/** * Fetches delta CRLs according to RFC 3280 section 5.2.4. * * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @param completeCRL The complete CRL the delta CRL is for. * @return A <code>Set</code> of <code>X509CRL</code>s with delta CRLs. * @throws AnnotatedException if an exception occurs while picking the delta CRLs. */ protected static Set getDeltaCRLs( Date currentDate, ExtendedPKIXParameters paramsPKIX, X509CRL completeCRL) throws AnnotatedException { X509CRLStoreSelector deltaSelect = new X509CRLStoreSelector(); // 5.2.4 (a) try { deltaSelect.addIssuerName( CertPathValidatorUtilities.getIssuerPrincipal(completeCRL).getEncoded()); } catch (IOException e) { throw new AnnotatedException("Cannot extract issuer from CRL.", e); } BigInteger completeCRLNumber = null; try { ASN1Primitive derObject = CertPathValidatorUtilities.getExtensionValue(completeCRL, CRL_NUMBER); if (derObject != null) { completeCRLNumber = ASN1Integer.getInstance(derObject).getPositiveValue(); } } catch (Exception e) { throw new AnnotatedException("CRL number extension could not be extracted from CRL.", e); } // 5.2.4 (b) byte[] idp = null; try { idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT); } catch (Exception e) { throw new AnnotatedException( "Issuing distribution point extension value could not be read.", e); } // 5.2.4 (d) deltaSelect.setMinCRLNumber( completeCRLNumber == null ? null : completeCRLNumber.add(BigInteger.valueOf(1))); deltaSelect.setIssuingDistributionPoint(idp); deltaSelect.setIssuingDistributionPointEnabled(true); // 5.2.4 (c) deltaSelect.setMaxBaseCRLNumber(completeCRLNumber); // find delta CRLs Set temp = CRL_UTIL.findCRLs(deltaSelect, paramsPKIX, currentDate); Set result = new HashSet(); for (Iterator it = temp.iterator(); it.hasNext(); ) { X509CRL crl = (X509CRL) it.next(); if (isDeltaCRL(crl)) { result.add(crl); } } return result; }
/** * Fetches complete CRLs according to RFC 3280. * * @param dp The distribution point for which the complete CRL * @param cert The <code>X509Certificate</code> or {@link * org.bouncycastle.x509.X509AttributeCertificate} for which the CRL should be searched. * @param currentDate The date for which the delta CRLs must be valid. * @param paramsPKIX The extended PKIX parameters. * @return A <code>Set</code> of <code>X509CRL</code>s with complete CRLs. * @throws AnnotatedException if an exception occurs while picking the CRLs or no CRLs are found. */ protected static Set getCompleteCRLs( DistributionPoint dp, Object cert, Date currentDate, ExtendedPKIXParameters paramsPKIX) throws AnnotatedException { X509CRLStoreSelector crlselect = new X509CRLStoreSelector(); try { Set issuers = new HashSet(); if (cert instanceof X509AttributeCertificate) { issuers.add(((X509AttributeCertificate) cert).getIssuer().getPrincipals()[0]); } else { issuers.add(getEncodedIssuerPrincipal(cert)); } CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint( dp, issuers, crlselect, paramsPKIX); } catch (AnnotatedException e) { throw new AnnotatedException("Could not get issuer information from distribution point.", e); } if (cert instanceof X509Certificate) { crlselect.setCertificateChecking((X509Certificate) cert); } else if (cert instanceof X509AttributeCertificate) { crlselect.setAttrCertificateChecking((X509AttributeCertificate) cert); } crlselect.setCompleteCRLEnabled(true); Set crls = CRL_UTIL.findCRLs(crlselect, paramsPKIX, currentDate); if (crls.isEmpty()) { if (cert instanceof X509AttributeCertificate) { X509AttributeCertificate aCert = (X509AttributeCertificate) cert; throw new AnnotatedException( "No CRLs found for issuer \"" + aCert.getIssuer().getPrincipals()[0] + "\""); } else { X509Certificate xCert = (X509Certificate) cert; throw new AnnotatedException( "No CRLs found for issuer \"" + xCert.getIssuerX500Principal() + "\""); } } return crls; }