001/* X509CRL.java --- X.509 Certificate Revocation List 002 Copyright (C) 1999, 2004 Free Software Foundation, Inc. 003 004This file is part of GNU Classpath. 005 006GNU Classpath is free software; you can redistribute it and/or modify 007it under the terms of the GNU General Public License as published by 008the Free Software Foundation; either version 2, or (at your option) 009any later version. 010 011GNU Classpath is distributed in the hope that it will be useful, but 012WITHOUT ANY WARRANTY; without even the implied warranty of 013MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 014General Public License for more details. 015 016You should have received a copy of the GNU General Public License 017along with GNU Classpath; see the file COPYING. If not, write to the 018Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 01902110-1301 USA. 020 021Linking this library statically or dynamically with other modules is 022making a combined work based on this library. Thus, the terms and 023conditions of the GNU General Public License cover the whole 024combination. 025 026As a special exception, the copyright holders of this library give you 027permission to link this library with independent modules to produce an 028executable, regardless of the license terms of these independent 029modules, and to copy and distribute the resulting executable under 030terms of your choice, provided that you also meet, for each linked 031independent module, the terms and conditions of the license of that 032module. An independent module is a module which is not derived from 033or based on this library. If you modify this library, you may extend 034this exception to your version of the library, but you are not 035obligated to do so. If you do not wish to do so, delete this 036exception statement from your version. */ 037 038 039package java.security.cert; 040 041import java.math.BigInteger; 042import java.security.InvalidKeyException; 043import java.security.NoSuchAlgorithmException; 044import java.security.NoSuchProviderException; 045import java.security.Principal; 046import java.security.PublicKey; 047import java.security.SignatureException; 048import java.util.Date; 049import java.util.Set; 050 051import javax.security.auth.x500.X500Principal; 052 053/** 054 The X509CRL class is the abstract class used to manage 055 X.509 Certificate Revocation Lists. The CRL is a list of 056 time stamped entries which indicate which lists have been 057 revoked. The list is signed by a Certificate Authority (CA) 058 and made publically available in a repository. 059 060 Each revoked certificate in the CRL is identified by its 061 certificate serial number. When a piece of code uses a 062 certificate, the certificates validity is checked by 063 validating its signature and determing that it is not 064 only a recently acquired CRL. The recently aquired CRL 065 is depends on the local policy in affect. The CA issues 066 a new CRL periodically and entries are removed as the 067 certificate expiration date is reached 068 069 070 A description of the X.509 v2 CRL follows below from rfc2459. 071 072 "The X.509 v2 CRL syntax is as follows. For signature calculation, 073 the data that is to be signed is ASN.1 DER encoded. ASN.1 DER 074 encoding is a tag, length, value encoding system for each element. 075 076 CertificateList ::= SEQUENCE { 077 tbsCertList TBSCertList, 078 signatureAlgorithm AlgorithmIdentifier, 079 signatureValue BIT STRING } 080 081 TBSCertList ::= SEQUENCE { 082 version Version OPTIONAL, 083 -- if present, shall be v2 084 signature AlgorithmIdentifier, 085 issuer Name, 086 thisUpdate Time, 087 nextUpdate Time OPTIONAL, 088 revokedCertificates SEQUENCE OF SEQUENCE { 089 userCertificate CertificateSerialNumber, 090 revocationDate Time, 091 crlEntryExtensions Extensions OPTIONAL 092 -- if present, shall be v2 093 } OPTIONAL, 094 crlExtensions [0] EXPLICIT Extensions OPTIONAL 095 -- if present, shall be v2 096 }" 097 098 @author Mark Benvenuto 099 100 @since 1.2 101*/ 102public abstract class X509CRL extends CRL implements X509Extension 103{ 104 105 /** 106 Constructs a new X509CRL. 107 */ 108 protected X509CRL() 109 { 110 super("X.509"); 111 } 112 113 /** 114 Compares this X509CRL to other. It checks if the 115 object if instanceOf X509CRL and then checks if 116 the encoded form matches. 117 118 @param other An Object to test for equality 119 120 @return true if equal, false otherwise 121 */ 122 public boolean equals(Object other) 123 { 124 if( other instanceof X509CRL ) { 125 try { 126 X509CRL x = (X509CRL) other; 127 if( getEncoded().length != x.getEncoded().length ) 128 return false; 129 130 byte[] b1 = getEncoded(); 131 byte[] b2 = x.getEncoded(); 132 133 for( int i = 0; i < b1.length; i++ ) 134 if( b1[i] != b2[i] ) 135 return false; 136 137 } catch( CRLException crle ) { 138 return false; 139 } 140 return true; 141 } 142 return false; 143 } 144 145 /** 146 Returns a hash code for this X509CRL in its encoded 147 form. 148 149 @return A hash code of this class 150 */ 151 public int hashCode() 152 { 153 return super.hashCode(); 154 } 155 156 /** 157 Gets the DER ASN.1 encoded format for this X.509 CRL. 158 159 @return byte array containg encoded form 160 161 @throws CRLException if an error occurs 162 */ 163 public abstract byte[] getEncoded() throws CRLException; 164 165 /** 166 Verifies that this CRL was properly signed with the 167 PublicKey that corresponds to its private key. 168 169 @param key PublicKey to verify with 170 171 @throws CRLException encoding error 172 @throws NoSuchAlgorithmException unsupported algorithm 173 @throws InvalidKeyException incorrect key 174 @throws NoSuchProviderException no provider 175 @throws SignatureException signature error 176 */ 177 public abstract void verify(PublicKey key) 178 throws CRLException, 179 NoSuchAlgorithmException, 180 InvalidKeyException, 181 NoSuchProviderException, 182 SignatureException; 183 184 /** 185 Verifies that this CRL was properly signed with the 186 PublicKey that corresponds to its private key and uses 187 the signature engine provided by the provider. 188 189 @param key PublicKey to verify with 190 @param sigProvider Provider to use for signature algorithm 191 192 @throws CRLException encoding error 193 @throws NoSuchAlgorithmException unsupported algorithm 194 @throws InvalidKeyException incorrect key 195 @throws NoSuchProviderException incorrect provider 196 @throws SignatureException signature error 197 */ 198 public abstract void verify(PublicKey key, 199 String sigProvider) 200 throws CRLException, 201 NoSuchAlgorithmException, 202 InvalidKeyException, 203 NoSuchProviderException, 204 SignatureException; 205 206 /** 207 Gets the version of this CRL. 208 209 The ASN.1 encoding is: 210 211 version Version OPTIONAL, 212 -- if present, shall be v2 213 214 Version ::= INTEGER { v1(0), v2(1), v3(2) } 215 216 Consult rfc2459 for more information. 217 218 @return the version number, Ex: 1 or 2 219 */ 220 public abstract int getVersion(); 221 222 /** 223 Returns the issuer (issuer distinguished name) of the CRL. 224 The issuer is the entity who signed and issued the 225 Certificate Revocation List. 226 227 The ASN.1 DER encoding is: 228 229 issuer Name, 230 231 Name ::= CHOICE { 232 RDNSequence } 233 234 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 235 236 RelativeDistinguishedName ::= 237 SET OF AttributeTypeAndValue 238 239 AttributeTypeAndValue ::= SEQUENCE { 240 type AttributeType, 241 value AttributeValue } 242 243 AttributeType ::= OBJECT IDENTIFIER 244 245 AttributeValue ::= ANY DEFINED BY AttributeType 246 247 DirectoryString ::= CHOICE { 248 teletexString TeletexString (SIZE (1..MAX)), 249 printableString PrintableString (SIZE (1..MAX)), 250 universalString UniversalString (SIZE (1..MAX)), 251 utf8String UTF8String (SIZE (1.. MAX)), 252 bmpString BMPString (SIZE (1..MAX)) } 253 254 Consult rfc2459 for more information. 255 256 @return the issuer in the Principal class 257 */ 258 public abstract Principal getIssuerDN(); 259 260 /** 261 Returns the thisUpdate date of the CRL. 262 263 The ASN.1 DER encoding is: 264 265 thisUpdate Time, 266 267 Time ::= CHOICE { 268 utcTime UTCTime, 269 generalTime GeneralizedTime } 270 271 Consult rfc2459 for more information. 272 273 @return the thisUpdate date 274 */ 275 public abstract Date getThisUpdate(); 276 277 /* 278 Gets the nextUpdate field 279 280 The ASN.1 DER encoding is: 281 282 nextUpdate Time OPTIONAL, 283 284 Time ::= CHOICE { 285 utcTime UTCTime, 286 generalTime GeneralizedTime } 287 288 Consult rfc2459 for more information. 289 290 @return the nextUpdate date 291 */ 292 public abstract Date getNextUpdate(); 293 294 /** 295 Gets the requeste dX509Entry for the specified 296 certificate serial number. 297 298 @return a X509CRLEntry representing the X.509 CRL entry 299 */ 300 public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber); 301 302 /** 303 Returns a Set of revoked certificates. 304 305 @return a set of revoked certificates. 306 */ 307 public abstract Set<? extends X509CRLEntry> getRevokedCertificates(); 308 309 /** 310 Returns the DER ASN.1 encoded tbsCertList which is 311 the basic information of the list and associated certificates 312 in the encoded state. See top for more information. 313 314 The ASN.1 DER encoding is: 315 316 tbsCertList TBSCertList, 317 318 Consult rfc2459 for more information. 319 320 @return byte array representing tbsCertList 321 */ 322 public abstract byte[] getTBSCertList() throws CRLException; 323 324 325 /** 326 Returns the signature for the CRL. 327 328 The ASN.1 DER encoding is: 329 330 signatureValue BIT STRING 331 332 Consult rfc2459 for more information. 333 */ 334 public abstract byte[] getSignature(); 335 336 /** 337 Returns the signature algorithm used to sign the CRL. 338 An examples is "SHA-1/DSA". 339 340 The ASN.1 DER encoding is: 341 342 signatureAlgorithm AlgorithmIdentifier, 343 344 AlgorithmIdentifier ::= SEQUENCE { 345 algorithm OBJECT IDENTIFIER, 346 parameters ANY DEFINED BY algorithm OPTIONAL } 347 348 Consult rfc2459 for more information. 349 350 The algorithm name is determined from the OID. 351 352 @return a string with the signature algorithm name 353 */ 354 public abstract String getSigAlgName(); 355 356 /** 357 Returns the OID for the signature algorithm used. 358 Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\ 359 360 The ASN.1 DER encoding for the example is: 361 362 id-dsa-with-sha1 ID ::= { 363 iso(1) member-body(2) us(840) x9-57 (10040) 364 x9cm(4) 3 } 365 366 Consult rfc2459 for more information. 367 368 @return a string containing the OID. 369 */ 370 public abstract String getSigAlgOID(); 371 372 /** 373 Returns the AlgorithmParameters in the encoded form 374 for the signature algorithm used. 375 376 If access to the parameters is need, create an 377 instance of AlgorithmParameters. 378 379 @return byte array containing algorithm parameters, null 380 if no parameters are present in CRL 381 */ 382 public abstract byte[] getSigAlgParams(); 383 384 // 1.4 instance methods. 385 // ------------------------------------------------------------------------ 386 387 /** 388 * Returns the X.500 distinguished name of this CRL's issuer. 389 * 390 * @return The issuer's X.500 distinguished name. 391 * @since JDK 1.4 392 */ 393 public X500Principal getIssuerX500Principal() 394 { 395 throw new UnsupportedOperationException(); 396 } 397}