// adds unsigned certs & revocation infos (CRL or OCSP) to existing certs & revocation info list
// ('certificates' and 'crls' CMS fields)
public void appendValidationValues(Collection certificateValues, Collection revocationValues) {
try {
Store certStore = cmsSignedData.getCertificates();
Store crlStore = cmsSignedData.getCRLs();
if (certificateValues != null && !certificateValues.isEmpty()) {
Collection<Certificate> existingCerts = getSignatureCertificateInfo();
Set<Certificate> newCerts =
new HashSet<Certificate>(existingCerts); // 'Set' to avoid duplicates
newCerts.addAll(certificateValues);
certStore = new JcaCertStore(newCerts);
}
if (revocationValues != null && !revocationValues.isEmpty()) {
Collection<CRL> existingCrls = getUnsignedCRLs();
Set<CRL> newCrls = new HashSet<CRL>(existingCrls); // 'Set' to avoid duplicates
// FIXME : also add OCSP info (use OtherRevocationInfoFormat of RevocationInfoChoices, see
// RFC 3852)
for (Object o : revocationValues) {
if (o instanceof CRL) newCrls.add((CRL) o);
}
crlStore = new JcaCRLStore(newCrls);
}
cmsSignedData =
CMSSignedData.replaceCertificatesAndCRLs(
cmsSignedData, certStore, cmsSignedData.getAttributeCertificates(), crlStore);
} catch (Exception e) {
ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
}
}
// unsigned CRLs at the root of CMS structure (outside signerInfos)
public Collection<CRL> getUnsignedCRLs() {
try {
Collection<CertificateList> crlCollection = cmsSignedData.getCRLs().getMatches(null);
// Then we need to "cast" from bouncycastle.CertificateList to java.CRL
Collection<CRL> x509CrlsCollection = new HashSet<CRL>(crlCollection.size());
for (CertificateList certList : crlCollection) {
x509CrlsCollection.add(
CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
.generateCRL(new ByteArrayInputStream(certList.getEncoded())));
}
return x509CrlsCollection;
} catch (Exception e) {
ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
}
return null;
}
