Package org.bouncycastle.jce.provider

Class CertPathValidatorUtilities

java.lang.Object
org.bouncycastle.jce.provider.CertPathValidatorUtilities
public class CertPathValidatorUtilities
extends Object

  • Field Details

    • CRL_UTIL

      protected static final PKIXCRLUtil CRL_UTIL

    • CERTIFICATE_POLICIES

      protected static final String CERTIFICATE_POLICIES

    • BASIC_CONSTRAINTS

      protected static final String BASIC_CONSTRAINTS

    • POLICY_MAPPINGS

      protected static final String POLICY_MAPPINGS

    • SUBJECT_ALTERNATIVE_NAME

      protected static final String SUBJECT_ALTERNATIVE_NAME

    • NAME_CONSTRAINTS

      protected static final String NAME_CONSTRAINTS

    • KEY_USAGE

      protected static final String KEY_USAGE

    • INHIBIT_ANY_POLICY

      protected static final String INHIBIT_ANY_POLICY

    • ISSUING_DISTRIBUTION_POINT

      protected static final String ISSUING_DISTRIBUTION_POINT

    • DELTA_CRL_INDICATOR

      protected static final String DELTA_CRL_INDICATOR

    • POLICY_CONSTRAINTS

      protected static final String POLICY_CONSTRAINTS

    • FRESHEST_CRL

      protected static final String FRESHEST_CRL

    • CRL_DISTRIBUTION_POINTS

      protected static final String CRL_DISTRIBUTION_POINTS

    • AUTHORITY_KEY_IDENTIFIER

      protected static final String AUTHORITY_KEY_IDENTIFIER

    • ANY_POLICY

      protected static final String ANY_POLICY
      See Also:
      Constant Field Values

    • CRL_NUMBER

      protected static final String CRL_NUMBER

    • KEY_CERT_SIGN

      protected static final int KEY_CERT_SIGN
      See Also:
      Constant Field Values

    • CRL_SIGN

      protected static final int CRL_SIGN
      See Also:
      Constant Field Values

    • crlReasons

      protected static final String[] crlReasons

  • Constructor Details

    • CertPathValidatorUtilities

      public CertPathValidatorUtilities()

  • Method Details

    • findTrustAnchor

      protected static TrustAnchor findTrustAnchor​(X509Certificate cert, Set trustAnchors) throws AnnotatedException
      Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the default provider for signature verification.
      Parameters:
      cert - the X509 certificate
      trustAnchors - a Set of TrustAnchor's
      Returns:
      the TrustAnchor object if found or null if not.
      Throws:
      AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

    • findTrustAnchor

      protected static TrustAnchor findTrustAnchor​(X509Certificate cert, Set trustAnchors, String sigProvider) throws AnnotatedException
      Search the given Set of TrustAnchor's for one that is the issuer of the given X509 certificate. Uses the specified provider for signature verification, or the default provider if null.
      Parameters:
      cert - the X509 certificate
      trustAnchors - a Set of TrustAnchor's
      sigProvider - the provider to use for signature verification
      Returns:
      the TrustAnchor object if found or null if not.
      Throws:
      AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.

    • addAdditionalStoresFromAltNames

      protected static void addAdditionalStoresFromAltNames​(X509Certificate cert, ExtendedPKIXParameters pkixParams) throws CertificateParsingException
      Throws:
      CertificateParsingException

    • getEncodedIssuerPrincipal

      protected static X500Principal getEncodedIssuerPrincipal​(Object cert)
      Returns the issuer of an attribute certificate or certificate.
      Parameters:
      cert - The attribute certificate or certificate.
      Returns:
      The issuer as X500Principal.

    • getValidDate

      protected static Date getValidDate​(PKIXParameters paramsPKIX)

    • getSubjectPrincipal

      protected static X500Principal getSubjectPrincipal​(X509Certificate cert)

    • isSelfIssued

      protected static boolean isSelfIssued​(X509Certificate cert)

    • getExtensionValue

      protected static ASN1Primitive getExtensionValue​(X509Extension ext, String oid) throws AnnotatedException
      Extract the value of the given extension, if it exists.
      Parameters:
      ext - The extension object.
      oid - The object identifier to obtain.
      Throws:
      AnnotatedException - if the extension cannot be read.

    • getIssuerPrincipal

      protected static X500Principal getIssuerPrincipal​(X509CRL crl)

    • getAlgorithmIdentifier

      protected static AlgorithmIdentifier getAlgorithmIdentifier​(PublicKey key) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • getQualifierSet

      protected static final Set getQualifierSet​(ASN1Sequence qualifiers) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • removePolicyNode

      protected static PKIXPolicyNode removePolicyNode​(PKIXPolicyNode validPolicyTree, List[] policyNodes, PKIXPolicyNode _node)

    • processCertD1i

      protected static boolean processCertD1i​(int index, List[] policyNodes, DERObjectIdentifier pOid, Set pq)

    • processCertD1ii

      protected static void processCertD1ii​(int index, List[] policyNodes, DERObjectIdentifier _poid, Set _pq)

    • prepareNextCertB1

      protected static void prepareNextCertB1​(int i, List[] policyNodes, String id_p, Map m_idp, X509Certificate cert) throws AnnotatedException, CertPathValidatorException
      Throws:
      AnnotatedException
      CertPathValidatorException

    • prepareNextCertB2

      protected static PKIXPolicyNode prepareNextCertB2​(int i, List[] policyNodes, String id_p, PKIXPolicyNode validPolicyTree)

    • isAnyPolicy

      protected static boolean isAnyPolicy​(Set policySet)

    • addAdditionalStoreFromLocation

      protected static void addAdditionalStoreFromLocation​(String location, ExtendedPKIXParameters pkixParams)

    • findCertificates

      protected static Collection findCertificates​(X509CertStoreSelector certSelect, List certStores) throws AnnotatedException
      Return a Collection of all certificates or attribute certificates found in the X509Store's that are matching the certSelect criteriums.
      Parameters:
      certSelect - a Selector object that will be used to select the certificates
      certStores - a List containing only X509Store objects. These are used to search for certificates.
      Returns:
      a Collection of all found X509Certificate or X509AttributeCertificate objects. May be empty but never null.
      Throws:
      AnnotatedException

    • addAdditionalStoresFromCRLDistributionPoint

      protected static void addAdditionalStoresFromCRLDistributionPoint​(CRLDistPoint crldp, ExtendedPKIXParameters pkixParams) throws AnnotatedException
      Throws:
      AnnotatedException

    • getCRLIssuersFromDistributionPoint

      protected static void getCRLIssuersFromDistributionPoint​(DistributionPoint dp, Collection issuerPrincipals, X509CRLSelector selector, ExtendedPKIXParameters pkixParams) throws AnnotatedException
      Add the CRL issuers from the cRLIssuer field of the distribution point or from the certificate if not given to the issuer criterion of the selector.

      The issuerPrincipals are a collection with a single X500Principal for X509Certificates. For X509AttributeCertificates the issuer may contain more than one X500Principal.

      Parameters:
      dp - The distribution point.
      issuerPrincipals - The issuers of the certificate or attribute certificate which contains the distribution point.
      selector - The CRL selector.
      pkixParams - The PKIX parameters containing the cert stores.
      Throws:
      AnnotatedException - if an exception occurs while processing.
      ClassCastException - if issuerPrincipals does not contain only X500Principals.

    • getCertStatus

      protected static void getCertStatus​(Date validDate, X509CRL crl, Object cert, org.bouncycastle.jce.provider.CertStatus certStatus) throws AnnotatedException
      Throws:
      AnnotatedException

    • getDeltaCRLs

      protected static Set getDeltaCRLs​(Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException
      Fetches delta CRLs according to RFC 3280 section 5.2.4.
      Parameters:
      currentDate - The date for which the delta CRLs must be valid.
      paramsPKIX - The extended PKIX parameters.
      completeCRL - The complete CRL the delta CRL is for.
      Returns:
      A Set of X509CRLs with delta CRLs.
      Throws:
      AnnotatedException - if an exception occurs while picking the delta CRLs.

    • getCompleteCRLs

      protected static Set getCompleteCRLs​(DistributionPoint dp, Object cert, Date currentDate, ExtendedPKIXParameters paramsPKIX) throws AnnotatedException
      Fetches complete CRLs according to RFC 3280.
      Parameters:
      dp - The distribution point for which the complete CRL
      cert - The X509Certificate or X509AttributeCertificate for which the CRL should be searched.
      currentDate - The date for which the delta CRLs must be valid.
      paramsPKIX - The extended PKIX parameters.
      Returns:
      A Set of X509CRLs with complete CRLs.
      Throws:
      AnnotatedException - if an exception occurs while picking the CRLs or no CRLs are found.

    • getValidCertDateFromValidityModel

      protected static Date getValidCertDateFromValidityModel​(ExtendedPKIXParameters paramsPKIX, CertPath certPath, int index) throws AnnotatedException
      Throws:
      AnnotatedException

    • getNextWorkingKey

      protected static PublicKey getNextWorkingKey​(List certs, int index) throws CertPathValidatorException
      Return the next working key inheriting DSA parameters if necessary.

      This methods inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.

      If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also only returned.

      Parameters:
      certs - The certification path.
      index - The index of the certificate which contains the public key which should be extended with DSA parameters.
      Returns:
      The public key of the certificate in list position index extended with DSA parameters if applicable.
      Throws:
      AnnotatedException - if DSA parameters cannot be inherited.
      CertPathValidatorException

    • findIssuerCerts

      protected static Collection findIssuerCerts​(X509Certificate cert, ExtendedPKIXBuilderParameters pkixParams) throws AnnotatedException
      Find the issuer certificates of a given certificate.
      Parameters:
      cert - The certificate for which an issuer should be found.
      pkixParams -
      Returns:
      A Collection object containing the issuer X509Certificates. Never null.
      Throws:
      AnnotatedException - if an error occurs.

    • verifyX509Certificate

      protected static void verifyX509Certificate​(X509Certificate cert, PublicKey publicKey, String sigProvider) throws GeneralSecurityException
      Throws:
      GeneralSecurityException