final X509CRL x509CRL, final Object o, final X509Certificate x509Certificate, final PublicKey publicKey, final PKIXExtendedParameters pkixExtendedParameters, final List list, final JcaJceHelper jcaJceHelper) throws AnnotatedException { final X509CertSelector x509CertSelector = new X509CertSelector(); try { x509CertSelector.setSubject(x509CRL.getIssuerX500Principal().getEncoded()); } catch (final IOException ex) { throw new AnnotatedException("subject criteria for certificate selector to find issuer certificate for CRL could not be set", ex); } final PKIXCertStoreSelector build = new PKIXCertStoreSelector.Builder(x509CertSelector).build(); final LinkedHashSet set = new LinkedHashSet(); try { RevocationUtilities.findCertificates(set, build, pkixExtendedParameters.getCertificateStores()); RevocationUtilities.findCertificates(set, build, pkixExtendedParameters.getCertStores()); } catch (final AnnotatedException ex2) { throw new AnnotatedException("Issuer certificate for CRL cannot be searched.", ex2); } set.add(x509Certificate); final ArrayList list2 = new ArrayList(); final ArrayList list3 = new ArrayList(); for (final X509Certificate certificate : set) { if (certificate.equals(x509Certificate)) { list2.add(certificate); list3.add(publicKey); } else { try { final CertPathBuilder certPathBuilder = jcaJceHelper.createCertPathBuilder("PKIX"); final X509CertSelector x509CertSelector2 = new X509CertSelector(); x509CertSelector2.setCertificate(certificate); final PKIXExtendedParameters.Builder setTargetConstraints = new PKIXExtendedParameters.Builder(pkixExtendedParameters).setTargetConstraints(new PKIXCertStoreSelector.Builder(x509CertSelector2).build()); if (list.contains(certificate)) { setTargetConstraints.setRevocationEnabled(false); } else { setTargetConstraints.setRevocationEnabled(true); } final List certificates = certPathBuilder.build(new PKIXExtendedBuilderParameters.Builder(setTargetConstraints.build()).build()).getCertPath().getCertificates(); list2.add(certificate); list3.add(RevocationUtilities.getNextWorkingKey(certificates, 0, jcaJceHelper)); } catch (final CertPathBuilderException ex3) { throw new AnnotatedException("CertPath for CRL signer failed to validate.", ex3); } catch (final CertPathValidatorException ex4) { throw new AnnotatedException("Public key of issuer certificate of CRL could not be retrieved.", ex4); } catch (final Exception ex5) { throw new AnnotatedException(ex5.getMessage()); } } } final HashSet set2 = new HashSet(); Object o2 = null; for (int i = 0; i < list2.size(); ++i) { final boolean[] keyUsage = ((X509Certificate)list2.get(i)).getKeyUsage(); if (keyUsage == null) { if (Properties.isOverrideSet("org.bouncycastle.x509.allow_ca_without_crl_sign", true)) { set2.add(list3.get(i)); } else { o2 = new AnnotatedException("No key usage extension on issuer certificate."); } } else if (keyUsage.length <= 6 || !keyUsage[6]) { o2 = new AnnotatedException("Issuer certificate key usage extension does not permit CRL signing."); } else { set2.add(list3.get(i)); } } if (set2.isEmpty() && o2 == null) { throw new AnnotatedException("Cannot find a valid issuer certificate."); } if (set2.isEmpty() && o2 != null) { throw o2; } return set2; } protected static PublicKey processCRLG(final X509CRL x509CRL, final Set set) throws AnnotatedException { Throwable t = null; for (final PublicKey publicKey : set) { try { x509CRL.verify(publicKey); return publicKey; } catch (final Exception ex) { t = ex; continue; } break; } throw new AnnotatedException("Cannot verify CRL.", t); } protected static X509CRL processCRLH(final Set set, final PublicKey publicKey) throws AnnotatedException { Throwable t = null; for (final X509CRL x509CRL : set) { try { x509CRL.verify(publicKey); return x509CRL; } catch (final Exception ex) { t = ex; continue; } break; } if (t != null) { throw new AnnotatedException("Cannot verify delta CRL.", t); } return null; } protected static Set processCRLA1i(final PKIXExtendedParameters pkixExtendedParameters, final Date date, final X509Certificate x509Certificate, final X509CRL x509CRL) throws AnnotatedException { final HashSet set = new HashSet(); if (pkixExtendedParameters.isUseDeltasEnabled()) { CRLDistPoint crlDistPoint; try { crlDistPoint = CRLDistPoint.getInstance(RevocationUtilities.getExtensionValue(x509Certificate, Extension.freshestCRL)); } catch (final AnnotatedException ex) { throw new AnnotatedException("Freshest CRL extension could not be decoded from certificate.", ex); } if (crlDistPoint == null) { try { crlDistPoint = CRLDistPoint.getInstance(RevocationUtilities.getExtensionValue(x509CRL, Extension.freshestCRL)); } catch (final AnnotatedException ex2) { throw new AnnotatedException("Freshest CRL extension could not be decoded from CRL.", ex2); } } if (crlDistPoint != null) { final ArrayList list = new ArrayList(); list.addAll(pkixExtendedParameters.getCRLStores()); try { list.addAll(RevocationUtilities.getAdditionalStoresFromCRLDistributionPoint(crlDistPoint, pkixExtendedParameters.getNamedCRLStoreMap())); } catch (final AnnotatedException ex3) { throw new AnnotatedException("No new delta CRL locations could be added from Freshest CRL extension.", ex3); } try { set.addAll(RevocationUtilities.getDeltaCRLs(date, x509CRL, pkixExtendedParameters.getCertStores(), list)); } catch (final AnnotatedException ex4) { throw new AnnotatedException("Exception obtaining delta CRLs.", ex4); } } } return set; } protected static Set[] processCRLA1ii(final PKIXExtendedParameters pkixExtendedParameters, final Date date, final Date date2, final X509Certificate certificateChecking, final X509CRL x509CRL) throws AnnotatedException { final X509CRLSelector x509CRLSelector = new X509CRLSelector(); x509CRLSelector.setCertificateChecking(certificateChecking); try { x509CRLSelector.addIssuerName(x509CRL.getIssuerX500Principal().getEncoded()); } catch (final IOException obj) { throw new AnnotatedException("Cannot extract issuer from CRL." + obj, obj); } final Set crLs = PKIXCRLUtil.findCRLs(new PKIXCRLStoreSelector.Builder(x509CRLSelector).setCompleteCRLEnabled(true).build(), date2, pkixExtendedParameters.getCertStores(), pkixExtendedParameters.getCRLStores()); final HashSet set = new HashSet(); if (pkixExtendedParameters.isUseDeltasEnabled()) { try { set.addAll(RevocationUtilities.getDeltaCRLs(date2, x509CRL, pkixExtendedParameters.getCertStores(), pkixExtendedParameters.getCRLStores())); } catch (final AnnotatedException ex) { throw new AnnotatedException("Exception obtaining delta CRLs.", ex); } } return new Set[] { crLs, set }; } protected static void processCRLC(final X509CRL x509CRL, final X509CRL x509CRL2, final PKIXExtendedParameters pkixExtendedParameters) throws AnnotatedException { if (x509CRL == null) { return; } IssuingDistributionPoint instance; try { instance = IssuingDistributionPoint.getInstance(RevocationUtilities.getExtensionValue(x509CRL2, Extension.issuingDistributionPoint)); } catch (final Exception ex) { throw new AnnotatedException("issuing distribution point extension could not be decoded.", ex); } if (pkixExtendedParameters.isUseDeltasEnabled()) { if (!x509CRL.getIssuerX500Principal().equals(x509CRL2.getIssuerX500Principal())) { throw new AnnotatedException("complete CRL issuer does not match delta CRL issuer"); } IssuingDistributionPoint instance2; try { instance2 = IssuingDistributionPoint.getInstance(RevocationUtilities.getExtensionValue(x509CRL, Extension.issuingDistributionPoint)); } catch (final Exception ex2) { throw new AnnotatedException("Issuing distribution point extension from delta CRL could not be decoded.", ex2); } boolean b = false; if (instance == null) { if (instance2 == null) { b = true; } } else if (instance.equals(instance2)) { b = true; } if (!b) { throw new AnnotatedException("Issuing distribution point extension from delta CRL and complete CRL does not match."); } ASN1Primitive extensionValue; try { extensionValue = RevocationUtilities.getExtensionValue(x509CRL2, Extension.authorityKeyIdentifier); } catch (final AnnotatedException ex3) { throw new AnnotatedException("Authority key identifier extension could not be extracted from complete CRL.", ex3); } ASN1Primitive extensionValue2; try { extensionValue2 = RevocationUtilities.getExtensionValue(x509CRL, Extension.authorityKeyIdentifier); } catch (final AnnotatedException ex4) { throw new AnnotatedException("Authority key identifier extension could not be extracted from delta CRL.", ex4); } if (extensionValue == null) { throw new AnnotatedException("CRL authority key identifier is null."); } if (extensionValue2 == null) { throw new AnnotatedException("Delta CRL authority key identifier is null."); } if (!extensionValue.equals(extensionValue2)) { throw new AnnotatedException("Delta CRL authority key identifier does not match complete CRL authority key identifier."); } } } protected static void processCRLI(final Date date, final X509CRL x509CRL, final Object o, final CertStatus certStatus, final PKIXExtendedParameters pkixExtendedParameters) throws AnnotatedException { if (pkixExtendedParameters.isUseDeltasEnabled() && x509CRL != null) { RevocationUtilities.getCertStatus(date, x509CRL, o, certStatus); } } protected static void processCRLJ(final Date date, final X509CRL x509CRL, final Object o, final CertStatus certStatus) throws AnnotatedException { if (certStatus.getCertStatus() == 11) { RevocationUtilities.getCertStatus(date, x509CRL, o, certStatus); } } static void checkCRL(final DistributionPoint distributionPoint, final PKIXExtendedParameters pkixExtendedParameters, final Date date, final Date date2, final X509Certificate x509Certificate, final X509Certificate x509Certificate2, final PublicKey publicKey, final CertStatus certStatus, final ReasonsMask reasonsMask, final List list, final JcaJceHelper jcaJceHelper) throws AnnotatedException, CRLNotFoundException { if (date2.getTime() > date.getTime()) { throw new AnnotatedException("Validation time is in future."); } final Set completeCRLs = RevocationUtilities.getCompleteCRLs(distributionPoint, x509Certificate, date2, pkixExtendedParameters.getCertStores(), pkixExtendedParameters.getCRLStores()); boolean b = false; AnnotatedException ex = null; final Iterator iterator = completeCRLs.iterator(); while (iterator.hasNext() && certStatus.getCertStatus() == 11 && !reasonsMask.isAllReasons()) { try { final X509CRL x509CRL = (X509CRL)iterator.next(); final ReasonsMask processCRLD = processCRLD(x509CRL, distributionPoint); if (!processCRLD.hasNewReasons(reasonsMask)) { continue; } final PublicKey processCRLG = processCRLG(x509CRL, processCRLF(x509CRL, x509Certificate, x509Certificate2, publicKey, pkixExtendedParameters, list, jcaJceHelper)); X509CRL processCRLH = null; if (pkixExtendedParameters.isUseDeltasEnabled()) { processCRLH = processCRLH(RevocationUtilities.getDeltaCRLs(date2, x509CRL, pkixExtendedParameters.getCertStores(), pkixExtendedParameters.getCRLStores()), processCRLG); } if (pkixExtendedParameters.getValidityModel() != 1 && x509Certificate.getNotAfter().getTime() < x509CRL.getThisUpdate().getTime()) { throw new AnnotatedException("No valid CRL for current time found."); } processCRLB1(distributionPoint, x509Certificate, x509CRL); processCRLB2(distributionPoint, x509Certificate, x509CRL); processCRLC(processCRLH, x509CRL, pkixExtendedParameters); processCRLI(date2, processCRLH, x509Certificate, certStatus, pkixExtendedParameters); processCRLJ(date2, x509CRL, x509Certificate, certStatus); if (certStatus.getCertStatus() == 8) { certStatus.setCertStatus(11); } reasonsMask.addReasons(processCRLD); final Set criticalExtensionOIDs = x509CRL.getCriticalExtensionOIDs(); if (criticalExtensionOIDs != null) { final HashSet set = new HashSet(criticalExtensionOIDs); set.remove(Extension.issuingDistributionPoint.getId()); set.remove(Extension.deltaCRLIndicator.getId()); if (!set.isEmpty()) { throw new AnnotatedException("CRL contains unsupported critical extensions."); } } if (processCRLH != null) { final Set criticalExtensionOIDs2 = processCRLH.getCriticalExtensionOIDs(); if (criticalExtensionOIDs2 != null) { final HashSet set2 = new HashSet(criticalExtensionOIDs2); set2.remove(Extension.issuingDistributionPoint.getId()); set2.remove(Extension.deltaCRLIndicator.getId()); if (!set2.isEmpty()) { throw new AnnotatedException("Delta CRL contains unsupported critical extension."); } } } b = true; } catch (final AnnotatedException ex2) { ex = ex2; } } if (!b) { throw ex; } } static { ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId(); FRESHEST_CRL = Extension.freshestCRL.getId(); DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId(); BASIC_CONSTRAINTS = Extension.basicConstraints.getId(); AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId(); } }