class CertPathValidatorUtilities
extends java.lang.Object
Modifier and Type | Field and Description |
---|---|
protected static java.lang.String |
ANY_POLICY |
protected static java.lang.String |
AUTHORITY_KEY_IDENTIFIER |
protected static java.lang.String |
BASIC_CONSTRAINTS |
protected static java.lang.String |
CERTIFICATE_POLICIES |
protected static java.lang.String |
CRL_DISTRIBUTION_POINTS |
protected static java.lang.String |
CRL_NUMBER |
protected static int |
CRL_SIGN |
protected static PKIXCRLUtil |
CRL_UTIL |
protected static java.lang.String[] |
crlReasons |
protected static java.lang.String |
DELTA_CRL_INDICATOR |
protected static java.lang.String |
FRESHEST_CRL |
protected static java.lang.String |
INHIBIT_ANY_POLICY |
protected static java.lang.String |
ISSUING_DISTRIBUTION_POINT |
protected static int |
KEY_CERT_SIGN |
protected static java.lang.String |
KEY_USAGE |
protected static java.lang.String |
NAME_CONSTRAINTS |
protected static java.lang.String |
POLICY_CONSTRAINTS |
protected static java.lang.String |
POLICY_MAPPINGS |
protected static java.lang.String |
SUBJECT_ALTERNATIVE_NAME |
Constructor and Description |
---|
CertPathValidatorUtilities() |
Modifier and Type | Method and Description |
---|---|
(package private) static void |
checkCRLsNotEmpty(java.util.Set crls,
java.lang.Object cert) |
protected static java.util.Collection |
findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect,
java.util.List certStores)
Return a Collection of all certificates or attribute certificates found
in the X509Stores that match the certSelect criteria.
|
(package private) static java.util.Collection |
findIssuerCerts(java.security.cert.X509Certificate cert,
java.util.List<java.security.cert.CertStore> certStores,
java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores)
Find the issuer certificates of a given certificate.
|
protected static java.security.cert.TrustAnchor |
findTrustAnchor(java.security.cert.X509Certificate cert,
java.util.Set trustAnchors)
Search the given Set of TrustAnchor's for one that is the
issuer of the given X509 certificate.
|
protected static java.security.cert.TrustAnchor |
findTrustAnchor(java.security.cert.X509Certificate cert,
java.util.Set trustAnchors,
java.lang.String sigProvider)
Search the given Set of TrustAnchor's for one that is the
issuer of the given X509 certificate.
|
(package private) static java.util.List<org.bouncycastle.jcajce.PKIXCertStore> |
getAdditionalStoresFromAltNames(byte[] issuerAlternativeName,
java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap) |
(package private) static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> |
getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp,
java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap) |
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier |
getAlgorithmIdentifier(java.security.PublicKey key) |
protected static void |
getCertStatus(java.util.Date validDate,
java.security.cert.X509CRL crl,
java.lang.Object cert,
CertStatus certStatus) |
protected static java.util.Set |
getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp,
java.lang.Object cert,
java.util.Date currentDate,
org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
Fetches complete CRLs according to RFC 3280.
|
protected static void |
getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp,
java.util.Collection issuerPrincipals,
java.security.cert.X509CRLSelector selector)
Add the CRL issuers to the issuer criterion of the selector, taking them
from the cRLIssuer field of the distribution point or, if that field is not
given, from the certificate. |
protected static java.util.Set |
getDeltaCRLs(java.util.Date validityDate,
java.security.cert.X509CRL completeCRL,
java.util.List<java.security.cert.CertStore> certStores,
java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores)
Fetches delta CRLs according to RFC 3280 section 5.2.4.
|
protected static org.bouncycastle.asn1.ASN1Primitive |
getExtensionValue(java.security.cert.X509Extension ext,
java.lang.String oid)
Extract the value of the given extension, if it exists.
|
protected static java.security.PublicKey |
getNextWorkingKey(java.util.List certs,
int index,
org.bouncycastle.jcajce.util.JcaJceHelper helper)
Return the next working key inheriting DSA parameters if necessary.
|
private static org.bouncycastle.asn1.ASN1Primitive |
getObject(java.lang.String oid,
byte[] ext) |
protected static java.util.Set |
getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) |
private static java.math.BigInteger |
getSerialNumber(java.lang.Object cert) |
protected static java.util.Date |
getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX,
java.security.cert.CertPath certPath,
int index) |
protected static java.util.Date |
getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) |
protected static boolean |
isAnyPolicy(java.util.Set policySet) |
private static boolean |
isDeltaCRL(java.security.cert.X509CRL crl) |
protected static boolean |
isSelfIssued(java.security.cert.X509Certificate cert) |
protected static void |
prepareNextCertB1(int i,
java.util.List[] policyNodes,
java.lang.String id_p,
java.util.Map m_idp,
java.security.cert.X509Certificate cert) |
protected static PKIXPolicyNode |
prepareNextCertB2(int i,
java.util.List[] policyNodes,
java.lang.String id_p,
PKIXPolicyNode validPolicyTree) |
protected static boolean |
processCertD1i(int index,
java.util.List[] policyNodes,
org.bouncycastle.asn1.ASN1ObjectIdentifier pOid,
java.util.Set pq) |
protected static void |
processCertD1ii(int index,
java.util.List[] policyNodes,
org.bouncycastle.asn1.ASN1ObjectIdentifier _poid,
java.util.Set _pq) |
protected static PKIXPolicyNode |
removePolicyNode(PKIXPolicyNode validPolicyTree,
java.util.List[] policyNodes,
PKIXPolicyNode _node) |
private static void |
removePolicyNodeRecurse(java.util.List[] policyNodes,
PKIXPolicyNode _node) |
protected static void |
verifyX509Certificate(java.security.cert.X509Certificate cert,
java.security.PublicKey publicKey,
java.lang.String sigProvider) |
protected static final PKIXCRLUtil CRL_UTIL
protected static final java.lang.String CERTIFICATE_POLICIES
protected static final java.lang.String BASIC_CONSTRAINTS
protected static final java.lang.String POLICY_MAPPINGS
protected static final java.lang.String SUBJECT_ALTERNATIVE_NAME
protected static final java.lang.String NAME_CONSTRAINTS
protected static final java.lang.String KEY_USAGE
protected static final java.lang.String INHIBIT_ANY_POLICY
protected static final java.lang.String ISSUING_DISTRIBUTION_POINT
protected static final java.lang.String DELTA_CRL_INDICATOR
protected static final java.lang.String POLICY_CONSTRAINTS
protected static final java.lang.String FRESHEST_CRL
protected static final java.lang.String CRL_DISTRIBUTION_POINTS
protected static final java.lang.String AUTHORITY_KEY_IDENTIFIER
protected static final java.lang.String ANY_POLICY
protected static final java.lang.String CRL_NUMBER
protected static final int KEY_CERT_SIGN
protected static final int CRL_SIGN
protected static final java.lang.String[] crlReasons
protected static java.security.cert.TrustAnchor findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
cert - the X509 certificate
trustAnchors - a Set of TrustAnchor's
Returns:
TrustAnchor object if found or null if not.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
protected static java.security.cert.TrustAnchor findTrustAnchor(java.security.cert.X509Certificate cert, java.util.Set trustAnchors, java.lang.String sigProvider) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
cert - the X509 certificate
trustAnchors - a Set of TrustAnchor's
sigProvider - the provider to use for signature verification
Returns:
TrustAnchor object if found or null if not.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if a TrustAnchor was found but the signature verification on the given certificate has thrown an exception.
static java.util.List<org.bouncycastle.jcajce.PKIXCertStore> getAdditionalStoresFromAltNames(byte[] issuerAlternativeName, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCertStore> altNameCertStoreMap) throws java.security.cert.CertificateParsingException
java.security.cert.CertificateParsingException
protected static java.util.Date getValidDate(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX)
protected static boolean isSelfIssued(java.security.cert.X509Certificate cert)
protected static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(java.security.cert.X509Extension ext, java.lang.String oid) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
ext - The extension object.
oid - The object identifier to obtain.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if the extension cannot be read.
private static org.bouncycastle.asn1.ASN1Primitive getObject(java.lang.String oid, byte[] ext) throws org.bouncycastle.jce.provider.AnnotatedException
org.bouncycastle.jce.provider.AnnotatedException
protected static org.bouncycastle.asn1.x509.AlgorithmIdentifier getAlgorithmIdentifier(java.security.PublicKey key) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
protected static final java.util.Set getQualifierSet(org.bouncycastle.asn1.ASN1Sequence qualifiers) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
protected static PKIXPolicyNode removePolicyNode(PKIXPolicyNode validPolicyTree, java.util.List[] policyNodes, PKIXPolicyNode _node)
private static void removePolicyNodeRecurse(java.util.List[] policyNodes, PKIXPolicyNode _node)
protected static boolean processCertD1i(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier pOid, java.util.Set pq)
protected static void processCertD1ii(int index, java.util.List[] policyNodes, org.bouncycastle.asn1.ASN1ObjectIdentifier _poid, java.util.Set _pq)
protected static void prepareNextCertB1(int i, java.util.List[] policyNodes, java.lang.String id_p, java.util.Map m_idp, java.security.cert.X509Certificate cert) throws org.bouncycastle.jce.provider.AnnotatedException, java.security.cert.CertPathValidatorException
org.bouncycastle.jce.provider.AnnotatedException
java.security.cert.CertPathValidatorException
protected static PKIXPolicyNode prepareNextCertB2(int i, java.util.List[] policyNodes, java.lang.String id_p, PKIXPolicyNode validPolicyTree)
protected static boolean isAnyPolicy(java.util.Set policySet)
protected static java.util.Collection findCertificates(org.bouncycastle.jcajce.PKIXCertStoreSelector certSelect, java.util.List certStores) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
certSelect - a Selector object that will be used to select the certificates
certStores - a List containing only Store objects. These are used to search for certificates.
Returns:
a Collection of X509Certificate; may be empty but never null.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - annotated exception
static java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> getAdditionalStoresFromCRLDistributionPoint(org.bouncycastle.asn1.x509.CRLDistPoint crldp, java.util.Map<org.bouncycastle.asn1.x509.GeneralName,org.bouncycastle.jcajce.PKIXCRLStore> namedCRLStoreMap) throws org.bouncycastle.jce.provider.AnnotatedException
org.bouncycastle.jce.provider.AnnotatedException
protected static void getCRLIssuersFromDistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint dp, java.util.Collection issuerPrincipals, java.security.cert.X509CRLSelector selector) throws org.bouncycastle.jce.provider.AnnotatedException
Add the CRL issuers to the issuer criterion of the selector, taking them from the cRLIssuer field of the distribution point or, if that field is not given, from the certificate.
The issuerPrincipals are a collection with a single X500Name for X509Certificates.
Parameters:
dp - The distribution point.
issuerPrincipals - The issuers of the certificate or attribute certificate which contains the distribution point.
selector - The CRL selector.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while processing.
java.lang.ClassCastException - if issuerPrincipals does not contain only X500Names.
private static java.math.BigInteger getSerialNumber(java.lang.Object cert)
protected static void getCertStatus(java.util.Date validDate, java.security.cert.X509CRL crl, java.lang.Object cert, CertStatus certStatus) throws org.bouncycastle.jce.provider.AnnotatedException
org.bouncycastle.jce.provider.AnnotatedException
protected static java.util.Set getDeltaCRLs(java.util.Date validityDate, java.security.cert.X509CRL completeCRL, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCRLStore> pkixCrlStores) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
validityDate - The date for which the delta CRLs must be valid.
completeCRL - The complete CRL the delta CRL is for.
certStores - a List of certificate stores
pkixCrlStores - a List of CRL stores
Returns:
Set of X509CRLs with delta CRLs.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the delta CRLs.
private static boolean isDeltaCRL(java.security.cert.X509CRL crl)
protected static java.util.Set getCompleteCRLs(org.bouncycastle.asn1.x509.DistributionPoint dp, java.lang.Object cert, java.util.Date currentDate, org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
dp - The distribution point for which the complete CRL
cert - The X509Certificate for which the CRL should be searched.
currentDate - The date for which the delta CRLs must be valid.
paramsPKIX - The extended PKIX parameters.
Returns:
Set of X509CRLs with complete CRLs.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if an exception occurs while picking the CRLs or no CRLs are found.
protected static java.util.Date getValidCertDateFromValidityModel(org.bouncycastle.jcajce.PKIXExtendedParameters paramsPKIX, java.security.cert.CertPath certPath, int index) throws org.bouncycastle.jce.provider.AnnotatedException
org.bouncycastle.jce.provider.AnnotatedException
protected static java.security.PublicKey getNextWorkingKey(java.util.List certs, int index, org.bouncycastle.jcajce.util.JcaJceHelper helper) throws java.security.cert.CertPathValidatorException
This method inherits DSA parameters from the indexed certificate or previous certificates in the certificate chain to the returned PublicKey. The list is searched upwards, meaning the end certificate is at position 0 and previous certificates are following.
If the indexed certificate does not contain a DSA key this method simply returns the public key. If the DSA key already contains DSA parameters the key is also simply returned.
Parameters:
certs - The certification path.
index - The index of the certificate which contains the public key which should be extended with DSA parameters.
helper - JcaJce helper
Returns:
the public key of the certificate at index, extended with DSA parameters if applicable.
Throws:
java.security.cert.CertPathValidatorException - if DSA parameters cannot be inherited.
static java.util.Collection findIssuerCerts(java.security.cert.X509Certificate cert, java.util.List<java.security.cert.CertStore> certStores, java.util.List<org.bouncycastle.jcajce.PKIXCertStore> pkixCertStores) throws org.bouncycastle.jce.provider.AnnotatedException
Parameters:
cert - The certificate for which an issuer should be found.
Returns:
Collection object containing the issuer X509Certificates. Never null.
Throws:
org.bouncycastle.jce.provider.AnnotatedException - if an error occurs.
protected static void verifyX509Certificate(java.security.cert.X509Certificate cert, java.security.PublicKey publicKey, java.lang.String sigProvider) throws java.security.GeneralSecurityException
java.security.GeneralSecurityException
static void checkCRLsNotEmpty(java.util.Set crls, java.lang.Object cert) throws org.bouncycastle.jce.provider.AnnotatedException
org.bouncycastle.jce.provider.AnnotatedException