class RFC3281CertPathUtilities { private static final String TARGET_INFORMATION = X509Extensions.TargetInformation.getId(); private static final String NO_REV_AVAIL = X509Extensions.NoRevAvail.getId(); private static final String CRL_DISTRIBUTION_POINTS = X509Extensions.CRLDistributionPoints.getId(); private static final String AUTHORITY_INFO_ACCESS = X509Extensions.AuthorityInfoAccess.getId(); protected static void processAttrCert7( X509AttributeCertificate attrCert, CertPath certPath, CertPath holderCertPath, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { // TODO: // AA Controls // Attribute encryption // Proxy Set set = attrCert.getCriticalExtensionOIDs(); // 7.1 // process extensions // target information checked in step 6 / X509AttributeCertStoreSelector if (set.contains(TARGET_INFORMATION)) { try { TargetInformation.getInstance( CertPathValidatorUtilities.getExtensionValue(attrCert, TARGET_INFORMATION)); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Target information extension could not be read.", e); } catch (IllegalArgumentException e) { throw new ExtCertPathValidatorException( "Target information extension could not be read.", e); } } set.remove(TARGET_INFORMATION); for (Iterator it = pkixParams.getAttrCertCheckers().iterator(); it.hasNext(); ) { ((PKIXAttrCertChecker) it.next()).check(attrCert, certPath, holderCertPath, set); } if (!set.isEmpty()) { throw new CertPathValidatorException( "Attribute certificate contains unsupported critical extensions: " + set); } } /** * Checks if an attribute certificate is revoked. * * @param attrCert Attribute certificate to check if it is revoked. * @param paramsPKIX PKIX parameters. * @param issuerCert The issuer certificate of the attribute certificate <code>attrCert</code>. * @param validDate The date when the certificate revocation status should be checked. * @param certPathCerts The certificates of the certification path to be checked. * @throws CertPathValidatorException if the certificate is revoked or the status cannot be * checked or some error occurs. */ protected static void checkCRLs( X509AttributeCertificate attrCert, ExtendedPKIXParameters paramsPKIX, X509Certificate issuerCert, Date validDate, List certPathCerts) throws CertPathValidatorException { if (paramsPKIX.isRevocationEnabled()) { // check if revocation is available if (attrCert.getExtensionValue(NO_REV_AVAIL) == null) { CRLDistPoint crldp = null; try { crldp = CRLDistPoint.getInstance( CertPathValidatorUtilities.getExtensionValue(attrCert, CRL_DISTRIBUTION_POINTS)); } catch (AnnotatedException e) { throw new CertPathValidatorException( "CRL distribution point extension could not be read.", e); } try { CertPathValidatorUtilities.addAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX); } catch (AnnotatedException e) { throw new CertPathValidatorException( "No additional CRL locations could be decoded from CRL distribution point extension.", e); } CertStatus certStatus = new CertStatus(); ReasonsMask reasonsMask = new ReasonsMask(); AnnotatedException lastException = null; boolean validCrlFound = false; // for each distribution point if (crldp != null) { DistributionPoint dps[] = null; try { dps = crldp.getDistributionPoints(); } catch (Exception e) { throw new ExtCertPathValidatorException("Distribution points could not be read.", e); } try { for (int i = 0; i < dps.length && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons(); i++) { ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone(); checkCRL( dps[i], attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } } catch (AnnotatedException e) { lastException = new AnnotatedException("No valid CRL for distribution point found.", e); } } /* * If the revocation status has not been determined, repeat the * process above with any available CRLs not specified in a * distribution point but issued by the certificate issuer. */ if (certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonsMask.isAllReasons()) { try { /* * assume a DP with both the reasons and the cRLIssuer * fields omitted and a distribution point name of the * certificate issuer. */ DERObject issuer = null; try { issuer = new ASN1InputStream( ((X500Principal) attrCert.getIssuer().getPrincipals()[0]).getEncoded()) .readObject(); } catch (Exception e) { throw new AnnotatedException( "Issuer from certificate for CRL could not be reencoded.", e); } DistributionPoint dp = new DistributionPoint( new DistributionPointName( 0, new GeneralNames(new GeneralName(GeneralName.directoryName, issuer))), null, null); ExtendedPKIXParameters paramsPKIXClone = (ExtendedPKIXParameters) paramsPKIX.clone(); checkCRL( dp, attrCert, paramsPKIXClone, validDate, issuerCert, certStatus, reasonsMask, certPathCerts); validCrlFound = true; } catch (AnnotatedException e) { lastException = new AnnotatedException("No valid CRL for distribution point found.", e); } } if (!validCrlFound) { throw new ExtCertPathValidatorException("No valid CRL found.", lastException); } if (certStatus.getCertStatus() != CertStatus.UNREVOKED) { String message = "Attribute certificate revocation after " + certStatus.getRevocationDate(); message += ", reason: " + RFC3280CertPathUtilities.crlReasons[certStatus.getCertStatus()]; throw new CertPathValidatorException(message); } if (!reasonsMask.isAllReasons() && certStatus.getCertStatus() == CertStatus.UNREVOKED) { certStatus.setCertStatus(CertStatus.UNDETERMINED); } if (certStatus.getCertStatus() == CertStatus.UNDETERMINED) { throw new CertPathValidatorException( "Attribute certificate status could not be determined."); } } else { if (attrCert.getExtensionValue(CRL_DISTRIBUTION_POINTS) != null || attrCert.getExtensionValue(AUTHORITY_INFO_ACCESS) != null) { throw new CertPathValidatorException( "No rev avail extension is set, but also an AC revocation pointer."); } } } } protected static void additionalChecks( X509AttributeCertificate attrCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { // 1 for (Iterator it = pkixParams.getProhibitedACAttributes().iterator(); it.hasNext(); ) { String oid = (String) it.next(); if (attrCert.getAttributes(oid) != null) { throw new CertPathValidatorException( "Attribute certificate contains prohibited attribute: " + oid + "."); } } for (Iterator it = pkixParams.getNecessaryACAttributes().iterator(); it.hasNext(); ) { String oid = (String) it.next(); if (attrCert.getAttributes(oid) == null) { throw new CertPathValidatorException( "Attribute certificate does not contain necessary attribute: " + oid + "."); } } } protected static void processAttrCert5( X509AttributeCertificate attrCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { try { attrCert.checkValidity(CertPathValidatorUtilities.getValidDate(pkixParams)); } catch (CertificateExpiredException e) { throw new ExtCertPathValidatorException("Attribute certificate is not valid.", e); } catch (CertificateNotYetValidException e) { throw new ExtCertPathValidatorException("Attribute certificate is not valid.", e); } } protected static void processAttrCert4( X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { Set set = pkixParams.getTrustedACIssuers(); boolean trusted = false; for (Iterator it = set.iterator(); it.hasNext(); ) { TrustAnchor anchor = (TrustAnchor) it.next(); if (acIssuerCert.getSubjectX500Principal().getName("RFC2253").equals(anchor.getCAName()) || acIssuerCert.equals(anchor.getTrustedCert())) { trusted = true; } } if (!trusted) { throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted."); } } protected static void processAttrCert3( X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { if (acIssuerCert.getKeyUsage() != null && (!acIssuerCert.getKeyUsage()[0] && !acIssuerCert.getKeyUsage()[1])) { throw new CertPathValidatorException( "Attribute certificate issuer public key cannot be used to validate digital signatures."); } if (acIssuerCert.getBasicConstraints() != -1) { throw new CertPathValidatorException( "Attribute certificate issuer is also a public key certificate issuer."); } } protected static CertPathValidatorResult processAttrCert2( CertPath certPath, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { CertPathValidator validator = null; try { validator = CertPathValidator.getInstance("PKIX", "BC"); } catch (NoSuchProviderException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } catch (NoSuchAlgorithmException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } try { return validator.validate(certPath, pkixParams); } catch (CertPathValidatorException e) { throw new ExtCertPathValidatorException( "Certification path for issuer certificate of attribute certificate could not be validated.", e); } catch (InvalidAlgorithmParameterException e) { // must be a programming error throw new RuntimeException(e.getMessage()); } } /** * Searches for a holder public key certificate and verifies its certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws AnnotatedException if * <ul> * <li>no public key certificate can be found although holder information is given by an * entity name or a base certificate ID * <li>support classes cannot be created * <li>no certification path for the public key certificate can be built * </ul> */ protected static CertPath processAttrCert1( X509AttributeCertificate attrCert, ExtendedPKIXParameters pkixParams) throws CertPathValidatorException { CertPathBuilderResult result = null; // find holder PKCs Set holderPKCs = new HashSet(); if (attrCert.getHolder().getIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.setSerialNumber(attrCert.getHolder().getSerialNumber()); Principal[] principals = attrCert.getHolder().getIssuer(); for (int i = 0; i < principals.length; i++) { try { if (principals[i] instanceof X500Principal) { selector.setIssuer(((X500Principal) principals[i]).getEncoded()); } holderPKCs.addAll( CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } catch (IOException e) { throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e); } } if (holderPKCs.isEmpty()) { throw new CertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.getHolder().getEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); Principal[] principals = attrCert.getHolder().getEntityNames(); for (int i = 0; i < principals.length; i++) { try { if (principals[i] instanceof X500Principal) { selector.setIssuer(((X500Principal) principals[i]).getEncoded()); } holderPKCs.addAll( CertPathValidatorUtilities.findCertificates(selector, pkixParams.getStores())); } catch (AnnotatedException e) { throw new ExtCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } catch (IOException e) { throw new ExtCertPathValidatorException("Unable to encode X500 principal.", e); } } if (holderPKCs.isEmpty()) { throw new CertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs ExtendedPKIXBuilderParameters params = (ExtendedPKIXBuilderParameters) ExtendedPKIXBuilderParameters.getInstance(pkixParams); CertPathValidatorException lastException = null; for (Iterator it = holderPKCs.iterator(); it.hasNext(); ) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.setCertificate((X509Certificate) it.next()); params.setTargetConstraints(selector); CertPathBuilder builder = null; try { builder = CertPathBuilder.getInstance("PKIX", "BC"); } catch (NoSuchProviderException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } catch (NoSuchAlgorithmException e) { throw new ExtCertPathValidatorException("Support class could not be created.", e); } try { result = builder.build(ExtendedPKIXBuilderParameters.getInstance(params)); } catch (CertPathBuilderException e) { lastException = new ExtCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } catch (InvalidAlgorithmParameterException e) { // must be a programming error throw new RuntimeException(e.getMessage()); } } if (lastException != null) { throw lastException; } return result.getCertPath(); } /** * Checks a distribution point for revocation information for the certificate <code>attrCert * </code>. * * @param dp The distribution point to consider. * @param attrCert The attribute certificate which should be checked. * @param paramsPKIX PKIX parameters. * @param validDate The date when the certificate revocation status should be checked. * @param issuerCert Certificate to check if it is revoked. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path to be checked. * @throws AnnotatedException if the certificate is revoked or the status cannot be checked or * some error occurs. */ private static void checkCRL( DistributionPoint dp, X509AttributeCertificate attrCert, ExtendedPKIXParameters paramsPKIX, Date validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException { /* * 4.3.6 No Revocation Available * * The noRevAvail extension, defined in [X.509-2000], allows an AC * issuer to indicate that no revocation information will be made * available for this AC. */ if (attrCert.getExtensionValue(X509Extensions.NoRevAvail.getId()) != null) { return; } Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new AnnotatedException("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPKIXParameters and are in * getAdditionalStore() */ Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, attrCert, currentDate, paramsPKIX); boolean validCrlFound = false; AnnotatedException lastException = null; Iterator crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set keys = RFC3280CertPathUtilities.processCRLF( crl, attrCert, null, null, paramsPKIX, certPathCerts); // (g) PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL vality time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (attrCert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new AnnotatedException("No valid CRL for current time found."); } } RFC3280CertPathUtilities.processCRLB1(dp, attrCert, crl); // (b) (2) RFC3280CertPathUtilities.processCRLB2(dp, attrCert, crl); // (c) RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); // (i) RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); validCrlFound = true; } catch (AnnotatedException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } } }
/** * Checks a distribution point for revocation information for the certificate <code>attrCert * </code>. * * @param dp The distribution point to consider. * @param attrCert The attribute certificate which should be checked. * @param paramsPKIX PKIX parameters. * @param validDate The date when the certificate revocation status should be checked. * @param issuerCert Certificate to check if it is revoked. * @param reasonMask The reasons mask which is already checked. * @param certPathCerts The certificates of the certification path to be checked. * @throws AnnotatedException if the certificate is revoked or the status cannot be checked or * some error occurs. */ private static void checkCRL( DistributionPoint dp, X509AttributeCertificate attrCert, ExtendedPKIXParameters paramsPKIX, Date validDate, X509Certificate issuerCert, CertStatus certStatus, ReasonsMask reasonMask, List certPathCerts) throws AnnotatedException { /* * 4.3.6 No Revocation Available * * The noRevAvail extension, defined in [X.509-2000], allows an AC * issuer to indicate that no revocation information will be made * available for this AC. */ if (attrCert.getExtensionValue(X509Extensions.NoRevAvail.getId()) != null) { return; } Date currentDate = new Date(System.currentTimeMillis()); if (validDate.getTime() > currentDate.getTime()) { throw new AnnotatedException("Validation time is in future."); } // (a) /* * We always get timely valid CRLs, so there is no step (a) (1). * "locally cached" CRLs are assumed to be in getStore(), additional * CRLs must be enabled in the ExtendedPKIXParameters and are in * getAdditionalStore() */ Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, attrCert, currentDate, paramsPKIX); boolean validCrlFound = false; AnnotatedException lastException = null; Iterator crl_iter = crls.iterator(); while (crl_iter.hasNext() && certStatus.getCertStatus() == CertStatus.UNREVOKED && !reasonMask.isAllReasons()) { try { X509CRL crl = (X509CRL) crl_iter.next(); // (d) ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp); // (e) /* * The reasons mask is updated at the end, so only valid CRLs * can update it. If this CRL does not contain new reasons it * must be ignored. */ if (!interimReasonsMask.hasNewReasons(reasonMask)) { continue; } // (f) Set keys = RFC3280CertPathUtilities.processCRLF( crl, attrCert, null, null, paramsPKIX, certPathCerts); // (g) PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys); X509CRL deltaCRL = null; if (paramsPKIX.isUseDeltasEnabled()) { // get delta CRLs Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl); // we only want one valid delta CRL // (h) deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key); } /* * CRL must be be valid at the current time, not the validation * time. If a certificate is revoked with reason keyCompromise, * cACompromise, it can be used for forgery, also for the past. * This reason may not be contained in older CRLs. */ /* * in the chain model signatures stay valid also after the * certificate has been expired, so they do not have to be in * the CRL vality time */ if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) { /* * if a certificate has expired, but was revoked, it is not * more in the CRL, so it would be regarded as valid if the * first check is not done */ if (attrCert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) { throw new AnnotatedException("No valid CRL for current time found."); } } RFC3280CertPathUtilities.processCRLB1(dp, attrCert, crl); // (b) (2) RFC3280CertPathUtilities.processCRLB2(dp, attrCert, crl); // (c) RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX); // (i) RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX); // (j) RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert, certStatus); // (k) if (certStatus.getCertStatus() == CRLReason.removeFromCRL) { certStatus.setCertStatus(CertStatus.UNREVOKED); } // update reasons mask reasonMask.addReasons(interimReasonsMask); validCrlFound = true; } catch (AnnotatedException e) { lastException = e; } } if (!validCrlFound) { throw lastException; } }