/**
   * Checks a distribution point for revocation information for the certificate <code>attrCert
   * </code>.
   *
   * @param dp The distribution point to consider.
   * @param attrCert The attribute certificate which should be checked.
   * @param paramsPKIX PKIX parameters.
   * @param validDate The date when the certificate revocation status should be checked.
   * @param issuerCert Certificate to check if it is revoked.
   * @param reasonMask The reasons mask which is already checked.
   * @param certPathCerts The certificates of the certification path to be checked.
   * @throws AnnotatedException if the certificate is revoked or the status cannot be checked or
   *     some error occurs.
   */
  private static void checkCRL(
      DistributionPoint dp,
      X509AttributeCertificate attrCert,
      ExtendedPKIXParameters paramsPKIX,
      Date validDate,
      X509Certificate issuerCert,
      CertStatus certStatus,
      ReasonsMask reasonMask,
      List certPathCerts)
      throws AnnotatedException {

    /*
     * 4.3.6 No Revocation Available
     *
     * The noRevAvail extension, defined in [X.509-2000], allows an AC
     * issuer to indicate that no revocation information will be made
     * available for this AC.
     */
    if (attrCert.getExtensionValue(X509Extensions.NoRevAvail.getId()) != null) {
      return;
    }
    Date currentDate = new Date(System.currentTimeMillis());
    if (validDate.getTime() > currentDate.getTime()) {
      throw new AnnotatedException("Validation time is in future.");
    }

    // (a)
    /*
     * We always get timely valid CRLs, so there is no step (a) (1).
     * "locally cached" CRLs are assumed to be in getStore(), additional
     * CRLs must be enabled in the ExtendedPKIXParameters and are in
     * getAdditionalStore()
     */

    Set crls = CertPathValidatorUtilities.getCompleteCRLs(dp, attrCert, currentDate, paramsPKIX);
    boolean validCrlFound = false;
    AnnotatedException lastException = null;
    Iterator crl_iter = crls.iterator();

    while (crl_iter.hasNext()
        && certStatus.getCertStatus() == CertStatus.UNREVOKED
        && !reasonMask.isAllReasons()) {
      try {
        X509CRL crl = (X509CRL) crl_iter.next();

        // (d)
        ReasonsMask interimReasonsMask = RFC3280CertPathUtilities.processCRLD(crl, dp);

        // (e)
        /*
         * The reasons mask is updated at the end, so only valid CRLs
         * can update it. If this CRL does not contain new reasons it
         * must be ignored.
         */
        if (!interimReasonsMask.hasNewReasons(reasonMask)) {
          continue;
        }

        // (f)
        Set keys =
            RFC3280CertPathUtilities.processCRLF(
                crl, attrCert, null, null, paramsPKIX, certPathCerts);
        // (g)
        PublicKey key = RFC3280CertPathUtilities.processCRLG(crl, keys);

        X509CRL deltaCRL = null;

        if (paramsPKIX.isUseDeltasEnabled()) {
          // get delta CRLs
          Set deltaCRLs = CertPathValidatorUtilities.getDeltaCRLs(currentDate, paramsPKIX, crl);
          // we only want one valid delta CRL
          // (h)
          deltaCRL = RFC3280CertPathUtilities.processCRLH(deltaCRLs, key);
        }

        /*
         * CRL must be be valid at the current time, not the validation
         * time. If a certificate is revoked with reason keyCompromise,
         * cACompromise, it can be used for forgery, also for the past.
         * This reason may not be contained in older CRLs.
         */

        /*
         * in the chain model signatures stay valid also after the
         * certificate has been expired, so they do not have to be in
         * the CRL vality time
         */

        if (paramsPKIX.getValidityModel() != ExtendedPKIXParameters.CHAIN_VALIDITY_MODEL) {
          /*
           * if a certificate has expired, but was revoked, it is not
           * more in the CRL, so it would be regarded as valid if the
           * first check is not done
           */
          if (attrCert.getNotAfter().getTime() < crl.getThisUpdate().getTime()) {
            throw new AnnotatedException("No valid CRL for current time found.");
          }
        }

        RFC3280CertPathUtilities.processCRLB1(dp, attrCert, crl);

        // (b) (2)
        RFC3280CertPathUtilities.processCRLB2(dp, attrCert, crl);

        // (c)
        RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);

        // (i)
        RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, attrCert, certStatus, paramsPKIX);

        // (j)
        RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert, certStatus);

        // (k)
        if (certStatus.getCertStatus() == CRLReason.removeFromCRL) {
          certStatus.setCertStatus(CertStatus.UNREVOKED);
        }

        // update reasons mask
        reasonMask.addReasons(interimReasonsMask);
        validCrlFound = true;
      } catch (AnnotatedException e) {
        lastException = e;
      }
    }
    if (!validCrlFound) {
      throw lastException;
    }
  }
Пример #2
0
 /**
  * Intersects this mask with the given reasons mask.
  *
  * @param mask The mask to intersect with.
  * @return The intersection of this and teh given mask.
  */
 ReasonsMask intersect(ReasonsMask mask) {
   ReasonsMask _mask = new ReasonsMask();
   _mask.addReasons(new ReasonsMask(_reasons & mask.getReasons()));
   return _mask;
 }